JIE-READY STEP 1: Know what you have

The first and arguably most critical step in any data center consolidation or migration is to first understand what you have. Most complex or large-scale networks have grown so rapidly over the years or decades that there is no clear picture of the functioning system. As the opportunity to refresh large-scale global infrastructure becomes available today, experts are building security in on the front end. The challenge is understanding what exists today, how it is (or isn’t) being secured, and then designing the security requirements in tandem with the new system/network. RedSeal Networks provides a unique perspective on what is happening today on the network, how the network is actually connected, and the efficacy of security controls deployed in the network.

jie-step-1RedSeal Networks can provide this unique perspective by aggregating the configurations of core components that comprise the network, more specifically routers, firewalls, load balancers and switches. The RedSeal platform then analyzes these configurations and creates a model of the network. This is a visual representation of the network itself, but it is also a full model of all possible access based on the devices and the configurations of those devices. This model is a critical first step in understanding the DoD infrastructure today and will be the foundation upon which RedSeal will continue to provide unique data for the success of JRSS and JIE.

The model of networked infrastructure that RedSeal is providing to the JRSS project will not only help understand access at a high level. This model allows the capability to drill down into specific access areas, enclaves, single path analysis, and even model access that doesn’t yet exist. It is this flexibility that will allow architects and design experts to understand, from a high level down to fine detail, what is working today and what is not, so the new infrastructure can be designed effectively and efficiently.

Our next blog post will address Step 2 – Defense in Depth.

JIE-READY: A roadmap

The United States Department of Defense Joint Information Environment (JIE) began to take shape in 2010, as part of efficiency initiatives to consolidate Defense IT infrastructure and generate savings, provide full situational awareness across all defense networks, and improve the Department’s ability to share information between the services and with its industry partners and other government agencies.  While full capabilities are not expected to be realized until the 2016-2020 timeframe, DoD is already hard at work with industry to procure and configure IT in a more secure fashion and the first demonstration of JIE will take place in Europe this year, hosted by the U.S. European Command. Many organizations are asking themselves if they are JIE-ready, yet what exactly does this mean?

jieintro1 RedSeal Networks is playing a key part in the security component of the JIE program. Part of the JIE program is to migrate to a Single Security Architecture (SSA). The deployment of this SSA will be realized through what is commonly referred to as Joint Regional Security Stacks (JRSS). Within these stacks are integrated technology components that will provide comprehensive security to the JIE environment. The development and deployment of JRSS along with the overall JIE program will take a significant effort of consolidation and migration to realize the financial and organizational benefits. RedSeal’s role in this effort is recognized through four key use cases of the RedSeal Networks platform.

The four key areas where the RedSeal platform will have impact with respect to JIE are aligned with the phases of JRSS development and can be seen as:

  • Model and visualize the current state of your complex legacy networks and security infrastructure including calculating every possible internal and external attack path
  • Ensure defense in depth with tiers/enclaves are efficient and effective
  • Visualize the completed JIE infrastructure before migration even begins
  • Create artifacts for JIE ATO and IA certifications

Our next blog post will discuss how to model and visualize legacy environments.

New security bug dubbed Backoff exposed

The Green Sheet | Aug 1, 2014

The latest big breach apparently occurred at the nonprofit retail thrift store operator Goodwill Industries International Inc. The culprit: a new strain of malware called Backoff.

Ray Rothrock, Chief Executive Officer at enterprise cyber security company RedSeal Networks, said the security and retail industries are keen on fighting fraud, even if a modicum of complacency has set in with consumers and the mass media.

“I guarantee if you’re a CEO, you are worried about breaches,” Rothrock said. “In fact, a lot of people these days are being asked by their boards and senior management, assume we will be breached because we will be. What’s your plan of response and remediation for it?”

Goodwill working with secret service to investigate data breach

Cyber Security Business | Jul 31, 2014

Mike Lloyd, CTO of RedSeal Networks, stated to TechNewsWorld: “Many organizations have been in denial for too long … Many industries are loved by the public and can lapse into thinking they don’t have enemies, and so don’t really need to worry about security.”

Breaches Reach the Board Room

The discussion of cyber security is finding its way into the board room.  Everyone has read about a breach like the ones at Target, or Neiman Marcus, or Sony.  They also probably now have the word “Heartbleed” in their lexicon whereas six months ago most people would have thought this was a medical condition.  Directors surely must be thinking about whether this could happen to them and what they should do.  Just framing the discussion is often difficult because people simply have little or no background.  They need to know what is going on and what the risks to the company are.

The first interested director is probably the chair of the audit committee.  She or he should be active in asking key questions about security, processes, and what operationally is being done.  This is no different than asking if procedures for check signing are set up and being managed, or about how the shrinkage in retail or warehouse operations is being managed and monitored.  Cyber security has a complete parallel to these issues.

war-room-jpgOf course I can’t speak for every board of directors, but a couple of companies on whose boards I serve have a line item on the agenda – usually during the audit committee report – to discuss cyber.  Regrettably, the discussion usually lasts less than five minutes even though the headlines in the newspaper are full of corporate issues around being breached.  I can’t tell if it is a lack of appreciation of how serious the problem is, or if there is even a real problem.  I can’t tell if it is one of those “if I don’t ask, then I don’t have to know” problems.   Solving any problem first requires acknowledgement of the problem.  And the cyber attack problem is getting top billing in the news, just not in the board room.

Ask yourself, does the CEO get a report on cyber security, just like s/he gets a P&L or sales report?  Cyber is dynamic, and it’s a constantly changing front of action, just like sales.  Unfortunately, this is now part of every business and it takes away from business.  But I bet it’ll take much less away than a full breach.

The Weakest Link

Today, TrendMicro announced their discovery of Emmental, proof that “…online banking may be full of holes.” The focus of the attack is on users of online banking, and it, like many of the current attacks, starts with a phishing attack on consumers. The New York Times Bits Blog covered the report, as well, providing a high-level view of the attack on two-factor authentication used by many online financial sites.

weakest-linkThis attack unimagederscores two vital truths:

 

  1. The weakest link in security is the human factor, and
  2. Trust is the key to security

In Emmental, the cyber-criminals used the combination of fear for their finances and trust of consumer brands to convince consumers to open attachments and visit financial sites that had been created to capture their usernames, passwords, and PINs. The holes exploited in this process are many, including email systems, operating systems, web browsers, and the wide variety of multi-factor authentication in use.

It can be easy for enterprise technology specialists to write this off as simple error on the part of the unwashed consumer masses. Yet, these issues and truths exist within enterprise environments, and we see this consistently: simple typos and conceptual errors in device configurations lead to violations of security policy and potential breach paths, misunderstandings of policy intentions result in open access, and IT organizations trust more widely than is prudent.

How do you protect your enterprise from these risks while recognizing these two vital truths?

Is Nothing Sacred Anymore?

It’s unthinkable: hackers targeting that sacrosanct American institution, the sports team? The recent incident in which the Houston Astros’ internal trade discussion were hacked and posted on the Internet shows that, today, no target is off limits.  Jeff Luhnow, GM for the Astros, was quite right when he said: batter_swinging_baseball_bat_at_a_pitched_ball_0515-1104-1601-5532_tn“It’s a reflection of the age we living in. People are always trying to steal information” The main problem that encourages this kind of illegal activity is that it’s really relatively easy.  Nobody thinks the hacker who stole the information from the Astros was heavily funded by a foreign government, or anything like that.  Indeed, it’s quite possible the person or people involved had no more motivation than curiosity, and found it easy to get in. The challenge, of course, is that every business has secrets – how it approaches negotiation, or the pricelist for its upcoming products, or its next quarter of advertising plans.  All that information is useful to others if it’s exposed.  Many businesses like the Astros have treated IT security as a “high end” problem – something for banks, the military, or energy companies to worry about.  But it’s just not possible to operate that way anymore – the risk of corporate embarrassment, or worse, is escalating.  Attackers are finding our complex defenses are badly deployed, badly coordinated, and easy to walk through.  All the attacker needs is persistence, and the search for a forgotten, unlocked “side door” onto the business can be largely automated.  Defenders need to understand all the gaps, and how all the security defenses work together, even if their only target is “good enough” security.  As the Astros have found, the standards of “good enough” are rising rapidly.

Congratulations on StubHub Arrests

I would like to offer my congratulations to the private and public entities that participated in the recent investigation and arrests of cyber criminals in New York City, Ontario, Canada, and London, United Kingdom.  A tremendous amount of hard work and dedication from all parties is required to successfully dismantle an international criminal enterprise.  The success we witnessed this morning should be used as the gold standard upon which future collaboration between private companies and the International law enforcement community are modeled.

hacker_handsCollaboration at this scale is required to turn the tables on cyber criminals. The impact of today’s events should not be underestimated: this is bigger than any individual arrest.  The global law enforcement community has sent a strong message to the individuals who commit these crimes – You are no longer safe to travel and operate outside of your home country, without significant risk of arrest and prosecution. Isolation is a powerful force in the effort to change behaviors.  Confined within the borders of their home countries, I suspect we’ll see a change in behavior on the part of some of these criminals.

Continued success with prosecutions will have a lasting effect on cyber criminal behavior… but it is not a silver bullet.  Cyber attacks and data breaches are still way too easy for attackers with even a moderate level of skill.  We must continue working to make our systems and economy more resilient to attack.

I recently joined RedSeal Networks to work on this specific problem, making it easier for network owners to protect their assets and defend against intrusion and data breach.  I’m looking forward to the coming months when we share more of our plan to make network security something that we aren’t just striving to attain, but something we actually have in our toolkit to counter cyber threats.

StubHub Hit in Cyber-Attack That May Have Stolen $10M in Tickets

Security Week | Jul 23, 2014

“The global law enforcement community has sent a strong message to the individuals that commit these crimes,” said Robert Capps, senior director of customer success at RedSeal Networks and former head of global trust and safety for StubHub.

A Question of When, not If

Breached!  This is the new watchword in the executive office suite these days.  Ever since Brian Krebs revealed to the world that Target had been breached, every company is on notice.   While the primary role of the CEO is revenue and growth, there are a host of other activities that support revenue and growth.  Namely, the company’s employees and its data infrastructure are critically important for every company.  But what about the network?

Having been an investor in network infrastructure for a couple of decades, I know chances are very high that your company’s network has been built over decades, by scores of people of varying skill levels.  Chances are your network is very complex, beyond what any person or team can truly understand.  Chances are your network runs your business more than you really appreciate, and without it your business would stop.  It’s just as important as your manufacturing and supply chain, or your service centers, or your employees.  The network is a strategic asset of the corporation.

tweezersThis was brought home in a powerful way when I recently attended a cyber security meeting in London.  In addition to briefings with a number of industry analysts, this meeting also included a panel discussion with about 15 CISOs from various industries like finance, not-for-profit, publishing, media, banking, and manufacturing.  To a person these CISOs said two things.  First, their greatest need was skilled personal to run their networks.  Second, their senior management was asking questions about not “if” they were breached but what they would do “when” they were breached.  This shift in attitude, driven by all the news in recent years about breaches at large, household-name companies, was an “ah ha” moment for me.

Your company will be breached, or you will fall victim to some other network crime.  As CEO, you must prepare yourself for these events.  A lot can be done to prevent most breaches, and to be prepared when one inevitably does happen.  It starts by knowing just how your network is built and operated.  As trite a statement as it is, the truth of the matter is this:  If you don’t know how your network is built, how can you possibly secure it?

Have you asked your CISO what the plan of action is when a cyber attack is successful?  Does your board understand the liability of a successful attack?  Regrettably, it is a matter of when, not if.