“Sophisticated code like Gyges was created for a specific purpose by what appears to be a government agency, and it should have remained within the control of that agency,” RedSeal Networks Federal CTO Brandon Hoffman said by email.
Google’s move to set up Project Zero is very welcome. The infrastructure on which we run our businesses and our lives is showing its fragile nature as each new, successful attack is disclosed. Unfortunately, we all share significant risks, not least because IT tends towards “monoculture”, with only a few major pieces of hardware and software being used most of the time. Organizations use the common equipment because it’s cheaper, because it’s better understood by staff, and because we all tend to do what we see our neighbors doing. These upsides come at a cost, though – it means attackers can find a single defect, and it can open thousands or even millions of doors, as we recently saw with Heartbleed. This situation isn’t likely to change soon, so it’s welcome news whenever there are more eyes on the problem, trying to find and disclose defects before attackers do.
Attacks proliferate rapidly – very rapidly, in a quite robust market for newly found, highly effective vulnerabilities. As they do so, it has become crystal clear that traditional passive, reactive methods of defense are insufficient. Google’s investment underscores the critical importance of proactive analysis of potential attack vectors. Any organization that is not developing a set of defenses from proactive analysis through reactive defenses is leaving the door open to attacks. Defenders need ways to automate – to pick up all the discoveries as they are found by the “good guys”, so they can assess their own risk and keep up with remediation. Recent incidents like Code Spaces and Target make clear that the health of enterprises and the careers of their executives are at stake; just expecting defenses to hold without some way to automate validation is not tenable. Hope is not a strategy.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00Dr. Mike Lloyd, CTO, RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngDr. Mike Lloyd, CTO, RedSeal2014-07-21 02:10:302018-08-14 09:01:39Project Zero – A Smarter Way Forward
On an autumn day in 2008 while I was an active, practicing journalist, I sat in my office and interviewed Todd Davis, CEO of LifeLock for my article on scanning the underbelly of the web. Todd is perhaps best known for appearing in ubiquitous advertising and broadcasting his Social Security Number. At the time, it was becoming clear that online threats to identity theft were growing dramatically, and they were introducing their new service to help their customers avoid appropriation of their identity online.
We’ve come a long way since then. So far, in fact, that the NSA has change their strategy in a way that should send a shiver down the back of everyone responsible for enterprise security: They have switched to assuming that security has been compromised.
Let that settle for a moment. The NSA, the organization most responsible for understanding the cyber-security stance of the United States, its allies, and other countries and organizations worldwide has changed its approach to an assumption of breach.
As I noted in Inside the Mind of an Attacker and Inside the Mind of an Attacker (Pt 2), the motivation and environment of attackers has changed. Now, those with the greatest amount of information are agreeing that the situation has shifted.
With more than 100 foreign intelligence agencies targeting assets plus a likely greater number of criminal organizations, you need to decide how you are going to defend against this new environment. What tools and approach will you use once you recognize that evil actors are in your network? What does defense mean with this mindset?
What’s your answer?
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2014-07-16 02:12:252023-01-20 12:50:38Your Security Has Been Compromised
I recently wrote about the necessity of getting the right data for security analytics. But I’m continuously reminded how typical organizations lack an even roughly complete understanding of their network, or even a map of it. I can understand why this happens – entropy is just as inevitable for organizations as it is in Physics. Records don’t just keep themselves – networks change, and ideally it’s all planned and well controlled, but in practice, emergencies happen, corners get rounded off, triage goes on, and perfect record keeping is lost. I know organizations who aim to have very strong processes, control, and accountability, and while I commend them for it, I find that if I look at their data, I still find enough gaps and unknowns to be a worry. Sure, the mature organizations do better – they don’t tend to have records in the moral equivalent of a shoe-box under the bed (but I see enough of those). But the records still don’t add up.
I think what worries me more are the organizations who know they have information gaps, but don’t treat them as a priority. I see this as driving a car while blindfolded. How is security possibly going to be effective if you can’t map out the infrastructure – the whole infrastructure, warts, labs, virtualization and all – and just look at it, let alone ask decent, proactive questions about how to defend yourself? Imagine physical security – for example, badge reader installation – without having a map of the building, or even a vague idea of the number of doors that need to be secured.
Of course, I’m preaching to the choir – anyone reading this blog probably already understands that this is important. I sometimes wonder if the real challenges are political, not technical or intellectual. When a security team can’t get the blueprints to the network, what exactly is going on? Is it overload? Is it lack of people to go hunt down what’s missing? Or is it the classic challenge of “nagging for a living”? Many security teams I meet don’t have direct access to the network assets that are critical to defensive posture. This means they have to ask, or beg, or cajole the NetOps team into providing data. The strength of that team-to-team relationship seems to be a really important issue. I’ve seen organizations vary hugely in speed and success with data analytics, depending on whether someone in Team Security has a buddy in Team Networking or not. Perhaps the worst cases I’ve seen involve outsourced IT and networking – then it can get to levels nothing short of passive-aggressive.
Got war stories? Advice? Rotten fruit? Comments welcome …
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00Dr. Mike Lloyd, CTO, RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngDr. Mike Lloyd, CTO, RedSeal2014-07-14 02:13:292023-01-20 15:58:39Driving Blindfolded
Recently, on a rainy Colorado afternoon, I sat down at my kitchen table to decide how I was going to upgrade our home security system. Just as anyone who has gone through this process would do, I walked around the house and looked at all of the possible ways an intruder could attempt to enter. I thought like an attacker, and determined how I would defend against any attempt to gain access.
This is how all physical security defense is done: analyze all possible access paths and put defenses into place at each one: locks, sensors, access codes, lights, and other approaches combine to create a defensive shield.
While this approach is obvious for physical defense, it’s rarely employed in defense of enterprise systems and networks. Instead, many organizations rely on the equivalent of a guard sitting at one entrance expecting to see all access attempts when there are other doors to breach and a back fence that can be scaled.
One of the reasons for this approach is the incredible complexity of even the most basic enterprise network. With dozens to tens of thousands of extremely complex devices interconnected in an entwined web of cables and wireless meshes, it is, quite literally, impossible for humans to parse much less accurately understand and manage. You need systems to do it for you.
Much like home automation is coming into the mainstream with both Google and Apple offering integrated means for monitoring and managing everything from temperature and lights to locks and door status, automation for networks to be sure that your network is configured the way you expect and doing it the way you want it to be done is mission critical.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2014-07-09 02:14:532016-02-25 09:21:27Inside the Mind of an Attacker — Part 2
I remember when I first started trying to solve network security problems, using fancy network analytics. I applied the classic suspension of disbelief that’s necessary to work on any emerging technology – first, you assume all the hard problems will be easy, and second, you assume the impossible ones will just go away. Happily, much of this is true – it’s funny how well it works. Only later do you learn which problems are the truly hard ones.
What’s hard about network security analytics? Well, not the security, and not the analytics – we’ve found we can do plenty on both of those that pays off really well, given the data. The pesky data, now that’s a different kettle of enchiladas.
At first, I didn’t want to talk about data gaps – that sounded like a challenge to good analytics. I was half right. Eventually, enough CISO’s got it through my skull that uncovering data gaps may be pointing to reasons why analytics will be held back, but it’s also major value, in and of itself. I was being dense – if we try to analyze security data, and we find it’s got holes in it, well, this means the security team didn’t know what was going on to start with! Turning up these gaps is one of those inconvenient truths. These days we’ve gotten pretty good at it.
But then what? Typical security organizations are drowning in data, so how can I complain about needing more? Well, facts are just facts; useful information, or better yet, actionable intelligence is something else altogether. We stockpile data from sensors, but we struggle to find useful signal in there. We deploy automated signal reduction engines, but they just turn mountains of alerts into hills of alerts, and we still don’t have time or people enough to climb those. And along come these network security analytics people saying “what you need is more data”. Hmmm.
Of course, what we need is the RIGHT data, processed the right way, at the right time.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00Dr. Mike Lloyd, CTO, RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngDr. Mike Lloyd, CTO, RedSeal2014-07-07 02:18:592018-08-14 09:02:21Data, Data Everywhere, nor Any Time to Think
This morning, I woke up, walked downstairs, and performed my morning rituals, including a review of OmniFocus on my iPad to see what was on tap for today. I looked at my list of projects, my next actions, and those items that are due in the next few days. Then, I went to work.
In many homes across the world, days began in similar fashion. Some of those reviewing their projects, however, had a decidedly different thematic thread: their projects have the goals of breaking into the networks and servers of key government and industry organizations for purposes of espionage, theft, or disruption. And they get paid to do it.
Some of us remember the earliest days of the Internet when servers were open to all. In fact, anyone could log onto the root account at Richard Stallman’s server and create their own personal account. My, how far we’ve come when breaking into networks and systems is a career path!
In the early days of people breaking into systems and networks, most actors were solo and focused on showing their own skills while demonstrating the weakness of those they attacked. Early viruses and worms (like the Morris Worm) were often the result of bugs in the target systems and mistakes in the attacking code.
Today, governments across the world are applying their resources investing in full-time staff to break into systems and networks in other parts of the world. From the Syrian Electronic Army to the People’s Army, the US Government, and organized crime, attacks come from many different sources looking for a variety of results. This means the mentality is professional, organized, and coordinated, and the attackers are motivated by a variety of results, from financial to patriotic.the early days of people breaking into systems and networks, most actors were solo and focused on showing their own skills while demonstrating the weakness of those they attacked. Early viruses and worms (like the Morris Worm) were often the result of bugs in the target systems and mistakes in the attacking code.
Knowing this, it’s essential that you determine the best way for you to defend against these attackers. They aren’t going to give up, so you need to be diligent and focused on your defenses. And we’ll talk more about that next time.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2014-07-02 02:20:192016-02-25 09:22:06Inside the mind of an attacker
“With so much business being conducted with suppliers online, Mike Lloyd, chief technology officer for RedSeal Networks, recommended companies map out and monitor all network connections.”
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2014-07-01 08:02:012018-05-03 16:09:09Ideas for defending against cyberespionage
I recently attended a gathering of Wall St CISOs, one of whom referred to the “negative unemployment” in our industry. I thought this was a great phrase, and I’ve found it’s a quick way to get across some quite deep points about current security.
At first, it just sounds cute, but in practice, it’s about as cute as the Oil Crisis. Bad guys have figured out how to make money by attacking our weak defenses. We’re scrambling to catch up. The C-Suite and the board are more accommodating than they have ever been – something to do with the recent dismissal of the Target CEO, I shouldn’t wonder. We know we need people, so we go to hire them, and what do we find? Bad resumes.
Have you found it easy to hire the talent you need? If so, lucky you – feel free to drop hints in the comments section (or just gloat – your peers tell me they aren’t having it so easy).
It makes for an ugly choice. Do we hold standards high, waiting for people with the right skills to come along? Or do we hope to train people new to the field? As I look around, I can see our discipline soaking up some people of – how should I put it? – marginal aptitude. I’ve seen this before – I remember the go-go days of the late 90’s, when Silicon Valley start-ups sucked in all kinds of people with no business working in such environments. When that went all pear-shaped, it wasn’t so bad – sure, some stock options suddenly lost a zero or two in value, but it’s not really fair to whine about that. Watching the same thing happen in corporate IT security is a much scarier proposition.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00Dr. Mike Lloyd, CTO, RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngDr. Mike Lloyd, CTO, RedSeal2014-06-30 02:28:522018-08-14 09:02:00Negative Unemployment
Botnets have been around for many years, but Distil Networks’ recently-released research shows that their use not only continues to grow dramatically, but that use is becoming more sophisticated. In having the bots focus their attacks during off-hours, the attackers may have a greater window of opportunity for damage before discovery.
This underscores the need to expand security analytics beyond the reactive focus of IPS/IDS to also include complete proactive analysis of what could happen. For example, analyzing all of the possible paths into and through an enterprise network–including from vendors and partners–within the overall context of the complete, complex network, allows the enterprise to ensure limited access before any paths are probed by a bot.
The botnets are a primary contributor to the distributed denial of service attacks, for instance, which are reported to have volumes up to 300Gbps.
As we have seen from widespread and newsworthy breaches over the past few years, it is very difficult to react quickly to an attack in progress. While such defenses are critical, equally vital are analytics that determine and monitor the effectiveness of the entire network as a system including all of its security controls and system vulnerabilities in context. This is one of the reasons RedSeal’s analytics include the complete set of possible network paths and not simply flows currently active in the network.
The key to winning the game is leverage. Knowing more, being more proactive, being certain that your intentions are realized by technology. How can you know?
Recently, I have seen firewall configuration files containing well over 150,000 lines of configuration. These devices live within networks with thousands of other devices that forward packets according to a variety of rules (routing, access control, load balancing, and more). The only way to know what’s really going on is to perform an in-context analysis of the network. This is very difficult to do well, and impossible to do without automation. Furthermore, if you don’t do it, you are relegated to playing Whack-A-Mole with the probes and attacks that are being launched against you, probably at the rate of thousands per day.
Use automation as a proactive offense against what could be launched even as you continue to deploy reactive systems to respond to attacks that make it through your defenses.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2014-06-23 02:30:062023-01-20 16:24:58Defending Against Botnets
In order to provide you with the best experience possible we might sometimes track information about you. Sometimes this may involve writing a cookie. We use this information for things like experience enrichment, analytics and targeting advertising. We recommend allowing these functions to get the most out of your experience.
We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
Essential Website Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
Other external services
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.