Is AI Resilient Enough for Security?

SIGNAL Magazine | October 22, 2018

By Dr. Mike Lloyd, RedSeal CTO

Machines need to be hard to fool and reliable under pressure.

Artificial intelligence can be surprisingly fragile. This is especially true in cybersecurity, where AI is touted as the solution to our chronic staffing shortage.

It seems logical. Cybersecurity is awash in data, as our sensors pump facts into our data lakes at staggering rates, while wily adversaries have learned how to hide in plain sight. We have to filter the signal from all that noise. Security has the trifecta of too few people, too much data and a need to find things in that vast data lake. This sounds ideal for AI.

Resilient regulation can help end the tech-consumer stalemate

The Hill | October 21, 2018

By Ray Rothrock, RedSeal CEO

The reason for the absence of meaningful dialogue and meaningful movement is that the two sides persist in choosing the wrong adjectives. They argue over preemptive federal legislation versus state legislation. They fight over tough legislation versus soft legislation.

What they should do is discard all of these modifiers and instead embrace, together, just one type of legislation: resilient. We need privacy regulation that promotes the resilience of data privacy and security. And we need it whether we run Google and Facebook or use Google and Facebook.

FICO & US Chamber of Commerce Score Cyber-Risk Across 10 Sectors

Dark Reading | October 16, 2018

Media, telecom, and technology firms are far more likely to experience a data breach in the near future than organizations in sectors including energy, construction, and transportation.

A score “taken from the outside looking in is similar to rating the fire risk to a building based on a photograph from across the street,” says Mike Lloyd, CTO of RedSeal. “You can, of course, establish some important things about the quality of a building from a photograph, but it’s no substitute for really being able to inspect it from the inside.”

If You Protect Everything, Are You Protecting Anything?

Government Technology Insider | October 12, 2018

With Nate Cash, Senior Network Security Engineer

For decades, cybersecurity professionals have been tasked with protecting organizational IT assets, whether hardware, software, systems, or data. But have they been setting priorities for cybersecurity?

This is a monumental task, especially when the technology environment not only continues to change but is accelerating – just look at the spread of the Internet of Things. IT folks may be told to protect “everything,” but they know it’s an impossible task. They don’t have unlimited resources, after all.

In particular, organizations suffer from a skills gap.

DriveScale TechNow Podcast with Ray Rothrock

DriveScale TechNow Podcast | October 3, 2018

With Ray Rothrock, RedSeal CEO

In this edition of TechNow with Tom Lyon, Tom talks to Ray Rothrock, venture capitalist, nuclear engineer, cyber security expert, and current CEO of RedSeal, a firm that helps organizations quantify their digital resilience.

RedSeal Named 2018 Cloud Security Excellence Award Winner

TMC | October 1, 2018

TMC’s Cloud Computing Magazine has named RedSeal as a winner of their 2018 Cloud Computing Security Excellence Awards. The awards honor solutions in two categories: those that most effectively leverage cloud platforms to deliver network security, and those providing security for cloud applications.

Cloud Computing magazine is the industry’s definitive source for all things cloud – from public, community, hybrid and private cloud to security and business continuity, and everything in between.

Cybersecurity: Duck and Cover or Stand Up and Do Business?

CEOWORLD | October 1, 2018

By Ray Rothrock, RedSeal CEO

Cybersecurity isn’t working today. In 2016, the Ponemon Institute reported that each of the 383 companies it surveyed had a “26 percent probability of a material data breach involving ten thousand lost or stolen records” within the “next twenty-four months.” Take this beyond two years—say to the projected life of your business—and you must accept the certainty of data breach. If cybersecurity were working, that certainty would not exist.

What has gone wrong with cybersecurity?

The exponential development of digital technology has left it in the cyber dust.

RedSeal and DHS CISO’s Current Priorities

In early August, at MeriTalk’s Cyber Security Brainstorm, Paul Beckman, chief information security officer (CISO) at the Department of Homeland Security (DHS), said that his biggest new priorities are:

  • Increasing use of software-defined networking (SDN)
  • Adopting a zero-trust model
  • Optimizing DHS’ security operations centers (SOC)

He added that the ability to leverage micro segmentation in cloud or SDNs is an efficient way to provide network data security services.

That is true to an extent.

Unfortunately, Mr. Beckman puts too much trust in SDN security. If that word “software” does not concern you, then you are not thinking about the problem hard enough. Humans make and deploy software, and humans make mistakes, even in something called “software-defined.” They often don’t see what’s exposed as they build out their architecture. They may have intended to have something segmented and not realize it isn’t.

SDNs grow and change quickly. An equally agile modeling solution can ensure that any mistakes are caught and fixed rapidly. There can easily be millions of rules to check as workloads spin up and down too fast for any human to keep up. RedSeal will validate all your security rules over time to ensure that configuration drift doesn’t cause segmentation violations.

Agencies can create risks, too, by making multiple changes over time without comprehending the combined effect those changes have on end-to-end security. This problem is exacerbated by SDNs because of the ease and speed of change they offer. To reduce the risks and realize the true power of SDNs, agile change control should be part of your approval process. This will allow you to model changes at machine speed to see exactly what effect a change will have on end-to-end security.

On top of the architecture, updating and workflow issues, most SDNs exist in hybrid data center environments, connected to other SDNs, public clouds and physical assets. RedSeal’s model of your network includes all your environments, so you can see access between and within each one. While I agree that SDNs are an improvement on the earlier way of providing security services, they are not a silver bullet.

Mr. Beckman also said, “One of the things that I think we are, as an IT organization, going to be evolving to, is that zero-trust model. Traditionally the perimeter was your primary means of defense, but once you got into the squishy center, you were generally a trusted entity. That needs to go away.”

With zero trust, he said that you need to authenticate everything a user is trying to access inside the perimeter. It’s a great idea for any organization to trust no one on the inside of a network and make them prove they’re authorized to be there. But what happens when credentials are compromised? Compromising credentials is harder today, after implementation of two-factor authentication procedures and password managers, but not impossible. Hackers still find a way.

Lastly, Mr. Beckman wants to consolidate 16 independent SOCs into four or five centers operating in a “SOC-as-a-service” format. These kinds of consolidation efforts have happened before. The government has put a lot of effort into merging SOCs, only to have them split apart again due to performance issues or mission requirements.

What is new and admirable is a focus on grading the performance of each individual SOC. Identifying poor performers and merging them with high-scoring SOCs seems like a logical way to take advantage of the limited numbers of highly skilled security professionals and improve outcomes. Again, this sounds good in theory. We will see how it works in real-life environments.

For more information about how RedSeal meets the DHS’s highest priorities this year, visit our website at: www.redseal.net/government.

“Zero Trust” Is the Opposite of Business

Infosecurity Magazine | September 14, 2018

By Dr. Mike Lloyd, RedSeal CTO

The term zero trust has been cropping up a lot recently, with even a small conference on the topic recently. It sounds like an ideal security goal, but some caution is warranted. When you step back and consider the reason security is important – keeping organizations running – it’s not so clear that zero trust is really what we want.

I see the label zero trust as an over-reaction to the challenges we face in security. To the extent that the term means “be less trusting”, I agree. Look at our lack of success in stopping breaches.

Big Companies Have An Achilles Heel

Cybersecurity Intelligence | September 10, 2018

“From a cybersecurity perspective, when you’re an insurance company and you’re writing a policy for somebody, how do you charge them for it? We measure the risk and give them the metrics to charge for that policy,” said Steve Timmerman, VP of marketing and business development at RedSeal, which offers enterprise software that builds a model of a company’s network, identifies vulnerabilities, and provides a digital resiliency score that allows insurers to write a cyber premium based on that score.