Know What to Protect and Why

/by

In my last article, I discussed the importance of walking the terrain, or knowing your network. I suggested beginning at the at high level: identify your sites, then group your assets by site or facility. This is a great place to start understanding your network because network controls tend to be fairly static. However, discovering network devices like routers often leads to discovering subnets and previously unknown endpoints.

These this begs two questions: Why should I care about my endpoint inventory? What should I do with this data?

Maintaining accurate endpoint inventory data is a daunting task. In modern environments, endpoints are changing all the time. In fact, endpoint entropy continues to grow exponentially. We need to prioritize. There are two aspects of endpoint inventory security professionals should focus on.

The first is to look at your network through the eyes of an adversary and ask, “What is most valuable?” In a military example this might be a bridge, an airfield, or a key logistics site. In the cyber world this might be your credit card holder data, your intellectual property, or the CFO’s laptop. Consider what an adversary might want to accomplish. Are you concerned about a nation state stealing intellectual property? Might someone want to disrupt your operations? Could organized crime try to extort money after encrypting your systems?

Most security professions believe that “everything is important.” While that’s true, we all have limited resources. We need to prioritize where to apply preventative technologies, which vulnerabilities to patch, and what incidents to investigate. It is imperative to identify the key data or systems in order to identify a control framework to protect them.

The second important aspect of endpoint inventory data is using it to maintain the accuracy of your operational systems. Many key security systems depend on the accuracy of endpoint data. Our customers almost always have a CMDB, vulnerability scanner, EDR agents, and a patching system. The numbers coming from these systems never agree. We see CMDBs that are about “80% accurate;” endpoints that aren’t being scanned; endpoints that are missing agents; and some endpoints that aren’t being patched. Being able to quickly see the difference between these operational systems will identify gaps in your operations. For example, if your EDR count is greater than the one from your vulnerability scanner, you can quickly identify the exact systems that are not being scanned. If the count you’re getting from your vulnerability scanner is greater than the one from your patching system, you can quickly identify systems not being patched. Organizations that operationalize this process aren’t just maintaining an inventory count, they’re ensuring a more accurate use of their key operational systems.

Best Practices for Cyber Resilience: Step One, Walk the Terrain

/by

 

You’ve been asked to defend your organization from a myriad of threats: state sponsored attacks, cyber criminals, insiders. But where do you start?

Many years ago, as a young Marine lieutenant I learned that the first step to establishing a defense is to understand what you’re defending. You must know the terrain. Walk the terrain. Understand the key parts of the terrain and all avenues of approach. Then ask yourself how you would attack the same terrain. You must understand your own terrain better than the enemy.

In information security, we haven’t been given the luxury of understanding what we have — but we need to understand what we have to effectively defend it. Our networks were built to optimize for performance and availability, not for security. Understanding our cyber terrain has become a daunting task – but one fundamental to security.

Today, we rely on current inventory management technologies, but they provide just part of the picture. You get an overwhelming amount of detail and yet still struggle to understand how everything interconnects.

Ideally, you’d like to be able to understand what you have, how it’s all connected, and what’s at risk. Specifically, you’ll want to:

  • Visualize each of your sites and the connectivity between them.
  • Locate and identify devices missing from your inventory management and NCCM solutions.
  • Rationalize data from multiple data sources, including vulnerability scanners, CMDBs and EDRs.
  • Quickly determine where an attacker can traverse to in your network — from any point.

Most organizations begin by trying to get their endpoint or host inventory. This seems logical, since that’s where your applications and data are housed. But without an overall picture of how your network is configured, you have a collection of data points that don’t tell a full story.

The first step needs to be organizing your cyber terrain at the highest level. Identify your sites, then group your assets by site or facility. For example, assign devices to your Austin data center, Denver data center, branch offices, and AWS. Next determine the conductivity within and between these sites. This requires an inventory of networking devices and their configurations. You’ll end up with a model of your network devices, security groups and VPCs and quickly be able to get a picture all the connections and interconnections — intentional and unintentional — in your network. Inevitably, you’ll discover unknown network devices.

Then, with this framework in place, you can add your host information.

Real World Versus Cyber Hygiene

/by

As I watch the drama on the news unfold it is striking to me how similar the tactics for defending against a spreading virus are to cyber defense.

Washing your hands equates almost exactly to cyber hygiene tactics like patching.

Social distancing is nothing more than putting barriers up to prevent the spread of attacks, which is called network segmentation in the cyber world.

What do we do in the cyber world when a system is infected? We quarantine it and try to determine what else could have been infected. Unfortunately for the physical world, there is no automated way to make sure people are practicing proper hygiene, maintaining proper distancing, and isolating infected and vulnerable people. Fortunately, this is not the case for cyber warriors, where RedSeal automates all these arduous tasks.

With RedSeal’s cyber terrain analytics platform and professional services, government agencies improve their resilience to security events by understanding what’s on their networks, how it’s all connected, and the associated risk. RedSeal verifies that network devices are securely configured; validates network segmentation policies; and continuously monitors compliance with policies and regulations. RedSeal continually checks to see if a network’s segmentation is working as designed, ranks end point vulnerabilities in order of risk, and adds knowledge of your network to determine how accessible the vulnerability is to untrusted networks and what it will expose if compromised.

So, when a breach does occur, the RedSeal can tell you exactly what is exposed to an attack and deliver the information needed to contain it.

If only the real world had this capability, I might be able to eat at my favorite restaurant tonight.

Click here to lean more about Cyber Hygiene with RedSeal.

A Resilient Infrastructure for US Customs and Border Protection

/by

The Customs and Border Protection agency recently announced an official 2020-2025 strategy to accomplish their mission to “protect the American people and facilitate trade and travel.”

The strategy comprises only three goals, one of which is to invest in technology and partnerships to confront emerging threats. This includes an IT Infrastructure that provides fast and reliable access to resilient, secure infrastructure to streamline CBP work.

So, of everything CBP wants to accomplish in the next five years, delivering a resilient, secure infrastructure is right near the top.

Both Verizon’s Data Breach Investigations Report and Crowdstrike’s Global Threat Report agree that more than 90 percent of intrusions are due to failures in basic, continuous cyber fundamentals. These include patching, ensuring network devices are deployed securely, and firewall rules and access control lists enforce the network segmentation you intended.

These cybersecurity fundamentals can be tedious and repetitive, but they are the foundation of security and beyond that, cyber resilience.

Cyber resilience has three parts:

  1. Being hard to hit
  2. Having the ability to detect immediately
  3. Responding rapidly.

RedSeal is a solution purpose built to improve and track resilience.

We give you a way to measure resilience and improve the security of your infrastructure.

RedSeal’s cyber terrain analytics platform identifies cyber defensive gaps, runs continuous virtual penetration tests to measure readiness, and helps an organization capture a map of its entire network infrastructure. The RedSeal platform delivers continuous monitoring through the collection and correlation of change, configuration assessment and vulnerability exposure information. Turning these capabilities into cyber resilience measurements gives managers, boards of directors and executive management the understandable and actionable security metrics they need to drive towards digital resilience.

Cyberattack surfaces and complexity are only expanding as all commercial, US government and DOD networks modernize and move to cloud and software defined networks (SDN). Automating the basics so organizations and departments can be digitally resilient continuously in the face of an attack has never been more necessary.

To ensure its IT infrastructure is resilient and secure as it is rolled out, the CBP needs to focus on mastering the cyber fundamentals and measuring that progress by deploying RedSeal’s cyber terrain analytics platform. Click here to learn more.

Security Orchestration and Automation Response Solutions (SOAR) and RedSeal

/by

Over the past few years, Security Orchestration, Automation, and Response (SOAR) tools have emerged as multi-faceted and ever-present components in a Security Operations Center (SOC), enabling security teams to centralize incident management, standardize processes, and reduce response times through automation and artificial intelligence (AI).

The security orchestration, automation and response (SOAR) market, as defined by Gartner in 2017, evolved from three previously distinct technologies: Service Oriented Architecture (SOA), security incident response platforms (SIRPs) and threat intelligence platforms (TIPs).

In 2019, Gartner released their latest and most comprehensive research on the SOAR market to date– Market Guide for Security Orchestration, Automation and Response Solutions. In it, Gartner tracks the growth of the market over the past few years, provides a representative list of SOAR vendors, and delivers advice that security practitioners should keep in mind while procuring SOAR tools.

Moreover, AI security is listed in their Top Ten Strategic Technology Trends for 2020, which says:

“AI and ML will continue to be applied to augment human decision making across a broad set of use cases. While this creates great opportunities to enable hyperautomation and leverage autonomous things to deliver business transformation, it creates significant new challenges for the security team and risk leaders with a massive increase in potential points of attack with IoT, cloud computing, microservices and highly connected systems in smart spaces. Security and risk leaders should focus on three key areas — protecting AI-powered systems, leveraging AI to enhance security defense, and anticipating nefarious use of AI by attackers.”

Gartner states that SOAR tool deployment is now more use-case driven than ever. The use cases depend on the maturity of the organization, the capabilities of the SOAR tool, and the processes most ripe for automation, among other things. According to Gartner:

“SOAR selection in 2019 and beyond is being driven by use cases such as:

  • SOC optimization
  • Threat monitoring and response
  • Threat investigation and response
  • Threat intelligence management”

SOAR Doesn’t Know What It Doesn’t Know.

The problem we see with deploying security automation is the quality of the information put into it. How do you deploy a SOAR tool if you don’t know for sure if the data being used is accurate? Is good enough good enough?

Security solutions based on automation can also have blind spots. How do they know that they can see everything? In fact, they don’t know what they don’t know.

RedSeal data can better refine how a SOAR solution makes its decisions to take or not take actions in the above use cases. RedSeal gives a SOAR tool a deep understanding of the network environment it operates in. It is not enough to identify and react to an indicator of compromise, we need to understand what an intruder can reach from there.

Does the device have access to a high value asset (HVA) or to the key cyber terrain of your environment?

If not, don’t worry and carry on with the automated processes.

If yes, then that is an indication to do more investigation and look at how this access could have happened in the first place.

And during a follow-on, after-action review you can investigate important issues like how the intrusion happened in the first place. Only RedSeal shows you what’s on your network, how it’s connected and the associated risk, so you can better prepare for and contain problems within minutes and not days.

What if RedSeal could improve your understanding? Would that interest you?

If yes, click here to set up a time to speak with a RedSeal representative about how to integrate RedSeal with your preferred SOAR tool.

Ten Cybersecurity Fundamentals to Reduce Your Risk of Attack

/by

Due to escalating tensions with Iran and recent cyber activity against a U.S. Government website, DHS’s Cybersecurity and Infrastructure Security Agency team has issued a bulletin warning organizations to be prepared for “cyber disruptions, suspicious emails, and network delays.” DHS recommends preparing by focusing on “cyber hygiene practices” to defend against the known tactics, techniques and procedures (TTPs) of Iran-associated threat actors.  This warning serves as another reminder that adversaries often compromise organizations through failures in assessing and implementing basic security practices.

Based on recent international activities announced by DHS, expectations of retaliation from a known adversarial nation state are more than likely to occur. This is an immediate risk to all public and private organizations in the United States. Organizations need to be able to assess their current security posture and accurately evaluate their cyber hygiene. They need to know what is on their networks, how it is all connected and the risk associated with each asset.

Whether you are hands-on-keyboard technician or an executive responsible for securing your organization, here are ten cybersecurity fundamentals you can implement.

  1. Identify critical data and where it is housed
  2. Know what assets – physical and virtual – are on your network
  3. Harden your network devices, making sure they are securely configured
  4. Review your endpoint data sources to make sure you have full coverage of all endpoints on your network
  5. Ensure that your vulnerability scanner is scanning every subnet
  6. Factor in accessibility to prioritize your highest-risk vulnerabilities and hosts
  7. Make sure only approved or authorized access is allowed, including any third-party access.
  8. Validate that all network traffic goes through your security stack(s)
  9. Identify unnecessary ports and protocols
  10. Identify rules on your network gear to determine if they are valid and applied appropriately

By focusing on cybersecurity fundamentals, RedSeal helps government agencies and Global 2000 companies measurably reduce their cyber risk. With our cyber terrain analytics platform and professional services, enterprises improve their resilience to security events by understanding what’s on their networks and how it’s all connected.

RedSeal verifies that network devices are securely configured; validates network segmentation policies; and continuously monitors compliance with policies and regulations. It also prioritizes mitigation based on each vulnerability’s associated risk.

We are proud to be trusted as the central cybersecurity platform in our customers’ defense-in-depth strategy.

CDM Experts: Data Collection, Classification, Analysis Are Keys

/by

Recently, RedSeal Federal CTO Wayne Lloyd was asked to participate in a panel organized by Meritalk on the federal government’s Continuous Diagnostics and Mitigation (CDM) program.

Wayne was joined by CDM experts from Veritas and Splunk. All offered candid assessments of the importance of data classification and collection as the CDM program moves to incorporate a more robust integrated system of dashboards.

Wayne said it was important for organizations to thoroughly understand what their data environments look like. Once they do, data classification becomes easier.

“At RedSeal we help customers model their networks so they can understand what IP space they have and where the data may be residing,” he said. But all of these deployments reveal that the organization “doesn’t know their entire network,” he added.

On the subject of data classification and protection, David Bailey, senior director of U.S. public sector technical sales at Veritas said, “Mission critical data containing patient information for a hospital or the VA should be in tiered storage with the best, maybe multiple, forms of protection, with lots of role-based access controls.” He added that sometimes understanding what data needs to be protected the most is the most important priority.

Adilson Jardim, area vice president for public sector sales engineering at Splunk, said there should be an emphasis on the “continuous” part of CDM, and that it shouldn’t “be a program that ends in five years.”

Click here to read more: https://www.meritalk.com/articles/cdm-experts-data-collection-classification-analysis-are-keys/

To learn more about how RedSeal supports the DHS CDM program, visit “RedSeal and DHS CDM DEFEND

 — Lauren Stauffer, Sr. Director, Market Development

How to Identify Your Boundary Defense Needs

/by

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) twelfth control for implementing a cybersecurity program is for your organization to control the flow of information transferring between networks of different trust levels. The first sub-control states that an organization should maintain an inventory of all network boundaries. So, the first question you need to ask is: where are your network boundaries?

Back in the days before the Internet was prevalent and mainframes dominated the IT landscape, these boundaries were very well defined. All the company’s information was warehoused in a mainframe centrally controlled by a small group of people. Getting access to the data was a very rigorous process and external links were not common. When external links were established, they were very tightly defined to exchange the minimum amount of information required to conduct business.

With the introduction of Local Area Networks, data started to be distributed within the organization. The IT department frequently was not involved in the deployment of these networks since they were seen as local resources and didn’t include external links. As these data resources grew, departments wanted to share information outside the boundaries of their local network. The Internet facilitated this connectivity, and IT departments needed to get involved to provide a control point for these data flows.

Now jump to the present where organizations have multiple internal data sources deployed in a distributed fashion, and the business owners of the data want to share this information with others to make their operations more efficient. The IT department now needs to understand the network boundaries and the security group needs to control and manage the boundary defense requirements.

To inventory these boundaries, the first step is to understand how your network infrastructure is connected. Assuming you’ve done a good job implementing CIS Control #1 (Inventory and Control of Hardware Assets), you have an initial base to identify all connections to external organizations and the Internet. A secondary pass through this information should focus on identifying internal connectivity. Understand where your organization allows data to flow and identify untrusted links within the organization, like guest wireless access.

The second phase of creating your boundary inventory is to leverage the data gathered in implementing CIS Control #2 (Inventory and Control of Software Assets). By understanding the systems running on your servers, you can start to understand where the users of the data are connecting to the enterprise. Then, map these flows to the hardware inventory to get an understanding of all network boundaries and determine where your organization should focus to implement appropriate security controls.

With automated tools and platforms in place from the first two controls, putting together the initial inventory of network boundaries should be a relatively easy process. Then your security group can start to improve overall boundary defenses as identified in the other sub-controls within the twelfth CIS control (Boundary Defense).

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for understanding the networking environment and helping to identify the network boundaries that have already been deployed. This, in turn, will allow your organization to improve these boundary defenses in a cost efficient manner.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your cybersecurity program using the CIS Controls.

CIS Benchmarks Bring Network and Security Teams Together

/by

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) eleventh control for implementing a cybersecurity program is for your organization to actively track, report on, and correct the security configurations for network devices. This involves the use of a configuration management system and robust change control processes. What has been missing is a common set of network device security configurations standards that can be utilized by network and security teams.

As a networking professional for over 30 years, I understand the need to consistently and securely configure network devices. I built “golden templates” to make sure that any time I added a new device, it is configured the same as the last one. I utilized my own knowledge base and vendor recommendations for how to configure these network devices. Sound familiar?

But, network manufacturers frequently provide software updates to add new features, correct bugs, and address identified security holes in their networking devices. How often do we go back to update golden templates and check existing network devices when we install a new software version or use a new feature? In my experience, rarely. Network operations teams are too busy addressing access requirements and network-related support tickets. Checking existing configurations for correctness becomes a summer intern’s job.

Then, the security group starts the important work of establishing policies for how to secure information within your enterprise. Because network devices are part of the security infrastructure, the security analyst starts asking questions of the network operations teams and the divide between groups becomes apparent. The networking teams are addressing access requirements and tickets. They just don’t have the manpower to address the security analyst’s concerns.

To help bridge this internal divide, organizations are turning to security frameworks to allow teams to understand both sides of the equation. A very useful framework comes from CIS. CIS provides CIS Benchmarks, a set of configuration guidelines for the most common networking devices and platforms. These benchmarks have been developed by both security and networking professionals as minimum configuration security standards. Network teams can establish projects to update golden templates and then address security configuration issues on individual devices. By using the CIS Benchmarks, security teams have a set of standards to run an audit of network device configurations — and assess the overall risk to the enterprise when device configurations don’t match the standards.

Federal government agencies have done this for many years using DISA STIGs (Security Technical Information Guides). CIS Benchmarks are similar to these standards, but the Department of Defense has security requirements that are different from many commercial organizations.

As a single project, reconfiguring many networking devices is a challenge. You’ll need to make these security standards part of the existing golden templates and then integrate them with the on-going change management processes. It will take some time to fully migrate to these standards. Consider smaller projects that address a portion of the CIS Benchmarks so you can demonstrate tangible improvements more quickly.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for understanding the networking environment and helping to identify network devices that do not meet minimum recommended network device configuration standards. Whether you utilize CIS Benchmarks, STIGs, or some other established standard, make sure that these controls receive some attention in your overall cybersecurity strategy.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your cybersecurity program using the CIS Controls.

Is Process Killing Digital Resilience and Endangering Our Country?

/by

After reading a Facebook comment on “Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts,” I’m compelled to respond.

I work a lot with the Navy (and the DOD as a whole) as a vendor. I spent 26 years in the intelligence community as a contractor running datacenter operations, transitioning to cybersecurity in the late 1990s.

From my past insider experience to my now outside-in view, “process” is one of the biggest hurdles to effectively defending a network. Process frustrates the talented cyber warriors and process is what managers hide behind when a breach that happened six months or more ago is finally detected.

Process = regulations.

Processes are generally put into place in response to past incidents. Simple knee jerk reactions. But things change. We need to review and change our processes and regulations, and, in some cases completely tear them apart to allow our talented cyber warriors to defend our networks. New regulations would allow them to get into the fight. They may even remain in their jobs longer, rather than leaving for industry — taking expensive training and irreplaceable knowledge with them.

One of my coworkers was on a Cyber Protection Team (CPT) for a major military command. He left to work in a commercial SOC. At one point, his team pitched their services to the top echelon of a service branch. As they introduced my coworker, he was asked why he left military service. My coworker, being an Army Ranger, and then an enlisted sailor, is pretty direct. He said, “Because you’re not in the fight. You’re more worried about the policy and process, while I’m here every day fighting the Russians, Chinese and Iranians.” One officer turns to the others and said, “This is exactly what I mean.”

Too much process and regulation restrict the agility needed for prompt incident response. To resolve incidents quickly (and minimize damage), cyber warriors require trust from their leadership. Trust in their abilities to make quick decisions, be creative, and quickly deploy lessons learned.

The very cyber warriors whose decisions they question are the same ones they blame when things go wrong.

As always, Target is a prime example. It was a low-level cyber warrior who found the “oddity” when doing a packet capture review. He notified Target leadership. But they didn’t act. They ignored him until their credit cards were on the dark web. Then, they went back to the young cyber warrior and fired him. He asked why. After all, he identified the problem first. The response from his leadership was: “Well, you didn’t make your point strong enough for us to take action on.”

The military has the same mentality. But, since many of them have even less knowledge of real-world hacks then private sector management, they take even more time to make decisions. Another friend told me about a time when he was on active duty and found evidence that someone had exploited the network. When he reported it, his leadership kicked it back because there was “not enough evidence.”  He then broke down the exploit and was able to provide the address and phone number of the adversary in Russia. Finally, they acted, but his CO did not want to report it to higher HQ because he was afraid of the fallout.

My friend reminded his CO that they were part of a carrier strike group, and all their data was incorporated into the fleet. Once again, he was ordered to fix it and not report it. He really believed that the only way to protect the group would be to send an anonymous email. This cyber warrior had to choose between disobeying orders and protecting our country.

Let’s not put our talented cyber warriors into this trap. Process and regulations need to be flexible enough to allow these people to protect our country – quickly.

Learn more about RedSeal’s support of cyber protection teams and our approach to digital resilience in the DOD.