The Next Manhattan Project

Just participated in The White House Summit on Cybersecurity at Stanford.  The President and all the participants focused on the fact that cyber is the threat of the 21st century, that government alone can’t protect us, and that no company has the resources to completely protect itself.  Recent history confirms this.  Thus collaborating, sharing, and working together is our only real solution.  There were plenty of head nods to the Constitution and privacy.  Tony Earley, CEO of PG&E, said that we need to work together like we did on the Manhattan Project.  Now that is big thinking, and a big call to action.  I couldn’t agree more.

Changing how we think about cybersecurity

Almost since the birth of computer networking, engineers who build and manage computer systems have needed to figure out how to protect them from both intentional attack and unintentional damage. The deeply technical realities of securing computers and networks created a need for security specialists. Recently, the costs and other implications of attacks have created a seismic shift in how businesses must think about cybersecurity. Responsibility for cybersecurity has expanded from the IT engineer to the boardroom, and it’s not going back.

This past week, Cisco published its Annual Security Report. One of the key areas Cisco calls out is “Changing the View Toward Cybersecurity—From Users to the Corporate Boardroom.” The report highlights the increasing importance of security not only within the technical ranks, but also as part of an organization’s strategic oversight. In fact, according to Cisco, “Strategies include considering new approaches to help align people, processes, and technology, making security a topic at the corporate boardroom level, and adopting more sophisticated security controls…”

As I speak with executives and board members of major enterprises, I’m increasingly hearing the same thing: they agree that it’s time for them to understand how their assets are protected, how their security investments are used, and how their networks are being protected before, during and after attacks. Given the complexity of today’s networks, providing them with answers requires automation. Networks aren’t static because businesses are not static. Useful answers need continual assessment and at least daily reports describing the changes in the enterprise’s risk profile, access paths, and threats.  When changes occur, the CEO must ask the question, “Is my network more protected today than yesterday?”

As Cisco’s report states, “The future of cybersecurity hinges on boardroom engagement today.” That engagement requires goals and standards, clear communication, succinct information, and continuous improvement in the face of ever-changing business requirements. Furthermore, the report makes clear the questions that the organization must be able to answer: “Boards also need to start asking tough questions about security controls: What controls do we have in place? How well have they been tested? Do we have a reporting process? How quickly can we detect and remediate the inevitable compromise? And perhaps, the most important question: What else should we know? CIOs need to be prepared to answer those questions from the board, in terms that are meaningful and understandable to board members, and also outline implications for the business of any proposed changes.”

With RedSeal, you are able to answer those questions, and not merely in terms of the intended design, but in terms of the reality of your network today. Is your network RedSealed?

US & UK Joint Wargames – let’s not wait for Pearl Harbor

The idea of the US and UK working together on war-games is a good one.  It recognizes that we are in a war, and that we are losing.  We need to improve our defensive game.  Chris Inglis, the former NSA director, has commented that the state of security today massively favors the attacker – he suggests that if we kept score, it would be 462-456, just 20 minutes into the game, because our defense is so poor.

The continuous stream of announcements of new breaches, along with the UK stats indicating the vast majority of large companies are suffering serious breaches, adds up to clear evidence of weak defense.  War games are a good way to get one step ahead, shifting to a proactive rather than purely reactive stance.  Nation states can do this with teams of people, but this is too labor intensive and expensive for most organizations.  This is why the security industry puts so much emphasis on automation – not just the automated discovery of weaknesses, but automating the critical process of prioritizing these vulnerabilities.  The inconvenient truth is that most organizations know about far too many security gaps to be able to fix them all.  War-gaming is a proven approach to dealing with this reality – find the gaps that are most likely to be used in a breach, and fix those first.  Perfect security is not possible, but realistic security comes from understanding your defensive readiness, stack-ranking your risks, and acting on the most critical ones.

Cyber Infrastructure – the Fifth Domain

The last couple of years have seen an incredible rise in reported incidents of cyber attacks.  Research by many organizations, including Check Point Software and the Verizon DBIR, indicates that this is not a reporting bias: cyber attacks are indeed on the rise.  The good news for us all, as the New York Times reported, is that President Obama is stepping up the nation’s cyber defenses to meet this threat.

Our nation’s economy and well-being are totally dependent on our networks. To keep our economy moving, information flowing, and ourselves informed, we need to protect and defend these networks. Our cyber infrastructure has become the fifth domain a sovereign nation needs to protect – after air, land, sea and space.

Network Security isn’t a Safety Guarantee

Cyber defense isn’t trivial or easy or cheap.  And there are thousands of network security products to choose from. These products usually serve specific purposes in a defense strategy.  For example, firewalls, among the many things they do, protect the gate through which information flows, like the locks on your door.  Intrusion detection on a network is like motion detectors in your home. They can tell you something is happening, but can’t always discriminate between acceptable and bad activity.

When networks are larger, they’re more complex, often overwhelming teams trying to make sense of a breach.  There are scores of reporting systems that provide real-time data about break-ins.  But even those are not always as useful as management would like. Dave DeWalt’s recent story on 60 Minutes is typical.

But even with the best people, plans, and essentially an unlimited budget like JP Morgan, companies still get hacked. Why aren’t our networks more secure? Why is a breach in the news every day?  Because, as our President agrees, it’s time to harden our networks.

Network Hardening: Getting Ahead of Cyber Attackers

Network hardening requires many things.  First, it means understanding your network — every element, every device and every path possible.  It means understanding potential threats and having outside intelligence about where the threats originate.  It means focusing your limited resources on the most important things you can do to protect your business.

RedSeal’s mission is to help Global 2000 organizations harden their networks. It gives you the detailed information you need — how your network routes traffic, detailed paths from everywhere to everywhere and how ready your equipment is.  It helps you determine where you should focus your resources and what exactly you can do to harden your network – from the most risky or vulnerable places to the least.  Prioritization is key to getting ahead of the cyber attackers.

Security’s Nightmare: Negative Unemployment

Unemployment is bad, so negative unemployment must be good, right?  Um, no.  (I’ll steal a line from Douglas Adams: “It’s unpleasantly like being drunk” … “What’s so unpleasant about being drunk?” … “Well, ask a glass of water.”)  Security as an industry is short-staffed – critically so, and it’s getting worse.

This came into sharp focus with the recent suit between MasterCard and Nike.  I’ve no comment on the specifics of the case, but the general lesson is clear: security geeks are in desperately short supply.  When I think of where this industry was just a few years ago, it would have been preposterous to imagine two household name, world class companies unleashing lawyers over such a fracas.

This is why security automation is such a big deal.  Security teams everywhere are drowning in unaddressed, basic problems.  We know plenty about what we need to do, but we just can’t get it all done – there aren’t enough fingers on the keyboards.  (Anyone remember “The 5,000 Fingers of Dr T”?)  We need machines to prioritize all the signal overload; there’s no other way to make headway.

Calling in the security experts – your network engineers

I’ve talked about the need to consider your network as the key to improving cyber defenses.  Here’s why.

Today’s attacks are “system-level”, supplanting specific server or host exploitations.  Cybercriminals today develop sophisticated attack strategies by:

  1. Finding PATHWAYS INTO the network through phishing emails, third parties, or other creative ways.
  2. MOVING MALWARE AROUND the network while masquerading as legitimate traffic.
  3. Identifying legitimate PATHWAYS OUT.
  4. Exfiltrating company assets through these pathways.

Notice this is all about TRAFFIC and PATHWAYS, and who knows the most about these?   Your network team.

They know your network and why it is built the way it is.   What is their priority?    Performance and uptime.   They have a wealth of tools that already help them manage to these priorities.  So if a security solution gave them additional knowledge about their network that helped manage performance and uptime, they would likely embrace and use it.  Although they are now working with firewalls and other security devices by necessity, they still focus on performance.  They’ve segmented the network for management and performance reasons, but are now expected to further segment for security.

And they care about one other thing:  Access.   Access to data and applications by their end users.

Access?  Pathways?  This is EXACTLY what attackers are exploiting.

So your best bet to combat cybercrime?  Bring in the experts who know about access in your network, and leverage their knowledge and experience.

Securing Your Network, or Networking for Security?

Every day we hear about another breach, and most of the time the information we get is fairly consistent – the breach started and finished long before it was discovered.    It’s not always clear exactly how or where the attackers were able to get access because they’ve had ample time to cover their tracks.   Whatever log or history data we have is massive, and sifting through it to figure out anything about the attack is very difficult and time consuming.  We don’t quite know what we’re looking for and much of the evidence has come and gone.

As I survey the cybersecurity market and media coverage, I notice that:

  1. We’ve thrown in the towel: it’s “not if, but when” you’ll be breached.
  2. Many security vendors are now talking about analytics, dashboards, and big data instead of prevention.

Notably absent is the acknowledgement that the attack did not happen at a single point or computer, and that the actual theft of data was allowed because the data looked like legitimate network traffic using allowed routes through and out of the network.

We hear a lot about not having enough “security expertise”.  Is that really the problem?  Or is the problem that the security experts don’t really understand the full complexity of their networks?  The network experts understand.  These attacks are happening via network traffic – not on a device, nor with a known signature.   And what do networking professionals care about?  Traffic, and how it’s flowing.   I maintain that there’s a lot more expertise that could help in this breach analysis and prevention than we think – we’re just not asking the right people.

In subsequent posts I’ll talk about why the networking team is becoming vital to security efforts, and why understanding how a network is constructed and performs is the best chance we have of improving our defenses.

One Billion Dollars

Do I have your attention?

I was sitting in a hotel restaurant having breakfast overlooking the Sydney harbor the morning I read the story a couple weeks ago. While it’s half a world away and it may not have crossed your radar, the cost of the breach of the South Korean national identification database is expected to exceed a billion dollars.

I wonder if it’s enough.

As I have spoken with many who are responsible for the day-to-day activities involved in maintaining enterprise technology, I often hear that there isn’t enough impetus to invest in infrastructure security beyond the now-traditional firewalls and IPS/IDS technologies. They all recognize that such reactive tools are essential, but that they only enter the equation after the bad guys are already in the network.

What if they could actually keep them out?

Doing so requires more. It requires proactive cyber attack prevention. It requires getting your arms around everything that is possible on your network, not just what is currently happening or has happened in the past. The distinction is critical, and often missed, because it is so difficult to understand the millions of potential paths: the compounding effects of routers, firewalls, and load balancers quickly become overwhelming. Many organizations punt on the overall picture and focus on individual devices and cleaning up their configurations. While such work is good and important, it ignores the bigger picture: if there are circumstances, however unlikely, that would allow packets to circumvent the controls or the intrusion systems, all the defenses in the world will fail to protect the organization.

Many of the breaches we are seeing these days are the result of these kinds of situations.

So, will a billion dollar bill be a sufficient wake up call for those responsible for investing in cyber security?

Top 5 Network Security Best Practices

As I sat in one of RedSeal’s headquarters conference rooms last week discussing with two customers their approach to securing their networks, I was reminded how, even in the midst of our diversity, there are some fundamental truths about security and best practices. We’ve come up with five of the top network security best practices.

First and ultimately, it’s about people. There is only so much that automation can do, and often we put it in place to discover, determine, or deconstruct the errors people make. One of the primary options we have in this area is to continuously educate and communicate wise choices to limit the potential security incidents. The ultimate best practice is prevention. Creating a security-sensitive business culture is therefore a prime best practice.

Second, identify your critical assets and rank all of your assets based on their importance to your business. This is part of knowing what you are protecting. Once you know what assets are important, you can determine whether or not you are appropriately defending them. If you don’t have them clearly identified, critical assets may remain unprotected and open for attack.

Third, create a zoned network security architecture to delineate between ranks of assets and communication between them, providing for buffer zones that can deflect attacks. The common DMZ network was the first of the general-purpose zones to come into widespread use, and recommendations like those in the PCI DSS add additional zones like Cardholder Data and Wireless to the mix. Having your own clear definitions is critical.

Fourth, being clear about the access that is generally allowed between those zones, that is forbidden, and that is approved for certain business reasons is the next step. Know what access you want to have available and what access you want to make sure isn’t possible. For example, it’s likely you’ll want to prohibit login protocols from any outside link into your network. Some access limitations are also created for you by external standards. For example, PCI DSS makes clear that access into Cardholder from the Internet is prohibited, and access from Cardholder outbound to the Internet is also forbidden.

And fifth, once you’ve defined all of these aspects of your network security, it is critical to use automation to make sure that your network correctly implements this design. I have seen many instances where networks are not doing what the design intended. Almost without fail, there are errors in configurations that cause unexpected access, or at least consequences that were not intended. The massive interconnectivity of the network often allows potential paths that can circumvent controls under circumstances that are uncommon but possible. All of these possibilities require the use of automation to continuously review and check the devices and the network for any potential consequence, to provide as much protection as possible.

While this isn’t easy to do by human analysis, RedSeal can model and analyze this kind of information for you every day. You can know what you don’t know. It’s worth it!
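As an added example (not RedSeal’s code and not from the original posts), here is a small Python model of the zoned design, access rules and automated check described in practices three through five. It runs against a constructed rule base: it computes every zone-to-zone flow reachable over any chain of permitting hops, flags those a written policy forbids (including the two PCI DSS rules quoted above and the “no login protocols from outside” rule), shows which zones an intruder could reach by pivoting hop by hop (the pathways-in and pathways-out pattern described earlier in the page), and diffs today’s access against yesterday’s to answer the “more protected today than yesterday” question. Zone names, the rule base, the policy and the “yesterday” snapshot are all constructed; they stand in for whatever the real network’s device configurations actually contain.

```python
"""Zone-level access analysis (added example, constructed data).

Zones are nodes; each firewall hop is a directed edge carrying the set of
flows ("proto/port") it permits. Anything not listed is denied.
"""
from collections import deque

# Constructed firewall rule base. Key: (from_zone, to_zone); value: flows
# that hop permits. The Cardholder -> Corp hop is the "unintended" change.
RULES = {
    ("Internet", "DMZ"): {"tcp/443"},
    ("DMZ", "Corp"): {"tcp/1433"},
    ("Corp", "Cardholder"): {"tcp/1433"},
    ("Cardholder", "Corp"): {"tcp/443"},        # added for "update traffic"
    ("Corp", "Internet"): {"tcp/443", "tcp/80"},
    ("Wireless", "Corp"): {"tcp/443"},
}

# Constructed policy in the spirit of the PCI DSS rules quoted above:
# (src, dst, flows) that must NOT be reachable; "*" matches any zone/flow.
POLICY = [
    ("Internet", "Cardholder", "*"),
    ("Cardholder", "Internet", "*"),
    ("Internet", "*", {"tcp/22", "tcp/23", "tcp/3389"}),  # no login from outside
]


def flow_paths(rules, src, flow):
    """Breadth-first search over hops that permit `flow`. Returns
    {dst: [src, ..., dst]} for every zone a single connection of that
    flow could reach from src, via any chain of permitting hops."""
    paths = {src: [src]}
    queue = deque([src])
    while queue:
        here = queue.popleft()
        for (a, b), allowed in rules.items():
            if a == here and flow in allowed and b not in paths:
                paths[b] = paths[here] + [b]
                queue.append(b)
    del paths[src]
    return paths


def access_matrix(rules):
    """All reachable (src, dst, flow) triples, each with one witnessing path."""
    zones = {z for pair in rules for z in pair}
    flows = set().union(*rules.values())
    matrix = {}
    for src in zones:
        for flow in flows:
            for dst, path in flow_paths(rules, src, flow).items():
                matrix[(src, dst, flow)] = path
    return matrix


def violations(matrix, policy):
    """Reachable triples that some policy entry forbids, with their paths."""
    found = []
    for (src, dst, flow), path in matrix.items():
        for p_src, p_dst, p_flows in policy:
            if (p_src in ("*", src) and p_dst in ("*", dst)
                    and (p_flows == "*" or flow in p_flows)):
                found.append((src, dst, flow, path))
    return sorted(found)


def pivot_reach(rules, src):
    """Zones an intruder holding a host in `src` could reach by chaining
    hops of *any* permitted flow (lateral movement, not one connection)."""
    seen, queue = {src}, deque([src])
    while queue:
        here = queue.popleft()
        for a, b in rules:
            if a == here and b not in seen:
                seen.add(b)
                queue.append(b)
    seen.discard(src)
    return sorted(seen)


def access_diff(yesterday, today):
    """'Is the network more exposed today than yesterday?' Returns
    (newly reachable triples, triples that are no longer reachable)."""
    return (sorted(set(today) - set(yesterday)),
            sorted(set(yesterday) - set(today)))


if __name__ == "__main__":
    today = access_matrix(RULES)
    for src, dst, flow, path in violations(today, POLICY):
        print(f"VIOLATION {src} -> {dst} {flow} via {' > '.join(path)}")
    print("pivot reach from Internet:", pivot_reach(RULES, "Internet"))
    # Constructed "yesterday" snapshot: the Cardholder -> Corp hop did not exist.
    yesterday_rules = {k: v for k, v in RULES.items() if k != ("Cardholder", "Corp")}
    added, removed = access_diff(access_matrix(yesterday_rules), today)
    print("new access since yesterday:", added, "removed:", removed)
```

Two things the run shows that a per-device review would miss: no single connection from the Internet reaches Cardholder, yet the tcp/443 hop opened from Cardholder to Corp combines with Corp’s existing outbound rule into a forbidden Cardholder-to-Internet path; and the pivot view shows that a host in the DMZ can still be used as a stepping stone toward Cardholder because each hop on that route is individually legitimate. The daily diff is the report the CEO question asks for: the same three new triples appear whether or not anyone noticed the change.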

Anticipating attack: top 10 ways to prevent a breach

Last week, I spent most of my time in a conference room at RedSeal headquarters presenting our RedSeal Certification training to a mix of our customers and recent additions to the RedSeal team. Showing those in attendance the broad set of capabilities of the system reminded me how important it is to be very clear about the steps for anticipating attack and putting together automation and operations to protect your enterprise and its assets.

Here is my top 10 list:

  1. Scan your hosts for vulnerabilities
  2. Prioritize and schedule patching
  3. Place modern security controls at all ingress and egress points
  4. Monitor all ingress and egress traffic, triggering alerts and interception of inappropriate traffic
  5. Standardize your device configurations
  6. Create a set of network security zones
  7. Review your network’s access paths
  8. Compare access to network security policy
  9. Track approvals of access between critical zones
  10. Monitor and report on access found each day

How does your approach compare to this list? What do you think I’m missing? Is there anything I included that you think shouldn’t be here?