Blog Archives - Page 26 of 30 - RedSeal

Reluctant Recipient to Willing Participant: Operationalizing RedSeal

/by

by Wayne Lloyd, Federal CTO RedSeal

Not too long ago I had a customer, “Joe”, explain to me how he overcame organizational challenges and got his network team to operationalize the findings from RedSeal.

Joe started by taking advantage of RedSeal features that can be leveraged immediately upon deployment, such as the Best Practice and STIG checks. He generated a report and sent it over to the transport team, convinced that they would recognize the findings’ importance and promptly start remediation efforts.

Unfortunately for Joe, the transport team was busy with their own operational tasks, and he’d just dumped a phonebook worth of problems in their lap.  The first issue they had: More work! More importantly, they had no idea where the data came from and didn’t trust its accuracy. They reacted the same way the people I’ve worked with did; they ignored it. They had to focus on their own priorities. It’s hard to justify overriding operational or mission requirements with new (not mandatory) tasks.

Joe is not the type to be ignored or take no for an answer; he chose another tactic.  He printed three high priority findings and personally showed them to the most receptive network team members. He didn’t present the findings as issues that needed immediate attention but instead, he asked for help in verifying the findings. They reviewed the three findings, validated them as real issues that needed immediate resolution, then thanked Joe for sharing them.

A few days later he did the same thing with the same result.  After weeks of this, the network team came to trust the findings and wanted to know where they came from. He told them it was RedSeal, and they jumped at his offer to have the reports automatically emailed to them. They wanted to learn what else RedSeal could provide.

What I learned from this is if you want to gain acceptance, you can’t just dump mountains of work on an unwitting team that is already over tasked.  You have to slowly gain their trust a little bit at a time.  Show them that you’re really on their side and not there to tell them they are doing things wrong.  Once they have confidence in the data, they will ask for more. Once they gain trust in the results, they will operationalize it into their own workflow as a willing participant… rather than a reluctant recipient.

Using inflight entertainment systems to hack into commercial airline controls?

/by

Recent headlines tell us that “Feds Say That Banned Researcher [Chris Roberts] Commandeered a Plane.” As always, there is more to the story. In fact, there are claims and counter-claims about what Chris Roberts actually did.  The FBI search warrant says he did actually send control commands that impacted the flight path of the aircraft, but this is currently unproven.  The whole incident brings focus on the issue of what is called lateral movement – can someone with access to, for example, the inflight entertainment system of an aircraft use that toe-hold to reach further in to the network to do actual harm?

Once, aircraft control machinery was effectively offline, not connected to any outside networks. But, as we’ve seen in recent coverage (including the loss of Malaysian Airlines Flight 17) aircraft are much more inter-connected than they used to be.  They connect to the outside world in several different ways, ranging from satellite-based networks for flight telemetry to networks used to provide Internet access from passenger seats.  As these networks proliferate, they inevitably touch; and any touch point is something an attacker can use.  The number of possible weak points multiplies over time.

The questions raised by this story are the current frontier of security, and apply well beyond aircraft.  We rely more and more on networks that we cannot easily see or understand.  Defects in one network can open up access to another. Attacks can work upwards like grass through cement, finding weak points and cracking hard defenses.  What all defenders need to learn to do is to use technology to monitor technology. As our networks grow larger than we can understand, human effort and good will are not enough. This is why the current emphasis in security is on automated testing of defenses. We look for lateral movement opportunities, so we can isolate the truly critical things – say an aircraft’s control network – from the far less important, such as the inflight entertainment systems.

What SendGrid can teach us about dependency

/by

The watch-word for the SendGrid breach is “interdependence”.  In the online world, we may think we’re dealing with one company, but we’re actually dealing with them and with every other company they choose to deal with.  This makes an ever-widening attack surface.  (The breaking news about the Chinese “Great Cannon” software shows similar patterns.)  These days, if you visit a website, you can be confident you are actually talking to a huge variety of other organizations who may provide ads, services, traffic monitoring, or any other legitimate services.  One recent study of a popular news site showed that reading a simple news story meant your browser spoke to 38 distinct hosts, spread across no less than 20 different organizational domains!  The problem is that this array of services is very large, and a chain is only as strong as its weakest link.  Attackers only need to find one weak point to start an attack.

KCBS Interview on Obama’s information sharing initiative

/by

I recently recorded an interview with KCBS, on Obama’s announcement of the Cyber Threat Intelligence Integration Center.  I do believe this is good news, but I confess, I worry about the way all these proposals indicate how data will go in to the government, with very little said about how anything will ever come out.  In the scope of a 5 minute live interview, there wasn’t a lot of time for that kind of subtlety!

The Next Manhattan Project

/by

Just participated in The White House Summit on Cybersecurity at Stanford.  The President and all the participants focused on the fact that cyber is the threat of the 21st century, that government alone can’t protect us, and that no company has the resources to completely protect themselves.  Recent history confirms this.  Thus to collaborate, to share, and to work together is our real only solution.  There was plenty of head nods to the Constitution and privacy.  Tony Earley, CEO of PG&E, said that we need to work together like we did on the Manhattan Project.  Now that is big thinking, and a big call to action.  I couldn’t agree more.

Changing how we think about cybersecurity

/by

Almost since the birth of computer networking, engineers who build and manage computer systems have needed to figure out how to protect them from both intentional attack and unintentional damage. The deeply technical realities of securing computers and networks created a need for security specialists. Recently, the costs and other implications of attacks have created a seismic shift in how businesses must think about cybersecurity. Responsibility for cybersecurity has expanded from the IT engineer to the boardroom, and it’s not going back.

This past week, Cisco published its Annual Security Report. One of the key areas Cisco calls out is “Changing the View Toward Cybersecurity—From Users to the Corporate Boardroom.” The report highlights the increasing importance of security not only within the technical ranks, but also as part of an organization’s strategic oversight. In fact, according to Cisco, “Strategies include considering new approaches to help align people, processes, and technology, making security a topic at the corporate boardroom level, and adopting more sophisticated security controls…”

As I speak with executives and board members of major enterprises, I’m increasingly hearing the same thing: they agree that it’s time for them to understand how their assets are protected, how their security investments are used, and how their networks are being protected before, during and after attacks. Given the complexity of today’s networks, providing them with answers requires automation. Networks aren’t static because businesses are not static. Useful answers need continual assessment and at least daily reports –describing the changes in the enterprise’s risk profile, access paths, and threats.  When changes occur, the CEO must ask the question, “Is my network more protected today than yesterday?”

As Cisco’s report states, “The future of cybersecurity hinges on boardroom engagement today.” That engagement requires goals and standards, clear communication, succinct information, and continuous improvement in the face of ever-changing business requirements. Furthermore, the report makes clear the questions that the organization must be able to answer: “Boards also need to start asking tough questions about security controls: What controls do we have in place? How well have they been tested? Do we have a reporting process? How quickly can we detect and remediate the inevitable compromise? And perhaps, the most important question: What else should we know? CIOs need to be prepared to answer those questions from the board, in terms that are meaningful and understandable to board members, and also outline implications for the business of any proposed changes..

With RedSeal, you are able to answer those questions, and not merely in terms of the intended design, but in terms of the reality of your network today. Is your network RedSealed?

US & UK Joint Wargames – let’s not wait for Pearl Harbor

/by

The idea of the US and UK working together on war-games is a good one.  It recognizes that we are in a war, and that we are losing.  We need to improve our defensive game.  Chris Inglis, the former NSA director, has commented that the state of security today massively favors the attacker – he suggests that if we kept score, it would be 462-456, just 20 minutes into the game, because our defense is so poor.

The continuous stream of announcements of new breaches, along with the UK stats indicating the vast majority of large companies are suffering serious breaches, adds up to clear evidence of weak defense.  War games are a good way to get one step ahead, shifting to a proactive rather than purely reactive stance.  Nation states can do this with teams of people, but this is too labor intensive and expensive for most organizations.  This is why the security industry puts so much emphasis on automation – not just the automated discovery of weaknesses, but automating the critical process of prioritizing these vulnerabilities.  The inconvenient truth is that most organizations know about far too many security gaps to be able to fix them all.  War-gaming is a proven approach to dealing with this reality – find the gaps that are most likely to be used in a breach, and fix those first.  Perfect security is not possible, but realistic security comes from understanding your defensive readiness, stack-ranking your risks, and acting on the most critical ones.

Cyber Infrastructure – the Fifth Domain

/by

Cyber Infrastructure – the Fifth Domain
The last couple of years has seen an incredible rise in reported incidents of cyber attacks.  Research by many organizations, including Check Point Software and Verizon DBIR, indicate that it’s not a reporting bias, cyber attacks are indeed on the rise.  The good news for us all, as the New York Times reported, is that President Obama is stepping up the nation’s cyber defenses to meet this threat.

Our nation’s economy and well-being are totally dependent on our networks. To keep our economy moving, information flowing, and ourselves informed, we need to protect and defend these networks. Our cyber infrastructure has become the fifth domain a sovereign nation needs to protect – after air, land, sea and space.

Network Security isn’t a Safety Guarantee
Cyber defense isn’t trivial or easy or cheap.  And there are thousands of network security products to choose from. These products usually serve specific purposes in a defense strategy.  For example, firewalls, among many things they do, protect the gate through which information flows, like the locks on your door.   Intrusion detection on a network is like motion detectors in your home. They can tell you something is happening, but can’t always discriminate between acceptable and bad activity.

When networks are larger, they’re more complex, often overwhelming teams trying to make sense of a breach.  There are scores of reporting systems that provide real-time data about break-ins.  But even those are not always as useful as management would like. Dave Dewalt’s story on 60 Minutes recently is typical.

But even with the best people, plans, and essentially an unlimited budget like JP Morgan, companies still get hacked. Why aren’t our networks more secure? Why is a breach in the news every day?  Because, as our President agrees, it’s time to harden our networks.

Network Hardening: Getting Ahead of Cyber Attackers
Network hardening requires many things.  First, it means understanding your network — every element, every device and every path possible.  It means understanding potential threats and having outside intelligence about where the threats originate.  It means focusing your limited resources on the most important things you can do to protect your business.

RedSeal’s mission is to help Global 2000 organizations harden their networks. It gives you the detailed information you need — how your network routes traffic, detailed paths from everywhere to everywhere and how ready your equipment is.  It helps you determine where you should focus your resources and what exactly you can do to harden your network – from the most risky or vulnerable places to the least.  Prioritization is key to getting ahead of the cyber attackers.

Security’s Nightmare: Negative Unemployment

/by

Unemployment is bad, so negative unemployment must be good, right?  Um, no.  (I’ll steal a line from Douglas Adams: “It’s unpleasantly like being drunk” … “What’s so unpleasant about being drunk?” … “Well, ask a glass of water.”)  Security as an industry is short-staffed – critically so, and it’s getting worse.

This came into sharp focus with the recent suit between MasterCard and Nike.  I’ve no comment on the specifics of the case, but the general lesson is clear: security geeks are in desperately short supply.  When I think of where this industry was just a few years ago, it would have been preposterous to imagine two household name, world class companies unleashing lawyers over such a fracas.

This is why security automation is such a big deal.  Security teams everywhere are drowning in unaddressed, basic problems.  We know plenty about what we need to do, but we just can’t get it all done – there aren’t enough fingers on the keyboards.  (Anyone remember “The 5,000 Fingers of Dr T”?)  We need machines to prioritize all the signal overload; there’s no other way to make headway.

Calling in the security experts – your network engineers

/by

I’ve talked about the need to consider your network as the key to improving cyber defenses.  Here’s why.

Today’s attacks are “system-level”, supplanting specific server or host exploitations.  Cybercriminals today develop sophisticated attack strategies by:

  1. Finding PATHWAYS INTO the network through phishing emails, third parties, or other creative ways.
  2. MOVING MALWARE AROUND the network while masquerading as legitimate traffic.
  3. Identifying legitimate PATHWAYS OUT.
  4. Exfiltrating company assets through these pathways.

Notice this is all about TRAFFIC and PATHWAYS, and who knows the most about these?   Your network team.

They know your network and why it is built the way it is.   What is their priority?    Performance and uptime.   They have a wealth of tools that already help them manage to these priorities.  So if a security solution gave them additional knowledge about their network that helped manage performance and uptime, they would likely embrace and use it.  Although they are now working with firewalls and other security devices by necessity, they still focus on performance.  They’ve segmented the network for management and performance reasons, but are now expected to further segment for security.

And they care about one other thing:  Access.   Access to data and applications by their end users.

Access?  Pathways?  This is EXACTLY what attackers are exploiting.

So your best bet to combat cybercrime?  Bring in the experts who know about access in your network, and leverage their knowledge and experience.

Get the latest news, invites to events, and threat alerts

CONTACT US
RedSeal Japan
Distinguished Vendor badge 2025

Footer
Connect on LinkedIn