Tag Archive for: as-built model

Why It’s Time for a New Approach to Network Security

COMPUTER BUSINESS REVIEW | 2 March 2017

By Dr. Mike Lloyd, RedSeal CTO

Dr. Mike Lloyd looks at the year ahead for businesses and security and why having an up-to-date, realistic blueprint of your network is now more important than ever.

Barely two months into the New Year and already we face tales of new cybersecurity incidents are flooding in. Whether it’s the theft of sensitive customer data, corporate espionage, damaging ransomware-related outages or state-sponsored hacking, the risks have never been greater. And no organisation can claim to be 100% safe. But with UK firms each suffering an estimated 230,000 attacks on average in 2016, the focus must now be on building resilience into corporate networks to ensure the coming year is a more secure one for organisations.

 

Hol(e)y Routers, Batman!

Most people think about network infrastructure about as much as they think about plumbing – which is to say, not at all, until something really unfortunate happens. That’s what puts the “infra” in the infrastructure – we want it out of sight, out of mind, and ideally mostly below ground. We pay more attention to our computing machinery, because we use them directly to do business, to be sociable, or for entertainment. All of these uses depend critically on the network, but that doesn’t mean most of us want to think about the network, itself.

That’s why SEC Consult’s research into exploitable routers probably won’t get the attention it deserves. That’s a pity – it’s a rich and worthwhile piece of work. It’s also the shape of things to come, as we move into the Internet of Things. (I had a great conversation a little while ago with some fire suppression engineers who are increasingly aware of cyber issues – we were amused by the concept of The Internet of Things That Are on Fire.)

In a nutshell, the good folks at SEC Consult searched the Internet for objects with a particular kind of broken cryptography – specifically, with known private keys. This is equivalent to having nice, shiny locks visible on all your doors, but all of them lacking deadbolts. It sure looks like you’re secure, but there’s nothing stopping someone simply opening the doors up. (At a minimum, the flaw they looked for makes it really easy to snoop on encrypted traffic, but depending on context, can also allow masquerading and logging in to control the device.)

And what did they find when they twisted doorknobs? Well, if you’ve read this far, you won’t be surprised that they uncovered several million objects with easily decrypted cryptography.  Interestingly, they were primarily those infrastructure devices we prefer to forget about.  Coincidence? Probably not. The more we ignore devices, the messier they tend to get. That’s one of the scarier points about the Internet of Things – once we have millions or billions of online objects, who will take care of patching them? (Can they be updated? Is the manufacturer responsible? What if the manufacturer has gone out of business?)

But what really puts the icing onto the SEC Consult cake is that they tried hard to report, advertise, and publicize everything they found in late 2015. They pushed vendors; they worked with CERT teams; they made noise. All of this, of course, was an attempt to get things to improve. And what did they find when they went back to scan again? A 40% increase in devices with broken crypto! (To put the cherry onto that icing, the most common device type they reported before has indeed tended to disappear. Like cockroaches, if you kill just one, you’re likely to find more when you look again.)

So what are we to conclude? We may wish our infrastructure could be started up and forgotten, but it can’t be. It’s weak, it’s got mistakes in it, and we are continuously finding new vulnerabilities. One key take-away about these router vulnerabilities: we should never expose management interfaces. That sounds too trivial to even mention – who would knowingly do such a thing?  But people unknowingly do it, and only find out when the fan gets hit. When researchers look (and it gets ever easier to automate an Internet-wide search), they find millions of items that violate even basic, well-understood practices. How can you tell if your infrastructure has these mistakes? I’m not saying a typical enterprise network is all built out of low-end routers with broken crypto on them. But the lessons from this research very much apply to networks of all sizes. If you don’t harden and control access to your infrastructure, your infrastructure can fail (or be made to fail), and that’s not just smelly – it’s a direct loss of digital resilience. And that’s something we can’t abide.

RedSeal and ForeScout Federal CTOs Explain how They Jointly Map, Identify and Increase the Resilience of Public Sector Networks

Last month, Wallace Sann, the Public Sector CTO for ForeScout, and I sat down to chat about the current state of cybersecurity in the federal government. With ForeScout, government security teams can see devices as they join the network, control them, and orchestrate system-wide responses.

Many of our customers deploy both RedSeal and ForeScout side by side. I wanted to take a look at how government security teams were dealing with ongoing threats and the need to integrate difference cybersecurity tools into the “cyber stack.”

Our conversation is lightly edited for better clarity.

Wayne:  Describe the challenges that ForeScout solves for customers.

Wallace:  We help IT organizations identify IT resources and ensure their security posture. There’s always an “ah-ha moment” that occurs during a proof of concept. We see customers who swear by STIG, and will say they only have two versions of Adobe. We’ll show them that there are 6-7 versions running.  We tell you what’s on the network and classify it.

Wayne:  We often say that RedSeal is analogous to a battlefield map where you have various pieces of data coming in to update the topography map with the current situation. By placing the data into the context of the topography, you can understand where reinforcements are needed, where your critical assets are and more.

RedSeal’s map gives you this contextual information for your entire enterprise network. ForeScout makes the map more accurate, adapting to change in real time. It lets you identify assets in real time and can provide some context around device status at a more granular or tactical level.

Wallace:  Many companies I speak to can create policies on the fly, but ensuring that networks and endpoints are deployed properly and that policies can be enforced is a challenge.

Wayne:  Without a doubt. We were teaching a class for a bunch of IT professionals, telling them that RedSeal can identify routes around firewalls. If the networking team put a route around it, the most effective firewall won’t work. The class laughed. They intentionally routed around firewalls, because performance was too slow.

Endpoint compliance typically poses a huge challenge too. RedSeal can tell you what access a device has, but not necessarily when it comes online. Obviously, that’s one of the reasons we’re partnering with ForeScout.

Wallace:  ForeScout can provide visibility that the device is online and also provide some context around the endpoint. Perhaps RedSeal has a condition that DLP is running on the endpoint. ForeScout could tell you that DLP is not loaded, and therefore no access allowed.

Wayne: Inventory what’s there. Make sure it’s managed. If not managed, you may not know you were attacked and where they came in or went. If you have that inventory, you can prevent or at least respond quicker.

Another important component is assessing risk and knowing what is important to protect. Let’s say we have two hosts of equal value. If Host 1 is compromised, you can’t leapfrog any further. No other systems will be impacted. If Host 2 is compromised, 500 devices can be compromised including two that may have command and control over payroll or some critical systems. Where do you want to put added security and visibility? On the hot spots that open you up to the most risk!  We put things into network context and enable companies to be digitally resilient.

Wallace:  With so many security concerns to address, prioritization is critical.

Wayne:  IoT is obviously a trend that everyone is talking about and is becoming an increasing concern for agency IT Security orgs. How is ForeScout addressing IoT?

Wallace:  ForeScout provides visibility, classification and assessment. If it has an IP address, we can detect it. Classification is where we are getting better. We want to be able to tell you what that device is. Is it a security camera? A printer? A thermostat? We can classify most common devices, but we want to be 75-90% accurate in device classification. The problem is that many new devices are coming out every day. Many you can’t probe traditionally; it could take the device down.  And, you can’t put an agent on it.  So, we’re using other techniques to passively fingerprint a device (via power over Ethernet, deep packet inspection, and more), so we can get to 95% accuracy.

Wayne:  Do you see a lot IoT at customer sites, and are they concerned?

Wallace:  Some don’t realize they have an issue. Many don’t know that IoT devices are on their networks. We are seeing more cases where we are asked to assess IoT environments and address it. Before, we weren’t asked to take action. We used to be asked how many Windows and Mac devices there were. Now, there is a movement by government agencies to put anything with an IP address (the OT side) under the purview of the CISO.

Wayne:  We see a lot of devices – enterprise and consumer – that aren’t coded securely. IoT devices should be isolated, not connected to your mission critical operating environment.

Wallace:  I was curious how RedSeal handles IoT?

Wayne:  If there is vulnerability scan data, it tells us what OS, applications running, active ports, host name, MAC address, etc.  Without that data, we can grab some device data, but with ForeScout, can get more context/additional data about the device. ForeScout can tell you the devices are there. RedSeal can ensure that it’s segmented the way it should be. We can tell you it’s there and how you can get to it, people need to make decisions and act. We show IoT devices as a risk.

Wayne:  What are some of the trends that you are seeing that need to be addressed at customer sites?

Wallace:  From a native cloud perspective, we are working on extending the customer on-premise environment and bringing visibility and control to the cloud.   We are also working on making it easier to get security products to work together.  People don’t have the resources for integration and ongoing management.  We’re working to orchestrate bi-directionally with various toolsets to provide actionable intelligence – advanced threat detection, vulnerability assessment, etc.

We can take intel from other vendors, and ForeScout gives us the who, what, when, where from an endpoint to determine if that device should be on a network.

For example, an ATD vendor can detect malware (find it in their sandbox).  They will hand us an incident of compromise (hash, code, etc.).  We’ll look for those IoCs on devices on the network and then quarantine those devices.

Wayne: Security vendors need to work together.  Customers don’t want to be tied to a single vendor.  Thanks for your time today.

 

For more information, visit our websites at RedSeal and ForeScout.

Network Access Modeling Improves Security, Performance and Uptime for FEMA

When disaster strikes, the Federal Emergency Management Agency (FEMA) enterprise network is expanded to include “temporary” mobile data centers that can last from months to years. In this kind of situation, change control, network maps and configurations can get wildly out of control. The security engineers in FEMA’s Security Operation Center (SOC) wanted network visibility. What’s more, they needed continuous monitoring to be able to measure risk and make decisions about how to deploy their scarce time and resources.

After learning more about RedSeal’s security analytics platform, FEMA’s cybersecurity lead realized that it could fill a major void in the agency’s solution set. RedSeal could help him understand the network, measure resilience, verify compliance, and accelerate response to security incidents and network vulnerabilities.

The FEMA SOC team deployed RedSeal to help manage their change control process — by modeling the data centers as they popped up in near real time. As data centers come online, they use RedSeal to ensure the right access is available. In the coming months, the team is expanding use of RedSeal to support their incident response program.

FEMA’s network team also uses RedSeal, to visualize access from disaster sites. Initially, they were shocked by the level of network access sprawl. They had no idea how much gear was on the network at a disaster site or how many security consequences resulted from simple configuration changes.

Now, with RedSeal’s continuously-updated network model, the network team is able to identify everything on the network and rapidly address any configuration changes that cause security, performance, and network uptime issues.

Get a PDF of this article. FEMA: Modeling Network Access

You Think Your Network Diagram’s Right?

Federal agencies are clamoring for information about best practices about to implement the findings of last year’s cybersecurity “sprint.” This new directive, the Cybersecurity Implementation Plan, is mandatory for all federal civilian government agencies. It addresses five issues intended to shore up agency cybersecurity and ensure network resiliency.

So when agencies are done with their implementation, all their networks and assets will be secure, right?

Wrong.

Most of the time the reality of your network and the official network diagram have little to do with each other. You may think it’s accurate…but it’s not.

Recently, I sat down with Jeremy Conway, Chief Technology Officer at RedSeal partner MAD Security, to talk about this. He works with hundreds of clients and sees this issue constantly. Here’s his perspective.

Wayne: Can you give me an example of a client that, because of bad configuration management, had ineffective security and compliance plans?

Jeremy: Sure I can. A few months back, MAD Security was asked to perform an assessment for an agency with terrible configuration management. With multiple data centers, multiple network topologies, both static and dynamic addressing, and multiple network team members who were supposed to report up the hierarchy, we quickly realized that the main problem was that they didn’t know their own topology.  During our penetration test, we began compromising devices and reporting the findings in real time. The compromises were just way too simple and easy.  The client disputed several of the results.  After some investigation, we figured out that the client had reused private IP space identical to their production network for a staging lab network, something no one but a few engineers knew about.  Since we were plugged into the only router that had routes for this staging network, we were compromising all sorts of unhardened and misconfigured devices.  Interestingly enough, this staging network had access to the production network, since the ACLs were applied in the opposite direction — a whole other finding.  To them and their configuration management solution, everything looked secure and compliant. But in reality, they had some major vulnerabilities in a network only a few folks knew about, vulnerabilities that could have been exploited to compromise the production network.

The client was making a common mistake — looking at their network situation only from an outside in perspective, instead also looking at it from the inside out.  They didn’t have enough awareness of what was actually on their network and how it was accessed.

Wayne: That’s a powerful example. How about a situation where an agency’s use of software-defined or virtual infrastructure undermined their access control?

Jeremy:  One hundred percent software defined networks are still rare in our world. However, we had a situation where virtual environments were spun up by the apps team, not the network team, which caused all sorts of issues. Since the two teams weren’t communicating well, the network team referenced network diagrams and assumed compliance.  In reality, the apps team had set up the virtual environment with virtual switches that allowed unauthorized access to PCI data. Running a network mapping exercise with RedSeal would have identified the issue.

Wayne: I imagine that inaccurate network diagrams cause major issues when incident response teams realize that there hasn’t been any auto discovery and mapping of the network.

Jeremy: Yes, this is a must-have feature, in my opinion. When responding to an incident, you have to perform the network-to-host translations manually. Tracking down a single host behind multiple network segments with nothing but a public IP address can take a long time. In a recent incident with multiple site locations this took the client’s network team two working days — which really doesn’t help when you’re in an emergency incident response situation.

RedSeal makes it easy to find which host has been compromised and which path an intruder has taken almost instantaneously.

Moreover, conducting a security architecture review is much quicker and more comprehensive with RedSeal. This used to be a manual process for our team that typically took 2-4 weeks for the average client. RedSeal has cut that time in half for us.  Additionally, with RedSeal the business case for action is stronger and the result is a better overall remediation strategy. How? For one, given an accurate map of the network, HVAs can be prioritized and a triage process can be deployed that allows security teams to focus scarce time and resources on priority recommendations. This visibility into the severity of security issues also allows teams to develop mitigation strategies for patch issues.

Wayne: Jeremy, this has been a great discussion. I hope you’ll come back and do this again.