Tag Archive for: Automation

Automation, Integration and RedSeal

Automation is one of the trending topics in cybersecurity. The primary reason for automating mundane and repeatable tasks is to allow people to shift focus to problem-solving activities. Organizations can become more resilient to cyber-attacks by directing all the resources to these problem-solving activities.

Integration means taking multiple tools and combining their processes, whether those processes are automated or not.

Automation examples include collecting change-management data from a network firewall. Going through configuration or log files line by line manually is a tedious and ultimately futile task given their length. Creating a script to identify changes is far easier and more accurate.
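The change-detection script the paragraph describes, as an added example (not RedSeal's code): two constructed ACL snapshots in a simplified, vendor-neutral syntax are diffed, and each added or removed rule is triaged so that a new any-to-any permit or a dropped deny is reviewed first. The ACL names, addresses and rule format are all constructed for the example.

```python
# Constructed snapshots (yesterday's and today's ACL export) in a simplified,
# vendor-neutral syntax: access-list NAME permit|deny PROTO SRC DST [eq PORT]
OLD_SNAPSHOT = """\
access-list OUTSIDE_IN permit tcp any host 10.0.1.10 eq 443
access-list OUTSIDE_IN permit tcp any host 10.0.1.11 eq 25
access-list OUTSIDE_IN deny ip any any
"""
NEW_SNAPSHOT = """\
access-list OUTSIDE_IN permit tcp any host 10.0.1.10 eq 443
access-list OUTSIDE_IN permit ip any any
access-list OUTSIDE_IN deny ip any any
"""

def diff_rules(old, new):
    """(added, removed) rule lines; whitespace is normalized and blank lines ignored."""
    norm = lambda s: {" ".join(l.split()) for l in s.splitlines() if l.strip()}
    o, n = norm(old), norm(new)
    return n - o, o - n

def parse_rule(rule):
    """Fields of one ACL line, or None for a shape this parser does not understand."""
    tok = rule.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        return None
    rest, ends = tok[4:], []
    for _ in range(2):  # source, then destination: 'any', 'host X' or a bare subnet token
        n = 2 if rest[:1] == ["host"] else 1
        if len(rest) < n:
            return None
        ends.append(rest[n - 1])
        rest = rest[n:]
    port = rest[1] if rest[:1] == ["eq"] and len(rest) > 1 else "any"
    return {"acl": tok[1], "action": tok[2], "proto": tok[3],
            "src": ends[0], "dst": ends[1], "port": port}

def severity(change, rule):
    """Triage heuristic: a new any-to-any permit or a dropped deny needs a human look."""
    f = parse_rule(rule)
    if f is None:
        return "unparsed"
    wide_open = change == "added" and f["action"] == "permit" and f["src"] == f["dst"] == "any"
    dropped_deny = change == "removed" and f["action"] == "deny"
    return "high" if wide_open or dropped_deny else "info"

def review_changes(old, new):
    """(severity, change, rule) for every added or removed rule, high severity first."""
    added, removed = diff_rules(old, new)
    findings = [(severity(c, r), c, r) for c, rs in (("added", added), ("removed", removed)) for r in sorted(rs)]
    return sorted(findings, key=lambda f: (f[0] != "high", f[1], f[2]))
```

Run `review_changes(OLD_SNAPSHOT, NEW_SNAPSHOT)` against two real exports on a schedule and the output is the change ticket, ordered by what matters.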

In RedSeal, most processes can be automated:

  • Save query
  • Run query
  • Anything scheduled is an automation

Without security automation, analysts must resolve threats manually. This often entails investigating the issue and comparing it against the organization’s threat intelligence to determine its legitimacy, deciding on a course of action, then manually resolving the issue — all on potentially millions of alerts and often with incomplete data.

That means automating individual tools leaves a lot to be desired. That is where the benefits of integration kick in. Thirty years ago, software applications were rigid and closed off from each other. Fifteen years ago, APIs allowed data to flow easily from one application to another. As of five years ago, things became more flexible still.

Now, integrations are only limited by imagination.

ServiceNow

For security teams using RedSeal, the most common integration is ServiceNow, used not just for ticketing but for identifying stale and missing network assets in the ServiceNow CMDB. RedSeal enriches the ServiceNow inventory data by adding specific location information about the network devices. ServiceNow provides critical asset information back to RedSeal, which in turn identifies risk to these assets—all while the operator stays in the ServiceNow Service Management dashboard. RedSeal plus ServiceNow enables network and security teams to automate the resolution of change control requests in a matter of minutes rather than days. Click here to learn more about RedSeal and ServiceNow.

ForeScout

For users of ForeScout, integrating with RedSeal allows them to identify high-risk endpoints based on RedSeal’s risk score; use RedSeal to identify risk to critical assets; use ForeScout CounterACT to automate risk mitigation; and discover devices that have STIG or other configuration violations. Click here to learn more about RedSeal and ForeScout.

Splunk

The goal of Incident Response is to address and manage a security breach in a way that limits damage and reduces recovery time and costs. Your SIEM solution can identify an Indicator of Compromise (IOC) by analyzing and correlating the massive streams of machine data generated by your IT systems and technology infrastructure.

Through a seamless integration with the Splunk Adaptive Response framework, the combination of RedSeal and Splunk significantly increases network situational awareness, gives full visibility of the network access paths from an IOC to critical assets, and lets you contain downstream risk within minutes. Click here to learn more about RedSeal and Splunk.

Moreover, third-party tools and custom, grassroots applications can create specific integrations that deliver data exactly when and how a team wants it, meeting the enterprise’s specific requirements.

At the same time as you do what you can to detect and prevent network security incidents, you need a quick response to the network attacks that do get through: investigating and containing incidents quickly to minimize (or prevent) loss.

Although SIEMs reduce a large volume of data, they still generate more indicators of compromise (IoCs) than your team can quickly investigate. Just locating a compromised device — physically or logically — can be a time-consuming, manual task.

RedSeal’s model of your network provides detailed containment options.

A RedSeal model of your network — across on-premises, cloud and virtual environments — gives you the detail you need to accelerate network incident response. You will be able to quickly locate a compromised device, determine which assets bad actors can reach from there, and get the information you need to stop them. Since RedSeal’s model includes all possible access paths, you will see the paths a network attacker could take to valuable assets. And you’ll get specific containment options so you can decide what action to take — from increasing monitoring, to placing honeypots, to changing firewall rules, to simply unplugging the device — decreasing your network incident response time.
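An added example (not RedSeal’s product code) of the access-path analysis the paragraph describes: on a constructed topology of network segments and firewall permit rules, it lists every path from a compromised host to each critical asset and then proposes the smallest set of permit rules whose removal cuts all of them, which is the "change firewall rules" containment option with the specific rules named. Segment names, IP addresses, firewall names and rules are all constructed.

```python
# Constructed topology: network segments joined by firewalls. One permit rule per
# tuple: (source segment, destination segment, firewall, protocol, port); deny is implicit.
PERMITS = [
    ("user_lan", "dmz",      "fw-edge", "tcp", 443),
    ("dmz",      "app_tier", "fw-core", "tcp", 8443),
    ("app_tier", "db_tier",  "fw-core", "tcp", 5432),
    ("user_lan", "db_tier",  "fw-core", "tcp", 5432),  # legacy rule nobody remembers
]
SEGMENT_OF = {"10.20.5.17": "user_lan", "10.0.2.9": "app_tier", "10.0.3.5": "db_tier"}
CRITICAL = {"10.0.2.9": "payments-app", "10.0.3.5": "customer-db"}
# A hop is (src_seg, dst_seg, firewall, "proto/port"): the rule that makes the hop possible.

def adjacency(permits):
    """Outgoing permitted hops per segment, each tagged with the rule that allows it."""
    adj = {}
    for src, dst, fw, proto, port in permits:
        adj.setdefault(src, []).append((src, dst, fw, f"{proto}/{port}"))
    return adj

def access_paths(start, target, adj, max_hops=4):
    """Every simple path from start to target in which each hop has a permit rule."""
    found = []
    def walk(seg, visited, path):
        if seg == target and path:
            found.append(path)
        elif len(path) < max_hops:
            for hop in adj.get(seg, []):
                if hop[1] not in visited:
                    walk(hop[1], visited | {hop[1]}, path + [hop])
    walk(start, {start}, [])
    return found

def exposure_report(compromised_ip):
    """Critical assets the compromised host can reach, with every access path to each."""
    adj, start = adjacency(PERMITS), SEGMENT_OF[compromised_ip]
    report = {name: access_paths(start, SEGMENT_OF[ip], adj) for ip, name in CRITICAL.items()}
    return {name: paths for name, paths in report.items() if paths}

def containment_rules(report):
    """Greedy hitting set: the permit rules whose removal cuts every path in the report."""
    remaining = [p for paths in report.values() for p in paths]
    chosen = []
    while remaining:
        counts = {}
        for hop in (h for p in remaining for h in p):
            counts[hop] = counts.get(hop, 0) + 1
        best = max(counts, key=lambda h: (counts[h], h))
        chosen.append(best)
        remaining = [p for p in remaining if best not in p]
    return chosen
```

For the host 10.20.5.17 the report shows the customer database reachable both through the DMZ and directly via the forgotten legacy rule, so cutting only the DMZ path would leave the direct one open; the greedy set names both rules.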

What is RedSeal’s Approach to Automation and Integration?

CSO Magazine has called RedSeal a “force multiplier for your existing security products.”

To streamline security teams’ efforts, and further improve network security, RedSeal now integrates into the user interfaces of several leading security products.

The RedSeal security platform integration improves the efficacy of each of these security products, giving their users unprecedented network context within the tools, and in the format they’re already using.

Integrate your technology ecosystem.

RedSeal enhances your existing security investments by adding network topology and connectivity knowledge across all your network environments. You get a comprehensive network-wide view of your security posture.

View our Technology Integration Guide for details on supported devices and software.

Even advanced security systems depend on adjacent solutions to provide a comprehensive and current view into network risk. RedSeal works with Technology Integration Partners to develop deep integrations through integration apps. The apps add value to both products, providing users with exceptional network context within the tools, and in the format, they are already using.

Benefits:

  • Contextual and actionable insights by RedSeal within host applications
  • Relevant and focused data inside the application and the workflow that you are already familiar with
  • No need for another application on your already-crowded desktop
  • The power of RedSeal without additional training/IT resources required
  • Free of cost and available now

Click here to read more about RedSeal’s integrations.

Improving Cloud Security With Segmentation And Automation

Forbes | February 12, 2021

by Mike Lloyd

As a security professional, I tried for several years to keep IoT devices out of my house. However, my anti-IoT crusade just isn’t working anymore. Why? Because, as I’ve discovered, you really have to go to extreme measures to find non-IoT devices for your home. Whether it’s an irrigation system for your lawn, a new alarm system or even solar panels for your roof, just about every home accessory now comes with a prominent IoT footprint.

Leading Federal Cybersecurity Experts Agree: Federal Agencies Need Integrated and Automated Approach

Recently RedSeal hosted its annual Federal Customer Forum. One of the panels featured a discussion with several luminaries in the federal government cybersecurity ecosystem. The topic: the importance of the integration and automation of cybersecurity operations.

Those present were:

  • Wayne Lloyd, RedSeal (Moderator)
  • Kevin Phan, Splunk
  • Tim Jones, ForeScout
  • Wade Woolwine, Rapid7
  • John America, Mystek Systems

The following questions and answers were lightly edited for better comprehension:

Why is integration and automation important in defending against cyberattacks?

Not enough time to manage cybersecurity. The mundane tasks use up all the people and there is stuff to do afterwards. Humans need to focus on high level actions. Let the tools talk together and that will increase speed to resolution and limit damage. Attacks are automated by hackers, so defense needs to be automated, too.

Are security vendors doing enough to integrate with each other to support their customers’ needs? If so what have you seen work well? If not, what should we as an industry be doing better?

No. No one vendor does it all, and vendors often have trouble integrating with others, so customers need to do a better job integrating solutions from different vendors or hire a managed security services provider.

When it comes to securing IoT devices, where does responsibility lie? Is it with the manufacturer, the user, or both?

Most say that there should be shared responsibility. Devices should be patchable and upgradable. “Know your network” is hard with IoT. There are many, many more endpoints to worry about. Organizations need to develop safe processes for adding IoT to the networks, and segment them onto less secure networks. Organizations need to develop a patching strategy generally, but specifically for IoT devices.

There was a recent example where drones were purchased by the DOD. It turns out that the chips had been white-label manufactured by Huawei in China. These drones were exfiltrating data without users’ knowledge to parties unknown. This kind of supply chain issue is going to be a bigger problem going forward.

If you were to go into an organization that is standing up a new, from scratch, security stack, what capabilities would you recommend they choose?

Detection is important, but how do you trust the decisions that the software makes? You need to get to the raw, unfiltered data. Also, the key is to set up network segments to prevent intruders from roaming freely across your infrastructure. Third, you need to set up hunt teams to proactively search for those intruders. Fourth, setting up a continuous config management process that inventories unpatched software is mandatory now. Penetration testing is useful, but penetration testers usually quit after they find a way in. What about the other thousands of vulnerabilities that they didn’t find?

Good cybersecurity teams are always looking to tear down silos. Bad ones stick to themselves. Hackers are known for sharing code, tools and vulnerabilities, so it seems obvious that cybersecurity teams should do the same. NOCs and SOCs are starting to talk more, which is a good thing; however, cloud and DevOps teams seem to be still off on their own. Executive priorities still drive decision making, and no one can prevent those decisions from creating security issues. Cyber teams need to be stewards of data. Implement CIS 20 and set up a risk management framework. Use tabletop exercises to train and improve execution, rather than focus on checkboxes and processes.

It appears that you cannot truly protect yourself if you are not using integrated products. Does it make sense to keep buying solutions piecemeal or should security teams look for packages that already integrate?

Most systems integrators do a good job integrating various cybersecurity tools in government. The private sector is much less advanced in this area. Most commercial companies get technologies then push them to a managed services provider.

Do you see threat intelligence playing a big role with federal customers in protecting their networks?

It’s notable that the same old threats pop up all the time. What is unknown is the scary part of the day. For threat detection, we need a faster and faster process of identification, integration and remediation. Hackers share data. We need a better understanding of where the whole threat environment is coming from. That said, we need to protect high value assets (HVA) first. That means mapping out access from HVAs. The average detection time nowadays is 170 days, so you had better set up your organization for maximum resilience. Attacks are now coming from POS systems and, famously, a fish tank in a Las Vegas hotel.