Tag Archive for: Breach

RedSeal announces support for 3rd-party firewalls in public clouds

RedSeal unveils support for third-party firewalls in public clouds, empowering enterprises to understand all attack paths to stop breaches

Seamlessly integrates with Next-Generation Firewalls from Palo Alto Networks, Cisco, Fortinet, and Check Point deployed in AWS and Azure clouds

Menlo Park, Calif., August 9, 2023 — RedSeal, a pioneer in cyber attack path management, announces support for third-party Next-Generation Firewalls (NGFWs) deployed in AWS, Azure and other clouds. With this capability, RedSeal continues its mission to enable enterprises to comprehensively understand all attack paths to critical data and applications and reinforce their defenses against evolving cyber threats.

Understanding attack paths to critical resources is paramount for enterprise customers to stay one step ahead in today’s complex hybrid cybersecurity landscape. As organizations increasingly adopt cloud-based services, risk exposure expands, defensive gaps inevitably open up, and defenders have to understand more complex interactions. RedSeal delivers support through prebuilt integrations with leading NGFW vendors including Palo Alto Networks, Cisco, Fortinet and Check Point.

“Today’s cyber threats are relentless and increasingly sophisticated. It is imperative for enterprises to have a comprehensive understanding of all attack paths to critical resources, especially in cloud environments,” said Greg Enriquez, CEO of RedSeal. “Introducing third-party NGFW support, we are reinforcing our commitment to delivering best-in-class cybersecurity solutions.”

RedSeal brings cloud-native and third-party security controls into a single view. This gives unprecedented visibility, eliminating blind spots caused by the different perspectives of separate management consoles. Without a single view, defenses are run in silos. Attackers accumulate anywhere the security team cannot see, so the defensive view must be seamless and complete—something only available through automated multi-vendor analytics.

With RedSeal, enterprises further benefit from:

  • Comprehensive Network Visibility: With RedSeal, enterprises gain a holistic view of their cloud and on-premises infrastructure without the need to install any agents. By mapping the entire hybrid network, customers can identify vulnerabilities, configuration errors, and security gaps.
  • Advanced Attack Path Analysis: With this new NGFW support, RedSeal strengthens its threat analysis capabilities. By assessing access controls, security rules, and network segmentation, enterprises can pinpoint weaknesses and take proactive steps to prevent cyber attacks and breaches.
  • Proactive Risk Prioritization: RedSeal delivers risk-based prioritization and actionable insights by applying network context, including that of third-party NGFWs, enabling organizations to proactively address security loopholes and implement effective security measures.
  • Continuous Compliance: RedSeal safeguards a full range of critical compliance and governance requirements with 100+ built-in integrations including PCI, NERC-CIP, CMMC, NIST, RMF, SAP, CIS, and DISA STIGs. RedSeal uniquely understands CIS controls for both cloud and third-party NGFWs.

“Our platforms provide insights with unprecedented speed and accuracy so that our clients stay ahead of cyber adversaries and thwart potential attacks,” said Dr. Mike Lloyd, Chief Technology Officer at RedSeal.

RedSeal’s support for third-party NGFWs in cloud is available now, enabling organizations to embrace cloud technologies with confidence, secure their data, and protect their business-critical assets from emerging cyber threats.

About RedSeal

RedSeal, a pioneer in cyber attack path management, delivers actionable insights to close defensive gaps across the entire network, on premises and in the cloud. Defenders gain the upper hand by knowing their cyber terrain and risk better than their adversaries do. RedSeal’s proven platform explains what is left open, and what it takes to block it, so that security teams can proactively and efficiently remediate issues, spend less effort on compliance, and stay one step ahead. Hundreds of Fortune 1000 companies and over 75 government agencies, including five branches of the U.S. military, depend on RedSeal for exceptionally secure environments.

Hackers access Bed Bath & Beyond customer data

Digital Commerce 360 | October 31, 2019

For a shopper who was impacted, she should ensure she doesn’t use the same password for her Bed Bath & Beyond account elsewhere. In fact, not reusing passwords is one way consumers can protect themselves from fraud, says Mike Lloyd, chief technology officer from cyber security firm RedSeal Inc.

“It’s important to realize that if you use the same password at your bank as you use for less important services like social media or video streaming, then a bad guy only has to break into whichever company has the weakest security, then steal your passwords and use them everywhere else you go,” Lloyd says.

Is Process Killing Digital Resilience and Endangering Our Country?

After reading a Facebook comment on “Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts,” I’m compelled to respond.

I work a lot with the Navy (and the DOD as a whole) as a vendor. I spent 26 years in the intelligence community as a contractor running datacenter operations, transitioning to cybersecurity in the late 1990s.

From my past insider experience to my now outside-in view, “process” is one of the biggest hurdles to effectively defending a network. Process frustrates the talented cyber warriors and process is what managers hide behind when a breach that happened six months or more ago is finally detected.

Process = regulations.

Processes are generally put into place in response to past incidents. Simple knee jerk reactions. But things change. We need to review and change our processes and regulations, and, in some cases completely tear them apart to allow our talented cyber warriors to defend our networks. New regulations would allow them to get into the fight. They may even remain in their jobs longer, rather than leaving for industry — taking expensive training and irreplaceable knowledge with them.

One of my coworkers was on a Cyber Protection Team (CPT) for a major military command. He left to work in a commercial SOC. At one point, his team pitched their services to the top echelon of a service branch. As they introduced my coworker, he was asked why he left military service. My coworker, being an Army Ranger, and then an enlisted sailor, is pretty direct. He said, “Because you’re not in the fight. You’re more worried about the policy and process, while I’m here every day fighting the Russians, Chinese and Iranians.” One officer turns to the others and said, “This is exactly what I mean.”

Too much process and regulation restrict the agility needed for prompt incident response. To resolve incidents quickly (and minimize damage), cyber warriors require trust from their leadership. Trust in their abilities to make quick decisions, be creative, and quickly deploy lessons learned.

The very cyber warriors whose decisions they question are the same ones they blame when things go wrong.

As always, Target is a prime example. It was a low-level cyber warrior who found the “oddity” when doing a packet capture review. He notified Target leadership. But they didn’t act. They ignored him until their credit cards were on the dark web. Then, they went back to the young cyber warrior and fired him. He asked why. After all, he identified the problem first. The response from his leadership was: “Well, you didn’t make your point strong enough for us to take action on.”

The military has the same mentality. But, since many of them have even less knowledge of real-world hacks then private sector management, they take even more time to make decisions. Another friend told me about a time when he was on active duty and found evidence that someone had exploited the network. When he reported it, his leadership kicked it back because there was “not enough evidence.”  He then broke down the exploit and was able to provide the address and phone number of the adversary in Russia. Finally, they acted, but his CO did not want to report it to higher HQ because he was afraid of the fallout.

My friend reminded his CO that they were part of a carrier strike group, and all their data was incorporated into the fleet. Once again, he was ordered to fix it and not report it. He really believed that the only way to protect the group would be to send an anonymous email. This cyber warrior had to choose between disobeying orders and protecting our country.

Let’s not put our talented cyber warriors into this trap. Process and regulations need to be flexible enough to allow these people to protect our country – quickly.

Learn more about RedSeal’s support of cyber protection teams and our approach to digital resilience in the DOD.

 

7 Common Breach Disclosure Mistakes

Dark Reading | December 7, 2018

When a breach happens, speed and clarity are vital, adds Mike Lloyd, CTO at RedSeal. Organizations that have fared badly after a breach have always been the entities that mishandled the disclosure, took too long to disclose, miscommunicated the details, or tried to cover up the issues, he says.

“There is always a surprise factor when you realize someone has broken in, but the better you know your own organization, the faster you can respond,” Lloyd says.

Which is more valuable – your security or a cup of coffee?

The drumbeat of media coverage of new breaches continues, but it’s useful sometimes to look back at where we’ve been.  Each scary report of so many millions of records lost can be overwhelming.  It certainly shows that our network defenses are weak, and that attackers are very effective.  This is why digital resilience is key – perfect protection is not possible.  But each breach takes a long time to triage, to investigate, and ultimately to clean up; a lot of this work happens outside the media spotlight, but adds a lot to our sense of what breaches really cost.

Today’s news includes a settlement figure from the Anthem breach from back in 2015 – a final figure of $115 million.  But is that a lot or a little?  If you had to pay it yourself, it’s a lot, but if you’re the CFO of Anthem, now how does that look?  It’s hard to take in figures like these.  So one useful way to look at it is how much that represents per person affected.

Anthem lost 79 million records, and the settlement total is $115 million.  This means the legally required payout comes out just a little over a dollar per person – $1.46 to be exact.

That may not sound like a lot.  If someone stole your data, would you estimate your loss to be a bit less than a plain black coffee at Starbucks?

Of course, this figure is only addressing one part of the costs that Anthem faced – it doesn’t include their investigation costs, reputation damage, or anything along those lines.  It only represents the considered opinion of the court on a reasonable settlement of something over 100 separate lawsuits.

We can also look at this over time, or over major news-worthy breaches.  Interestingly, it turns out that the value of your data is going up, and may soon exceed the price of a cup of joe.  Home Depot lost 52 million records, and paid over $27 million, at a rate of 52 cents per person.  Before that, Target suffered a major breach, and paid out $41 million (over multiple judgements) to around 110 million people, or about 37 cents each.  In a graph, that looks like this:

Which is more valuable – your security or a cup of coffee?

 

Note the escalating price per affected customer. This is pretty startling, as a message to the CFO.  Take your number of customers, multiply by $1.50, and see how that looks.  Reasonably, we can expect the $1.50 to go up.  Imagine having to buy a Grande Latte for every one of your customers, or patients that you keep records on, or marketing contacts that you track.  The price tag goes up fast!

Uber Hack: A Bad Breach, But A Worse Cover-Up

The Uber hack is a public lesson that a breach may be bad, but a cover-up is worse.  (See Nixon, Richard.)  It was a foolish mistake to try to hide an attack of this scale, but then, the history of security is a process where we all slowly learn from foolish mistakes.  We live in an evolutionary arms race – our defenses are forced to improve, so the attackers mutate their methods and move on.  Academically, we know what it takes to achieve ideal security, but in the real world, it’s too expensive and invasive to be practical.  (See quantum cryptography for one example.)  Companies rushing to grow and make profits (like Uber) aggressively try to cut corners, but end up finding out the hard way which corners cannot safely be cut.

It’s likely that the stolen data was, in fact, deleted.  Why?  On the one hand, we would likely have seen bad actors using or selling the data if it were still available.  That is, from the attacker’s point of view, data like this is more like milk than cheese – it doesn’t age well.  Many breaches are only detected when we see bad guys using what they have stolen, but nobody has reported a series of thefts or impersonations that track back to victims whose connection is that they used Uber.

But we can also see that the data was likely deleted when we think about the motives of the attackers.  Our adversaries are thoughtful people, looking for maximum payout for minimum risk.  They really don’t care about our names, or trip histories, or even credit card numbers – they just want to turn data into money, using the best risk-reward tradeoff they can find.  They had three choices: use the data, delete it, or both (by taking Uber’s hush money, but releasing the data anyway).  The problem with “both” is thieves are worried about reputation – indeed, they care more about that than most.  (“To live outside the law, you must be honest” – Bob Dylan.)   Once you’ve found a blackmail victim, the one thing you don’t do is give up your power over them – if the attackers took the money but then released the data anyway, they could be sure Uber would not pay them again if they broke in again.  The cost/benefit analysis is clear – taking a known pot of money for a cover-up is safer and more repeatable than the uncertain rewards of using the stolen data directly.

What Equifax Tells Us About Cybersecurity

What Equifax Tells Us About Cyber Security

By Richard A. Clarke

This month it is Equifax. Previously it was Yahoo and before that Target. Each new breach seems to set a new record of how many pieces of personal identifiable information have been compromised. It is easy to get inured to these news stories, especially since the media generally does not deduce any lessons from them. Many people come away thinking that data breaches are just something that we have to accept. But do we? What are we to take away from these recurring stories about huge hacks?

I have been working on cybersecurity for two decades now, initially from the White House and now in the private sector. Here is what I think should be our reaction to the Equifax story and similar breaches.

First, it is not impossible to secure major networks. Some companies and government agencies have quietly achieved sufficiently secure networks that they do not experience major data losses. It is, however, not easy to achieve.

Second, the essential ingredient to securing a network is not software or hardware. It is people – trained and skilled people. This country has an extreme shortage in such personnel. Despite the good salaries that are available in cybersecurity, there is a mismatch between what colleges are producing and what is needed. Colleges are simply under-producing cybersecurity graduates. There are hundreds of thousands of vacant jobs and even more positions that are being filled by under qualified staff.

Most colleges produce computer science majors or have graduate programs, however, they do not require education in cybersecurity as a condition for obtaining those degrees. Although it is sometimes derided by computer science faculty as too much like a “trade” and insufficiently academic, the truth is that cybersecurity is more difficult than basic computer science. Cybersecurity skills are built on top of knowledge about computer science.

In the absence of a focused and funded national initiative to significantly increase the number of cybersecurity trained graduates, corporations and government agencies will continue to fail at securing sensitive data.

Third, securing networks is expensive. Most companies spend only 3-5 percent of their Information Technology budget on security. These are the companies that get hacked. Most corporations have never properly priced in the cost of cybersecurity to their overall cost of doing business. There is a popular misconception in the business world about what it costs to run a major network. The original cost of security for a network was relatively low in the 1990s when most companies began building out their information technology infrastructure. The threat environment was significantly more benign then than it is now. Moreover, the security products available in the 1990s were limited to relatively inexpensive anti-virus, firewalls, and intrusion detection/prevention systems.

Today’s large networks require encryption, network discovery, threat hunting, data loss prevention, multifactor authentication, micro-segmentation, continuous monitoring, endpoint protection, intelligence reporting, and machine learning to detect and prioritize anomaly alarms. Corporations can no longer accurately be described in categories such as airlines, banks, or hospitals. They are all more accurately thought of as computer network companies that deal in aircraft, money management, or patients. If your company cannot do its business when your network goes down, then you are first and foremost an information technology company, one that specializes in whatever it is you do.

Fourth, because almost every American has now had their personally identifiable data stolen in one of these breaches, it should no longer be acceptable to use (or request) social security numbers, dates of birth, mother’s maiden names, and other publicly available identifiers to authenticate a user. Stop using them. Alliances of corporations should develop other, more advanced forms of identification that they would all use. In the jargon of the tech world, what we need are federated (more than one company employing it), multi-factor authentication. Even the government could use one or more of such systems, but if the government creates it there will be push-back from those fearing government abuse of civil liberties.

Finally, many companies and executives in them will continue to mismanage corporate cybersecurity and divulge sensitive data in the absence of significant penalties for failure. Today, even CEOs who are dismissed because of data breaches walk away with eye watering bonuses and severance packages. They do not suffer personally for their failure as managers.

Former White House cybersecurity official Rob Knake has observed that oil companies only got serious about oil spill prevention when they began to be fined based on the number of gallons that they spilled. He suggests that we hit companies that lose personally identifiable data with a heavy penalty for each bit of data compromised. In addition, companies should be required by federal law (not by the existing hodge-podge of conflicting state laws) to notify the government and individuals promptly when data has been compromised.

In sum, major cyber breaches do not have to be a regularly occurring phenomenon. They can be significantly reduced if we as a nation have a program to produce many more trained cybersecurity professionals, if corporations appropriately price in the cost of security, and if there are real financial consequences for companies that spill personal data into the hands of criminals and hostile nations.

Richard A. Clarke was Special Advisor to the President for Cybersecurity in the George W. Bush Administration and is the author of eight books including CYBER WAR.

What SendGrid can teach us about dependency

The watch-word for the SendGrid breach is “interdependence”.  In the online world, we may think we’re dealing with one company, but we’re actually dealing with them and with every other company they choose to deal with.  This makes an ever-widening attack surface.  (The breaking news about the Chinese “Great Cannon” software shows similar patterns.)  These days, if you visit a website, you can be confident you are actually talking to a huge variety of other organizations who may provide ads, services, traffic monitoring, or any other legitimate services.  One recent study of a popular news site showed that reading a simple news story meant your browser spoke to 38 distinct hosts, spread across no less than 20 different organizational domains!  The problem is that this array of services is very large, and a chain is only as strong as its weakest link.  Attackers only need to find one weak point to start an attack.

US & UK Joint Wargames – let’s not wait for Pearl Harbor

The idea of the US and UK working together on war-games is a good one.  It recognizes that we are in a war, and that we are losing.  We need to improve our defensive game.  Chris Inglis, the former NSA director, has commented that the state of security today massively favors the attacker – he suggests that if we kept score, it would be 462-456, just 20 minutes into the game, because our defense is so poor.

The continuous stream of announcements of new breaches, along with the UK stats indicating the vast majority of large companies are suffering serious breaches, adds up to clear evidence of weak defense.  War games are a good way to get one step ahead, shifting to a proactive rather than purely reactive stance.  Nation states can do this with teams of people, but this is too labor intensive and expensive for most organizations.  This is why the security industry puts so much emphasis on automation – not just the automated discovery of weaknesses, but automating the critical process of prioritizing these vulnerabilities.  The inconvenient truth is that most organizations know about far too many security gaps to be able to fix them all.  War-gaming is a proven approach to dealing with this reality – find the gaps that are most likely to be used in a breach, and fix those first.  Perfect security is not possible, but realistic security comes from understanding your defensive readiness, stack-ranking your risks, and acting on the most critical ones.

Cyber Infrastructure – the Fifth Domain

Cyber Infrastructure – the Fifth Domain
The last couple of years has seen an incredible rise in reported incidents of cyber attacks.  Research by many organizations, including Check Point Software and Verizon DBIR, indicate that it’s not a reporting bias, cyber attacks are indeed on the rise.  The good news for us all, as the New York Times reported, is that President Obama is stepping up the nation’s cyber defenses to meet this threat.

Our nation’s economy and well-being are totally dependent on our networks. To keep our economy moving, information flowing, and ourselves informed, we need to protect and defend these networks. Our cyber infrastructure has become the fifth domain a sovereign nation needs to protect – after air, land, sea and space.

Network Security isn’t a Safety Guarantee
Cyber defense isn’t trivial or easy or cheap.  And there are thousands of network security products to choose from. These products usually serve specific purposes in a defense strategy.  For example, firewalls, among many things they do, protect the gate through which information flows, like the locks on your door.   Intrusion detection on a network is like motion detectors in your home. They can tell you something is happening, but can’t always discriminate between acceptable and bad activity.

When networks are larger, they’re more complex, often overwhelming teams trying to make sense of a breach.  There are scores of reporting systems that provide real-time data about break-ins.  But even those are not always as useful as management would like. Dave Dewalt’s story on 60 Minutes recently is typical.

But even with the best people, plans, and essentially an unlimited budget like JP Morgan, companies still get hacked. Why aren’t our networks more secure? Why is a breach in the news every day?  Because, as our President agrees, it’s time to harden our networks.

Network Hardening: Getting Ahead of Cyber Attackers
Network hardening requires many things.  First, it means understanding your network — every element, every device and every path possible.  It means understanding potential threats and having outside intelligence about where the threats originate.  It means focusing your limited resources on the most important things you can do to protect your business.

RedSeal’s mission is to help Global 2000 organizations harden their networks. It gives you the detailed information you need — how your network routes traffic, detailed paths from everywhere to everywhere and how ready your equipment is.  It helps you determine where you should focus your resources and what exactly you can do to harden your network – from the most risky or vulnerable places to the least.  Prioritization is key to getting ahead of the cyber attackers.