ICS Security: ‘The Enemy Is in the Wire’
Dark Reading | July 12, 2018
By Wayne Lloyd, RedSeal Federal CTO
SIGNAL Magazine | April 9, 2018
By Wayne Lloyd, RedSeal Federal CTO
From an industry perspective there are many advantages to moving aspects of any organization to the cloud. In theory, cloud is more efficient and easier to manage, but organizations like the Defense Department need to make sure they are not bringing along their bad habits and old baggage with them. Legacy networks are hard to understand and have grown out of control in the last few decades. Cloud is as complex as legacy networks, but the difference is who or what is really maintaining them.
Recently RedSeal hosted its annual Federal Customer Forum. One of the panels featured a discussion with several luminaries in the federal government cybersecurity ecosystem. The topic: the importance of the integration and automation of cybersecurity operations.
Those present were:
The following questions and answers were lightly edited for better comprehension:
Why is integration and automation important in defending against cyberattacks?
There is not enough time to manage cybersecurity by hand. The mundane tasks use up all the available people, and there is still more work to do afterwards. Humans need to focus on high-level actions. Let the tools talk to each other; that will increase speed to resolution and limit damage. Attacks are automated by hackers, so defense needs to be automated, too.
Are security vendors doing enough to integrate with each other to support their customers’ needs? If so what have you seen work well? If not, what should we as an industry be doing better?
No. No one vendor does it all, and vendors often have trouble integrating with each other, so customers need to do a better job integrating solutions from different vendors or hire a managed security services provider.
When it comes to securing IoT devices, where does responsibility lie? Is it with the manufacturer, the user, or both?
Most say that there should be shared responsibility. Devices should be patchable and upgradable. “Know your network” is hard with IoT: there are many, many more endpoints to worry about. Organizations need to develop safe processes for adding IoT to their networks, and segment those devices onto less secure networks. Organizations need to develop a patching strategy in general, and specifically for IoT devices.
There was a recent example where drones were purchased by the DOD. It turned out that the chips had been white-label manufactured by Huawei in China, and the drones were exfiltrating data to parties unknown without the users’ knowledge. This kind of supply chain issue is going to be a bigger problem going forward.
If you were to go into an organization that is standing up a new, from scratch, security stack, what capabilities would you recommend they choose?
Detection is important, but how do you trust the decisions that the software makes? You need to get to the raw, unfiltered data. Second, the key is to set up network segments to prevent intruders from roaming freely across your infrastructure. Third, you need to set up hunt teams to proactively search for those intruders. Fourth, setting up a continuous configuration management process that inventories unpatched software is mandatory now. Penetration testing is useful, but penetration testers usually stop after they find a way in. What about the other thousands of vulnerabilities that they didn’t find?
Good cybersecurity teams are always looking to tear down silos; bad ones stick to themselves. Hackers are known for sharing code, tools and vulnerabilities, so it seems obvious that cybersecurity teams should do the same. NOCs and SOCs are starting to talk more, which is a good thing; however, cloud and DevOps teams still seem to be off on their own. Executive priorities still drive decision making, and no one can prevent those decisions from creating security issues. Cyber teams need to be stewards of data. Implement the CIS 20 controls and set up a risk management framework. Use tabletop exercises to train and improve execution, rather than focusing on checkboxes and processes.
It appears that you cannot truly protect yourself if you are not using integrated products. Does it make sense to keep buying solutions piecemeal or should security teams look for packages that already integrate?
Most systems integrators do a good job integrating various cybersecurity tools in government. The private sector is much less advanced in this area. Most commercial companies get technologies then push them to a managed services provider.
Do you see threat intelligence playing a big role with federal customers in protecting their networks?
It’s notable that the same old threats pop up all the time. What is unknown is the scary part of the day. For threat detection, we need a faster and faster process of identification, integration and remediation. Hackers share data. We need a better understanding of where the whole threat environment is coming from. That said, we need to protect high value assets (HVA) first. That means mapping out access from HVAs. The average detection time nowadays is 170 days, so you had better set up your organization for maximum resilience. Attacks are now coming from POS systems and, famously, a fish tank in a Las Vegas hotel.
FedScoop | November 2, 2017
Kimberly Baker, RedSeal SVP & GM, Public Sector was named to the 2017 FedScoop 50 in the category of Industry Leadership. The award was given to individuals in the private sector who help drive change by being a valued partner to government and leading teams that help agencies work smarter and lower costs.
Crain’s Washington DC | October 25, 2017
The mistake I made involved who to seek professional guidance from.
Early in my career I was working for AT&T. As a young woman in the telecommunications industry I was feeling like I was working very hard in my sales position and I was doing the things that were part of my job description, but I wasn’t getting the kind of coaching and direction that I felt I needed to adjust course along the way.
“The federal government is finally taking bold steps to fulfill what the Constitution says in its preamble – ‘to provide for the common defense,’ in this case, the common cyber defense.
The actions and budget announced today are an important recognition of and investment in the defense of the critical information infrastructure of the United States, and provide an example for governments, businesses, and NGOs worldwide.
The plan recognizes that it is critical to implement platforms with analytics and capabilities to understand complex networks and assist in prioritizing what needs to be done first to improve resilience.
As the president writes in a Wall Street Journal op-ed, ‘we are still in the early days of this challenge.’ Networks will only grow more complex, creating opportunities for hackers and challenges for defenders.
The federal government’s new Chief Information Security Officer should be asking talented agency teams, ‘how are we measuring our cyber results and defenses? How are we thinking about resilience? And how are we determining the first step to take to make our digital infrastructure more resilient?’
Networks were not designed with cyberattacks in mind, so they are not resilient to them. But it’s not too late. Building digital resilience into networks before attacks is the only way to get ahead of the ongoing, automated, and ever more sophisticated attacks.
The proposal by the President can be an excellent step in leading the world to a more cyber resilient future.”
For the third time in a row, I flew down to Texas at the end of the year.
The reason? To attend the important Alamo ACE event presented by the local San Antonio AFCEA chapter. With multiple sessions over three days covering primarily cybersecurity and ISR, the event draws 1500 military and industry leaders.
My takeaway? RedSeal’s cybersecurity analytics platform and approach to proactive digital resilience was validated by a series of senior leaders on the front lines of protecting our nation’s most high value assets. Each of them is shifting focus to solving the root causes of cyber insecurity, rather than deploying a patchwork of tools. They realize that:
These military leaders equate mission assurance with security. This means:
The first session I attended featured Steve Brown, the Vice President of Operations and Cyber Intelligence Center in the Global Cyber Security organization at Hewlett Packard. A former Navy and Wells Fargo senior security leader, Steve saw three big similarities across military and commercial organizations:
What keeps Steve up at night? Globally, 30 billion cyber events per day, and 1.4M on his networks! Steve works to make cyber investments about risk and reward. For example, to shorten the time lag between attack and response, he split up his Red Team and created a Cyber Hunting team. He gathers and shares intel wherever he can in order to see risk earlier and proactively take action.
On the same panel was Lt. Gen. (retired) Michael J. Basla now Senior Vice President of Advanced Solutions for L-3 National Security Solutions (L-3 NSS) and former CIO of the US Air Force. According to him, the key challenges for US cybersecurity are:
Later on, I sat in on a session featuring Maj. Gen. Burke E. “Ed” Wilson. He is the Commander, 24th Air Force and Commander, Air Forces Cyber, Joint Base San Antonio-Lackland, Texas.
Gen. Wilson gave a quick overview of the US Air Force’s cyber terrain, including an emphasis on securing their network, base infrastructure and weapons systems. This is a change from the past when the USAF was focused primarily on network defense. Now they also focus on base infrastructure and weapons systems. They struggle with how to provide mission assurance from cyber risk.
On the flight home, reflecting on this conference, I realized the DOD cyber security conversation has changed dramatically. The past focus on audit and inspections has given way to a realization that networks are critical to national security. They deliver the mission. Our military leaders understand the cyber threat to their missions and are now putting their focus behind creating the strongest possible defense.
Blue vs Red. No, not the Rooster Teeth series for the Halo fans out there. For those that do not know how the reference pertains to cyber security: Blue teams can be looked at as the good guys (cyber defenders) and Red teams are the bad guys (attackers). Not to say the Red teams are “bad guys”; their job is to identify weaknesses in order to teach and improve the capabilities of the Blue teams.
The U.S. military runs Red vs Blue cyber war games, and I had the opportunity to participate in them during my time in the Intelligence Community. I quickly learned that all war games (whether simulated kinetic wars or simulated cyber wars) are rigged to make it impossible for the Blue team to win. Reminiscent of Star Trek’s Kobayashi Maru scenario that Captain Kirk had to participate in at the Star Fleet Academy. Why on earth would you do that? So when the real thing happens you won’t be surprised and you’ll know how to handle it.
The only thing that was a shock to the U.S. military during the war of the Pacific in World War II was Kamikazes. The U.S. military had war-gamed every scenario to include a sneak attack on Pearl Harbor. They never imagined suicide attacks in that day and age so it wasn’t part of the games. But, with that single exception, they were prepared to deal with everything that occurred.
I often describe how RedSeal can help Blue teams when I give demonstrations. RedSeal’s native ability to calculate every possible access path and attack vector is basically a cheat for Blue teams, just as Kirk defeated the Kobayashi Maru scenario by changing the rules (or cheating). Historically, Blue teams have had to find every possible path into the network and every possible attack vector or exposed vulnerability in order to defend the network. This takes vast amounts of time and effort, and many times is impossible to achieve. The Red team only has to find one way in, and they have all the time in the world to do it.
A lot of Blue team personnel attend our conferences where they get energized about the possibilities RedSeal can open up for them. RedSeal allows the Blue teams to identify the most critical or highest risk access paths and attack vectors in the network, automatically, every day. There are other Blue teams who are known as auditors or vulnerability assessment teams. They look at snapshots of a network’s security posture and network resiliency. Typically these audits are manual, labor intensive and time consuming efforts that consist of collecting and reading network configuration files, reviewing vulnerability scan data, and performing analysis to merge the data into actionable reports. RedSeal can automate this process, turning what could take weeks or months into just a few days, so Blue teams can cover greater portions of the enterprise faster.
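To make the access-path idea concrete, here is a small illustrative model written for this page. It is not RedSeal’s code and does not reflect how the product is implemented; the zones, allow rules, and the vulnerability inventory are constructed sample data. It enumerates every loop-free path from an untrusted zone to a high value asset zone where each hop lands on a reachable service that carries a known weakness, ranks those paths, and then answers the Blue team question the post raises: which single finding, if remediated first, cuts the most paths.

```python
"""Added example: enumerate and prioritize access paths to high value assets.

Constructed sample data, written for illustration. It is not RedSeal's code and
the topology below is fictional.
"""
from collections import Counter, namedtuple

# An allow rule: traffic from zone `src` may reach zone `dst` on TCP `port`.
# Anything not listed is denied (default-deny segmentation).
Rule = namedtuple("Rule", "src dst port")
# One step of a path: the zone entered, the service port used, its severity.
Hop = namedtuple("Hop", "zone port severity")

# Constructed topology: four zones, deny by default, four allow rules.
RULES = [
    Rule("internet", "dmz", 443),
    Rule("dmz", "corp", 8080),
    Rule("corp", "hva", 1433),
    Rule("dmz", "hva", 22),   # constructed: an overly permissive rule straight into the HVA zone
]

# Constructed vulnerability inventory: zone -> {listening port: severity score}.
VULNS = {
    "dmz": {443: 7.5},
    "corp": {8080: 9.8},
    "hva": {1433: 5.0, 22: 9.0},
}


def reachable_services(src, rules=RULES, vulns=VULNS):
    """Services in other zones that `src` is allowed to reach AND that carry a known weakness."""
    return [
        Hop(r.dst, r.port, vulns[r.dst][r.port])
        for r in rules
        if r.src == src and r.port in vulns.get(r.dst, {})
    ]


def attack_paths(start, target, rules=RULES, vulns=VULNS):
    """Depth-first enumeration of every loop-free path from `start` into `target`."""
    paths = []

    def walk(zone, path, visited):
        for hop in reachable_services(zone, rules, vulns):
            if hop.zone in visited:
                continue              # never revisit a zone; keeps paths loop-free
            new_path = path + [hop]
            if hop.zone == target:
                paths.append(new_path)
            else:
                walk(hop.zone, new_path, visited | {hop.zone})

    walk(start, [], {start})
    return paths


def rank_paths(paths):
    """Shortest paths first; among equal length, highest cumulative severity first."""
    return sorted(paths, key=lambda p: (len(p), -sum(h.severity for h in p)))


def fix_first(paths):
    """The (zone, port) finding whose remediation removes the most enumerated paths."""
    counts = Counter((h.zone, h.port) for p in paths for h in p)
    return counts.most_common(1)[0][0] if counts else None


def paths_after_fix(paths, fixed):
    """Paths that survive once the (zone, port) finding `fixed` is remediated."""
    return [p for p in paths if not any((h.zone, h.port) == fixed for h in p)]


if __name__ == "__main__":
    found = attack_paths("internet", "hva")
    for p in rank_paths(found):
        print(" -> ".join(f"{h.zone}:{h.port} (sev {h.severity})" for h in p))
    print("fix first:", fix_first(found))
```

On the constructed data this finds two paths into the HVA zone, ranks the two-hop path through the permissive port 22 rule ahead of the three-hop path through corp, and reports the DMZ’s port 443 service as the finding to fix first, because every enumerated path passes through it. Re-running the enumeration after each remediation is the daily, automated “what is my highest-risk path today” loop the post describes.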
Then there are those sneaky Red team people. Remember them? They only have to find one way in. I don’t get many of them openly announcing themselves at conferences but they do pop up from time to time. They ask, “Can we use RedSeal to automate the analysis to find ways in and pivot or leapfrog through the network?” Well, the answer is yes. As you move through the network and collect data, you can feed it into RedSeal to figure out your next move or moves. There is a misconception that breaches are blitzkrieg style attacks — meaning that once the attacker is in, it is game over. In fact, most of the time they have to continue to move through the network to achieve their objective — and then get out with the data without being detected. If you have a model of the network that shows where access is and is not and what vulnerabilities could be leveraged as you push deeper into the enterprise, it removes the unknowns and allows you to move with more certainty towards your goal.
RedSeal is a tool to defeat an impossible scenario. Whether it’s faster time to exploitation or to identification and remediation, RedSeal allows both Red and Blue teams to accomplish their goals faster and with more accuracy through automation. Live long and prosper!
by Wayne Lloyd, Federal CTO RedSeal
Not too long ago I had a customer, “Joe”, explain to me how he overcame organizational challenges and got his network team to operationalize the findings from RedSeal.
Joe started by taking advantage of RedSeal features that can be leveraged immediately upon deployment, such as the Best Practice and STIG checks. He generated a report and sent it over to the transport team, convinced that they would recognize the findings’ importance and promptly start remediation efforts.
Unfortunately for Joe, the transport team was busy with their own operational tasks, and he’d just dumped a phonebook worth of problems in their lap. The first issue they had: More work! More importantly, they had no idea where the data came from and didn’t trust its accuracy. They reacted the same way the people I’ve worked with did; they ignored it. They had to focus on their own priorities. It’s hard to justify overriding operational or mission requirements with new (not mandatory) tasks.
Joe is not the type to be ignored or take no for an answer; he chose another tactic. He printed three high priority findings and personally showed them to the most receptive network team members. He didn’t present the findings as issues that needed immediate attention but instead, he asked for help in verifying the findings. They reviewed the three findings, validated them as real issues that needed immediate resolution, then thanked Joe for sharing them.
A few days later he did the same thing with the same result. After weeks of this, the network team came to trust the findings and wanted to know where they came from. He told them it was RedSeal, and they jumped at his offer to have the reports automatically emailed to them. They wanted to learn what else RedSeal could provide.
What I learned from this is if you want to gain acceptance, you can’t just dump mountains of work on an unwitting team that is already over tasked. You have to slowly gain their trust a little bit at a time. Show them that you’re really on their side and not there to tell them they are doing things wrong. Once they have confidence in the data, they will ask for more. Once they gain trust in the results, they will operationalize it into their own workflow as a willing participant… rather than a reluctant recipient.
I just participated in The White House Summit on Cybersecurity at Stanford. The President and all the participants focused on the fact that cyber is the threat of the 21st century, that government alone can’t protect us, and that no company has the resources to completely protect itself. Recent history confirms this. Thus, to collaborate, to share, and to work together is our only real solution. There were plenty of nods to the Constitution and privacy. Tony Earley, CEO of PG&E, said that we need to work together like we did on the Manhattan Project. Now that is big thinking, and a big call to action. I couldn’t agree more.