Defense Department’s Secret Weapon for Network Security
Nextgov | Jan 30, 2018
By Ray Rothrock, Chief Executive Officer
Nextgov | Jan 30, 2018
By Ray Rothrock, Chief Executive Officer
Over the last few decades, many network security architecture products have come to market, all with useful features to help secure networks. If we assume that all of these security products are deployed in operational networks, why do we still see so many leaks and breaches?
Some say the users are not leveraging the full capabilities of these products – which is true.
Other say the users are not fully trained on how to use the product. Also true, and probably why they’re not using the full capabilities of their products.
Instead, we might benefit from remembering a basic truism: We humans are lazy.
Most of us, if offered a button that simply says “fix,” will convince ourselves that it will fix any network problem. We’ll buy that button every day of the week.
Our belief in fix buttons has led to a situation where many of us aren’t following standard security practices to secure our networks. When a network is designed or when you inherit a network, there are some basic things that should be done.
One of the first things to do is isolate, or segment, your network. Back in the 1990s, network segmentation was done more for performance reasons than security. As we moved from hubs to large, switched networks, our networks have become flat, with less segmentation. Today, once attackers get in, they can run rampant through a whole enterprise.
If we take the time to say, “Let’s step back a second,” and group our systems based on access needed we can avoid much trouble. For instance, a web server most likely will need access to the internet and should be on a separate network segment, while a workstation should be in another segment, printers in another, IoT in one of its own, and so on.
This segmentation allows better control and visibility. If it’s thought out well enough, network segmentation can even reduce the number of network monitoring security products you need to deploy. You can consolidate them at network choke points that control the flow of data between segments versus having to deploy them across an entire flat architecture. This also will help you recognize what network traffic should and should not be flowing to certain segments based on that network segment’s purpose.
This all seems to make sense, so why isn’t it done? In practice, network segmentation is usually implemented at the start. But, business happens, outages happen, administrators and network engineers are under enormous pressure to implement and fix things every day. All of this causes the network design to drift out of compliance. This drift can happen slowly or astonishingly fast. And, changes may not get documented. Personnel responsible for making the changes always intend to document things “tomorrow,” but tomorrow another event happens that takes priority over documentation.
Network segmentation only works if you can continuously ensure that it’s actually in place and working as intended. It is usually the security teams that have to verify it. But, as we all know, most security and networking teams do not always have the best partnerships. The network team is busy providing availability and rarely has the time to go back and ensure security is functioning.
Even if the security teams are checking segmentation in large enterprises, it is a herculean effort. As a result, validating network segmentation is done only yearly, at best. We can see how automating the inspection of the network security architecture is a clear benefit.
RedSeal enables an automated, comprehensive, continuous inspection of your network architecture. RedSeal understands and improves the resilience of every element, segment, and enclave of your network. RedSeal works with your existing security stack and network infrastructure (including cloud and SDN) to automatically and continuously visualize a logical model of your “as-built” network.
RedSeal’s network modeling and risk scoring platform enables enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital and virtualized world, and to overcome one of the main enemies of cybersecurity – human nature.
Recently RedSeal hosted its annual Federal Customer Forum. One of the panels featured a discussion with several luminaries in the federal government cybersecurity ecosystem. The topic: the importance of the integration and automation of cybersecurity operations.
Those present were:
The following questions and answers were lightly edited for better comprehension:
Why is integration and automation important in defending against cyberattacks?
Not enough time to manage cybersecurity. The mundane tasks use up all the people and there is stuff to do afterwards. Humans need to focus on high level actions. Let the tools talk together and that will increase speed to resolution and limit damage. Attacks are automated by hackers, so defense needs to be automated, too.
Are security vendors doing enough to integrate with each other to support their customers’ needs? If so what have you seen work well? If not, what should we as an industry be doing better?
No. No one vendor does it all, and often have trouble integrating with others, so customers need to do a better job integrating solutions from different vendors or hire a managed security services provider.
When it comes to securing IoT devices, where does responsibility lie? Is it with the manufacturer, the user, or both?
Most say that there should be shared responsibility. Devices should be patchable and upgradable. “Know your network” is hard with IoT. There are many, many more endpoints to worry about. Organizations need to develop safe processes for adding IoT to the networks, and segment them onto less secure networks. Organizations need to develop a patching strategy generally, but specifically for IoT devices.
There was a recent example where drones were purchased by the DOD. It turns out that the chips had been white-label manufactured by Huawei in China. These drones were exfiltrating data without user’s knowledge to parties unknown. This kind of supply chain issue is going to be a bigger problem going forward.
If you were to go into an organization that is standing up a new, from scratch, security stack, what capabilities would you recommend they choose?
Detection is important, but how do you trust the decisions that the software makes? You need to get to the raw, unfiltered data. Also, the key is to set up network segments to prevent intruders from roaming freely across your infrastructure. Third, you need to set up hunt teams to proactively search for those intruders. Fourth, setting up a continuous config management process that inventories unpatched software is mandatory now. Penetration testing is useful, but penetration testers usually quit after they find a way in. What about the other thousands of vulnerabilities that they didn’t find?
Good cybersecurity teams are always looking to tear down silos. Bad ones stick to themselves. Hackers are known for sharing code, tools and vulnerabilities, so it seems obvious that cybersecurity teams should do the same. NOCs and SOCs are starting to talk more, which is a good thing, however cloud and dev ops teams seem to be still off on their own. Executive priorities still drive decision making, and no one can prevent those decisions from creating security issues. Cyber teams need to be stewards of data. Implement CIS 20 and set up a risk management framework. Use table top exercises to train and improve execution, rather than focus on checkboxes and processes.
It appears that you cannot truly protect yourself if you are not using integrated products. Does it make sense to keep buying solutions piecemeal or should security teams look for packages that already integrate?
Most systems integrators do a good job integrating various cybersecurity tools in government. The private sector is much less advanced in this area. Most commercial companies get technologies then push them to a managed services provider.
Do you see threat intelligence playing a big role with federal customers in protecting their networks?
It’s notable that the same old threats pop up all the time. What is unknown is the scary part of the day. For threat detection, we need a faster and faster process of identification, integration and remediation. Hackers share data. We need a better understanding of where the whole threat environment is coming from. That said, we need to protect high value assets (HVA) first. That means mapping out access from HVAs. The average detection time nowadays is 170 days, so you had better set up your organization for maximum resilience. Attacks are now coming from POS systems and, famously, a fish tank in a Las Vegas hotel.
SIGNAL Magazine | Dec 1, 2017
By J. Wayne Lloyd, RedSeal Federal CTO
By 2025, an estimated 75 billion or more devices will be connected via the Internet. While the ability to access data on any device from any device multiplies productivity exponentially, it also creates unforeseeable vulnerabilities that organizations are only beginning to understand.
Last year’s Mirai botnet distributed denial-of-service attack, which infected millions of devices, demonstrates the multifaceted challenges federal agencies and private-sector companies face when securing their devices and networks. These challenges will only continue to grow both inside and outside of these domains.
I just came across a WSJ Pro article titled “Inside the NSA: Companies Need to Follow the Basics,” and figured I could offer an “amen.” The NSA gets points for seeing things clearly – but then, I suppose that is their job, whether we like it or not! The area they discuss isn’t easy to write about; in fact, it’s similar to the challenge that investment magazines face. Every month, they have to write about what’s new and interesting as if it will help readers make money, when the best advice is rather boring — buy and hold. What are these magazines supposed to do? Make another cover article out of “Indexing – Still the Great Deal It’s Always Been?”
The same thing happens in network defense. Props to Rob Sloan, the author (and WSJ Pro) for making news out of the point that what we need to do is go back to the basics, and do them well … and then do them well again. The biggest challenge we face in defending our networks is just getting around to doing all the things we already know how to do. Our enemies don’t need to be James Bond villains in super-secret lairs with super-weapons – we leave out many “Welcome to Our Network” mats in the form of unpatched systems and easily evaded perimeters.
The article clearly lays out what we need to do to up our defensive game: first, we have to pay attention to the basics. Second, we have to pay attention to the basics. And yes, third, we have to pay attention to the basics (just like “location, location, location” for real estate). We’re all overwhelmed, but as the article points out, 98% coverage for any given issue isn’t good enough. We need to prioritize and find the 2% we missed, by gathering all our inventory, not just most of it, and testing every asset.
And then, after all that preventative work, we still need to plan for digital resilience. Resilience starts from all that inventory, and mapping of how your business functions and what is critical in your infrastructure. After that, it’s about hardening. And after that, it’s about testing your readiness so you can bounce back from the inevitable assaults. This is exactly what the RedSeal Digital Resilience score measures. We directly quantify the quality of your inventory, then look at hardening, and then at attack readiness.
So, I value the NSA’s perspectives, as reported in the article. The folks at NSA are among the government’s thought leaders for digital resilience. While government execution of cyber ideas isn’t above criticism, their networks are some of the very biggest, and their adversaries are some of the most motivated. For folks in the intelligence community, it’s not paranoia – people really are out to get them, and they plan accordingly. We should listen to their advice.
Last week in Orlando, I attended the Defense Health Information Technology Symposium (DHITS) conference. This is one of the best attended, most cohesive trade shows I have been to in years. One of the eight break-out tracks was entirely devoted the challenges of securing defense health networks and the medical devices that connect to them. It was overdue proof that the Defense Health Agency (DHA) community is recognizing the importance of cybersecurity.
The seven cyber sessions were:
Clearly, the defense health community is paying a lot of attention to medical devices as a source of vulnerabilities. According to a DHA presentation at the conference, 80% of all successful cyber incidents can be traced back to poor medical device user practices, poor network and management practices, and poor implementation of network architecture.
Medical devices are easy to access on internal networks and device owners are not sure how to secure the devices or the networks.
Everyone tries to lock down the devices. There are thousands of devices in a large hospital. They can’t be 100% secure. They need networks that are digitally resilient, that find devices and non-compliant configurations. Only then can they mitigate the risk to defense health systems. Even though the Defense Health Agency is a new organization, it’s slowly taking over the IT responsibilities of various defense health organizations. As these networks are consolidated into a new network, Med-COI, there has been a tendency to focus on “getting the job done.” To avoid future issues, DHA needs to prioritize understanding what current risks they’re bringing into this new network.
The good news is that all the attendees I spoke with and who dropped by RedSeal’s booth agreed that these were challenges that needed to be addressed.
For more information on how RedSeal can assist with building digital resilience in the Defense Health community, please contact Matt Venditto at mvenditto@redseal.net
Forbes | July 11, 2017
By Dr. Mike Lloyd, RedSeal CTO
A healthy, growing business is a risky business. Why? Modern businesses must innovate, change and grow continuously to stay ahead of the competition. Normally, we look at business agility as a good thing — a differentiator; a challenge to be embraced; a way to shake the invisible hand that drives our world. But from a security viewpoint, all this change is a problem, especially for cybersecurity.
SIGNAL Magazine | May 22, 2017
By J. Wayne Lloyd, RedSeal Federal CTO
As the Defense Information Services Agency (DISA) knows, a network that complies with standards is not necessarily secure. DISA’s new evaluation program, the Command Cyber Operational Readiness Inspection (CCORI), is designed to go beyond standards. Its goal is to provide site commanders and federal agencies an understanding of mission operational risks.
SIGNAL | March 16, 2017
The White House’s first federal budget blueprint unveiled Thursday seeks to fund the nation’s cybersecurity efforts by boosting budgets of the U.S. Defense Department and Department of Homeland Security—an initiative officials say will guard against the magnified threat landscape that is only getting worse.
The budget seeks $1.5 billion for the DHS that will help the government modernize federal computer networks that “can no longer sustain themselves,” White House homeland security adviser Thomas Bossert said a day earlier during Cyber Disrupt 2017, an event hosted by the Center for Strategic and International Studies, or CSIS.
SIGNAL | March 10, 2017
A revised NIST guideline raises the risk profile of M&A deals and presents challenges.
Do you work for a cyber company with federal government contracts? If so, hold onto your hat, because $210 billion in government information technology contracts will expire this year and be re-competed.
Federal IT security spending will continue to grow between 2016 and 2021, despite a relatively flat IT market, according to research firm Deltek. The bottom line: More money will be spread out over fewer contracts. This contract streamlining could mean big changes for the industry. “Consolidating contracting into fewer contracts will heighten competition,” reads a portion of the Deltek report. It also could trigger a wave of mergers and acquisitions as competitors expand their in-house capabilities.