Tag Archive for: Government

Does Your Company have a DFARS NIST 800-171 Time Bomb?

On December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS), revising its earlier August 2015 interim rule on Safeguarding Covered Defense Information.

This new interim rule is a ticking time bomb that gives government contractors a deadline of December 31, 2017 to implement all of the requirements of the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, or lose their contracts.

The NIST Special Publication 800-171 provides federal agencies with requirements for protecting Controlled Unclassified Information (CUI) when:

  • The CUI is resident in non-federal information systems and organizations
  • The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
  • There are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

Cybersecurity and compliance teams at government contractors are searching for technology to automate the necessary but taxing process of implementing the mandated controls and remaining compliant on an ongoing basis. Organizations are finding that it is one thing to implement the 800-171 controls once, but quite another to implement and monitor them continuously.

RedSeal has a history of support for federal government cybersecurity initiatives. The company’s innovative software platform is installed in numerous DoD, intelligence, and civilian organizations for the purpose of continuous monitoring. At the highest level, RedSeal delivers three core security controls: visibility, verification, and prioritization.

RedSeal’s cybersecurity capabilities align with many of the controls in NIST 800-171. RedSeal supports a total of 26 controls in 7 of the 14 NIST 800-171 security requirements families; at a high level RedSeal supports 800-171 control areas as follows:

NIST CONTROL AREA | REDSEAL SUPPORT
Configuration Management | Continuous validation of actual system configurations versus desired state across multi-vendor infrastructure.
Risk Assessment & Incident Response | Prioritization of vulnerabilities for efficient and effective remediation and response.
Network Security Architecture & Access Control | Network map and situational awareness for risk assessment, systems categorization, and segmentation validation.
Security Assessment and Continuous Monitoring | Analysis of the actual, deployed information flow architecture and continuous comparison with the desired architecture and policy.
Planning, Program Management and Acquisition | Inventory, audit and analysis of network security architecture for legacy, new, and acquired systems.

With RedSeal, federal system integrators can significantly reduce the cost and time associated with enforcing compliance against SP 800-171 by automating assessment of many of the SP 800-171 controls. Certain controls have traditionally been difficult to automate, and therefore resource intensive to maintain and audit. However, RedSeal’s unique technology automates and prioritizes these difficult controls, greatly decreasing resource requirements while improving the quality of the control.

The federal government is placing a greater sense of urgency on real-time situational awareness and continuous monitoring to improve the efficiency and effectiveness of responses to emerging security threats, and is now including government contractors in that effort. By implementing RedSeal, organizations can lower the cost of compliance, increase situational awareness, and improve control activity efficacy in an operationally efficient manner.

Will you defuse this bomb in time?

For more information on how RedSeal can assist with NIST 800-171 controls, please contact Matt Venditto, mvenditto@redseal.net or download a more detailed datasheet on NIST 800-171 here.

RedSeal Wins Contract to Support DISA’s Cyber Network Operations

ARMY TECHNOLOGY NEWS | February 2, 2017

RedSeal has secured a contract to monitor the cyber network operations of the US Defense Information Systems Agency (DISA).

Valued at $33.8m, the contract requires the company to model and monitor the infrastructure of the Joint Regional Security Stacks (JRSS), a US Department of Defense (DoD) programme to create a standard security architecture, which will eventually support more than 95% of the DoD’s network.

U.S. Defense Information Systems Agency (DISA) JRSS Program Chooses RedSeal for Continuous Monitoring of Cyber Network Operations

SUNNYVALE, Calif. – RedSeal (www.redseal.net), a leader in the network modeling and scoring market, announced that the Defense Information Systems Agency (DISA) has awarded a multi-year contract for its network modeling and risk scoring platform valued at $33.8M.

In an effort to create a highly-resilient global DoD network, DISA will use RedSeal to model and continuously monitor the infrastructure of the Joint Regional Security Stacks (JRSS), provide visibility into network segmentation and measure overall resiliency to deliver risk based situational awareness.

JRSS is a Department of Defense (DoD) program that creates a single, standardized security architecture, which will eventually support more than 95 percent of the DoD’s network. JRSS performs firewall functions, intrusion detection and prevention, enterprise management, virtual routing and forwarding (VRF), and a host of other network security capabilities. By deploying JRSS, DISA centralized the security of its networks into regional architectures, moving away from the more vulnerable, locally distributed architectures spread across each military base, post, camp, or station.

“The JRSS stacks are located at strategic military installations around the world, creating a massive, varied and dispersed network that supports critical military services. Its resilience is a matter of international security,” said Kimberly Baker, VP and GM RedSeal Public Sector. “From Fort Meade, the Joint Management Program monitors, manages and controls DoD digital operations all over the world. They need effective metrics to understand the real-time health of the global network, and RedSeal proved to be the best choice for ensuring its resilience under relentless probing and attack.”

To further improve the resilience of their networks – and as a result of this agreement – DISA will be providing RedSeal’s powerful modeling and risk scoring platform to all U.S. Army networks, USAF boundary networks, and several other COCOM networks.

“The new cyber battleground is inside the network, not at the perimeter,” said Ray Rothrock, chairman and CEO of RedSeal. “DISA chose RedSeal because our platform will help them more clearly manage and measure their cyber strategies and investments. This selection by DISA underscores the value RedSeal delivers to military and federal organizations, as well as enterprises at-large. As a company, we’re proud to help DISA’s teams be more resilient by being better prepared to sustain critical operations and protect high-value assets.”

About RedSeal

RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital world. RedSeal helps customers understand their network from the inside, out – and provides rich context, situational awareness and a Digital Resilience Score to help enterprises measure and ultimately build greater resilience into their infrastructure. Government agencies and Global 2000 companies around the world rely on RedSeal to help them improve their overall security posture, accelerate incident response and increase the productivity of their security and network teams. Founded in 2004, RedSeal is headquartered in Sunnyvale, California and serves customers globally through a direct and channel partner network.

Trump Administration Should Read and Heed Obama Cyber Report

SIGNAL | January 31, 2017

By Ray Rothrock

As the nation deals with intelligence reports of Russian hacks of the U.S. presidential election, some of us in industry are pondering how President Donald Trump will tackle cybersecurity issues.

He already has a good road map. In December, the Commission on Enhancing National Cybersecurity issued its “Report on Securing and Growing the Digital Economy.” Kudos are in order. It is high time the executive branch dug deeply into cybersecurity issues.

Shadow Brokers Turn Out the Lights

The Shadow Brokers are turning out the lights. On their way out they dumped another suite of alleged National Security Agency hacking tools. Unlike last time, when the released exploits focused on network gear from vendors such as Cisco and Fortinet, these tools and exploits target Microsoft Windows operating systems. Most of the sixty-plus exploits are already detected by antivirus vendors such as Kaspersky, and it is a safe bet that all antivirus vendors will detect them shortly.

In the Shadow Brokers’ farewell post, they say they are leaving the account open for someone to deposit 10,000 bitcoins — the equivalent of $8.2 million — to obtain the entire cache of alleged NSA hacking tools. To date, no one has paid the requested amount. With such a high price, it has been speculated that the Shadow Brokers never seriously expected anyone to pay. This leads some to believe they are associated with a nation state that is trying to cause headaches for US spy agencies and the administration.

What can be done to protect your systems from these tools and exploits? Basic security practices, of course. Keep your systems up to date with patches and operating system releases. Practice your usual good cyber hygiene, such as not clicking on links in emails. Be conscientious about what you plug into your home or business computers, as a lot of malware can spread through external hard drives and USB sticks.

Also, it is imperative to have good backups and to test them. Many times after a breach occurs, organizations find out too late that they have never tested their restore procedures to verify they have good backups. Or they learn that their backups have been infected with malware from previous backups of compromised systems.

Have an incident response plan in place and practice it regularly. Having a plan is great, but you need to practice to make sure your team can execute it. A plan without practice is the equivalent of a firefighter knowing it takes water to put a fire out, but not knowing how to get the water off of the fire truck and onto the fire.

Know your network, and consider using RedSeal. Even if you don’t use us, knowing your network will lead to greatly enhanced resilience and enable your incident responders to keep business and mission critical systems online and functioning during an incident. Security is not sexy, despite what Hollywood depicts. There is no silver bullet that will magically make your network impervious. It takes hard work and continuous effort to build and maintain resilient networks. So, do you know yours — completely?

RedSeal Cloud Security

On the Way to SDN and the Cloud: Building Resilient Networks

Willis H. Ware, a research scientist at the Rand Corporation working for the United States Air Force in 1967, predicted that ARPAnet would be a disaster if security wasn’t built into the project.

He was overruled.

In January 2013, the Final Report of the Defense Science Board Task Force on Resilient Military Systems and the Advanced Cyber Threat was issued and confirmed what Willis knew back in 1967.

The report’s findings made for sober reading:

  • The United States cannot be confident that our critical information technology systems will work under attack. This is also true for our allies, rivals, public and private networks.
  • The DoD and its contractor base are high priority targets that have already sustained staggering losses of system design information.
  • The DoD should expect cyber attacks to be part of all conflicts in the future, and should not expect enemies to play by our version of the rules.
  • There is evidence of attacks that exploit known vulnerabilities in the domestic power grid and critical infrastructure systems.
  • The impact of a destructive cyber attack on the civilian population would be even greater:
    • In a short time, food and medicine distribution systems would be ineffective.
    • Law enforcement and emergency personnel capabilities could be barely functional in the short term and dysfunctional over sustained periods.
    • Expect physical damage to control systems.
    • Months to years could be required to rebuild and reestablish basic infrastructure operation.

So… the current situation is really bad.

Do cloud computing and the rise of software-defined networks (SDNs) make things better? Government and enterprises are receiving huge benefits by moving into the cloud. You can quickly and efficiently create an SDN, but cloud computing and software-defined anything is still software. And software will have errors. How do you test or QA it? Is your central control node secure? How much do you know, really?

If this word “software” doesn’t scare you, then you’re not thinking about it hard enough.

In the Defense Science Board Task Force’s report, the seventh recommendation is to build a cyber resilient force and a set of standards and requirements that incorporate cyber resiliency into the cyber critical survivable mission systems.

What is their definition of resilience?

Resilience: “Because the Defense Department’s capabilities cannot necessarily guarantee that every cyber attack will be denied successfully, the Defense Department must invest in resilient and redundant systems so that it may continue its operations in the face of disruptive or destructive cyber attacks on DoD networks.” – Ash Carter, Secretary of Defense, April 2015

The report highlights a need to continuously model and test DoD’s systems to determine how resilient they are. This requires a measurement or a metric for resilience.

Managing and measuring cyber resilience

Up until now, measuring cyber resilience has been an impossible challenge. Now, RedSeal’s cybersecurity analytics platform has been deployed successfully by federal agencies and departments. With RedSeal you can:

Understand your cyber terrain
You have to understand your cyber terrain in order to secure it, defend it, and respond to incidents appropriately and swiftly. Operating without understanding your network is like stumbling around your unlit house at night looking for the burglar that just broke in.

Model and measure
With a network sand table, defenders can now see where their high value assets (HVAs) are and answer important questions:

  • How can they be accessed?
  • How exposed are they?
  • Are defenses deployed in the appropriate places?
  • Exactly where are the sensor-reported incidents?

Verify compliance, establish and manage standard policies
RedSeal lets you know if your network is constructed as you think it is, to allow only authorized access to your data. RedSeal reads in information from devices on your network, including those parts hosted in the cloud. Then, it calculates the access actually allowed from any point on your network to any other and updates as changes are made, so you can verify and maintain compliance with regulations and policies.

Understand the security impact of network changes
RedSeal enables you to simulate attacks before they happen. You can understand your defensive posture by finding the weak points and measuring ease of compromise.

Understand access in hybrid networks
Cloud providers have cloud solutions to manage your cloud-based network. But most organizations don’t have a pure cloud network; their networks are hybrid. You have some infrastructure that you manage, some in the cloud, and some virtualized. We show organizations how all parts of their networks connect to everything else.

Cloud providers don’t know what your legacy environment looks like. You need to be able to draw together your physical and cloud infrastructure in more than just a picture. At RedSeal, we believe you have to understand the end-to-end behaviors of your networks. To do this, we do very deep access calculations based on the configuration files of all your network devices – virtual or not. RedSeal determines how your infrastructure actually works, so you can continually validate that you built what you thought you were building.

You can ask all kinds of questions of your RedSeal network model. You can determine if the back end of your cloud infrastructure is accessible from the internet – and how. You can see paths that reach from the real world to the virtual world. We’ve invested a lot of time and effort at RedSeal, so you can see your cloud infrastructure and how it connects to your physical or virtual infrastructure.

RedSeal provides security metrics
RedSeal gives you an overview of your network, measuring:

  1. The completeness of your inventory of assets and systems. It identifies devices you may not know about.
  2. All the connections between devices.
  3. How well your network devices are configured for security.
  4. The actual risk to your data, based on how accessible known vulnerabilities are.
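The access calculation, attack simulation and vulnerability-reachability metric described in the sections above can be illustrated with a small model. The following is an added example written for this page, not RedSeal’s code: every zone, device ACL, host and address in it is constructed sample data, and the policy, the deliberately over-broad `10.0.0.0/8` rule on `core-fw` and the "vulnerable port" inventory are assumptions. It reads each device’s rules, computes which flows can actually traverse the network, compares that with the intended segmentation policy, and then stages an attacker’s reach to vulnerable hosts, including pivoting through a host reached in an earlier stage.

```python
# Toy access model: ACLs -> reachable flows -> policy check -> staged exposure.
# Added example; all zones, devices, rules, hosts and addresses are constructed.
from collections import deque
from ipaddress import ip_address, ip_network

# Zones and the address ranges behind them (constructed).
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("10.1.0.0/24"),
    "app": ip_network("10.2.0.0/24"),
    "db": ip_network("10.3.0.0/24"),
}
# Enforcement points: the zones a device sits between and its ACL as
# (action, source net, destination net, port); first match wins, implicit deny.
DEVICES = {
    "edge-fw": {"zones": {"internet", "dmz"},
                "acl": [("permit", "0.0.0.0/0", "10.1.0.0/24", 443)]},
    "core-fw": {"zones": {"dmz", "app", "db"},
                "acl": [("permit", "10.1.0.0/24", "10.2.0.0/24", 8080),
                        # Meant for app -> db only; the /8 source is the constructed mistake.
                        ("permit", "10.0.0.0/8", "10.3.0.0/24", 5432)]},
}
# Intended segmentation policy: (source zone, destination zone) -> allowed ports.
POLICY = {("internet", "dmz"): {443}, ("dmz", "app"): {8080}, ("app", "db"): {5432}}
SAMPLE_IP = {"internet": "203.0.113.10", "dmz": "10.1.0.10",
             "app": "10.2.0.10", "db": "10.3.0.10"}
PORTS_OF_INTEREST = {22, 80, 443, 5432, 8080}
# Host inventory: address and ports with a known unpatched vulnerability (constructed).
HOSTS = {"web-1": ("10.1.0.10", {443}), "app-1": ("10.2.0.10", set()),
         "db-1": ("10.3.0.10", {5432})}


def zone_of(ip):
    """Zone whose range contains ip; the most specific prefix wins."""
    addr = ip_address(ip)
    return max((z for z, net in ZONES.items() if addr in net),
               key=lambda z: ZONES[z].prefixlen)


def device_permits(dev, src_ip, dst_ip, port):
    """Evaluate a device ACL first-match-wins with an implicit deny at the end."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for action, src_net, dst_net, acl_port in DEVICES[dev]["acl"]:
        if s in ip_network(src_net) and d in ip_network(dst_net) and acl_port in (None, port):
            return action == "permit"
    return False


def find_path(src_ip, dst_ip, port):
    """Breadth-first search over zones; a device can be crossed only if its ACL
    permits this flow. Returns the devices on the path, or None if blocked."""
    start, goal = zone_of(src_ip), zone_of(dst_ip)
    if start == goal:
        return []  # same zone: no enforcement point in between (assumption)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        zone, path = queue.popleft()
        for dev, cfg in DEVICES.items():
            if zone not in cfg["zones"] or not device_permits(dev, src_ip, dst_ip, port):
                continue
            for nxt in cfg["zones"] - {zone}:
                if nxt == goal:
                    return path + [dev]
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [dev]))
    return None


def policy_violations():
    """Flows the devices actually permit that the intended policy does not allow."""
    found = []
    for src in ZONES:
        for dst in ZONES:
            if src == dst:
                continue
            for port in sorted(PORTS_OF_INTEREST - POLICY.get((src, dst), set())):
                path = find_path(SAMPLE_IP[src], SAMPLE_IP[dst], port)
                if path is not None:
                    found.append((src, dst, port, path))
    return found


def exposure_from(attacker_ip="203.0.113.10"):
    """Staged reach: hosts whose vulnerable port is reachable directly from the
    attacker (stage 1), then from any host already reached (pivoting)."""
    exposed, frontier, stage = {}, [attacker_ip], 1
    while frontier:
        newly = []
        for src in frontier:
            for name, (ip, vuln_ports) in HOSTS.items():
                if name not in exposed and any(
                        find_path(src, ip, p) is not None for p in vuln_ports):
                    exposed[name] = stage
                    newly.append(ip)
        frontier, stage = newly, stage + 1
    return exposed


if __name__ == "__main__":
    for src, dst, port, path in policy_violations():
        print("policy violation: %s -> %s port %d via %s" % (src, dst, port, path))
    print("exposed hosts by stage:", exposure_from())
```

Run as a script, the model reports one violation (the dmz zone can reach the db zone on 5432 through `core-fw`, which the policy never allowed) and an exposure map in which `web-1` is reachable from the internet at stage 1 and `db-1` becomes reachable at stage 2 only by pivoting through it. The same policy check run again after each configuration change is the "continuous comparison with desired architecture" the page describes; the stage number is a simple stand-in for its "ease of compromise" measure.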

RedSeal’s smartphone app provides a measurement and trend summary for executives or “on the go” security management.

Why is the RedSeal Digital Resilience Score important?

  • Gives you a measure of security effectiveness so you know where to allocate resources and funding.
  • Helps you understand your security posture: are you better today than you were yesterday?
  • Allows senior staff to empirically understand network risk.
  • Grades different networks across various departments or agencies.
  • Verifies that networks are designed and operating for security as intended.

For more on this subject, listen to the free webinar, On the Way to SDN and the Cloud: Building Resilient Networks.

RedSeal CEO: Executives Need “Visualization” to Help Determine Cybersecurity Effectiveness

GOVERNMENT SECURITY NEWS | December 22, 2016

The past two weeks have been affirming ones for Ray Rothrock and his team at RedSeal.

Just hours after his company shared their findings regarding corporate executives and their cyber naivete – including an alarming statistic showing more than 80 percent of CEOs are confident in their companies’ strategies even as cyber incidents continue to rise – officials from Yahoo announced they discovered a breach that originated three years ago and compromised the data of more than a billion users.

RedSeal Recognized as Best Cyber Operational Risk Intelligence by GSN Homeland Security Awards Program

Government Security News | Dec 19, 2016

Government Security News announced today that RedSeal has been recognized for Best Cyber Operational Risk Intelligence as part of its 8th annual Homeland Security Awards Program.

Judging in this category is based on a combination of increase in client organization’s security, technological innovation or improvement, filling a recognized government IT security need, and the flexibility of a solution to meet current and future organizational needs.

Cybersecurity Pros Tell Trump to Heed Commission’s Recommendations

SC Magazine | December 6, 2016

Cyber industry executives are weighing in on the presidential Commission on Enhancing National Cybersecurity’s Report on Securing and Growing the Digital Economy, identifying several areas they feel the commission nailed when it comes to improving our nation’s cybersecurity and what the upcoming Trump administration needs to focus upon.

Centralize Cybersecurity? Secretary Pritzker Doesn’t Think So

Last month, Secretary of Commerce Penny Pritzker appeared in front of the President’s Commission on Enhancing National Cybersecurity and the subsequent article in FedScoop caught my attention.

She is very concerned that the President’s Commission could mandate that all US Federal Government information technology be consolidated under one organization’s authority. According to Secretary Pritzker, a mandate like this would make it difficult for an agency’s leadership to enforce cyber security initiatives addressing their specific needs.

In other words, one size does not fit all.

Is she correct to be worried? It may be worthwhile to turn our eyes to our northern neighbor, Canada, where this consolidation is taking place right now. Canada frequently looks to our government before adopting a new practice. In this instance we can learn from their experience.

Currently, the Canadian government, including their equivalent of the Department of Defense and Intelligence community, is reorganizing and consolidating many small agencies into fewer larger agencies called Portfolios. This consolidation is not just on the cyber security front; the entire government is moving from 47 individual agencies to 28. This reorganization and consolidation is causing a lot of internal uproar since many former agency CIOs and CISOs now have to report to someone else. Former leaders no longer have a say in what they used to manage, with the authority moved to others higher up in the organizational chart. Additionally, the Canadian government is consolidating their 308 data centers into 40 to 80 super data centers. This will be a huge undertaking similar to our consolidation into Trusted Data centers. It is still too early to know if it will be worth the growing pains. But, I wonder if Canada’s governmental eye is being taken off the cyber ball.

Secretary Pritzker raises some interesting questions that we should fully consider:

  1. Is over- or under-centralization a root cause of the government’s less-than-perfect response to cybersecurity?
  2. Where should “authority, responsibility and capability” (and budget!) for improving cybersecurity lie? A White House cyber czar? The new federal CISO? The Cabinet Secretary level?
  3. Is a hybrid approach best? A mix of centralized cybersecurity services with agency-specific toolsets?
  4. Should there be a united fedciv.gov network like .mil? A unified email system for all fedciv employees?
  5. As the Canadians are doing, would it be better to reorganize cybersecurity efforts independently of the agencies they serve rather than doing everything all at once?

All in all, there are a lot of similarities between what is currently happening in Canada and the organizational recommendations that may come out of the President’s commission. I’m suggesting the US could learn a lot from our northern neighbor and ally.