Tag Archive for: Wayne Lloyd

‘Red Teams’ Need to Deliver Context — Let’s Help Them

Working on a Red Team is frustrating. I know, I was on one.

Red Teams work hard penetrating systems, gathering data and presenting findings to senior management only to get strongly dismissive responses- “So what?” This is frequently followed by an order to not to share detailed information with the Defensive Cyber Operations (DCO) teams defending the network. Sometimes the reason is obvious. Sometimes not.

I came to realize that the underlying problem is that the findings don’t include enough information to make an impact on a culture of inertia that comes with the cybersecurity world. I have actually had executive leaders tell me they would lose plausible deniability.

This obviously sub-optimal situation hasn’t changed since my time serving on a Red Team.

The DOD Office of Inspector General just released a new report, “Followup Audit on Corrective Actions Taken by DoD Components in Response to DoD Cyber Red Team-Identified Vulnerabilities and Additional Challenges Facing DoD Cyber Red Team Missions.

This was a check up on the earlier report “Better Reporting and Certification Processes Can Improve Red Teams’ Effectiveness,”  a more easily understandable title.

They investigated three areas to see what had changed in eight years.

  • Did DoD Cyber Red Teams support operational testing and combatant command exercises?
  • Were corrective actions being taken to address DoD Cyber Red Team findings?
  • Did the assessed risks affect the ability of DoD Cyber Red Teams to support DoD missions and priorities?

The results? In a word: No.

The data generated by Red Teams and the teams conducting Defensive Cyber Operations is still not being shared. Worse, even with better procedures, part of the problem is that both the results and the analysis of the results of penetration testing and vulnerability management functions are superficial.

They don’t pass the “so what” test.

But, Red Teams can’t do their job well unless they have an accurate map of the cyber terrain to put information into a larger context. This context is more important for reducing the risk to missions.

Unique in the industry, RedSeal can model and evaluate Layers 2, 3, 4 and now 7 — application-based policies. And, it includes endpoint information from multiple sources.

If both Red Teams and the DCO teams tasked with defending the cyber battlespace can easily analyze 3-4 layers of complex attack depth to connect vulnerabilities exposed to the Internet with pivots and attack paths buried deep in a network’s hybrid infrastructure, their recommendations will be seen as worthy of immediate attention. This will lower the risk to mission in a real way.

Maybe then, senior management will listen, the process will radically improve, and the DOD Inspector General will not have to write a report saying nothing has changed in seven years.

For more information, click here to speak with a RedSeal government cyber expert.

Taking a fresh look at security for the remote workforce

FedScoop Radio | April 30, 2020

Chief information security officers are working diligently to ensure the productivity of temporarily homebound agency employees, while still adhering to the fundamentals of effective cybersecurity practices.

Because employees are connecting from home, often with their own equipment, there is an increased risk of an employee exposing agency networks to a whole host of security risks, says Wayne Lloyd, federal chief technology officer at RedSeal.

Real World Versus Cyber Hygiene

As I watch the drama on the news unfold it is striking to me how similar the tactics for defending against a spreading virus are to cyber defense.

Washing your hands equates almost exactly to cyber hygiene tactics like patching.

Social distancing is nothing more than putting barriers up to prevent the spread of attacks, which is called network segmentation in the cyber world.

What do we do in the cyber world when a system is infected? We quarantine it and try to determine what else could have been infected. Unfortunately for the physical world, there is no automated way to make sure people are practicing proper hygiene, maintaining proper distancing, and isolating infected and vulnerable people. Fortunately, this is not the case for cyber warriors, where RedSeal automates all these arduous tasks.

With RedSeal’s cyber terrain analytics platform and professional services, government agencies improve their resilience to security events by understanding what’s on their networks, how it’s all connected, and the associated risk. RedSeal verifies that network devices are securely configured; validates network segmentation policies; and continuously monitors compliance with policies and regulations. RedSeal continually checks to see if a network’s segmentation is working as designed, ranks end point vulnerabilities in order of risk, and adds knowledge of your network to determine how accessible the vulnerability is to untrusted networks and what it will expose if compromised.

So, when a breach does occur, the RedSeal can tell you exactly what is exposed to an attack and deliver the information needed to contain it.

If only the real world had this capability, I might be able to eat at my favorite restaurant tonight.

Click here to lean more about Cyber Hygiene with RedSeal.

A Resilient Infrastructure for US Customs and Border Protection

The Customs and Border Protection agency recently announced an official 2020-2025 strategy to accomplish their mission to “protect the American people and facilitate trade and travel.”

The strategy comprises only three goals, one of which is to invest in technology and partnerships to confront emerging threats. This includes an IT Infrastructure that provides fast and reliable access to resilient, secure infrastructure to streamline CBP work.

So, of everything CBP wants to accomplish in the next five years, delivering a resilient, secure infrastructure is right near the top.

Both Verizon’s Data Breach Investigations Report and Crowdstrike’s Global Threat Report agree that more than 90 percent of intrusions are due to failures in basic, continuous cyber fundamentals. These include patching, ensuring network devices are deployed securely, and firewall rules and access control lists enforce the network segmentation you intended.

These cybersecurity fundamentals can be tedious and repetitive, but they are the foundation of security and beyond that, cyber resilience.

Cyber resilience has three parts:

  1. Being hard to hit
  2. Having the ability to detect immediately
  3. Responding rapidly.

RedSeal is a solution purpose built to improve and track resilience.

We give you a way to measure resilience and improve the security of your infrastructure.

RedSeal’s cyber terrain analytics platform identifies cyber defensive gaps, runs continuous virtual penetration tests to measure readiness, and helps an organization capture a map of its entire network infrastructure. The RedSeal platform delivers continuous monitoring through the collection and correlation of change, configuration assessment and vulnerability exposure information. Turning these capabilities into cyber resilience measurements gives managers, boards of directors and executive management the understandable and actionable security metrics they need to drive towards digital resilience.

Cyberattack surfaces and complexity are only expanding as all commercial, US government and DOD networks modernize and move to cloud and software defined networks (SDN). Automating the basics so organizations and departments can be digitally resilient continuously in the face of an attack has never been more necessary.

To ensure its IT infrastructure is resilient and secure as it is rolled out, the CBP needs to focus on mastering the cyber fundamentals and measuring that progress by deploying RedSeal’s cyber terrain analytics platform. Click here to learn more.

Security Orchestration and Automation Response Solutions (SOAR) and RedSeal

Over the past few years, Security Orchestration, Automation, and Response (SOAR) tools have emerged as multi-faceted and ever-present components in a Security Operations Center (SOC), enabling security teams to centralize incident management, standardize processes, and reduce response times through automation and artificial intelligence (AI).

The security orchestration, automation and response (SOAR) market, as defined by Gartner in 2017, evolved from three previously distinct technologies: Service Oriented Architecture (SOA), security incident response platforms (SIRPs) and threat intelligence platforms (TIPs).

In 2019, Gartner released their latest and most comprehensive research on the SOAR market to date– Market Guide for Security Orchestration, Automation and Response Solutions. In it, Gartner tracks the growth of the market over the past few years, provides a representative list of SOAR vendors, and delivers advice that security practitioners should keep in mind while procuring SOAR tools.

Moreover, AI security is listed in their Top Ten Strategic Technology Trends for 2020, which says:

“AI and ML will continue to be applied to augment human decision making across a broad set of use cases. While this creates great opportunities to enable hyperautomation and leverage autonomous things to deliver business transformation, it creates significant new challenges for the security team and risk leaders with a massive increase in potential points of attack with IoT, cloud computing, microservices and highly connected systems in smart spaces. Security and risk leaders should focus on three key areas — protecting AI-powered systems, leveraging AI to enhance security defense, and anticipating nefarious use of AI by attackers.”

Gartner states that SOAR tool deployment is now more use-case driven than ever. The use cases depend on the maturity of the organization, the capabilities of the SOAR tool, and the processes most ripe for automation, among other things. According to Gartner:

“SOAR selection in 2019 and beyond is being driven by use cases such as:

  • SOC optimization
  • Threat monitoring and response
  • Threat investigation and response
  • Threat intelligence management”

SOAR Doesn’t Know What It Doesn’t Know.

The problem we see with deploying security automation is the quality of the information put into it. How do you deploy a SOAR tool if you don’t know for sure if the data being used is accurate? Is good enough good enough?

Security solutions based on automation can also have blind spots. How do they know that they can see everything? In fact, they don’t know what they don’t know.

RedSeal data can better refine how a SOAR solution makes its decisions to take or not take actions in the above use cases. RedSeal gives a SOAR tool a deep understanding of the network environment it operates in. It is not enough to identify and react to an indicator of compromise, we need to understand what an intruder can reach from there.

Does the device have access to a high value asset (HVA) or to the key cyber terrain of your environment?

If not, don’t worry and carry on with the automated processes.

If yes, then that is an indication to do more investigation and look at how this access could have happened in the first place.

And during a follow-on, after-action review you can investigate important issues like how the intrusion happened in the first place. Only RedSeal shows you what’s on your network, how it’s connected and the associated risk, so you can better prepare for and contain problems within minutes and not days.

What if RedSeal could improve your understanding? Would that interest you?

If yes, click here to set up a time to speak with a RedSeal representative about how to integrate RedSeal with your preferred SOAR tool.

How Defense Contractors Should Prepare for a Cyber Proxy War With Iran

ClearanceJobs | January 10, 2020

A plan of action should include some key fundamentals, explained Wayne Lloyd, federal CTO for RedSeal, a cyber terrain modeling company. This can include: Identifying critical data and where it is housed; knowing what assets – physical and virtual – are on your network; hardening your network devices, making sure they are securely configured; reviewing endpoint data sources to make sure you have full coverage of all endpoints on your network; and ensure that your vulnerability scanner is scanning every subnet.

What’s your agency’s cyber resiliency score?

FedScoop | January 8, 2020

Eighteen months have passed since that day on June 27, 2017, when an IT administrator, working for the world’s largest shipping conglomerate, watched helplessly as one computer monitor screen after another in Maersk’s Copenhagen headquarters went black.

The question as we head into 2020 is, what lessons can we take away from that incident — and in particular, what should leaders operating federal agencies be doing differently today as a result?

Network Resilience vs. Cyber Resilience

SIGNAL Magazine | January 6, 2020

There are certainly similarities between network resilience and cyber resilience. The foundation for both is the ability to maintain business or mission capabilities during an event, such as a backhoe cutting your fiber cables or a nation-state actively exploiting your network. But there are also significant differences.

Is Process Killing Digital Resilience and Endangering Our Country?

After reading a Facebook comment on “Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts,” I’m compelled to respond.

I work a lot with the Navy (and the DOD as a whole) as a vendor. I spent 26 years in the intelligence community as a contractor running datacenter operations, transitioning to cybersecurity in the late 1990s.

From my past insider experience to my now outside-in view, “process” is one of the biggest hurdles to effectively defending a network. Process frustrates the talented cyber warriors and process is what managers hide behind when a breach that happened six months or more ago is finally detected.

Process = regulations.

Processes are generally put into place in response to past incidents. Simple knee jerk reactions. But things change. We need to review and change our processes and regulations, and, in some cases completely tear them apart to allow our talented cyber warriors to defend our networks. New regulations would allow them to get into the fight. They may even remain in their jobs longer, rather than leaving for industry — taking expensive training and irreplaceable knowledge with them.

One of my coworkers was on a Cyber Protection Team (CPT) for a major military command. He left to work in a commercial SOC. At one point, his team pitched their services to the top echelon of a service branch. As they introduced my coworker, he was asked why he left military service. My coworker, being an Army Ranger, and then an enlisted sailor, is pretty direct. He said, “Because you’re not in the fight. You’re more worried about the policy and process, while I’m here every day fighting the Russians, Chinese and Iranians.” One officer turns to the others and said, “This is exactly what I mean.”

Too much process and regulation restrict the agility needed for prompt incident response. To resolve incidents quickly (and minimize damage), cyber warriors require trust from their leadership. Trust in their abilities to make quick decisions, be creative, and quickly deploy lessons learned.

The very cyber warriors whose decisions they question are the same ones they blame when things go wrong.

As always, Target is a prime example. It was a low-level cyber warrior who found the “oddity” when doing a packet capture review. He notified Target leadership. But they didn’t act. They ignored him until their credit cards were on the dark web. Then, they went back to the young cyber warrior and fired him. He asked why. After all, he identified the problem first. The response from his leadership was: “Well, you didn’t make your point strong enough for us to take action on.”

The military has the same mentality. But, since many of them have even less knowledge of real-world hacks then private sector management, they take even more time to make decisions. Another friend told me about a time when he was on active duty and found evidence that someone had exploited the network. When he reported it, his leadership kicked it back because there was “not enough evidence.”  He then broke down the exploit and was able to provide the address and phone number of the adversary in Russia. Finally, they acted, but his CO did not want to report it to higher HQ because he was afraid of the fallout.

My friend reminded his CO that they were part of a carrier strike group, and all their data was incorporated into the fleet. Once again, he was ordered to fix it and not report it. He really believed that the only way to protect the group would be to send an anonymous email. This cyber warrior had to choose between disobeying orders and protecting our country.

Let’s not put our talented cyber warriors into this trap. Process and regulations need to be flexible enough to allow these people to protect our country – quickly.

Learn more about RedSeal’s support of cyber protection teams and our approach to digital resilience in the DOD.

 

By working together, our government can provide a unified front in the face of an evolving threat landscape

Nexgov | March 8, 2019

By RedSeal Federal CTO Wayne Lloyd

During the recent State of the Union address, President Trump spoke of many threats that face our nation, however, he missed a big one. Cyberattacks from China, Russia, Iran, other nation-state actors and cyber criminals alike are on the rise and have the potential to impact industry, our economy and the government functions many rely on. Cybersecurity is a growing part of our national security and the federal government must take steps to improve our preparedness and response times.