Tales from the Trenches: Vol 10 — You Don’t Know What You Don’t Know
Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.
In this edition of the series Michael Wilson, Senior Network Security Engineer, explains how RedSeal empowers customers to verify their contractors are following security best practices and have their organization’s best interest in mind.
You Don’t Know What You Don’t Know
In my customer’s environment, the network is segmented and managed by both the customer and several contracted partners. It is a difficult task to have visibility into an entire network that is distributed across several different contracted partners, let alone keep track of all of the devices and changes that can occur across a network. The adage of ‘you don’t know what you don’t know’ is very relevant in a situation like this. RedSeal has the ability to provide my customer with a single pane of glass to see all these network segments that are managed by different contracted partners.
The customer’s RedSeal deployment runs daily collection tasks, and the customer can see any changes that occur to their network from day to day. One morning, I logged into RedSeal and started my daily maintenance tasks, which includes ensuring that data collections ran correctly, and analysis was performed successfully, and I noticed that there was an increase in device count. This was a cause for investigation, as new devices being brought into RedSeal without any new data collection tasks is a possible indicator of compromise.
I notified the customer, and I started to investigate. I noticed that these changes occurred in the customer’s SDWAN environments. This SDWAN environment uses clusters to manage edge devices, and the customer has devices spread around in many different locations. The environment is managed by one of the customer’s contracted organizations and, previously, the environment used 4 clusters to serve all the customer’s edge devices in this SDWAN environment. The additional devices that RedSeal discovered were an additional 20 clusters that upped the total from 4 to 24. Once I started to arrange the new clusters on the map, I started to see that these new clusters were connected in such a way that they were serving specific geographic regions of the customer’s environment. This indicated the contracted partner was making significant changes to the SDWAN environment and the new devices were likely not an indicator of compromise.
Once I determined that this was likely a planned network change, I asked the customer if they were aware that these changes were planned and being implemented to the network. They were not aware of any plans and changes being implemented. I asked the customer to immediately verify that the changes were planned, and the customer discovered that not only were these changes planned, but they had never been notified of these planned changes. This demonstrated a significant lack of communication between the customer and their contracted partners. I was able to use RedSeal not only to discover network changes that occurred on the network, but a fundamental operational flaw of the entire customer’s workflow surrounding network changes. It gave the customer the ability ‘to know what they didn’t know’.
The risks that the customer was unknowingly accepting (and by default, unable to mitigate or remove) through this lack of communication was that the contracted partner was making changes to the customer’s network, which contains devices that have Payment Card Industry (PCI) data running through them. By making changes without consulting the customer, the contracted partner was potentially exposing the customer to a disastrous breach of customer financial information. The reason this could be the case is that the contracted partner does not control the entire customer network and changes in their network segment may unknowingly lead to security holes in other parts of the network that is managed by either the customer directly or another contracted partner. To top it off, the customer would have had no idea of this risk because they were unaware of what was happening on their network. RedSeal was able to become the stop gap and identify that risk and provide the information needed to make an informed and educated decision on what risks to accept, mitigate, or remove.
Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.