Mapping Policy to Your Network

/by

A few years ago, I sat in an otherwise empty classroom inside the administration building of a children’s hospital with two members of their security team. We stared at a spreadsheet and a document that described the server and client zones of their network, displayed from a projector like a classroom project. For each zone, we dug into the details of allowed, forbidden, and approved access. This work was precise and detailed, requiring us to step through subnet addressing, host addresses, and the policy documentation over and over again.

mappingEventually, we had mapped the network security architecture policy to their network, though, and this was a critical next step in protecting kids and their families from the potential evil done by those who would attack the network of a children’s hospital.

The work to dig in and map every network to an appropriate zone is significant, but it’s critical. Regardless of your specific requirements, knowing the purpose of every subnet, each type of host collection you have, and mapping them to a reasonable network security architecture is a critical requirement allowing you to draw lines between parts of your network to avoid the situations that Target and Supervalu have found themselves facing.

As attackers and their attacks become ever more sophisticated and patient, your security zones and the implementation of security controls between them is your only real defense. Of course, using automation to monitor those controls and ensure that they are implemented correctly, consistently, and completely is equally vital. More on that in an upcoming post.

Staying on Top of Security

/by

Wall Street values companies based on their performance over time.  That performance is measured in revenue growth and profit, but it is also measured by the reliability with which results can be predicted. Predictable results makes everyone happy.  Wall Street doesn’t like surprises, and neither does a CEO.  At some level, I suppose, the CEO’s job is to grow the business with as few moving parts as possible, eliminating potential surprises that could upset predictable results.

ray-staying-on-topThis becomes difficult when you realize that the very foundation of every modern business, the network, is full of moving parts and is anything but stable. Technology continues to evolve, new products are introduced, and companies are constantly changing their electronic infrastructure in hopes of improving operations and lowering costs.  This double whammy of new products and the desire to lower costs by changing the network brings complexity, potential vulnerabilities and unpredictability to the business. At the end of it all, one should always ask the question – are things getting better, or not?  Is my network improving or not?  And am I more secure or not? How can I know?

I recently met with the chief executive of a Fortune 20 company.  In our discussion I learned that this CEO gets a cyber report every Monday morning.  Not only does it include what attacks or threats his company witnessed, but it includes information on what is happening in the world as it applies to his business.  This sounds a lot like what the President of the United States gets in his daily briefings from the NSC!  I was totally surprised and delighted that he was taking security so seriously.

What does this mean for you, the CEO?  A cyber event is coming, whether you like it or not.  It doesn’t have to be scary or deadly.  Being prepared with a secure network is now the cost of doing business.  The sooner you start, the less impact it’ll have on your company when it happens to you.

Was It Something I Said?

/by

I was in one of those small, interior conference rooms when it first happened. It was very hot outside, with an obvious threat of another day over 100°F and extreme humidity, as well. But, it felt even hotter in the room. I was there to provide insights to members of the network and security teams for a regional retailer, and only a few minutes into the training, it seemed like everything I said resulted in angry rebuttals. As a pretty easy-going guy, I couldn’t figure out how it was that I had offended the senior network engineer so completely. So, I asked her, “What has you so upset about this information?”

“Simple!” she hissed through clenched teeth pointing across the table, “They are going to just use this to beat me up!”

There, in a nutshell, is a fundamental problem with many IT organizations: different teams have different fundamental objectives and instead of working together and understanding the goals in a more holistic way, they end up in an adversarial relationship, something-i-saidfighting for resources and the favor of the CIO, CFO, and CEO.

It starts with the clear distinction between the role of network operations and security. The network team is responsible for making sure that packets get through. Their phone doesn’t ring as long as everyone gets access to what they need and there are no slowdowns. On the other hand, security is responsible for making sure that some packets do not arrive, protecting network assets from unauthorized access and from potential attacks of various kinds. As a result, the two teams often find themselves diametrically opposed to one another.

The solution to this rests with the CIO as typically the executive responsible for all aspects of the network infrastructure. As a result, the CIO is the place where these divergent objectives join to create a single strategy, and she is the one who can provide the context and vocabulary for unification.

How is this done in your organization? How have you seen it done, perhaps in organizations where it doesn’t work so well (since I’m sure your organization doesn’t have this issue!)? What do you need in order to make sure that the entire IT organization is aligned to the same goals?

Technology Similarity Creates a “Groundhog Day” for Data Breaches

/by

PaymentSource | Sep 22, 2014

Were the Home Depot and Target breaches the work of the same attackers? Only a few people seem to be in a position to know, and so far, they aren’t telling. However, we can still learn a lot from the similarity of the incidents. Read Dr. Mike Lloyd’s commentary on this topic in PaymentSource.

Read Article

Identify and Close Before the Bad Actor Exploits

/by

It happened again yesterday. I was taking a break on my back porch and listening to the Colorado summer rain when an alert hit my phone: news of another breach. They seem to be coming with a disturbingly increasing regularity and with ever more serious consequences. For example, one company, Code Spaces, was completely destroyed when they refused to pay an attacker who then destroyed their customers’ data. The Energetic Bear group accessed utilities’ networks and could have launched attacks against them. In all likelihood, the number, extent, and veracity of these attacks will simply continue to expand.

telescope-smaller_0So what do you do? The good news is that the steps are well known and understood: place security controls into your network to isolate a set of subnetworks (typically called “zones”) and both set and monitor the potential access paths between the zones. This is the first set of defenses against attacks, and one which many organizations do not fully deploy.

It is common for me to see organizations that partially deploy zones – but do not monitor their implementation. This is akin to the multi-petabyte database that contains one incorrect byte of information: you can trust none of the information as a result.

So, the first step is to create clear and concise zones in your network and to analyze all potential access paths through your network to be sure that your zone rules are respected network-wide.

Do you do this? If so, what’s your approach?

The Reality Gap

/by

A couple years ago in a conference room with a window looking out on the Arizona desert, two of us sat down with a customer to talk about their network. I asked to see their best network diagram, which he left to retrieve. When he returned, he rolled it out to its full length on the conference table. He began telling me of a number of inaccuracies that he knew while I looked in the lower right corner for the annotation.

reality-gapThe plot was years old. When I speak to groups of engineers, I often ask how old they think the average organization’s network diagram is. While the guesses vary from 2 to 5 years, everyone recognizes that they are woefully out of date. And that’s a huge deal for attempting to understand and protect your network.

…by the way, in my experience, the average is 5 years old! As a result, many of the technologies deployed didn’t even exist when the last map was made. Making the map current never seems to get to the top of the priority stack, either.

The truth is that if you can’t see it, you can’t secure it. If you don’t know what your network really looks like, you can’t possibly be certain your security controls are properly deployed. Even if you have designed a security architecture aligned with the best practices of network security zones such as those outlined in the PCI DSS, if your architecture isn’t reflected in the operational network, it’s effectively moot.

Similarly, the network and security design teams create a network design that they intend to align with the architecture.

However, when it gets implemented, does it align? Does it stay aligned as equipment changes, requirements evolve, and needs expand? How would you know?

That, of course, is the 100 million-customer-data-record question.

What do you think is the best answer?

We’re Living in Mud Huts

/by

In the modern world, we depend on so many standards to protect us in our everyday lives – without even realizing it. For example, when we walk into a building we expect it will not fall down, even in an earthquake.  But before we walk in, we don’t demand to see the drawings, the engineering, or the credentials of the builder and inspectors.  We don’t even want to see the final certificate of occupancy: we just assume that the building has been constructed according to good, complete standards.

Regrettably, the networking world is not quite to this standard of design and implementation.  Yet, today we completely depend on the networks for business and assume that they are generally well architected, built well, and up to whatever standards of protection and compliance there are.  However, we continually read warnings about doing banking online on a public WiFi network, or change our passwords because people can steal them from company directories, and so on.  Yikes!

hut1You see, networks have been built by so many people over decades, largely without standards for design, inspection and operation, and have grown so large and complex, that basically it’s as if we were living in mud huts from 2000 BC.  Is that any way to conduct your critical business? In a mud hut, that is easily brought down, vulnerable to natural and man-made disasters, and not very comforting on the security front?

I wouldn’t live in a mud hut.  And I doubt you would either.  So, if your network is large, complex, and built by many people over a long period of time, there is a good chance that it may not be as secure as it should be for your business.  Ask your CISO what standards have been used in building your network.  PCI? FISMA? HIPAA? These are just a few, but they are a good start to addressing the needs of good and proper network architecture and design.  But these standards have to be repeatedly checked because the network in which they are implemented changes all the time.  In reality, there aren’t any great standards.  And until there are, and networks are rebuilt in accordance with them, every CEO needs to understand the risk of running his business out of a mud hut.

What Keeps CEOs Up at Night?

/by

Post 3 – What keeps CEOs up at night?

As a CEO, getting a good night’s sleep is harder and harder these days.  We used to worry about competition, labor problems, regulatory issues, financing issues, sales and, if our company was public, our stock price.  In the 21st century there is a new worry – cyber threat.  Cyber attacks are real and they can be devastating.  Cyber threats come in all shapes, sizes, types, and intentions.  And they are, for the most part, completely automated.

ceo-night1Every business depends on its networks, and we have every indication that dependency is increasing at a dramatic pace.  These networks and the technology that makes them run are constantly changing.  They evolve to suit the needs of business, and they are improved in performance and security by new products.  Unfortunately, they are often built without a big view architecture in mind: “just make it work” is often the order of the day.

As CEO, knowing that these networks run more and more of your business, you should be asking your team – is it better today than yesterday?  Is it more secure today than yesterday?  What happened on our network yesterday?

Getting this data in a standard, understandable form is no small task.  Further, because things change often, the CEO needs to know the answer to this question often.  The geeks still build and operate the networks though the business people use them – kind of like cars and roads.  You don’t need to know how they are built, but you do need to know they are safe and reliable.  As CEO, you must care whether your network is safe and reliable and that you have a team in place that can do make it so.

Somewhere Over the Spreadsheet

/by

Two years ago I was standing in front of a group of security geeks in Santa Barbara for BSides LA talking about the sophisticated tools that most network engineers use — like “ping” and “traceroute” and even Excel — and about how the broad range of tools available typically didn’t get used in a primordial jungle of our enterprise networks. Recently, Wired concurred, outlining the widespread use of spreadsheets for a broad range of business functions.

new-spreadsheet1It is embarrassingly common for us to find the majority of network management information in spreadsheets. Lists of devices, lists of firewall rules, hierarchies of networks. All laid out in nicely formatted tabs within multiple spreadsheet workbooks, often stored in SharePoint or Google Docs. But, always, devoid of context and the real meaning of the elements.

This isn’t to say that there isn’t a place for spreadsheets, of course, but I would challenge you to think through how you are using them and whether or not they are giving you the information you need to know rather than believe what your network is really doing.

For example, a couple years ago I was visiting a major retailer as they were working through their PCI audit. They presented the auditor with an annotated spreadsheet containing all of the firewall rules within their infrastructure. The auditor, for his part, recognized that evaluating firewall rules out of context masks the reality of the way a network operates, and asked to review the PCI zones using RedSeal. The insights for the organization and the auditor were rapid and clear, and the organization was able to take steps to improve their overall security as a result.

So, although spreadsheets are valuable for building lists of the “stuff” that makes up your environment, they are no substitute for automation that can show you and tell you what you don’t know you don’t know. What do you keep in spreadsheets? What do you wish your spreadsheets could tell you? What’s the strangest experience you’ve had with spreadsheets?

JIE-READY STEP 4: Develop artifacts for IA and ATO

/by

The design and implementation phases of JRSS and JIE will, very likely, receive a significant amount of scrutiny from Information Assurance (IA) to ensure that numerous standards and guidelines are followed. The goal of this scrutiny is to obtain an Authorization to Operate (ATO). There are many different components of the IA process and developing artifacts to support the ATO effort (unfinished sentence?). RedSeal will provide some unique analysis artifacts that without RedSeal would be extremely cumbersome and time-consuming to obtain. At a high level these items include STIG checking for devices, segment access validation, validation of configuration against standard or gold build, and logical zone compliance.

jiestep4RedSeal’s model of the network will allow for faster artifact development and the development of these artifacts BEFORE deployment. The RedSeal platform has the capability to combine any components of the model (hosts, devices, subnets, etc.) into logical groups. These are referred to as zones (sometimes also called segments or enclaves). Because RedSeal understands all the access in the network, the platform is capable of presenting and measuring all access into and out of the zone and between all other zones or the network at large. It is also possible to write business or policy decisions against those access paths and track those decisions for compliance purposes. This RedSeal use case will assist JRSS and JIE with meeting or exceeding the Department of Defense Ports, Protocols, and Services Management (PPSM) guidelines. These guidelines will be applied to the Joint Regional Security Stack (JRSS) and the components that comprise the stack.

Assessing network access by logically zoning or grouping is one piece of the puzzle. RedSeal will also be assessing the components of the JRSS for compliance with other standards of configuration as mentioned earlier, such as STIGs and gold builds. These device level checks are somewhat customizable as well. Certain components of STIGs require modification to meet the environment, and RedSeal allows for that customization within STIG specific checks. It also allows for full customization or creation of device-level checks in the event a new verification check is needed. Within the RedSeal platform, not only is the security of the network analyzed, the security of the component stack providing the security services is analyzed and verified as well.

The Department of Defense has already begun building JRSS and assessing legacy networks. Understanding that legacy infrastructure, ensuring it is effective and efficient, assessing security and meeting compliance during design and migration and beyond, are critical steps. Are you ready for JIE? RedSeal Networks is.