It’s clear that corporations want to buy insurance to reduce their exposure to losses from cyber-attacks, and insurers have responded to the need. However, most buyers are dissatisfied – the coverage amounts are low, and the covered events are too narrow. From the insurer’s point of view, it had to be this way, due to historic challenges with visibility into cyber risk and liability.
When everyone wants the same kind of policy, the insurer has to think about the systemic risk, and if that systemic risk is poorly understood, each individual policy has to stay small. Think of everyone in a Medieval town wanting to buy fire insurance at the same time – individually, they all want the same thing, but the insurer can’t take on the combined risk without understanding whether the houses are all in the same town, or made of the same flammable material.
https://www.redseal.net/wp-content/uploads/2017/08/Counting-the-Cost-of-Mega-Cyber-Risk-460550113.jpg498702RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-08-10 09:41:342018-05-03 16:08:30Counting the Cost of Mega Cyber Risk
Last week in Orlando, I attended the Defense Health Information Technology Symposium (DHITS) conference. This is one of the best attended, most cohesive trade shows I have been to in years. One of the eight break-out tracks was entirely devoted the challenges of securing defense health networks and the medical devices that connect to them. It was overdue proof that the Defense Health Agency (DHA) community is recognizing the importance of cybersecurity.
The seven cyber sessions were:
Risk Management Framework
Cybersecurity- Decisions, Habits and Hygiene
Are You Cybersecurity Inspection Ready?
Incident Response: Before, During and After the Hack- How
MHS Medical Device Integration and Security: Details Matter
RMF Requirements and Workflows for Medical Devices with the DOD
Security for Connected Medical Devices
Clearly, the defense health community is paying a lot of attention to medical devices as a source of vulnerabilities. According to a DHA presentation at the conference, 80% of all successful cyber incidents can be traced back to poor medical device user practices, poor network and management practices, and poor implementation of network architecture.
Medical devices are easy to access on internal networks and device owners are not sure how to secure the devices or the networks.
Everyone tries to lock down the devices. There are thousands of devices in a large hospital. They can’t be 100% secure. They need networks that are digitally resilient, that find devices and non-compliant configurations. Only then can they mitigate the risk to defense health systems. Even though the Defense Health Agency is a new organization, it’s slowly taking over the IT responsibilities of various defense health organizations. As these networks are consolidated into a new network, Med-COI, there has been a tendency to focus on “getting the job done.” To avoid future issues, DHA needs to prioritize understanding what current risks they’re bringing into this new network.
The good news is that all the attendees I spoke with and who dropped by RedSeal’s booth agreed that these were challenges that needed to be addressed.
For more information on how RedSeal can assist with building digital resilience in the Defense Health community, please contact Matt Venditto at mvenditto@redseal.net
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00Matt Vendittohttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngMatt Venditto2017-08-08 08:34:082018-06-11 10:41:56Defense Medical Communities Face Digital Resilience Challenges
Payment risks and email scams are too complex to pass off to an insurance provider. They call for C-level involvement in making sure the entire trading partner network is secure.
Some CFOs and corporate treasury managers lack a sense of urgency about the need for cybercrime prevention and about the financial hits that could come from cybercrime attacks. Scanning conference rosters, I see an emphasis on cyberinsurance, which ostensibly transfers the risk of loss to someone else, all for the price of a policy. But an effective cybercrime prevention strategy requires much more than that. It requires CFOs to be proactive about making their networks secure.
https://www.redseal.net/wp-content/uploads/2017/07/softwarequality_article_015.jpg4001200RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-07-31 10:09:232018-05-03 16:08:30Time For CFOs to Get Serious About Cybercrime Prevention
Knowing which hosts are involved in a security incident is critical information for anyone who is an incident handler. The quicker the attackers and their targets can be identified the quicker the incident can be stopped. Collecting this information from a plethora of systems and log sources can be difficult and time consuming. Compounding the problem even further Forrester reported that “62% of enterprise security decision makers report not having enough security staff[1].” Lack of resources and time spent verifying devices instead of dealing with the threat right away contribute to the damage done by threat actors.
For an incident response team to perform their job effectively, on top of understanding and responding to threats, they need to understand the network. This includes all entrances to a network, the route information flows through their network, the critical systems needed to run their business, the location of the critical systems within their network, and an understanding of how the attack can spread once the network is compromised. Understanding the network and the topology is the foundation of any good incident response team. How do you protect and contain an outbreak if you don’t understand how it spreads? The network is the medium in which it spreads.
Allowing your incident response team to access the RedSeal appliance will drop your “average time to achieve incident resolution” and “time to containment” KPIs. RedSeal ingests all network device configurations and will show the paths information takes, where the attacks are coming from, and where the targets exist within your network. RedSeal simplifies locating devices by parsing through the NAT, VPN, and Load Balancer configuration files with only a few clicks of the mouse. In a matter of minutes, the incident response team will be able to find where both the target and the attacker exist on the network as well as the path the attack traffic is taking. Otherwise, in most situations, incident response must parse through and follow routing tables manually or engage the network team to get an understanding of the path.
Another challenge incident response teams face is overlooking subnets and devices, especially in large and complex organizations. RedSeal will shine light onto forgotten devices and subnets. Again, with a few clicks of a mouse, RedSeal will analyze the configurations and report if there is a direct connection from untrusted zones to these devices. Once found, the devices can be hardened against threats and appropriate decisions can be made to take them offline, upgrade, or migrate them to a more protected area of the network.
An incident response team’s main goal is to keep the level of impact to an organization down to an acceptable level. It is the time between detection and containment that has the biggest impact on mitigating the severity of the incident and data loss. Stopping the threat faster, before it spreads, also means fewer resources spent in recovering from the impact of the incident. RedSeal reduces the amount of time incident response spends identifying targets, moves the team to stopping the incident faster, and improves your organization’s resiliency against attacks.
[1] Forrester “Breakout Vendors: Security Automation and Orchestration.”
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00Nate L. Cash, Senior Director, Federal Professional Services/ Director of Information Securityhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngNate L. Cash, Senior Director, Federal Professional Services/ Director of Information Security2017-07-18 05:00:112020-05-19 09:25:15Accelerate Incident Response and Investigations
UK financial services body the Prudential Regulation Authority (PRA) has issued a warning to insurers regarding the risk of claims for damages arising from cyber-attacks on their customers.
The PRA recommendations include the carrying out of stress testing of their capability to respond to a large number of claims at once – no doubt inspired by the recent WannaCry and notPetya attacks.
https://www.redseal.net/wp-content/uploads/2017/07/Cyber-Insurance-1.jpg8881252RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-07-13 05:51:312018-12-10 12:45:24SC Media asks the industry: Is cyber attack insurance worth it?
Security teams will gain holistic view of their entire network and boost productivity
SUNNYVALE, Calif. – Today RedSeal increased its capabilities for modeling complex networks by adding a new integration with Cisco Application Centric Infrastructure (ACI). The integration between RedSeal’s network modeling and risk-scoring platform and Cisco ACI expands customers’ ability to create one, unified model of their hybrid datacenters —including devices that are on-premise, virtualized, and/or in a public cloud — and to conduct queries across all of these environments.
The digital infrastructure of today’s modern enterprise includes a complex array of on-premise, cloud and virtualized networks, which are constantly changing, making a complete and detailed understanding of the current state of a network a time-consuming and complex task. RedSeal’s ability to model complete hybrid datacenters – including software-defined networks (SDNs) in VMWare NSX and now Cisco ACI, as well as previously announced enhanced modeling of Amazon Web Services Virtual Private Clouds (VPCs) – gives customers a comprehensive view of their entire as-built network.
The Cisco ACI integration builds on RedSeal’s ability to provide critical visibility into access controls for these hybrid datacenter environments, as well as alert users to violations of customized policies they have established for their organizations. This capability also helps security teams be more productive by allowing them to quickly and accurately model devices and associated policies within the Cisco ACI fabric.
“Enterprise security teams are struggling, as they’re understaffed and under pressure. When it comes to understanding network access across and within all of their network fabrics, they’re in the dark,” said Kurt Van Etten, product VP at RedSeal. “They need a holistic view of their network that’s deeply integrated with their current security solutions. The integration of Cisco’s ACI fabric with the RedSeal platform provides this visibility, giving enterprise security teams much needed context for prioritizing vulnerabilities, accelerating incident response, managing compliance, and improving the overall resilience of their infrastructure.”
________________
About RedSeal RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital world. RedSeal helps customers understand their network from the inside, out – and provides rich context, situational awareness and a Digital Resilience Score to help enterprises measure and ultimately build greater resilience into their infrastructure. Government agencies and Global 2000 companies around the world rely on RedSeal to help them improve their overall security posture, accelerate incident response and increase the productivity of their security and network teams. Founded in 2004, RedSeal is headquartered in Sunnyvale, California and serves customers globally through a direct and channel partner network.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-07-12 05:00:282018-06-11 13:42:15RedSeal Further Expands Its Hybrid Datacenter Modeling Capability with Seamless Integration with Cisco ACI
Threats are constantly evolving and, just like everything else, tend to follow certain trends. Whenever a new type of threat is especially successful or profitable, many others of the same type will inevitably follow. The best defenses need to mirror those trends so users get the most robust protection against the newest wave of threats. Along those lines, Gartner has identified the most important categories in cybersecurity technology for the immediate future.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-07-11 10:50:102018-05-03 16:08:30CSO Online: RedSeal Named in Top Security Tools of 2017
A healthy, growing business is a risky business. Why? Modern businesses must innovate, change and grow continuously to stay ahead of the competition. Normally, we look at business agility as a good thing — a differentiator; a challenge to be embraced; a way to shake the invisible hand that drives our world. But from a security viewpoint, all this change is a problem, especially for cybersecurity.
https://www.redseal.net/wp-content/uploads/2017/07/Dr.Mike-in-Forbes_July11.png10601726RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-07-11 10:45:212018-12-10 12:45:29Business Agility And Security Automation (Or, How The Government Sometimes Gets It Right)
RedSeal CEO Ray Rothrock joined Cheddar TV’s “Closing Bell” show to discuss the impact of cyberattacks on sales and stock prices, and our own government’s ability to be resilient.
Ray’s segment starts at the 1:25:24 mark of the video.
https://www.redseal.net/wp-content/uploads/2017/07/Screen-Shot-2017-07-07-at-7.41.03-AM.jpg6361200RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-07-07 10:17:562018-12-17 14:44:11RedSeal CEO Joins Cheddar TV’s “Closing Bell” to Talk Petya, Cyberattack Impact on Business
The most recent malware campaign hitting Ukraine and the rest of the world is a wiper style malware which is packaged with several propagation mechanisms including the same weaponized Windows SMBv1 exploit utilized by WannaCry. What was initially thought to be a variant of the 2016 Petya ransomware has now been shown to be a professionally developed cyber-attack masquerading as run-of-the-mill ransomware gone wild. In fact, security researchers have demonstrated that, despite demanding a ransom payment, the payload irreversibly wipes the hard drives of infected systems with no way to decrypt even if a ransom is paid to the specified wallet.
Purpose & Impact
The motivation behind the attack appears to be one of destruction and disruption. Indeed, it has had a devastating impact on enterprise’s operations world-wide as it is designed to rapidly spread throughout corporate networks, irreversibly wiping hard drive in its wake. The initial infection is believed to have targeted Ukrainian businesses and government, managing to wreak havoc in the country’s financial, manufacturing, and transportation industries. Even Chernobyl radiation monitoring systems were impacted, forcing technicians to switch to manual monitoring of radiation levels. ExPetr managed to quickly spread worldwide to thousands of computers in dozens of countries with significant disruption to major enterprises across industries as varied as shipping, pharmaceuticals, and law. Over 50% of the companies being attacked worldwide are in the industrial manufacturing or oil & gas sectors.
How it Spreads
Researchers have identified several distinct mechanisms utilized by the ExPetr malware to penetrate enterprises’ perimeter defenses for an initial infection as well as lateral movement after a successful compromise. The malware’s lifecycle is split into three distinct phases: 1) initial infection, 2) lateral movement, and finally 3) wiping the compromised system. The initial infection is believed to have spread by a malicious payload delivered through a highjacked auto-update mechanism of accounting software used by businesses in Ukraine. Alternatively, ExPetr has been observed to achieve initial infection through phishing and watering hole attacks. Next, once inside, the malware utilizes a different array of techniques to self-propagate and move laterally. Critically, ExPetr attempts to infect all accessible systems with the same Windows SMBv1 vulnerability as last month’s WannaCry attack over TCP ports 445 and 139. The malware is also able to spread laterally by deploying credential stealing packages in search of valid admin and domain credentials. It will leverage any stolen credentials to copy itself through normal Windows file transfer functionality (over TCP ports 445 and 139) and then remotely execute the copied file using the standard administrative tools, PSEXEC or WMIC.
Figure 1: Visualizing all accessible areas of the network from a compromised system.
How Digital Resilience Helps
Because one of the primary ways the ExPetr malware spreads is through the same Windows SMBv1 vulnerability addressed by Microsoft’s MS17-010 patch in March 2017, the same prevention and mitigation techniques described in depth in RedSeal’s WannaCry response are effective. To review:
Assess and limit exposure by using an access query to discover any assets accessible through TCP ports 445 or 139 from untrusted networks like the Internet or a 3rd party.
Identify vulnerable hosts and prioritize remediation efforts based on risk to the enterprise by importing vulnerability scanner findings and sorting based on risk score.
Isolate critical assets and contain high risk or compromised systems by discovering and eliminating unnecessary access to or from sensitive areas of the network.
Continuously monitor compliance with network segmentation policies by analyzing the relevant rules in RedSeal’s Zones & Policy.
Accelerate incident response by reactively or proactively discovering the blast radius from a compromised system, understanding which assets are network-accessible and deploying the relevant mitigating controls.
Figure 2 Results of an access query revealing what access exists from all subnets leading to the critical assets over TCP 139 or 445.
While applying the MS17-010 patch to vulnerable systems per a risk-based prioritization of vulnerable hosts is necessary, it is not sufficient to mitigate or prevent infection. ExPetr moves laterally through normal file-transfer and administrative capabilities using stolen credentials. As such, it is important to also reduce the attack surface of production and other mission critical assets through sensible network segmentation techniques, paying close attention to access over ports 445 and 139. RedSeal users can accomplish this by running an access query to determine what can reach critical systems through the implicated ports. Next, access that is not necessary or out of compliance can be cut off by examining the detailed path to see all network devices touched along the path and determine the optimal placement of a network countermeasure, such as a firewall rule, to eliminate the unnecessary access.
Figure 3 Detailed Path from the DMZ to a critical asset is 6 hops long with several routers and firewalls along the way
Conclusion
Cyber attacks are getting more efficient, more aggressive, and more destructive. Only a digitally resilient organization with full visibility into their network composition and security posture can hope to avoid falling victim, or to mitigate fallout in the event of compromise. Reducing your attack surface is essential to decreasing risk. This can best be done by adhering to standard IT best practices including implementing a robust backup strategy, a vulnerability management program, and a segmented internal network. In this day and age, network segmentation and micro-segmentation are increasingly important as attackers and malware routinely get past perimeter defenses, and often move laterally with impunity due to a lack of internal boundaries. RedSeal helps customers gain visibility into their network as it is built today, providing assurance through continuous monitoring of compliance with network access and segmentation policies. With the increased visibility and understanding, digitally resilient organizations can perform risk-based prioritization of remediation and mitigation activity to efficiently marshal resources and minimize overall enterprise risk.
For more information on how RedSeal can help you become resilient, please contact info@redseal.net.
https://www.redseal.net/wp-content/uploads/2017/06/RedSeal_ExPetr-Blog_1.png495840Emil Kiner, Sr. Product Managerhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngEmil Kiner, Sr. Product Manager2017-06-30 05:12:342018-06-11 10:11:58Digital Resilience Helps Mitigate or Prevent the ExPetr/NotPetya/ GoldenEye Malware
In order to provide you with the best experience possible we might sometimes track information about you. Sometimes this may involve writing a cookie. We use this information for things like experience enrichment, analytics and targeting advertising. We recommend allowing these functions to get the most out of your experience.
We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
Essential Website Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
Other external services
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.
Figure 1: Visualizing all accessible areas of the network from a compromised system.
Figure 2 Results of an access query revealing what access exists from all subnets leading to the critical assets over TCP 139 or 445.