Vulnerabilities Age Like Dynamite

In NSA: The Silence of the Zero Days, published in Data Breach Today, Mathew Schwartz discusses how quickly attackers weaponize newly disclosed flaws and exploits.

I was struck by a quote from David Hogue, the head of the NSA’s Cybersecurity Threat Operations Center (NCTOC). “Within 24 hours of a vulnerability or exploit being released, it’s weaponized and used against us.”

Vulnerabilities don’t go stale; they just get better for malicious actors. Like dynamite, they become more dangerous the longer they sit. Over time, attackers develop new and more damaging ways to leverage known vulnerabilities, and those flaws end up in malware campaigns like WannaCry and NotPetya, both of which spread using EternalBlue, a leaked NSA exploit for an SMB vulnerability that Microsoft had already patched before either outbreak.

He also said, “… the existing state of network defenses wasn’t robust enough to make attackers have to rely on secret exploits that might get burned once used. ‘If you can live off the land, so to speak, you don’t need to dip into your toolkit.’”

The whole article is an excellent read and I recommend it. I have three main takeaways for government cyber leaders.

Worry about known vulnerabilities.

Rather than fret over exotic zero-day threats, focus on basic cyber hygiene. RedSeal can help by modeling your “as-built” network, including cloud environments, and calculating all the ways data—and intruders—can move from one point to any other. Using this knowledge of access, RedSeal ranks identified vulnerabilities by the real risk they pose to the organization, so your team’s effort goes where it matters most.

When zero days are identified, stay ahead of the onslaught.

When an exploit for a newly disclosed vulnerability is made public, every attacker will be scanning for unpatched machines. RedSeal identifies the systems at greatest risk and helps determine the best course of action for each, whether a network change that removes the exposure or a patch for the exposed systems.
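The two takeaways above share one underlying idea: a vulnerability’s priority depends on whether an intruder can actually reach the vulnerable service, and a network change can remove that exposure just as a patch does. The following is an added illustration of that idea, not RedSeal’s code or algorithm. It models a small network as zones joined by access rules, computes which services an intruder starting in an untrusted zone can reach (treating a reachable service with an open finding as a pivot into its zone), ranks findings by severity weighted by exposure, and shows what a proposed rule removal or patch would take off the exposed list. Hosts, rules, port numbers, severity scores and finding IDs are all constructed sample data; the exposure weights are arbitrary assumptions chosen for illustration.

```python
"""Exposure-aware ranking of vulnerability findings over a modelled network.

Added example (not RedSeal's implementation). All hosts, access rules,
findings and weights below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    listening: frozenset  # TCP ports the host actually listens on


@dataclass(frozen=True)
class Finding:
    host: str
    fid: str      # constructed finding ID, not a real CVE
    port: int     # service the flaw lives in
    cvss: float   # base severity, before exposure is considered


# Access rules: (src_zone, dst_zone, allowed_ports). Traffic from any host in
# src_zone may reach hosts in dst_zone on the listed ports. Constructed data.
RULES = [
    ("internet", "dmz", {443}),
    ("dmz", "app", {8080}),
    ("app", "db", {5432}),
    ("corp", "app", {8080, 22}),
    ("corp", "db", {5432, 22}),
]

HOSTS = [
    Host("web1", "dmz", frozenset({443, 22})),
    Host("app1", "app", frozenset({8080, 22})),
    Host("db1", "db", frozenset({5432, 22})),
    Host("hr-fs", "corp", frozenset({445})),
]

FINDINGS = [
    Finding("web1", "F1-web-rce", 443, 9.8),
    Finding("app1", "F2-app-deser", 8080, 8.1),
    Finding("db1", "F3-db-auth", 5432, 7.5),
    Finding("hr-fs", "F4-smb-rce", 445, 9.8),
    Finding("db1", "F5-ssh-dos", 22, 5.3),
]


def reachable_services(hosts, rules, start_zone, findings):
    """Return {(host, port): hops} for every service an intruder who starts in
    start_zone can reach. A zone becomes a pivot point once one of its hosts is
    reachable on a port that carries a finding (a plausible foothold). BFS over
    zones, so 'hops' is the minimum number of pivots needed."""
    by_zone = {}
    for h in hosts:
        by_zone.setdefault(h.zone, []).append(h)
    vuln_ports = {(f.host, f.port) for f in findings}
    reached = {}
    controlled = {start_zone: 0}
    queue = deque([start_zone])
    while queue:
        src = queue.popleft()
        hops = controlled[src]
        for s, dst, ports in rules:
            if s != src:
                continue
            for h in by_zone.get(dst, []):
                for p in ports & h.listening:
                    reached.setdefault((h.name, p), hops + 1)
                    if (h.name, p) in vuln_ports and dst not in controlled:
                        controlled[dst] = hops + 1
                        queue.append(dst)
    return reached


def rank_findings(hosts, rules, findings, attacker_zone="internet"):
    """Rank findings by CVSS weighted by exposure from attacker_zone.
    Weights (assumed): 1.0 directly exposed, 0.6 reachable only via a pivot,
    0.1 not reachable from the attacker zone at all."""
    reach = reachable_services(hosts, rules, attacker_zone, findings)
    ranked = []
    for f in findings:
        hops = reach.get((f.host, f.port))
        if hops is None:
            weight, exposure = 0.1, "unreachable"
        else:
            weight, exposure = (1.0 if hops == 1 else 0.6), f"{hops} hop(s)"
        ranked.append((round(f.cvss * weight, 1), f.fid, f.host, exposure))
    ranked.sort(reverse=True)
    return ranked


def what_if(hosts, rules, findings, drop_rule=None, patched=(), attacker_zone="internet"):
    """Findings that stop being reachable after a proposed change: removing one
    access rule (a network change) and/or patching the named findings."""
    before = reachable_services(hosts, rules, attacker_zone, findings)
    new_rules = [r for r in rules if r != drop_rule]
    new_findings = [f for f in findings if f.fid not in patched]
    after = reachable_services(hosts, new_rules, attacker_zone, new_findings)
    return sorted(f.fid for f in new_findings
                  if (f.host, f.port) in before and (f.host, f.port) not in after)


if __name__ == "__main__":
    for row in rank_findings(HOSTS, RULES, FINDINGS):
        print(row)
    print("drop dmz->app rule:", what_if(HOSTS, RULES, FINDINGS, drop_rule=("dmz", "app", {8080})))
    print("patch F1-web-rce:  ", what_if(HOSTS, RULES, FINDINGS, patched={"F1-web-rce"}))
```

Note how the two 9.8-severity findings separate: the internet-facing web flaw stays at the top while the SMB flaw on the corporate file server, which nothing outside the corporate zone can reach, drops near the bottom. Removing the single dmz-to-app rule and patching the web server foothold both take the app and database findings off the exposed list, which is the network-change-versus-patch decision the text describes.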

Streamline and automate NSA’s Cybersecurity Threat Operations Center (NCTOC) best practices in your environment.

Applying NCTOC’s Top 5 SOC Principles to your organization means using RedSeal to automate processes and free up people for high-impact work. RedSeal’s network modeling and risk scoring platform provides actionable intelligence for rapid investigation by identifying exposed assets and prioritizing actions.

Do you have a problem identifying and managing your network’s vulnerabilities? Set up your free trial of RedSeal and choose the better way.

Podcast: How to get ready for a cyber threat

Onward Nation Podcast | May 2018

With Ray Rothrock, Chief Executive Officer

Business owners share the most influential lessons learned throughout their careers, including insights into their daily habits, their most vital priorities that have contributed to their business and personal success, and the most challenging time or situation that could have devastated or even ruined their businesses or careers.

In this episode, RedSeal CEO and “Digital Resilience: Is Your Company Ready for the Next Cyber Threat?” author Ray Rothrock discusses:

  • Why you can’t predict where the next cyber threat will come from
  • How to get ready for a cyber threat
  • The importance of being prepared to respond to cyber threats with the right people, systems, strategy and processes
  • How RedSeal helps businesses prepare for any potential cyber attack

Building Digital Resilience: Planning For and Recovering From the Next Cyber Attack

KQED WorldAffairs | May 21, 2018

With Ray Rothrock, Chief Executive Officer

Cybercrime and cyberwarfare are both on the rise. From businesses large and small to national governments, the question is not if they will experience a cyberattack, but when, how much damage will be done and how long the recovery process will be. In this week’s episode, we discuss the cybersecurity landscape and how businesses and governments can most effectively work together to mitigate risks.

Joining World Affairs CEO Jane Wales are digital security experts Ray Rothrock, CEO of RedSeal and author of “Digital Resilience,” and Richard Clarke, former U.S. National Coordinator for Security, Infrastructure Protection, and Counterterrorism and most recently, author of “Warnings: Finding Cassandras to Stop Catastrophes.”

Warren Buffett’s Take On Cyber Insurance

Warren Buffett recently made clear how risk-averse his business is when it comes to cyber insurance. Addressing his annual shareholder meeting, he summarized the state of play like this: “I think anybody that tells you now they think they know in some actuarial way either what [the] general experience is like in the future, or what the worst case can be, is kidding themselves”.

These are wise words from a famously far-sighted individual. However, the question is: what are we going to do about this? At RedSeal, we do not think this state of affairs is acceptable. Businesses rely on insurance providers for several critical things. It starts with the basic concept of insurance: you hand your premiums to an insurer so that you get some protection against the financial downside of hard-to-predict, catastrophic events. But the relationship between insurers and those who buy insurance has a symbiotic, mutually beneficial aspect as well (as Warren Buffett knows). The two groups aren’t adversaries (despite the friction that results when it’s time to pay up); they share a long-term interest in reducing the cost and number of catastrophic events.

Think of the way car safety has improved over the last few decades. Some of that improvement was driven by government regulation, but more of it resulted from insurers offering price breaks for features like raised center brake lights, ABS, or alarm systems. Insurers investigate accidents in detail and have learned which car features cause or prevent accidents. When they price that knowledge into their products, they motivate car buyers, who in turn motivate car makers. You might think car makers should just know what makes cars safer, but they don’t really know how people will behave behind the wheel or how much safety people are willing to pay for. The process works over the long haul because of the insurers’ critical role in gathering data, quantifying cost and benefit, and pricing that into policies people can understand.

So how do we make this work for cyber insurance? Today, the market for cyber insurance is growing rapidly. Companies want the product, insurers are selling large numbers of policies, and there is still more demand than insurers can comfortably supply. The main thing holding insurers back is the ability to correlate good or bad security behavior with real incident rates. We’re close: the security industry knows a lot about good security, much as car makers know how to make a car safer, but it isn’t sure about the cost/benefit of any given action. This means we’re spring-loaded. There is market demand and a lot of knowledge about security; the last critical ingredient is the ability for actuaries at insurance companies to compute hard, quantified payoffs (in technical terms, the change in Annualized Loss Expectancy that a given control produces).

This is why RedSeal is working with XL Catlin on innovative ways to measure the cyber practices of companies buying insurance. It’s an exciting time – something we don’t get to say often about the insurance business!

GDPR: Are You Ready?

Security Advisor Middle East | May 2018 

Article on pages 6-8

“The biggest issue that IT and security heads need to focus on is mapping out how their business operates. Under regulations like GDPR, it is not enough to evade breaches (by luck or by skill); rather, GDPR requires you to demonstrate that you take customer privacy seriously in every aspect of your business process. To demonstrate this, you must be able to map out your whole business — people, processes and technology.” — Dr. Mike Lloyd, RedSeal CTO

Is Your Company Ready for the Next Cyber Threat?

Skip Pritchard | May 17, 2018

With Ray Rothrock, Chief Executive Officer

Security incidents are up 66% year-over-year since 2009. Despite this alarming statistic, 80% of CEOs report that they are confident in their company’s cybersecurity. Cybercrime is on the rise. Are you prepared? 

Cybersecurity expert Ray A. Rothrock shares the tactics used by hackers and then arms management with the tools to prevent these hacks in his new book Digital Resilience: Is Your Company Ready for the Next Cyber Threat?

Cyber Crime on Sale

Enterprise Channels MEA | Cyber Sentinels Supplement | May 2018

Article on pages 40-42

The increase in connected devices and the rapid explosion of cloud-based services have given rise to cybercrime, which has become the greatest threat to every organization in the world.

Digital Resilience: Is Your Company Ready for the Next Cyber Threat?

Entrepreneur Effect | May 14, 2018

With Ray Rothrock, Chief Executive Officer

Cybercrime is an epidemic, and every business is at risk. For management, the question is not if you will be compromised, but when. 80% of CEOs are very confident in their company’s cybersecurity strategies, despite the fact that security incidents have surged 66% year-over-year since 2009 (PricewaterhouseCoopers). In fact, few are prepared, explains cybersecurity expert Ray A. Rothrock, who demystifies cyber risk and clearly outlines strategies for both surviving attacks and thriving even while under assault.

New Study: Closing the Gaps in Cybersecurity Resilience at U.S. Government Agencies

“Closing the Gaps in Cybersecurity Resilience at U.S. Government Agencies,” a new survey of civilian, defense and intelligence agencies, suggests that the cybersecurity threat landscape is evolving quicker than they can respond.

Two-thirds of federal IT executives say their agency’s ability to withstand a cyber event, and continue to function, is moderately to highly mature.

However, a number of gaps in cybersecurity resilience remain. 6 in 10 defense or intelligence agency IT executives — and 55% at civilian agencies — say their agencies “don’t have all the tools and resources needed to detect and respond to cyberthreats.”
Cyber Incident Response

While about 2 in 3 federal IT officials claim their agency can detect cybersecurity incidents — and more than half claim they can respond — within 12 hours, officials stress the need for more skilled cybersecurity help to confirm there aren’t deeper, undiscovered threats lurking in networks.

Cybersecurity Resilience

Federal IT executives are very or somewhat confident that their agencies can absorb a cyberattack and continue to function. But more than half of civilian executives, and 6 in 10 at defense/intelligence agencies, say their agencies don’t have all the tools and resources needed to meet their security objectives.

Evolving Threat Landscape

The majority of IT executives believe the threat landscape is evolving quicker than their agencies can respond. More than 6 in 10 agreed if their agency could automate more monitoring and mitigation activities, it would be more secure.

Obstacles and Priorities

Executives are investing most heavily in fiscal 2019 into data and network protection tools and threat intelligence. But more than 3 in 4 agree there’s more that their agency could do to fortify their cyber resilience. They also need help overcoming a talent shortage and conflicting funding priorities.
The Study

The survey included more than 100 federal government IT, cybersecurity and mission, business and program executives. All respondents are involved either in identifying IT and network security requirements, evaluating or deciding on solutions and contractors, allocating budgets, or implementing or maintaining cybersecurity solutions. The study was completed in the first quarter of 2018, released May 1st by CyberScoop and FedScoop, and underwritten by RedSeal.

CyberScoop is the leading media brand in the cybersecurity market with more than 350,000 unique monthly visitors and 240,000 daily newsletter subscribers, reporting on news and events impacting technology and top cybersecurity leaders across the U.S.

Download the report, “Closing the Gaps in Cybersecurity Resilience at U.S. Government Agencies,” for detailed findings and guidance on how prepared agencies are to continue operating during an attack.

XL Catlin and RedSeal Launch Cyber Insurance Industry’s First Dynamic Measure of Resilience to Gauge Risk, Improve Cybersecurity and Insurance Terms

Advisen | May 14, 2018 

XL Catlin and RedSeal announced a new, dynamic approach to cyber insurance that uses an objective measurement of a network’s resilience to help underwriters evaluate their clients’ risks more thoroughly over time, helps clients continue to improve their cybersecurity, and can improve their insurance terms.