Visibility: The key to proper Cloud Security Posture Management

Cloud security has become increasingly complex and distributed. The rapid transition to remote work and increased cloud adoption have changed the IT landscape dramatically, which has produced new vectors for cyber attacks and data breaches. Today’s cyber criminals aren’t necessarily trying to knock down doors. Organizations are actually leaving many of them open themselves. According to Gartner, through 2023, “…at least 99% of cloud security failures will be the customer’s fault.”

This is an unsettling prediction, but not entirely surprising given realities that teams face today. The overwhelming complexity of the cloud systems asks for both expertise in both application development and security, which is perhaps unreasonable. The placement of security controls has moved away from security teams and into application development teams.

CSPM: The industry’s response to cloud complexity

To deal with this complexity and constant change, a new market segment has emerged broadly referred to as Cloud Security Posture Management (CSPM), which is typically used by security organizations that want the equivalent visibility and security that they’ve had with on-premise environments.

Current CSPM technology aims to help security teams understand what resources they have in their cloud environments, what security controls are in place, how it is all really configured–and to automate as much of it as possible. And while it is largely successful in accomplishing these feats, CSPM in its current form isn’t without its limitations. As we’ve learned in the past with our approach to securing on-premise networks, visibility plays a fundamental role.

The importance of visibility

It’s not uncommon for organizations to lose track of their cloud deployments over time, considering it only takes a developer and a department credit card to spin up a cloud environment. Nowadays developers are empowered to innovate at speed and scale but who is actually keeping track of these newly-created multi-cloud VPCs, VNETs, and VCNs? Even more worrisome–who is responsible for securing them?

There are always unknowns when networks grow and change, but we also know that tools that provide visibility can give security teams a more accurate, dynamic and comprehensive look at what resources they have, how they are connected and the risks associated with them.

Unfortunately, many CSPM tools present their findings in static, tabular forms and it can be challenging to get an understanding of the relationships between resources, such as between multiple accounts and whether they’re shared or not. Teams are often being asked to secure unmonitored cloud environments and can benefit from a visual, interactive model of their organization’s cloud resources.

This visibility allows security teams to gain full awareness of their cloud footprint and reduce their overall attack surface by understanding the interconnectivity between their resources. Some CSPM tools can show connectivity where there is traffic, but security teams want to calculate how an instance gets to the Internet, what security points it goes through, and through which port and protocols.

Understanding end-to-end access

Current CSPM solutions remain insufficient when it comes to accurately calculating access that can lead to data breaches. Many tools simply call into the APIs of CSPs looking for misconfigurations at the compute and container levels but they don’t fully understand “end-to-end” access. For example, they may only look at a setting in AWS that states a particular subnet is “public” so therefore it’s exposed. That’s not necessarily true because there may have other security controls in place, such as 3rd party firewalls or their own Kubernetes security policy.

For example, perhaps a network security engineer who doesn’t understand native AWS and Azure firewalls instead decides to use a 3rd party firewall from a vendor they’re already familiar with. If that firewall is blocking access to the public-facing Internet, current CSPM tools won’t recognize it, and security engineers can spend their days chasing false positives simply due to a lack of accurate information involving access.

Prioritizing exposed resources

With increased cloud complexity comes increased risk–there were over 200 reported breaches in the past 2 years due to misconfigured cloud deployments. Several of the largest data breaches occurred when cloud misconfigurations left critical resources exposed to untrusted networks, so prioritization efforts should begin there. Unintended access and Shadow IT can also lead to cloud leaks, and so by establishing an “exposure first” security approach, cloud security teams can identify key vulnerabilities and prevent costly breaches.

CSPM is a key ally in the fight to secure the cloud, but security teams need additional visibility and improved accuracy that is still lacking in many

For more information on RedSeal’s CSPM solution, RedSeal Stratus, check out our website. Or sign up for the Pilot program.

Lock Up Your Jewels: Reducing Exposure and Limiting Risk in a Ransomware-Riddled World

Ransomware is on the rise. That’s an often-repeated statement in the headlines — but what does it really mean for companies?

Data tells the tale. According to Tech Republic, attacks surged 57 percent between October 2020 and March 2021, while Purple Sec’s 2021 Cyber Security Trends Report notes that ransomware attacks have grown 350 percent since 2018. What’s more, the average ransomware payment rose by 82 percent to $570,000, with the largest single ransom demand coming in at $100 million.

Now that attackers have successfully breached some business networks, companies are understandably worried about the risk of data exfiltration leading to downtime or revenue losses. As Security Boulevard points out, companies now spend almost $2 million to recover after an attack and, on average, suffer 21 days of downtime. Even more worrisome? Paying up doesn’t guarantee the return of encrypted data. Attackers may decide to keep or destroy data or return for another round of attacks once they know payment is possible.

What’s the bottom line? Reducing exposure and limiting risk requires more than recognizing that ransomware is on the rise. To combat these attacks and safeguard what matters, companies need solid strategies backed by advanced cybersecurity solutions.

Ransomware Attacks in the Headlines

Although attackers often target smaller businesses to reduce the risk of getting caught, that hasn’t stopped some groups from prioritizing bigger payouts. Case in point: The Colonial Pipeline attack. On May 7th, 2021, staff found a digital ransom note saying that attackers had already exfiltrated data from Colonial’s network. The company immediately suspended both IT and operations, leading to sudden interruptions in fuel delivery along the East Coast. Within a day, Colonial paid the $5 million ransom and began getting their systems re-secured and back online.

Also making the news were attacks using the REvil ransomware-as-a-service (RaaS) suite. According to the Department of Justice, a Ukrainian national was arrested in conjunction with attacks spanning the last three years, including the July 2021 attack of information technology company Kaseya. While Kaseya says it didn’t pay the ransom demanded, it took the company ten days to recover from the attack and bring their software-as-a-service (SaaS) servers back online.

Why is Ransomware on the Rise?

So what’s driving the rise of ransomware? Several factors are converging that make ransomware attacks easier than ever before.

Enhanced RaaS Tools

Taking a cue from legitimate businesses, some capable coders have created ransomware-as-a-service (RaaS) platforms that sell both basic and customized attack tools to interested parties. The result is a win-win for hackers: They take money up-front from buyers while simultaneously reducing their risk since they’re not actually carrying out the attacks. Many RaaS marketplaces now resemble more familiar eCommerce offerings. Attack designers offer promotions, sales, and even customer support to keep clients coming back.

Expanded Attack Surfaces

Ransomware is also on the rise, thanks to expanding attack surfaces. With more potential avenues of attack — via mobile connections, internet of things (IoT) networks, or open-source software deployments — attackers can pick and choose their preferred compromise method. This reality is forcing IT staff to look to secure multiple points of potential compromise.

Evolved Work Environments

With remote and hybrid work here to stay, businesses now face the challenge of securing networks both in the office and at a distance. For many, however, the abrupt initial shift to remote work created insecure frameworks that remain in use but lack proper protection.

What are the Common Attack Vectors?

The constant evolution of technology means that attackers are always exploring new avenues of compromise. For example, the rise in open source software and application programming interfaces (APIs) has changed how businesses design and develop new services while simultaneously expanding the attack surface.

Despite occasional boundary-pushing, however, most attackers prefer to stick with tried-and-true ransomware vectors.

Remote desktop protocol (RDP)

The remote desktop protocol makes it possible for administrators to access servers and desktops anywhere, anytime. But RDP also opens the door to ransomware attacks. If malicious actors steal legitimate account credentials, they can leverage RDP to access networks, install ransomware, and leave without detection.

Phishing

In 2020 alone, bad actors created almost seven million phishing emails and scam pages. Using promises of COVID vaccines or masquerading as instructions from C-suite executives, these emails create a compromise point for ransomware. If attackers can convince users to click on malicious links or provide account information, they can infiltrate networks and deploy ransomware.

Software vulnerabilities

Open-source software tools and APIs make it possible for companies to streamline software development and put them at risk of unknown or zero-day vulnerabilities. If attackers compromise unreported issues, they can gain network access and encrypt data before teams have a chance to respond.

DDoS attacks

Distributed-denial-of-service (DDoS) attacks are now being used in concert with ransomware. In some cases, cybercriminals hit companies with DDoS attacks and demand ransom for restoration of services. In others, DDoS efforts are used as a distraction while ransomware is deployed.

Combatting the Rise of Ransomware Attacks

To combat the rise of ransomware, companies are best served with a multi-step approach designed to reduce both the initial risk and overall impact of ransomware threats.

Step 1: Identify Your Assets

First, pinpoint what you need to protect on your network. Think of the most critical assets as the “crown jewels” of your organization. Where are they located, and how are they currently defended?

Step 2: Prioritize Your Vulnerabilities

Next, conduct a security assessment — either in-house or using a third party — to determine where your risks lie. While on-site IT teams have greater familiarity with your network, using in-house personnel may be a security drawback because they may not recognize potential vulnerabilities. By contrast, third-party evaluators can often attack your network in unexpected ways to discover new or undiscovered weaknesses.

Step 3: Secure Your Workforce

Without a secure workforce, efforts at ransomware reduction won’t be effective. Addressing this issue requires the use of tools such as virtual private networks (VPNs) to protect connections and data. You should also deploy zero-trust security solutions that require two (or more) factor authentication and include robust identity and access management (IAM).

Step 4: Reduce Your Response Time

When attacks occur, you need to react ASAP. This rapid response requires the use of advanced cybersecurity solutions that help unify infosec response with end-to-end visibility that empowers teams to react in real-time.

Keep it Secret, Keep it Safe

Ransomware isn’t going anywhere. Attackers are constantly looking for new ways to compromise systems or leveraging tried-and-true methods to slip past IT security. Add in the risk of RaaS, increasing attack surfaces, and hybrid work, and it’s clear that companies need defensive strategies capable of finding, detecting, and defeating ransomware attacks no matter what form they take and no matter what vector they use.

Ready to ramp up your ransomware defense? Click here and see how Red Seal can help.

State and Local Cybersecurity Threats in 2021: Weathering the Storm

Recent pandemic pressures have created the perfect storm for state and local cybersecurity breaches. With some staff still working from home, state and local agencies face the challenge of deploying defense at a distance over networks, connections, and applications that are often insecure, unencrypted, and in many cases unapproved. What’s more, ransomware has surged — a significant problem since less than 40 percent of state and local staff members have received training on how to prevent cyberattacks.

The result is an increasing volume of local and state government cybersecurity threats, which are occurring across the country. For example, GovTech reported that an issue with third-party software exposed more than 38 million health records across states, including Texas, Indiana, Maryland, and New York. Another case reported by Healthcare IT News detailed a smaller-scale breach in California caused by a single employee that occurred over ten months and exposed both patient and employee data.

With hybrid work here to stay and cyberattacks on the rise, government organizations need to improve cybersecurity practices. They must focus on protecting against breaches that can compromise data, impair operations, and cause significant expenses.

Identifying the Biggest Barriers in Effective Defense

Before agencies can deploy better cybersecurity measures, they must identify critical vulnerabilities and threat vectors. And while every state and local government faces unique data handling and security challenges, three barriers to effective defense are common: visibility, accessibility, and resiliency.

Visibility

Traditionally, state and local governments have been behind the curve when it comes to technology adoption. As noted by research firm Deloitte, however, evolving citizen expectations around access and ease of use “will require uprooting outdated systems and practices and replacing them with new models.” As a result, agencies are now looking to expand their agility to streamline service availability and improve collaboration. To meet these goals, many have integrated and deployed cloud-based software, platforms, and infrastructure.

While these solutions offer improved agility and efficiency, they introduce significant new security risks. IT teams can not keep track of every app and service in use, which reduces visibility while simultaneously expanding the total attack surface.

Accessibility

For most state and local governments, the problem here isn’t too little access for employees that require it — it’s too much for those that don’t. One common example of excessive access occurs when staff complete one project and move to another. In many cases, their existing permissions aren’t revoked. Instead, new access is simply layered on top of the old, which creates a security risk. And with insider threats often more challenging to detect than their external counterparts, it’s now critical for agencies to identify, control, and correct for excessive access.

Resiliency

Most state and local governments have familiar security controls such as firewalls and antivirus scanners in place to catch potential threats. However, many lack the tools and tactics required to remediate issues when they occur, mitigate the amount of damage done and get services back up and running.

The result is IT environments that are primed to respond but struggle with resiliency. To effectively manage evolving threat landscapes, state and local governments need security plans and policies covering all aspects of an attack — from initial compromise to identification, isolation, remediation, and restoration.

Exploring the Issue of State and Local Breaches

So what do these breaches look like in practice? Let’s explore the impact of three recent scenarios.

1) New York State, January 2020

In January 2020, New York state officials found themselves up against a massive cyberattack that disabled access to databases used by the state’s civil service, environmental department, and police force. Likely the work of foreign actors, the hack went unreported for months, even as officials looked to restore critical access.

As noted by Security Today, the state received word about a potential flaw — and available patch — for its Citrix-based systems in December 2019. Unfortunately, the state did not install the patch in time to prevent the issue. As a consequence, more than 80,000 state devices were vulnerable to malware compromise. While it appears attackers didn’t access any citizen data, the state had to cover the costs of a three-week forensic investigation of more than 40 servers.

2) Multiple Municipalities, June 2021

Local government cybersecurity teams often look to save time and money by using the same services as other municipalities. It makes sense: They’ve been proven to work with government systems and generally have a track record for reliability.

However, if service providers become compromised, the results can be far-reaching. As reported by ZDNet, that’s what happened across dozens of municipalities in the US when a Massachusetts software provider used misconfigured Amazon S3 buckets. As a result, more than 1,000 gigabytes (GB) of data and 1.6 million files were exposed. Compromised data included email addresses, physical addresses, and driver’s license information, along with deed and tax records.

3) Oldsmar, Florida, February 2021

A cyberattack on Oldsmar, Florida in 2021 didn’t compromise data access or expose files. Instead, it nearly poisoned the town’s 15,000 residents. On February 5th, a plant operator at the local water treatment facility received an alert that someone had gained remote system access. The attacker opened multiple applications and services and then increased the concentration of sodium hydroxide — also called lye — to 100 times its normal level. Fortunately, operators were able to retake control and cancel the change quickly and prevent disastrous consequences.

Grant Funding for State and Local Governments

The good news is some new help is on the horizon for local and state government cybersecurity, thanks to the $1.2 trillion infrastructure package. The plan includes $1 billion in cybersecurity grants to help local and state governments boost their defense. If approved, the new program would offer $200 million worth of grants in 2022, $400 million in 2023, $300 million in 2024, and $100 million in 2025. In addition, the plan funds creation of a response and recovery fund at the Cyber and Infrastructure Security Agency (CISA), which would give an additional boost to cybersecurity efforts.

Mitigating the Impact of Cybersecurity Threats

Mitigating the impact of local and state cybersecurity threats depends on a strategy of defense in depth. In practice, this requires a three-step approach: Identification, evaluation, and implementation.

Identification focuses on finding potential threats in current cyber defenses — such as those tied to open source software, authorized apps, excessive access, and unintended exposure to the Internet. Evaluation includes internal and external assessment of existing security policies to see what’s working, what isn’t, and what vulnerabilities state and local governments need to prioritize. Finally, implementation looks to deploy security solutions that directly address key concerns, such as comprehensive cloud security services that provide visibility into public, private, and hybrid stacks simultaneously to empower threat detection and response.

Battening Down the Hatches

State and local governments now face a trifecta of security challenges: remote work, ransomware, and worker education. The combination creates ideal circumstances for malicious actors. By taking advantage of ideal compromise conditions, attackers can breach government networks, access critical services, and exfiltrate citizens’ data.

The result is a growing need to batten down the digital hatches by creating and implementing an in-depth strategy to help build robust, reliable, and resilient security infrastructure. To prevent risks and a host of unwanted outcomes, state and local governments need to prioritize cybersecurity.

Ready to boost cyber resiliency and better weather the storm? Click here to see a demo of RedSeal’s cloud security solution in action.

Join us!

Hear from Shannon Lawson, CISO, City of Phoenix, how the state and local agency leaned toward hardening their environment from attacks, recognized exposures, secured infrastructures, mitigated risks, and stayed compliant. The live webinar is January 18, 2022. Register now and don’t miss out!

Why Cloud Security Posture Management Is Essential to Your Overall Security Plan

I think we’d all agree the last year and a half has brought disruption, and cloud security wasn’t exempt. The Covid-19 crisis has dramatically expanded attack surfaces as companies transitioned to remote work and embraced the cloud. But let’s be clear: the cloud is not a magic bullet. Yes, the cloud is relatively new and exciting, and it does prevent some of the old security mistakes. And yes, the cloud does close off some previously vulnerable spaces. But at the same time, it opens up new ways to do things wrong.

This is where a strategy called cloud security posture management (CSPM) comes in. The goal of CSPM is to find and reduce attack surfaces, and then eliminate misconfigurations through continuous monitoring of cloud infrastructure. This is important, because more than 99% of cloud breaches have their root cause in customer misconfigurations and mistakes, according to Gartner.

House on fire

I like to use the analogy of a brick house. Even if a house is made of perfect bricks, is it immune to falling down? No. Naturally, when you build a house, you want to make sure the bricks you’re using are solid. But even then, the house can still fall if built incorrectly. Cloud innovators push an approach called “shift left” (meaning detecting problems sooner in the build process), but this is no replacement for checking the final result. After all, no matter how carefully you check a building’s blueprints, the final structure will inevitably be different.

CSPM automates the process of ensuring the individual bricks are OK, but more importantly, makes sure the house as a whole is constructed properly, so it won’t collapse when the big bad wolf (or a squad of hackers) comes along and tries to blow it down.

But what makes CSPM so compelling from a security standpoint is that it’s proactive, not reactive like endpoint management or extended detection and response (XDR). These are analogous to fire alarms for your building. Alarms are necessary for sure, but you have to actually prevent some fires, not just wait and react. So, while firefighting is critical, part of your budget should be for tools that prevent fires in the first place and plan ahead for resilience of your infrastructure when a fire does break out.

CSPM is all about being proactive and putting the right processes in place so that fewer fires start, and spread less when they do happen. Sure, mistakes and misconfigurations will still happen. CSPM recognizes this reality, but proactively hunts for the ingredients that drive security fires rather than just accepting that they can’t be stopped.

The fantasy of DevSecOps

Your developers are not security gurus. The framework called DevSecOps advocates adding security practitioners into the software development and DevOps teams. DevSecOps strives to find a happy balance between development teams that want to release software quickly and security teams that prioritize protection. But, to me, this is too optimistic a notion – it glosses over the fundamental differences that must exist between security thinkers and app developers. Developers think “how can I make this work?”, but security is about thinking backwards – “how can this be abused?”

Security is also fundamentally a big-picture problem, where all interactions have to be considered. Getting back to the building analogy, CSPM lets you compare the final structure to the blueprints used to construct it. It allows you to examine the building to see whether there are any flaws or points of structural weakness that the bad guys can exploit to get in. Humans aren’t good at continuous detail checking, but it’s a great job for automated software.

Context is king

Context is everything. The blueprints don’t tell you whether you’re building on sand or building on bedrock. CSPM provides that critical context not just for one section of your structure but for the entire building and its surroundings.

CSPM also automatically determines whether all the cloud applications and services across your entire organization are configured correctly and securely. It’s simply not possible to hire enough security professionals to do that on their own. It’s not that people you have aren’t good; it’s that you’ll never have enough people who are experts in all the rapidly changing cloud languages and configurations.

Bad guys are actively hunting for new openings in your cloud. CSPM is quickly becoming one of the best ways to close the gaps in your security posture and shut the door on those who intend to do you harm.

Check out RedSeal Stratus – our new CSPM tool that offers the worlds most accurate, reliable, and actionable approach to calculating access and exposure. You can join the pilot program now!

Cloud Security Posture Management (CSPM) Done Right

Cloud security is maturing – it has to. We’ve had too many face-palm worthy incidents of organizations hearing “hey, I found your data in a world readable S3 bucket”, or finding a supposedly “test” server exposed that had production data in it. Happily, we are emerging out of the Wild West phase, and some order and maturity is emerging, and along with it, new lingo.

Gartner divides the emerging ideas into three main disciplines – CASB, CWPP, and CSPM. Think of these as if you’re securing a (pre-pandemic!) office building. CASB is your ID badge reader, and CWPP is your video surveillance. Cloud Security Posture Management (CSPM) is everything else you do to secure your building, like having a security guard walk around to look for gaping holes in the wall, or the sounds of someone drilling through a safe.

CSPM is arguably the hardest area to understand, since it’s so broad, but that same breadth is what makes it the most important to get right. In comparison, having no badge readers at all would be bad, but you don’t have to go overboard – you just need a reasonable check that you’re not letting everyone in. Posture management is different – CSPM isn’t a point solution, it’s the approach of always asking “what else have we forgotten?”

CSPM in more detail

If you ask for a crisp definition of CSPM, it’s hard to find one – after all, Posture Management can refer to the mindset of “how could we be attacked, what are the consequences if it happens, and what can we do it mitigate it?” I find it easiest to split this into three main questions – what have you got, what are you doing to protect it, and what’s the level of risk? All of these are familiar to experienced security professionals – we’ve been asking these same questions about IT networks forever. So why is it different in Cloud?

For legacy on-premises networks, the hardest question was “what have you got?” – rapid growth and technology change made keeping an accurate inventory challenging. Cloud disrupts this in some interesting ways. Each cloud account has a controller for the software defined network, which solves one problem, but then goes and creates another. It’s impossible for any network to exist in a software defined cloud that the controller did not create for you. This means you can always tell exactly how big any one cloud network is. Problem solved, right? Not so fast – anyone who’s tried to inventory cloud footprint realizes that this same controller is changing things so quickly you can’t keep up. It’s also so easy to add new cloud networks that people do it and then forget to tell security, so the inventory problem just moves up a level – not “find the missing router”, but “find the missing cloud account”.

In CSPM, most of the key innovations are focused on the second question – “what are your protections, and are they working?” Cloud disrupted this too, bringing innovations that are incompatible with a lot of the traditional security stack. It’s not that question 3 – risk assessment – is unimportant. It’s just that it isn’t so deeply impacted by the differences between cloud, hybrid, and on-prem. Risk assessment is strategy, not tactics.

So why has cloud disrupted the question of whether you have working protections in place? Well, going back to the start of the article, that unintended exposure of a cloud storage bucket represents a mistake we simply couldn’t make until there was a cloud. Sure, every cloud comes with many strong security controls. But that’s the problem – there are so many enforcement controls that are all new, all different, and are like nothing we did for the past 40 years in on-premises data centers. Novelty is great for innovation, but terrible for security. Coordinating all the new controls and ensuring they are used correctly is the core job for CSPM. Basic checklists aren’t enough – just as we’ve found with all previous network technologies, a network built out of individual compliant elements can still fail as a system, like a house built out of perfectly formed bricks which can still fall down if assembled incorrectly.

This is why the core discipline in CSPM is visibility, so you can achieve end to end understanding of what is exposed and what is not. Figuring out access – what can reach what, and especially, what is exposed to the Internet – sounds so basic, but has become explosively complicated. It’s impossible to hire enough certified security professionals with deep enough understanding of all the cloud dialects used across an organization. So the only solution is to focus on CSPM – building up a map of your cloud assets, then looking across all the layers to ask “what is exposed?”

For more information on RedSeal’s CSPM solution, RedSeal Stratus, check out our website. Or sign up for our Pilot Program and test drive RedSeal Stratus yourself!

Where is the new “Security Stack” hiding?

Security challenges resulting from migrating the security stack to the cloud

The days of the traditional security stack are numbered, brought on by the maturity of shared resource computing and the rapid migration to the public cloud due to the COVID-19 pandemic. This blog will explore a brief history of fortification, its impact on the early internet security architectures, and today’s challenges. I’ll conclude with a few suggestions that every security professional should consider.

From the beginning, cave dwellings were used to protect that of value. Humans have long considered, planned, and implemented various fortification methods. A city wall built around valuable, trusted assets is commonplace from our very early history. Fortification walls were used to protect individuals, tribes, and countries and could be made more secure by adding additional layers. The extra layers of defense increased the protection by the means known as “defense in depth” whereby a compromise in one other layer would sufficiently hinder further advancement or retreat by the attacker.

Fast forward to the late 20th century, many Request for Comments (RFC) drafted, outlined the internet foundation by focusing on moving datagrams from point A to point B. The primary concern was redundancy, resiliency, and reliable delivery of information. However, in the last few years of the 20th century, three essential security concepts were explored: confidentiality, integrity, and availability, known as the “CIA Triad.” Think of CIA as security that attempts to ensure information from the sender can:

  1. only be read by the receiver
  2. while in transit, the data has not been changed or tampered with
  3. the information reaches the intended audience

The 21st century brought a flurry of security and technologies based on ancient, fortified city walls. These defense in depth architectures often made the incorrect assumption that data inherited implicit trust based on location. For instance, data inside a corporate network was not scrutinized equally to data outside the corporate network. These initial security tools – the “Security Stack” – were often placed at the ingress/egress points of the network to inspect, analyze, prioritize, route, and scan for nefarious activities or threats from outside the network perimeter.

The problem with relying on perimeter-based security alone is people. People have always been migratory, traveling beyond the city walls. Speaking for myself, I have worked remotely, assisting companies with network security for 20+ years. As a “road warrior”, my network connections are from hotels, public hotspots, and client networks that have traversed untrusted networks. To prevent unauthorized access, my company had had to apply additional security controls to allow me to be connected successfully behind the “security stack.”

Between 2006 and 2010, the concept of shared computing resources took hold, and the promise of more computing power for less cost fueled a steady adoption rate over the next decade. Cloud service providers (CSPs) like Amazon, Microsoft, Google, Oracle, and others saw a steady, predictable increase in the use of shared resources located within a CSPs network, A.K.A “Public Cloud Network.” However, with the advent of cloud computing, the lines between trusted and untrusted networks were further obscured, and the need for visibility into and across disparate networks became more evident.

2020 brought with it a pandemic that forced hundreds of millions of employees to connect from untrusted sources and work remotely, in many cases bypassing the traditional security stacks intended to provide defense in depth. Corporations faced an unforeseen lack of visibility and conventional tools failed.  This rapid migration of corporate workloads (applications) to cloud computing combined with a disintegration of the traditional security stack has resulted in an environment of ever-increasing attacks and ransomware.

Post pandemic, the traditional security stack has dispersed. Some components still reside in on-premises networks, some in the public/private clouds, some at the network perimeter edge, and some on the endpoint device. The critical lesson is that the “edge” is no longer the boundary of location. The new “edge” is now the boundary of information. Data is the new edge.

To achieve security in modern networks, visibility is now more critical than ever. Complex architectures based on, IaaS, PaaS, SaaS, and On-Premises resources combined with new wide-area transport systems like SD-WAN, and a myriad of security filters in the form of cloud regions, accounts, VPC/VNETs, Network ACLs, Security Groups, and tools like SASE (Secure Access Service Edge), and Transit Gateways are indeed the new modern “Security Stack.” To secure this modern-day infrastructure, the corporation needs unparalleled visibility, awareness of where vulnerabilities exist, and connectivity across all network clouds and on-premise.

Finally, here is a message for the CISO or security professional searching for solutions. Ask yourself the following questions and seek answers for any you are unsure of.

  1. How well do your security teams understand cloud inventory?
  2. How do you check to see if resources are unintentionally exposed to the internet?
  3. How do you validate cloud segmentation policies and remediate them?
  4. How do you prioritize vulnerabilities in a public cloud environment?

For tips on how to “Safeguard Your Cloud Journey with a Comprehensive Security Solution” download our data sheet.

The Impact of the ONC Cures Act on API Security

In March 2020, the US Department of Health and Human Services issued the 21st Century Office of the National Coordinator (ONC) Final Rule, also known as the ONC Cures Act Final Rule. This Final Rule supports secured, limitless access, exchange, and use of Electronic Health Information (EHI).

ONC Cures Act Final Rule, apart from providing patients and their healthcare providers secure yet seamless access to health information, aims to increase innovation and trigger competition. With more competition comes innovation, as new entrants offer much wider healthcare choices and solutions for patients.

Summary of the ONC Cures Act Regulations

Due to the COVID-19 pandemic, the US Department of Health and Human Services provided an extension for compliance to the ONC Cures Act Final Rule. This extension ended on April 5, 2021.

According to the National Law Review, organizations subject to the Cures Act should have the following in place:

  • An efficient configuration of digital patient portals to provide electronic health information (EHI) to patients without needless delay
  • An up-to-date release of information policies
  • A thorough assessment of contracts and arrangements involving EHI with any third parties should be conducted to achieve compliance with information blocking prohibitions
  • Preparation of real-world testing plans, EHI data export, Application Programming Interfaces (APIs) with latest HL7 Fast Healthcare Interoperability Resources (FHIR) capabilities, and various other capabilities targeted for 2021 and 2022

ONC Cures Act Final Rule calls on the healthcare industry to adopt standardized APIs that allow individuals or patients to access and better use of EHI using smartphone applications securely and quickly.

Identity and Security Requirements of the Regulations

ONC Cures Act Final Rule, as explained in the Federal Register, lays out conditions for the compliance certification of healthcare providers. Those conditions include support for standards and published APIs that allow health information “to be accessed, exchanged, and used without special effort” and “access to all data elements of a patient’s electronic health record to the extent permissible under applicable privacy laws.” The aim of the Final Rule is nationwide transparent data portability with standardized yet agile data exchange processes.

Along with that, ONC Cures Act Final Rule can avoid many security risks associated with healthcare APIs, such as inadequate SSL certification validation, the vulnerability of Simple Object Access Protocol (SOAP), and accountability issues, to name a few.

The following are the specific identity and healthcare security requirements of the ONC Cures Act Final Rule:

ONC Cures Act Final Rule that allows agility of EHI also puts limits on information blocking and anti-competitive practices of the healthcare providers. The Code of Federal Regulations, with a few exceptions, allows patients to decide upon the healthcare applications that can access their EHI.

Vulnerabilities of the APIs

ONC Cures Act Final Rule ushers in an era of the widespread adoption of standardized APIs by the healthcare industry all over the globe. On the one hand, it helps individuals or patients securely access and easily makes use of EHI using smartphone applications. On the other hand, since APIs deal with sensitive data that can be easily accessible over the internet, they are vulnerable to sophisticated cyberattacks. Without question, healthcare organizations need enhanced digital healthcare security and vigilant monitoring to protect sensitive and private patient information.

More than anything else, implementing and maintaining enhanced API security is an exhaustive process. It also incurs extra expenditure on updating features or fixing bugs. This scenario demands a significant part of the API development lifecycle to maintain security.

Another concern is the consistent testing of API security. This complicated process requires hiring the right talent to identify and expose API security issues before the launch of the application.

Leveraging Cloud Solutions

According to IBM, The widespread global cloud migration can amplify the cost of cybercrime damage by nearly $300,000. As more enterprises migrate to the cloud, sensitive corporate data becomes vulnerable to cyberattacks, technical glitches, and data storage issues.

However, the increased technical difficulties, expenses, and larger talent pools associated with the integration, management, and dissemination of EHI can be overcome by cloud solutions. Today, many healthcare providers have embraced the power of healthcare cloud computing to meet the ONC Cures Act Final Rule requirements and to future-proof their Information Technology (IT) environment.

Cloud solutions eliminate the additional time and cost associated with traditional storage systems. An integrated data ecosystem that can feed multiple data centers can be easily deployed within a short period with lesser complications using cloud solutions.

Additionally, cloud solutions can empower healthcare providers to scale up and scale down their data processing resources as demands fluctuate. As an added benefit, the pay-per-use business model implemented by most cloud solutions providers worldwide makes the expensive resource procurement associated with traditional storage systems a thing of the past.

Another advantage of cloud computing infrastructure is that it provides access to data through open-source tools. That means no more data locked in silos and unwanted license expirations common with other proprietary storage solutions.

Cloud Is the Future of Healthcare

The future is healthcare cloud computing. ONC Cures Act Final Rule is the call from the future. EHI should flow smoothly and safely. Healthcare IT should provide more portable, interoperable, and patient-centric healthcare solutions. And cloud solutions are the only way forward.

RedSeal, a hybrid cloud security solution provider, helps you identify all your resources and how they are connected in your complex network environment. It allows easier validation of your security policies and prioritizes the security issues that can breach your most valuable network assets. RedSeal constantly monitors your network to find out glitches in your networking setup and ensure whether it meets the compliance standards and organizational policy.

RedSeal Cloud is a Software as a Service (SaaS)-based Cloud Security Posture Management solution that provides your cloud solutions security team with increased visibility and understanding of the provider’s infrastructure. RedSeal Cloud can help you manage the increased digital healthcare security risks with an up-to-date visualization of cloud solutions infrastructure and detailed identification of digital resources exposed to the internet. Your security team will also be bestowed with updated knowledge of Kubernetes accounts and policies.

Register for a demo to see RedSeal Cloud in action.

Understanding What’s In My Cloud

Today’s business applications run in an environment that would be unrecognizable to IT professionals 10 years ago. The rise of virtualization and the cloud has finally cut the ties to specific hardware, and all but the most exotic workloads can now be run anywhere — on virtual machines in your physical buildings, or on a cloud vendor of your choice. The underlying cloud technologies are powerful, but with that power comes great responsibility. Security teams struggle to keep up, because the new technologies focus on agility, rapid rate of change, and dynamic response — all of these are positive buzzwords to most people in a business, but all of them are bad news to security. Ask any military commander — defense is far easier when your resources are home in a well-built fort, and far harder when your troops are constantly moving, shifting location into unfamiliar terrain.

It’s not all doom and gloom, however. Cloud innovation takes away certain legacy risks — after all, you can’t leave an open password on a key router in the middle of your network infrastructure if you don’t control the routers any more! The trouble is that the change to new ways of building and managing modern apps (often referred to as DevOps) closes out some old challenges, but opens just as many new ones. Cloud gives you new kinds of rope, and it’s different from the old rope, but you can still get just as tangled up in the complexities.

Some security fundamentals remain, though. No matter what kind of infrastructure you own or rent, you still need to pursue the basics:

1.    Find all your stuff

2.    Categorize it so you know what’s most important

3.    Harden the individual elements to avoid easy compromise

4.    Map out and run your defenses as a system, so you can be a hard target

The most basic discipline of all is inventory — cyber security experts and industry guidance all agree that you must start there. Inventory in cloud is not like inventory in conventional networks, though, so the same old principle has to be thought about differently in a cloud world.

The good news with the cloud is that each virtual network has a “God of the Cloud” — a central controller, run by the cloud provider that you can talk to via a proprietary API. I call it a “God”, because no endpoints can exist in that small virtual network that the controller did not create. This means you can always find a completely reliable resource for each virtual network — someone who knows the inventory. Problem solved, right? Well, not so fast — it’s certainly very different from legacy on-premises networks, but that’s hardly all there is to it. There are three major problems when talking to each cloud controller — finding the controllers, speaking their language, and keeping up with the changes.

The good news is a cloud account comes with an API you can talk to and get a complete inventory of the assets it knows about. The bad news is your company has many, many accounts. And even once you locate them all, they will speak a proprietary and changing language — the Amazon language for the AWS API is different from Microsoft’s for Azure, or Google’s, or Oracle’s. You need a network linguist to make sense of it all, and pull together a single view of your clouds — in all flavors. And since security is central by its nature (because it needs to look at the complete picture), that means security has the unenviable task of needing to speak all the languages — fluently — at once. This is hard, but it’s a great job for automated software.

Equally, the rate of change in the cloud is something automated software can tackle far more effectively than humans can. Cloud assets have ugly names — often just a long stream of gibberish assigned by a robot, to make it easy for other robots. You’ll need your own robot interpreter to even identify one asset, let alone track it as it moves and changes. The nature of the cloud is highly dynamic — instances are spun up and killed on demand, and they move far faster than, say, a classic vulnerability scanner can keep up with. If you want to see your final as-built infrastructure (and you need to, since this is what your adversary is looking at too), you need software to keep up with all the changes, track the assets, and untangle the myriad ways that cloud assets are marked. There are tags, there are labels, there are unique ID’s, and there are security groups. Every vendor has subtly different rules, and just to add to the confusion cloud vendors don’t even agree on what a cloud network should be called, but they all offer the same idea.

At the end of the day, security is about adapting and keeping up, as the pace of change keeps speeding up. Cloud is just the latest evolution, where names change, details shift, but the core principles remain — first and strongest of all is inventory. This is why we at RedSeal build software to automate all the communication and mapping, so that you can visually scan your cloud footprint, understand your security posture, and make optimal moves to increase your security and reduce your risk.

For more information, check out our overview of RedSeal Stratus Maps and Inventory capabilities to learn more about how you can Map Your AWS Infrastructure Including Connectivity Paths.

RedSeal and Cloud Security Posture Management

According to Gartner’s Innovation Insight for Cloud Security Posture Management, this year (2021), “50% of enterprises will unknowingly and mistakenly have exposed some applications, network segments, storage, or APIs directly to the public internet”. And by 2023, “…at least 99% of cloud security failures will be the customer’s fault.”

What do these statistics say about the changing face of cybersecurity? Twenty years ago, the most common source of security failures was naïve user behavior, typically clicking on a malicious email attachment or link. In on-premise environments, this is still a common vector of infection, but in the cloud the problem is not naïve users, it is overwhelmed administrators. 99% of cloud security failures will be the customer’s fault, because cloud platforms and applications will simply be misconfigured. Let that sink in. Simple misconfigurations were never the primary source of security failures in the past.

Administrators aren’t stupid; they misconfigure systems because they are overwhelmed. Of course, there is a chronic shortage of security talent, but that has been true for decades. What has changed, with the advent of cloud computing, is the overwhelming complexity of the systems. Cloud security controls and best practices are very different from those used in on-premise environments. Those available in AWS are similar, but different from those in Azure, or Google Cloud. Kubernetes has a unique security model of its own, and all these environments are changing constantly.

To deal with this complexity and constant change, a new family of technology has emerged broadly referred to as Cloud Security Posture Management (CSPM). The goal of these technologies is to help admins understand what resources they have in their cloud environments, what security controls are in place, how it is all really configured, and whether it meets various compliance standards.

For more than a decade, RedSeal has been in the business of helping customers understand their on-premise networks i.e. what devices are on the network, how they are connected, and the security implications of their configuration. We do this by creating a detailed model of their network that can be compared against best practices, compliance standards, and the customer’s intended network design (customers are almost always surprised with how different their network is from what they originally intended). Put simply, customers use us to find and correct network misconfigurations.

With data centers and networks moving to the cloud, our customers are increasingly asking us to help them find and correct cloud misconfigurations as well. They need an accurate model of their cloud environments to understand questions like how many cloud accounts they really have, what resources are in each, what security controls are in place, what is the aggregate effect of all those security controls on resource access, and are any resources inadvertently exposed to the internet. They often have a basic design for their cloud but are unsure if their implementation is consistent with their intentions. The truth is, it never is, and they need a product that can provide them with a reality check.

At RedSeal, our mission is to provide organizations with technology that allows them to understand their network, hybrid, and cloud security posture. Because cloud technology is so complex, and changing so quickly, organizations need powerful technology to understand their implementation. They need to model their environment, so they can easily spot flaws. Our tag line is “See and Secure” because you can’t secure what you don’t understand.

For more information on RedSeal Stratus, our new CSPM solution, click here.

For more information of ways that RedSeal can help avoid unintended internet exposure, check out our Solution Brief.

If you’re concerned about your EKS Security, click here.

CISA and FBI Publishes List of Top Vulnerabilities Currently Targeted by Foreign Sponsored Hacking Groups

RedSeal Cyber Threat Series

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly released a report on the top 10 vulnerabilities consistently being scanned, targeted, and exploited by foreign sponsored hacking groups.

All 10 of the vulnerabilities are known and have patches available from their vendors.

Exploits for many vulnerabilities are available publicly and have been used by various malware and ransomware groups and other nation-state actors.

RedSeal customers should:

  1. Create and run daily reports until all systems with the 10 vulnerabilities are patched
  2. Contact your RedSeal sales representatives or email info@redseal.net for additional details

References:

https://us-cert.cisa.gov/ncas/alerts/aa20-133a