How to Identify Your Boundary Defense Needs

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) twelfth control for implementing a cybersecurity program is for your organization to control the flow of information transferring between networks of different trust levels. The first sub-control states that an organization should maintain an inventory of all network boundaries. So, the first question you need to ask is: where are your network boundaries?

Back in the days before the Internet was prevalent and mainframes dominated the IT landscape, these boundaries were very well defined. All the company’s information was warehoused in a mainframe centrally controlled by a small group of people. Getting access to the data was a very rigorous process and external links were not common. When external links were established, they were very tightly defined to exchange the minimum amount of information required to conduct business.

With the introduction of Local Area Networks, data started to be distributed within the organization. The IT department frequently was not involved in the deployment of these networks since they were seen as local resources and didn’t include external links. As these data resources grew, departments wanted to share information outside the boundaries of their local network. The Internet facilitated this connectivity, and IT departments needed to get involved to provide a control point for these data flows.

Now jump to the present where organizations have multiple internal data sources deployed in a distributed fashion, and the business owners of the data want to share this information with others to make their operations more efficient. The IT department now needs to understand the network boundaries and the security group needs to control and manage the boundary defense requirements.

To inventory these boundaries, the first step is to understand how your network infrastructure is connected. Assuming you’ve done a good job implementing CIS Control #1 (Inventory and Control of Hardware Assets), you have an initial base to identify all connections to external organizations and the Internet. A secondary pass through this information should focus on identifying internal connectivity. Understand where your organization allows data to flow and identify untrusted links within the organization, like guest wireless access.

The second phase of creating your boundary inventory is to leverage the data gathered in implementing CIS Control #2 (Inventory and Control of Software Assets). By understanding the systems running on your servers, you can start to understand where the users of the data are connecting to the enterprise. Then, map these flows to the hardware inventory to get an understanding of all network boundaries and determine where your organization should focus to implement appropriate security controls.

With automated tools and platforms in place from the first two controls, putting together the initial inventory of network boundaries should be a relatively easy process. Then your security group can start to improve overall boundary defenses as identified in the other sub-controls within the twelfth CIS control (Boundary Defense).

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for understanding the networking environment and helping to identify the network boundaries that have already been deployed. This, in turn, will allow your organization to improve these boundary defenses in a cost efficient manner.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your cybersecurity program using the CIS Controls.

CIS Benchmarks Bring Network and Security Teams Together

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) eleventh control for implementing a cybersecurity program is for your organization to actively track, report on, and correct the security configurations for network devices. This involves the use of a configuration management system and robust change control processes. What has been missing is a common set of network device security configurations standards that can be utilized by network and security teams.

As a networking professional for over 30 years, I understand the need to consistently and securely configure network devices. I built “golden templates” to make sure that any time I added a new device, it is configured the same as the last one. I utilized my own knowledge base and vendor recommendations for how to configure these network devices. Sound familiar?

But, network manufacturers frequently provide software updates to add new features, correct bugs, and address identified security holes in their networking devices. How often do we go back to update golden templates and check existing network devices when we install a new software version or use a new feature? In my experience, rarely. Network operations teams are too busy addressing access requirements and network-related support tickets. Checking existing configurations for correctness becomes a summer intern’s job.

Then, the security group starts the important work of establishing policies for how to secure information within your enterprise. Because network devices are part of the security infrastructure, the security analyst starts asking questions of the network operations teams and the divide between groups becomes apparent. The networking teams are addressing access requirements and tickets. They just don’t have the manpower to address the security analyst’s concerns.

To help bridge this internal divide, organizations are turning to security frameworks to allow teams to understand both sides of the equation. A very useful framework comes from CIS. CIS provides CIS Benchmarks, a set of configuration guidelines for the most common networking devices and platforms. These benchmarks have been developed by both security and networking professionals as minimum configuration security standards. Network teams can establish projects to update golden templates and then address security configuration issues on individual devices. By using the CIS Benchmarks, security teams have a set of standards to run an audit of network device configurations — and assess the overall risk to the enterprise when device configurations don’t match the standards.

Federal government agencies have done this for many years using DISA STIGs (Security Technical Information Guides). CIS Benchmarks are similar to these standards, but the Department of Defense has security requirements that are different from many commercial organizations.

As a single project, reconfiguring many networking devices is a challenge. You’ll need to make these security standards part of the existing golden templates and then integrate them with the on-going change management processes. It will take some time to fully migrate to these standards. Consider smaller projects that address a portion of the CIS Benchmarks so you can demonstrate tangible improvements more quickly.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for understanding the networking environment and helping to identify network devices that do not meet minimum recommended network device configuration standards. Whether you utilize CIS Benchmarks, STIGs, or some other established standard, make sure that these controls receive some attention in your overall cybersecurity strategy.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your cybersecurity program using the CIS Controls.

Is Process Killing Digital Resilience and Endangering Our Country?

After reading a Facebook comment on “Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts,” I’m compelled to respond.

I work a lot with the Navy (and the DOD as a whole) as a vendor. I spent 26 years in the intelligence community as a contractor running datacenter operations, transitioning to cybersecurity in the late 1990s.

From my past insider experience to my now outside-in view, “process” is one of the biggest hurdles to effectively defending a network. Process frustrates the talented cyber warriors and process is what managers hide behind when a breach that happened six months or more ago is finally detected.

Process = regulations.

Processes are generally put into place in response to past incidents. Simple knee jerk reactions. But things change. We need to review and change our processes and regulations, and, in some cases completely tear them apart to allow our talented cyber warriors to defend our networks. New regulations would allow them to get into the fight. They may even remain in their jobs longer, rather than leaving for industry — taking expensive training and irreplaceable knowledge with them.

One of my coworkers was on a Cyber Protection Team (CPT) for a major military command. He left to work in a commercial SOC. At one point, his team pitched their services to the top echelon of a service branch. As they introduced my coworker, he was asked why he left military service. My coworker, being an Army Ranger, and then an enlisted sailor, is pretty direct. He said, “Because you’re not in the fight. You’re more worried about the policy and process, while I’m here every day fighting the Russians, Chinese and Iranians.” One officer turns to the others and said, “This is exactly what I mean.”

Too much process and regulation restrict the agility needed for prompt incident response. To resolve incidents quickly (and minimize damage), cyber warriors require trust from their leadership. Trust in their abilities to make quick decisions, be creative, and quickly deploy lessons learned.

The very cyber warriors whose decisions they question are the same ones they blame when things go wrong.

As always, Target is a prime example. It was a low-level cyber warrior who found the “oddity” when doing a packet capture review. He notified Target leadership. But they didn’t act. They ignored him until their credit cards were on the dark web. Then, they went back to the young cyber warrior and fired him. He asked why. After all, he identified the problem first. The response from his leadership was: “Well, you didn’t make your point strong enough for us to take action on.”

The military has the same mentality. But, since many of them have even less knowledge of real-world hacks then private sector management, they take even more time to make decisions. Another friend told me about a time when he was on active duty and found evidence that someone had exploited the network. When he reported it, his leadership kicked it back because there was “not enough evidence.”  He then broke down the exploit and was able to provide the address and phone number of the adversary in Russia. Finally, they acted, but his CO did not want to report it to higher HQ because he was afraid of the fallout.

My friend reminded his CO that they were part of a carrier strike group, and all their data was incorporated into the fleet. Once again, he was ordered to fix it and not report it. He really believed that the only way to protect the group would be to send an anonymous email. This cyber warrior had to choose between disobeying orders and protecting our country.

Let’s not put our talented cyber warriors into this trap. Process and regulations need to be flexible enough to allow these people to protect our country – quickly.

Learn more about RedSeal’s support of cyber protection teams and our approach to digital resilience in the DOD.

 

Understanding and Managing Your Attack Surface

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) ninth control for implementing a cybersecurity program is for your organization to manage the ports, protocols, and services on a networked device that are exposed and vulnerable to exploitation. The intent of the control is for your organization to understand and manage the “attack surface” of its computing assets.

Attack surface can be defined in two dimensions, the network dimension and the server configuration. The network dimension is about attack vectors, or how an attacker can gain access to a device. We assume that attackers come from an untrusted part of the network, such as the Internet. You reduce attack vectors by limiting which devices/servers are accessible from these untrusted network spaces. This is typically done by implementing firewalls within the network infrastructure.

The next attack surface dimension is the ports/protocols/services that are enabled and accessible on the server itself. Start by understanding what ports/protocols/services are required for an application to run on the network. Any that aren’t required should be disabled on the server. For instance, on a public-facing web server only ports 80 (http) and 443 (https) need to be enabled to view web content. Next, pair this basic understanding with an active vulnerability management program. Attackers continue to develop exploits for these commonly used ports. You’ll want to remediate these potential vulnerabilities in a timely fashion to reduce the risk of compromise.

Beyond your external attack surface, however, there is an additional dimension. Many current system exploits come from within your own internal network. Hackers regularly use phishing emails and false web links to entice people to click on something that will install some type of malware. This creates a new attack vector to critical assets as an attacker gains a toehold within your trusted internal network.

To manage both your external and internal attack surfaces, you need to use tools and platforms to understand both attack vectors and the ports/protocols/services needed on critical systems. CIS recommends:

  • Using your asset inventories generated from implementing CIS Control #1 (Inventory and Control of Hardware Assets) and Control #2 (Inventory and Control of Software Assets) to map active ports/protocols/services to critical systems.
  • Ensure that only required ports/protocols/services are enabled on these critical systems.
  • Implement mitigating controls in the network, such as application firewalls, host-based firewalls, and/or port filtering tools.
  • Perform regular automated port scans of critical systems to ensure that implemented controls are being effective.
    NOTE: Many servers are not tolerant of port scanning tools due to load on the server. Other solutions exist that allow organizations to validate that only required ports/protocols/services are enabled on critical servers.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for understanding and managing your external and internal attack surfaces. Additionally, RedSeal provides pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your cybersecurity program using the CIS Controls.

The Network Dimension in Vulnerability Management

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) third control for implementing a cybersecurity program is to practice continuous vulnerability management. Organizations that identify and remediate vulnerabilities on an on-going basis will significantly reduce the window of opportunity for attackers. This third control assumes you’ve implemented the first two CIS framework controls — understanding both the hardware that makes up your infrastructure and the software that runs on that infrastructure.

The first two controls are important to your vulnerability management program. When you know what hardware assets you have, you can validate that you’re scanning all of them for vulnerabilities. As you update your IT inventory, you can include new assets in the scanning cycle and remove assets that no longer need to be scanned. And, when you know what software run on your infrastructure, you can understand which assets are more important. An asset’s importance is key to identifying what should be remediated first.

Most vulnerability scanning platforms allow you to rank the importance of systems being scanned. They prioritize vulnerabilities by applying the CVSS (Common Vulnerability Scoring System) score for each vulnerability on an asset and couple it with the asset’s importance to develop a risk score.

The dimension missing from this risk scoring process is understanding if attackers can reach the asset to compromise it. Although you are remediating vulnerabilities, you can still be vulnerable to attacks if what you’re remediating isn’t accessible by an attacker. It may be protected by firewalls and other network security measures. Knowledge of the network security controls already deployed would allow the vulnerability management program to improve its prioritization efforts to focus on high value assets with exposed vulnerabilities that can be reached from an attacker’s location.

Other vulnerability scanning and risk rating platforms use threat management data to augment their vulnerability risk scoring process. While threat management data (exploits actively in use across the world) adds value, it doesn’t incorporate the network accessibility dimension into evaluating that risk.

As you work to improve your vulnerability management program, it’s best to use all the information available to focus remediation efforts. Beyond CVSS scores, the following elements can improve most programs:

  • Information from network teams on new and removed subnets (IP address spaces) to make sure that all areas of the infrastructure are being scanned.
  • Information from systems teams on which systems are most important to your organization.
  • Including network information in the risk scoring process to determine if these systems are open to compromise.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for meeting your vulnerability management goals by providing network context to existing vulnerability scanning information. Additionally, RedSeal provides pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your program using the CIS Controls.

Visibility of IT Assets for Your Cybersecurity Program

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) first control for implementing a cybersecurity program is to understand and manage the hardware assets that make up your IT infrastructure. These hardware assets consist of network devices, servers, workstations, and other computing platforms. This is a difficult goal to achieve, further complicated by the increasing use of virtualized assets, such as public and/or private cloud, Software as a Service (SaaS), and virtualized servers.

In the past, inventorying these assets was relatively simple. When it came in the door, the physical device was given an inventory tag and entered into an asset management system. The asset management system was controlled by the finance group, primarily so assets could be depreciated for accounting records. As the IT world matured, we saw the advent of virtualized systems where a single box could be partitioned into multiple systems or devices. Further evolution in IT technology brought us cloud-based technologies, where a company no longer has a physical box to inventory. Network services are configured and servers are created dynamically. Hence the daunting task of trying to create and manage the IT inventory of any company.

CIS recognizes this and recommends using both active and passive discovery tools to assist. Since no human can keep up with this inventory of physical and virtual devices, discovery tools can help present an accurate picture of IT assets.

Active discovery tools leverage network infrastructure to identify devices by some form of communication to the device. Network teams are generally opposed to these tools because they introduce extra network traffic. Tools that attempt to “ping” every possible IP address are not efficient. They are also identified as potential security risks, since this is the same behavior that hackers generally use. Newer discovery strategies have evolved that are significantly more network friendly yet do a good job identifying the devices in your IT infrastructure. These newer, active discovery strategies target specific network IP addresses to gather information about a single device. When the information is processed, it can reveal information about other devices in the network.

Passive discovery tools are placed on the network to listen and parse traffic to identify all devices. Passive discovery tools do not add significantly to network traffic, but they need to be placed correctly to capture data. Some computing devices may never be identified because they are infrequently used, or their traffic never passes by a passive discovery tool. Newer passive discovery tools can integrate information with active discovery tools.

Most organizations need a combination of discovery tools. Active discovery tools should minimize their impact to the network and the devices they communicate with. Passive discovery tools can discover unknown devices. IT groups can do a gap analysis between the two tools to assess what is under management and what isn’t (frequently referred to as Shadow IT). This combined approach will provide the best strategy for understanding and managing all assets that make up an IT infrastructure.

Without this first step, having visibility into what these IT assets are and how they are connected, the remaining CIS controls can only be partially effective in maturing your cybersecurity strategy.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for meeting the first control, while providing benefit to implementing many of the other controls that make up the CIS Control framework. Additionally, RedSeal provides pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your program using the CIS Controls.

I See A Milestone, Not Just Another Funding Round

I’m delighted with the deal RedSeal just announced with STG.  I’ve worked in several start-ups — from the earliest stage, when the whole company could share a single elevator, all the way through acquisition by huge global corporations. My favorite times are when we’re all actively engaged with customers and the company has a sense of purpose and momentum. This is one of those times.

My feeling that this is a rite of passage – like leaving college – is because we’re moving from the category “VC-backed startup” into “privately-held serious company.”  Startups are like children – energetic, exciting, and allowed to get away with things. We expect more of grownups, that they can move forward, create and meet goals. It’s challenging, but it’s also fundamentally empowering, and I’m proud to move on to this next stage.

We’ve also chosen a true partner in STG, and they have chosen us. I may be stretching an analogy, but I’m pleased to say that we’ve dated long enough to learn that we see eye to eye. We agree about the potential for growth and are excited about working together towards a common vision. RedSeal, now with STG’s support, will be able to grow, innovate and deliver digital resilience to more and more customers, while we all continue to enjoy what we do. Each day is better than the last.

The Importance of Speed in Incident Response


 

By RedSeal Federal CTO Wayne Lloyd

Have you seen CrowdStrike’s “Global Threat Report: Adversary Tradecraft and The Importance of Speed”?

Just released at RSA Conference 2019 this year, the key takeaway is that nation states and criminal organizations are increasing both the speed and sophistication of their cyber tactics. This isn’t a surprise, but the report presents more detail on just how little time we have.

CrowdStrike defines “breakout time” as “the window of time from when an adversary first compromises an endpoint machine, to when they begin moving laterally across your network.”

The report shows a more granular examination of breakout time by clocking the increasing average speed of major nation state actors, including the breakout speeds of Russia, China, North Korea, Iran, and others.

So what can you do?

According to the report, basic hygiene is still the most important first step in defending against these adversaries — including user awareness, vulnerability and patch management and multi-factor authentication.

The CrowdStrike report continues:

With breakout time measured in hours, CrowdStrike recommends that organizations pursue the ‘1-10-60 rule’ in order to effectively combat sophisticated cyberthreats:

  • Detect intrusions in under one minute
  • Perform a full investigation in under 10 minutes
  • Eradicate the adversary from the environment in under 60 minutes

Organizations that meet this 1-10-60 benchmark are much more likely to eradicate the adversary before the attack spreads out from its initial entry point, minimizing impact and further escalation. Meeting this challenge requires investment in deep visibility, as well as automated analysis and remediation tools across the enterprise, reducing friction and enabling responders to understand threats and take fast, decisive action.

RedSeal and the 1-10-60 Benchmark

A RedSeal model of your network – across on-premise, cloud and virtual environments — gives you the detail you need to quickly accelerate network incident investigation. You’ll be able to quickly locate a compromised device, determine which assets bad actors can reach from there – and get information to stop them. Since RedSeal’s model includes all possible access paths, you’ll see specific paths the network attacker could take to valuable assets. And, you’ll get specific containment options so you can decide what action to take — from increasing monitoring, to placing honey pots, to changing firewall rules, to simply unplugging the device — decreasing your network incident response time.

Network security incident response that used to take hours, if not days, to determine becomes available immediately.

Click here to learn more about RedSeal’s support of incident response teams and how it will improve your agency’s digital resilience.

Using the CIS Top 20 Controls to Implement Your Cybersecurity Program

By Kes Jecius, Senior Consulting Engineer

I have the privilege of working with security groups at many different enterprise companies. Each of them is being bombarded by many different vendors who offer security solutions. No surprise, the common estimate is that there are approximately 2,000 vendors offering different products and services to these companies.

Each of these companies struggles with determining how to implement an effective cybersecurity program. This is made more difficult by vendors’ differing views on what is most important. On top of this, companies are dealing with internal and external requirements, such as PCI, SOX, HIPAA and GDPR.

The Center for Internet Security (www.cisecurity.org) offers a potential solution in the form of a framework for implementing an effective cybersecurity program. CIS defines 20 controls that organizations should implement when establishing a cybersecurity program. These controls fall into three categories:

  • Basic – Six basic controls that every organization should address first. Implementation of solutions in these 6 areas forms the foundation of every cybersecurity program.
  • Foundational – Ten additional controls that build upon the foundational elements. Think of these as secondary initiatives once your organization has established a good foundation.
  • Organizational – Four additional controls that are that address organizational processes around your cybersecurity program.

Most organizations have implemented elements from some controls in the form of point security products. But many don’t recognize the importance of implementing the basic controls before moving on to the foundational controls – and their cybersecurity programs suffer. By organizing your efforts using CIS’s framework, you can significantly improve your company’s cyber defenses, while making intelligent decisions on the next area for review and improvement.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a platform solution that provides significant value in 7 of the 20 control areas and supporting benefit for an additional 10 controls. Additionally, RedSeal has pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your program using the CIS Controls.

 

Cyber Protection Teams – Hands On

By Aaron Gosney, RedSeal Senior Sales Engineer and Dave Lundgren, RedSeal DOD Technical Account Manager

To help Cyber Protection Teams (CPTs) understand how RedSeal helps them secure cyber terrain, we’ve developed a hands-on scenario-based workshop. We’ve held this workshop for different parts of the DOD, and, more recently for federal civilian cyber operators at CyberScoop’s DC Cyber Week.

While lots of people talk about incident response and investigation, it’s always more effective to show how important RedSeal and digital resilience can be.  We use a scenario to teach CPTs that there is a faster way, even if they don’t know that it’s possible. In fact, many attendees don’t know much about RedSeal. Even those who are aware of RedSeal typically have a limited idea of what the platform can do.

Before the workshop starts, we put a laptop in front of every participant and tell them what they’re going to experience. Attendees are excited to “drive” RedSeal in a real-world environment and avoid a dry lecture. This hands-on, non-formal format is popular and effective. It creates lots of interactive moments and good conversations among the attendees.

RedSeal in the Real World

The workshop’s mission concept is to assess, correct, and maintain the overall cybersecurity of a location that will be used by leaders of many countries gathered for sensitive discussions and negotiations.

Attendees are asked to imagine that they’re part of a team has been sent to this remote location. They’ll have to evaluate cloud, traditional, IOT, and IIOT networks. We guide each person through the process of analyzing network access and vulnerability exposure across the network, prioritizing remediation efforts, and verifying that the network is secure.

RedSeal for Network Mapping and Automation

We show attendees how, in a matter of hours, RedSeal can collect and analyze all the network and vulnerability information to create actionable intelligence. They see that attempting this process manually would be impossible given the time constraints. It would take years to manually review the millions of lines of text in the combined config files of an entire enterprise network. RedSeal automates this process and generates accurate, up-to-date network context that is essential to an effective cybersecurity program.

We also show them that RedSeal’s network topology map is not static but can be moved around and adjusted. Attendees organize all the network information into an easy and clear graphic representation of the devices and how they connect with each other. Then they can query for potential network access or vulnerability exposure.

The workshop generates a lot of discussion. We are asked for deeper information about deploying RedSeal at scale in an enterprise and for more information on our integrations with products from vendors such as Cisco, Tenable, Splunk, and ForeScout.

We get great feedback from workshop attendees.  One said, “this is one of the most realistic scenarios I’ve seen in a cybersecurity workshop.”  Another said, “I wish more vendors would do events like this.” And, a cyber analyst said, “Wow. This helped me to understand how powerful RedSeal is.”

We will continue to refine the workshop so that it continues to engage people and demonstrate what is possible with RedSeal.