Security Orchestration and Automation Response Solutions (SOAR) and RedSeal

Over the past few years, Security Orchestration, Automation, and Response (SOAR) tools have emerged as multi-faceted and ever-present components in a Security Operations Center (SOC), enabling security teams to centralize incident management, standardize processes, and reduce response times through automation and artificial intelligence (AI).

The security orchestration, automation and response (SOAR) market, as defined by Gartner in 2017, evolved from three previously distinct technologies: Service Oriented Architecture (SOA), security incident response platforms (SIRPs) and threat intelligence platforms (TIPs).

In 2019, Gartner released their latest and most comprehensive research on the SOAR market to date– Market Guide for Security Orchestration, Automation and Response Solutions. In it, Gartner tracks the growth of the market over the past few years, provides a representative list of SOAR vendors, and delivers advice that security practitioners should keep in mind while procuring SOAR tools.

Moreover, AI security is listed in their Top Ten Strategic Technology Trends for 2020, which says:

“AI and ML will continue to be applied to augment human decision making across a broad set of use cases. While this creates great opportunities to enable hyperautomation and leverage autonomous things to deliver business transformation, it creates significant new challenges for the security team and risk leaders with a massive increase in potential points of attack with IoT, cloud computing, microservices and highly connected systems in smart spaces. Security and risk leaders should focus on three key areas — protecting AI-powered systems, leveraging AI to enhance security defense, and anticipating nefarious use of AI by attackers.”

Gartner states that SOAR tool deployment is now more use-case driven than ever. The use cases depend on the maturity of the organization, the capabilities of the SOAR tool, and the processes most ripe for automation, among other things. According to Gartner:

“SOAR selection in 2019 and beyond is being driven by use cases such as:

  • SOC optimization
  • Threat monitoring and response
  • Threat investigation and response
  • Threat intelligence management”

SOAR Doesn’t Know What It Doesn’t Know.

The problem we see with deploying security automation is the quality of the information put into it. How do you deploy a SOAR tool if you don’t know for sure if the data being used is accurate? Is good enough good enough?

Security solutions based on automation can also have blind spots. How do they know that they can see everything? In fact, they don’t know what they don’t know.

RedSeal data can better refine how a SOAR solution makes its decisions to take or not take actions in the above use cases. RedSeal gives a SOAR tool a deep understanding of the network environment it operates in. It is not enough to identify and react to an indicator of compromise, we need to understand what an intruder can reach from there.

Does the device have access to a high value asset (HVA) or to the key cyber terrain of your environment?

If not, don’t worry and carry on with the automated processes.

If yes, then that is an indication to do more investigation and look at how this access could have happened in the first place.

And during a follow-on, after-action review you can investigate important issues like how the intrusion happened in the first place. Only RedSeal shows you what’s on your network, how it’s connected and the associated risk, so you can better prepare for and contain problems within minutes and not days.

What if RedSeal could improve your understanding? Would that interest you?

If yes, click here to set up a time to speak with a RedSeal representative about how to integrate RedSeal with your preferred SOAR tool.

Ten Cybersecurity Fundamentals to Reduce Your Risk of Attack

Due to escalating tensions with Iran and recent cyber activity against a U.S. Government website, DHS’s Cybersecurity and Infrastructure Security Agency team has issued a bulletin warning organizations to be prepared for “cyber disruptions, suspicious emails, and network delays.” DHS recommends preparing by focusing on “cyber hygiene practices” to defend against the known tactics, techniques and procedures (TTPs) of Iran-associated threat actors.  This warning serves as another reminder that adversaries often compromise organizations through failures in assessing and implementing basic security practices.

Based on recent international activities announced by DHS, expectations of retaliation from a known adversarial nation state are more than likely to occur. This is an immediate risk to all public and private organizations in the United States. Organizations need to be able to assess their current security posture and accurately evaluate their cyber hygiene. They need to know what is on their networks, how it is all connected and the risk associated with each asset.

Whether you are hands-on-keyboard technician or an executive responsible for securing your organization, here are ten cybersecurity fundamentals you can implement.

  1. Identify critical data and where it is housed
  2. Know what assets – physical and virtual – are on your network
  3. Harden your network devices, making sure they are securely configured
  4. Review your endpoint data sources to make sure you have full coverage of all endpoints on your network
  5. Ensure that your vulnerability scanner is scanning every subnet
  6. Factor in accessibility to prioritize your highest-risk vulnerabilities and hosts
  7. Make sure only approved or authorized access is allowed, including any third-party access.
  8. Validate that all network traffic goes through your security stack(s)
  9. Identify unnecessary ports and protocols
  10. Identify rules on your network gear to determine if they are valid and applied appropriately

By focusing on cybersecurity fundamentals, RedSeal helps government agencies and Global 2000 companies measurably reduce their cyber risk. With our cyber terrain analytics platform and professional services, enterprises improve their resilience to security events by understanding what’s on their networks and how it’s all connected.

RedSeal verifies that network devices are securely configured; validates network segmentation policies; and continuously monitors compliance with policies and regulations. It also prioritizes mitigation based on each vulnerability’s associated risk.

We are proud to be trusted as the central cybersecurity platform in our customers’ defense-in-depth strategy.

CDM Experts: Data Collection, Classification, Analysis Are Keys

Recently, RedSeal Federal CTO Wayne Lloyd was asked to participate in a panel organized by Meritalk on the federal government’s Continuous Diagnostics and Mitigation (CDM) program.

Wayne was joined by CDM experts from Veritas and Splunk. All offered candid assessments of the importance of data classification and collection as the CDM program moves to incorporate a more robust integrated system of dashboards.

Wayne said it was important for organizations to thoroughly understand what their data environments look like. Once they do, data classification becomes easier.

“At RedSeal we help customers model their networks so they can understand what IP space they have and where the data may be residing,” he said. But all of these deployments reveal that the organization “doesn’t know their entire network,” he added.

On the subject of data classification and protection, David Bailey, senior director of U.S. public sector technical sales at Veritas said, “Mission critical data containing patient information for a hospital or the VA should be in tiered storage with the best, maybe multiple, forms of protection, with lots of role-based access controls.” He added that sometimes understanding what data needs to be protected the most is the most important priority.

Adilson Jardim, area vice president for public sector sales engineering at Splunk, said there should be an emphasis on the “continuous” part of CDM, and that it shouldn’t “be a program that ends in five years.”

Click here to read more: https://www.meritalk.com/articles/cdm-experts-data-collection-classification-analysis-are-keys/

To learn more about how RedSeal supports the DHS CDM program, visit “RedSeal and DHS CDM DEFEND

 — Lauren Stauffer, Sr. Director, Market Development

How to Identify Your Boundary Defense Needs

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) twelfth control for implementing a cybersecurity program is for your organization to control the flow of information transferring between networks of different trust levels. The first sub-control states that an organization should maintain an inventory of all network boundaries. So, the first question you need to ask is: where are your network boundaries?

Back in the days before the Internet was prevalent and mainframes dominated the IT landscape, these boundaries were very well defined. All the company’s information was warehoused in a mainframe centrally controlled by a small group of people. Getting access to the data was a very rigorous process and external links were not common. When external links were established, they were very tightly defined to exchange the minimum amount of information required to conduct business.

With the introduction of Local Area Networks, data started to be distributed within the organization. The IT department frequently was not involved in the deployment of these networks since they were seen as local resources and didn’t include external links. As these data resources grew, departments wanted to share information outside the boundaries of their local network. The Internet facilitated this connectivity, and IT departments needed to get involved to provide a control point for these data flows.

Now jump to the present where organizations have multiple internal data sources deployed in a distributed fashion, and the business owners of the data want to share this information with others to make their operations more efficient. The IT department now needs to understand the network boundaries and the security group needs to control and manage the boundary defense requirements.

To inventory these boundaries, the first step is to understand how your network infrastructure is connected. Assuming you’ve done a good job implementing CIS Control #1 (Inventory and Control of Hardware Assets), you have an initial base to identify all connections to external organizations and the Internet. A secondary pass through this information should focus on identifying internal connectivity. Understand where your organization allows data to flow and identify untrusted links within the organization, like guest wireless access.

The second phase of creating your boundary inventory is to leverage the data gathered in implementing CIS Control #2 (Inventory and Control of Software Assets). By understanding the systems running on your servers, you can start to understand where the users of the data are connecting to the enterprise. Then, map these flows to the hardware inventory to get an understanding of all network boundaries and determine where your organization should focus to implement appropriate security controls.

With automated tools and platforms in place from the first two controls, putting together the initial inventory of network boundaries should be a relatively easy process. Then your security group can start to improve overall boundary defenses as identified in the other sub-controls within the twelfth CIS control (Boundary Defense).

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for understanding the networking environment and helping to identify the network boundaries that have already been deployed. This, in turn, will allow your organization to improve these boundary defenses in a cost efficient manner.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your cybersecurity program using the CIS Controls.

CIS Benchmarks Bring Network and Security Teams Together

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) eleventh control for implementing a cybersecurity program is for your organization to actively track, report on, and correct the security configurations for network devices. This involves the use of a configuration management system and robust change control processes. What has been missing is a common set of network device security configurations standards that can be utilized by network and security teams.

As a networking professional for over 30 years, I understand the need to consistently and securely configure network devices. I built “golden templates” to make sure that any time I added a new device, it is configured the same as the last one. I utilized my own knowledge base and vendor recommendations for how to configure these network devices. Sound familiar?

But, network manufacturers frequently provide software updates to add new features, correct bugs, and address identified security holes in their networking devices. How often do we go back to update golden templates and check existing network devices when we install a new software version or use a new feature? In my experience, rarely. Network operations teams are too busy addressing access requirements and network-related support tickets. Checking existing configurations for correctness becomes a summer intern’s job.

Then, the security group starts the important work of establishing policies for how to secure information within your enterprise. Because network devices are part of the security infrastructure, the security analyst starts asking questions of the network operations teams and the divide between groups becomes apparent. The networking teams are addressing access requirements and tickets. They just don’t have the manpower to address the security analyst’s concerns.

To help bridge this internal divide, organizations are turning to security frameworks to allow teams to understand both sides of the equation. A very useful framework comes from CIS. CIS provides CIS Benchmarks, a set of configuration guidelines for the most common networking devices and platforms. These benchmarks have been developed by both security and networking professionals as minimum configuration security standards. Network teams can establish projects to update golden templates and then address security configuration issues on individual devices. By using the CIS Benchmarks, security teams have a set of standards to run an audit of network device configurations — and assess the overall risk to the enterprise when device configurations don’t match the standards.

Federal government agencies have done this for many years using DISA STIGs (Security Technical Information Guides). CIS Benchmarks are similar to these standards, but the Department of Defense has security requirements that are different from many commercial organizations.

As a single project, reconfiguring many networking devices is a challenge. You’ll need to make these security standards part of the existing golden templates and then integrate them with the on-going change management processes. It will take some time to fully migrate to these standards. Consider smaller projects that address a portion of the CIS Benchmarks so you can demonstrate tangible improvements more quickly.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for understanding the networking environment and helping to identify network devices that do not meet minimum recommended network device configuration standards. Whether you utilize CIS Benchmarks, STIGs, or some other established standard, make sure that these controls receive some attention in your overall cybersecurity strategy.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your cybersecurity program using the CIS Controls.

Is Process Killing Digital Resilience and Endangering Our Country?

After reading a Facebook comment on “Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts,” I’m compelled to respond.

I work a lot with the Navy (and the DOD as a whole) as a vendor. I spent 26 years in the intelligence community as a contractor running datacenter operations, transitioning to cybersecurity in the late 1990s.

From my past insider experience to my now outside-in view, “process” is one of the biggest hurdles to effectively defending a network. Process frustrates the talented cyber warriors and process is what managers hide behind when a breach that happened six months or more ago is finally detected.

Process = regulations.

Processes are generally put into place in response to past incidents. Simple knee jerk reactions. But things change. We need to review and change our processes and regulations, and, in some cases completely tear them apart to allow our talented cyber warriors to defend our networks. New regulations would allow them to get into the fight. They may even remain in their jobs longer, rather than leaving for industry — taking expensive training and irreplaceable knowledge with them.

One of my coworkers was on a Cyber Protection Team (CPT) for a major military command. He left to work in a commercial SOC. At one point, his team pitched their services to the top echelon of a service branch. As they introduced my coworker, he was asked why he left military service. My coworker, being an Army Ranger, and then an enlisted sailor, is pretty direct. He said, “Because you’re not in the fight. You’re more worried about the policy and process, while I’m here every day fighting the Russians, Chinese and Iranians.” One officer turns to the others and said, “This is exactly what I mean.”

Too much process and regulation restrict the agility needed for prompt incident response. To resolve incidents quickly (and minimize damage), cyber warriors require trust from their leadership. Trust in their abilities to make quick decisions, be creative, and quickly deploy lessons learned.

The very cyber warriors whose decisions they question are the same ones they blame when things go wrong.

As always, Target is a prime example. It was a low-level cyber warrior who found the “oddity” when doing a packet capture review. He notified Target leadership. But they didn’t act. They ignored him until their credit cards were on the dark web. Then, they went back to the young cyber warrior and fired him. He asked why. After all, he identified the problem first. The response from his leadership was: “Well, you didn’t make your point strong enough for us to take action on.”

The military has the same mentality. But, since many of them have even less knowledge of real-world hacks then private sector management, they take even more time to make decisions. Another friend told me about a time when he was on active duty and found evidence that someone had exploited the network. When he reported it, his leadership kicked it back because there was “not enough evidence.”  He then broke down the exploit and was able to provide the address and phone number of the adversary in Russia. Finally, they acted, but his CO did not want to report it to higher HQ because he was afraid of the fallout.

My friend reminded his CO that they were part of a carrier strike group, and all their data was incorporated into the fleet. Once again, he was ordered to fix it and not report it. He really believed that the only way to protect the group would be to send an anonymous email. This cyber warrior had to choose between disobeying orders and protecting our country.

Let’s not put our talented cyber warriors into this trap. Process and regulations need to be flexible enough to allow these people to protect our country – quickly.

Learn more about RedSeal’s support of cyber protection teams and our approach to digital resilience in the DOD.

 

Understanding and Managing Your Attack Surface

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) ninth control for implementing a cybersecurity program is for your organization to manage the ports, protocols, and services on a networked device that are exposed and vulnerable to exploitation. The intent of the control is for your organization to understand, reduce and manage the “attack surface” of its computing assets.

Attack surface can be defined in two dimensions, the network dimension and the server configuration. The network dimension is about attack vectors, or how an attacker can gain access to a device. We assume that attackers come from an untrusted part of the network, such as the Internet. You reduce attack vectors by limiting which devices/servers are accessible from these untrusted network spaces. This is typically done by implementing firewalls within the network infrastructure.

The next attack surface dimension is the ports/protocols/services that are enabled and accessible on the server itself. To reduce your attack surface, start by understanding what ports/protocols/services are required for an application to run on the network. Any that aren’t required should be disabled on the server. For instance, on a public-facing web server only ports 80 (http) and 443 (https) need to be enabled to view web content. Next, pair this basic understanding with an active vulnerability management program. Attackers continue to develop exploits for these commonly used ports. You’ll want to remediate these potential vulnerabilities in a timely fashion to reduce the risk of compromise.

Beyond your external attack surface, however, there is an additional dimension. Many current system exploits come from within your own internal network. Hackers regularly use phishing emails and false web links to entice people to click on something that will install some type of malware. This creates a new attack vector to critical assets as an attacker gains a toehold within your trusted internal network.

To manage and reduce both your external and internal attack surfaces, you need to use tools and platforms to understand both attack vectors and the ports/protocols/services needed on critical systems. CIS recommends:

  • Using your asset inventories generated from implementing CIS Control #1 (Inventory and Control of Hardware Assets) and Control #2 (Inventory and Control of Software Assets) to map active ports/protocols/services to critical systems.
  • Ensure that only required ports/protocols/services are enabled on these critical systems.
  • Implement mitigating controls in the network, such as application firewalls, host-based firewalls, and/or port filtering tools.
  • Perform regular automated port scans of critical systems to ensure that implemented controls are being effective.
    NOTE: Many servers are not tolerant of port scanning tools due to load on the server. Other solutions exist that allow organizations to validate that only required ports/protocols/services are enabled on critical servers.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for understanding and managing your external and internal attack surfaces. Additionally, RedSeal provides pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your cybersecurity program using the CIS Controls.

The Network Dimension in Vulnerability Management

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) third control for implementing a cybersecurity program is to practice continuous vulnerability management. Organizations that identify and remediate vulnerabilities on an on-going basis will significantly reduce the window of opportunity for attackers. This third control assumes you’ve implemented the first two CIS framework controls — understanding both the hardware that makes up your infrastructure and the software that runs on that infrastructure.

The first two controls are important to your vulnerability management program. When you know what hardware assets you have, you can validate that you’re scanning all of them for vulnerabilities. As you update your IT inventory, you can include new assets in the scanning cycle and remove assets that no longer need to be scanned. And, when you know what software run on your infrastructure, you can understand which assets are more important. An asset’s importance is key to identifying what should be remediated first.

Most vulnerability scanning platforms allow you to rank the importance of systems being scanned. They prioritize vulnerabilities by applying the CVSS (Common Vulnerability Scoring System) score for each vulnerability on an asset and couple it with the asset’s importance to develop a risk score.

The dimension missing from this risk scoring process is understanding if attackers can reach the asset to compromise it. Although you are remediating vulnerabilities, you can still be vulnerable to attacks if what you’re remediating isn’t accessible by an attacker. It may be protected by firewalls and other network security measures. Knowledge of the network security controls already deployed would allow the vulnerability management program to improve its prioritization efforts to focus on high value assets with exposed vulnerabilities that can be reached from an attacker’s location.

Other vulnerability scanning and risk rating platforms use threat management data to augment their vulnerability risk scoring process. While threat management data (exploits actively in use across the world) adds value, it doesn’t incorporate the network accessibility dimension into evaluating that risk.

As you work to improve your vulnerability management program, it’s best to use all the information available to focus remediation efforts. Beyond CVSS scores, the following elements can improve most programs:

  • Information from network teams on new and removed subnets (IP address spaces) to make sure that all areas of the infrastructure are being scanned.
  • Information from systems teams on which systems are most important to your organization.
  • Including network information in the risk scoring process to determine if these systems are open to compromise.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for meeting your vulnerability management goals by providing network context to existing vulnerability scanning information. Additionally, RedSeal provides pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your program using the CIS Controls.

Visibility of IT Assets for Your Cybersecurity Program

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) first control for implementing a cybersecurity program is to understand and manage the hardware assets that make up your IT infrastructure. These hardware assets consist of network devices, servers, workstations, and other computing platforms. This is a difficult goal to achieve, further complicated by the increasing use of virtualized assets, such as public and/or private cloud, Software as a Service (SaaS), and virtualized servers.

In the past, inventorying these assets was relatively simple. When it came in the door, the physical device was given an inventory tag and entered into an asset management system. The asset management system was controlled by the finance group, primarily so assets could be depreciated for accounting records. As the IT world matured, we saw the advent of virtualized systems where a single box could be partitioned into multiple systems or devices. Further evolution in IT technology brought us cloud-based technologies, where a company no longer has a physical box to inventory. Network services are configured and servers are created dynamically. Hence the daunting task of trying to create and manage the IT inventory of any company.

CIS recognizes this and recommends using both active and passive discovery tools to assist. Since no human can keep up with this inventory of physical and virtual devices, discovery tools can help present an accurate picture of IT assets.

Active discovery tools leverage network infrastructure to identify devices by some form of communication to the device. Network teams are generally opposed to these tools because they introduce extra network traffic. Tools that attempt to “ping” every possible IP address are not efficient. They are also identified as potential security risks, since this is the same behavior that hackers generally use. Newer discovery strategies have evolved that are significantly more network friendly yet do a good job identifying the devices in your IT infrastructure. These newer, active discovery strategies target specific network IP addresses to gather information about a single device. When the information is processed, it can reveal information about other devices in the network.

Passive discovery tools are placed on the network to listen and parse traffic to identify all devices. Passive discovery tools do not add significantly to network traffic, but they need to be placed correctly to capture data. Some computing devices may never be identified because they are infrequently used, or their traffic never passes by a passive discovery tool. Newer passive discovery tools can integrate information with active discovery tools.

Most organizations need a combination of discovery tools. Active discovery tools should minimize their impact to the network and the devices they communicate with. Passive discovery tools can discover unknown devices. IT groups can do a gap analysis between the two tools to assess what is under management and what isn’t (frequently referred to as Shadow IT). This combined approach will provide the best strategy for understanding and managing all assets that make up an IT infrastructure.

Without this first step, having visibility into what these IT assets are and how they are connected, the remaining CIS controls can only be partially effective in maturing your cybersecurity strategy.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for meeting the first control, while providing benefit to implementing many of the other controls that make up the CIS Control framework. Additionally, RedSeal provides pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your program using the CIS Controls.

I See A Milestone, Not Just Another Funding Round

I’m delighted with the deal RedSeal just announced with STG.  I’ve worked in several start-ups — from the earliest stage, when the whole company could share a single elevator, all the way through acquisition by huge global corporations. My favorite times are when we’re all actively engaged with customers and the company has a sense of purpose and momentum. This is one of those times.

My feeling that this is a rite of passage – like leaving college – is because we’re moving from the category “VC-backed startup” into “privately-held serious company.”  Startups are like children – energetic, exciting, and allowed to get away with things. We expect more of grownups, that they can move forward, create and meet goals. It’s challenging, but it’s also fundamentally empowering, and I’m proud to move on to this next stage.

We’ve also chosen a true partner in STG, and they have chosen us. I may be stretching an analogy, but I’m pleased to say that we’ve dated long enough to learn that we see eye to eye. We agree about the potential for growth and are excited about working together towards a common vision. RedSeal, now with STG’s support, will be able to grow, innovate and deliver digital resilience to more and more customers, while we all continue to enjoy what we do. Each day is better than the last.