RedSeal and ForeScout Federal CTOs Explain how They Jointly Map, Identify and Increase the Resilience of Public Sector Networks

Last month, Wallace Sann, the Public Sector CTO for ForeScout, and I sat down to chat about the current state of cybersecurity in the federal government. With ForeScout, government security teams can see devices as they join the network, control them, and orchestrate system-wide responses.

Many of our customers deploy both RedSeal and ForeScout side by side. I wanted to take a look at how government security teams were dealing with ongoing threats and the need to integrate different cybersecurity tools into the “cyber stack.”

Our conversation is lightly edited for better clarity.

Wayne:  Describe the challenges that ForeScout solves for customers.

Wallace:  We help IT organizations identify IT resources and ensure their security posture. There’s always an “ah-ha moment” that occurs during a proof of concept. We see customers who swear by STIG, and will say they only have two versions of Adobe. We’ll show them that there are 6-7 versions running.  We tell you what’s on the network and classify it.

Wayne:  We often say that RedSeal is analogous to a battlefield map where you have various pieces of data coming in to update the topography map with the current situation. By placing the data into the context of the topography, you can understand where reinforcements are needed, where your critical assets are and more.

RedSeal’s map gives you this contextual information for your entire enterprise network. ForeScout makes the map more accurate, adapting to change in real time. It lets you identify assets in real time and can provide some context around device status at a more granular or tactical level.

Wallace:  Many companies I speak to can create policies on the fly, but ensuring that networks and endpoints are deployed properly and that policies can be enforced is a challenge.

Wayne:  Without a doubt. We were teaching a class for a bunch of IT professionals, telling them that RedSeal can identify routes around firewalls. If the networking team put a route around it, the most effective firewall won’t work. The class laughed. They intentionally routed around firewalls, because performance was too slow.

Endpoint compliance typically poses a huge challenge too. RedSeal can tell you what access a device has, but not necessarily when it comes online. Obviously, that’s one of the reasons we’re partnering with ForeScout.

Wallace:  ForeScout can provide visibility that the device is online and also provide some context around the endpoint. Perhaps RedSeal has a condition that DLP is running on the endpoint. ForeScout could tell you that DLP is not loaded, and therefore no access allowed.

Wayne: Inventory what’s there. Make sure it’s managed. If not managed, you may not know you were attacked and where they came in or went. If you have that inventory, you can prevent or at least respond quicker.

Another important component is assessing risk and knowing what is important to protect. Let’s say we have two hosts of equal value. If Host 1 is compromised, you can’t leapfrog any further. No other systems will be impacted. If Host 2 is compromised, 500 devices can be compromised including two that may have command and control over payroll or some critical systems. Where do you want to put added security and visibility? On the hot spots that open you up to the most risk!  We put things into network context and enable companies to be digitally resilient.

Wallace:  With so many security concerns to address, prioritization is critical.

Wayne:  IoT is obviously a trend that everyone is talking about and is becoming an increasing concern for agency IT Security orgs. How is ForeScout addressing IoT?

Wallace:  ForeScout provides visibility, classification and assessment. If it has an IP address, we can detect it. Classification is where we are getting better. We want to be able to tell you what that device is. Is it a security camera? A printer? A thermostat? We can classify most common devices, but we want to be 75-90% accurate in device classification. The problem is that many new devices are coming out every day. Many you can’t probe traditionally; it could take the device down.  And, you can’t put an agent on it.  So, we’re using other techniques to passively fingerprint a device (via power over Ethernet, deep packet inspection, and more), so we can get to 95% accuracy.

Wayne:  Do you see a lot of IoT at customer sites, and are they concerned?

Wallace:  Some don’t realize they have an issue. Many don’t know that IoT devices are on their networks. We are seeing more cases where we are asked to assess IoT environments and address it. Before, we weren’t asked to take action. We used to be asked how many Windows and Mac devices there were. Now, there is a movement by government agencies to put anything with an IP address (the OT side) under the purview of the CISO.

Wayne:  We see a lot of devices – enterprise and consumer – that aren’t coded securely. IoT devices should be isolated, not connected to your mission critical operating environment.

Wallace:  I was curious how RedSeal handles IoT?

Wayne:  If there is vulnerability scan data, it tells us what OS, applications running, active ports, host name, MAC address, etc. Without that data, we can grab some device data, but with ForeScout, we can get more context/additional data about the device. ForeScout can tell you the devices are there. RedSeal can ensure that it’s segmented the way it should be. We can tell you it’s there and how you can get to it; people need to make decisions and act. We show IoT devices as a risk.

Wayne:  What are some of the trends that you are seeing that need to be addressed at customer sites?

Wallace:  From a native cloud perspective, we are working on extending the customer on-premise environment and bringing visibility and control to the cloud.   We are also working on making it easier to get security products to work together.  People don’t have the resources for integration and ongoing management.  We’re working to orchestrate bi-directionally with various toolsets to provide actionable intelligence – advanced threat detection, vulnerability assessment, etc.

We can take intel from other vendors, and ForeScout gives us the who, what, when, where from an endpoint to determine if that device should be on a network.

For example, an ATD vendor can detect malware (find it in their sandbox). They will hand us an indicator of compromise (hash, code, etc.). We’ll look for those IoCs on devices on the network and then quarantine those devices.

Wayne: Security vendors need to work together.  Customers don’t want to be tied to a single vendor.  Thanks for your time today.


For more information, visit our websites at RedSeal and ForeScout.
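The class anecdote above, where a more specific route quietly sends traffic around the firewall, comes down to a longest-prefix-match question that can be checked mechanically. The following is an added example, not RedSeal or ForeScout code: it traces a flow through static routes and reports any flow whose forward path never enters a firewall. The three-device topology, its subnets, routes and the flows probed are constructed assumptions for illustration.

```python
"""Static-route path trace that flags flows bypassing the firewall.

Added example (not RedSeal or ForeScout code). The three-device topology,
its subnets and routes are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    connected: list          # directly attached subnets, as CIDR strings
    routes: dict             # static routes: prefix CIDR -> next-hop device name
    is_firewall: bool = False


def next_hop(dev, dst):
    """Longest-prefix match. Returns None when dst is directly connected
    (packet delivered), else the next-hop device name."""
    if any(dst in ipaddress.ip_network(n) for n in dev.connected):
        return None
    best_net, best_hop = None, None
    for prefix, hop in dev.routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    if best_hop is None:
        raise LookupError(f"{dev.name}: no route to {dst}")
    return best_hop


def trace(devices, src, dst):
    """Ordered list of device names a packet from src to dst traverses."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    current = next(d for d in devices.values()
                   if any(src in ipaddress.ip_network(n) for n in d.connected))
    path, seen = [], set()
    while True:
        if current.name in seen:
            raise RuntimeError(f"routing loop at {current.name}: {path}")
        seen.add(current.name)
        path.append(current.name)
        hop = next_hop(current, dst)
        if hop is None:
            return path
        current = devices[hop]


def flows_bypassing_firewall(devices, flows):
    """Return (src, dst, path) triples whose forward path never enters a firewall."""
    out = []
    for src, dst in flows:
        path = trace(devices, src, dst)
        if not any(devices[n].is_firewall for n in path):
            out.append((src, dst, path))
    return out


# Constructed topology: user LAN behind R1, servers behind R2, firewall FW between.
# R1 also has a direct link to R2 and a specific route for one server subnet over
# it: the "performance" shortcut that sends that traffic around the firewall.
TOPOLOGY = {
    "R1": Device("R1", ["10.10.0.0/24", "10.255.1.0/30", "10.255.2.0/30"],
                 {"0.0.0.0/0": "FW", "10.20.0.0/24": "R2"}),
    "FW": Device("FW", ["10.255.1.0/30", "10.255.3.0/30"],
                 {"10.10.0.0/16": "R1", "10.20.0.0/16": "R2"}, is_firewall=True),
    "R2": Device("R2", ["10.20.0.0/24", "10.20.5.0/24", "10.255.2.0/30", "10.255.3.0/30"],
                 {"0.0.0.0/0": "FW"}),
}

FLOWS = [("10.10.0.5", "10.20.0.7"),   # user -> server on the shortcut subnet
         ("10.10.0.5", "10.20.5.7")]   # user -> server on the other subnet

if __name__ == "__main__":
    for src, dst, path in flows_bypassing_firewall(TOPOLOGY, FLOWS):
        print(f"{src} -> {dst} bypasses the firewall via {' > '.join(path)}")
```

Only the forward direction is traced; with R2 defaulting back through FW the return path is asymmetric, which is a second finding a real model would report, since a stateful firewall seeing only one direction of a session will drop it.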

Network Access Modeling Improves Security, Performance and Uptime for FEMA

When disaster strikes, the Federal Emergency Management Agency (FEMA) enterprise network is expanded to include “temporary” mobile data centers that can last from months to years. In this kind of situation, change control, network maps and configurations can get wildly out of control. The security engineers in FEMA’s Security Operation Center (SOC) wanted network visibility. What’s more, they needed continuous monitoring to be able to measure risk and make decisions about how to deploy their scarce time and resources.

After learning more about RedSeal’s security analytics platform, FEMA’s cybersecurity lead realized that it could fill a major void in the agency’s solution set. RedSeal could help him understand the network, measure resilience, verify compliance, and accelerate response to security incidents and network vulnerabilities.

The FEMA SOC team deployed RedSeal to help manage their change control process — by modeling the data centers as they popped up in near real time. As data centers come online, they use RedSeal to ensure the right access is available. In the coming months, the team is expanding use of RedSeal to support their incident response program.

FEMA’s network team also uses RedSeal to visualize access from disaster sites. Initially, they were shocked by the level of network access sprawl. They had no idea how much gear was on the network at a disaster site or how many security consequences resulted from simple configuration changes.

Now, with RedSeal’s continuously-updated network model, the network team is able to identify everything on the network and rapidly address any configuration changes that cause security, performance, and network uptime issues.

Get a PDF of this article. FEMA: Modeling Network Access

Clear ROI for RedSeal Deployment to Support Vulnerability Assessment Program

An anonymous intelligence agency had a problem.

Their vulnerability assessment program was expensive and sub-optimal. The program was run by two internal employees and 16 contractors. Going from data center to data center, each assessment could take anywhere from 2 months to a full year to conduct.

First, they had to inventory each data center and find all the configuration files. Then they had to review each setup to make sure it was updated and had applied best security practices. At that point, they could create a network map.

Using the map, they could then begin to manually analyze the network for vulnerabilities. Given time and resource constraints, the team was forced to triage.  Ignoring medium and low level vulnerabilities, they focused on a short list of the most critical.

Of course, by the time they completed their analysis, the whole network had changed. The network map was merely a snapshot in time. Plus, the vulnerability assessment reports didn’t include leapfrogs to move deeper into the network.

The agency realized that getting one or two reports per year on a network that had already changed — at a cost of $5 million — was not a situation that could continue.

After researching various cybersecurity tools and getting a glowing review from other cyber teams in the government, the agency’s cybersecurity team realized that RedSeal was the solution they needed. RedSeal’s continuous monitoring of the config files on the network means that the network map is never out of date. Experts at In-Q-Tel were brought in to review RedSeal. Approval was quickly given. On a Monday, their engineers told RedSeal, “We want it on Friday!”

Now, after deploying RedSeal agency wide and setting up 14 instances, they conduct continuous assessments year round across all data centers.  After five years, customer feedback has been 100% positive, “We realize now that we can’t leverage the other cybersecurity tools unless we have RedSeal. RedSeal is core to our cybersecurity and vulnerability management operations.”

Do you have a problem with your time-consuming manual vulnerability assessment program? Click here to set up a free trial of RedSeal and choose the better way.

RedSeal software is the best way to measure and manage the digital resilience of your network.

Get a PDF of this article. US Intelligence Agency: Clear ROI


RedSeal Platform Named Most Innovative Cybersecurity Product — USA

RedSeal’s cybersecurity analytics platform has been named: Most Innovative Cybersecurity Product – USA as part of Corporate Vision Magazine’s 2016 Technology Innovator Awards.

Corporate Vision is a quarterly publication for CEOs, directors and other top-level professionals looking to improve the way they manage their operations, staff, technology, business partnerships, and supply chains. Readers use the awards to find the best business partners to help and assist with their future ventures.

The publication is headquartered in the UK, but has readers throughout Europe, the United States, Africa, Asia and Australia.

Award winners appear on Corporate Vision’s site for a year.

Getting Federal Agencies Cyber Ready for CSIP

This blog post first appeared in Signal on April 6, 2016

Federal agencies clamor for industry best practices to implement findings resulting from last year’s 30-day “Cybersecurity Sprint,” part of the administration’s broader effort to bolster federal cybersecurity. A new mandatory directive for all civilian government agencies, the Cybersecurity Strategy Implementation Plan (CSIP), provides a series of actions to further secure federal information systems.
To shore up cybersecurity and work toward ensuring network resiliency, the CSIP addresses issues through a number of points, including prioritized identification and protection of high-value assets (HVAs), timely detection and rapid response to incidents, rapid recovery from breaches, recruitment and retention of a highly qualified cyber workforce, and effective acquisition and deployment of technologies.
However, the CSIP does not address other issues, such as how agencies should continuously measure, monitor and increase network resilience; how knowledge of network infrastructure increases the odds of a successful CSIP implementation; and how cyber incident training increases digital resilience.

Protecting high value information assets
The CSIP provides a clear definition of the HVAs that should be identified, prioritized and protected, and because of the dynamic nature of cybersecurity risks, recommends the efforts to safeguard that data be an ongoing activity. But it doesn’t pose a key question that agency officials must ask themselves: Do we need this data? In some cases, the answer is no. Agencies should eliminate unneeded data rather than spend resources protecting it. The nonessential data can be consolidated and isolated, with agencies continuously verifying that the data segmentation is implemented as intended.

Know your network terrain
Under the CSIP, it’s not enough to identify HVAs—the document also requires identification and knowledge of the agency’s network terrain. An agency’s HVAs probably will have hundreds of thousands of endpoints and vulnerabilities, which means agencies should create checklists to understand detailed impacts of cyber incidents on the assets, and ensure appropriate cybersecurity protections are in place. Checklist questions could include: Where are the vulnerable hosts? Is the network configured for security? What if defenses fail? And how resilient is my network? Answers will determine how prepared teams are to handle a cyberthreat.
The only way to effectively address these questions and really understand a network is to create a model and war game it, which can identify perimeter weaknesses; verify assets are segmented and protected; show where intruders can gain access; and pinpoint how to cut them off. Simulated model approaches help cybersecurity teams understand their entire, as-built network, including cloud and virtual networks, and achieve digital resilience to fight cybersecurity attacks.

Train and practice
The need to practice, and then practice again, rings true within cybersecurity as with other industries, from the rigorous training for firefighters to specialized professional athletes. Practice sessions must develop proficiency and specific skill sets necessary for success. Proper training and practice will not happen without management support, which means agencies must allocate time and resources and provide training and education to retain a qualified workforce.
Overall, to achieve network resilience and make rapid response capabilities a part of a CSIP-approved cyber plan, agencies must identify the HVAs worth keeping, model networks to put those assets into context, use standardized metrics to track resiliency and set up continuous training schedules.

For more on this subject, listen to our RedSeal webinar, “Is Your Agency Ready for CSIP?”

You Think Your Network Diagram’s Right?

Federal agencies are clamoring for best practices to implement the findings of last year’s cybersecurity “sprint.” The resulting directive, the Cybersecurity Strategy Implementation Plan (CSIP), is mandatory for all federal civilian government agencies. It addresses five issues intended to shore up agency cybersecurity and ensure network resiliency.

So when agencies are done with their implementation, all their networks and assets will be secure, right?

Wrong.

Most of the time the reality of your network and the official network diagram have little to do with each other. You may think it’s accurate…but it’s not.

Recently, I sat down with Jeremy Conway, Chief Technology Officer at RedSeal partner MAD Security, to talk about this. He works with hundreds of clients and sees this issue constantly. Here’s his perspective.

Wayne: Can you give me an example of a client that, because of bad configuration management, had ineffective security and compliance plans?

Jeremy: Sure I can. A few months back, MAD Security was asked to perform an assessment for an agency with terrible configuration management. With multiple data centers, multiple network topologies, both static and dynamic addressing, and multiple network team members who were supposed to report up the hierarchy, we quickly realized that the main problem was that they didn’t know their own topology.  During our penetration test, we began compromising devices and reporting the findings in real time. The compromises were just way too simple and easy.  The client disputed several of the results.  After some investigation, we figured out that the client had reused private IP space identical to their production network for a staging lab network, something no one but a few engineers knew about.  Since we were plugged into the only router that had routes for this staging network, we were compromising all sorts of unhardened and misconfigured devices.  Interestingly enough, this staging network had access to the production network, since the ACLs were applied in the opposite direction — a whole other finding.  To them and their configuration management solution, everything looked secure and compliant. But in reality, they had some major vulnerabilities in a network only a few folks knew about, vulnerabilities that could have been exploited to compromise the production network.

The client was making a common mistake — looking at their network situation only from an outside-in perspective, instead of also looking at it from the inside out. They didn’t have enough awareness of what was actually on their network and how it was accessed.

Wayne: That’s a powerful example. How about a situation where an agency’s use of software-defined or virtual infrastructure undermined their access control?

Jeremy:  One hundred percent software defined networks are still rare in our world. However, we had a situation where virtual environments were spun up by the apps team, not the network team, which caused all sorts of issues. Since the two teams weren’t communicating well, the network team referenced network diagrams and assumed compliance.  In reality, the apps team had set up the virtual environment with virtual switches that allowed unauthorized access to PCI data. Running a network mapping exercise with RedSeal would have identified the issue.

Wayne: I imagine that inaccurate network diagrams cause major issues when incident response teams realize that there hasn’t been any auto discovery and mapping of the network.

Jeremy: Yes, this is a must-have feature, in my opinion. When responding to an incident, you have to perform the network-to-host translations manually. Tracking down a single host behind multiple network segments with nothing but a public IP address can take a long time. In a recent incident with multiple site locations this took the client’s network team two working days — which really doesn’t help when you’re in an emergency incident response situation.

RedSeal makes it easy to find which host has been compromised and which path an intruder has taken almost instantaneously.

Moreover, conducting a security architecture review is much quicker and more comprehensive with RedSeal. This used to be a manual process for our team that typically took 2-4 weeks for the average client. RedSeal has cut that time in half for us.  Additionally, with RedSeal the business case for action is stronger and the result is a better overall remediation strategy. How? For one, given an accurate map of the network, HVAs can be prioritized and a triage process can be deployed that allows security teams to focus scarce time and resources on priority recommendations. This visibility into the severity of security issues also allows teams to develop mitigation strategies for patch issues.

Wayne: Jeremy, this has been a great discussion. I hope you’ll come back and do this again.

Continuous Monitoring + Policy Management Leads to Network Resilience and Successful Command Cyber Readiness Inspections

Over the past few years, DISA has been moving network infrastructure into Joint Regional Security Stacks.

DISA’s website says, “A joint regional security stack is a suite of equipment that performs firewall functions, intrusion detection and prevention, enterprise management, virtual routing and forwarding (VRF), and provides a host of network security capabilities…security of the network is centralized into regional architectures instead of locally distributed …JRSS allows information traversing DoD networks to be continuously monitored to ensure response time as well as throughput and performance standards. JRSS includes failover, diversity, and elimination of critical failure points as a means to assure timely delivery of critical information.”

RedSeal is the official continuous monitoring solution for the JRSS. We are actively working with our clients to deploy this feature to help them achieve network resilience.

However, many clients don’t realize that combining continuous monitoring with policy management solves another real problem: preparing for and passing Command Cyber Readiness Inspections (CCRIs). Teams have to nearly shut down operations for weeks at a time to prepare for these important events. Failure can affect careers.

CCRIs take place on annual cycles, and between inspections, networks drift wildly out of compliance. To keep networks operationally compliant, RedSeal monitors configurations daily and sends alerts when actions have been taken that violate policy. Plus, RedSeal is the only platform that allows its customers to verify STIG compliance on all of their Layer 2 and 3 devices as part of their continuous monitoring practice. This, in turn, means less prep time is needed for CCRIs.

At a recent CENTCOM briefing by RedSeal, a DISA representative noted that “it would make more sense if you import PPSMs [ports, protocols and services management] into RedSeal.” This would reduce the time to identify new, daily activity that creates non-compliant configurations. A number of RedSeal customers have successfully deployed the combination of PPSM policies with RedSeal’s continuous monitoring capability. RedSeal automatically conducts scheduled analysis of the network to check compliance with PPSMs and alerts on any failures, no matter how small.

Customers have found that automated continuous monitoring plus policy management equals network resilience. CCRIs can now become a byproduct of daily network and security operations. Successful real-time policy management means more successful, less taxing CCRIs and higher overall network resilience.
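What “check compliance with PPSMs and alert on failures” reduces to, in the simplest form, is comparing each permit entry in a boundary ACL against an approved list of protocol/port pairs and reporting only what changed since the last run. The block below is an added example, not RedSeal code and not an official PPSM export: the allow list, the Cisco-style ACL lines and the “yesterday/today” change are all constructed, and a real PPSM registry carries far more detail (direction, boundary, approval status) than a set of port pairs.

```python
"""Check firewall ACL entries against a PPSM-style allow list and report what
changed since the previous run.

Added example, not RedSeal code or an official PPSM export. The allow list and
the ACL lines are constructed; a real PPSM registry carries far more detail.
"""

# Constructed allow list of (protocol, port) approved to cross the boundary.
PPSM_ALLOWED = {("tcp", 22), ("tcp", 443), ("udp", 53), ("tcp", 53)}


def parse_ace(line):
    """Parse a Cisco-style extended ACE such as
    'permit tcp any host 10.20.0.10 eq 443'. Returns None for lines that are
    not permit/deny entries (remarks, blank lines)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_addr(ts):
        if not ts:
            raise ValueError(f"truncated entry: {line!r}")
        if ts[0] == "any":
            return "any", ts[1:]
        if len(ts) < 2:
            raise ValueError(f"truncated entry: {line!r}")
        # 'host X' or 'network wildcard'
        return (ts[1] if ts[0] == "host" else f"{ts[0]} {ts[1]}"), ts[2:]

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def ppsm_violations(acl_lines):
    """Permit entries that open something the allow list does not cover.
    A permit with no port (or protocol 'ip') opens every port, so it always fails."""
    findings = []
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is None or ace["action"] != "permit":
            continue
        if ace["proto"] not in ("tcp", "udp") or ace["port"] is None:
            findings.append((line.strip(), "permits all ports"))
        elif (ace["proto"], ace["port"]) not in PPSM_ALLOWED:
            findings.append((line.strip(), f"{ace['proto']}/{ace['port']} not approved"))
    return findings


def new_violations(previous, current):
    """Daily diff: findings present now that were absent in the previous run,
    which is what an alert should carry rather than the full list every day."""
    seen = {entry for entry, _ in previous}
    return [f for f in current if f[0] not in seen]


# Constructed ACLs: yesterday's boundary ACL and today's after an unreviewed change.
ACL_YESTERDAY = """
remark boundary ACL
permit tcp any host 10.20.0.10 eq 443
permit udp any host 10.20.0.53 eq 53
deny ip any any
""".strip().splitlines()

ACL_TODAY = ACL_YESTERDAY[:-1] + [
    "permit tcp any host 10.20.0.10 eq 3389",       # RDP opened to the world
    "permit ip 10.10.0.0 0.0.0.255 any",            # all ports from a user subnet
    "deny ip any any",
]

if __name__ == "__main__":
    before = ppsm_violations(ACL_YESTERDAY)
    after = ppsm_violations(ACL_TODAY)
    for entry, reason in new_violations(before, after):
        print(f"NEW: {entry}  ({reason})")
```

Treating a port-less permit as a failure is deliberate: “permit ip” from a user subnet is exactly the kind of small, routine change that an annual inspection finds months later, and it should page someone the day it appears.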

President Obama’s $19 Billion Cyber-Defense Budget and Plan is a Bold and Necessary Step

“The federal government is finally taking bold steps to fulfill what the Constitution says in its preamble – ‘to provide for the common defense,’ in this case, the common cyber defense.

The actions and budget announced today are an important recognition and investment in the defense of the critical information infrastructure of the United States, and provide an example for governments, businesses, and NGOs worldwide.

The plan recognizes that it is critical to implement platforms with analytics and capabilities to understand complex networks and assist in prioritizing what needs to be done first to improve resilience.

As the president writes in a Wall Street Journal op-ed, ‘we are still in the early days of this challenge.’ Networks will only grow more complex, creating opportunities for hackers and challenges for defenders.

The federal government’s new Chief Information Security Officer should be asking talented agency teams, ‘how are we measuring our cyber results and defenses? How are we thinking about resilience? And how are we determining the first step to take to make our digital infrastructure more resilient?’

Networks were not designed with cyberattacks in mind, so they are not resilient to them.  But it’s not too late. Building digital resilience into networks before attacks is the only way to get ahead of the ongoing, automated, and ever more sophisticated attacks.

The proposal by the President can be an excellent step in leading the world to a more cyber resilient future.”

Closing (and bolting) the back door in ScreenOS

by Dr. Mike Lloyd, CTO RedSeal

The recently disclosed back door in Juniper’s ScreenOS software for NetScreen firewalls is an excellent reminder that in security, the first and foremost need is to do the basics well.  The details of the vulnerability are complex and interesting (who implanted this, how, and what exactly is involved?), but that is not what matters for defenders.  What matters is knowing whether or not you have basic network segmentation in place.  This may sound counterintuitive – how can something as routine as segmentation solve a sophisticated problem like this?  But this is a textbook example of the benefits of defense in layers – if you think too much about only one method of protection, then complex things at that layer have to be dealt with in complex ways, but if you have layers of defense, you can often solve very complex problems at one layer with very simple controls at another.

The vulnerability in this instance involves a burned-in “skeleton key” password – a password capable of giving anyone who can use it potentially catastrophic levels of control of the firewall.  To compromise your defenses when you have this particular version of software installed, an attacker needs only two things – 1) the magic password string itself, which is widely available, and 2) ability to talk to your firewall.  For point 1, the cat (saber-toothed in this instance) is long since out of the bag, but point 2 remains.  If someone can talk to your firewall and present a credential, they can present the magic one, and in they go, with full privilege to do whatever they want (for example, disabling all the protections you bought the firewall for in the first place).  No amount of configuration hardening can prevent this, since the issue is burned in to the OS itself.  But what if the attacker cannot talk to the firewall at all?  Then the magic password does no good – they cannot present a credential if they cannot talk to the firewall in the first place.

So note that someone who relies on strong password policies has a real problem here.  If you think “it’s OK to allow basic access to my firewalls, nobody can get in unless I give them a credential”, well, that’s clearly not true.  Unfortunately, many network defenses are set up in this way.  If you think about this problem at the password or credential layer, the situation is a disaster.  But if you think about multiple layers, something more obvious and more basic emerges – why do you need to allow anyone, coming from anywhere, to talk to your firewalls at all?  You should only ever need to administer your infrastructure from a well-defined command and control location (using “C&C” in the positive sense used by the military), and you can lock down access so that only people in this special zone can say anything AT ALL to your firewalls and the rest of your infrastructure – you directly reduce the attack surface, mitigating the huge risk of this kind of vulnerability.  Thinking in layers moves the question from “how do I prevent someone using the magic password?” (Answer: if you have the vulnerable software, you can’t), over to the easier and better question, “How do I limit access to the management plane of the firewall, to only the zone I run management from?”  Two practical notes: enforce that limit at more than one point (the firewall’s own management-access restriction and an ACL on the adjacent routers), so the control does not depend solely on the device whose OS you no longer trust; and the segmentation buys time, it does not replace installing the vendor’s fixed release.
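The question the post ends on, “who can talk to the management plane at all?”, is answerable from the policy set without knowing anything about the back door itself. The block below is an added example, not RedSeal or Juniper code: it evaluates a simplified first-match policy list (implicit deny at the end) and reports, for one probe address per zone, whether that zone can open a management port on the firewall, under a weak policy set and a hardened one. The management address, ports, zones and policies are constructed assumptions.

```python
"""Which sources can reach a firewall's management plane under a given policy set.

Added example, not RedSeal or Juniper code. Addresses, zones and policies are
constructed; policy evaluation is simplified to first match with implicit deny.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str              # source CIDR; "0.0.0.0/0" means any
    dst: str              # destination CIDR
    ports: frozenset      # TCP ports; empty set means any port
    action: str           # "permit" or "deny"


def allowed(policies, src_ip, dst_ip, port):
    """First matching policy decides; nothing matching means deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst)
                and (not p.ports or port in p.ports)):
            return p.action == "permit"
    return False


def management_exposure(policies, mgmt_ip, mgmt_ports, probes):
    """For each named probe source, can it open any management port on mgmt_ip?
    Anything that can is a place the burned-in credential could be presented from."""
    return {name: any(allowed(policies, ip, mgmt_ip, port) for port in mgmt_ports)
            for name, ip in probes.items()}


FW_MGMT_IP = "10.255.0.1"                       # firewall management address (constructed)
MGMT_PORTS = frozenset({22, 443})               # SSH and HTTPS admin (assumed)
PROBES = {                                      # one address per zone, constructed
    "internet": "203.0.113.9",
    "user_lan": "10.10.0.5",
    "mgmt_zone": "10.99.0.7",
}

# Typical weak posture: admin access relies on passwords alone.
WEAK = [
    Policy("0.0.0.0/0", "10.255.0.1/32", frozenset({22, 443}), "permit"),
]

# Hardened: only the management zone may talk to the management plane at all.
HARDENED = [
    Policy("10.99.0.0/24", "10.255.0.1/32", frozenset({22, 443}), "permit"),
    Policy("0.0.0.0/0", "10.255.0.1/32", frozenset(), "deny"),
]

if __name__ == "__main__":
    for label, policies in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, management_exposure(policies, FW_MGMT_IP, MGMT_PORTS, PROBES))
```

Run the same check against the policies on the routers next to the firewall, not only on the firewall itself: the weak result above is the one an attacker with the magic password needs, and the hardened result only holds if every device on the path enforces it.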

2015 Alamo AFCEA Chapter Event (ACE) Speakers Focus on Solving Root Causes of Cybersecurity

For the third time in a row, I flew down to Texas at the end of the year.

The reason? To attend the important Alamo ACE event presented by the local San Antonio AFCEA chapter. With multiple sessions over three days covering primarily cybersecurity and ISR, the event draws 1,500 military and industry leaders.

My takeaway? RedSeal’s cybersecurity analytics platform and approach to proactive digital resilience was validated by a series of senior leaders on the front lines of protecting our nation’s most high value assets. Each of them is shifting focus to solving the root causes of cyber insecurity, rather than deploying a patchwork of tools. They realize that:

  • End users can’t manage their own security
  • A global black market has resulted in low prices for hacking toolsets
  • Commercial IT has a multitude of defects that create cyber risk

These military leaders equate mission assurance with security. This means:

  • The network must be survivable against all attacks and available 24×7
  • Users can have different authorizations for data access.
  • The DoD’s cyber supply chain interdependencies must be equally protected or the entire mission is at risk.

The first session I attended featured Steve Brown, the Vice President of Operations and Cyber Intelligence Center in the Global Cyber Security organization at Hewlett Packard. A former Navy and Wells Fargo senior security leader, Steve saw three big similarities across military and commercial organizations:

  1. The same critical data targets across DoD and commercial
  2. The same end user issues
  3. The same need to balance reward with risk

What keeps Steve up at night? Globally, 30 billion cyber events per day, and 1.4 million on his networks! Steve works to make cyber investments about risk and reward. For example, to shorten the time lag between attack and response, he split up his Red Team and created a Cyber Hunting team, and he gathers and shares intel wherever he can to see risk earlier and proactively take action.

On the same panel was Lt. Gen. (retired) Michael J. Basla, now Senior Vice President of Advanced Solutions for L-3 National Security Solutions (L-3 NSS) and former CIO of the US Air Force. According to him, the key challenges for US cybersecurity are:

  • No matter how well secured we are, they will get to us. Plan for it.
  • Focus on access rather than security
  • We must find successful hacks faster
  • We need to not only have a map of our digital infrastructure, but also know the terrain — including sections in the Cloud.

Later on, I sat in on a session featuring Maj. Gen. Burke E. “Ed” Wilson. He is the Commander, 24th Air Force and Commander, Air Forces Cyber, Joint Base San Antonio-Lackland, Texas.

Gen. Wilson gave a quick overview of the US Air Force’s cyber terrain, including an emphasis on securing their network, base infrastructure and weapons systems. This is a change from the past when the USAF was focused primarily on network defense. Now they also focus on base infrastructure and weapons systems. They struggle with how to provide mission assurance in the face of cyber risk.

On the flight home, reflecting on this conference, I realized the DoD cybersecurity conversation has changed dramatically. The past focus on audit and inspections has given way to a realization that networks are critical to national security. They deliver the mission. Our military leaders understand the cyber threat to their missions and are now putting their focus behind creating the strongest possible defense.