Zero Trust 2.0: Why RedSeal Is Key to Executing a Zero Trust Strategy

/by

In February 2023, a 21-year-old Massachusetts Air National Guard member accessed and posted hundreds of classified documents on voice over Internet Protocol (VoIP) and instant messaging platform Discord. The impacts were far-reaching. Not only is the Air Force working to understand how top secret information could be leaked so easily, but the base where the leak happened has been stripped of its current intelligence mission.

However, according to Don Yekse, the Navy’s chief technology officer (CTO), implementing a zero trust approach could have improved both detection and response times, reducing the severity of the attack.

To help public and private organizations better manage their zero trust deployments, the Cybersecurity and Infrastructure Security Agency (CISA) released version 2.0 of its Zero Trust Maturity Model (ZTMM). Efforts are also underway to develop and implement what’s known as zero trust network access (ZTNA) version 2.0, which focuses on a more granular approach to ZTNA.

In this piece, we’ll cover the current state of zero trust security, why it matters to organizations, and how RedSeal can help companies navigate the shift to ZTNA 2.0.

Zero Trust Security: Why It Matters, How It Helps, and Where It’s Used

The core principle of zero trust security is simple: Never trust, always verify. No matter the user, no matter the device, and no matter the request, zero trust asks for verification.

Consider a team manager logging in to the same admin portal at the same time every day, using the same device as they have for the past few years. Under a zero trust model, history doesn’t guarantee access. Instead, verification is required, which might take the form of two-factor authentication such as a one-time text code or identity verification via email confirmation.

Why Zero Trust Matters

Zero trust makes it more difficult for unauthorized users to gain network access. Implemented effectively, zero trust can improve cybersecurity without increasing complexity for authorized users. For example, the integration of mobile authentication tools can boost security while minimizing friction.

Statistics showcase the growing impact of zero trust. Consider that 80% of organizations now have plans to implement zero trust, and 96% of security decision-makers say that zero trust is “critical” to business success. Given that attacks such as ransomware have been on a steady rise — the volume of attacks increased 17% from 2021 to 2022 — zero trust is more critical than ever to help companies identify potential threats before they compromise key systems.

Benefits of Zero Trust

Zero trust offers multiple benefits for businesses.

First is reduced security risk. By replacing trust with verification, companies can reduce the risk of potential breaches. Even if attackers manage to steal user credentials, additional verification can frustrate their efforts.

ZTNA also provides greater control over security policies. For example, companies may leverage automated controls that lock out users after a certain number of failed attempts or that shunt traffic to a designated location for further evaluation. Perhaps one of the biggest benefits of zero trust, however, is visibility. Because zero trust requires continuous monitoring of devices and networks, implementing ZTNA naturally boosts overall visibility.

Common Zero Trust Use Cases

One common zero trust use case is reducing third-party risk. Given the increasing number of third-party applications used by companies and third-party providers that may have access to company networks, implementing zero trust can limit the risk of compromise from an unexpected source.

Other use cases include the security of Internet of Things (IoT) and legacy devices on business networks. In the case of IoT, ZTNA can help provide consistent security practices across both local and cloud networks. For legacy devices such as industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems, zero trust can help limit the chance of unauthorized insider access.

Zero Trust 2.0

Zero trust isn’t static. As a result, efforts are underway to supplement existing ZTNA solutions with “Zero Trust 2.0.” There are three primary differences between ZTNA 1.0 and 2.0.

1. Granular Controls

ZTNA 2.0 replaces the coarse controls of version 1.0 with more granular options. For example, under the 1.0 model, access is all or nothing. Users could either access all app services or none. In ZTNA 2.0, access can be restricted on a per-function basis.

2. Continuous Inspection

Many ZTNA 1.0 deployments use what’s known as the “allow and ignore” model. This means once users are verified and access is granted, this access remains in place indefinitely, ignoring any changes. ZTNA 2.0 reconfirms identity each time.

3. Comprehensive Protection

ZTNA 2.0 continuously verifies trust and inspects security to detect potential problems. This creates a dynamic security environment capable of responding as issues emerge. 

The Zero Trust Maturity Model

CISA has now released ZTMM version 2.0. The five pillars remain unchanged. Management of identity, devices, networks, applications, workloads, and data is required for effective ZTNA deployments. Where the model expands is maturity.

Under ZTMM 2.0, companies at the “Traditional” level still have manually configured lifecycles and static security policies. “Initial” maturity includes limited automation and increased visibility, while “Advanced” delivers on centralized visibility and identity control. Finally, companies at the  “Optimal” level of maturity use fully automated processes that self-report and are underpinned by dynamic policies.

How RedSeal Can Help Advance Your Zero Trust Strategy

Identity and information are key components of zero trust. Companies often think in terms of who is trying to access IT environments and what they’re trying to access.

But these aren’t the only considerations in creating an effective zero trust environment. Organizations also need to consider how and where. Where are critical assets located on local systems? In cloud networks? And how can these assets be accessed? It’s critical to create an inventory of IT environments including devices, ports, and protocols. In addition, companies need to understand external connectivity — what potential access routes exist and what risks do they pose?

At a small scale, the process of identifying who, what, where, and how is straightforward. Once companies move into the cloud, however, challenges emerge. With most organizations now using at least two and likely more cloud providers in addition to on-site storage and compute, complexity rapidly ramps up. Consider that service providers often have their own terminology for similar processes. For example, while both Google and AWS offer virtual private clouds (VPCs), they’re not the same. Each has its own set of features, functions, and vernacular.

In other words, different services speak different languages, making zero trust 2.0 implementation challenging. RedSeal makes it possible to create an IT lingua franca — a consistent translation that allows companies to automate and orchestrate key tasks across multiple environments.

RedSeal solutions also help with inventory and segmentation. By mapping and discovering all connections and endpoints across both cloud and on-site networks, companies can create complete inventories of all solutions and services, then create segmentation policies that reduce total risk in the event of an attack.

Taking on ZTNA 2.0

Effectively implementing zero trust 2.0 requires complete network knowledge. While who and what are the starting points, they’re not enough without where and how. RedSeal helps companies consolidate the pieces by creating a comprehensive inventory and asset map backed by a common defensive language.

Ready to take on ZTNA 2.0 and master the maturity model? See how RedSeal can help.

Exploring the Implications of the New National Cyber Strategy: Insights from Security Experts

/by

In March 2023, the Biden Administration announced the National Cybersecurity Strategy, which takes a more collaborative and proactive approach.

RedSeal teamed up with cyber security experts, Richard Clarke, founder and CEO of Good Harbor Security Risk Management, and Admiral Mark Montgomery (ret.), senior director of the Center of Cyber and Technology Innovation, to discuss the latest strategy. Both have developed previous national cybersecurity strategies so we couldn’t be more privileged to hear their take on the newest national strategy’s impact on cybersecurity regulations. This blog covers the importance of harmonizing the rules, trends in resilience planning, the role of cyber insurance, the transfer of liability, and the need to keep pace with AI and quantum computing. Keep reading to learn more, or click here to listen in.

Expanding Cybersecurity Regulations

Although this is the first time the administration gives a clear and intentional nod to cybersecurity regulations, the federal government has regulated every other major sector for over 20 years. This step makes sense. Clarke points out, sectors with heavy cyber regulations have fared better in the past two decades than those without. Montgomery predicts that most changes will happen in areas where regulations are lagging, such as water, oil pipelines, and railroads.

But many agencies don’t have the resources for effective enforcement. The government must thus use a combination ofregulations, incentives, and collaboration to achieve meaningful outcomes.

The Importance of Harmonizing the Rules

The new strategy aims to “expand the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonize regulations to reduce the burden of compliance.” But the expansion of cybersecurity regulations must come hand in hand with better coordination.

Clarke observes, today’s regulations aren’t well-coordinated. Agencies must share lessons learned and align their approaches. Private sectors will benefit from the standardization of various regulations to streamline compliance, reducing cybersecurity complexity and lowering costs.

However, coordination and standardization doesn’t mean a one-size-fits-all solution. Agencies must tailor their regulations to each specific sector. The good news is that we can apply the same network security technologies to any industry and encourage knowledge-sharing across verticals. For instance, we can take the high standards from the defense industry and apply them to healthcare and transportation without reinventing the wheel.

A Focus on Resilience Planning

The cybersecurity definition of resilience has evolved as the world has become more digital. We will get hacked. It is a certainty. Instead of only looking to protect systems from attacks, regulatory mandates must also focus on prompt recovery. The government should also hire industry experts to assess digital resilience plans and stress-test them for reliance.

Cyber resilience must be applied to national security as well as private business. Transportation infrastructure must be able to operate without extended interruption. The economy (e.g., the power grid and financial systems) is our greatest weapon, and must keep functioning during conflicts and crises. Lastly, we must have the tools to quickly and effectively battle disinformation, a new frontier in the fight against nation-state threats.

The Impact of the Internet of Things (IoT)

Regulations must also cover IoT devices, but focus on the networks instead of the thousands of individual endpoints. Clark suggests that organizations should install sensors on their networks and conduct regular vulnerability scans. Montgomery adds to this, emphasizing the need for certification and labeling regimens as part of a long-term plan to make vendors responsible for their products’ performance and security.

Shifting Liability to Vendors

Speaking of making vendors responsible for their products’ performance and security, the new strategy intends to transfer liability to software vendors to promote secure development practices, shift the consequences of poor cybersecurity away from the most vulnerable, and make our digital ecosystem more trustworthy overall.

Clarke agrees that this approach is necessary, but holds that the current regulatory framework can’t support the legal implementation. IT lobbyists, some of the most well-funded and influential players on Capitol Hill, will make enforcement of such a shift an uphill battle. Clarke believes that, unfortunately, this hard but necessary shift may not happen until a tragedy shakes the nation and leaves it the only way forward.

Keeping Pace with AI and Quantum Computing

We, as a nation, have many issues to consider around AI, including beyond security. Clarke points out that we must establish rules about transparency: what’s the decision-making process? How did AI get to a conclusion? Is it searching an erroneous database? Is the outcome biased? Large language models (LLMs) are constantly learning, and adversaries can poison them to impact our decision-making.

While AI is the big problem of the moment, we can’t afford to continue ignoring quantum encryption challenges, cautions Montgomery. We have already fallen behind and must spend a substantial sum today to prepare for what’s in store in 10 years. We must start building quantum security into our systems instead of attempting to jury-rig something on later, adds Clarke.

The Rise of Cyber Insurance and Real-time Monitoring

Montgomery predicts that, if run properly, the cyber insurance market can bring these pieces together. Insurance companies may, for instance, encourage proactive measures by reducing premiums for organizations that invest in cybersecurity upfront and establish a track record of reliability and resiliency.

But organizations must prove they’re continuously protected instead of merely showing “point in time” compliance to take advantage of lower premiums. Real-time monitoring will play a critical role in lowering premiums and maintaining cybersecurity.

A Step in the Right Direction

The new National Cyber Strategy introduces timely and much-needed shifts. We must harmonize regulations to maximize the benefits without overburdening the private and public sectors.

In anticipation of the impending changes, organizations must approach their cybersecurity strategies proactively and implement the right tools and services to stay compliant. These include a comprehensive network security solution for complete visibility and ongoing monitoring, cloud security tools to protect all IT assets, and professional services to ensure airtight implementation and continuous compliance.

RedSeal has extensive expertise and experience in delivering government cybersecurity and compliance solutions. Get in touch to see how we can help you stay ahead in today’s fast-evolving digital environment.

Advisory Notice: MOVEit Transfer Critical Vulnerability

/by

CVE: CVE-2023-35708

Description:

Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment. In Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.

Recommended Mitigation Steps:
  1. Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. More specifically:
      • Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.
      • It is important to note that until HTTP and HTTPS traffic is enabled again:
        • Users will not be able to log on to the MOVEit Transfer web UI.
        • MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
        • REST, Java and .NET APIs will not work.
        • MOVEit Transfer add-in for Outlook will not work.
      • SFTP and FTP/s protocols will continue to work as normal.
  2. As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/. 
 
For more information on localhost connections, please refer to MOVEit Transfer Help: https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2023/page/Security-Policies-Remote-Access_2.html
  3. Apply the Patch
    As patches for supported MOVEit Transfer versions become available, links will be provided below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note, the license file can remain the same when staying on a major release to apply the patch.
  4. Enable all HTTP and HTTPs traffic to your MOVEit Transfer environment
  5. Please bookmark the Progress Security Page and refer to it to ensure you have all of the latest updates.
How Can RedSeal Help?
  • By bringing Host Data into your RedSeal instance, we can identify hosts with the targeted CVE in both the “Endpoint Data” tab, as well as the “Vulnerabilities” tab.
  • First be sure to update your CVE definitions on your endpoint scanning system and run a data collection in RedSeal.
  • If the vulnerability does not show up at first, try changing the radio button to “Show All Vulnerabilities”
  • Next, search specifically for the CVE in question:
  • In the bottom details pane, you will get a list of hosts that are affected by the MOVEit vulnerability. Right click on a device and select “Show in Maps and Views”:
  • Now that you have identified which subnets these hosts live on, you can run detailed path queries from “Untrusted” to the subnet and IP in question, on TCP ports 80 and 443, to find out which firewalls are in the path and should have blocks placed on them.
Alternative Steps

An alternative method to obtain a comprehensive list of network segments is to use the Zones and Policies feature in RedSeal. Following steps 1-4 above:

  • Set up a new view in Zones and Policies and have Group A be “Untrusted”, and Group B be “Affected Hosts”.
  • Add all your Untrusted Subnets to the “Untrusted” group, and all the hosts to your “Affected Hosts” group.
  • Set up access rules between the two, such as “Approval Required”, or “Access Forbidden”, and run analysis.

Once complete, you will have a comprehensive listing of every source that can get to the specific destinations, and even run detailed path queries directly from that menu to find your firewall rules.

The Shifting Landscape of Cybersecurity: Top Considerations for CISOs

/by

1. AI Is Changing the Game

The increasing use of generative AI tools such as ChatGPT comes with both defensive and offensive impacts. On the defensive side, companies can leverage these solutions to analyze security data in real time and provide recommendations for incident response and security vendors developers can write code faster. As for the offensive impact, attackers may be able to optimize malware coding using these same AI tools or leverage code released unknowingly by a security vendor’s developer. If malicious actors can hide compromising code in plain sight, AI solutions may not recognize the potential risk. And if hackers ask generative AI to circumvent network defenses leveraging code released unknowingly, the impact could be significant.

As a result, according to The Wall Street Journal & Forbes, JPMorgan Chase, Amazon, Bank of America, Citigroup, Deutsche Bank, Goldman Sachs and Wells Fargo are limiting employees’ ChatGPT use and we expect to see other companies follow.

2. Market Forces Are Shaping Security and Resilience

The looming economic recession is shaping corporate practices around security and resilience. While many IT teams will see their budgets unchanged or even increased in 2023 compared to 2022, security professionals should also expect greater oversight from C-suite executives, including chief information officers (CIOs), chief information security officers (CISOs), and chief financial officers (CFOs).

Both CIOs and CISOs will expect teams to justify their spending rather than simply giving them a blank slate for purchasing, even if the budget is approved. CFOs, meanwhile, want to ensure that every dollar is accounted for and that security solutions are helping drive business return on investment.

Consider network and cloud mapping solutions that help companies understand what’s on their network, where, and how it’s all connected. From an information security perspective, these tools have value because they limit the frequency and severity of IT incidents. But from a CFO perspective, the value of these tools ties to their ability to save money by avoiding the costs that come with detection, remediation, and the potential reputation fallout that occurs if customer data is compromised and acts as a force multiplier across multiple teams.

3. Multiple Vendor Architecture Is Everywhere

Firewall options from cloud vendors do not meet the enterprise’s security requirement. Enterprises are deploying traditional firewalls (ex. Palo Alto Network, Cisco or Fortinet) in their clouds. They are using cloud workload protection tools from vendors such as Crowdstrike or SentinelOne.

On-premises or cloud deployments cannot be treated in a silo. An adversary could get in from anywhere and go anywhere. The infrastructure has to be treated as one with proper segmentation. Pure-play cloud companies are also switching to on-premises collocated data centers to save on their rising cloud costs.

4. Public Oversight Impacts Private Operations

The recently announced National Cybersecurity Strategy takes aim at current responsibilities and long-term investments. According to the Strategy, there must be a rebalancing of responsibilities to defend cyberspace that shifts away from individuals and small businesses and “onto the organizations that are the most capable and best-positioned to reduce risks for all of us.” The strategy also recommends that businesses balance short- and long-term security investments to provide sustained defense over time.

To help companies achieve these goals, the Cybersecurity and Infrastructure Security Agency (CISA) recently released version 1.0.1 of its cross-sector cybersecurity performance goals (CPGs). Many of these goals fall under the broader concept of “security hygiene,” basic tasks that all companies should complete regularly but that often slip through the cracks.

For example, CPG 2.F recommends that companies use network segmentation to limit the impact of Indicator of Compromise (IOC) events. CPG 1.A, meanwhile, suggests that companies inventory all IT and OT assets in use, tag them with unique identifiers, and update this list monthly.

While no formal announcements have been made, it’s possible that under the new strategy, CISA will shift from providing guidance to enforcing regulatory expectations. For example, FDA may mandate pharmaceutical companies to submit their compliance to CISA CPGs.

5. IT and OT Meet in the Middle

RSA 2023 also touched on the continued merger of IT and OT environments. For many companies, this is a challenging shift. While IT solutions have been navigating the public/private divide for years, many OT frameworks are still not designed to handle this level of connectivity.

The result? A rapidly increasing attack surface that offers new pathways of compromise. Consider an industrial control system (ICS) or supervisory control and data acquisition (SCADA) system that was historically air-gapped but now connects to internal IT tools, which in turn connect to public cloud frameworks. If attackers are able to compromise the perimeter and move laterally across IT environments into OT networks, they will be able to encrypt or exfiltrate customers’ personal and financial data. Given the use of trusted credentials to access these systems, it could be weeks or months before companies notice the issue.

To mitigate the risks, businesses are looking for ways to segment IT and OT plus continuously validate segmentation policies are met. This starts with the discovery and classification of OT devices along with the development of standards-based security policies for both IT and OT functions. These two networks serve different aims and need to avoid the risk of any lateral movement between the networks.

Old, New, and Everything in Between

OT threats are on the horizon, companies need to prioritize basic security hygiene, and economic downturns are impacting IT budgets. These familiar frustrations, however, are met by the evolution of AI tools and the development of new national strategies to combat emerging cyber threats. As we look towards the second half of the year, the lessons learned can help companies better protect what they have and prepare for the next generation of cybersecurity threats. Take on the new cybersecurity landscape with RedSeal. Reach out to see how we can help you. 
[/av_textblock]

Accidental Cloud Exposure – A Real Challenge

/by

The recent disclosure that Toyota left customer data accidentally exposed for a decade is pretty startling, but can serve as a wake up call about how cloud problems can hide in plain sight.

It’s not news that humans make mistakes – security has always been bedeviled by users and the often foolish choices that they make. Administrators are human too, of course, and so mistakes creep in to our networks and applications. This too is a perennial problem. What’s different in the cloud is the way such problems are hard to see, and easy to live with until something bad happens. Cloud isn’t just “someone else’s computer”, as the old joke goes – it’s also all virtual infrastructure. If you’ve never seen how cloud infrastructure is really built and managed, you may not realize how inscrutable it all is – think of it like a computer in an old movie from the 1970’s, all blinking lights and switches on the outside, but no way to see what is really happening inside. These days, we are used to visual computers and colorful phones, where we can see what we are doing. Cloud infrastructure is not like that – or at least, is not if you just use the standard management interfaces that are frustrating, opaque, and vendor specific. Are there ways you can escape the lock-in to your specific cloud vendor? Sure – inventions like Kubernetes free you up, but the price is even worse visibility as you drive everything through shell scripts, CLI commands, and terminals. The 1970’s computer has moved up to the 1980’s green screen, but it’s a far cry from anything visual.

I don’t mean to just pick nits with the old-world interfaces of cloud – this isn’t a debate about style, it’s a problem with real world consequences, especially for security. You can’t see through a storm cloud in the sky, and similarly, you really can’t see what’s going on inside most cloud applications today, let alone ensure that everything is configured correctly. Sure, there are compliance checkers that can see how individual settings are configured, but trusting these is like saying a piece of music is enjoyable because every note was tuned exactly – that rather misses the big picture of what makes music good, or what makes a cloud application secure.

This is why you need to be able to separate security checking from the CI/CD pipelines used to set up and run cloud infrastructure. The much-hyped idea of DevSecOps has proven to be a myth – embedding security into DevOps teams is no more successful than embedding journalists with platoons of soldiers. The two tribes don’t see the world the same way, don’t have the same objectives, and largely just frustrate each other’s goals.

Central security has to be able to build the big picture, and needs to check the ultimate result of what the organization has set up. Ideas like “shift left” are good, but do not cover the whole picture, as the Toyota exposure makes clear. Every detail of the apps was working, and was quite likely passing all kinds of rigorous low level checks. But just like checking whether each note is tuned correctly, while not listening to the piece as a whole, Toyota lost track of the big picture, with all the embarrassment that goes with admitting a ten year pattern of unintended exposure.

Solving this is the motivating mission at RedSeal. We know what it takes to build a big picture view, and then assess exposure at a higher level, rather than getting stuck in implementation details. It’s the only way to make sure the song plays well, or the application is built out sensibly. This is why we build everything starting from a map – you can’t secure what you can’t see. This map is complete, end-to-end, covering what you have in the cloud and what you keep on your premises. We can then visually overlay exposure, so you get an immediate, clear picture of whether you have left open access to things that surprise you. We can give you detailed, hop-by-hop explanation of how that exposure works, so that even people who are not cloud gurus can understand what has been left open. We can then prioritize vulnerabilities based on this exposure, and on lateral movement. And finally, we can boil it all up into a score that senior management can appreciate and track, without getting lost in the details. As Toyota found to their cost, there are an awful lot of details, and it’s all too easy to lose the big picture.

What Is Cloud-Native Application Protection Platform (CNAPP), An Extension of CSPM

/by

Modern businesses are increasingly storing data in the cloud and for a good reason — to increase agility and cut costs.

But as more data and applications migrate to the cloud, the risk of data and systems being exposed increases. Conventional methods for addressing security aren’t equipped to manage containers and server-less environments. Therefore, gaps, silos, and overall security complexity increase.

This is where Cloud-Native Application Protection Platform (CNAPP), an extension of Cloud Security Posture Management (CSPM), excels. This new cloud platform combines the features of CSPM, Cloud Infrastructure Entitlement Management (CIEM), Cloud Workload Protection Platforms (CWPPs), CI/CD security, and other capabilities into a unified, end-to-end encrypted solution to secure cloud-native applications across the full application lifecycle.

Where CNAPP/CSPM Vendors Fall Short

It’s important to point out that many CNAPP vendors focus on providing security measures, such as CIS compliance checks or a basic “connectivity” view and segmentation to protect an organization’s applications and infrastructure in the cloud. These measures help prevent malicious actors from gaining unauthorized access to an organization’s resources, but they don’t necessarily provide visibility into potential exposures that may exist in an application’s design or configuration, thus providing a false sense of security.

Most vendors can correlate resources to compliance or identity violations, but the network context of these solutions is often limited, leading to a lack of visibility into the hidden attack surface. This results in insights that are often irrelevant and unactionable, causing security teams to chase false positives or negatives and reducing their overall effectiveness. Additionally, the shortcomings of these solutions can cause DevOps teams to lose trust in the security measures in place, hindering their confidence in the infrastructure.

The most critical gap is CNAPP vendors lack the ability to calculate net effective reachability, which determines the network’s overall connectivity, including identification of potential points of failure or bottlenecks. In simple terms, they cannot accurately determine if their critical resources are exposed to the Internet. Without this information, security teams will be unable to identify the main cause of a problem or effectively prioritize potential threats. The result is inefficiencies and delays in the security response process, leaving the company vulnerable to attacks and flag false positives/negatives to the DevOps teams.

To identify exposures, organizations need to conduct assessments that look for end-to-end access from the internet that drive up risks to the organization from malicious activities such as insufficient authentication or authorization, unvalidated input/output, SQL injection, cross-site scripting (XSS), insecure file uploads, and more.

What Is CNAPP?

CSPM is an automated set of security tools designed to identify security issues and compliance risks in cloud infrastructure.

CNAPPs consolidate the capabilities and functionalities offered by CSPM and CWPPs, providing centralized access to workload and configuration security capabilities. They help teams build, deploy, and run secure cloud-based apps in today’s heavily dynamic public cloud environments.

A CNAPP solution comes with a single control panel with extensive security features such as automation, security orchestration, identity entitlement management, and API identification and protection. In most cases, these capabilities are used to secure Kubernetes workloads.

How Does CNAPP Work?

CNAPP uses a set of technologies, such as runtime protection, network segmentation, and behavioral analytics, to secure cloud-native applications and services. CNAPP provides a holistic view of the security of cloud applications by monitoring and implementing security protocols across the entire cloud application profile.

CNAPP works by identifying the different components that exist in a cloud-native application, such as containers and microservices, and then applying security controls to every component. To do this, it uses runtime protection to monitor the behavior of the application and its components in real time. It leverages methods such as instrumentation to identify vulnerabilities in the application.

Also, CNAPP uses network segmentation to separate different parts of the application and reduce communication between them, thus reducing the attack surface. In addition, CNAPP includes features such as incident response and compliance management to help businesses respond quickly to security incidents, as well as ensure that apps and services comply with industry standards and regulations.

Why Is CNAPP Important?

Cloud-native application environments are quite complex. Teams have to deal with app workloads that continuously move between the cloud, both private and public, with the help of various open-source and custom-developed code. These codes keep on changing as release cycles increase, with more features being rolled into production and old code is replaced with new.

To deal with the challenges of ensuring the security of highly dynamic environments, IT teams often have to put together multiple types of cloud security tools. The problem is that these tools offer a siloed, limited view of the app risk, increasing the company’s exposure to threats. DevSecOps teams often find themselves having a hard time manually interpreting information from multiple, disjointed solutions and responding quickly to them.

CNAPPs help address these challenges by combining the capabilities of different security tools into one platform to provide end-to-end cloud-native protection, allowing security teams to take a holistic approach to mitigate risk and maintain security and compliance posture.

CNAPP with RedSeal

The challenge most enterprises face is that they cannot get clear visibility of their entire network. Most networks are hybrid, with both public and private cloud environments, along with a physical network framework. This provides siloed visibility, which raises security risks.

When CSPM, CWPPs, CIEM, and CI/CD security work together, companies can quickly get a glimpse of what is happening on their network, allowing IT teams to take immediate action.

RedSeal Cloud, a CNAPP solution, provides organizations with a view of their entire cloud framework to identify where key resources are located and a complete analysis of the system to identify where it’s exposed to attacks. RedSeal maps every path and checkpoint, and calculates the net effective reachability of all aspects of your cloud, enabling you to quickly pinpoint areas that require immediate action. Furthermore, it avoids false positives and negatives, and supports complex deployments with different cloud gateway and third-party firewall vendors.

The Right CNAPP Tool for Reliable Cloud Security Management

Ensuring the security of assets in the cloud has never been more important.

Companies can leverage CNAPP capabilities to secure and protect cloud-based applications, from deployment to integration, including regular maintenance and eventual end-of-life. That said, CNAPP solutions are not one-size-fits-all options but rather a combination of different vendor specialties under a single platform, proving single-pane-of-glass visibility to users.

Companies wanting to adopt CNAPPs should focus on how vendors interpret the underlying cloud networking infrastructure, the per-hop policies at every security policy point, including third-party devices, to identify any unintended exposure, and how the solution interacts with other services, both on-premises and in the cloud.

In summary, every company should ask potential CNAPP vendors:

  • How do they uncover all attack paths to their critical resources and expose the hidden attack surface?
  • How do they calculate the net effective reachability to the critical resources on those paths?

RedSeal’s CNAPP solution, RedSeal Cloud, lets security teams know if critical cloud resources are exposed to risks, get a complete visualization of their cloud infrastructure, and obtain detailed reports about CIS compliance violations.

Want to know how you can stop unexpected exposure and bring all your cloud infrastructure into a single comprehensive visualization? Book a demo with our team to get started!

The Hidden Attack Surface: What’s Missing in Your Cloud Security Strategy?

/by

It happens all the time. A company has the right security policies in place but misconfigures the environment. They think they are protected. Everything looks fine. They locked the doors and boarded up the windows to the room where the crown jewels are kept, but nobody noticed that the safe that holds the jewels is no longer in that room. Accidentally, it was moved to another location, which is left wide open.

Here’s another common scenario. When working in the cloud, someone in your company can easily turn on a policy that allows anyone to gain access to your critical resources. Or, maybe you grant temporary access to a vendor for maintenance or troubleshooting but then forget to revoke the access. There may be legitimate reasons to grant access, but if that resource is compromised, your cloud can be infected.

Cloud Environments Are Constantly Evolving and Easy to Misconfigure

The challenge in today’s cloud environment is that things are never static. Things are spinning up constantly, new endpoints are being added, and new connections are being made. Cloud users can easily misconfigure or forget to revoke access to critical resources. So you lock the front door and think you’re safe when the back door might be open or someone is opening and closing new windows all the time.

Nearly seven in 10 organizations report dealing with cyberattacks from the exploitation of an unknown or unmanaged asset connected to the internet. With today’s complex cloud, multi-cloud, and hybrid cloud environments, uncovering the hidden attack surface is crucial to uncover every potential resource that could be compromised.

What is the Hidden Attack Surface?

Uncovering the hidden attack surface involves knowing all unknown resources in your cloud and finding all attack paths to the resources – not just the most likely paths like most CNAPP/CSPM vendors. Finding all attack paths requires deep intelligence to map the full cloud network and determine every potential exposure point.

Cybercriminals are constantly looking for pathways, or hidden attack paths, to get to your crown jewels. With today’s emphasis on cybersecurity, companies rarely leave the front door open to let hackers walk right in. But there may be vulnerabilities that do allow access and then a pathway to reach the jewels. It may be a twisted and convoluted path, but it gets hackers where they want to go.

An attack path analysis details every endpoint and connection to show how threat actors could enter your house and travel the path to find what they’re looking for. By highlighting every possible path and policy detail associated with these pathways, you gain comprehensive visibility into your network.

This information details the traffic that can enter or exit a hop on the attack path and what controls are enabling them to uncover areas of unintended access to critical cloud resources.

Mapping the Entire Infrastructure

Some other solutions are also inadequate to map the entire infrastructure.

Let’s say you have someone conducting penetration testing. Pen testing focuses on the major attack points but doesn’t identify every single way, inside out, to connect to those resources. Think of it this way: You want to drive from San Jose to San Francisco. Nearly everyone making that drive will use the 101 or 280. But 880 can also connect, and there are thousands of side routes that you could use to make the ride. It may take a long time, but you’ll ultimately get to your destination.

Pen tests focus on the most typical routes. Plus, routes are constantly changing. They don’t take into account that new subdivision that didn’t exist last week that allows through traffic. You may segment your data, but new pathways evolve that suddenly allow lateral movement. Without real-time attack path analysis, you may be secure one moment and insecure the next.

Not All Attack Path Analysis Vendors Work the Same Way

When looking to analyze attack paths, it’s crucial to choose the right vendor. Not everyone approaches attack path analysis the same way, and the wrong solution may give you a false sense of security.

Just like penetration testing, most CNAPP/CSPM companies focus on the same major pathways. For example, if you’re using AWS and want to know which resources may be exposed, most vendors will check AWS security groups, AWS network access control lists (NACL), and AWS gateways. But are they also checking gateways such as AWS Transit Gateways, Third Party Firewalls, Load Balancers and all other cloud networking resources.

Effective security demands that you view everything end-to-end including every endpoint, pathway, and policy. While you may start with the obvious paths, it’s not enough. Attackers know that the most obvious spots are usually protected, so they’re constantly probing for the path that’s not so obvious and less likely to be guarded. This is uncovering the hidden attack surface that results in most cloud security breaches.

Comprehensive Attack Path Analysis with RedSeal

RedSeal uncovers the hidden attack surface by providing a comprehensive attack path analysis of every possible entry point and pathway within your infrastructure to determine what resources may be exposed. Besides end-to-end mapping, RedSeal also shows you how the exposure occurred and provides remediation guidance.

You get:

  • A list of all resources, subnets, and instances that are deemed critical, grouped by AWS accounts, Azure subscriptions, AWS VPCs, Azure VNETs, tags, and subnets
  • Specific ports, protocols, and services that are open and exposed — e.g., HTTPS (443), SSH/TCP (22), SMTP/TCP (25), RDP with exposure details
  • Full attack path analysis to critical resources,  highlighting all possible paths and the security policy details associated with each path
  • Details about what and where traffic can enter, what controls are enabling entry, and the paths attackers can take once they gain entrance

You can complement your cloud service provider’s operational tools by getting a real-time evaluation of all affected resources across multiple cloud environments. Using an agent-less, API-based approach, RedSeal Stratus uncovers all resources deployed within your environment and lets you view them in a single pane of glass.

Not only do you get a comprehensive view of your cloud infrastructure and insight into potential exposure points, but you also get a roadmap for remediation. Stratus identifies and calculates every possible path, port, and protocol — not just active traffic — to help you prioritize your remediation efforts. Security teams can then perform root cause analysis and raise a remediation ticket for resource groups that may be impacted by security policies.

This ticket would include information about the affected resources, verification, remediation steps, and the potential risk if they are not mitigated.

RedSeal mitigates exposure with:

  • Out-of-the-box (OOTB) reporting
  • Simple, agent-less deployment
  • Continuous risk assessment
  • Drill-down capabilities with remediation guidance
  • Seamless integration with ticketing and remediation systems like Jira

RedSeal’s cloud security solutions can bring all multi-cloud environments into one comprehensive, dynamic visualization and know the unknowns. This allows you to protect your cloud, conform to best practices and gain continuous monitoring for compliance.

Learn more by downloading our Solution Brief: Stop Unintended Exposure.

Tales from the Trenches: Vol 10 — You Don’t Know What You Don’t Know

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series Michael Wilson, Senior Network Security Engineer, explains how RedSeal empowers customers to verify their contractors are following security best practices and have their organization’s best interest in mind.

You Don’t Know What You Don’t Know

In my customer’s environment, the network is segmented and managed by both the customer and several contracted partners. It is a difficult task to have visibility into an entire network that is distributed across several different contracted partners, let alone keep track of all of the devices and changes that can occur across a network. The adage of ‘you don’t know what you don’t know’ is very relevant in a situation like this. RedSeal has the ability to provide my customer with a single pane of glass to see all these network segments that are managed by different contracted partners.

The customer’s RedSeal deployment runs daily collection tasks, and the customer can see any changes that occur to their network from day to day. One morning, I logged into RedSeal and started my daily maintenance tasks, which includes ensuring that data collections ran correctly, and analysis was performed successfully, and I noticed that there was an increase in device count. This was a cause for investigation, as new devices being brought into RedSeal without any new data collection tasks is a possible indicator of compromise.

I notified the customer, and I started to investigate. I noticed that these changes occurred in the customer’s SDWAN environments. This SDWAN environment uses clusters to manage edge devices, and the customer has devices spread around in many different locations. The environment is managed by one of the customer’s contracted organizations and, previously, the environment used 4 clusters to serve all the customer’s edge devices in this SDWAN environment. The additional devices that RedSeal discovered were an additional 20 clusters that upped the total from 4 to 24. Once I started to arrange the new clusters on the map, I started to see that these new clusters were connected in such a way that they were serving specific geographic regions of the customer’s environment. This indicated the contracted partner was making significant changes to the SDWAN environment and the new devices were likely not an indicator of compromise.

Once I determined that this was likely a planned network change, I asked the customer if they were aware that these changes were planned and being implemented to the network. They were not aware of any plans and changes being implemented. I asked the customer to immediately verify that the changes were planned, and the customer discovered that not only were these changes planned, but they had never been notified of these planned changes. This demonstrated a significant lack of communication between the customer and their contracted partners. I was able to use RedSeal not only to discover network changes that occurred on the network, but a fundamental operational flaw of the entire customer’s workflow surrounding network changes. It gave the customer the ability ‘to know what they didn’t know’.

The risks that the customer was unknowingly accepting (and by default, unable to mitigate or remove) through this lack of communication was that the contracted partner was making changes to the customer’s network, which contains devices that have Payment Card Industry (PCI) data running through them. By making changes without consulting the customer, the contracted partner was potentially exposing the customer to a disastrous breach of customer financial information. The reason this could be the case is that the contracted partner does not control the entire customer network and changes in their network segment may unknowingly lead to security holes in other parts of the network that is managed by either the customer directly or another contracted partner. To top it off, the customer would have had no idea of this risk because they were unaware of what was happening on their network. RedSeal was able to become the stop gap and identify that risk and provide the information needed to make an informed and educated decision on what risks to accept, mitigate, or remove.

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.

Top Reasons State and Local Governments Are Targeted in Cyberattacks

/by

Ransomware attacks affected at least 948 U.S. government entities in 2019 and cost local and state governments over $18 billion in 2020. These agencies are prime targets for cyberattacks. Their dispersed nature, the complexity of their networks, the vast amounts of valuable personal data they process and store, and their limited budget prevent them from staying current with the latest best practices.

Strengthening your defense starts with understanding the top reasons why threat actors choose to target state and local governments. Then, implement the latest technologies and best practices to protect your organization from attacks.

Reason 1: The Vast Number of Local and State Government Agencies

There are 89,004 local governments in the U.S., plus numerous special districts and school districts. That equates to 2.85 million civilian federal employees and 18.83 million state and local government employees — each representing a potential target for threat actors.

Since it takes only one person to click on one malicious link or attachment to infect the entire system with ransomware, the large number of people who have access to sensitive data makes government entities prime targets for social engineering attacks.

Moreover, the dispersed nature of these networks makes it extremely challenging for government agencies to gain visibility of all the data and activities. When one agency suffers an attack, there are no procedures or methods to alert others, coordinate incident response plans, or prevent the same attack from happening to other entities.

Reason 2: These Agencies Process Valuable Personal Information

How much personal data have you shared with state and local government agencies? Somewhere in their dispersed systems reside your social security number, home addresses, phone numbers, driver’s license information, health records, etc. The information is attractive to cybercriminals because they can sell it on the dark web or use it for identity theft.

Many of these agencies also hire contractors and sub-contractors to handle their computer systems or process user data. The more people with access to the data, the larger the attack surface — creating more opportunities for supply chain attacks where criminals target less secure vendors to infiltrate their systems.

Without the know-how or resources to partition their data or implement access control, many government agencies leave their door wide open for criminals to access their entire database. All malicious actors have to do is target one of the many people who can access any part of their systems.

Reason 3: They Can’t Afford Security Experts and Advanced Tools

Almost 50 percent of local governments say their IT policies and procedures don’t align with industry best practices. One major hurdle is that they don’t have the budget to offer wages that can compete with the private sector and a workplace culture to attract and retain qualified IT and cybersecurity professionals.

Meanwhile, cybercriminals are evolving their attack methods at breakneck speed. Organizations must adopt cutting-edge cybersecurity software to monitor their systems and detect intrusions. Unfortunately, the cost of these advanced tools is out of reach for many government entities due to their limited budgets.

Moreover, political considerations and bureaucracy further hamstring these organizations. The slow speed of many governmental and funding approval processes makes preparing for and responding to fast-changing cybersecurity threats even more challenging.

Reason 4: IoT Adoption Complicates the Picture

From smart building technology and digital signage to trash collection and snow removal, Internet of Things (IoT) tools, mobile devices, and smart technologies play an increasingly vital role in the day-to-day operations of local governments.

While these technologies help promote cost-efficiency and sustainability, they also increase the attack surface and give hackers more opportunities to breach a local government’s systems and networks —  if it fails to implement the appropriate security measures.

Unfortunately, many agencies jump into buying new technologies without implementing proper security protocols. Not all agencies require IoT devices to perform their functions. You should therefore balance the cost and benefits, along with the security implications, to make the right decisions.

How Government Agencies Can Protect Themselves Against Cyberattacks

An ounce of prevention is worth a pound of cure. The most cost-effective way to avoid the high costs of ransomware attacks and data breaches is to follow the latest cybersecurity best practices. Here’s what state and local governments should implement to stay safe:

  • Complete visibility into your entire IT infrastructure to provide a comprehensive view into all the possible hybrid network access points to understand what’s connected to your network and what data and files are most at risk. This way, you can prioritize your data security resources.
  • Intrusion detection and prevention systems (IDS and IPS) protect your wired and wireless networks by identifying and mitigating threats (e.g., malware, spyware, viruses, worms), suspicious activities, and policy violations.
  • A mobile device management (MDM) solution allows administrators to monitor and configure the security settings of all devices connected to your network. Admins can also manage the network from a centralized location to support remote working and the use of mobile and IoT devices.
  • Access control protocols support a zero-trust policy to ensure that only compliant devices and approved personnel can access network assets through consistent authentication and authorization, such as multi-factor authentication (MFA) and digital certificates.
  • Strong spam filters and email security solutions protect end users from phishing messages and authenticate all inbound emails to fence off social engineering scams.
  • Cybersecurity awareness training for all employees and contractors helps build a security-first culture and makes cybersecurity a shared responsibility, which is particularly critical for fending off social engineering and phishing attacks.
  • A backup and disaster recovery plan protects agencies against data loss and ransomware attacks by ensuring operations don’t grind to a halt even if you suffer an attack.

Final Thoughts: Managing the Many Moving Parts of Cybersecurity

Cybersecurity is an ongoing endeavor, and it starts with building a solid foundation and knowing what and who is in your systems.

You must map your networks, take inventory of every device, and know where all your data is (including the cloud) to gain a bird’s-eye view of what your security strategy must address. Next, assess your security posture, evaluate your network against your policies, and prioritize resources to address the highest-risk vulnerabilities. Also, you must continuously monitor network activities and potential attack paths to achieve constant visibility, prioritize your efforts, and meet compliance standards.

State and local governments worldwide trust RedSeal to help them build digital resilience. Request a demo to see how we can help you gain visibility of all network environments to jumpstart your cybersecurity journey.

Tales from the Trenches: Vol 9 — The Law of Unintended Consequences, OR Some Doors Swing Both Ways

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series Bill Burge, RedSeal Professional Services, explains how RedSeal can show you ALL the access from a network change, not just the one access you are expecting.

The Law of Unintended Consequences, OR Some Doors Swing Both Ways

“The law of unintended consequences” states that the more complex the system, the greater the chance that there is no such thing as a small change.

While working with a customer in the early days of my RedSeal Professional Services tenure, I looked for an opportunity to prove the capability of Zones & Policies. In an unfamiliar environment, the easy starting point is creating a policy that examines the access from “Internet to all internal subnets.”

It is easy to setup and easy to discuss the results, UNLESS the results say that most of the Internet can get to most of the internal network.

I thought “I MUST have done something wrong!” I got the impression that the customer felt the same thing, even though neither of us came right out and said it. So, I tore into it.

Using some ad hoc access queries and Detailed Path queries, we figured out the problem and why.

After looking into it, thinking something was amiss, it turned out that RedSeal was RIGHT. It seems there had been a pair of firewall rules for DNS requests:
SRC: inside, SRC PORT: any, DST: outside, DST PORT: 53, PROTOCOL: UDP
(and for the responses)
SRC: outside, SRC PORT: 53, DST: inside, DST PORT: any, PROTOCOL: UDP

At some point, because DNS resolutions got large enough that the responses did not fit in a single UDP packet, DNS needed to include TCP. So, someone simply made a small change and added TCP to each of these rules.

The unintended consequence was that you could reach just about any internal system from the Internet IF you initiated your request from port 53.

After this was verified by the firewall and networking teams, I might have well gone home. Everybody disappeared into meetings to discuss how to fix it, whether it could be done immediately or later that night, etc.

A little time later, I ALMOST felt guilty to point out that they had done pretty much the same thing with NTP, on port 123. (Almost…)

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.