How to Navigate the Shifting Healthcare Cybersecurity Landscape

/by

Cyberattacks and data breaches in the healthcare sector are increasing at an alarming rate, especially during the pandemic when patient communications and records moved online.

Between March 2021 and February 2022, over 42,076,805 healthcare records were exposed. Businesses lose an average of $10.10 million per healthcare data breach, while lost or stolen protected health information (PHI) and personally identifiable information (PII) cost the U.S. healthcare industry billions of dollars annually.

Valuable data makes healthcare organizations a prime target for cybercriminals. Meanwhile, the fast-shifting technology landscape makes it more challenging than ever to keep up with the latest cybersecurity best practices.

Let’s look at the many factors causing today’s cybersecurity nightmare and how you can navigate the changing healthcare cybersecurity landscape with the right technology and processes.

The Healthcare Sector Faces Ongoing Cybersecurity Challenges

The healthcare industry is complex. Various factors have come together in recent years to create the perfect storm for bad actors to breach networks and steal data.

High-Value Target Data: PHI and medical records are sought after by criminals because they’re worth 10 to 20 times the value of credit card data on the dark web. Meanwhile, biomedical and pharmaceutical research and development data drive a $160-billion industry. Criminals can often use the stolen credential to breach multiple targeted systems, giving threat actors many ways to cause damage through lateral movements.

Fast Adoption of New Technologies: The healthcare industry has been implementing connected medical devices (medical IoT) at a rapid pace. The equipment often uses unregulated mobile applications for processing and transmitting PHI and PII. Additionally, many facilities don’t have the proper security protocols to support the proliferation of devices connected to their networks — creating a large attack surface cybercriminals can exploit.

Overworked and Undertrained Personnel: Employee training is key to preventing social engineering schemes, phishing scams, and ransomware attacks — after all, it takes only one staff member to open one malicious attachment to infect the entire system. However, many healthcare facilities fail to provide sufficient cybersecurity education to their employees. Even end users with the knowledge and best intention often let their guard down because of environmental factors, such as distraction and excessive workload.

Competing Operational Priorities: Operational needs, often urgent, require personnel to prioritize speed of information sharing over data security. Meanwhile, facilities must comply with large-scale data portability regulations that require them to make health records and other sensitive information available in digital and sharable formats. These processes can increase the risks of data breaches if providers don’t have the proper security measures in place.

Budgetary Constraints: Healthcare organizations have limited IT budgets, and their tech teams are often stretched thin. They spend most resources on acquiring and implementing new technology solutions to stay current and competitive, leaving few to secure and maintain their networks. Many organizations don’t have in-house security teams and often outsource the function without assigning any internal stakeholders to coordinate the activities or monitor the outcomes.

Inconsistent Cyber Hygiene: Many healthcare facilities are stuck with legacy systems that are no longer supported by the vendor and can’t be upgraded with the latest security features. As such, they introduce permanent vulnerabilities into the organizations’ networks. Additionally, integrating new and old technology solutions may create interoperability dependencies, network segmentation risks, and blind spots hackers can exploit.

The Pandemic Caused New Issues in Healthcare Cybersecurity

The healthcare industry played a front-and-center role during the COVID-19 pandemic, which necessitated the rapid adoption of digital technologies. While the accelerated digital transformation brought many benefits, it also created various cybersecurity concerns.

An Abrupt Shift to Remote Working: Many non-frontline functions moved to a remote working environment in response to lockdowns. Healthcare organizations lack the time and resources to provide adequate security training to remote workers, implement endpoint protection capabilities, and develop remote system backup and recovery plans to build business resiliency and protect themselves from the consequences of ransomware attacks and data loss.

Rapid Procurement and Implementation of Security Tools: The rapid transition to cloud-based platforms for the new hybrid work environment increased the likelihood of misconfigured security settings and mismanaged security tool deployments. Many organizations also lack plans to maintain and sustain the new platforms and technologies, leading to oversight and creating opportunities for threat actors to strike.

Duration and Scope of the Global Crisis: The pandemic created long-term uncertainty. It increases the stress on individuals and society, which, in turn, raises the population’s susceptibility to social engineering. Meanwhile, the need for coordinated responses from facilities across the nation and authorities around the world requires unconventional partnerships and data-sharing practices that caused chain reactions, increased risk factors, and exposed vulnerabilities.

Navigating the Cybersecurity Nightmare in Healthcare: Today’s complex cybersecurity landscape isn’t easy to navigate, especially in the high-stakes healthcare sector. The rise of remote work and telemedicine, plus the proliferation of connected medical devices, has increased the attack surface dramatically. Budget constraints, competing priorities, and lack of employee training leave a lot of opportunities for hackers to exploit. Also, healthcare providers must comply with increasingly stringent data privacy laws to avoid fines and lawsuits.

A Multi-Layer Approach to Cybersecurity: You need a multi-prong approach to address various challenges. The process starts with gaining visibility across all your network environments to understand who has access to what information. Then, prioritize vulnerabilities and resolve gaps in your scan coverage.

Don’t forget to address all your cloud platforms, especially if you have a hybrid environment that combines cloud applications with legacy software where the connections can become weak links and blind spots. Moreover, you must stay current with all relevant data privacy laws, adhere to the latest security configuration standards, and ensure that your vendors and partners are also compliant to protect your data from supply chain attacks.

RedSeal can help you build a solid foundation by creating in-depth visualizations of your security infrastructure. We then use the insights to prioritize your vulnerabilities and automate your compliance process. Get in touch to see how we can help you assess, remediate, and mitigate your security processes and infrastructure.

How Secure Is Your Pharma Research Data?

/by

The use of big data and advanced analytics is now essential for innovation across the pharmaceutical and healthcare industries. However, working with vast amounts of data — experimental data, clinical trial data, patient data — has become a double-edged sword as organizations face immense challenges in protecting data integrity and ensuring data security in today’s digital environment.

Meanwhile, the global pharmaceutical market will grow above $2 billion by 2028 at a compound annual growth rate (CAGR) of 5.7% between 2022 and 2028. With revenue depending on research and innovation and more of the processes going digital, pharma research data has become a prime target for threat actors who use various means to breach companies’ systems and steal their sensitive information.

Let’s review key data security issues that pharma research companies face and how to protect your sensitive information to help you navigate the complex cybersecurity environment.

Is Pharma Research Data Secure?

Unfortunately, no. The pharmaceutical industry has seen many data breaches in recent years.

In an analysis of 20 pharma companies, five had experienced over 200,000 data exposures and breaches. Some had as many as 400,000 exposures. Another study revealed that over 50% of hospitals, biotech firms, and pharmaceutical companies have more than 1,000 sensitive files accessible to all employees. 33% of these organizations have over 10,000 files exposed to every staff member.

IBM’s Cost of Data Breach 2022 report found that data breaches cost the pharma industry an average of $5.01 million between March 2021 and March 2022. Additionally, the high data regulation environment means these companies see costs accrue years following a breach due to regulatory and legal fees, further impacting an organization’s financial health.

Data breaches in the pharma industry can also lead to direr consequences than in many other sectors. For example, leaked intellectual properties and clinical trial data can lead to reputational damage and lost revenue that could take years to remedy.

Top Pharma Research Data Security Issues

Here are the key cybersecurity challenges faced by pharma companies:

Supply Chain Attacks: Pharma research requires collaboration among various parties, such as research institutions, suppliers, contractors, and partners. The complex ecosystem creates a large attack surface threat actors can exploit. For example, they can infiltrate your network via a vendor with a less secure system. Without complete visibility into their environment, many organizations are left in the dark until it’s too late.

Ransomware Attacks: Due to the need to access critical information in their research, pharma companies are prime targets for ransomware attacks. Especially in companies with lax access controls, hackers can infect just one employee’s device with malware to infiltrate the entire network and lock down access to data for the whole company.

Phishing Scams: Threat actors can use social engineering techniques to trick employees, partners, and researchers into giving up their credentials to access the company’s network and exfiltrate data. Again, an organization without proper access control makes it much easier for hackers to move laterally across its systems.

Emerging Technologies: New platforms, cloud technologies, and Internet of Things (IoT) devices are invaluable in accelerating research and development processes. But they also present inherent cybersecurity risks because of the expansive environment and numerous endpoints. If companies spread their data on multiple platforms without mapping their inventory, they could leave sensitive data out in the open.

Mergers and Acquisitions (M&A): The pharmaceutical industry saw 182 M&A deals in Q2 2022. When two companies merge, their IT infrastructures must work seamlessly with each other, including their cybersecurity protocols and monitoring systems. Mapping all the data to maintain visibility and assessing vulnerabilities can be challenging, leaving the new entity at a higher risk of compromise.

How to Protect Pharma Research Data:

Here are some steps pharma companies can take to protect their research data:

  1. Visualize Access Across Your Network Environment: You can’t protect what you can’t see. You must map your environment and all digital assets to connect the dots, identify blind spots, reveal inconsistencies, and interpret access control. You can then prioritize vulnerabilities based on access and eliminate gaps in your scanner coverage.
  2. Deploy End-to-End Encryption for Data Sharing: Use a robust encryption solution to support data sharing within the organization and with third parties. This way, authorized personnel can use sensitive information without risking exposure. Choose a scalable, database-agnostic encryption technology that can be deployed in the cloud or on-premises to help protect data at rest, in transit, and in use.
  3. Enforce a Zero-Trust Policy and Least-Privilege Access: Least-privilege access is a vital component of a zero-trust framework that continuously authenticates a user’s identity to allow access to protected information. Access control is granted based on the principle that end users should see no more than the data they need to do their job. This approach can help minimize damage even if an employee’s account is compromised and limit a hacker’s lateral movement within your network.
  4. Implement a Comprehensive Incident Response Plan: It’s not a matter of if but when your infrastructure will come under attack, and a well-designed incident response plan is key to containing the damage and minimizing loss. Having an up-to-date model of your network can help accelerate incident response by locating the compromised device and determining which digital assets hackers can reach from the entry point.

Protect Pharma Research Data with a Bird’s-Eye View of Your Network

The first step in strengthening your defense is to know where all your data is and who can access the information. The insights can help you identify vulnerabilities, take remediation actions, and implement continuous compliance monitoring. But mapping all the moving parts, including every connection to the internet, is easier said than done.

RedSeal Stratus gives you an in-depth visualization of the topography and hierarchy of your security infrastructure. It helps you identify critical assets inadvertently exposed to the internet and shows your multi-cloud inventory and connectivity, so you can quickly detect changes in the environment.

Get in touch to see how we can help you proactively improve your security posture and protect your pharma research data.

Tales from the Trenches: Vol 5 — Octet Dyslexia

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series, Bill Burge, RedSeal Professional Services exposes inconsistencies in policy definitions with RedSeal.

Octet Dyslexia

Numbers are a tricky business and more numbers equals more tricky, and sometimes our brains see what they want to see and not what is actually there.

While working on PCI audit prep using RedSeal Zones & Policies with a large manufacturer/distributor/retailer we were going over what Internet access existed from the Internet into their cardholder environment.

The customer had two external address blocks and some were allowed access through this path.

I’ll make up the address blocks, as 12.53.22.0 and 15.43.22.0.  In the table of access results was a block of inbound address that was 12.43.22.0 (or something like that).

I asked the customer about this external address block and they said “yeah, we have two external blocks”.  We did a few laps around this like the old “Who’s on first?” routine.

It wasn’t until I put a sample from this range along with samples from their two ranges that they were finally about to SEE that it was an amalgamation of their two ranges, just enough to fool the hurried mind.

A quick Whois determined that the range belonged to a Chinese university, IN CHINA.

We were able to use other features of RedSeal to determine all the device configurations that referenced this block and submit change requests to get them remediated.

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.

 

Tales from the Trenches: Vol 4 — Leveraging the Tools You Already Have

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series Chris Naish, Sr. Sales Engineer, Federal at RedSeal explores prioritizing your risk mediation with RedSeal.

Leveraging the Tools You Already Have

Sometimes, you just need help understanding what you already have the ability to do…

Often while walking with customers along their RedSeal journeys, they’ll ask me, “Hey, what’s this Risk tab?”…

To prepare them for the coming screen of boxes of different colors and sizes, I preface the conversation by saying, “This might look intimidating at first, but I promise it’s not. It will make more sense shortly.” …

I’ll first take a brief detour to the Vulnerabilities tab in RedSeal and reiterate how on this tab, you’re essentially looking at the vulnerabilities in your environment one at a time. For any selected vulnerability, you’re able to see the related Host Count in the top frame, as well as the actual number of instances in the bottom frame (these counts may differ if the vulnerability in question can affect a host on more than one port).

Next, I’ll move over to the Risk tab and explain that by way of contrast, each of the boxes of different colors and sizes on the Risk map represents one of the hosts in your network. You can select any host and get related details in the bottom frame, including the vulnerabilities on that host.

But *why* are they all different colors and sizes?

The key to understanding the Risk Map layout is to click on Risk Map Controls on the left-hand side. Here you’ll be shown a series of drop-down menus, each with multiple options, which dictate how the host boxes appear, as well as how they’re grouped.

With this foundation laid, I explain that the main use case of the Risk tab is determining Mitigation Priority according to YOUR specific RedSeal topology. Say for example that you’re working with someone new to your patching team, who’s only responsible for Campus hosts. And they’re sitting next to you while you show them RedSeal’s capabilities. After a brief detour to Maps & Views to show them a RedSeal topology map that includes a Campus area, I might go back to the Risk tab and make this distinction: if you show them a simple Risk view, it may be perceived as overwhelming if you have a fair amount of vulnerabilities in your ENTIRE network that need to be patched. By way of contrast, if you INSTEAD manipulate the Risk Map Controls (and save the resulting layout) to display a Topology-based Mitigation Priority View, now the host(s) of concern for the Campus portion of your network can easily be seen. This can be done via the following drop-down menu selections: Group: First By Topology, Then By Primary Subnet; Appearance: Color By Downstream Risk, Size By Risk.

At this point, a customer’s wheels usually start turning and ideas come forth on how to make use of these concepts in THEIR RedSeal model and increase its’ value.

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.  

Tales from the Trenches: Vol 3 — Security Operations and Network Operations are always at odds. Or are they?

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series Brad Schwab, Senior Security Solutions Consultant tackles the potential friction between two departments with RedSeal.

Security Operations and Network Operations are always at odds. Or are they?

Empirically, using the greatest technical brevity, you could explain the two areas as:

  • Security Operations (SecOps) is about limiting where network traffic goes. They are also usually responsible for Vulnerability Scanners
  • Network Operations (NetOps) is about the uninterrupted, fast, network traffic flow

As you can see, these departments could easily be at odds – one is the brakes, the other the throttle. So, yes, they usually are at odds. Everything one wants can easily create work for the other, resulting in a back-and-forth pendulum of requests. SecOps to NetOps, “I need these ports shut down, they are creating security exposure…” NetOps to SecOps, “sure, you deal with the backlash…” Outcome, Finance to NetOps, “I can’t print paychecks…” NetOps emails SecOps the Finance department email and goes dark…. Net affect, neither department likes the other…

How does this involve RedSeal you may ask? RedSeal is in the unique position to work with both SecOps and NetOps and help both realize their Operational Goals and allow visibility into outcomes beforehand so that situations like the above don’t happen. This creates a positive working relationship between the teams.

Working with a large Health Organization, we were at the end of a Proof of Concept, and were having a meeting with the CISO, and the heads of SecOps, “Wendy”, and NetOps, “Bill”. We had been having problems with the NetOps people not providing the access required to gather device configuration files across the entire network fabric. NetOps was claiming they didn’t have the time. On the sly, we also heard that they thought providing us with the ability to gather the configs would only make work for them.

During this meeting Wendy was talking about the mountain of scan data she had and that prioritization was key to her work. I demonstrated how RedSeal could prioritized her patching routine(s) based on Network Access. Which, wait for it, requires the network device configuration files. Knowing that SecOps and NetOps were not friends, I decided to see if I could get a dialogue going, and at the same time incent NetOps to get us the access we required to gather the config files. So, I posed the question to Wendy of SecOps, “Wendy, are you scanning the entire network?” She said “yes.” I asked how she knew she could reach every host on the entire network? She said, “Bill told me I could.” I then said to Bill, “Is that what goes on the upcoming Audit, “Bill told me I could scan the entire network…”. Before he could reply I said, wouldn’t you like actual documentation showing that Wendy’s network reach was complete and entire network scans could and were taking place?

That is when the CISO chimed in and said “yes, we need that. How do we get that?” I said that if I had all the config files, I could provide you, Ms. CISO with your required audit documentation, which would eliminate Bills’ manual effort to supply the always asked for “ACL’s of all devices, not just the edge.” And, in addition, I can prioritize Wendy’s mitigation procedures and show the actual trending decrease in your exposure as her team works through the tickets. What followed was over an hour-long discussion of how RedSeal could provide value, focusing of tasks, and reduction of effort to both NetOps and SecOps, plus provide progress reporting to the CISO.

During the rest of the deployment NetOps was always willing to listen and quickly respond quickly to requests. The final outcome was that both teams, SecOps and NetOps, embraced the RedSeal Secure Methodology of Discover, Investigate and Act.

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.  

Tales from the Trenches: Vol 2 — They have access to WHAT?!

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series, Nate Cash, Senior Director, Federal Professional Services/ Director of Information Security at RedSeal looks at a unique application for RedSeal, eliminating potential threats before they could happen.

They have access to WHAT?!

I’m always surprised at the new use-cases we come up with on site with RedSeal. There is a lot of information about a customer’s environment that allows us to answer questions pretty easily, if you know where to look. One Monday morning as I showed up to the office, before I was able to grab coffee, a SOC analyst stopped me at the door to ask me a very simple question, “We have a bunch of site-to-site VPNs with a few business partners, what can they access?”

On the surface this seems like a simple request, “How quickly do you need this information?” I responded. “Last Saturday.” Suddenly the caffeine rush I needed seemed like a long ways off. Turns out, one of the business partners of this customer was breached over the weekend and they notified this customer of the potential. The SOC had been manually mapping out the configs and drawing the paths on the white board, when I came in.

Staring at the board I thought, “There has to be a better way.” When the eureka moment happened. I fired up RedSeal and found the devices which lead to the business partners. In order to map across the VPN tunnels, we needed the config files from the other end. Of course, our business partners were not going to give that up, so I took the configs from our end, and reversed the ACLs changed the IPs based on the tunnel configs and reimported them into RedSeal.

10 min later we were able to answer the question, “what does this business partner have access to?” the answer, 1 server in the DC on 3 ports. But that one server had access to over 20 other servers which increased the downstream risk. This was a fun exercise where we got to see the power of RedSeal and how it can be used to quantify the real risk to the organization and reduce it by putting controls into place.

Once the incident was contained, we decided to go through, and hand jam the rest of the business partners VPN configurations into the model so the SOC would have this information in the event another partner was compromised. After writing up the configs and placing them into the model we found a couple of business partners with configurations that allowed any traffic on any port across.

Firewall engineers know, that sometimes during troubleshooting they’ll configure a device to allow anything across and verify that the firewall is or is not blocking an application. My theory is that these two partners were having issues with traffic going across or getting the VPN tunnel up, and put these rules in as placeholders, probably around two or three A.M. and when things “worked” they were going to come back later to fix them, and never got the time.

But this exercise allowed us to find a major security misconfiguration. If one of those two business partners with the ‘allow any traffic’ were the ones compromised over the weekend this story would have had a much different outcome. In security having a complete picture of your environment is key to being secure. What you don’t know can hurt you.

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.  

Tales from the Trenches: Vol 1 — In security, consistency is key.

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

The first in this series is by Nate Cash, Senior Director, Federal Professional Services/ Director of Information Security at RedSeal.

In security, consistency is key.

Once at a customer site while going through the install of RedSeal, we were going over the hardening standards. I clicked on a couple of configurations to start showing how we could go about setting up best practice checks. I had inadvertently pulled up a device which has not been updated in over five years. The customer was shocked, this is one of the many times where I have had to stop mid-sentence while the person I worked with, reached out to someone to “fix the problem.”

The problem is not the fact the device is had not been updated, but somehow their process missed it. This device was just one of many. The first thing we did with RedSeal was develop a set of custom checks to see how many devices passed or failed the latest hardening standard. Once set we started data collections. In 15 min we saw 30% of the devices were not running their latest hardening standards. 

30% of their network devices were not using the latest encryption, had management ACLs set to an old subnet which was now known as their guest subnet, inconsistent SSH versions, telnet still enabled, and some devices pointed to old radius servers, falling back to local accounts. Luckily their firewall blocked the guest subnet from anything internal but, their network management tool still couldn’t access 100% of the devices.

Fixing the underlying problem, not the result of the problem.

With the latest hardening standards in hand, the network engineers got an emergency change request and started logging in to update their configurations. Each device required firmware upgrades, followed by configuration changes. While this was a big undertaking, each day that passed we could grab the numbers and see trending on remediation and report to management.

Once we got the model complete, we found a couple of firewalls that blocked their network management solution from accessing 100% of their network devices. Once the customer opened their firewall, the networking team could start pushing the config to all of the devices. 

As luck would have it, the customer was currently undergoing a review of a new hardening standard. We took the new standard, and I showed them how to create checks for each of the configuration points. At the end of the day, the customer had 75 individual checks for each of the network devices. Upon data collection RedSeal will run those checks against each of the configurations automatically and we could ensure that all network devices passed all of checks required for their baseline configuration. 

This customer had a unique process where devices about to be deployed were plugged into the network and received a static DHCP address. Their network management tool would push the baseline to the config, then the engineers would login the next day to assign the interface Ips per the documentation. The rest of the hardened config was automagically configured by the tool. With this in hand, we were able to add the ‘staging area’ to RedSeal. With every data collection we noticed random inconsistencies where some device would get the whole config and others did not, using those same checks. 

Using RedSeal and custom checks this customer is able to push configs, then double check the config took properly before deploying out into their network. They had better visibility ensuring that all of their devices were hardened, were more confident that automating the work were consistently driving the results they wanted, had a double check with the automation, and essentially reduced their risk significantly, just by checking the configs of their network devices.

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.  

InfoSeCon Roundup: OT Top of Mind with Many

/by

The RedSeal team recently attended the sold-out ISSA Triangle InfoSeCon in Raleigh. It was energizing to see and talk to so many people in person. People were excited to be at in-person events again (as were we!) and we had some great discussions at our booth on how RedSeal can help customers understand their environment and stay one step ahead of threat actors looking to exploit existing vulnerabilities. 

Visibility was a top topic at the booth, but I want to focus this blog on our panel discussion, titled ”OT: Still a Security Blindspot”, which, of course, has visibility as a core need. While I was expecting that this topic would be of interest to quite a few attendees, I was not expecting the great reception we received, nor the number of people that stayed behind to talk to us. We had so many great questions, that we have decided to host a webinar with the same title, where we will share some of the same information, and expand it to address some additional topics based on attendee interest. 

I want to highlight some key points we shared during the session:

We started the session talking about OT networks – what they are, and how they exist across all verticals in some way, shape or form (it is not just manufacturers!).  We did share a life sciences customer example to close the session (think about all of the devices in a hospital connected to the Internet – and what could happen if they were hacked!).

Then we got into the “risk” part of the discussion. We shared how OT networks are targeted via vulnerable devices and highlighted actual consequences from some real-life examples. We focused on the Mirai botnet and potential motives from threat actors:  

  • Botnets can simply to be annoying or attention getting, interrupting business 
  • Ransomware has traditionally been for cash or equivalent, but now can also be for deliberate intentional damage
  • Nation State – with espionage as a goal – to disrupt or compromise organizations or governments

Our panelists from Medigate by Claroty provided their perspective based on discussions with their customers. They explained that for many organizations OT was an afterthought when accessing security risks. The audience appeared to agree with this assessment. Unfortunately, this meant that OT has often been the quickest way to cause serious damage at an organization. They have seen this within the 1500+ hospitals they work with. They shared a couple of examples, which clearly demonstrated what can happen if you have vulnerable OT devices:

  • Turning off the air conditioning at a hospital in Phoenix AZ during the summer shut EVERYTHING down
  • Operating rooms must be kept at very specific temps and humidity levels. A customer in CA whose dedicated O.R. HVAC was impacted ended up losing $1M in revenue PER DAY while it was down

One of the reasons that the security risks for OT devices has not been addressed as well as they should is that OT devices have typically been managed by the Facilities organizations, who do not have the training and expertise needed for this task. We did spend some time talking about who “owns” managing and securing these OT devices. Luckily, there is growing awareness of the need for visibility into both OT and IT devices as part of an overall security strategy, and there are emerging solutions to address this need. 

We also spent time discussing how complex managing OT/IT becomes when companies have distributed sites or complex supply chains. The Medigate panelists shared how some of their Life Sciences customers have sites with different OT network topologies, and some even have a mismatch between the topology of the individual site and its production logic. This means there are usually multiple redundant, unmonitored connections at each site, which provides threat actors with numerous opportunities to penetrate the OT network and, once inside, to move laterally within it. 

This led to a conversation among the panelist on how to address the IT/OT visibility needs:

  1. First step: gain visibility into where OT is and then integrate it with existing IT security infrastructure 
  2. Ongoing: alignment and collaboration between and across IT and OT security, as well as with a range of third-party vendors, technicians, and contractors
  3. End goal: enable all teams (facilities, IT, security, networking, etc.) speak the same language from the same source of truth

The above is just a brief review of some of the topics covered during the panel discussion. If you are interested in hearing more about how to address IT/OT visibility needs and hear about how customers are addressing these needs or find out more about RedSeal, please visit our website or contact us today!

IT/OT Convergence

/by

Operational Technology (OT) systems have decades of planning and experience to combat threats like natural disasters – forces of nature that can overwhelm the under-prepared, but which can be countered in advance using well thought out contingency plans. Converging IT with OT brings great efficiencies, but it also sets up a collision between the OT world and the ever-changing threats that are commonplace in the world of Information Technology. 

A Changing Threat Landscape 

The security, reliability, and integrity of the OT systems face a very different kind of threat now – not necessarily more devastating than, say, a flood along the Mississippi, or a hurricane along the coast – but more intelligent and malicious. Bad actors connected over IT infrastructure can start with moves like disabling your backup systems – something a natural disaster wouldn’t set out to do. Bad actors are not more powerful than Mother Nature, but they certainly are more cunning, and constantly create new attack techniques to get around all carefully planned defenses. This is why the traditional strategies have to change; the threat model is different, and the definition of what makes a system “reliable” has changed. 

In the OT world, you used to get the highest reliability using the oldest, most mature equipment that could stay the same, year after year, decade after decade. In the IT world, this is the worst possible situation – out of date electronics are the easiest targets to attack, with the most known vulnerabilities accumulated over time. In the IT world of the device where you are reading this, we have built up an impressive and agile security stack in response to these rapidly evolving threats, but it all depends on being able to install and patch whatever software changes we need as new Tactics, Techniques and Procedures (TTP’s) are invented. That is, in the IT world, rapid change and flexible software is essential to the security paradigm. 

Does this security paradigm translate well to the OT world?

Not really. It creates a perfect storm for those concerned with defending manufacturing, energy, chemical and related OT infrastructure. On the one hand, the OT machinery is built for stability and cannot deliver the “five nines” reliability it was designed for if components are constantly being changed. On the other hand, we have IT threats which can now reach into OT fabric as all the networks blend, but our defense mechanisms against such threats require exactly this rapid pace of updating to block the latest TTP’s! It’s a Catch-22 situation. 

The old answer to this was the air gap – keep OT networks away from IT, and you can evade much of the problem. (Stuxnet showed even this isn’t perfect protection – humans can still propagate a threat across an air gap if you trick them, and it turns out that this isn’t all that hard to do.) Today, the air gap is gone, due to the great economic efficiencies that come from adding modern digital communication pathways to everything we might need to manage remotely – the Internet of Things (IoT).

How do we solve this Catch-22 situation?

So, what can replace the old air gap? In a word, segmentation – it’s possible, even in complex, blended, IT/OT networks to keep data pathways separate, just as it’s essential for the same reason that we keep water pipes and sewer pipes separate when we build houses. The goal is to separate vulnerable and critical OT systems so that they can talk to each other and be managed remotely, but to open only these pathways, and not fall back to “open everything so that we can get the critical traffic through”. Thankfully, this goal is achievable, but the bad news is it’s error prone. Human operators are not good at maintaining complex firewall rules. When mistakes inevitably happen, they fall into two groups:

  1. errors that block something that is needed
  2. errors that leave something open

The first kind of error is immediately noticed, but sadly, the second kind is silent, and, unless you are doing something to automatically detect these errors and gaps, they will accumulate, making your critical OT fabric more and more fragile over time. 

One way to combat this problem is to have a second set of humans – the auditors – review the segmentation regularly. Experience shows, though, that this just propagates the problem – no human beings are good at understanding network interactions and reasoning about complex systems. This is, however, a great job for computers – given stated goals, computers can check all the interactions and complex rules in a converged, multi-vendor, multi-language infrastructure, and make sure only intended communication is allowed, no more and no less.

In summary, IT/OT convergence is inevitable, given the economic benefits, but it creates an ugly Catch-22 scenario for those responsible for security and reliability – it’s not possible to be both super-stable and agile at the same time. The answer is network segmentation, not the old air gapped approach. The trouble with segmentation is it’s hard for humans to manage, maintain and audit without gaps creeping in. Finally, the solution to resolve this Catch-22 is to apply automation – using software such as from RedSeal to automatically verify your segmentation and prevent the inevitable drift, so that OT networks are as prepared for a hacker assault as they are for a natural disaster. 

CNAPP: The Future of Cloud Security

/by

The cloud has arrived. According to data from the Cloud Security Alliance (CSA), 89% of organizations now host sensitive data or workloads in the cloud. But increased use doesn’t necessarily mean better protection: 44% of companies feel “moderately” able to protect this data, and 33% say they’re only “slightly” confident in their defense.

With cloud networks growing exponentially, businesses need a new way to handle both existent and emerging threats. Cloud-native applications protection platforms (CNAPP) offer an integrated, end-to-end security approach that can help companies better manage current conditions and prepare for future attacks.

What is CNAPP?

As noted by research firm Gartner in their August 2021 Innovation Insight for Cloud-Native Application Protection Platforms report (paywall), CNAPP is “an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production.”

The goal of CNAPP solutions is to protect cloud-based applications across their entire lifecycle, from initial deployment and integration to regular use and maintenance to eventual end-of-life. Rather than taking a point-based approach to security that sees companies adopting multiple solutions which may (or may not) work in tandem to solve security issues, CNAPP looks to provide a single user interface and a single source of truth for all cloud-related security processes.

In effect, this approach prioritizes the centralization of cloud security processes to help companies better manage disparate applications and services.

Why Is Security in the Cloud so Challenging?

Effective security relies on effective attack path analysis – the categorization and protection of pathways. In a traditional infrastructure model, these pathways were relatively simple, stretching from internal resources to Internet applications and back.

Highways offer a simple analogy. Say that your resources are in San Francisco, California, and the Internet is in San Jose. Different highways offer different paths to the same destination. Installing checkpoints along these highways, meanwhile, makes it possible for companies to ensure that cars heading into San Francisco or back to San Jose have permission to do so. If they don’t, they’re not allowed to proceed.

The cloud significantly complicates this process by adding a host of new destinations and attack pathways, both on the ground and in the air. Where companies might have managed 50 potential points of compromise, in the cloud this number could be 5000 or 50,000 —and is constantly growing. Plus it is 100x easy to misconfigure the points of compromise.

As a result, there are both more vehicles traveling and more routes for them to travel, in turn making it 100x more complicated to see and secure the cloud. This in turn, increases the risk of traffic getting into or out of your network without the proper permissions, resulting in everything from lateral compromise to ransomware payloads to advanced persistent threats (APTs).

Clouds also create a challenge when it comes to third-party protection. While cloud-native applications are evolving to meet new enterprise requirements, well-known or specialized third-party solutions are often tapped for additional security controls or to provide enhanced functionality. In our traffic example, this means that different checkpoints are managed by different vendors that may not always speak the same language or use the same metrics. This means it’s possible for one of these checkpoints to report a false positive or negative, in turn putting your local cloud environment at risk.

How Can CNAPP Help Companies Address Cloud Security Challenges?

CNAPP solutions makes it possible to centralize security management for greater visibility and control. According to Gartner, this is accomplished via five key components:

  1. Infrastructure as Code (IAC) Scanning
    IAC scanning helps companies identify potential issues with distributed configurations across their network. This is especially critical as infrastructure provisioning becomes more and more automated. Without the ability to regularly scan for potential weak points, IAC becomes a potential liability.
  2. Container Scanning
    Containers are a critical part of cloud computing. By making it possible to package applications in a platform- and service-agnostic framework, it’s easy for companies to deploy new services without rebuilding code from the ground up. The caveat? Containers that have been compromised present serious risks. As a result, container scanning is critical.
  3. Cloud Workload Protection Platforms (CWPPs)
    CWPPs are designed to discover workloads within both cloud and on-premises infrastructure and then perform vulnerability assessments to determine if these workloads pose potential risks based on current policies and if any actions are required to remediate this risk.
  4. Cloud Infrastructure Entitlement Management (CIEM)
    CIEM tools help handle identity and access across the cloud. By automatically granting, revoking, and administering access to cloud services, the judicious application of CIEM solutions make it possible for companies to adopt a principle of least privilege approach to access.
  5. Cloud Security Posture Management (CSPM)
    CSPMs automate the process of identifying and remediating risk across IaaS, PaaS, and SaaS deployments in enterprise clouds. These tools provide the data-driven foundation for risk visualizations and assessments that empower effective incident response.

Working together, these solutions make it possible for companies to see what’s happening in their cloud network environments, when, and why, in turn allowing IT teams to prioritize alerts and take immediate action. Consider the RedSeal Stratus CNAPP solution, which provides companies with a “blueprint map” of their entire cloud framework to identify where resources are located and full attack path analysis to identify where they are exposed.

In the context of our highway example, RedSeal Stratus makes it possible to map every possible path and checkpoint taken, in addition to providing information about each exposed resource at risk in San Francisco and who can get to them within minutes. This makes it possible to assess the net effective reachability of all aspects of your cloud and pinpoint areas that require specific action.

What Comes Next for CNAPP?

Put simply, CNAPP is the future of cloud security, but it’s not a monolithic, one-size-fits-all solution. Given the rapidly-changing scope and nature of cloud services, CNAPP solutions won’t be one-vendor affairs but rather a consolidation of differing vendor specialties under a unified platform model that provides a single pane of glass visibility for users.

Moving forward, companies should expect an increasing focus on the data residing in the resources as the core component of CNAPP. This includes not only a focus on how they are accessible and permissions but on positively identifying where they’re located, what they’re doing, who is accessing them, risks and how they interact with other services and solutions both on-Premise and cloud.

CNAPP is coming of age. Make sure you’re ready for the next generation of cloud security with RedSeal