What are the security priorities for the post-coronavirus world?

Computer Weekly |  May 11, 2020

Earlier in 2020, Computer Weekly and TechTarget published the results of our annual IT Priorities study, a wide-ranging look at what is currently top of mind for IT buyers. Amid overall softening budgets across the IT landscape, the survey reported that security and risk management were easily top of the heap, with cyber security coming to be seen as more important than cost.

For RedSeal CTO Mike Lloyd, who besides 21 patents in cyber security holds a PhD in stochastic epidemic modelling, the future of security after Covid-19 looks uncertain, but then, he adds, isn’t the future always uncertain?

Securing the Supply Chain

CXO Insight ME | March 2020 (Pages 36-37)

Dr. Mike Lloyd, CTO at RedSeal, on how to protect your supply chain from cyberattacks.

“The supply chain combatted the challenge of repeatable quality through standards and audits – organisations establish baselines of what it takes to make a reliable product, and then build the supply chain around those who can meet the standard. The time has come for comparable efforts around cybersecurity and digital resilience across the supply chain.”

10 Hot Cybersecurity Companies To Follow In February 2020

Cybercrime Magazine | January 20, 2020

Cybersecurity is one of the most urgent world issues, meaning February 2020 is no time for indifference. A new year invariably brings new threats as the news cycle is dominated by high-profile hacks and disastrous cases of negligence.

3. RedSeal

San Jose’s RedSeal saw the light of day in 2004 and has spent the intervening years helping companies improve their cyber risk assessments and their scoring and modeling methodologies.

Performing regular vulnerability assessments is critical in modern cybersecurity and the key to staying ahead of emerging threats. That goes double for health care companies (one of RedSeal’s specialties), who are beholden to HIPAA and various other ongoing threat assessment requirements.

Digital Resilience: Book Review by Mark Gorenberg

Book Review  | January 14, 2019

Mark Gorenberg, Founder, Zetta Venture Partners 

Wow. What an amazing read. I was mesmerized by the details and the easy way you explained the Target breach all the way through the list of recommendations. Really great work.

Digital Resilience: Book Review by Diana Chapman Walsh

Book Review  | January 8, 2019

By Diana Chapman Walsh, 12th President of Wellesley College

Fascinating, compelling, a beautifully-written page turner that draws the reader in immediately. I learned a whole new vocabulary—new words to convey new concepts in paragraph after paragraph—introduced elegantly and seamlessly so as not to disrupt the flow of the intriguing story you were unfolding. Concepts like “preemptive mitigation of damage” to augment existing security measures aimed at preventing breaches, which are inevitable. And that because of the “frictionless vulnerability” that accompanies the much-desired ability to communicate without friction. The difference (in time and consequence) between infiltration of the network and “exfiltration” of the data. On and on like this.

A whole fascinating world that reads more like a John Grisham novel than a technical treatise. That’s my comment on the pleasure of reading it; masterfully crafted prose and structure. Beyond that, you make an iron-clad case that (1) cybersecurity is among the most important issues of our time and (2) the digital resilience you describe is indispensable and also possible if senior leadership will educate themselves, institute the changes you advocate, and pay attention. I loved your dark energy-dark matter analogy at the opening of Chapter 7.

Digital Resilience: Book Review by Azure Yu

By Azure Yu, Titans Briefs, The University of Texas at Austin McCombs School of Business

Summary:

Cyberattacks are inevitable and costly in today’s intensively connected world. Undergoing cyberattacks will be the norm rather than the exception for all kinds of organizations, and these attacks will usually have devastating consequences. To survive in this hostile environment, companies have implemented necessary security measures such as firewalls and anti-malware, but these measures are insufficient against the inherent risks of digital networks. Greater connectivity comes with more vulnerability. Rothrock points out that C-suites must use “digital resilience” as a whole-business strategy. Digital resilience allows companies to survive attacks, contain breaches, recover, and continue to operate while under attack. Lack of digital resilience can lead to severe consequences – the 2013 Target breach was an example.

The book describes digital resilience in detail. It covers the history of networks, the technical fundamentals, and the distributed nature of the current state. It paints a vivid picture of the inevitability of a successful attack, given that over a trillion Internet of Things (IoT) devices are connected to the network and each node creates vulnerability. It provides actions business leaders can take toward achieving digital resilience. Here are the eight steps listed in the book to build deep knowledge of your data and networks:

  1. Verifying that the device configurations comply with relevant regulation and industry best practices.
  2. Modeling the network by collecting configuration and operation data of the network devices as often as necessary and without burdening the network.
  3. Visualizing end-to-end access and path details to see intended and unintended access among all parts of the network.
  4. Measuring network resilience and managing it. Rothrock explains the resilience scoring in his RedSeal system in Chapter 6.
  5. Identifying hidden areas of the network to manage risks in those areas – the “scary parts” and unknown parts of the network can be significant security risks.
  6. Prioritizing vulnerability patching to allocate resources to patch the most urgent network situation.
  7. Verifying network security policy. It is essential to know if security policies are implemented properly in order to measure the real resilience of a network.
  8. Prioritizing network change control. Businesses need the capability to assess the security impact of potential or proposed changes to the network.

Ray Rothrock: Tech Investor Who Runs on Optimism

Tau Beta Pi – The Bent | April 4, 2018

With Ray Rothrock, Chief Executive Officer

Ray Rothrock, the general manager at the Rockefeller family’s venture capital firm, Venrock, moves fast. When opportunity presents itself–and sometimes even when it does not–he plunges forward, certain that action will create its own luck.

Advice for Entrepreneurial Engineers

ASME | Feb 22, 2018

By Ray Rothrock, Chief Executive Officer

Entrepreneurs are everywhere today—from Silicon Valley to incubators and tech hubs around the world. While many startups are in tech, others involve engineers who use digital tools and 3-D printing to invent new products or reinvent existing ones. So, what should potential entrepreneurs consider before leaping? I don’t have a definitive answer, but after 25 years of funding startups, more than 40 successful investments, and eight initial public offerings, I see some patterns that work.

RedSeal Resilience Report: Cyber Pros Point to “Perfect Storm” as Security Fundamentals Face Crisis

New research from RedSeal indicates four critical areas are in distress:

  • The threat landscape is growing faster than teams can respond
  • Lack of preparation is pervasive
  • Huge gap between perceived and true detection times
  • Compliance – not company strategy – drives cyber planning

Sunnyvale, Calif. – November 3, 2017 – RedSeal, the leader in network modeling and cyber risk scoring, today released the results of its second annual Resilience Report, which found IT Security teams are on the verge of a huge crisis.

The 2017 Resilience Report asked 600 U.S. and UK CISOs and senior IT decision makers about the biggest challenges they face. Across the board, the majority report four areas central to cybersecurity are all at risk –  resources, preparation, detection and overarching strategy – exposing their organizations to significant cyber threats.


1. A sophisticated threat landscape, evolving faster than teams can respond

The burgeoning threat volume and complexity are outpacing security teams’ capabilities. More than half (54 percent) of senior cybersecurity professionals think the threat landscape is evolving far faster than their organization can respond. Specifically:

  • 54 percent report they don’t have the tools and resources they need
  • 55 percent can’t react quickly enough to limit damage in the event of a major security incident
  • 79 percent say their organization can’t access insights to prioritize their response to an incident
  • Only one in five (20 percent) are extremely confident their organization will continue running as usual upon discovery of a cyberattack or breach

2. Lack of preparation is pervasive

The 2017 RedSeal Resilience Report found that only 25 percent of respondents’ organizations test their cybersecurity response to a major incident annually, if at all.  It also found a strong correlation: as time since the last test increases, executives’ confidence in the plan decreases.

  • On average, it has been nine months since organizations created a complete blueprint, model or map of their entire network. This means pathways through their constantly changing network – and access to their most valuable assets – are neither confirmed to be secure nor clearly known at all.
  • 55 percent concede they don’t test their strategies frequently enough because it is resource intensive (29 percent), outside their budget (27 percent), or takes too much time (26 percent)

3. There’s a dangerous gap between perceived and true detection times

Once a network is compromised, a cyberattack festers until it’s detected and resolved. Alarmingly, the RedSeal Resilience Report reveals an industry-wide discrepancy in how long it takes from when an organization’s network is compromised to when the organization becomes aware of the event.

  • Perception:  When ranking their capabilities, cyber pros voted “detection” as their strongest area (40 percent), with respondents reporting it takes an average of six hours to discover an incident
  • Reality: Other studies of the same “time to detect” report drastically different times:

This implies that – despite detection being considered the security teams’ greatest strength – companies are struggling and not fully informed. Take, for example, Sonic, which didn’t know it was hacked until its credit card processor informed it of unusual activity. The company acknowledged the breach – which compromised more than five million credit cards – 11 days after the first batch of cards was uploaded for sale.

4. Compliance – not strategy – drives security planning

Given the massive financial impact of breaches, cyber strategy should be the C-Suite’s priority. However, 97 percent of respondents report that external regulations play a major role in their cybersecurity and resilience planning and implementation.

  • 92 percent of organizations have had to adapt the way that they meet regulatory requirements due to the use of public cloud platforms such as AWS and Microsoft Azure
    • 12 percent of respondents’ organizations had to do a total rethink
    • 49 percent had to make significant changes
  • Only 27 percent are completely confident their IT systems can support these regulations
    • Therefore, 73 percent of companies which might not meet the requirements for using public clouds – such as AWS, where Deloitte faltered, and Azure, the source of hacks for Dow Jones, Verizon, and RNC to name a few – may be more exposed to attacks and breaches.

“Having any one of these four areas – resources, preparation, detection and overarching strategy –  in crisis is dangerous. Combined, they’re the harbinger of security disaster for any organization,” noted Ray Rothrock, CEO and chairman of RedSeal. “This report underscores the urgency for the leaders of cyber strategy to pivot and aggressively pursue resilience, the ability to maintain business as usual while navigating an attack, as the new gold standard.  Being prepared is the best defense.”


The RedSeal Resilience Report 2017

The RedSeal Resilience Report 2017, an inside view into the state of the IT security industry, provides insights into strategies and challenges across the complex cybersecurity landscape.

Each of the 600 CISOs, CIOs and senior IT decision makers (400 U.S. and 200 UK) who participated had sole or majority responsibility for network cybersecurity within their organizations, 25 percent of which have more than 5,000 employees. They bring perspective from across a number of industry sectors including: retail and distribution; healthcare; technology; financial services; energy – oil and gas; manufacturing and production. Global market research firm, Vanson Bourne, conducted the research in the summer of 2017.

The 2016 RedSeal Resilience Report explored the “Rise of Cyber-Overconfidence in the C-Suite,” and found more than 80 percent of CEOs display “cyber naiveté,” leaving their global organizations exposed to massive cyber-attacks.


About RedSeal

RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital world. RedSeal helps customers understand their network from the inside, out – and provides rich context, situational awareness and a Digital Resilience Score to help enterprises measure and ultimately build greater resilience into their infrastructure. Government agencies and Global 2000 companies around the world rely on RedSeal to help them improve their overall security posture, accelerate incident response and increase the productivity of their security and network teams. Founded in 2004, RedSeal is headquartered in Sunnyvale, California and serves customers globally through a direct and channel partner network.


Defense Medical Communities Face Digital Resilience Challenges

Last week in Orlando, I attended the Defense Health Information Technology Symposium (DHITS) conference. This is one of the best attended, most cohesive trade shows I have been to in years. One of the eight break-out tracks was entirely devoted to the challenges of securing defense health networks and the medical devices that connect to them. It was overdue proof that the Defense Health Agency (DHA) community is recognizing the importance of cybersecurity.

The seven cyber sessions were:

  • Risk Management Framework
  • Cybersecurity- Decisions, Habits and Hygiene
  • Are You Cybersecurity Inspection Ready?
  • Incident Response: Before, During and After the Hack- How
  • MHS Medical Device Integration and Security: Details Matter
  • RMF Requirements and Workflows for Medical Devices with the DOD
  • Security for Connected Medical Devices

Clearly, the defense health community is paying a lot of attention to medical devices as a source of vulnerabilities.  According to a DHA presentation at the conference, 80% of all successful cyber incidents can be traced back to poor medical device user practices, poor network and management practices, and poor implementation of network architecture.

Medical devices are easy to access on internal networks and device owners are not sure how to secure the devices or the networks.

Everyone tries to lock down the devices. There are thousands of devices in a large hospital. They can’t be 100% secure. They need networks that are digitally resilient, that find devices and non-compliant configurations. Only then can they mitigate the risk to defense health systems. Even though the Defense Health Agency is a new organization, it’s slowly taking over the IT responsibilities of various defense health organizations. As these networks are consolidated into a new network, Med-COI, there has been a tendency to focus on “getting the job done.” To avoid future issues, DHA needs to prioritize understanding what current risks they’re bringing into this new network.

The good news is that all the attendees I spoke with and who dropped by RedSeal’s booth agreed that these were challenges that needed to be addressed.

For more information on how RedSeal can assist with building digital resilience in the Defense Health community, please contact Matt Venditto at mvenditto@redseal.net