RedSeal Resilience Report: Cyber Pros Point to “Perfect Storm” as Security Fundamentals Face Crisis

New research from RedSeal indicates four critical areas are in distress:

  • The threat landscape is growing faster than teams can respond
  • Lack of preparation is pervasive
  • Huge gap between perceived and true detection times
  • Compliance – not company strategy – drives cyber planning

Sunnyvale, Calif. – November 3, 2017 – RedSeal, the leader in network modeling and cyber risk scoring, today released the results of its second annual Resilience Report, which found IT Security teams are on the verge of a huge crisis.

The 2017 Resilience Report asked 600 U.S. and UK CISOs and senior IT decision makers about the biggest challenges they face. Across the board, the majority report that four areas central to cybersecurity are all at risk – resources, preparation, detection and overarching strategy – exposing their organizations to significant cyber threats.


1. A sophisticated threat landscape, evolving faster than teams can respond

The burgeoning threat volume and complexity is outpacing security teams’ capabilities. More than half (54 percent) of senior cybersecurity professionals think the threat landscape is evolving far faster than their organization can respond. Specifically:

  • 54 percent report they don’t have the tools and resources they need
  • 55 percent can’t react quickly enough to limit damage in the event of a major security incident
  • 79 percent say their organization can’t access insights to prioritize their response to an incident
  • Only one in five (20 percent) are extremely confident their organization will continue running as usual upon discovery of a cyberattack or breach

2. Lack of preparation is pervasive

The 2017 RedSeal Resilience Report found that only 25 percent of respondents’ organizations test their cybersecurity response to a major incident annually, if at all.  It also found a strong correlation: as time since the last test increases, executives’ confidence in the plan decreases.

  • On average, it has been nine months since organizations created a complete blueprint, model or map of their entire network. This means pathways through their constantly changing network – and access to their most valuable assets – are neither confirmed to be secure nor clearly known at all.
  • 55 percent concede they don’t test their strategies frequently enough because it is resource intensive (29 percent), outside their budget (27 percent), or takes too much time (26 percent)

3. There’s a dangerous gap between perceived and true detection times

Once a network is compromised, a cyberattack festers until it’s detected and resolved. Alarmingly, the RedSeal Resilience Report reveals an industry-wide discrepancy between how long organizations believe it takes them to become aware that their network has been compromised and how long it actually takes.

  • Perception:  When ranking their capabilities, cyber pros voted “detection” as their strongest area (40 percent), with respondents reporting it takes an average of six hours to discover an incident
  • Reality: Other studies of the same “time to detect” report drastically different times:

This suggests that – despite detection being considered the security teams’ greatest strength – companies are struggling and not fully informed. Take, for example, Sonic, which didn’t know it had been hacked until its credit card processor informed it of unusual activity. Sonic acknowledged the breach – which compromised more than five million credit cards – 11 days after the first batch of cards was uploaded for sale.

4. Compliance – not strategy – drives security planning

Given the massive financial impact of breaches, cyber strategy should be the C-Suite’s priority. However, 97 percent of respondents report that external regulations play a major role in their cybersecurity and resilience planning and implementation.

  • 92 percent of organizations have had to adapt the way that they meet regulatory requirements due to the use of public cloud platforms such as AWS and Microsoft Azure
    • 12 percent of respondents’ organizations had to do a total rethink
    • 49 percent had to make significant changes
  • Only 27 percent are completely confident their IT systems can support these regulations
    • Therefore, the 73 percent of companies that might not meet the requirements for using public clouds – such as AWS, where Deloitte faltered, and Azure, the source of hacks for Dow Jones, Verizon, and the RNC, to name a few – may be more exposed to attacks and breaches.

“Having any one of these four areas – resources, preparation, detection and overarching strategy –  in crisis is dangerous. Combined, they’re the harbinger of security disaster for any organization,” noted Ray Rothrock, CEO and chairman of RedSeal. “This report underscores the urgency for the leaders of cyber strategy to pivot and aggressively pursue resilience, the ability to maintain business as usual while navigating an attack, as the new gold standard.  Being prepared is the best defense.”

###

The RedSeal Resilience Report 2017

The RedSeal Resilience Report 2017, an inside view into the state of the IT security industry, provides insights into strategies and challenges across the complex cybersecurity landscape.

Each of the 600 CISOs, CIOs and senior IT decision makers (400 U.S. and 200 UK) who participated had sole or majority responsibility for network cybersecurity within their organizations, 25 percent of which have more than 5,000 employees. They bring perspective from across a number of industry sectors including: retail and distribution; healthcare; technology; financial services; energy – oil and gas; manufacturing and production. Global market research firm, Vanson Bourne, conducted the research in the summer of 2017.

The 2016 RedSeal Resilience Report explored the “Rise of Cyber-Overconfidence in the C-Suite” and found that more than 80 percent of CEOs display “cyber naiveté,” leaving their global organizations exposed to massive cyber-attacks.


About RedSeal

RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital world. RedSeal helps customers understand their network from the inside out, and provides rich context, situational awareness and a Digital Resilience Score to help enterprises measure and ultimately build greater resilience into their infrastructure. Government agencies and Global 2000 companies around the world rely on RedSeal to help them improve their overall security posture, accelerate incident response and increase the productivity of their security and network teams. Founded in 2004, RedSeal is headquartered in Sunnyvale, California and serves customers globally through a direct and channel partner network.

Media contacts

US:
Amy Farrell
Finn Partners
Amy.Farrell@finnpartners.com
617-366-7149

Defense Medical Communities Face Digital Resilience Challenges

Last week in Orlando, I attended the Defense Health Information Technology Symposium (DHITS) conference. This is one of the best attended, most cohesive trade shows I have been to in years. One of the eight break-out tracks was entirely devoted to the challenges of securing defense health networks and the medical devices that connect to them. It was overdue proof that the Defense Health Agency (DHA) community is recognizing the importance of cybersecurity.

The seven cyber sessions were:

  • Risk Management Framework
  • Cybersecurity – Decisions, Habits and Hygiene
  • Are You Cybersecurity Inspection Ready?
  • Incident Response: Before, During and After the Hack – How
  • MHS Medical Device Integration and Security: Details Matter
  • RMF Requirements and Workflows for Medical Devices with the DOD
  • Security for Connected Medical Devices

Clearly, the defense health community is paying a lot of attention to medical devices as a source of vulnerabilities.  According to a DHA presentation at the conference, 80% of all successful cyber incidents can be traced back to poor medical device user practices, poor network and management practices, and poor implementation of network architecture.

Medical devices are easy to access on internal networks and device owners are not sure how to secure the devices or the networks.

Everyone tries to lock down the devices. There are thousands of devices in a large hospital. They can’t be 100% secure. They need networks that are digitally resilient, that find devices and non-compliant configurations. Only then can they mitigate the risk to defense health systems. Even though the Defense Health Agency is a new organization, it’s slowly taking over the IT responsibilities of various defense health organizations. As these networks are consolidated into a new network, Med-COI, there has been a tendency to focus on “getting the job done.” To avoid future issues, DHA needs to prioritize understanding what current risks they’re bringing into this new network.

The good news is that all the attendees I spoke with and who dropped by RedSeal’s booth agreed that these were challenges that needed to be addressed.

For more information on how RedSeal can assist with building digital resilience in the Defense Health community, please contact Matt Venditto at mvenditto@redseal.net

RedSeal Responds to the Commission on Enhancing National Cybersecurity Report

“Collaboration is about trust, and sharing information with government can be a tough sell to a skeptical business audience. But we must try to get it right. Sharing intelligence is a key to success. The military knows that.

It can be a key to success in cyber, too. As we work to close the trust gap, let’s also move ahead to set standards and let businesses and other organizations pick best-of-breed solutions for their networks. One size does not fit all.”

– RedSeal CEO Ray Rothrock


What is the Commission on Enhancing National Cybersecurity?

The Commission on Enhancing National Cybersecurity, established by President Obama early this year, completed and released its report on Dec. 1, 2016, providing detailed short-term and long-term recommendations to strengthen cybersecurity in both the public and private sectors.

According to NIST’s website:
The report emphasizes the need for partnerships between the public and private sectors, as well as international engagement. It also discusses the role consumers must play in enhancing our digital security. The report categorizes its recommendations within six overarching imperatives focused on infrastructure, investment, consumer education, workforce capabilities, government operations and requirements for a fair and open global digital economy.

What does the report mean for the current state of cybersecurity?

RedSeal executives have been quoted in several articles responding to the report’s findings:

How can RedSeal help an organization follow the report’s recommendations?

Even with the billions invested in hundreds of network security products, incidents, breaches, and failures are inevitable.

The most forward-thinking business leaders realize that the best approach is to make their networks resilient. Resilience is the ability to stay in business and minimize damage to your customers, your reputation, and your bottom line when the inevitable incident happens. Even though you can never prevent every attack, a resilient network can prevent an incident from becoming a breach, stopping an attacker in his tracks.

So how do you measure and manage your digital resilience? That’s where RedSeal’s security analytics platform comes in.


Using RedSeal to Understand Access to the “Shadow Broker” Firewall Vulnerabilities

Recent press coverage has focused a lot of attention on some long-hidden vulnerabilities in firewalls. Network security teams are scrambling to understand whether they are exposed, and to what extent. These notes show how you can use RedSeal to understand the extent of the problem in your specific network.

Nature of the Issues

The current focus is on a set of newly publicized vulnerabilities that had not been uncovered previously, including the one covered by this Cisco advisory for its ASA products: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

This is not the only vulnerability found in the “Shadow Broker” files, but it serves as a good working example. The vulnerability is a flaw in SNMP, a protocol very commonly used as an important function of network infrastructure. Simply disabling SNMP is not generally a viable workaround, since SNMP is a vital part of network visibility. (Even if your windshield has a crack in it, it’s not a good response to paint it black.) Instead, organizations have to understand whether they have properly limited access to the vulnerable protocol, and which locations actually need that access.

In other words, a network is in poor shape if anyone, anywhere inside the network can use SNMP to communicate with the firewalls. In that scenario, an attacker anywhere inside the organization can compromise a firewall — an extremely undesirable situation. Such an attacker can surreptitiously monitor traffic, since firewalls are often at critical choke points in networks with a view into all boundary-crossing flows. Worse, if the attacker wants to be disruptive to operations, there are few locations as powerful as a main firewall to cut off the ability of an organization to function and respond.

A well-built organization does not allow SNMP access from anywhere to their key network infrastructure. Instead, they limit access, since SNMP is useful, but not needed by most people in an organization to do their jobs. It has long been a best practice in network architecture to limit access for SNMP only to those locations that need it. But which locations are those exactly? An organization responding to the “Shadow Broker” disclosures has to scramble to quickly understand where they allow SNMP, since these locations are the critical attack surface for these newly revealed attacks.

Finding Access to Firewalls

With RedSeal, it’s very easy to find out whether you are wide open to these SNMP attacks, and if not, to locate where you allow access.

Step 1: Bring up the Security Intelligence Center, using the yellow light bulb icon in the icon bar:

RedSeal_ShadowBroker_1

Step 2: On the left, under Source, click Select, then Browse, then All Subnets, then Replace.  This sets the source for the query to “anywhere”.  You should see this:

RedSeal_ShadowBroker_2

Step 3: On the right, under Destination, click Select, then Browse, and change the View to Primary Capability.  Open the Firewall folder, like this:

RedSeal_ShadowBroker_3

Step 4: To start with, pick just one firewall – in this example, I’ll take the second one on the list, from Vienna.  Hit Replace to add this to the query dialog.

Step 5: In the Protocols field, enter “udp” (without the quote marks) and in the Ports field, enter “161”.  This is the port and protocol for basic SNMP communication.  The query dialog now looks like this:

RedSeal_ShadowBroker_4

Step 6: Click the Access button in the icon bar at the bottom.  This will show you a table of all access to the given firewall – in this case, just one row:

RedSeal_ShadowBroker_5

Step 7: To see this visually, click “Show In Topo” at the bottom of this result.  This will take you to the network map, and highlight where you have SNMP access to the firewall.

RedSeal_ShadowBroker_6

This is a “good” result.  Only one location in the network can use SNMP to reach this firewall.  There is still risk – it’s important to investigate any defects, vulnerabilities, or indicators of compromise from the source side of this arrow. But fundamentally, this firewall was secured following best practices – the total amount of the network that can access the SNMP management plane of this device is very limited.

However, in real world networks, the answer will often be messier. RedSeal recommends following the above steps for only one firewall at first, to look at the extent of SNMP access. If your organization shows a good result for the first few firewalls, this is reassuring, but can then lead to harder questions. For example, we can ask a much wider question, covering all the firewalls at once. This should only be attempted after looking at a few individual firewalls, since the full query can generate an overwhelming amount of data.

To ask this broader question, go back to step 4 – in the Security Intelligence Center dialog, click Select on the right, under Destination.  Rather than picking one firewall off the list, we can select the folder of all firewalls, then click Replace.  The query dialog now looks like this:

RedSeal_ShadowBroker_7

Even in a relatively small network, this generates a lot of information.  We can look at the answer visually, using Show in Topo:

RedSeal_ShadowBroker_8

Clearly, this network has not followed the best practice of limiting SNMP access to its firewalls. Each blue arrow represents some location that has access to a firewall over SNMP. It is not plausible that so many locations in this network need that access to perform their job functions. This network needs to focus on internal segmentation.

Checking Firewall Code Versions

As the various vendors release updates, it’s important to track whether you have firewalls that need to be updated urgently – especially those with very wide access.  You can use RedSeal to generate a summary report on the types of firewalls you have, and which versions of software they are running.  One way to report on firewalls by version is as follows:

Step 1: Open Reports tab, select Security Model in the left hand list of reporting areas.

Step 2: Click the + button to create a new report, and select a data type of Network Device

Step 3: On the first tab, name your report “Firewalls by OS” (without the quotes – or pick your own name for the report), like this:

RedSeal_ShadowBroker_9

Step 4: On the second tab (Fields), click Edit, select OS Version on the left list, and click Add to add it to the list of fields in the report.  Click OK.

Step 5: Under Group Report By, change the grouping to “OS Version”

Step 6: Under Display Options, enter 10 in “Limit display of results to the first N rows”.  (This is to abbreviate the report, at least initially.  Some organizations have a great many firewalls, and the first thing to do is to figure out which OS versions you have, with a few listed examples, before digging through too large of an inventory report.)

By this point, tab 2 should look as follows:

RedSeal_ShadowBroker_10

Step 7: Change to tab 3, Filters, and under “Match All”, add a rule for “Primary Capability”, then “Is”, then “Firewall”, like this:

RedSeal_ShadowBroker_11

Step 8: Hit Save. The default choices on tabs 4 and 5 will work well here, to include some counts and a chart.

Step 9: On the Reports tab, run your new report by double-clicking the icon above “Firewalls by OS” (or whatever name you gave your report).

Your browser will pop up requesting a login (if you haven’t logged in previously), then will display a report summary chart like this:

RedSeal_ShadowBroker_12

You may want to focus first on the smaller bars – the unusual outliers in your network infrastructure. This is where overlooked problems – in this case, well down-rev firewall operating systems – can lurk. The report details will include a sample of the firewalls running each code image in your environment, like this:

RedSeal_ShadowBroker_13

As the firewall vendors move to produce new releases to close off these vulnerabilities, you can use a report like this to track how well your operational teams are deploying these important updates.
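As an added illustration, not RedSeal’s code or output, the following Python script models the two checks walked through above (the “anywhere to one firewall over udp/161” access query, and the “Firewalls by OS” report) against a constructed inventory: the device names, OS version strings, subnets and ACL entries are all invented, and first-match, implicit-deny ACL evaluation stands in for RedSeal’s path analysis.

```python
import ipaddress
from collections import defaultdict

SNMP = ("udp", 161)

# Constructed inventory (not real devices or real code versions). ACL entries are
# (action, source prefix, protocol or "any", destination port or None for any port);
# first match wins, with an implicit deny at the end.
FIREWALLS = [
    {"name": "fw-vienna", "os": "ASA 9.4(3)", "acl": [
        ("permit", "10.10.0.0/24", "udp", 161),   # management subnet only
        ("deny", "0.0.0.0/0", "any", None),
    ]},
    {"name": "fw-dc1", "os": "ASA 9.1(2)", "acl": [
        ("deny", "10.30.0.0/25", "udp", 161),     # blocks only half of 10.30.0.0/24
        ("permit", "10.0.0.0/8", "udp", 161),     # the whole corporate range: too wide
    ]},
    {"name": "fw-dc2", "os": "ASA 9.4(3)", "acl": [
        ("permit", "10.10.0.0/24", "udp", 161),
        ("permit", "10.20.0.0/23", "udp", None),  # any UDP port from two /24s
        ("deny", "0.0.0.0/0", "any", None),
    ]},
]
# Constructed list of every internal subnet: the "All Subnets" source of the query.
ALL_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24", "10.20.1.0/24",
               "10.30.0.0/24", "192.168.5.0/24"]

def snmp_sources(fw, subnets=ALL_SUBNETS, service=SNMP):
    """Map each candidate subnet to 'permit', 'deny' or 'partial' for the service.
    'partial' means the first matching entry covers only part of the subnet, so
    the verdict differs by host and that subnet needs a closer look."""
    proto, port = service
    verdicts = {}
    for s in subnets:
        cand = ipaddress.ip_network(s)
        verdict = "deny"                          # implicit deny
        for action, src, r_proto, r_port in fw["acl"]:
            if r_proto not in ("any", proto) or r_port not in (None, port):
                continue                          # entry is for another service
            src_net = ipaddress.ip_network(src)
            if cand.subnet_of(src_net):
                verdict = action
                break
            if cand.overlaps(src_net):
                verdict = "partial"
                break
        verdicts[s] = verdict
    return verdicts

def permitted_sources(fw):
    """Subnets with any SNMP access to the firewall: the rows of the Access table."""
    return sorted(s for s, v in snmp_sources(fw).items() if v != "deny")

def firewalls_by_os(fws=FIREWALLS, limit=10):
    """Group firewalls by OS version, smallest groups first so outliers stand out,
    listing at most `limit` example devices per version like the report's row limit."""
    groups = defaultdict(list)
    for fw in fws:
        groups[fw["os"]].append(fw["name"])
    ordered = sorted(groups.items(), key=lambda kv: (len(kv[1]), kv[0]))
    return [(os_ver, len(names), names[:limit]) for os_ver, names in ordered]
```

Running `permitted_sources` over each entry in `FIREWALLS` reproduces the contrast in the text: the Vienna firewall is reachable only from its management subnet, while fw-dc1 is reachable from almost everywhere and also flags a subnet that the ACL only half covers.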

Conclusions

The recently uncovered vulnerabilities, which appear to have been in use for many years, are further proof that we need to keep our houses in order. An organization with good discipline about internal segmentation, with a well separated network management infrastructure, has less to worry about with these new revelations. But even that organization needs rapid ways to assess whether the discipline has really held up in practice. Are there gaps? If so, where? And for the locations that do have SNMP access to firewalls, how easy or hard are they for an attacker to break into? All of these questions are easy to answer if you have the ability to analyze your as-built, rapidly evolving network infrastructure. RedSeal makes it easy to find answers to these vital questions.