Tag Archive for: Breach

Securing Your Network, or Networking for Security?

Every day we hear about another breach, and most of the time the information we get is fairly consistent – the breach started and finished long before it was discovered.    It’s not always clear exactly how or where the attackers were able to get access because they’ve had ample time to cover their tracks.   Whatever log or history data we have is massive, and sifting through it to figure out anything about the attack is very difficult and time consuming.  We don’t quite know what we’re looking for and much of the evidence has come and gone.

As I survey the cybersecurity market and media coverage, I notice that:

  1.   We’ve thrown in the towel, it’s “not if, but when” you’ll be breached.
  2.   Many security vendors are now talking about analytics, dashboards, and big data instead of prevention.

person-thinking-networkNotably absent is the acknowledgement that the attack did not happen at a single point or computer, and that the actual theft of data was allowed because the data looked like legitimate network traffic using allowed routes through and out of the network.

We hear a lot about not having enough “security expertise”.  Is that really the problem?  Or is the problem that the security experts don’t really understand the full complexity of their networks?  The network experts understand.  These attacks are happening via network traffic – not on a device, nor with a known signature.   And what do networking professionals care about?  Traffic, and how it’s flowing.   I maintain that there’s a lot more expertise that could help in this breach analysis and prevention than we think – we’re just not asking the right people.

In subsequent posts I’ll talk about why the networking team is becoming vital to security efforts, and why understanding how a network is constructed and performs is the best chance we have of improving our defenses.

Anticipating attack: top 10 ways to prevent a breach

Last week, I spent most of my time in a conference room at RedSeal headquarters presenting our RedSeal Certification training to a mix of our customers and recent additions to the RedSeal team. Showing those in attendance the broad set of capabilities of the system reminded me how important it is to be very clear about the steps for anticipating attack and putting together automation and operations to protect your enterprise and its assets.

telescope-smaller_0Here is my top 10 list:

  1. Scan your hosts for vulnerabilities
  2. Prioritize and schedule patching
  3. Place modern security controls at all ingress and egress points
  4. Monitor all ingress and egress traffic, triggering alerts and interception of inappropriate traffic
  5. Standardize your device configurations
  6. Create a set of network security zones
  7. Review your network’s access paths
  8. Compare access to network security policy
  9. Track approvals of access between critical zones
  10. Monitor and report on access found each day

How does your approach compare to this list? What do you think I’m missing? Is there anything I included that you think shouldn’t be here?

Identify and Close Before the Bad Actor Exploits

It happened again yesterday. I was taking a break on my back porch and listening to the Colorado summer rain when an alert hit my phone: news of another breach. They seem to be coming with a disturbingly increasing regularity and with ever more serious consequences. For example, one company, Code Spaces, was completely destroyed when they refused to pay an attacker who then destroyed their customers’ data. The Energetic Bear group accessed utilities’ networks and could have launched attacks against them. In all likelihood, the number, extent, and veracity of these attacks will simply continue to expand.

telescope-smaller_0So what do you do? The good news is that the steps are well known and understood: place security controls into your network to isolate a set of subnetworks (typically called “zones”) and both set and monitor the potential access paths between the zones. This is the first set of defenses against attacks, and one which many organizations do not fully deploy.

It is common for me to see organizations that partially deploy zones – but do not monitor their implementation. This is akin to the multi-petabyte database that contains one incorrect byte of information: you can trust none of the information as a result.

So, the first step is to create clear and concise zones in your network and to analyze all potential access paths through your network to be sure that your zone rules are respected network-wide.

Do you do this? If so, what’s your approach?

Another Day, Another Breach

On Wednesday, August 20th, UPS announced that a breach may have compromised customer data during up to 105,000 transactions between January and August. While UPS is to be commended for coming forward so quickly, this breach underscores the truth that organizations with highly sophisticated and advanced capabilities in information technology aren’t inoculated against breaches. It is easy to think that organizations that are breached must not be focused on their technology or current in their capabilities. This breach shows us how very wrong that thinking is. In fact, just last month, Fortune wrote an article about how challenging UPS’s analysis must be, and how they solve it with technology.

Ultimately, this is a lesson to every organization that the combination of complexity and continuous change–including planned and organic growth of technology deployed and the inexorable advancement of technology–mean that it’s virtually impossible to even be aware of all the potential paths of attack, much less be able to protect against them. Gone are the days of having sufficient understanding of the network in the heads of one or two people, allowing fast and accurate analysis and countermeasures.

Unfortunately, today no human being can possibly know what the network is capable of allowing to happen.

It is critical for all enterprises to deploy not only reactive security analysis such as IDS/IPS, but also to use a cyberattack prevention system to analyze their entire network as it is actually implemented, to expose all potential paths and to provide guidance in plugging inappropriate holes. Otherwise, we will continue to see more and more breaches, with broader and more devastating impact. Enterprises must take action by using cyberattack prevention to avoid being the next casualties.

Breaches Reach the Board Room

The discussion of cyber security is finding its way into the board room.  Everyone has read about a breach like the ones at Target, or Neiman Marcus, or Sony.  They also probably now have the word “Heartbleed” in their lexicon whereas six months ago most people would have thought this was a medical condition.  Directors surely must be thinking about whether this could happen to them and what they should do.  Just framing the discussion is often difficult because people simply have little or no background.  They need to know what is going on and what the risks to the company are.

The first interested director is probably the chair of the audit committee.  She or he should be active in asking key questions about security, processes, and what operationally is being done.  This is no different than asking if procedures for check signing are set up and being managed, or about how the shrinkage in retail or warehouse operations is being managed and monitored.  Cyber security has a complete parallel to these issues.

war-room-jpgOf course I can’t speak for every board of directors, but a couple of companies on whose boards I serve have a line item on the agenda – usually during the audit committee report – to discuss cyber.  Regrettably, the discussion usually lasts less than five minutes even though the headlines in the newspaper are full of corporate issues around being breached.  I can’t tell if it is a lack of appreciation of how serious the problem is, or if there is even a real problem.  I can’t tell if it is one of those “if I don’t ask, then I don’t have to know” problems.   Solving any problem first requires acknowledgement of the problem.  And the cyber attack problem is getting top billing in the news, just not in the board room.

Ask yourself, does the CEO get a report on cyber security, just like s/he gets a P&L or sales report?  Cyber is dynamic, and it’s a constantly changing front of action, just like sales.  Unfortunately, this is now part of every business and it takes away from business.  But I bet it’ll take much less away than a full breach.

Is Nothing Sacred Anymore?

It’s unthinkable: hackers targeting that sacrosanct American institution, the sports team? The recent incident in which the Houston Astros’ internal trade discussion were hacked and posted on the Internet shows that, today, no target is off limits.  Jeff Luhnow, GM for the Astros, was quite right when he said: batter_swinging_baseball_bat_at_a_pitched_ball_0515-1104-1601-5532_tn“It’s a reflection of the age we living in. People are always trying to steal information” The main problem that encourages this kind of illegal activity is that it’s really relatively easy.  Nobody thinks the hacker who stole the information from the Astros was heavily funded by a foreign government, or anything like that.  Indeed, it’s quite possible the person or people involved had no more motivation than curiosity, and found it easy to get in. The challenge, of course, is that every business has secrets – how it approaches negotiation, or the pricelist for its upcoming products, or its next quarter of advertising plans.  All that information is useful to others if it’s exposed.  Many businesses like the Astros have treated IT security as a “high end” problem – something for banks, the military, or energy companies to worry about.  But it’s just not possible to operate that way anymore – the risk of corporate embarrassment, or worse, is escalating.  Attackers are finding our complex defenses are badly deployed, badly coordinated, and easy to walk through.  All the attacker needs is persistence, and the search for a forgotten, unlocked “side door” onto the business can be largely automated.  Defenders need to understand all the gaps, and how all the security defenses work together, even if their only target is “good enough” security.  As the Astros have found, the standards of “good enough” are rising rapidly.

A Question of When, not If

Breached!  This is the new watchword in the executive office suite these days.  Ever since Brian Krebs revealed to the world that Target had been breached, every company is on notice.   While the primary role of the CEO is revenue and growth, there are a host of other activities that support revenue and growth.  Namely, the company’s employees and its data infrastructure are critically important for every company.  But what about the network?

Having been an investor in network infrastructure for a couple of decades, I know chances are very high that your company’s network has been built over decades, by scores of people of varying skill levels.  Chances are your network is very complex, beyond what any person or team can truly understand.  Chances are your network runs your business more than you really appreciate, and without it your business would stop.  It’s just as important as your manufacturing and supply chain, or your service centers, or your employees.  The network is a strategic asset of the corporation.

tweezersThis was brought home in a powerful way when I recently attended a cyber security meeting in London.  In addition to briefings with a number of industry analysts, this meeting also included a panel discussion with about 15 CISOs from various industries like finance, not-for-profit, publishing, media, banking, and manufacturing.  To a person these CISOs said two things.  First, their greatest need was skilled personal to run their networks.  Second, their senior management was asking questions about not “if” they were breached but what they would do “when” they were breached.  This shift in attitude, driven by all the news in recent years about breaches at large, household-name companies, was an “ah ha” moment for me.

Your company will be breached, or you will fall victim to some other network crime.  As CEO, you must prepare yourself for these events.  A lot can be done to prevent most breaches, and to be prepared when one inevitably does happen.  It starts by knowing just how your network is built and operated.  As trite a statement as it is, the truth of the matter is this:  If you don’t know how your network is built, how can you possibly secure it?

Have you asked your CISO what the plan of action is when a cyber attack is successful?  Does your board understand the liability of a successful attack?  Regrettably, it is a matter of when, not if.

Defending Against Botnets

Botnets have been around for many years, but Distil Networks’ recently-released research shows that their use not only continues to grow dramatically, but that use is becoming more sophisticated. In having the bots focus their attacks during off-hours, the attackers may have a greater window of opportunity for damage before discovery.

This underscores the need to expand security analytics beyond the reactive focus of IPS/IDS to also include complete proactive analysis of what could happen. For example, analyzing all of the possible paths into and through an enterprise network–including from vendors and partners–within the overall context of the complete, complex network, allows the enterprise to ensure limited access before any paths are probed by a bot.

The botnets are a primary contributor to the distributed denial of service attacks, for instance, which are reported to have volumes up to 300Gbps.

As we have seen from widespread and newsworthy breaches over the past few years, it is very difficult to react quickly to an attack in progress. While such defenses are critical, equally vital are analytics that determine and monitor the effectiveness of the entire network as a system including all of its security controls and system vulnerabilities in context. This is one of the reasons RedSeal’s analytics include the complete set of possible network paths and not simply flows currently active in the network.

The key to winning the game is leverage. Knowing more, being more proactive, being certain that your intentions are realized by technology. How can you know?

Recently, I have seen firewall configuration files containing well over 150,000 lines of configuration. These devices live within networks with thousands of other devices that forward packets according to a variety of rules 250px-whackamole(routing, access control, load balancing, and more). The only way to know what’s really going on is to perform an in-context analysis of the  network. This is very difficult to do well, and impossible to do without automation. Furthermore, if you don’t  do it, you are relegated to playing Whack-A-Mole with the probes and attacks that are being launched against  you, probably at the rate of thousands per day.

Use automation as a proactive offense against what could be launched even as you continue to deploy reactive systems to respond to attacks that make it through your defenses.