Scanning for Flaws, Scoring for Security

Krebs on Security | December 2018

“You can, of course, establish some important things about the quality of a building from a photograph, but it’s no substitute for really being able to inspect it from the inside,” Dr. Mike Lloyd told Dark Reading regarding the Chamber/FICO announcement in October.

FICO & US Chamber of Commerce Score Cyber-Risk Across 10 Sectors

Dark Reading | October 16, 2018

Media, telecom, and technology firms are far more likely to experience a data breach in the near future than organizations in sectors including energy, construction, and transportation.

A score “taken from the outside looking in is similar to rating the fire risk to a building based on a photograph from across the street,” says Mike Lloyd, CTO of RedSeal. “You can, of course, establish some important things about the quality of a building from a photograph, but it’s no substitute for really being able to inspect it from the inside.”

The Only Cybersecurity Metric That Matters for Digital Resilience

While the focus on cybersecurity has never been higher, the cybersecurity community – a combined team of solution providers, CISOs, boards and others – hasn’t been able to stop most attacks from being successful.

Why?

We have focused too much of our efforts on network perimeters, working to detect and prevent cyber attacks. We haven’t done enough to build resilience INSIDE the network, the part of the equation we can control and quantify with a security metric.

Organizations need to build resilience into their infrastructures and adopt an end-to-end digital resilience strategy to survive and thrive.

How big is the problem? There are 1400+ vendors focused on cybersecurity. Nearly $100B was spent on information security just in 2016. Yet billions of records have been compromised.

The reason is we have not addressed fundamental issues inside the network. Companies need to build resilience into their infrastructure and adopt a corporate-wide digital resilience strategy with a corporate-wide security metric.

A few years back, RedSeal gathered 800 surveys during the RSA Conference. We learned that:

  • Practitioners are drowning in data
  • They can’t measure the performance or impact of their security efforts
  • Current solutions can’t turn data into action
  • They need useful cybersecurity metrics

The problem with measuring security is that security is the absence of something. You can’t report how often you were NOT on the cover of the Washington Post. Many people start by counting what they are doing. But this measures busy-ness, not business. How can you show actual improvements in cybersecurity?

The Shifting Terrain and Digital Resilience

According to the 2016 TechCrunch CIO Report, 82% of global IT leaders report significant labor shortages in cybersecurity. This, combined with issues such as software defined everything, digital transformation, hybrid datacenters, IoT, and shadow IT, means a big shift in thinking is required. We don’t have enough people to throw at the problem.

Digital resilience is a comprehensive strategy across all IT functions and business processes to minimize the impact of cyber attacks and network interruptions. It’s a different way of thinking. Being resilient means simultaneously striving to minimize each attack and being able to recover quickly from a strike. Resilient organizations have fewer, smaller incidents, understand and respond to them faster, and can rapidly return to normal operations afterwards.

It’s not enough to see the devices in your “as-built” infrastructure – you have to really understand how they are configured and automatically get a list of vulnerabilities.

And that list of vulnerabilities is a problem; there are too many to act on. Even knowing asset value and vulnerability severity isn’t enough to fully understand the risk. You also need to know whether the vulnerable asset can be reached. A high-value asset with a vulnerability that is segmented behind a firewall is not as big a risk as one that is slightly lower in value but has an open path to the internet.
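The reachability argument above, as an added illustration written for this page (not RedSeal’s code or scoring algorithm): a constructed three-tier network with firewall allow rules, a breadth-first search for the permitted path from the internet to each asset, and a risk score of business value × severity × exposure, so that a directly exposed medium-value host outranks a segmented high-value database with the same severity. It also previews the effect of a single rule change, going slightly beyond the paragraph. Zone names, rules, asset values and severities are all constructed.

```python
"""Reachability-aware vulnerability prioritization (illustration for this page;
not RedSeal's algorithm). All topology, rules and asset data are constructed."""
from collections import deque

# Constructed allow rules: zone -> set of zones its firewall lets traffic reach.
FIREWALL_RULES = {
    "internet": {"dmz"},      # edge firewall only exposes the DMZ
    "dmz": {"app"},           # DMZ may talk to the application tier
    "app": {"db"},            # application tier may talk to the database tier
    "corp": {"app", "db"},    # corporate users reach app and db, not vice versa
    "db": set(),
}

# Constructed assets: name -> (zone, business value 1-10, vuln severity 0-10)
ASSETS = {
    "web-portal": ("dmz", 6, 9.8),      # lower value, directly exposed
    "payments-db": ("db", 10, 9.8),     # highest value, two more firewalls deep
    "hr-fileshare": ("corp", 7, 7.5),   # not reachable from the internet at all
}


def path_from(start, target, rules):
    """Shortest permitted zone path from start to target via BFS, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for nxt in rules.get(zone, ()):
            if nxt not in parents:
                parents[nxt] = zone
                queue.append(nxt)
    return None


def exposure(path):
    """1.0 one firewall crossing away, decaying per extra crossing; 0 if unreachable."""
    if path is None:
        return 0.0
    hops = len(path) - 1
    return 1.0 if hops <= 0 else 1.0 / hops


def risk_score(asset, rules, source="internet"):
    """Value x severity x exposure: severity alone would rank the two 9.8s equal."""
    zone, value, severity = ASSETS[asset]
    return round(value * severity * exposure(path_from(source, zone, rules)), 1)


def prioritize(rules, source="internet"):
    """Assets as (name, score, path), highest risk first."""
    rows = [(name, risk_score(name, rules, source), path_from(source, zone, rules))
            for name, (zone, _, _) in ASSETS.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def with_rule(rules, src, dst):
    """Copy of the rules plus one allow rule, to preview a change before deploying it."""
    new = {z: set(d) for z, d in rules.items()}
    new.setdefault(src, set()).add(dst)
    return new


if __name__ == "__main__":
    changed = with_rule(FIREWALL_RULES, "internet", "db")
    for label, rules in (("as built", FIREWALL_RULES), ("if internet -> db were allowed", changed)):
        print(label)
        for name, score, path in prioritize(rules):
            print(f"  {name:12} risk={score:5}  path={' -> '.join(path) if path else 'unreachable'}")
```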

RedSeal’s Digital Resilience Score

Resilient organizations must focus on three main areas—being hard to hit, being ready for an attack when it comes, and being able to recover quickly.

RedSeal helps these organizations identify defensive gaps, run continuous penetration tests to measure readiness, and map their entire network infrastructure.

From these capabilities, RedSeal calculates one unified number, so managers, boards of directors and executive management have the understandable and actionable cybersecurity metric they need to drive towards digital resilience.

RedSeal’s Digital Resilience Score focuses on three essential questions:

  • Do you have defects that are easy to hit? RedSeal evaluates how weaknesses from incorrectly configured devices and third-party software could impact you.
  • Can an attacker reach your valuable assets? RedSeal evaluates how well your network is structured, identifying attack pathways and chains of vulnerability that reduce your ability to withstand and recover from attack.
  • Is your network understanding complete? By identifying previously unknown parts of your network, RedSeal evaluates how well you know what your digital infrastructure looks like. With a complete picture, you can be sure you’re managing all assets on your network. During an attack, you’ll be able to understand where an attacker can reach. And, you’ll be able to recover much more quickly.

Instead of getting stuck in an ineffective focus on measuring activity, resilient organizations use RedSeal’s Digital Resilience Score (DRS). This cybersecurity metric works like a creditworthiness score, deducting points for defensive gaps, weaknesses revealed by attack simulations, and blind spots in your network awareness. A higher score means there is a higher likelihood that your business can withstand an incident and keep running.

It’s the cybersecurity metric that matters for digital resilience.

RedSeal Cloud Security

On the Way to SDN and the Cloud: Building Resilient Networks

Willis H. Ware, a research scientist at the Rand Corporation working for the United States Air Force in 1967, predicted that ARPAnet would be a disaster if security wasn’t built into the project.

He was overruled.

In January 2013, the Final Report of the Defense Science Board Task Force on Resilient Military Systems and the Advanced Cyber Threat was issued and confirmed what Willis knew back in 1967.

The report’s findings made for sober reading:

  • The United States cannot be confident that our critical information technology systems will work under attack. This is also true for our allies, rivals, public and private networks.
  • The DoD and its contractor base are high priority targets that have already sustained staggering losses of system design information.
  • The DoD should expect cyber attacks to be part of all conflicts in the future, and should not expect enemies to play by our version of the rules.
  • There is evidence of attacks that exploit known vulnerabilities in the domestic power grid and critical infrastructure systems.
  • The impact of a destructive cyber attack on the civilian population would be even greater:
    • In a short time, food and medicine distribution systems would be ineffective.
    • Law enforcement and emergency personnel capabilities could be barely functional in the short term and dysfunctional over sustained periods.
    • Expect physical damage to control systems.
    • Months to years could be required to rebuild and reestablish basic infrastructure operation.

So… the current situation is really bad.

Do cloud computing and the rise of software-defined networks (SDNs) make things better? Government and enterprises are receiving huge benefits by moving into the cloud. You can quickly and efficiently create an SDN, but cloud computing and software-defined anything is still software. And software will have errors. How do you test or QA it? Is your central control node secure? How much do you know, really?

If this word “software” doesn’t scare you, then you’re not thinking about it hard enough.

In the Defense Science Board Task Force’s report, the seventh recommendation is to build a cyber resilient force and a set of standards and requirements that incorporate cyber resiliency into the cyber critical survivable mission systems.

What is their definition of resilience?

“Resilience: Because the Defense Department’s capabilities cannot necessarily guarantee that every cyber attack will be denied successfully, the Defense Department must invest in resilient and redundant systems so that it may continue its operations in the face of disruptive or destructive cyber attacks on DoD networks.” – Ash Carter, Secretary of Defense, April 2015

The report highlights a need to continuously model and test DoD’s systems to determine how resilient they are. This requires a measurement or a metric for resilience.

Managing and measuring cyber resilience
Up until now, measuring cyber resilience has been an impossible challenge. Now, RedSeal’s cybersecurity analytics platform has been deployed successfully by federal agencies and departments. With RedSeal you can:

Understand your cyber terrain
You have to understand your cyber terrain in order to secure it, defend it, and respond to incidents appropriately and swiftly. Operating without understanding your network is like stumbling around your unlit house at night looking for the burglar that just broke in.

Model and measure
With a network sand table, defenders can now see where their high value assets (HVAs) are and answer important questions:

  • How can they be accessed?
  • How exposed are they?
  • Are defenses deployed in the appropriate places?
  • Exactly where are the sensor-reported incidents?

Verify compliance, establish and manage standard policies
RedSeal lets you know if your network is constructed as you think it is – to allow only authorized access to your data. RedSeal reads in information from devices on your network, including those parts hosted in the cloud. Then, it calculates the access actually allowed from any point on your network to any other and updates as changes are made, so you can verify and maintain compliance with regulations and policies.

Understand the security impact of network changes
RedSeal enables you to simulate attacks before they happen. You can understand your defensive posture by finding the weak points and measuring ease of compromise.

Understand access in hybrid networks
Cloud providers have cloud solutions to manage your cloud-based network. But most organizations don’t have a pure cloud network; their networks are hybrid. You have some infrastructure that you manage, some in the cloud, and some virtualized. We show organizations how all parts of their networks connect to everything else.

Cloud providers don’t know what your legacy environment looks like. You need to be able to draw together your physical and cloud infrastructure in more than just a picture. At RedSeal, we believe you have to understand end-to-end behaviors of your networks. To do this, we do very deep access calculations based on the configuration files of all your network devices – virtual or not. RedSeal determines how your infrastructure actually works, so you can continually validate that you built what you thought you were building.

You can ask all kinds of questions of your RedSeal network model. You can determine if the back end of your cloud infrastructure is accessible from the internet – and how. You can see paths that reach from the real world to the virtual world. We’ve invested a lot of time and effort at RedSeal, so you can see your cloud infrastructure and how it connects to your physical or virtual infrastructure.

RedSeal provides security metrics
RedSeal gives you an overview of your network, measuring:

  1. The completeness of your inventory of assets and systems. It identifies devices you may not know about.
  2. All the connections between devices.
  3. How well your network devices are configured for security.
  4. The actual risk to your data, based on how accessible known vulnerabilities are.

RedSeal’s smartphone app provides a measurement and trend summary for executives or “on the go” security management.

Why is the RedSeal Digital Resilience Score important?

  • Gives you a measure of security effectiveness so you know where to allocate resources and funding.
  • Helps you understand your security posture: are you better today than you were yesterday?
  • Allows senior staff to empirically understand network risk.
  • Grades different networks across various departments or agencies.
  • Verifies networks are designed and operating for security as intended.

For more on this subject, listen to the free webinar, On the Way to SDN and the Cloud: Building Resilient Networks.

RedSeal CEO Survey

CEOs Reveal Cyber Naiveté as Incidents Rise and Losses Mount

Study Commissioned by RedSeal Exposes Significant Disconnect Between CEOs’ Confidence in Defense Strategies and Actual Results, Points to Requirement for Real-Time Measures of Network Security


SUNNYVALE, Calif. – RedSeal (www.redseal.net), a leader in the cybersecurity analytics market, today released the results of a CEO study, which surveyed CEOs’ perceptions of – and confidence in – their cybersecurity posture.

The study found that more than 80 percent of CEOs are very confident in their firm’s cybersecurity strategies, despite the fact that security incidents have surged 66 percent year-over-year since 2009 according to PricewaterhouseCoopers’ 2017 Global State of Information Security Survey.

“CEOs are underestimating their companies’ cyber vulnerabilities,” said Ray Rothrock, chairman and CEO of RedSeal. “Their confidence does not square with what we observe. Cyber-attacks are up and financial losses associated with these attacks are increasing dramatically.” Specifically, PricewaterhouseCoopers’ 2015 Global State of Information Security Survey projected that financial losses from cyber-attacks will jump from $500 billion in 2014 to more than $2 trillion in 2018.

Cyber Confidence Based on Out-of-Date Strategies

While CEOs remain confident that their cyber strategies are well equipped to handle the risks facing their company networks, there is a disconnect between their perception and reality. In Oct. 2014, FBI director James B. Comey said that no company is immune from attack. “There are two kinds of big companies in the United States,” he told 60 Minutes. “There are those who’ve been hacked…and those who don’t know they’ve been hacked.”

Yet two years later, the RedSeal study found that half of the CEOs still prioritize keeping hackers out of the network, versus just 24 percent who were concerned with building capabilities to deal with hackers who have successfully breached their network’s perimeter defenses.

“The new cyber battleground is inside the network, not at the perimeter,” said Rothrock. “Firewalls, virus detectors, and malware scans are required to keep out 99 percent of the bad guys, but the one percent who get in can cripple a firm, critical infrastructure or a government agency.”

CEOs Struggle to Assess Their Massive – and Growing – Cybersecurity Investments

The study found that, while 87 percent of CEOs agree that they need a better way to measure the effectiveness of their cybersecurity investments, 84 percent still plan to increase their spending in the next year. This trend is reiterated by IDC’s Oct. 2016 prediction that organizations will spend $101.6 billion on cybersecurity software, services, and hardware in 2020, a 38 percent increase from its 2016 spend projections.

“We’ve reached an inflection point where cyber security strategies and investments have underperformed for an extended period of time. Analysts estimate that cyber losses are now growing more than twice as fast as the spend on security,” continued Rothrock. “To stem this tide, CEOs and boards need more effective metrics to understand the real-time health and function of their network, and to more clearly manage and measure their cyber strategies and investments.”

Even though security budgets are at an unprecedented high, nearly three out of four CEOs report the metrics they receive lack meaning or context. Most (79 percent) agree their reports are too difficult to understand, and 87 percent need a better way to measure whether cybersecurity investments are effective. In addition, they cite a lack of timeliness (51 percent) as well as only receiving reports in times of crisis (50 percent) as significant challenges.

Nearly 90 percent of CEOs say they want information – on a daily basis – about their cybersecurity posture and network’s overall health, external threat level, and the resilience of the network.

And while 79 percent of CEOs surveyed strongly agree that cybersecurity is a strategic function that starts with executive leadership versus being a responsibility passed on to the IT team, 89 percent of these same CEOs report reliance on their IT team to make the budget decisions on cybersecurity.

“CEOs project a great level of confidence when asked about their cybersecurity strategies, however their perceptions aren’t in line with reality,” said James Kaplan, partner at McKinsey & Company and co-author of Beyond Cybersecurity: Protecting Your Digital Business. “For years, the IT security industry has operated with the understanding that every organization will suffer a security incident. Given this inevitability, CEOs should be much more focused on building resilience into their businesses so they can maintain operations when the breach occurs.”

Methodology

This RedSeal study was conducted online via independent data collection firm 72 Point in September 2016. 200 chief executive officers in the U.S. were randomly sampled, at organizations with 250 or more employees. 42% of respondents were CEOs of companies with greater than 1,000 employees. The survey reached CEOs across a host of major industries, including technology, finance, manufacturing, government and retail. Respondents were invited to the survey from an invitation-only panel of CEOs. The survey and methodology are MRS compliant. To review an executive summary of the results, visit our website.

About RedSeal

RedSeal puts power in decision makers’ hands with the essential cybersecurity analytics platform for building digitally resilient organizations. RedSeal’s Digital Resilience Score, modeled after a creditworthiness score, measures how prepared an organization is to respond to an incident and quickly rebound. The company’s platform adds value to existing network devices by working with them and building a network model. With this, customers can understand the state of their networks, measure resilience, verify compliance, and accelerate incident response. RedSeal’s customers are Global 2000 corporations and government agencies that depend on the most sophisticated security. Founded in 2004, RedSeal is headquartered in Sunnyvale, Calif. and serves customers globally through a direct sales and channel partner network.

RedSeal Measure Security

RedSeal Brings Unparalleled Digital Resilience Measures to the Enterprise

RedSeal platform improves risk mitigation and preparedness through faster analysis of cybersecurity incidents

SUNNYVALE, Calif. – February 2, 2016 – RedSeal (redseal.net), the cybersecurity analytics company, today announced that it has introduced new incident response, metrics, and increased automation capabilities for its cybersecurity analytics platform. The new features will speed time to finding and solving cybersecurity issues, allowing organizations to better visualize, measure and improve their digital resilience.

As an essential step in building a digitally resilient organization, RedSeal’s cybersecurity analytics platform gives users the most up-to-date model of their entire, as-built network, so that they can visualize access paths and quickly target cybersecurity resources where they will have the biggest impact on their most valuable assets.

RedSeal’s security analytics platform now adds critical network context to incident response efforts. It allows users to analyze the path between the suspicious host and reachable asset, and then drill down to highlight the change required to prevent that access – typically a firewall configuration rule change.

In addition, only RedSeal provides an organization with a critical benchmark to manage cybersecurity through its Digital Resilience Score. An easy-to-access web dashboard or the new iPhone and Android smartphone application provides a current digital resilience score, based on RedSeal analytics. The smartphone application provides executives with their network’s current score and daily trending information. The RedSeal dashboard provides network managers and CISOs detailed information to understand and remediate security exposures. RedSeal’s Digital Resilience Score has garnered attention from finance firms working to incorporate cybersecurity into M&A valuations, as well as from cybersecurity insurance underwriters seeking actuarial data.

Improved automation, with features including assisted modeling and auto-grouping, will increase user productivity. To extend the benefits of the RedSeal security analytics platform within an organization, RedSeal’s platform now also includes Splunk and FireEye integration. All key functionality is available through industry standard browsers, making analysis simple and quickly understandable.

“Organizations invest huge amounts of time and money trying to stave off the inevitable cyberattack,” said Ray Rothrock, chairman and CEO of RedSeal. “As long as people are involved, either by criminal intent or plain human error, there will be network intrusions and weaknesses. Digital resilience is important because attacks are inevitable and organizations must be prepared to thrive in their wake. Being able to measure your digital resilience and respond quickly to incidents can mean the difference between a minor setback versus a total meltdown.”

About RedSeal (redseal.net)

RedSeal is an essential step in building digitally resilient organizations people can trust. RedSeal’s security analytics platform builds an accurate, up-to-date model of an organization’s entire, as-built network to visualize access paths, prioritize what to fix, and target existing cybersecurity resources on the most valuable assets. With RedSeal’s Digital Resilience Score, decision makers can see the security status and benchmark progress toward digital resilience in the inevitable attack. RedSeal’s customers are Global 2000 corporations and government agencies that depend on the most sophisticated security. Founded in 2004, RedSeal is headquartered in Sunnyvale, California and serves customers in North America, Europe and Asia.

RedSeal and the RedSeal logo are trademarks of RedSeal, Inc. All other names and trademarks are the property of their respective owners.