Audacy | May 1, 2023
Tune in to KCBS and hear Dr. Mike Lloyd, RedSeal’s CTO, share insights into double dip ransomware attacks, why segmentation matters, hardening your infrastructure and a quick perspective on the importance of Biden’s National Cyber Strategy.
Sadly, once again we find ourselves watching war as it unfolds. More than any previous conflict, this one is being fought in cyberspace as well as on land and in the air. Many commentators raised their eyebrows when NATO officially added cyber to Article 5 of its founding treaty back in 2016. That now seems like a prescient move. But while the fighting, both online and off, has been largely confined to Ukrainian targets thus far, that’s unlikely to last for long.
The truth is that, by accident or design, we’re all in a war zone online, because online conflict does not respect country boundaries or even physical distance. Western targets must prepare accordingly, by understanding their attack surface in granular detail, and probing for weaknesses that could be exploited by adversaries in the days, weeks and months to come. Resilience is the name of the game here, and that will only come about by plugging the highest risk gaps now across cloud and on-premises infrastructure.
We’ve already heard of multiple offensive cyber-campaigns traced back to the Kremlin. They began even before the invasion, when scores of Ukrainian government websites were defaced and wiper malware known as WhisperGate was discovered targeting multiple organizations in the region. More destructive malware variants, HermeticWiper and IsaacWiper were launched in the early days of the campaign, reportedly rendering hundreds of machines unusable.
By targeting the Master Boot Record (MBR) and strategically important folders of the Windows OS, the malware is eerily reminiscent of NotPetya, another wiper variant disguised as ransomware and aimed at Ukrainian targets in 2017. NotPetya is important because it tells us something very important about destructive cyber-attacks: they can very easily “spill over” and impact organizations that weren’t originally intended as targets. It also happened with Stuxnet—a weapon that was designed with high precision to target Iranian uranium enrichment facilities, but still spilled over and infected other machines.
In short, war is never as clean and precise as Hollywood movies make it seem. In the case of NotPetya, multinationals in Ukraine found their networks impacted, and the worm-like threat eventually travelled down corporate VPNs to spread globally, causing billions of dollars’ worth of damage. One victim, US pharma giant Merck, was only recently awarded a $1.4B payout from its insurer to cover costs incurred during the attack.
That said, Western firms may also need to contend with genuine Russian state-backed cyber-attacks if tensions ratchet up further and economic sanctions begin to hit the Putin regime hard. Just what they’re capable of should be clear following the SolarWinds attacks which compromised nine US government agencies. Russia also has an ace in the hole: an ‘army’ of organized cybercrime groups prepared to turn their nefarious talents to hitting critical infrastructure and other strategically important Western sectors. With big budgets to spend on attack tools and exploits, plenty of know-how, and a sophisticated cybercrime supply chain in place, they could do significant damage.
If geopolitical tensions remain high for an extended period of time, the chances increase significantly of innocent organizations being drawn into the online conflict. The lesson for defenders is to fix defensive gaps now, before they’re exposed—intentionally or otherwise. Just as First World War gas attacks spread indiscriminately, harming anyone without a well-fitted and sealed gas mask on, cyber-weapons will go anywhere, through whatever gaps are left open.
Finding these vulnerabilities and misconfigurations first requires a detailed understanding of the entire corporate network, which for most organizations will extend from on-premises servers and data centers across multiple public cloud environments. That means knowing and mapping every single network device, application, service and data pathway. From this position of enhanced visibility, it’s then possible to enforce security policy to minimize exposure, and continuously check for and correct any policy compliance drift. The “continuous” qualifier is particularly important given the dynamic and ephemeral nature of cloud assets.
Ultimately, war, in whatever theater it’s fought, is about resilience. So if it wasn’t already before, take some inspiration from the brave men and women protecting their Ukrainian homeland, and make cyber-resilience a priority for your organization today.
I think we’d all agree the last year and a half has brought disruption, and cloud security wasn’t exempt. The Covid-19 crisis has dramatically expanded attack surfaces as companies transitioned to remote work and embraced the cloud. But let’s be clear: the cloud is not a magic bullet. Yes, the cloud is relatively new and exciting, and it does prevent some of the old security mistakes. And yes, the cloud does close off some previously vulnerable spaces. But at the same time, it opens up new ways to do things wrong.
This is where a strategy called cloud security posture management (CSPM) comes in. The goal of CSPM is to find and reduce attack surfaces, and then eliminate misconfigurations through continuous monitoring of cloud infrastructure. This is important, because more than 99% of cloud breaches have their root cause in customer misconfigurations and mistakes, according to Gartner.
I like to use the analogy of a brick house. Even if a house is made of perfect bricks, is it immune to falling down? No. Naturally, when you build a house, you want to make sure the bricks you’re using are solid. But even then, the house can still fall if built incorrectly. Cloud innovators push an approach called “shift left” (meaning detecting problems sooner in the build process), but this is no replacement for checking the final result. After all, no matter how carefully you check a building’s blueprints, the final structure will inevitably be different.
CSPM automates the process of ensuring the individual bricks are OK, but more importantly, makes sure the house as a whole is constructed properly, so it won’t collapse when the big bad wolf (or a squad of hackers) comes along and tries to blow it down.
But what makes CSPM so compelling from a security standpoint is that it’s proactive, not reactive like endpoint management or extended detection and response (XDR). These are analogous to fire alarms for your building. Alarms are necessary for sure, but you have to actually prevent some fires, not just wait and react. So, while firefighting is critical, part of your budget should be for tools that prevent fires in the first place and plan ahead for resilience of your infrastructure when a fire does break out.
CSPM is all about being proactive and putting the right processes in place so that fewer fires start, and spread less when they do happen. Sure, mistakes and misconfigurations will still happen. CSPM recognizes this reality, but proactively hunts for the ingredients that drive security fires rather than just accepting that they can’t be stopped.
Your developers are not security gurus. The framework called DevSecOps advocates adding security practitioners into the software development and DevOps teams. DevSecOps strives to find a happy balance between development teams that want to release software quickly and security teams that prioritize protection. But, to me, this is too optimistic a notion – it glosses over the fundamental differences that must exist between security thinkers and app developers. Developers think “how can I make this work?”, but security is about thinking backwards – “how can this be abused?”
Security is also fundamentally a big-picture problem, where all interactions have to be considered. Getting back to the building analogy, CSPM lets you compare the final structure to the blueprints used to construct it. It allows you to examine the building to see whether there are any flaws or points of structural weakness that the bad guys can exploit to get in. Humans aren’t good at continuous detail checking, but it’s a great job for automated software.
Context is everything. The blueprints don’t tell you whether you’re building on sand or building on bedrock. CSPM provides that critical context not just for one section of your structure but for the entire building and its surroundings.
CSPM also automatically determines whether all the cloud applications and services across your entire organization are configured correctly and securely. It’s simply not possible to hire enough security professionals to do that on their own. It’s not that people you have aren’t good; it’s that you’ll never have enough people who are experts in all the rapidly changing cloud languages and configurations.
Bad guys are actively hunting for new openings in your cloud. CSPM is quickly becoming one of the best ways to close the gaps in your security posture and shut the door on those who intend to do you harm.
Check out RedSeal Stratus – our new CSPM tool that offers the worlds most accurate, reliable, and actionable approach to calculating access and exposure. You can join the pilot program now!
Cloud security is maturing – it has to. We’ve had too many face-palm worthy incidents of organizations hearing “hey, I found your data in a world readable S3 bucket”, or finding a supposedly “test” server exposed that had production data in it. Happily, we are emerging out of the Wild West phase, and some order and maturity is emerging, and along with it, new lingo.
Gartner divides the emerging ideas into three main disciplines – CASB, CWPP, and CSPM. Think of these as if you’re securing a (pre-pandemic!) office building. CASB is your ID badge reader, and CWPP is your video surveillance. Cloud Security Posture Management (CSPM) is everything else you do to secure your building, like having a security guard walk around to look for gaping holes in the wall, or the sounds of someone drilling through a safe.
CSPM is arguably the hardest area to understand, since it’s so broad, but that same breadth is what makes it the most important to get right. In comparison, having no badge readers at all would be bad, but you don’t have to go overboard – you just need a reasonable check that you’re not letting everyone in. Posture management is different – CSPM isn’t a point solution, it’s the approach of always asking “what else have we forgotten?”
If you ask for a crisp definition of CSPM, it’s hard to find one – after all, Posture Management can refer to the mindset of “how could we be attacked, what are the consequences if it happens, and what can we do it mitigate it?” I find it easiest to split this into three main questions – what have you got, what are you doing to protect it, and what’s the level of risk? All of these are familiar to experienced security professionals – we’ve been asking these same questions about IT networks forever. So why is it different in Cloud?
For legacy on-premises networks, the hardest question was “what have you got?” – rapid growth and technology change made keeping an accurate inventory challenging. Cloud disrupts this in some interesting ways. Each cloud account has a controller for the software defined network, which solves one problem, but then goes and creates another. It’s impossible for any network to exist in a software defined cloud that the controller did not create for you. This means you can always tell exactly how big any one cloud network is. Problem solved, right? Not so fast – anyone who’s tried to inventory cloud footprint realizes that this same controller is changing things so quickly you can’t keep up. It’s also so easy to add new cloud networks that people do it and then forget to tell security, so the inventory problem just moves up a level – not “find the missing router”, but “find the missing cloud account”.
In CSPM, most of the key innovations are focused on the second question – “what are your protections, and are they working?” Cloud disrupted this too, bringing innovations that are incompatible with a lot of the traditional security stack. It’s not that question 3 – risk assessment – is unimportant. It’s just that it isn’t so deeply impacted by the differences between cloud, hybrid, and on-prem. Risk assessment is strategy, not tactics.
So why has cloud disrupted the question of whether you have working protections in place? Well, going back to the start of the article, that unintended exposure of a cloud storage bucket represents a mistake we simply couldn’t make until there was a cloud. Sure, every cloud comes with many strong security controls. But that’s the problem – there are so many enforcement controls that are all new, all different, and are like nothing we did for the past 40 years in on-premises data centers. Novelty is great for innovation, but terrible for security. Coordinating all the new controls and ensuring they are used correctly is the core job for CSPM. Basic checklists aren’t enough – just as we’ve found with all previous network technologies, a network built out of individual compliant elements can still fail as a system, like a house built out of perfectly formed bricks which can still fall down if assembled incorrectly.
This is why the core discipline in CSPM is visibility, so you can achieve end to end understanding of what is exposed and what is not. Figuring out access – what can reach what, and especially, what is exposed to the Internet – sounds so basic, but has become explosively complicated. It’s impossible to hire enough certified security professionals with deep enough understanding of all the cloud dialects used across an organization. So the only solution is to focus on CSPM – building up a map of your cloud assets, then looking across all the layers to ask “what is exposed?”
For more information on RedSeal’s CSPM solution, RedSeal Stratus, check out our website. Or sign up for our Pilot Program and test drive RedSeal Stratus yourself!
IT Pro Portal | April 27, 2021
Let’s analyze security and defense over the ages through a Covid lens.
From ancient Jericho through to medieval Constantinople, people built walls around cities as a main method of defense for around 10,000 years. But we don’t live in walled cities any more – why not? That’s a really big change, and it deserves an explanation.
Our companies aren’t walled cities, but they certainly had a strong tradition of being centralized and walled off. A year ago, we suddenly found that we couldn’t do that any longer. I’ve spoken to many managers who were frankly surprised at how well it has worked to abruptly change the paradigm, and let people work out in the community, away from the supervisor’s beady eye, and outside the protective walls of the building or the network.
Solutions Review | February 2, 2021
Today, we present new 2021 Cyber Predictions from Dr. Mike Lloyd, Chief Technology Officer of RedSeal.
It’s hard to conceptualize, but we only just started 2021. Given how much has already occurred, both carrying over from 2020 and fresh challenges, it can prove easy to forget that the year is still young. There’s plenty of time yet to change course on your business’ cybersecurity and respond to predictions.
As such, we wanted to share these 2021 predictions on enterprise cybersecurity from Dr. Mike Lloyd, Chief Technology Officer of RedSeal. These predictions were submitted as part of our first annual Cybersecurity Insight Jam.
Computer Fraud & Security | January 2021
We deploy a lot of security technology, but breaches continue. Either we’re bad at this or the game is stacked against us.
It turns out it’s the latter – there are structural reasons why security remains so elusive. We’re short staffed, up against a heavily automated group of adversaries, and our IT infrastructure is fragmenting. Mike Lloyd at RedSeal suggests that we need to find a better way to target investments in security to where they are most needed, and then integrate a single view of our ever-widening attack surface.
VM Blog | January 15, 2021
The rules of the security game keep changing. We were finally getting close to perfecting the art of securing data centers and VPNs, when along came cloud, multiple cloud environments, and a pandemic forcing many of us to work remotely, disrupting all aspects of work and home life.
From a data center point of view, there was a great migration of who needed access to what, from where. Here are some thoughts of what to expect in security in 2021, some of the key lessons from the year and how businesses can prepare for the new year.
Computer Weekly | 4 January 2021
After a year of unprecedented disruption thanks to Covid-19, it looks like remote working is set to remain with us for now, which means security strategies will change in 2021. What will this change look like, and what tools and services will be selling like hot cakes?
Security Weekly | December 29, 2020
The news is flooded with updates regarding the COVID-19 vaccine. Cyberattacks are targeting the vaccine supply chain. Phishing attacks are exploiting sign-ups for the vaccine. There are even attacks to get access to vaccine data. Sounds a lot like our enterprises every day! We’re all learning about human immunology from the headlines, but what are the equivalent defenses for our networks? How do we achieve resilience at scale, when we don’t really have a network immune system?