Know What to Protect and Why

In my last article, I discussed the importance of walking the terrain, or knowing your network. I suggested beginning at a high level: identify your sites, then group your assets by site or facility. This is a great place to start understanding your network because network controls tend to be fairly static. From there, discovering network devices like routers often leads to discovering subnets and previously unknown endpoints.

This raises two questions: Why should I care about my endpoint inventory? What should I do with this data?

Maintaining accurate endpoint inventory data is a daunting task. In modern environments, endpoints are changing all the time. In fact, endpoint entropy continues to grow exponentially. We need to prioritize. There are two aspects of endpoint inventory security professionals should focus on.

The first is to look at your network through the eyes of an adversary and ask, “What is most valuable?” In a military example this might be a bridge, an airfield, or a key logistics site. In the cyber world this might be your credit card holder data, your intellectual property, or the CFO’s laptop. Consider what an adversary might want to accomplish. Are you concerned about a nation state stealing intellectual property? Might someone want to disrupt your operations? Could organized crime try to extort money after encrypting your systems?

Most security professionals believe that “everything is important.” While that’s true, we all have limited resources. We need to prioritize where to apply preventative technologies, which vulnerabilities to patch, and what incidents to investigate. It is imperative to identify the key data or systems in order to identify a control framework to protect them.

The second important aspect of endpoint inventory data is using it to maintain the accuracy of your operational systems. Many key security systems depend on the accuracy of endpoint data. Our customers almost always have a CMDB, vulnerability scanner, EDR agents, and a patching system. The numbers coming from these systems never agree. We see CMDBs that are about “80% accurate;” endpoints that aren’t being scanned; endpoints that are missing agents; and some endpoints that aren’t being patched. Being able to quickly see the difference between these operational systems will identify gaps in your operations. For example, if your EDR count is greater than the one from your vulnerability scanner, you can quickly identify the exact systems that are not being scanned. If the count you’re getting from your vulnerability scanner is greater than the one from your patching system, you can quickly identify systems not being patched. Organizations that operationalize this process aren’t just maintaining an inventory count, they’re ensuring a more accurate use of their key operational systems.
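As an added example (not from the article and not RedSeal’s product code), this Python script reconciles constructed sample exports from the four systems named above and lists, per system, the exact hosts it is missing rather than just disagreeing counts; the hostnames, the one-column CSV layout and the hostname normalization rule are assumptions.

```python
"""Reconcile endpoint exports from a CMDB, vulnerability scanner, EDR and patching
system, and list the exact hosts each system is missing (added example)."""
import csv
import io

# Constructed sample exports, one hostname column each. They deliberately mix
# casing and short vs. fully qualified names, as real exports do.
CMDB_CSV = "hostname\nweb01.corp.example\nWEB02.corp.example\ndb01.corp.example\ncfo-laptop.corp.example\n"
SCANNER_CSV = "hostname\nweb01.corp.example\nweb02\ndb01.corp.example\nold-printer.corp.example\n"
EDR_CSV = "hostname\nweb01\nweb02.corp.example\nDB01.corp.example\ncfo-laptop\nbuild03.corp.example\n"
PATCH_CSV = "hostname\nweb01.corp.example\ndb01.corp.example\n"


def normalize(hostname: str) -> str:
    """Fold case and drop the domain so 'WEB02.corp.example' and 'web02' match."""
    return hostname.strip().lower().split(".")[0]


def load_hosts(csv_text: str) -> set[str]:
    """Parse a one-column CSV export into a set of normalized hostnames."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize(r["hostname"]) for r in reader if r["hostname"].strip()}


def reconcile(sources: dict[str, set[str]]) -> dict[str, set[str]]:
    """For each source, return the hosts seen by any other source but absent from it.

    The union of all exports is treated as the best available picture of the
    estate, so a host that only one tool knows about shows up as a gap in every
    other tool (an unscanned host, a host without an agent, an unpatched host)."""
    known = set().union(*sources.values())
    return {name: known - hosts for name, hosts in sources.items()}


def reconcile_sample() -> dict[str, set[str]]:
    """Run the reconciliation over the constructed exports above."""
    sources = {
        "cmdb": load_hosts(CMDB_CSV),
        "scanner": load_hosts(SCANNER_CSV),
        "edr": load_hosts(EDR_CSV),
        "patching": load_hosts(PATCH_CSV),
    }
    return reconcile(sources)


if __name__ == "__main__":
    for name, missing in reconcile_sample().items():
        # Counts alone say "the numbers disagree"; the names say which hosts to fix.
        print(f"{name:9s} missing {len(missing)}: {sorted(missing)}")
```

Feeding real exports in place of the constructed strings turns the printed lists directly into work items for the scanning, EDR and patching teams.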

RedSeal Bolsters Digital Resilience Platform to Deliver Most Comprehensive Model of Enterprise Data Centers

Exclusive new features give enterprises ability to strengthen security posture with greater visibility into and across their cyber terrain

SUNNYVALE, Calif. – November 13, 2018 – RedSeal today announced the latest upgrade to its award-winning network modeling and risk scoring platform, trusted by more than 50 U.S. government agencies and hundreds of Global 2000 companies worldwide. To create the most complete network model possible, RedSeal’s platform now validates policies at the application and networking levels, as well as provides endpoint modeling. These exclusive new capabilities bolster users’ understanding of their complete enterprise data centers, including public cloud, private cloud and physical network environments, which in turn extends an enterprise’s foundation for being resilient to cyber events.

Unprecedented Network Context with Application-Based Policies: Layer 7 Application ID

Large enterprises with Next Generation Firewalls (NGFWs) can now use RedSeal to visualize access and validate policies at the application level (Layer 7), as well as at the networking level (Layers 2, 3 and 4). No other security, network modeling or cyber risk scoring product provides this level of visibility, understanding and validation for an organization’s security posture.

With this kind of visibility within and between their network environments, users can understand and prioritize incidents and vulnerabilities wherever they are. This is a significant new capability because traditional firewall policies are based on the networking level—defined by source, destination, port, and protocol. NGFWs, however, are becoming more prevalent in networks and users can create policies, to be implemented by the firewalls, based on the identities of specific applications or Application IDs. For example, RedSeal can validate a “Deny Skype” policy that has been applied to specific addresses, or across all ports and protocols, further strengthening the user’s security posture.

Expand Picture of Cyber Terrain with Endpoint Information from All Sources

With its capabilities expanding to include endpoint modeling, RedSeal is the only resource that models and consolidates endpoint information from any source. This feature gives RedSeal users the ability to import and store information about their endpoints from multiple sources, including vulnerability scanners, Endpoint Protection and Endpoint Detection and Response (EDR) solutions, as well as other applications such as Active Directory.

“A comprehensive understanding of network assets and paths is the foundation of a digital resilience strategy,” said Kurt Van Etten, chief product officer at RedSeal. “With its latest enhancements, RedSeal’s platform is the only product on the market that models Layer 2, 3, 4, and 7 policies and consolidates endpoint information from any source. As a result, RedSeal builds the most complete model available, including public and private clouds, physical assets and endpoint sources. The important new features introduced in our latest product ensure users can confidently validate their security posture, accelerate investigation and improve productivity of network and security teams.