SIGNAL | September 15, 2016
By J. Wayne Lloyd
When it comes to cybersecurity, I have heard many people express consternation and wonderment as to why the government cannot protect the Internet. It boils down to two things: No authorization, and officials only have visibility into a scant number of networks under their control.
Last week, the Shadow Brokers hacker group made national headlines by leaking zero-day firewall vulnerabilities, and offering additional exploits for sale through auction. In response, the RedSeal team produced:
The feedback we received was tremendous, and we wanted to share a response we received from a customer:
“I sent it out to several of our key users here because I love when you guys do this. It enabled me to highlight that RedSeal is useful for zero days when there is no patch…
Funny timing as well by the way – the order to identify affected firewalls just came out this morning and we have to respond by tomorrow, so I spent the day researching and working on something before I remembered you sent this and made my life easier. So thank you.”
Have questions, or want to understand how RedSeal can help you with the next inevitable vulnerability hack? Contact us here.
The latest revelations about firewall vulnerabilities stolen and leaked by the Shadow Brokers are very scary, but not all that new. We learn about the release of a major infrastructure vulnerability about once every six months or so. Organizations that have learned to focus on resilience — knowing their network and how to operate through a threat — are in the best position to respond.
With each new revelation, every defender has to scramble to answer the same three basic questions: do I have this problem? Where? Is it exposed? In today’s situation with weaponized vulnerabilities in major firewalls, the first question is easy to answer (if unfortunate). It seems that almost every major network has instances of these vulnerable products as part of their security defenses. The second and third questions require mapping the vulnerability into your own network. Do you have wide open access, or, effective internal segmentation? For this disclosure, have you properly locked down the important protocol known as SNMP? Once you can answer these questions, you are ready to begin incident response based on any surprises you turn up.
Imagine you’re responsible for a physical building, and you put up doors marked “Authorized Personnel Only”. That’s an important thing to do. Whether you run a retail store, a corporate office, or a cruise ship, you need to keep some critical infrastructure and access in a special zone. Now imagine forgetting to put those signs on some of the doors, or worse, leaving them open – perhaps through simple oversight, rushing to build out your business, or as you adapt to changing times. And, the only way you could know if you have a problem is to walk through every single hallway to check. If you don’t know or can’t tell whether your restricted areas are solid, then incidents are much scarier. This is the issue behind the latest revelations. It’s an important industry-wide best practice to isolate important network management protocols in a special zone, similar to the “Authorized Personnel Only” part of many buildings. But organizations everywhere have to scramble to see whether they have done this properly in light of the new vulnerabilities in those protocols.
RedSeal users can see where they stand with just a few clicks.
To read more, including step by step instructions for using RedSeal to answer these critical questions, see here.
For a demonstration of how you can use RedSeal to understand the extent of the problem in your specific network, watch our video.
Last month, Wallace Sann, the Public Sector CTO for ForeScout, and I sat down to chat about the current state of cybersecurity in the federal government. With ForeScout, government security teams can see devices as they join the network, control them, and orchestrate system-wide responses.
Many of our customers deploy both RedSeal and ForeScout side by side. I wanted to take a look at how government security teams were dealing with ongoing threats and the need to integrate difference cybersecurity tools into the “cyber stack.”
Our conversation is lightly edited for better clarity.
Wayne: Describe the challenges that ForeScout solves for customers.
Wallace: We help IT organizations identify IT resources and ensure their security posture. There’s always an “ah-ha moment” that occurs during a proof of concept. We see customers who swear by STIG, and will say they only have two versions of Adobe. We’ll show them that there are 6-7 versions running. We tell you what’s on the network and classify it.
Wayne: We often say that RedSeal is analogous to a battlefield map where you have various pieces of data coming in to update the topography map with the current situation. By placing the data into the context of the topography, you can understand where reinforcements are needed, where your critical assets are and more.
RedSeal’s map gives you this contextual information for your entire enterprise network. ForeScout makes the map more accurate, adapting to change in real time. It lets you identify assets in real time and can provide some context around device status at a more granular or tactical level.
Wallace: Many companies I speak to can create policies on the fly, but ensuring that networks and endpoints are deployed properly and that policies can be enforced is a challenge.
Wayne: Without a doubt. We were teaching a class for a bunch of IT professionals, telling them that RedSeal can identify routes around firewalls. If the networking team put a route around it, the most effective firewall won’t work. The class laughed. They intentionally routed around firewalls, because performance was too slow.
Endpoint compliance typically poses a huge challenge too. RedSeal can tell you what access a device has, but not necessarily when it comes online. Obviously, that’s one of the reasons we’re partnering with ForeScout.
Wallace: ForeScout can provide visibility that the device is online and also provide some context around the endpoint. Perhaps RedSeal has a condition that DLP is running on the endpoint. ForeScout could tell you that DLP is not loaded, and therefore no access allowed.
Wayne: Inventory what’s there. Make sure it’s managed. If not managed, you may not know you were attacked and where they came in or went. If you have that inventory, you can prevent or at least respond quicker.
Another important component is assessing risk and knowing what is important to protect. Let’s say we have two hosts of equal value. If Host 1 is compromised, you can’t leapfrog any further. No other systems will be impacted. If Host 2 is compromised, 500 devices can be compromised including two that may have command and control over payroll or some critical systems. Where do you want to put added security and visibility? On the hot spots that open you up to the most risk! We put things into network context and enable companies to be digitally resilient.
Wallace: With so many security concerns to address, prioritization is critical.
Wayne: IoT is obviously a trend that everyone is talking about and is becoming an increasing concern for agency IT Security orgs. How is ForeScout addressing IoT?
Wallace: ForeScout provides visibility, classification and assessment. If it has an IP address, we can detect it. Classification is where we are getting better. We want to be able to tell you what that device is. Is it a security camera? A printer? A thermostat? We can classify most common devices, but we want to be 75-90% accurate in device classification. The problem is that many new devices are coming out every day. Many you can’t probe traditionally; it could take the device down. And, you can’t put an agent on it. So, we’re using other techniques to passively fingerprint a device (via power over Ethernet, deep packet inspection, and more), so we can get to 95% accuracy.
Wayne: Do you see a lot IoT at customer sites, and are they concerned?
Wallace: Some don’t realize they have an issue. Many don’t know that IoT devices are on their networks. We are seeing more cases where we are asked to assess IoT environments and address it. Before, we weren’t asked to take action. We used to be asked how many Windows and Mac devices there were. Now, there is a movement by government agencies to put anything with an IP address (the OT side) under the purview of the CISO.
Wayne: We see a lot of devices – enterprise and consumer – that aren’t coded securely. IoT devices should be isolated, not connected to your mission critical operating environment.
Wallace: I was curious how RedSeal handles IoT?
Wayne: If there is vulnerability scan data, it tells us what OS, applications running, active ports, host name, MAC address, etc. Without that data, we can grab some device data, but with ForeScout, can get more context/additional data about the device. ForeScout can tell you the devices are there. RedSeal can ensure that it’s segmented the way it should be. We can tell you it’s there and how you can get to it, people need to make decisions and act. We show IoT devices as a risk.
Wayne: What are some of the trends that you are seeing that need to be addressed at customer sites?
Wallace: From a native cloud perspective, we are working on extending the customer on-premise environment and bringing visibility and control to the cloud. We are also working on making it easier to get security products to work together. People don’t have the resources for integration and ongoing management. We’re working to orchestrate bi-directionally with various toolsets to provide actionable intelligence – advanced threat detection, vulnerability assessment, etc.
We can take intel from other vendors, and ForeScout gives us the who, what, when, where from an endpoint to determine if that device should be on a network.
For example, an ATD vendor can detect malware (find it in their sandbox). They will hand us an incident of compromise (hash, code, etc.). We’ll look for those IoCs on devices on the network and then quarantine those devices.
Wayne: Security vendors need to work together. Customers don’t want to be tied to a single vendor. Thanks for your time today.
For more information, visit our websites at RedSeal and ForeScout.
POWER | July 8, 2016
The European Union (EU) parliament on July 6 approved the first community-wide rules designed to bolster cybersecurity throughout the EU.
According to the official statement, the new law “lays down security and reporting obligations for ‘operators of essential services’ in sectors such as energy, transport, health, banking and drinking water supply. EU member states will have to identify entities in these fields using specific criteria, e.g. whether the service is critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service.”
SIGNAL | July 8, 2016
Federal agencies need to address their aging legacy systems and need to do it now. The situation is so dire that some systems are more than 50 years old and running on 8-inch floppy disks, according to a report by the Government Accountability Office.
When disaster strikes, the Federal Emergency Management Agency (FEMA) enterprise network is expanded to include “temporary” mobile data centers that can last from months to years. In this kind of situation, change control, network maps and configurations can get wildly out of control. The security engineers in FEMA’s Security Operation Center (SOC) wanted network visibility. What’s more, they needed continuous monitoring to be able to measure risk and make decisions about how to deploy their scarce time and resources.
After learning more about RedSeal’s security analytics platform, FEMA’s cybersecurity lead realized that it could fill a major void in the agency’s solution set. RedSeal could help him understand the network, measure resilience, verify compliance, and accelerate response to security incidents and network vulnerabilities.
The FEMA SOC team deployed RedSeal to help manage their change control process — by modeling the data centers as they popped up in near real time. As data centers come online, they use RedSeal to ensure the right access is available. In the coming months, the team is expanding use of RedSeal to support their incident response program.
FEMA’s network team also uses RedSeal, to visualize access from disaster sites. Initially, they were shocked by the level of network access sprawl. They had no idea how much gear was on the network at a disaster site or how many security consequences resulted from simple configuration changes.
Now, with RedSeal’s continuously-updated network model, the network team is able to identify everything on the network and rapidly address any configuration changes that cause security, performance, and network uptime issues.
Get a PDF of this article. FEMA: Modeling Network Access
An anonymous intelligence agency had a problem.
Their vulnerability assessment program was expensive and sub-optimal. The program was run by two internal employees and 16 contractors. Going to data center to data center, each assessment could take anywhere from 2 months to a full year to conduct.
First, they had to inventory each data center and find all the configuration files. Then they had to review each set up to make sure they were updated and had applied best security practices. At that point, they could create a network map.
Using the map, they could then begin to manually analyze the network for vulnerabilities. Given time and resource constraints, the team was forced to triage. Ignoring medium and low level vulnerabilities, they focused on a short list of the most critical.
Of course, by the time they completed their analysis, the whole network had changed. The network map was merely a snapshot in time. Plus, the vulnerability assessment reports didn’t include leapfrogs to move deeper into the network.
The agency realized that getting one or two reports per year on a network that had already changed — at a cost of $5 million — was not a situation that could continue.
After researching various cybersecurity tools and getting a glowing review from other cyber teams in the government, the agency’s cybersecurity team realized that RedSeal was the solution they needed. RedSeal’s continuous monitoring of the config files on the network means that the network map is never out of date. Experts at In-Q-Tel were brought to review RedSeal. Approval was quickly given. On a Monday, their engineers told RedSeal, “We want it on Friday!”
Now, after deploying RedSeal agency wide and setting up 14 instances, they conduct continuous assessments year round across all data centers. After five years, customer feedback has been 100% positive, “We realize now that we can’t leverage the other cybersecurity tools unless we have RedSeal. RedSeal is core to our cybersecurity and vulnerability management operations.”
Do you have a problem with your time consuming manual vulnerability assessment program? Click here to set up a free trial of RedSeal and choose the better way.
RedSeal software is the best way to measure and manage the digital resilience of your network.
Get a PDF of this article. US Intelligence Agency: Clear ROI
USA TODAY | June 16, 2016
U.S. cybersecurity policy has followed a Jekyll-and-Hyde path lately.
In December, Congress passed a bill making it easier for U.S. software companies to hold onto their proprietary technology, to encourage them to share data on cyber threats. It was part of a new push for open cybersecurity standards to help combat rapidly-evolving threats.
In April, however, the Senate Intelligence Committee introduced a bill that would force U.S. companies to provide backdoor access to encrypted data to law enforcement in response to a warrant.
POLITICO | June 15, 2016
AFTER THE DNC ATTACK — The blockbuster news that Russians reportedly hacked the Democratic National Committee to get opposition research on Donald Trump and other information inflamed GOP criticism of Hillary Clinton’s private email server. But it had a host of security ramifications, not just political ones. MC spoke to, or heard from, a range of experts on the meaning of it all.