Posts

You Think Your Network Diagram’s Right?

Federal agencies are clamoring for information about best practices about to implement the findings of last year’s cybersecurity “sprint.” This new directive, the Cybersecurity Implementation Plan, is mandatory for all federal civilian government agencies. It addresses five issues intended to shore up agency cybersecurity and ensure network resiliency.

So when agencies are done with their implementation, all their networks and assets will be secure, right?

Wrong.

Most of the time the reality of your network and the official network diagram have little to do with each other. You may think it’s accurate…but it’s not.

Recently, I sat down with Jeremy Conway, Chief Technology Officer at RedSeal partner MAD Security, to talk about this. He works with hundreds of clients and sees this issue constantly. Here’s his perspective.

Wayne: Can you give me an example of a client that, because of bad configuration management, had ineffective security and compliance plans?

Jeremy: Sure I can. A few months back, MAD Security was asked to perform an assessment for an agency with terrible configuration management. With multiple data centers, multiple network topologies, both static and dynamic addressing, and multiple network team members who were supposed to report up the hierarchy, we quickly realized that the main problem was that they didn’t know their own topology.  During our penetration test, we began compromising devices and reporting the findings in real time. The compromises were just way too simple and easy.  The client disputed several of the results.  After some investigation, we figured out that the client had reused private IP space identical to their production network for a staging lab network, something no one but a few engineers knew about.  Since we were plugged into the only router that had routes for this staging network, we were compromising all sorts of unhardened and misconfigured devices.  Interestingly enough, this staging network had access to the production network, since the ACLs were applied in the opposite direction — a whole other finding.  To them and their configuration management solution, everything looked secure and compliant. But in reality, they had some major vulnerabilities in a network only a few folks knew about, vulnerabilities that could have been exploited to compromise the production network.

The client was making a common mistake — looking at their network situation only from an outside in perspective, instead also looking at it from the inside out.  They didn’t have enough awareness of what was actually on their network and how it was accessed.

Wayne: That’s a powerful example. How about a situation where an agency’s use of software-defined or virtual infrastructure undermined their access control?

Jeremy:  One hundred percent software defined networks are still rare in our world. However, we had a situation where virtual environments were spun up by the apps team, not the network team, which caused all sorts of issues. Since the two teams weren’t communicating well, the network team referenced network diagrams and assumed compliance.  In reality, the apps team had set up the virtual environment with virtual switches that allowed unauthorized access to PCI data. Running a network mapping exercise with RedSeal would have identified the issue.

Wayne: I imagine that inaccurate network diagrams cause major issues when incident response teams realize that there hasn’t been any auto discovery and mapping of the network.

Jeremy: Yes, this is a must-have feature, in my opinion. When responding to an incident, you have to perform the network-to-host translations manually. Tracking down a single host behind multiple network segments with nothing but a public IP address can take a long time. In a recent incident with multiple site locations this took the client’s network team two working days — which really doesn’t help when you’re in an emergency incident response situation.

RedSeal makes it easy to find which host has been compromised and which path an intruder has taken almost instantaneously.

Moreover, conducting a security architecture review is much quicker and more comprehensive with RedSeal. This used to be a manual process for our team that typically took 2-4 weeks for the average client. RedSeal has cut that time in half for us.  Additionally, with RedSeal the business case for action is stronger and the result is a better overall remediation strategy. How? For one, given an accurate map of the network, HVAs can be prioritized and a triage process can be deployed that allows security teams to focus scarce time and resources on priority recommendations. This visibility into the severity of security issues also allows teams to develop mitigation strategies for patch issues.

Wayne: Jeremy, this has been a great discussion. I hope you’ll come back and do this again.

Continuous Monitoring + Policy Management Leads to Network Resilience and Successful Command Cyber Readiness Inspections

Over the past few years, DISA has been moving network infrastructure into Joint Regional Security Stacks.

DISA’s website says, “A joint regional security stack is a suite of equipment that performs firewall functions, intrusion detection and prevention, enterprise management, virtual routing and forwarding (VRF), and provides a host of network security capabilities…security of the network is centralized into regional architectures instead of locally distributed …JRSS allows information traversing DoD networks to be continuously monitored to ensure response time as well as throughput and performance standards. JRSS includes failover, diversity, and elimination of critical failure points as a means to assure timely delivery of critical information.”

RedSeal is the official continuous monitoring solution for the JRSS. We are actively working with our clients to deploy this feature to help them achieve network resilience.

However, many clients don’t realize that combining continuous monitoring with policy management solves another actual problem: preparing for and passing Command Cyber Readiness Inspections (CCRIs).  Teams have to nearly shut down operations for weeks at a time to prepare for these important events. Failure can affect careers.

CCRIs take place on annual cycles and information networks get wildly out of compliance.  To keep networks operationally compliant, RedSeal monitors configurations daily and send alerts when actions have been taken that violate policy.  Plus, RedSeal is the only platform that allows its customers to verify STIG compliance on all of their Layer 2 & 3 devices as part of their continuous monitoring practice. This, in turn, allows for less prep time needed for CCRIs.

At a recent Centcom briefing by RedSeal, a DISA representative noticed that “it would make more sense if you import PPSMs [ports, protocols and services management] into RedSeal.” This would reduce the time to identify new, daily activity that created non-compliant configurations.  A number of RedSeal customers have successfully deployed the combination of PPSM policies with RedSeal’s continuous monitoring capability.  RedSeal automatically conducts scheduled analysis of the platform to check compliance with PPSMs and alerts on any failures, no matter how small.

Customers have found that automated continuous monitoring plus policy management equals network resilience.   CCRIs can now become a byproduct of daily network and security operations.  Successful real time policy management means more successful, less taxing CCRIs and higher network overall resilience.

President Obama’s $19 Billion Cyber-Defense Budget and Plan is a Bold and Necessary Step

“The federal government is finally taking bold steps to fulfill what the Constitution says in its preamble – ‘to provide for the common defense,’ in this case, the common cyber defense.

The actions and budget announced today are an important recognition and investment in the defense of the critical information infrastructure of the United States, and provides an example for governments, businesses, and NGOs worldwide.

The plan recognizes that it is critical to implement platforms with analytics and capabilities to understand complex networks and assist in prioritizing what needs to be done first to improve resilience.

As the president writes in a Wall Street Journal op-ed, ‘we are still in the early days of this challenge.’ Networks will only grow more complex, creating opportunities for hackers and challenges for defenders.

The federal government’s new Chief Information Security Officer should be asking talented agency teams, ‘how are we measuring our cyber results and defenses? How are we thinking about resilience? And how are we determining the first step to take to make our digital infrastructure more resilient?’

Networks were not designed with cyberattacks in mind, so they are not resilient to them.  But it’s not too late. Building digital resilience into networks before attacks is the only way to get ahead of the ongoing, automated, and ever more sophisticated attacks.

The proposal by the President can be an excellent step in leading the world to a more cyber resilient future.”

2015 Alamo AFCEA Chapter Event (ACE) Speakers Focus on Solving Root Causes of Cybersecurity

For the third time in a row, I flew down to Texas at the end of the year.

The reason? To attend the important Alamo ACE event presented by the local San Antonio AFCEA chapter. With multiple sessions over three days covering primarily cybersecurity and ISR, the event draws 1500 military and industry leaders.

My takeaway? RedSeal’s cybersecurity analytics platform and approach to proactive digital resilience was validated by a series of senior leaders on the front lines of protecting our nation’s most high value assets. Each of them is shifting focus to solving the root causes of cyber insecurity, rather than deploying a patchwork of tools. They realize that:

  • End users can’t manage their own security
  • A global black market has resulted in low prices for hacking toolsets
  • Commercial IT has a multitude of defects that create cyber risk

These military leaders equate mission assurance with security. This means:

  • The network must be survivable against all attacks and available 24×7
  • Users can have different authorizations for data access.
  • The DoD’s cyber supply chain interdependencies must be equally protected or the entire mission is at risk.

The first session I attended featured Steve Brown, the Vice President of Operations and Cyber Intelligence Center in the Global Cyber Security organization at Hewlett Packard. A former Navy and Wells Fargo senior security leader, Steve saw three big similarities across military and commercial organizations:

  1. The same critical data targets across DoD and commercial
  2. The same end user issues
  3. The same need to balance reward with risk

What keeps Steve up at night? Globally, 30 billion cyber events per day and 1.4M on his networks! Steve works to make cyber investments about risk and reward. For example, to shorten time lag between attack and response he split up his Red Team and created a Cyber Hunting team. Gathering and sharing intel wherever he can to see risk earlier and proactively take action.

On the same panel was Lt. Gen. (retired) Michael J. Basla now Senior Vice President of Advanced Solutions for L-3 National Security Solutions (L-3 NSS) and former CIO of the US Air Force. According to him, the key challenges for US cybersecurity are:

  • No matter how well secured we are, they will get to us. Plan for it.
  • Focus on access rather than security
  • We must find successful hacks faster
  • We need to not only have a map of our digital infrastructure, but also know the terrain — including sections in the Cloud.

Later on, I sat in on a session featuring Maj. Gen. Burke E. “Ed” Wilson. He is the Commander, 24th Air Force and Commander, Air Forces Cyber, Joint Base San Antonio-Lackland, Texas.

Gen. Wilson gave a quick overview of the US Air Force’s cyber terrain, including an emphasis on securing their network, base infrastructure and weapons systems. This is a change from the past when the USAF was focused primarily on network defense. Now they also focus on base infrastructure and weapons systems. They struggle with how to provide mission assurance from cyber risk.

On the flight home, reflecting on this conference, I realized the DOD cyber security conversation has changed dramatically. The past focus on audit and inspections has given way to a realization that networks are critical to national security. They deliver the mission. Our military leaders understand the cyber threat to their missions and are now putting their focus behind creating the strongest possible defense.

Cyber Concerns Dominate 2015 AFCEA TechNet Asia Pacific

by Derek Heese, RedSeal’s director, Department of Defense RedSeal

I recently returned from Hawaii where I attended the AFCEA TechNet Asia Pacific trade show for the fifth time in a row. It’s always a good opportunity to hit a couple of birds with one stone: meet with some customers, develop relationships with new prospects and hear which issues and initiatives are getting the highest attention.

It wasn’t a surprise given the events of the past few years, but I was pleased to hear the deputy commander of the Pacific fleet, Rear Admiral Phillip G. Sawyer say, “If you’re not resilient in communications, you’re not relevant.” Of course, this applies to the traditional communications infrastructure as well as to cyber security.

As another speaker, Maj. Gen. Dave Bryan, USA (Ret.), pointed out, “We’re at war in cyberspace, and this has been a hard lesson to learn.” He added that the threat lies not to network access or to the network itself, but to the data. “It’s the database, stupid,” he said. “Look for the technologies coming out that protect the database.”

Adm. Dick Macke, USN (Ret.), former commander, U.S. Pacific Command, offered deductive reasoning to set a high priority for cyberspace. “Cyber equals C2 [command and control], C2 equals victory. Therefore, victory needs cyber,” he stated. Adm. Macke called for the ability to beat the enemy at its own game. “We’re going to be attacked, and we are going to lose some part of our C2,” he warned. “I’m a warfighter, and I want rules of engagement that allow me to attack [cyber] before I have to defend.”

Needless to say, we had a steady stream of visitors drop by our booth, mostly new prospects, asking how RedSeal could provide solutions to their various problems. Network mapping. Vulnerability identification.  Automating security controls. As one Navy officer said, “If you have to do it more than twice, automate it.”

I agreed. And we scheduled a demo of RedSeal for his team this week.

Events

Nothing Found

Sorry, no posts matched your criteria