Tag Archive for: Incident Response

Top 10 Cyber Incident Response Mistakes and How to Avoid Them

Dark Reading | May 6, 2020

Automation can make a big difference in the efficacy and efficiency of an IR program. The trick is figuring out just the right level of automation to cut out the low-value manual work while still leaving the tasks better-suited to human judgment in the care of smart analysts.

“Some organizations underautomate and get lost in the slog because IR is hard,” says Dr. Mike Lloyd, CTO of RedSeal. “Others overautomate, not realizing that machine reasoning still falls short and is easily defeated by a human who knows they only need to beat a machine, not another human.”

The Importance of Speed in Incident Response


By RedSeal Federal CTO Wayne Lloyd

Have you seen CrowdStrike’s “Global Threat Report: Adversary Tradecraft and The Importance of Speed”?

Released at RSA Conference 2019, the report's key takeaway is that nation states and criminal organizations are increasing both the speed and sophistication of their cyber tactics. This isn't a surprise, but the report presents more detail on just how little time we have.

CrowdStrike defines “breakout time” as “the window of time from when an adversary first compromises an endpoint machine, to when they begin moving laterally across your network.”

The report shows a more granular examination of breakout time by clocking the increasing average speed of major nation state actors, including the breakout speeds of Russia, China, North Korea, Iran, and others.

So what can you do?

According to the report, basic hygiene is still the most important first step in defending against these adversaries, including user awareness, vulnerability and patch management, and multi-factor authentication.

The CrowdStrike report continues:

With breakout time measured in hours, CrowdStrike recommends that organizations pursue the ‘1-10-60 rule’ in order to effectively combat sophisticated cyberthreats:

  • Detect intrusions in under one minute
  • Perform a full investigation in under 10 minutes
  • Eradicate the adversary from the environment in under 60 minutes

Organizations that meet this 1-10-60 benchmark are much more likely to eradicate the adversary before the attack spreads out from its initial entry point, minimizing impact and further escalation. Meeting this challenge requires investment in deep visibility, as well as automated analysis and remediation tools across the enterprise, reducing friction and enabling responders to understand threats and take fast, decisive action.

RedSeal and the 1-10-60 Benchmark

A RedSeal model of your network, across on-premises, cloud and virtual environments, gives you the detail you need to accelerate network incident investigation. You'll be able to quickly locate a compromised device, determine which assets bad actors can reach from there, and get the information you need to stop them. Since RedSeal's model includes all possible access paths, you'll see the specific paths the network attacker could take to valuable assets. And you'll get specific containment options so you can decide what action to take, from increasing monitoring, to placing honeypots, to changing firewall rules, to simply unplugging the device, decreasing your network incident response time.

Answers that used to take hours, if not days, to determine during a network security incident become available immediately.

Click here to learn more about RedSeal’s support of incident response teams and how it will improve your agency’s digital resilience.

RedSeal To Be Mega Sponsor at Splunk .conf2017 Showcasing RedSeal Adaptive Response App for Incident Response

Sunnyvale, Calif. – RedSeal, a leader in network modeling and cyber risk scoring, today announced it is a Mega sponsor of .conf2017: The 8th Annual Splunk Conference. At booth M38, RedSeal will demonstrate how its network modeling and risk platform integrates with Splunk Enterprise Security (ES) to greatly accelerate incident investigation and containment. RedSeal became a member of the Splunk Adaptive Response Initiative in February 2017 and the RedSeal Adaptive Response App for Incident Response is currently available on Splunkbase.

“We made the decision to be a Mega sponsor of .conf two years in a row to reinforce the importance of integrating network context with existing security applications,” said CEO and Chairman of RedSeal Ray Rothrock. “The integration of RedSeal’s network modeling and risk scoring platform with Splunk’s analytics-driven security platform provides security professionals with real-time visibility into the blast radius, potential attack paths and associated at-risk assets for an Indicator of Compromise.”

RedSeal’s Vice President of Product Management, Kurt Van Etten, will present a session titled Accelerate Incident Investigation with RedSeal and Splunk Adaptive Response Actions at .conf2017 on Thursday, September 28th. During the session, attendees will learn how RedSeal’s integration with Splunk ES leverages the Splunk Adaptive Response framework to provide immediate answers to the following investigation-relevant questions:

  • What is the compromised device? Where is it physically and logically located?
  • What other critical assets can the threat access?
  • Can an untrusted network reach the compromised device?
  • What are the exact firewalls and rules you must modify to contain the threat?

.conf2017 will feature more than 200 technical sessions, including more than 80 customer presentations, and is expected to attract IT, security and business professionals from across the globe who know the value of their data. The conference will be held September 25-28 at the Walter E. Washington Convention Center in Washington, DC, with three days of optional education classes through Splunk University, September 23-25, 2017.

.conf2017 attendees will learn how to gain Operational Intelligence from machine-generated data by improving customer experience and service delivery, enhancing IT performance, shipping better code faster, providing timely business insights or reaching new levels of security in their organization. With 85 of the Fortune 100 in attendance, it’s the best place to learn how leading companies are using Splunk. Attendees will share best practices, discover new features and ways to implement Splunk software to gain insights from their data. Register for .conf2017. At the conference, follow us on LinkedIn and Twitter or follow the conference itself @splunkconf (all conversations tagged #splunkconf17).

About RedSeal

RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital world. RedSeal helps customers understand their network from the inside, out – and provides rich context, situational awareness and a Digital Resilience Score to help enterprises measure and ultimately build greater resilience into their infrastructure. Government agencies and Global 2000 companies around the world rely on RedSeal to help them improve their overall security posture, accelerate incident response and increase the productivity of their security and network teams. Founded in 2004, RedSeal is headquartered in Sunnyvale, California and serves customers globally through a direct and channel partner network.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries.

Accelerate Incident Response and Investigations

Knowing which hosts are involved in a security incident is critical information for any incident handler. The quicker the attackers and their targets can be identified, the quicker the incident can be stopped. Collecting this information from a plethora of systems and log sources can be difficult and time consuming. Compounding the problem even further, Forrester reported that “62% of enterprise security decision makers report not having enough security staff[1].” Lack of resources, and time spent verifying devices instead of dealing with the threat right away, contribute to the damage done by threat actors.

For an incident response team to perform their job effectively, on top of understanding and responding to threats, they need to understand the network. This includes all entrances to the network, the routes information flows through it, the critical systems needed to run the business, the location of those critical systems within the network, and an understanding of how an attack can spread once the network is compromised. Understanding the network and its topology is the foundation of any good incident response team. How do you protect against and contain an outbreak if you don’t understand how it spreads? The network is the medium in which it spreads.

Allowing your incident response team to access the RedSeal appliance will drop your “average time to achieve incident resolution” and “time to containment” KPIs. RedSeal ingests all network device configurations and will show the paths information takes, where the attacks are coming from, and where the targets exist within your network. RedSeal simplifies locating devices by parsing through the NAT, VPN, and load balancer configuration files with only a few clicks of the mouse. In a matter of minutes, the incident response team will be able to find where both the target and the attacker exist on the network, as well as the path the attack traffic is taking. Without it, in most situations, incident responders must follow routing tables manually or engage the network team to work out the path.

Another challenge incident response teams face is overlooking subnets and devices, especially in large and complex organizations. RedSeal will shine light onto forgotten devices and subnets. Again, with a few clicks of a mouse, RedSeal will analyze the configurations and report if there is a direct connection from untrusted zones to these devices. Once found, the devices can be hardened against threats and appropriate decisions can be made to take them offline, upgrade, or migrate them to a more protected area of the network.
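The questions the two passages above raise (which assets a compromised host can reach, whether an untrusted zone can reach a device, and which firewall rule would have to change to contain the threat) are all instances of reachability analysis over a network model. The following is an added example written for this page, not RedSeal's code or data: it builds a small hypothetical model (subnets, two firewalls with ordered permit/deny rules, a handful of assets, and a "forgotten" legacy subnet, all constructed here) and answers those three questions with a breadth-first search that only crosses a firewall when that firewall's policy permits the actual source, destination and port. NAT, VPN and routing lookups are deliberately omitted; routing is assumed to follow any permitted path.

```python
import ipaddress
from collections import deque

# ---- Constructed sample model (hypothetical network; not data from any real product) ----
SUBNETS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "internet": "0.0.0.0/0",
    "dmz": "10.1.0.0/24",
    "users": "10.2.0.0/24",
    "db": "10.3.0.0/24",
    "legacy": "10.9.0.0/24",      # a forgotten subnet nobody reviews any more
}.items()}

# Assets: ip -> (name, listening ports, is_critical)
ASSETS = {
    "10.1.0.10": ("web-1", {443}, False),
    "10.2.0.25": ("laptop-25", {445}, False),
    "10.3.0.5": ("crm-db", {1433}, True),
    "10.9.0.7": ("legacy-hr", {22, 80}, True),
}

# Firewalls: name -> (attached subnets, ordered rules).
# Rule = (src_cidr, dst_cidr, dst_port or None for any, action); first match wins, default deny.
FIREWALLS = {
    "fw-edge": ({"internet", "dmz", "legacy"}, [
        ("0.0.0.0/0", "10.1.0.10/32", 443, "permit"),
        ("0.0.0.0/0", "10.9.0.7/32", 22, "deny"),
        ("0.0.0.0/0", "10.9.0.0/24", None, "permit"),   # overly broad rule into the legacy subnet
    ]),
    "fw-core": ({"dmz", "users", "db", "legacy"}, [
        ("10.1.0.0/24", "10.3.0.0/24", 1433, "permit"),
        ("10.2.0.0/24", "10.3.0.0/24", 1433, "permit"),
        ("10.2.0.0/24", "10.9.0.0/24", None, "permit"),
    ]),
}

UNTRUSTED_PROBE = "203.0.113.10"   # representative untrusted source address (documentation range)


def locate(ip):
    """Longest-prefix match of an address to its subnet name (NAT/VPN translation omitted)."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in SUBNETS.items() if addr in net]
    return max(matches)[1]


def policy_decision(fw_name, src, dst, port):
    """Return (action, rule_index) of the first matching rule on a firewall; default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (s, d, p, action) in enumerate(FIREWALLS[fw_name][1]):
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d) and p in (None, port):
            return action, idx
    return "deny", None


def find_path(src, dst, port):
    """BFS over subnets; a hop through a firewall is taken only if its policy permits the flow.
    Returns the list of (firewall, rule_index) hops on the first permitted path, or None."""
    start, goal = locate(src), locate(dst)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        subnet, hops = queue.popleft()
        if subnet == goal:
            return hops
        for fw_name, (attached, _) in FIREWALLS.items():
            if subnet not in attached:
                continue
            action, idx = policy_decision(fw_name, src, dst, port)
            if action != "permit":
                continue
            for nxt in attached - seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(fw_name, idx)]))
    return None


def blast_radius(compromised_ip):
    """Assets and ports the compromised host can reach, with the firewall hops that allow it."""
    reach = {}
    for ip, (name, ports, critical) in ASSETS.items():
        if ip == compromised_ip:
            continue
        for port in sorted(ports):
            hops = find_path(compromised_ip, ip, port)
            if hops is not None:
                reach[(name, port)] = {"critical": critical, "hops": hops}
    return reach


def untrusted_can_reach(target_ip, port):
    """Is there a permitted path from the untrusted zone to this device and port?"""
    return find_path(UNTRUSTED_PROBE, target_ip, port) is not None


def containment_rules(compromised_ip):
    """The exact (firewall, rule_index) pairs that currently permit the compromised host's paths."""
    rules = set()
    for info in blast_radius(compromised_ip).values():
        rules.update(info["hops"])
    return sorted(rules)


if __name__ == "__main__":
    victim = "10.2.0.25"
    print("compromised host", ASSETS[victim][0], "is in subnet", locate(victim))
    for (name, port), info in blast_radius(victim).items():
        print(f"  can reach {name}:{port} critical={info['critical']} via {info['hops']}")
    print("untrusted zone can reach the victim:", untrusted_can_reach(victim, 445))
    print("rules to modify for containment:", containment_rules(victim))
    print("untrusted zone can reach legacy-hr:80:", untrusted_can_reach("10.9.0.7", 80))
```

Running the script shows the laptop reaching crm-db on 1433 and legacy-hr on 22 and 80 but not web-1, names the two fw-core rules that permit those paths, and flags that the forgotten legacy host is exposed on port 80 from the untrusted zone (the explicit deny on port 22 is honoured because rules are evaluated in order). Against a real configuration set the same questions are answered by a product's model; the point here is that each one reduces to a path search gated by per-hop policy.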

An incident response team’s main goal is to keep the level of impact to an organization down to an acceptable level. It is the time between detection and containment that has the biggest impact on mitigating the severity of the incident and data loss. Stopping the threat faster, before it spreads, also means fewer resources spent in recovering from the impact of the incident. RedSeal reduces the amount of time incident response spends identifying targets, moves the team to stopping the incident faster, and improves your organization’s resiliency against attacks.

[1] Forrester “Breakout Vendors: Security Automation and Orchestration.”

To learn more about how RedSeal can accelerate your incident response, watch our animated video, or contact us.

Does Your Company have a DFARS NIST 800-171 Time Bomb?

On December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS), revising its earlier August 2015 interim rule on Safeguarding Covered Defense Information.

This new interim rule is a ticking time bomb that gives government contractors a deadline of December 31, 2017 to implement all of the requirements of the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, or lose their contracts.

The NIST Special Publication 800-171 provides federal agencies with requirements for protecting Controlled Unclassified Information (CUI) when:

  • The CUI is resident in non-federal information systems and organizations
  • The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
  • There are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry.

Cybersecurity and compliance teams at government contractors are searching for technology to automate the necessary, but taxing process of implementing the mandated controls and remaining compliant on an ongoing basis. Organizations are finding that it is one thing to implement the 800-171 controls once, but quite another to implement and monitor them continuously.

RedSeal has a history of support for federal government cybersecurity initiatives. The company’s innovative software platform is installed in numerous DoD, intelligence, and civilian organizations for the purpose of continuous monitoring. At the highest level, RedSeal delivers three core security controls: visibility, verification, and prioritization.

RedSeal’s cybersecurity capabilities align with many of the controls in NIST 800-171. RedSeal supports a total of 26 controls in 7 of the 14 NIST 800-171 security requirements families; at a high level RedSeal supports 800-171 control areas as follows:

  • Configuration Management: Continuous validation of actual system configurations versus desired state across multi-vendor infrastructure.
  • Risk Assessment & Incident Response: Prioritization of vulnerabilities for efficient and effective remediation and response.
  • Network Security Architecture & Access Control: Network map and situational awareness for risk assessment, systems categorization and segmentation validation.
  • Security Assessment and Continuous Monitoring: Analysis of actual, deployed information flow architecture and continuous comparison with desired architecture and policy.
  • Planning, Program Management and Acquisition: Inventory, audit and analysis of network security architecture for legacy, new deployments, and acquired systems.


With RedSeal, federal system integrators can significantly reduce the cost and time associated with enforcing compliance against SP 800-171 by automating assessment of many of the SP 800-171 controls. Certain controls have traditionally been difficult to automate, and therefore resource intensive to maintain and audit. However, RedSeal’s unique technology automates and prioritizes these difficult controls, greatly decreasing resource requirements while improving the quality of the control.

The federal government is placing a greater sense of urgency on real-time situational awareness and continuous monitoring to improve the efficiency and effectiveness of responses to emerging security threats, and is now including government contractors in that effort. By implementing RedSeal, organizations can lower the cost of compliance, increase situational awareness, and improve control activity efficacy in an operationally efficient manner.

Will you defuse this bomb in time?

For more information on how RedSeal can assist with NIST 800-171 controls, please contact Matt Venditto, mvenditto@redseal.net or download a more detailed datasheet on NIST 800-171 here.

RedSeal Joins Splunk Adaptive Response Initiative at RSA 2017

RedSeal and Splunk Combine Forces to Deliver Automated and Continuous Response, Optimize Analytics-Driven Security and Improve Operational Efficiency

SUNNYVALE, Calif. & SAN FRANCISCO – RedSeal, the leader in network modeling and cyber risk scoring, and Splunk Inc., provider of the leading software platform for real-time Operational Intelligence, today announced that RedSeal has joined the Splunk® Adaptive Response Initiative. Powered by a growing list of leading cybersecurity technology vendors, Adaptive Response is a best-of-breed security initiative that leverages end-to-end context and continuous response to improve security operations with an adaptive security architecture. The announcement was made at the 2017 RSA Security Conference.

Following its unveiling at the 2016 RSA Security Conference, the Adaptive Response Initiative now includes over 20 participating vendors as members. With this extensive network, organizations can use Splunk Adaptive Response to further interact with data, extract and share new insights, gain more context and invoke actions across key security and IT domains. Ultimately, this allows customers to detect threats faster, make analytics-driven decisions and improve operational efficiencies within their Security Operations Center (SOC).

“Our increasingly digital world underscores the need for enterprise networks to be resilient to cyber events and network interruptions. Improved security posture and accelerated incident recovery are central to achieving this goal,” said Ray Rothrock, CEO of RedSeal. “By combining Splunk’s centrally positioned analytics-driven security platform with RedSeal’s network modeling and risk scoring platform, we are thrilled to help security professionals around the world gather even more context to detect threats quicker and deliver a more automated and continuous response against advanced attackers.”

While many organizations employ a layered, multi-vendor approach to security, most individual solutions are not designed to work together outside of the box. Splunk Enterprise Security (Splunk ES), working in conjunction with technologies like RedSeal’s network modeling and risk scoring platform, extends analytics-driven decision-making and improves detection, investigation and remediation times by centrally automating retrieval, sharing and response.

“We created the Adaptive Response Initiative so organizations could efficiently combat advanced attacks while utilizing their existing security architectures. Members like RedSeal are key to the success of Adaptive Response,” said Haiyan Song, senior vice president of security markets, Splunk. “Together we will solve this very challenging problem facing every enterprise.”


About RedSeal

RedSeal puts power in decision makers’ hands with the essential network modeling and risk scoring platform for building digitally resilient organizations. RedSeal’s Digital Resilience Score, modeled after a creditworthiness score, measures how prepared an organization is to respond to an incident and quickly rebound. The company’s platform adds value to existing network devices by working with them and building a network model. With this, customers can improve their security posture, accelerate incident response, and improve the productivity of their network and security teams. RedSeal’s customers are Global 2000 corporations and government agencies that depend on the most sophisticated security. Founded in 2004, RedSeal is headquartered in Sunnyvale, Calif. and serves customers globally through a direct sales and channel partner network.

Shadow Brokers Turn Out the Lights

The Shadow Brokers are turning out the lights. On their way out they dumped another suite of alleged National Security Agency hacking tools. Unlike last time, when the released exploits focused on network gear from vendors such as Cisco and Fortinet, these tools and exploits target Microsoft Windows operating systems. Most of the sixty-plus exploits are already detected by antivirus vendors, such as Kaspersky, and it is a safe bet that all antivirus vendors will detect them shortly.

In Shadow Brokers’ farewell post, they say they are leaving the account open for someone to deposit 10,000 bitcoins — the equivalent of $8.2 million — to obtain the entire cache of alleged NSA hacking tools. To date, no one has paid the requested amount. With such a high price, it has been speculated that the Shadow Brokers never seriously expected anyone to pay. This leads some to believe they are associated with a nation state that is trying to cause headaches for US spy agencies and the administration.

What can be done to protect your systems from these tools and exploits? Basic security practices, of course. Keep your systems up to date with patches and operating system releases. Practice your usual good cyber hygiene, such as not clicking on links in emails. Be conscientious about what you plug into your home or business computers, as a lot of malware can spread through external hard drives and USB sticks.

Also, it is imperative to have good backups and to test your backups. Many times after a breach occurs, organizations find out too late that they’ve never tested their restore procedures to verify they have good backups. Or, they learn that their backups have been infected with malware from previous backups of compromised systems.

Have an incident response plan in place and practice your incident response plans regularly. Having a plan is great. But you need to practice to make sure your team can execute your plan. A plan without practice is the equivalent of a firefighter knowing it takes water to put a fire out, but not knowing how to get the water off of the fire truck and onto the fire.

Know your network, and consider using RedSeal. Even if you don’t use us, knowing your network will lead to greatly enhanced resilience and enable your incident responders to keep business and mission critical systems online and functioning during an incident. Security is not sexy, despite what Hollywood depicts. There is no silver bullet that will magically make your network impervious. It takes hard work and continuous effort to build and maintain resilient networks. So, do you know yours — completely?