Tag Archive for: Network Visibility

Tales from the Trenches: My network hasn’t changed!

Since 2004, RedSeal has been instrumental in empowering our clients to comprehensively visualize and fortify their intricate networks. While our customers initially grasped the importance of understanding their network architecture, connections, and identifying potential risks, there’s often an enlightening “aha” moment when the true significance becomes unmistakable. These narratives, cherished within the confines of RedSeal, vividly exemplify the practical value of our platform beyond mere theory. In the words of our dedicated field team, who collaborates directly with our clients, this blog series aims to unveil the instances where the theoretical transforms into tangible reality.

Today’s post is brought to you by John Bays, Senior Security Solutions Consultant, Federal


Imagine navigating the landscape of a government entity, where a dedicated administrator went about their daily routine, firmly believing that a single login to the server was all it took to keep things ticking. Little did they know, a significant issue had quietly brewed beneath the surface – the network had remained unchanged for a considerable six-month stretch.

Approaching the situation with curiosity, I gently posed some questions.

  • How might they have overlooked the network’s lack of growth?
  • What led them to believe that everything was running smoothly without addressing potential issues?

This unfolding scenario morphed into a journey of understanding, aiming to uncover misconceptions and illuminate the broader responsibilities at hand.

Misunderstanding a role’s responsibility happens. At RedSeal, we know this and help ensure misunderstandings are laid to rest. Taking a supportive approach, I guided them through various aspects of the platform, emphasizing the value of active involvement. As the pieces fell into place, a realization dawned on this client – our exploration revealed numerous devices being added and removed from the network. This revelation painted a richer picture, demonstrating that their role was more intricate than they had initially perceived.

This experience turned out to be a valuable lesson for all involved, highlighting the importance of staying engaged and adapting to the ever-changing dynamics of the network environment. It wasn’t about fault-finding; rather, it underscored the need for continuous learning and awareness in the evolving tech landscape. After all, even the most dedicated administrators can benefit from a broader perspective on their responsibilities.

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.

Why Visualizing the Entire Healthcare Attack Surface Is Critical

In recent years, the healthcare sector has been steadily adopting web and cloud-based technologies and shifting towards an internet-enabled system to improve quality of care.

However, along with the limitless benefits that the internet offers — like sharing information, simplifying operational processes, tracking workflows, enhancing connectivity, and storing and organizing data — is an increased risk of cyberattacks, data breaches, and other types of fraud. This makes hospitals and healthcare organizations increasingly vulnerable to advanced threats and targeted attacks.

According to recent reports, data breaches in the healthcare sector have been rising at an alarming rate for the last five years. In 2020, during the COVID-19 pandemic, email-based attacks increased by 42%, so it’s no wonder that more and more healthcare organizations are adopting a robust, multi-faceted strategy to improve their security posture. Hospitals’ expanding digital footprint also complicates their network infrastructures, making complete visibility into the entire attack surface extremely essential to managing cyber risks effectively.

Expanding Healthcare Attack Surface Risks

The widespread use of wireless technology is undoubtedly beneficial to the healthcare system. Wireless technology enables healthcare IT infrastructures to run data center servers, medical equipment, tools and applications, and other devices like smartphones, tablets, and USB drives. Organizations stay connected to deliver effective operations and consistently informed care.

These connected devices help in patient monitoring, medication management, workflow administration, and other healthcare needs. However, the increased number of devices connecting to the network also broadens the attack surface — meaning more entry points for unauthorized access and therefore the need for enhanced infrastructure visibility to mitigate risks.

Why Complete Visualization Is Essential

From booking an appointment to setting foot in the doctor’s clinic or hospital, patients go through several processes and interact with different interconnected devices and software systems. While a connected environment ensures a seamless patient experience, the different touch points provide more opportunities for attackers to gain access to sensitive data.

Currently, there are 430 million linked medical devices deployed globally, connected through Wi-Fi, Bluetooth, and radio transmission. The sheer amount of sensitive and personal information healthcare systems capture and process is why their systems are desirable targets. Therefore, it is critical to safeguard the data stored in these systems.

Protected health information (PHI), such as credit card and bank account numbers, and personal identification information (PII), such as social security numbers, are data cybercriminals find particularly alluring. Selling this sensitive information on the dark web is a very profitable business.

Even just a small part of the healthcare technology spectrum may lead to the greatest cybersecurity gaps, allowing criminals to exploit vulnerabilities and gain access to sensitive data. The resulting cyber crimes directly impact organizational productivity and brand reputation.

Here are a few risks that are most detrimental to healthcare businesses’ bottom lines and reputations.

  • Ransomware: Healthcare services are notably vulnerable to ransomware attacks because they depend on technology to a significant extent, considering the nature of their day-to-day operations. Health records are highly rewarding for criminals because each patient, hospital, or confidential record can command a hefty price in the underground market.
  • Phishing: Phishing attacks are quite common in healthcare. Attackers target the most vulnerable link in the security chain, i.e., people, to make their jobs easier. Through social engineering, users click on malicious attachments or links, thereby infecting their systems and losing access. The repercussions can be disastrous and the losses unimaginable. For instance, a Georgia diagnostics laboratory recently discovered that an employee’s compromised email account led to a phishing attack, impacting 244,850 individuals. The attackers were able to acquire patient information and then attempted to divert invoice payments.
  • Cloud Storage Threats: Many healthcare providers are now switching to cloud-based storage solutions for better connectivity and convenience. Unfortunately, not every cloud-based solution is HIPAA-compliant, making them clear targets for intruders. Healthcare companies must implement access restrictions more carefully and encrypt data properly before transmitting. Additionally, complete visualization of the attack surface is necessary to prevent data breaches, data leaks, improper access management, and cloud storage misconfiguration.

How to Protect Expanding Healthcare Attack Surfaces

Attack surface analysis can help identify high-risk areas, offering an in-depth view of the entire system. This way, you can better recognize the parts that are more vulnerable to cyber threats and then review, test, and modify the security strategies in place as necessary.

Healthcare IT administrators must secure the network infrastructure using stringent policies and procedures like enforcing strong passwords, properly configuring firewalls, setting up user access permissions, and ensuring authorized access to assets and resources. They must also monitor and properly configure all the devices connected to the network — be it standard healthcare devices or personal devices of patients and workers. In addition, a strong encryption policy can help increase data security, making it difficult for cyber attackers to penetrate the system.

Conducting regular attack surface scans can also mitigate cyberattack risks. This helps ensure security control measures are adequate and that decision-makers have the data they need to make informed decisions regarding the organization’s cybersecurity strategy. Also, all types of software and related updates for medical devices must be tested prior to installation.

Secure Your Entire Healthcare Network with RedSeal

Healthcare organizations often hesitate to invest in cloud security solutions. But the average cost of a healthcare breach is $9.23 million, which is far more than the cost of professional cloud security solutions. Additionally, healthcare institutions deal with extremely sensitive information, and fines for data security noncompliance can be extremely costly. Healthcare security leaders must be able to effectively visualize their entire attack surface to bolster their cybersecurity defenses.

RedSeal offers award-winning cloud security solutions that provide comprehensive, dynamic visualization of all connected devices. We partner with leading network infrastructure suppliers to provide comprehensive network solutions and professional services. This way, you can see and secure your entire network environment.

Contact us to learn how we can help strengthen your network security.

Purdue 2.0: Exploring a New Model for IT/OT Management

Developed in 1992 by Theodore J. Williams and the Purdue University Consortium, the Purdue diagram — itself a part of the Purdue Enterprise Reference Architecture (PERA) — was one of the first models used to map data flows in computer-integrated manufacturing (CIM).

By defining six layers that contain both information technology (IT) and operational (OT) technology, along with a demilitarized zone (DMZ) separating them, the Purdue diagram made it easier for companies to understand the relationship between IT and OT technologies and establish effective access controls to limit total risk.

As OT technologies have evolved to include network-enabled functions and outward-facing connections, however, it’s time for companies to prioritize a Purdue update that puts security front and center.

The Problem with Purdue 1.0

A recent Forbes piece put it simply: “The Purdue model is dead. Long live, Purdue.”

This paradox is plausible, thanks to the ongoing applicability of Purdue models. Even if they don’t quite match the reality of IT and OT deployments, they provide a reliable point of reference for both IT and OT teams.

The problem with Purdue 1.0 stems from its approach to OT as devices that have MAC addresses but no IP addresses. Consider programmable logic controllers (PLCs). These PLCs typically appear on MAC addresses in Layer 2 of a Purdue diagram. This need for comprehensive visibility across OT and IT networks, however, has led to increased IP address assignment across PLCs, in turn making them network endpoints rather than discrete devices.

There’s also an ongoing disconnect between IT and OT approaches. Where IT teams have spent years looking for ways to bolster both internal and external network security, traditional OT engineers often see security as an IT-only problem. The result is IP address assignment to devices but no follow-up on who can access the devices and for what purpose. In practice, this limits OT infrastructure visibility while creating increased risk and security concerns, especially as companies are transitioning more OT management and monitoring to the cloud.

Adopting a New Approach to Purdue

As noted above, the Purdue diagram isn’t dead, but it does need an update. Standards such as ISA/IEC 62443 offer a solid starting point for computer-integrated manufacturing frameworks, with a risk-based approach that assumes any device can pose a critical security risk and that all classes of devices across all levels must be both monitored and protected. Finally, it takes the position that communication between devices and across layers is necessary for companies to ensure CIM performance.

This requires a new approach to the Purdue model that removes the distinction between IT and OT devices. Instead of viewing these devices as separate entities on a larger network, companies need to recognize that the addition of IP addresses in Layer 2 and even Layer 1 devices creates a situation where all devices are equally capable of creating network compromise or operational disruption.

In practice, the first step of Purdue 2.0 is complete network mapping and inventory. This means discovering all devices across all layers, whether they have a MAC address, IP address, or both. This is especially critical for OT devices because, unlike their IT counterparts, they rarely change. In some companies, ICS and SCADA systems have been in place for 5, 10, even 20 years or more, while IT devices are regularly replaced. As a result, once OT inventory is completed, minimal change is necessary. Without this inventory, however, businesses are flying blind.

Inventory assessment also offers the benefit of in-depth metric monitoring and management. By understanding how OT devices are performing and how this integrates into IT efforts, companies can streamline current processes to improve overall efficiency.

Purdue Diagram


Controlling for Potential Compromise

The core concept of evolving IT/OT systems is interconnectivity. Gone are the days of Level 1 and  2 devices capable only of internal interactions, while those on Levels 3, 4, and 5 connect with networks at large. Bolstered by the adoption of the Industrial Internet of Things (IIoT), continuous connectivity is par for the course.

The challenge? More devices create an expanding attack surface. If attackers can compromise databases or applications, they may be able to move vertically down network levels to attack connected OT devices. Even more worrisome is the fact that since these OT devices have historically been one step removed from internet-facing networks, businesses may not have the tools, technology, or manpower necessary to detect potential vulnerabilities that could pave the way for attacks.

It’s worth noting that these OT vulnerabilities aren’t new — they’ve always existed but were often ignored under the pretense of isolation. Given the lack of outside-facing network access, they often posed minimal risk, but as IIoT becomes standard practice, these vulnerabilities pose very real threats.

And these threats can have far-reaching consequences. Consider two cases: One IT attack and one OT compromise. If IT systems are down, staff can be sent home or assigned other tasks while problems are identified and issues are remediated, but production remains on pace. If OT systems fail, meanwhile, manufacturing operations come to standstill. Lacking visibility into OT inventories makes it more difficult for teams to both discover where compromise occurred and determine the best way to remediate the issue.

As a result, controlling for compromise is the second step of Purdue 2.0. RedSeal makes it possible to see what you’re missing. By pulling in data from hundreds of connected tools and sensors and then importing this data into scan engines — such as Tenable — RedSeal can both identify vulnerabilities and provide context for these weak points. Equipped with data about devices themselves, including manufacturing and vendor information, along with metrics that reflect current performance and behavior, companies are better able to discover vulnerabilities and close critical gaps before attackers can exploit OT operations.

Put simply? Companies can’t defend what they can’t see. This means that while the Purdue diagram remains a critical component of CIM success, after 30 years in business, it needs an update. RedSeal can help companies bring OT functions in line with IT frameworks by discovering all devices on the network, pinpointing potential vulnerabilities, and identifying ways to improve OT security.

When Moving to the Cloud, Don’t Overlook Resources On-Premises

Today’s cloud infrastructure is complex and constantly evolving. In the cloud, security controls are implemented by developers and DevOps teams while on-premises controls are implemented by the firewall/network operations teams. These can create significant knowledge gaps, leading to unknown attack points.

Most security spending these days is focused on the cloud and treated as a silo, but you can’t afford to ignore your on-prem resources and how the two entities work together.

Challenges with Protecting Cloud and On-Premises Resources

With resources moving to the cloud, most of the attention moves to cloud security and protecting the cloud perimeter and resources. Yet on-prem resources also have connections and exposure. However, you need a comprehensive security strategy that protects both cloud and on-premises resources.

Many organizations and vendors struggle with getting this comprehensive picture. For example, in many companies, in-house teams are responsible for managing on-prem resources while other teams or third-party providers monitor the security of cloud resources. At the same time, you have DevOps teams that are constantly evolving the cloud environment.

Different Languages

The products and tools being used in the cloud and on-premises domains are often disconnected and speak different languages as do the teams using them.

The problem is not people, however. It’s often the tools being used, like having a separate doorman on the front door (cloud) and back door (on-prem), and they both speak different languages and often have competing goals. While security teams are focused on mitigating exposure, DevOps teams are looking for a faster way to bring products to market. Competing goals can only aggravate language barriers.

Even highly skilled teams may not understand how other teams work. The technology is different, the configurations are different, and some nuances require expert interpretation and experience. Few team members will be conversant in both on-prem and cloud resources.

Greater Complexity

More than 90 percent of large organizations already employ multi cloud strategies; 80 percent use hybrid clouds.

This creates an even greater complexity for security and management. For example, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud use different names for instances and virtual machines. Azure calls them virtual machines (VMs), while Amazon has Elastic Cloud Compute (EC2) and Google has the Google Cloud Compute Engine.

Even when the same term is used, it can mean different things. For example, a virtual private cloud (VPC) exists in both AWS and Google, but they are different and operate differently.

This only increases the language barrier that hinders a comprehensive approach to security.

Lack of Understanding of Shared Responsibility

Organizations also assume their cloud service provider (CSP) will protect assets in the cloud. While CSPs such as AWS, Azure, Google Cloud, Oracle Cloud, and others provide robust security for their networks, it’s still the customer’s responsibility to protect their data.

Gartner estimates that 99 percent of cloud security failures are the fault of the customer, not the CSP. The sheer volume of configuration settings and pathways to critical resources makes it difficult to manage security in the cloud. When you add in on-premises data centers or servers that are connected, the infrastructure becomes even more complex.

Constant monitoring and continuous compliance should be a shared responsibility between providers and organizations.

Not Monitoring Resource Misconfigurations

Most vendor security solutions are only as effective as how they’re configured. Yet few are monitoring that and telling you where these configurations are causing potential problems.

You need a comprehensive, end-to-end understanding of your cloud and on-prem infrastructure to analyze every configuration and security policy. While you may have cloud security tools for each environment, you need complete cloud network visibility to protect your infrastructure, look for exposure, and find security gaps.

Are You Seeing the Whole Picture?

Nearly every organization has at least some on-premises that are connected. The challenge often comes when it’s time to configure the right access for communication. You need to ensure that nobody on the cloud side can attack on-prem resources or vice versa. That’s why total visibility is essential.

If you’re not seeing the whole picture, it’s easy to miss attack points. Securing your infrastructure requires you to detail what you have, how it’s connected, and what’s at risk.

You need to:

  • Know what you have in your total infrastructure
  • Understand how everything is connected
  • Determine where your exposure is — all attack paths to cloud and on-premises
  • Uncover what policies or configurations created the exposure

Only then can you remediate problems and plug security gaps. You must understand how your cloud and on-prem resources are all interconnected to determine and mitigate your total risk.

Managing Cloud and On-Prem Resources

Some organizations turn to Cloud Native Application Protection Platforms (CNAPP) as a way to provide visibility amid the complexities and the constant evolution of hybrid resources. Yet all existing CNAPP solutions don’t understand on-Premises and are insufficient to identify access via all attack path and associated risk. Most tools call into the application programming interfaces of cloud service providers, looking for misconfigurations at the compute and container levels. However, they don’t fully understand end-to-end access.

CNAPP is an important weapon in the battle to secure the cloud, but most vendor solutions simply do not provide the total visibility you need across cloud and on-prem resources. RedSeal solves these problems.

RedSeal on-premises and RedSeal Stratus in the cloud provide a complete view of the entire infrastructure. They identify the gaps in your security by pinpointing attack points and any hidden pathways. This analysis also determines the underlying reason why these attack points exist and what needs to happen to remediate them.

RedSeal solutions also work across borders. They provide the platform to speak to DevOps and firewall/network operations teams in the right way, helping eliminate language barriers. This way, you get benefits across borders for cloud and on-prem, enabling you to identify security issues across the entire infrastructure by driving collaborations between the teams and building trust.

Protect Your Entire Infrastructure

On-premise and cloud resources cannot be protected in a silo. Working in tandem with a shared responsibility model, a hybrid solution with RedSeal provides continuous monitoring and compliance across both on-prem and cloud resources, identifies gaps, and helps you protect your entire infrastructure.