Mapping Policy to Your Network

A few years ago, I sat in an otherwise empty classroom inside the administration building of a children’s hospital with two members of their security team. We stared at a spreadsheet and a document that described the server and client zones of their network, displayed from a projector like a classroom project. For each zone, we dug into the details of allowed, forbidden, and approved access. This work was precise and detailed, requiring us to step through subnet addressing, host addresses, and the policy documentation over and over again.

mappingEventually, we had mapped the network security architecture policy to their network, though, and this was a critical next step in protecting kids and their families from the potential evil done by those who would attack the network of a children’s hospital.

The work to dig in and map every network to an appropriate zone is significant, but it’s critical. Regardless of your specific requirements, knowing the purpose of every subnet, each type of host collection you have, and mapping them to a reasonable network security architecture is a critical requirement allowing you to draw lines between parts of your network to avoid the situations that Target and Supervalu have found themselves facing.

As attackers and their attacks become ever more sophisticated and patient, your security zones and the implementation of security controls between them is your only real defense. Of course, using automation to monitor those controls and ensure that they are implemented correctly, consistently, and completely is equally vital. More on that in an upcoming post.

Leave a comment

Filed under Uncategorized

Staying on Top of Security

By Ray Rothrock, CEO of RedSeal Networks

Wall Street values companies based on their performance over time.  That performance is measured in revenue growth and profit, but it is also measured by the reliability with which results can be predicted. Predictable results makes everyone happy.  Wall Street doesn’t like surprises, and neither does a CEO.  At some level, I suppose, the CEO’s job is to grow the business with as few moving parts as possible, eliminating potential surprises that could upset predictable results.

ray-staying-on-topThis becomes difficult when you realize that the very foundation of every modern business, the network, is full of moving parts and is anything but stable. Technology continues to evolve, new products are introduced, and companies are constantly changing their electronic infrastructure in hopes of improving operations and lowering costs.  This double whammy of new products and the desire to lower costs by changing the network brings complexity, potential vulnerabilities and unpredictability to the business. At the end of it all, one should always ask the question – are things getting better, or not?  Is my network improving or not?  And am I more secure or not? How can I know?

I recently met with the chief executive of a Fortune 20 company.  In our discussion I learned that this CEO gets a cyber report every Monday morning.  Not only does it include what attacks or threats his company witnessed, but it includes information on what is happening in the world as it applies to his business.  This sounds a lot like what the President of the United States gets in his daily briefings from the NSC!  I was totally surprised and delighted that he was taking security so seriously.

What does this mean for you, the CEO?  A cyber event is coming, whether you like it or not.  It doesn’t have to be scary or deadly.  Being prepared with a secure network is now the cost of doing business.  The sooner you start, the less impact it’ll have on your company when it happens to you.

 

Leave a comment

Filed under Uncategorized

Was It Something I Said?

I was in one of those small, interior conference rooms when it first happened. It was very hot outside, with an obvious threat of another day over 100°F and extreme humidity, as well. But, it felt even hotter in the room. I was there to provide insights to members of the network and security teams for a regional retailer, and only a few minutes into the training, it seemed like everything I said resulted in angry rebuttals. As a pretty easy-going guy, I couldn’t figure out how it was that I had offended the senior network engineer so completely. So, I asked her, “What has you so upset about this information?”

“Simple!” she hissed through clenched teeth pointing across the table, “They are going to just use this to beat me up!”

There, in a nutshell, is a fundamental problem with many IT organizations: different teams have different fundamental objectives and instead of working together and understanding the goals in a more holistic way, they end up in an adversarial relatiosomething-i-saidnship, fighting for resources and the favor of the CIO, CFO, and CEO.

It starts with the clear distinction between the role of network operations and security. The network team is responsible for making sure that packets get through. Their phone doesn’t ring as long as everyone gets access to what they need and there are no slowdowns. On the other hand, security is responsible for making sure that some packets do not arrive, protecting network assets from unauthorized access and from potential attacks of various kinds. As a result, the two teams often find themselves diametrically opposed to one another.

The solution to this rests with the CIO as typically the executive responsible for all aspects of the network infrastructure. As a result, the CIO is the place where these divergent objectives join to create a single strategy, and she is the one who can provide the context and vocabulary for unification.

How is this done in your organization? How have you seen it done, perhaps in organizations where it doesn’t work so well (since I’m sure your organization doesn’t have this issue!)? What do you need in order to make sure that the entire IT organization is aligned to the same goals?

Leave a comment

Filed under Uncategorized

Identify and Close Before the Bad Actor Exploits

It happened again yesterday. I was taking a break on my back porch and listening to the Colorado summer rain when an alert hit my phone: news of another breach. They seem to be coming with a disturbingly increasing regularity and with ever more serious consequences. For example, one company, Code Spaces, was completely destroyed when they refused to pay an attacker who then destroyed their customers’ data. The Energetic Bear group accessed utilities’ networks and could have launched attacks against them. In all likelihood, the number, extent, and veracity of these attacks will simply continue to expand.

So what do you do?telescope-smaller The good news is that the steps are well known and understood: place security controls into your network to isolate a set of subnetworks (typically called “zones”) and both set and monitor the potential access paths between the zones. This is the first set of defenses against attacks, and one which many organizations do not fully deploy.

It is common for me to see organizations that partially deploy zones – but do not monitor their implementation. This is akin to the multi-petabyte database that contains one incorrect byte of information: you can trust none of the information as a result.

So, the first step is to create clear and concise zones in your network and to analyze all potential access paths through your network to be sure that your zone rules are respected network-wide.

Do you do this? If so, what’s your approach?

Leave a comment

Filed under Uncategorized

The Reality Gap

Architecture, Design, and the Operational Network

A couple years ago in a conference room with a window looking out on the Arizona desert, two of us sat down with a customer to talk about their network. I asked to see their best network diagram, which he left to retrieve. When he returned, he rolled it out to its full length on the conference table. He began telling me of a number of inaccuracies that he knew while I looked in the lower right corner for the annotation.

The plot was years old.Untitled-1When I speak to groups of engineers, I often ask how old they think the average organization’s network diagram is. While the guesses vary from 2 to 5 years, everyone recognizes that they are woefully out of date. And that’s a huge deal for attempting to understand and protect your network.

…by the way, in my experience, the average is 5 years old! As a result, many of the technologies deployed didn’t even exist when the last map was made. Making the map current never seems to get to the top of the priority stack, either.

The truth is that if you can’t see it, you can’t secure it. If you don’t know what your network really looks like, you can’t possibly be certain your security controls are properly deployed. Even if you have designed a security architecture aligned with the best practices of network security zones such as those outlined in the PCI DSS, if your architecture isn’t reflected in the operational network, it’s effectively moot.

Similarly, the network and security design teams create a network design that they intend to align with the architecture.

However, when it gets implemented, does it align? Does it stay aligned as equipment changes, requirements evolve, and needs expand? How would you know?

That, of course, is the 100 million-customer-data-record question.

What do you think is the best answer?

 

Leave a comment

Filed under Uncategorized

We’re Living in Mud Huts

By Ray Rothrock, CEO of RedSeal Networks

In the modern world, we depend on so many standards to protect us in our everyday lives – without even realizing it. For example, when we walk into a building we expect it will not fall down, even in an earthquake.  But before we walk in, we don’t demand to see the drawings, the engineering, or the credentials of the builder and inspectors.  We don’t even want to see the final certificate of occupancy: we just assume that the building has been constructed according to good, complete standards.

Regrettably, the networking world is not quite to this standard of design and implementation.  Yet, today we completely depend on the networks for business and assume that they are generally well architected, built well, and up to whatever standards of protection and compliance there are.  However, we continually read warnings about doing banking online on a public WiFi network, or change our passwords because people can steal them from company directories, and so on.  Yikes!hut1

You see, networks have been built by so many people over decades, largely without standards for design, inspection and operation, and have grown so large and complex, that basically it’s as if we were living in mud huts from 2000 BC.  Is that any way to conduct your critical business? In a mud hut, that is easily brought down, vulnerable to natural and man-made disasters, and not very comforting on the security front?

I wouldn’t live in a mud hut.  And I doubt you would either.  So, if your network is large, complex, and built by many people over a long period of time, there is a good chance that it may not be as secure as it should be for your business.  Ask your CISO what standards have been used in building your network.  PCI? FISMA? HIPAA? These are just a few, but they are a good start to addressing the needs of good and proper network architecture and design.  But these standards have to be repeatedly checked because the network in which they are implemented changes all the time.  In reality, there aren’t any great standards.  And until there are, and networks are rebuilt in accordance with them, every CEO needs to understand the risk of running his business out of a mud hut.

 

Leave a comment

Filed under Uncategorized

What Keeps CEOs Up at Night?

By Ray Rothrock, CEO of RedSeal Networks

Post 3 – What keeps CEOs up at night?

As a CEO, getting a good night’s sleep is harder and harder these days.  We used to worry about competition, labor problems, regulatory issues, financing issues, sales and, if our company was public, our stock price.  In the 21st century there is a new worry – cyber threat.  Cyber attacks are real and they can be devastating.  Cyber threats come in all shapes, sizes, types, and intentions.  And they are, for the most part, completely automated.

Every business depends ceo-nighton its networks, and we have every indication that dependency is increasing at a dramatic pace.  These networks and the technology that makes them run are constantly changing.  They evolve to suit the needs of business, and they are improved in performance and security by new products.  Unfortunately, they are often built without a big view architecture in mind: “just make it work” is often the order of the day.

As CEO, knowing that these networks run more and more of your business, you should be asking your team – is it better today than yesterday?  Is it more secure today than yesterday?  What happened on our network yesterday?

Getting this data in a standard, understandable form is no small task.  Further, because things change often, the CEO needs to know the answer to this question often.  The geeks still build and operate the networks though the business people use them – kind of like cars and roads.  You don’t need to know how they are built, but you do need to know they are safe and reliable.  As CEO, you must care whether your network is safe and reliable and that you have a team in place that can do make it so.

Leave a comment

Filed under Uncategorized