Sustaining business operations during and after a successful hack

Part 2 in a Series on how businesses can leverage US Military “Intelligent Adversary” tactics to stay cyber-secure.

Last week we highlighted the point that doing the right things doesn’t necessarily result in doing things correctly.  This notion is particularly true when we talk about security assessments.

Most IT professionals will tell you that regular network vulnerability assessments are critical to good network hygiene.  They will also tell you that periodic penetration tests are a good idea.  In fact some industry regulators include regular penetration testing in their compliance standards.  But these techniques are only snapshots in time and do not measure or replicate the broader organizational impact of a breach.  The fact is that not even the most heavily resourced cyber defense capability will identify and defeat all adversaries at the network perimeter. So accepting the reality that at some point a hacker will be successful, organizations must prepare for sustaining critical business functions and operations while the Security and IT staffs are pushing the attacker off of the network.  So how can a company do this?  Let’s walk through a scenario which should answer the question.

Consider a notional airline company; we’ll call it “Notional Air” because we’re creative.  Like most airlines, Notional Air relies heavily on its network for virtually every aspect of daily operations; scheduling, schedule changes, maintenance, ticketing.  Now consider what would happen if the Notional Air network was hacked and airline personnel were incapable of performing the functions we just described.  The reality is that if the hack was significant enough, Notional Air would likely shut down its network in order to mitigate the hack.  Even a minor hack would cause major disruption across all airline functions.

Fast forward to the post-mortem during which Notional Air IT staff provides comprehensive documentation showing up-to-date patches, regular vulnerability assessments, and a penetration test during the previous calendar year.  The IT staff and Company leadership is left scratching their collective head, asking how the breach could have been successful in spite of the diligent efforts of the IT Staff.  Enter the concept of Red Teaming.

Before we talk about why Red Teaming would have helped, let’s talk about what Red Teaming is at a high-level.  The Red Team concept is based upon the idea of taking assessments from administrative to operational context.  To be more concise, Red Teaming operationalizes assessments.  It brings together vulnerability assessments, penetration testing, and training into an operationally focused approach to assessing an organization’s network security posture, and that same organization’s ability to function when its network is degraded. One more point, Red Teamers are not run-of-the-mill penetration testers.  Effective Red Teamers penetrate networks to demonstrate what hacker activity would look and how that activity would impact business operations.  Red Teamers don’t penetrate networks to simply identify vulnerabilities.

Now back to Notional Air and how Red Teaming could have helped.  In our scenario, Notional Air would have hired a Team of highly skilled cyber security experts, trained in offensive and defensive cyber warfighting.  This Red Team would have breached the network much like penetration testers, but that’s where the similarities end.  The Red Team would have established a foothold on the network, moved laterally to critical nodes where they would have commenced creating effects.  Effects would have included exfiltrating data and rendering critical systems partially or completely inoperative.  This approach would have demonstrated what hacker activity looks like in real time to Notional Air personnel.  This approach would have also provided Notional Air operations personnel with the opportunity to learn how to operate on a degraded network, while IT Staff mitigated the hack. Most importantly, Notional Air would have been able to continue some level of operations.

The real value of Red Teaming is providing companies with an understanding of what it would take to operate on a network that has been hacked, before the company is hacked by a real adversary with malicious intent. Given the choice between no business operations and degraded business operations, I’m betting most companies would choose the latter…Notional Air did!

Part 3 of will cover “Understanding Red Teaming,” a Threat-Based approach to network assessments.  This edition will be a tactical discussion of who red teamers are, what they do, and why they shouldn’t be considered high risk.  Stay tuned!

Click to read from the beginning: Part 1


Mike Walls is Managing Director, Security and Operations and Analysis at EdgeWave. While on Active Duty in the U.S. Navy, Mike served as Commander Task Force 1030 reporting directly to the Navy’s Fleet Cyber Command, and was responsible for Cyber readiness of over 400,000 people, 300 ships, and 4,000 aircraft.  Comments and questions for Mike Walls are welcome: blog@edgewave.com

Cyber Readiness – A Holistic Approach to Network Security

Just because you’re doing the right things, doesn’t mean you’re doing things right

 

Part 1 of a 3 Part Series on how businesses can leverage proven US Military “Intelligent Adversary” tactics to stay cyber-secure.

If I were to ask an IT Professional to explain why his or her network is secure, I would probably hear a response that goes something like, “I have the latest and best technology, I do regular vulnerability scans, I do an annual penetration test, and I am in compliance with my industry’s security requirements and standards.”  At face value, that sounds like a solid answer and it appears that the IT Professional is taking the necessary steps to ensure that his company’s network is secure.  In reality, it is more likely that this answer is only partially correct.

In spite of the efforts that IT Professionals across all industry verticals take to secure their networks, the widely accepted approach of deploying the latest technology, conducting vulnerability assessments, and following compliance checklists is not adequate.  While each of the aforementioned components is important, they are generally applied independently and without operational context which means they are viewed as administrative functions.   The notion that network security is an administrative issue is problematic because virtually every company relies on its network to conduct business operations.    So businesses must ensure that their networks are ready for the inevitable attack.  We call that “cyber readiness” in the Military.  When I was responsible for Navy Cyber Operational Readiness I learned quickly that my business, the US Navy, could not fight if it didn’t control its networks.  The constantly growing list of companies that have been breached over the past few years is an indicator that many businesses are not cyber ready.

So how does an organization achieve truly effective cyber readiness?  Most importantly, businesses need to view network security holistically.  It isn’t enough to “check the boxes” by buying the latest and greatest technology, conducting vulnerability assessments, and completing compliance checks.  A different paradigm, which has proven successful in the Military, built upon three interdependent focus areas is what is truly needed.  The three focus areas Network Infrastructure, Compliance, and Operational Behavior, form the Cyber Readiness Triangle, depicted below.

triangle

 

Let’s briefly discuss each of the three focus areas to more fully understand how they contribute to more comprehensive cyber readiness:

1.  Network Infrastructure.  Perhaps the most significant problem that I have observed in industry since leaving the Navy is that businesses tend to look for the next best technology that will provide an acceptable level of security without increasing IT management cost.  This approach falls short because we continue to see businesses being breached.  It only takes one next generation firewall to be misconfigured for an attacker to find a way to breach a network.  So we see how even the most sophisticated technology will not be effective if that technology is not employed properly.

2.  Compliance.  Up front, compliance is often viewed negatively because there is a tendency for people to focus solely on what’s needed to meet the compliance requirement. Think about certification “boot camps” that are focused on preparing students to pass the certification exam rather than ensuring students finish the course with a firm understanding of the material.  But in this case, let’s assume that most IT Professionals perform due diligence when they execute the various compliance checklists associated with their particular industry.  Let’s also assume that compliance standards are valuable and that they provide comprehensive frameworks   for businesses to use when developing and maintaining cyber readiness.  Even with these assumptions, compliance standards don’t tell businesses anything about new hacker techniques, or what tactics and technology businesses can use to protect their data in response to the constantly changing threat.  Finally, many standardized compliance programs are overly generic and do not take business operations into account.

3.  Operational Behavior.  What are employees doing on the company network, and how is that activity affecting company cyber readiness?   A business can deploy the most advanced technology, pass every compliance audit with flying colors…and get breached because a an employee clicks on a malicious link in a phishing email.  Conversely, even if every employee of a business follows established information assurance policy to the letter, the network may still be vulnerable due to outdated patches or misconfigured routers.

No business is immune to cyber-attack and in fact, businesses should expect that it’s just a matter of time before an attacker succeeds.  But because attacks are inevitable doesn’t relieve a business from its obligation to do everything possible to prepare.  But preparation isn’t a series of checks in blocks.   Preparation means businesses understand that Network Infrastructure, Compliance, and Operational Behavior work together to form the Cyber Readiness Triangle and that if one leg fails, the triangle collapses.

Part 2 of this series will cover “Red Teaming”, a Threat-Based approach to network assessments.  This edition will discuss why and how Red Teaming is different and more effective than current assessment processes.  Stay tuned!


Mike Walls is Managing Director, Security and Operations and Analysis at EdgeWave. While on Active Duty in the U.S. Navy, Mike served as Commander Task Force 1030 reporting directly to the Navy’s Fleet Cyber Command, and was responsible for Cyber readiness of over 400,000 people, 300 ships, and 4,000 aircraft.  Comments and questions for Mike Walls are welcome: blog@edgewave.com

EdgeWave Receives MetroConnect Prize to Assist with International Growth

metro_connectbanner

Today EdgeWave was awarded $10,000 as part of the MetroConnect Prize, an export assistance grant to help firms pursue foreign markets.    MetroConnect is an initiative of the San Diego Economic Development Corporation, with the goal of helping San Diego maximize its economic competitiveness and prosperity through increased global engagement.    EdgeWave was one of 15 companies that won the award, out of 64 total entrants.

The award was announced today at a press conference hosted by San Diego Mayor Kevin Faulconer at the San Diego International Airport.  Thalia Gietzen, CFO,  and Mike Walls, Managing Director of Security Operations & Analysis, were on hand to accept the award, and Mike had the opportunity to stand behind the mic and say a few words as EdgeWave was one of only two companies that were featured with a speaking opportunity.

In addition to the award, which will be used to expand EdgeWave distribution to markets in Asia and Europe with the help of our partner Huawei, this is a tremendous publicity opportunity for EdgeWave, with several media outlets and four different TV News camera crews in attendance.

Read full press release HERE

EdgeWave wins big at 2015 IT World Awards

Last night EdgeWave took home four awards from the Network Products Guide 2015 IT World Awards, held in San Francisco, California.

EdgeWave ePrism® Email Security™ took Gold in the Email Security category and a Bronze in the Cloud Security category. ePrism Email Security combines Military-Grade cyber security with a SaaS cloud platform to protect organizations against the most advanced email-borne threats while also providing comprehensive security policy compliance. EdgeWave iPrism® Web Gateway™ took Gold in the Web Security category by combining Military-Grade cyber security with a cloud-enabled platform to deliver “anytime, anywhere, any device” internet protection and policy enforcement. EdgeWave also took Bronze for their security and deployment of the 2014 US Tennis Open.

EdgeWave ePrism Email Security, and iPrism Web Gateway, provide Military-Grade protection through processes that have been battle-proven to defend complex networks against sophisticated cyber attacks. Called EdgeWave EPIC™ (Enhanced Precision Integrated Cyber Capabilities™), this unique cyber defense capability combines experienced U.S. Military cyber security veterans with advanced technology to precisely identify attacks, help eliminate threats and help stop data breaches.  EdgeWave EPIC is deployed through award-winning ePrism Email Security, iPrism Web Gateway, EPIC Next Generation Firewall and new EPIC Security Assurance Service to provide adaptive, layered defense against advanced cyber threats.

“Stopping data breaches is of paramount importance and traditional approaches aren’t working.  EdgeWave ePrism Email Security, and iPrism Web Gateway, provide Military-Grade cyber defense against advanced threats in a platform that is almost effortless to implement and use,” said Mike Walls, Managing Director, Security Operations & Analysis, EdgeWave. “This recognition validates our dedication, and we thank Network Products Guide for acknowledging our hard work.”  Prior to joining EdgeWave, Mr.  Walls (CAPT, US Navy ret.) was responsible for U.S. Navy cyber readiness, ensuring the security of over 300 ships, 4,000 aircraft and 400,000 servicemen – the world’s largest intranet.

Click HERE for a full list of winners

Navy Red-Team Testing Moves to Business

Mike Walls, EdgeWave Managing Director and former head of US Navy Cyber Readiness, spoke with iSMG’s Eric Chabrow at the Gartner Security & Risk Management Summit. Walls shares valuable insights on how businesses can implement Red-Team tactics to protect organizations from data breaches.

navy-red-team-testing-moves-to-business-showcase_image-4-i-2750

 

 

Chabrow’s article can be found HERE

As a U.S. Navy aviator, Mike Walls dropped bombs for a living for 26 years and then took that experience to the Fleet Cyber Command to lead so-called “red teams” to not only test the information systems on warships, but the impact degraded systems had on warfighting capabilities.

Now, as managing director of security operations and analysis at the IT security company EdgeWave, the retired Navy captain is evangelizing those Navy red-team testing capabilities to the private sector

“Penetration testers are trying to stay up with adversary tactics, the latest hack,” Walls says in an interview with Information Security Media Group. “The difference is the operational contest. The red teamer is not just trying to get into the network to prove he can. He’s going two or three steps beyond to create effects with a very definitive purpose. A pen test is very encapsulated. A red team has a very broad operational view of what [it's] doing and what the impact is going to be.”

In the interview, conducted at the Gartner Security and Risk Management Summit outside Washington, Walls:

  • Describes how red-team testing in the Navy prepares a warship commander to continue to engage in a battle with degraded IT systems;
  • Provides an example how a business could benefit from red-team testing;
  • Explains why warfighting experience in the Navy or business know-how in the private sector are key attributes for red-team members and their tleaders.

An Annapolis graduate, Walls joined EdgeWave shortly after retiring from the Navy last July. In the Navy, Walls directed forces conducting cyber operations across the global Navy cyber domain, including all Navy unclassified networks and websites. He also oversaw development and implementation of the Navy’s first website vulnerability assessment capability and directed a cadre of sophisticated cybersecurity trainers and assessors conducting cooperative (blue team) and non-cooperative (red team) cyber-readiness assessments. He also provided penetration testing support to the Navy’s operational test and evaluation force.