The President’s Executive Order: Mapping products to cybersecurity Risk Management

In the previous three blogs, President Trump’s Executive Order: What agencies need to do to respond, Quick-hit product categories that can boost executive agencies’ EO-mandated NIST risk scores, and Addressing the EO-stated greatest threat to agency cybersecurity posture, we laid out strategies for federal agencies to respond to the President’s Executive Order (EO). Finally, in this blog we list a variety of products and technologies that, if not already deployed, should be considered first when trying to move the needle on security posture.

First, the technologies are listed by the area of EO Section 1 b (i) that they fit in:

Section 1 b (i) defined cybersecurity Risk Management product mapping:
– Protecting IT from unauthorized access
  Information and Access Discovery
  MFA
  Privileged Access Encryption
  Privileged Access Monitoring and Management
  UBA (User)
– Maintaining awareness of threats
  Threat Intelligence Feeds
  Threat Intelligence Management System
  Vulnerability Scanning/Monitoring
  Vulnerability Mapping/Prioritization
– Detecting anomalies and incidents
  Deception Technology for EARLY WARNING (Man, this is an easy one!)
  EDR
  NextGen AV
  SIEM
  UBA (User, System and Network)
– Mitigating the impact of incidents through response and recovery
  EDR
  NAC

Next, we list them in alphabetical order with brief explanations of what they do. These are not ranked by importance or value. We recognize that many organizations will already have most of these deployed, but none that we have worked with has all of them deployed.

Deception Technology for EARLY WARNING (TrapX, Attivo Networks) – (This is an easy one!)
A platform that deploys “fake” systems on the network, fake credentials on the endpoints, and carefully crafted logs in the administrative systems. The most advanced deception platforms weave a complex storyline designed to look like breadcrumbs leading to sensitive information, to bait adversaries into revealing themselves. These platforms include alarms that send alerts directly to the SIEM or SOC as soon as the fake systems or credentials are used. The most eye-opening thing about most deception platforms is the low price point for the simplest early warning system innovation. The value vs. cost is fantastic.

EDR (FireEye HX, Carbon Black, Digital Guardian) – These solutions defend endpoints against advanced threats, detect active threats and compromise, and collect logs and data for forensic response when a threat or compromise is suspected. The more advanced EDR products can pull detailed forensic information and quarantine systems actively under attack or already compromised. This is a must-have for any enterprise.

Multi-Factor Authentication (Duo, Okta, Google Authenticator) – Two-Factor Authentication (2FA) uses at least two of the three types of authentication: “what you know”, “what you have” and “who you are”. Typically, this means a password plus a verified device or fingerprint. In the past, this was a costly and cumbersome security measure: hardware tokens with key generators had to be bought and distributed. However, with the advent of smartphones, MFA can be provided by a phone app that is verified as a secure second factor for a specific user. (NOTE: This is not SMS, which is no longer considered an acceptable MFA factor.)

NAC (ForeScout) – Manages asset access to the network by validating that a system is compliant with security policies. An example would be DoD “Comply-to-Connect”, where any system connecting to the network has to be thoroughly vetted and can be quarantined for further administration and clean-up. NAC can also be used to quarantine a system that has been identified for investigation of attack or compromise.

NextGen AV (Cylance, Cb Protect) – Legacy AV, using signatures, stops unsophisticated attacks; NextGen AV uses mathematical models and heuristics to defend against more sophisticated attacks. The most prevalent example is polymorphic malware, which changes its signature even after install. By running analytics on the files themselves, malware can be detected even if its current signature was created minutes ago.

Information and Access Discovery (Varonis) – These products scan enterprises for sensitive data (e.g., PII or classified data) and report back all the known locations and who has access to them in the IdAM system. They can also lay out the past history of access and monitor for access and anomalous behavior around sensitive data. In addition, these technologies help significantly in any IdAM, User-UBA or DLP deployment by cleaning up access and the classification of data. Many times, access creep has eroded security policy, or people who have access are not using it and should have it removed unless they request it in the future. Without these steps, IdAM, User-UBA and DLP can be permanently crippled or take significant time to tune and become effective.

Privileged Access Encryption (Vormetric) – A solution that specifically prevents privileged accounts from accessing data directly. This is mitigation against the most common form of unauthorized access by adversaries: once inside a network, attackers typically elevate privileges to administrator and try to access data directly. By encrypting data while still allowing administrators to administer systems, unauthorized users, even privileged users, cannot read important data.

Privileged Access Monitoring and Management (Varonis and CyberArk/Thycotic) – By controlling and monitoring privileged user access, a significant threat vector is closed. Even if a privileged user could not access data directly (see above), they could still create, or find and take over, a user account that does have access to the data and systems an adversary wants. Typically, privileged account management solutions require privileged access to be checked out in a highly controlled manner.

SIEM (Splunk, LogRhythm) – Security Information and Event Management consumes and correlates logs from the environment against pre-determined rules for security alerting.

Threat Intelligence Feeds – Both free and paid threat feeds supply adversary information to identify when an attack, attacker, or malicious file needs attention. Many organizations have paid subscriptions to threat feeds from the different products in their environment; some also pay for high-fidelity threat feeds to augment them.

Threat Intelligence Management System (Anomali) – Threat intelligence is the core of defending against attackers. Knowing what files, IP addresses and threat actor indicators to look for or block is key to the effectiveness of cyber security tools throughout a cyber infrastructure. By deploying a threat intelligence management platform, the highly valuable threat feeds, free and paid, can be deduplicated against each other, contextually aggregated for enrichment, and distributed to the cyber tools.
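To make the deduplicate/enrich/distribute pipeline concrete, here is an added example written for this page (it is not Anomali’s code or data model). Two constructed feeds arrive in different shapes and with defanged indicators; the code normalizes them so identical indicators collide, keeps the highest confidence and the union of tags and sources, and emits a per-type blocklist for downstream enforcement tools. All indicator values and confidence numbers are constructed samples.

```python
"""Threat-feed deduplication, enrichment and distribution.

Added example for the Threat Intelligence Management entry above; not
vendor code. Feed formats, indicators and confidence values are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed feed in a CSV-like shape, with defanged values (hxxp, [.]) the
# way feeds often ship them. The sha256 is the hash of the empty string, used
# here only as a placeholder value.
FEED_A = """\
# type,indicator,confidence,tag
ip,203.0.113.7,80,c2
domain,Bad-Example[.]test,60,phishing
url,hxxp://Bad-Example[.]test/login,70,phishing
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,90,dropper
"""

# Constructed feed already parsed into records (e.g. from a JSON API).
FEED_B = [
    {"type": "ip", "value": "203.0.113.7", "confidence": 95, "tag": "scanner"},
    {"type": "domain", "value": "bad-example.test", "confidence": 85, "tag": "c2"},
    {"type": "ip", "value": "198.51.100.22", "confidence": 40, "tag": "tor-exit"},
]


def refang(value):
    """Undo common defanging so the same indicator compares equal across feeds."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def normalize(itype, value):
    """Canonical form per indicator type: hashes and hostnames are
    case-insensitive; for URLs only scheme and host are lowered, not the path."""
    value = refang(value.strip())
    if itype in ("domain", "sha256", "md5"):
        return value.lower()
    if itype == "url":
        p = urlsplit(value)
        return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
    return value


def parse_feed_a(text, source="feed_a"):
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        itype, value, conf, tag = line.split(",")
        yield {"type": itype, "value": value, "confidence": int(conf),
               "tag": tag, "source": source}


def parse_feed_b(records, source="feed_b"):
    for r in records:
        yield dict(r, source=source)


def merge(*feeds):
    """Key on (type, normalized value). Keep the highest confidence, union the
    tags and remember every source that reported the indicator."""
    merged = {}
    for feed in feeds:
        for ind in feed:
            key = (ind["type"], normalize(ind["type"], ind["value"]))
            entry = merged.setdefault(key, {"confidence": 0, "tags": set(), "sources": set()})
            entry["confidence"] = max(entry["confidence"], ind["confidence"])
            entry["tags"].add(ind["tag"])
            entry["sources"].add(ind["source"])
    return merged


def blocklist(merged, min_confidence=75):
    """Distribution step: per indicator type, the values whose merged
    confidence is high enough to push to enforcement tools (firewall, proxy, EDR)."""
    out = {}
    for (itype, value), entry in merged.items():
        if entry["confidence"] >= min_confidence:
            out.setdefault(itype, []).append(value)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    merged = merge(parse_feed_a(FEED_A), parse_feed_b(FEED_B))
    for key, entry in merged.items():
        print(key, entry)
    print(blocklist(merged))
```

The threshold in `blocklist` is where the “distribute to the cyber tools” decision lives: low-confidence indicators such as a Tor exit node are worth alerting on in the SIEM but not worth blocking at the firewall, so a real platform would typically run this step once per consuming tool with a different threshold each time.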

UBA (User, System and Network)
– User (Exabeam): Analyzes logs of user activity from the standard IT infrastructure (such as IdAM/AD/LDAP), creates a baseline of activity and monitors for deviations from the baseline. This includes individual user behavioral changes and deviations of a user from the standard set by a cohesive peer group; such a deviation may indicate an account that has been compromised. The most mature User-UBA will create a timeline of activity from a range of logs, including normal IT and security tools throughout the enterprise.
– System (Exabeam): Analyzes system logs from the IT infrastructure, creates a baseline of activity and monitors for deviations from the baseline. System-UBA goes beyond signatures or correlations to known activities of attackers.
– Network: Analyzes network logs such as packets and NetFlow from IT infrastructure and security tools, creates a baseline of activity and monitors for deviations. Unlike IPS or NGFW, Network-UBA goes beyond signatures or correlations to known attacker activity in the network. The most advanced will pull in logs from many sources across multiple disciplines.

Vulnerability Scanning/Monitoring (Tenable, Tripwire) – Scans systems, with or without agents on the endpoints, to monitor for vulnerabilities and for changes to a system that may open it up to compromise.

Vulnerability Mapping/Prioritization (RedSeal) – Actively ingests network configuration data and vulnerability scanning logs to rank security threats by the attack paths that lead to vulnerable systems. The resulting risk scoring and details allow an enterprise to prioritize remediation by a risk score that is specific to its systems, rather than a generic one-size-fits-all score.
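The difference between a generic CVSS ranking and an attack-path ranking is easiest to see on a small graph. The following is an added example written for this page, not RedSeal’s model or code: connectivity derived from firewall rules is searched from the attacker’s starting point, a host is only treated as a pivot if its worst finding is severe enough to assume compromise, and each finding is then weighted by how reachable the host actually is. It also asks which single fix removes the most reachable risk. The topology, scan scores, pivot threshold and scoring formula are all constructed.

```python
"""Attack-path-aware vulnerability prioritization (sketch).

Added example for the Vulnerability Mapping/Prioritization entry above; not
vendor code. Topology, scan results, pivot rule and scoring are constructed.
"""
from collections import deque

# Constructed connectivity derived from firewall/ACL rules: src -> {dst}.
ALLOWED = {
    "internet": {"web-01", "vpn-01"},
    "web-01":   {"app-01"},
    "vpn-01":   {"jump-01"},
    "jump-01":  {"app-01", "db-01", "hr-01"},
    "app-01":   {"db-01"},
    "hr-01":    set(),
    "db-01":    set(),
    "lab-01":   {"db-01"},   # nothing can reach lab-01, so its findings are latent
}

# Constructed scanner output: host -> highest CVSS base score found on it.
SCAN = {
    "web-01": 7.5, "vpn-01": 5.3, "jump-01": 9.8, "app-01": 6.1,
    "db-01": 9.8, "hr-01": 4.3, "lab-01": 10.0,
}

# Constructed assumption: a host can be used as a pivot only if it has a
# high-severity finding (the attacker is assumed able to compromise it).
PIVOT_THRESHOLD = 7.0


def attack_paths(allowed, scan, start="internet", pivot_threshold=PIVOT_THRESHOLD):
    """BFS from the attacker's start. A host is 'reached' when an allowed edge
    leads to it from a compromised host; the search continues through a host
    only if its worst finding clears the pivot threshold. Returns
    host -> (hops, path) for every reachable host, shortest path first."""
    reached = {}
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        for nxt in allowed.get(node, ()):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            reached[nxt] = (len(new_path) - 1, new_path)
            if scan.get(nxt, 0.0) >= pivot_threshold:
                queue.append((nxt, new_path))
    return reached


def prioritize(allowed, scan):
    """Risk = CVSS weighted by exposure: 1/hops for reachable hosts, 0.1 for
    hosts no attack path reaches. Returns the findings sorted by risk."""
    paths = attack_paths(allowed, scan)
    ranked = []
    for host, cvss in scan.items():
        if host in paths:
            hops, path = paths[host]
            exposure = 1.0 / hops
        else:
            hops, path, exposure = None, [], 0.1
        ranked.append({"host": host, "cvss": cvss, "hops": hops,
                       "risk": round(cvss * exposure, 2), "path": path})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


def remediation_impact(allowed, scan):
    """For each host, how much total risk disappears if its finding is fixed
    (score set to 0, so it can no longer serve as a pivot either)."""
    total = sum(r["risk"] for r in prioritize(allowed, scan))
    impact = {}
    for host in scan:
        patched = dict(scan, **{host: 0.0})
        impact[host] = round(total - sum(r["risk"] for r in prioritize(allowed, patched)), 2)
    return impact


if __name__ == "__main__":
    for r in prioritize(ALLOWED, SCAN):
        print(f"{r['host']:8} cvss={r['cvss']:<4} hops={r['hops']} risk={r['risk']:<5} via {' > '.join(r['path'])}")
    print("risk removed per single fix:", remediation_impact(ALLOWED, SCAN))
```

On the constructed graph the three CVSS 9.8–10.0 findings (`jump-01`, `db-01`, `lab-01`) sit behind either an isolated segment or a VPN host with no exploitable finding, so they rank below the CVSS 7.5 on `web-01`, which is the only host an attacker can reach and pivot from. Fixing `web-01` removes the most reachable risk, because it also cuts the only path to `app-01`. That reordering is the point of the text’s “specific to their systems” scoring; a real platform would of course model rules, NAT and routing far more precisely than a single adjacency set.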

If any of these intrigue your organization and you would like to know more, please contact us at federal@guidepointsecurity.com.

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers, like Cyber Security, VDI, Big Data, and Backup & Recovery.

Reshape Cyberwar: Flip the Script to Put Attackers on the Defensive

If we’re going to succeed in defending against bad guys, we should admit we are in a cyberwar. We are at odds with people who want to steal, corrupt, and destroy. To succeed against these cyber enemies, let’s draw from the words of Sun Tzu, the ancient Chinese military strategist: “Hold out baits to entice the enemy.”

Many people believe government network defenders only need to make one mistake before they are “pwned” and the bad guys steal sensitive data. As a network defender in this cyberwar, you have to be right 100% of the time; attackers only need to be right once. A missed vulnerability, a misconfigured router, or an overlooked Indicator Of Compromise (IOC) gives attackers the opening they need to cause damage.

To arm yourself in this cyberwar, find a way to flip the script. Do you remember the movie, “Home Alone?” Its message is applicable here: Even if you’re at a disadvantage when you’re defending your “home,” if you prepare for the bad guys, you can flip things to your advantage.

This is the idea behind a new category of “deception” technology. To catch the bad guys, it can be anything from basic virtual fake systems that confuse bad actors to full networks with elaborate fake data, alarms, and traps.

More mature solutions go past simple virtual machines that look like juicy targets. To alert SOCs of potential breaches, they include deception inside Active Directory structures and at real endpoints and servers. By planting worthless administrative-looking credentials inside endpoints and Active Directory, a SIEM can easily alert SOC analysts to illicit behavior.

These solutions create a web of alarms and traps like the ones the “Home Alone” kid set up in his house. When the bad guys find and try to use the credentials, or scan or log into these fake systems, a spotlight is immediately illuminated on the activity. This shows the SOC that someone is attempting to do something bad; however, instead of a thief screaming about his head being on fire like in the movie, a simple SIEM rule about the use of a non-working credential or a deception-created system burns a hole in the bad guy.
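The “simple SIEM rule” above, together with the Deception Technology and SIEM entries in the product list earlier on this page, comes down to one property: planted credentials and decoy systems have no legitimate use, so any touch is a high-fidelity alert. The following is an added example written for this page, not a TrapX, Attivo or SIEM vendor rule: a decoy inventory, constructed key=value authentication and connection events, two detection rules, and a correlation step that rolls all hits from one source into a single incident with its artifacts and timeline. All names and addresses are constructed.

```python
"""SIEM-style detection rules for deception artifacts.

Added example for the deception/SIEM discussion on this page; not vendor
code. Decoy inventory, log format and sample events are constructed.
"""
from collections import defaultdict

# Constructed decoy inventory: planted credentials and fake systems that no
# legitimate process ever uses. In practice these names follow the
# environment's real naming scheme; these are placeholders.
DECOY_ACCOUNTS = {"svc_backup_admin", "da_legacy"}
DECOY_HOSTS = {"10.20.9.250": "fin-archive-02", "10.20.9.251": "hr-db-old"}

# Constructed key=value events: one legitimate admin, then a source that
# tries a planted credential twice, touches a decoy host and logs into it.
SAMPLE_LOG = """\
2024-03-06T02:10:31Z event=logon outcome=success user=jsmith src=10.20.5.40 dst=fin-srv-01
2024-03-06T02:14:07Z event=logon outcome=failure user=svc_backup_admin src=10.20.5.17 dst=fin-srv-01
2024-03-06T02:14:09Z event=logon outcome=failure user=svc_backup_admin src=10.20.5.17 dst=fin-srv-02
2024-03-06T02:15:40Z event=conn outcome=success user=- src=10.20.5.17 dst=10.20.9.250
2024-03-06T02:16:02Z event=logon outcome=success user=da_legacy src=10.20.5.17 dst=10.20.9.250
2024-03-06T03:01:12Z event=logon outcome=success user=jsmith src=10.20.5.40 dst=fin-srv-02
"""


def parse_line(line):
    """'ts k=v k=v ...' -> dict with the timestamp under 'ts'."""
    ts, *fields = line.split()
    ev = {"ts": ts}
    for f in fields:
        k, _, v = f.partition("=")
        ev[k] = v
    return ev


def match_rules(ev):
    """Return the (rule, severity) pairs that fire for one event."""
    hits = []
    if ev.get("user") in DECOY_ACCOUNTS:
        # Outcome is irrelevant: even a failed attempt proves someone holds a
        # credential that only ever existed as bait.
        hits.append(("decoy_credential_used", "critical"))
    if ev.get("dst") in DECOY_HOSTS:
        hits.append(("decoy_host_contacted", "high"))
    return hits


def build_incidents(log):
    """Correlate rule hits by source address so the SOC sees one incident per
    offending host, with the decoy artifacts it touched and a timeline."""
    incidents = defaultdict(lambda: {"rules": set(), "severity": "high",
                                     "artifacts": set(), "events": []})
    for line in log.splitlines():
        ev = parse_line(line)
        hits = match_rules(ev)
        if not hits:
            continue
        inc = incidents[ev["src"]]
        for rule, sev in hits:
            inc["rules"].add(rule)
            if sev == "critical":
                inc["severity"] = "critical"
        if ev.get("user") in DECOY_ACCOUNTS:
            inc["artifacts"].add("account:" + ev["user"])
        if ev.get("dst") in DECOY_HOSTS:
            inc["artifacts"].add("host:" + DECOY_HOSTS[ev["dst"]])
        inc["events"].append((ev["ts"], ev["event"], ev.get("outcome")))
    return dict(incidents)


if __name__ == "__main__":
    for src, inc in build_incidents(SAMPLE_LOG).items():
        print(src, inc["severity"], sorted(inc["rules"]), sorted(inc["artifacts"]))
        for ts, kind, outcome in inc["events"]:
            print("   ", ts, kind, outcome)
```

Two design points carry over to a real SIEM: the credential rule deliberately ignores `outcome`, because a failed logon with a decoy account is the whole signal, and correlation by source address turns four raw alerts into one incident whose first timestamp is the earliest evidence the SOC has of the intrusion. The legitimate `jsmith` activity produces nothing, which is why these rules have a far lower false-positive rate than behavioural ones.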

Instead of fumbling around a network, the bad guys now make one mistake and they are caught. This changes the game from the penetrator’s advantage to the defender’s advantage: attackers must tiptoe around and be careful about what they touch and where they go.

So let’s follow the best ideas from Sun Tzu to Churchill, Po-Ch’eng and even the Hittites and use deception to reshape the battlefield of cyberwar in our favor. Remember, as cliché as it may be, “The best defense is an offense.”


About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: http://www.guidepointsecurity.com.

Regular Maintenance on Your Splunk Implementation Ensures Value for Your Investment

A common motivational phrase, “If you’re not moving forward, you’re falling behind,” embraces the idea that simply trying to maintain the status quo isn’t just being stagnant; it means you’re being overrun by the world. This idea applies to many different things in life, such as professional sports, IT, and yard work. Okay. That last one is my own personal challenge to keep up with. In sports, if you’re not innovating new plays and adding new talent while your competition is doing both, catching up and staying on top is impossible. In IT, the pace of change often dictates just how far you fall behind by not moving forward. New technology isn’t just neat and cool; over time it becomes a necessity.

Cybersecurity is closer to the professional sports analogy than regular IT. But your competitors aren’t just trying to win the same trophy as you; they are bad actors trying to delete or steal confidential and proprietary information. For the Federal government, this reality has played out vividly and publicly. Embarrassing and costly breaches have been in the headlines seemingly non-stop. CIOs and CISOs have been working hard to improve and move forward, investing in new technology and cybersecurity talent that can make a difference.

Sometimes attention to areas that were invested in originally falls by the wayside as new shiny objects appear that address immediate threat vectors. It’s a tough challenge to keep up with all the new threats, vulnerabilities, and technologies to mitigate them. One area GuidePoint Security is focused on is making sure that past investments continue to show value through small investments that move them forward. A prime example is Splunk.

Splunk is a fantastic big data platform that offers nearly unlimited analytic possibilities and ways to ferret out bad guys in an environment before they can do harm. It’s also a highly customizable platform that offers the opportunity to orchestrate labor-intensive tasks that are repeated often. These tasks cost organizations hours of valuable analysts’ time that could be spent proactively hunting or evaluating new alerts and threats. GuidePoint has enjoyed great success deploying Splunk into environments for customers, showing significant value and ROI. However, we have even greater success showing customers that continued investments in Splunk produce even larger gains.

Fine-tuning Splunk on a routine schedule can mean the difference between powerful results and a slow depreciation in value. Here are just three possible initiatives to improve an existing Splunk implementation for your environment:

1. Integration of products purchased or implemented since the last services engagement.

One of the most common use cases for Splunk security implementations is funneling security alerts and information into the platform for analytics and dashboards. Over time, two things happen. First, new tools and solutions are added and are either not integrated, or not integrated fully, into Splunk. Second, tools that were originally fed into Splunk need updating, as their newer functionality and Splunk’s may not be fully realized. Splunk is a highly customizable, fully programmable platform. Splunk can not only ingest and compare threat feeds and data from security tools, but can also integrate to centralize the consoles and controls of many different products. An example that GuidePoint has already implemented for customers is allowing SOC operators to stay in the Splunk interface and make changes to Palo Alto products in response to Splunk analytics, without having to switch consoles. This type of integration can be done with many security products.

2. Orchestration of routine labor-intensive manual processes.

Many SOC teams have scripts to “automate” recurring labor-intensive tasks. I put the term automate in quotes because, in reality, it’s an orchestration that requires human interaction to initiate. It typically is not automated in the true sense of the word, because fully automated responses can be dangerous. Orchestration is a better description. These scripts are usually created out of necessity, under a time crunch, by a high-level security analyst. While this typically fills the immediate need of the SOC and the script is usually shared with the team, there are two problems with this scenario. First, the only person who knows how the script really works is the original programmer. Others have to rely on that person’s knowledge and availability to make improvements or fixes. If the individual ever leaves, knowing what that script does and how it can be adjusted could become a problem. Second, the decision on what to automate may be made without full knowledge of management, and the end result could positively or negatively impact the SOC or IT infrastructure.

Having an outside firm such as GuidePoint Security come in and sit down with the SOC team to discuss recurring, labor-intensive processes that could be orchestrated elevates the conversation to a more visible decision process. It also allows the programming in Splunk to be well documented in a deliverable that is more easily maintained inside Splunk’s own language. The script is no longer written in a personally preferred language that may not be known or maintainable by the rest of the team.

3. Improving dashboard functionality and efficiency.

It has already been mentioned that, over time, new products might need to be added to the Splunk dashboards since the original configuration and coding was done. However, there are more improvements and efficiencies that can be addressed on the dashboards for a SOC. Often GuidePoint Security finds that fine-tuning what is being displayed can only be done after some usage. SOC front-line folks will have a good idea of efficiencies and improvements that can help them get their jobs done faster. Non-traditional metrics may have become obvious that could be added to the dashboards to significantly improve the SOC team’s knowledge of their security posture.

Lastly, continued refinement of one-click reports for SOC and top line leadership, in particular, can significantly assist security teams in meeting their own and management’s needs, reducing time-to-discovery and security posture reporting to management in real-time.

GuidePoint Security performs professional services implementing these kinds of improvements for customers with Splunk every day. We can augment your environment for short engagements and significantly improve the value and efficiency of your security investments. So consider these and other initiatives and make sure your Splunk implementation doesn’t stagnate or move backwards because it’s not moving forward.

