"Everybody agrees that this is the right thing," said Mike Lloyd, chief technology officer of RedSeal Networks, which sponsored the survey in which some 64 percent of respondents said that continuous monitoring and the security metrics it provides will improve IT security status. "This clearly is a technical problem."
Dark Reading - Tech Center - Vulnerability Management –
"Concepts like attack surface and overall risk can be very difficult for security to explain to top management, much less measure," said Dr. Mike Lloyd, CTO at RedSeal. "We're giving them some tools to help do that."
"Everybody agrees that this is the right thing," said Dr. Mike Lloyd, chief technology officer at RedSeal Networks, with 64 percent of respondents saying that continuous monitoring and the security metrics it provides will improve IT security status. "This clearly is a technical problem."
Dark Reading – Tech Center – Security monitoring –
"Security is the absence of something, and that is hard to measure," said Dr. Mike Lloyd, chief technology officer at RedSeal Networks. "So what you have to measure is posture -- how far you are ahead of the next threat." Instead, companies should measure metrics that improve security, such as the number of vulnerabilities remediated. "The trick then is to make it quantifiable and repeatable," he says.
"Anyone who faces risk due to assets in someone else's control needs to establish a yardstick that the outside entity can use to show they have taken due care," said Dr. Mike Lloyd, chief technology officer at RedSeal Networks. The yardstick needs to be quantifiable objectively, must maintain some privacy for the organization being studied, and "must actually measure security posture, not just busy-ness," Lloyd concluded.
Security experts were more concerned about the fact that Symantec lost its data through no fault of its own, since the code was on a third-party server. "It is not enough to ensure you follow best practices; in an interconnected world, you have to worry about the security of other organizations," Dr. Mike Lloyd, CTO of RedSeal Networks, told eWEEK.
"It is not enough to ensure you follow best practices; in an interconnected world, you have to worry about the security of other organizations," said Dr. Mike Lloyd, chief technology officer at RedSeal Networks. "Your business partners and strategic customers may be friendly, but they are not going to expose specifics to you about how well they protect themselves."
However, Mike Lloyd, chief technology officer at RedSeal Networks, points out the breach does raise questions about addressing security of your own corporate data in the networks of business partners and others. "The fact that Symantec suffered a breach due to lax protections in someone else's network is a significant wake-up call," he said.
SearchSecurity – Information Security Threats – Emerging Threats –
It's difficult for organizations to "understand the risk of a network you cannot see," said Mike Lloyd, CTO of Santa Clara, Calif.-based vendor RedSeal Networks. "As we steadily lose control of our own critical assets, and as attackers increasingly automate their attacks, we will need more baselines like this so that one organization can show another that it is well run."
Government Computer News – Most Popular Articles –
"Other companies to watch in this sector include website vulnerability company WhiteHat Security Inc. and RedSeal Networks Inc. which combines vulnerability data with network access data to provide a picture of the overall health of a network, rather than pinpointing particular holes."
Federal News Radio – CyberSecurity Stories – CyberSecurity News –
"People are aware of the objectives, but when you map it down to practical technical concerns, people don't even agree on which technologies they will do the continuous monitoring in," said Mike Lloyd, CTO of RedSeal Networks. "There doesn't seem to be agreement that what we need to do is get, what those with a military background would call, situational awareness. We understand we need the situational awareness, but it is not a well settled question how to do that. These environments are extremely complex."
"The databases that exist today have ultimately been designed to allow the easiest access from a multitude of devices and places. In many people's minds, they think you need to access a server with an application running on that, and that there is a measure of safety for the data sitting underneath the application because the application is secure," says Dr. Mike Lloyd, CTO of RedSeal Systems. "But your database is sitting out there, and, in many cases, when it came out of the box, it came configured to be connected to the Internet."
Modern IT infrastructure can be very "porous" and it's difficult for security teams to "understand it all," Mike Lloyd, CTO of RedSeal Networks, told eWEEK. The Journal report highlighted "significant out-bound holes" as it appears the infiltrators were able to "exfiltrate" the data they found, Lloyd said. Most organizations build some defenses against in-bound attacks, but very few effectively know how to control out-bound traffic, he said.
"When it came to protecting clients in a number of instances, the advice from vendors was to unplug the SCADA solution from anything connected to the Internet or any public network," said Parveen Jain, President and CEO of RedSeal Networks. Still, "it's a big problem where you have old systems, sometimes unresponsive vendors, limited resources and yet [a technology that's] a tremendous source of risk to almost everyone."
Dark Reading - Tech Center - Security Monitoring –
"Interestingly, the senior people that we surveyed -- the people who have the broadest view of the problem -- were the most pessimistic," says Mike Lloyd, CTO at RedSeal, which makes security monitoring solutions. "The people who can see the whole picture are realizing how difficult continuous monitoring is and how much more is still to be done."
"If you look at (vendors like) McAfee or Symantec, they provide medicines or prescriptions, while we are a full health check," Jain said. "We conduct a CAT scan or a blood test and tell customers the best way to deploy technology or medications for the problems they have. We give them this intelligence before the bad guys can get it."
Wall Street Journal - VentureWire - Daily Start-Up –
RedSeal Networks has raised $10 million in additional funding from insiders to help companies and government agencies protect their networks against hackers, VentureWire has learned.
"RedSeal is one of the most strategic and influential providers on the global security market based on its ability to solve the most acute challenges faced by every large enterprise security organization today, complexity and change," Ray Rothrock, chairman and Partner of Venrock, said. "The constant evolution of security infrastructure makes it nearly impossible for even the best professionals in any organization to maintain the visibility necessary to ensure compliance and critical asset protection, or measure their progress over time."
"It's a count of activity, of all the processes that your people run that they record. How many times did you change the firewall? How many patches did you deploy? How many times did you update your antivirus signatures?" says Mike Lloyd, CTO for RedSeal. "The problem with this approach is that you're measuring your busy-ness, not your business."
"The move to monthly reporting was [former federal CIO] Vivek Kundra's effort to make it impossible to do security reporting as a bureaucratic exercise," says Mike Lloyd, chief scientist at RedSeal Systems, which makes security monitoring tools. "If you're doing it monthly, you can't do it with people pushing paper. He was trying to make reporting difficult enough to force agencies to move to automation."
Can anyone be blamed for feeling like this? It seems like there is a new breach or incident reported in the news each week. Yet, most of the automated attacks are preventable. Technologies and policies that assess code development, user and process enforcement, and traffic analysis are all helpful when addressing these types of threats.
"On the one hand, it shows that, as an industry, we are growing up -- we're willing to admit we don't have all the answers," said RedSeal CTO Dr. Mike Lloyd. "On the other hand, it also shows that it's time for many organizations to wake up and smell the coffee -- they don't have some of the information they need to build a comprehensive defense."
"Security professionals all agree we are losing this war," said Mike Lloyd, chief technology officer at RedSeal. "This is not only a startling conclusion, but it's also interesting that security organizations are actually admitting this."
"Consistent application of network security controls across even medium sized networks has transcended human ability," RedSeal CTO Dr. Mike Lloyd said. "For many years there's been the notion of an arms race between IT security professionals and attackers; what this survey proves is that the good guys understand they're facing a truly daunting task to keep up."
"If you cannot keep the 'crown jewel' servers up to the minute with the latest patches, then you have to put these most critical assets inside a 'zone' to defend them," said Dr. Mike Lloyd, CTO of RedSeal Systems. "This can be called the 'Boy in the Bubble' security model -- you have to secure these most sensitive machines, using an internal perimeter because patching frequently isn't an option."
"Of course the response to that is to unify your controls. Look at the set of audits you have in place, about what they have in common, pass that once, and use the same report over and over," says Dr. Mike Lloyd, CTO of RedSeal Systems. "This doesn't come cheap, it takes effort to do this but it can be done."
"Blaming Google for this is really getting it all backwards," said Dr. Mike Lloyd, chief technology officer at RedSeal Systems. "Google just makes it clear that there is a problem. If you left the door unlocked on a store room for years and then Google Maps came along and put a photograph showing there was no lock on the door, the fact that the photograph went up isn't the problem. The problem was that the door was unlocked for years."
"With the addition of indexing data that is accessible via FTP, hackers can now identify wide-open FTP sites that may contain sensitive data or can be used to leapfrog to other machines on the company's internal network," says Tom Rabaut, RedSeal analyst. "Also, Google offers the ability to restrict searches to a single domain which will make it easier for hackers to limit their data mining to only target companies."
"Security professionals in organizations of all sizes are tasked to defend against escalating threats despite shrinking budgets. Addressing the complexity of today's networks and attacks requires the intelligence and operational insights that RedSeal uniquely delivers, along with the opportunity to optimize security spending," said Ray Rothrock, Chairman of RedSeal's Board of Directors. "Parveen will drive RedSeal to even greater success by providing organizations with the products they need to improve their network defenses and prevent the data breaches that dominate today's headlines."
"It's been about: I need to connect to this business partner, then that business partner, then that business partner, and then all the sudden, your great castle of defenses has a whole wall missing, because you have this wide path out to all these extranet partners," said Dr. Mike Lloyd, Chief Scientist at RedSeal Systems.
"The government agencies haven't gotten to that point of awareness yet," said Major General John Casciano. "We keep saying the same old things, senior officials are giving the same old briefings and we are not further along solving the problem."
“The ‘emphasis on cyber-security by the Administration and Congress is commendable,’ but progress has been practically non-existent, as the country hasn’t really moved forward towards enacting a comprehensive cyber-security law, said Major General John Casciano, an adviser on government security issues to security software producer RedSeal Systems. ‘We are not further along solving the problem than we were 20 or 25 years ago,’ Casciano said.”
"With a federal agency deadline for Federal Information Security Management Act (FISMA) compliance reporting through the new automated CyberScope tool already five months past, many security experts believe the government still has a long way to go in its quest to establish standards and implement continuous monitoring across the board."
"When attackers are using automated scripts, to a large extent, they don't care who you are. They care about what you have, and they are coming for you."
"If you look at the [Verizon report], you see that most attacks were not targeted at a specific company, but were designed to find the enterprises that were most vulnerable. Ninety-seven percent of the breaches could have been avoided by using simple controls."
“If security is about prevention of leaks and attacks, then, what metrics should security departments show their bosses to prove that they are doing their jobs well?”
“The government is facing more sophisticated, targeted attacks launched for the purpose of cyberespionage. We should be worried about the attacks we are not detecting.”
“Security is hard and getting it right all the time is nearly impossible. But many of the mistakes that people make are simple, avoidable ones that can lead to serious intrusions and major network compromises.”
"Finding every potential configuration problem and vulnerability on our network is simply too big a job for human efforts alone. RedSeal took that whole process out of the equation and automated everything."
"The technology keeps IT administrators apprised of up-to-date security status information they can use to make cost-effective, risk-based decisions about IT systems, according to In-Q-Tel."
"Even the best firewalls might fail an audit -- or get hacked -- if your enterprise doesn't follow proper change and configuration management practices."
"In the dynamic and ever-changing networks in which agencies operate, continuous monitoring simply can't be performed manually; it must be supported by software that provides powerful new weapons for defending against and thwarting attacks."
"It's that time of the year for audits under the Federal Information Security Management Act (FISMA). But will your audit make your agency appear bloated with risks?"
"It's a question that business executives love to ask -- and IT people hate to answer. 'What's our security status?' If you've been around IT security for more than a week, then you know there's no definitive, empirical way to answer that question. Recently, however, some large enterprises have been getting a little closer to providing some metrics for security posture, using an emerging class of products that is coming into its own."
"Overall, we were most impressed with RedSeal and Skybox, which cover all the basics, plus have the added benefits of being able to support multiple vendor vulnerability scanning products, which can calculate the network's risk scores and run vulnerability analyses on your whole network."
The Armed Forces Journal: The silent infiltrator, by Mike Lloyd –
"The only hope for clearing the fog of cyberwarfare is to bring to bear automated systems that continuously monitor security posture and provide risk-based situational awareness to decision makers."
"The problem for any organization is, 'How do I make sure all the doors and windows are closed, and how do I keep them closed, without stalling my business model?'"
"The way to provide security is to put the whole system in a ‘bubble’ that restricts access, and then be very careful about who is allowed into the ‘bubble’."
"People no longer access networks through one or two points. Now we have multiple DMZs (demilitarized zones), remote users, partners, access from around the world, etc. Everything is interconnected."
A wave of mergers makes protecting data all the more difficult. IT personnel are under incredible pressure to "parachute in" and act fast. They must assess the risk, do it quickly, often examining an unfamiliar structure.
The Payment Card Industry (PCI) regulation changes that take effect October 1 will mean some additional work by IT departments — and some new spending.