The Maturity of Vulnerability Management Matters

If you work in cybersecurity at a typical mid-market company, you probably cringe when you hear the term “vulnerability management.” Let me see if I can guess how the workflow goes for you:

  1. Someone uses a scanning tool to scan as many assets across your network as you know about.
  2. The output gets exported to a spreadsheet.
  3. The spreadsheet is sorted by “criticality.”
  4. Various department or organization heads receive line-items they are responsible for patching with little context on why.
  5. You wait a week or so, then repeat the process.

How close did I get?

The various pieces of your cybersecurity strategy are programs in themselves, which means we can measure them for maturity. The problem is that mid-market companies seldom have the time or resources, not to mention the capital, to execute a full-scale program. That approach ultimately leads to a “just-do-something” execution of cybersecurity, and things get complicated.

Some hallmarks help me determine what level of maturity an organization has attained. Here are just a few:

  1. Strategy: How an organization thinks about vulnerability management and whether it’s truly managing vulnerabilities or simply trying to play whack-a-mole is telling. Managing vulnerabilities means a lifecycle approach and understanding that once they’re discovered, vulnerabilities can have one of three fates:
    1. Remediate – simply put, apply the fix or patch.
    2. Defer – push the fix to a later point in time, for example because the system will be retired shortly.
    3. Accept – accept that the vulnerability will not be fixed, and that an alternative accommodation needs to be made.
  2. Execution Discipline: Understanding the discipline with which an organization executes the tasks of a vulnerability-management program says a lot. Are there change controls? Is the process well-documented and universally accepted across the organization? Does the program include all of the organization’s assets? These and more are important questions to consider. As an organization matures, execution will be more repeatable and predictable.
  3. Follow-through: Few things are more important than following through. It makes no sense to scan and notify, then do nothing but wait for someone else to act. As an organization matures it will learn not only to notify but to report, and to follow through on driving positive change.
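The lifecycle the three hallmarks describe (a recorded fate for every finding, discipline about what each fate requires, and follow-through against the next scan) is easy to show as a small tracker. The following is an added example, not code from the original post; the scan rows, asset names, vulnerability ids, owners and dates are constructed sample data, and the rule that a deferral needs a review date and an acceptance needs a compensating control is this example's own policy choice.

```python
"""Vulnerability lifecycle tracker (added example; not code from the original post).

Models the three fates the post gives a discovered vulnerability, Remediate / Defer /
Accept, checks that each decision carries what it needs, and performs the
follow-through step: reconciling last cycle's decisions against the next scan export.
All scan rows, asset names and vulnerability ids below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (asset, vuln_id) identifies one finding
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    severity: str

    @property
    def key(self) -> Key:
        return (self.asset, self.vuln_id)


@dataclass
class Decision:
    action: str                       # "remediate", "defer" or "accept"
    owner: str                        # who is accountable for this decision
    review_by: Optional[date] = None  # a deferral must carry a review date (example policy)
    compensating_control: str = ""    # an acceptance must name what offsets the risk (example policy)


def validate_decision(key: Key, d: Decision) -> List[str]:
    """Return the reasons a decision is not acceptable (empty list means it is)."""
    problems = []
    if d.action not in ("remediate", "defer", "accept"):
        problems.append(f"{key}: unknown action {d.action!r}")
    if not d.owner:
        problems.append(f"{key}: no owner")
    if d.action == "defer" and d.review_by is None:
        problems.append(f"{key}: deferral without a review date")
    if d.action == "accept" and not d.compensating_control:
        problems.append(f"{key}: acceptance without a compensating control")
    return problems


def reconcile(previous: List[Finding], current: List[Finding],
              decisions: Dict[Key, Decision], today: date) -> Dict[str, List[Key]]:
    """Follow-through: compare the new scan with the old one and with the decisions made.

    Findings are processed in severity order, so each list comes out already prioritised.
    """
    prev_keys = {f.key for f in previous}
    cur_keys = {f.key for f in current}
    report: Dict[str, List[Key]] = {
        "closed": sorted(prev_keys - cur_keys),  # gone from the scan: verified fixed
        "undecided": [],                         # present, but nobody has chosen a fate
        "remediate_still_open": [],              # chosen to fix, not fixed yet
        "overdue_deferrals": [],                 # deferred past the review date
        "accepted_open": [],                     # accepted risk, expected to persist
    }
    for f in sorted(current, key=lambda f: (SEVERITY_ORDER.get(f.severity, 9), f.key)):
        d = decisions.get(f.key)
        if d is None:
            report["undecided"].append(f.key)
        elif d.action == "remediate":
            report["remediate_still_open"].append(f.key)
        elif d.action == "defer" and d.review_by is not None and d.review_by < today:
            report["overdue_deferrals"].append(f.key)
        elif d.action == "accept":
            report["accepted_open"].append(f.key)
    return report


def decision_coverage(current: List[Finding], decisions: Dict[Key, Decision]) -> float:
    """Fraction of open findings that have a recorded fate: one simple maturity signal."""
    if not current:
        return 1.0
    return sum(1 for f in current if f.key in decisions) / len(current)


# Constructed sample data: two consecutive scan exports and the decisions taken after the first.
PREVIOUS_SCAN = [
    Finding("web-01", "VULN-001", "critical"),
    Finding("web-01", "VULN-002", "high"),
    Finding("db-01", "VULN-003", "medium"),
    Finding("hr-app", "VULN-004", "low"),
]
CURRENT_SCAN = [
    Finding("web-01", "VULN-002", "high"),    # remediation promised, still open
    Finding("db-01", "VULN-003", "medium"),   # deferred, review date has passed
    Finding("hr-app", "VULN-004", "low"),     # accepted with a compensating control
    Finding("file-01", "VULN-005", "high"),   # new this cycle, no decision yet
]
DECISIONS: Dict[Key, Decision] = {
    ("web-01", "VULN-001"): Decision("remediate", "web team"),
    ("web-01", "VULN-002"): Decision("remediate", "web team"),
    ("db-01", "VULN-003"): Decision("defer", "dba team", review_by=date(2021, 2, 15)),
    ("hr-app", "VULN-004"): Decision("accept", "hr it",
                                     compensating_control="host isolated on its own VLAN; retirement scheduled"),
}
DEMO_TODAY = date(2021, 3, 1)

if __name__ == "__main__":
    for key, d in DECISIONS.items():
        for problem in validate_decision(key, d):
            print("invalid decision:", problem)
    for bucket, keys in reconcile(PREVIOUS_SCAN, CURRENT_SCAN, DECISIONS, DEMO_TODAY).items():
        print(f"{bucket}: {keys}")
    print(f"decision coverage: {decision_coverage(CURRENT_SCAN, DECISIONS):.0%}")
```

The reconcile report is the difference between whack-a-mole and management: a finding that disappears is closed with evidence, an overdue deferral resurfaces instead of silently ageing, and the undecided list is exactly what still needs an owner before the next cycle.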

All this said, the important thing is to figure out how your organization ranks, and what your real level of maturity is. There is no universal answer to what maturity level your particular organization should be at. But knowing is a critical first step.

The Red Herrings of Cybersecurity Blog Series 3 of 4

Welcome to 2021.

I felt like I needed to write that we survived 2020 and are now well on our way to whatever things this year holds. In this series, I’m addressing the things that your vendors do or say that are “red herrings” – that is, they sound good but aren’t quite right.

In this installment, I’m going to address complexity. Having been involved in selling cybersecurity solutions since roughly 2007, I believe I know a few things about this.

I believe with all my heart the following statement to be true.

“The value of any security solution is inversely proportional to its complexity.”

Give that a think for a second.

The more pieces of a solution your vendor has to virtually duct-tape together for you, the less real security value the solution holds overall. I do not doubt in my mind this is true. The reason for that – I’ve seen it with my very own eyes. I’ve witnessed 100+ page solution specifications that were so complex I don’t think anyone truly understood what was happening. Forget about actually explaining it.

I think customers sometimes believe that because a solution they’re being presented is exceptionally complex that it is better. That has something to do with the level of knowledge of the buyer. I’ve seen opportunistic sales teams take advantage of this, and it’s unfortunate.

The truth of the matter is simplicity always wins. It is difficult to debate that rationally. The more steps there are in a process, the higher the chance that there will be a failure somewhere along that chain of events. As a buyer, you should be looking for simplicity in the overall solution. Additionally, look for simplicity in the various technology components, processes, and outcomes.

Rejecting complexity and insisting on simplicity is critical in security. It is particularly critical when you’re dealing with managed services. Here are 3 of the most important pieces, when it comes to keeping it simple:

  1. Engagement process – the process by which a customer engages with the vendor for specific tasks, workflows, or requests; for example, requesting changes or working incidents
  2. Integrations – connecting technologies together, to maximize their effectiveness, must be simplified to keep the system from becoming brittle and incurring unexpected outages
  3. Technical solution – the various technical pieces of the solution should minimize complexity by limiting the number of specialized components, and the number of times that a workflow passes from one technical system to another

There you go, part 3 on complexity. In a nutshell – if you don’t understand the solution someone is trying to sell you because it’s uber-complex … it’s probably not right for you.

What the SolarWinds Compromise Means to You

A Summary Analysis of the SolarWinds Breach

What happened?

In the simplest of terms, SolarWinds – a company synonymous with Network Management Systems (NMS), whose software is used almost universally across ~300,000 customers worldwide – was compromised through what is being labeled a “supply-chain” attack. This means that attackers from what appears to be a nation state-sponsored APT (Advanced Persistent Threat) group executed an attack against the software company that allowed them to insert code into SolarWinds’ most popular platform, called Orion.

Between March and June 2020, the attackers were able to insert code into the build system of SolarWinds’ Orion tool and push out updates which contained what is effectively a trojan horse. This means that the attackers were then able to use the compromised update of the Orion platform to pull down malware (Sunburst) onto systems that had received this update. From there, attackers had what is effectively free range on the victim’s network. Since they were operating from a tool that is meant to reach out and monitor/manage network and system infrastructure, this compromise gave them virtually limitless capabilities on most networks they infected.

It should be noted that while the attack appears to be targeted at the government sector and its providers, such as FireEye in one documented case, it is being reported that any customer who had the relevant software installed should assume compromise.

*Please keep in mind that this situation is actively evolving with significant global effort to provide more information as it becomes available. The information contained in this advisory is subject to change at any time, and we encourage you to do additional research.

 

Why is the situation critical?

SolarWinds’ Orion is one of the most popular NMS (Network Management System) platforms out there. As a result, its confirmed install base is some 18,000+ networks worldwide. If you have the tool installed you are advised to assume breach and immediately enact your breach protocols and procedures. Work through your incident response process; in the event that you find no evidence of compromise, you will have peace of mind and certainty. Even if your organization does not have the tool installed, it’s highly likely that one of your partners or suppliers does, leading to a third-party risk management nightmare that requires urgent attention. Now is the time to reach out to your close partners, particularly those that have assets connected into your physical or virtual network, and obtain certainty on their current state relevant to this compromise.

Organizations that find themselves compromised by this attack should assume that the attacker has had full access to all NMS and connected systems, assets, and data, and could move around the network undetected and exfiltrate sensitive data at will. There were no detection capabilities before this breach went public, and new indicators of compromise (IOCs) are being published as researchers around the world work to uncover them. It should be noted that attackers will adapt and change their signatures to avoid detection. It is highly advised that companies review their logs for signs of long-term compromise based on the IOCs known at this point.

 

What should you do now?

If your organization does have SolarWinds’ Orion installed, you can take immediate steps to mitigate while you investigate. At minimum we urge all customers to review their logging, network access, and security strategies at this time to minimize potential impact and mitigate risk. Additionally, we provide the following suggestions:

  1. If you have Orion installed on your network and rely on it for monitoring/management, you must immediately disable its access to the Internet. If you are unable to do so, access should be limited strictly to the IP addresses that are required for it to operate.
    1. Additionally, perform in-depth log analysis going back to March for the IOCs being published, including domains that are used in the attack. Keep in mind that, now that the attack has been uncovered, these will likely change as the attackers pivot their attack to avoid discovery.
    2. Monitor closely all Orion NMS network activity, and perform packet-capture logging for evidentiary purposes, if possible.
  2. If you do not have Orion installed you should not necessarily assume your organization is safe. Consider your third-party suppliers and connected partners and perform due diligence to understand whether they have the tool installed and could have a potential compromise.
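The log-analysis step above (search logs back to March for the published indicator domains) is the part most teams end up scripting. The following is an added example, not code from this advisory or from SolarWinds; it assumes a hypothetical one-line-per-event log format (`<ISO timestamp> <source host> dns|proxy <target>`), takes 1 March 2020 as the start of the review window, and uses obviously labelled placeholder domains where the real IOCs would go. The log lines are constructed sample data.

```python
"""Retrospective IOC review of DNS and proxy logs (added example; not from the advisory).

Reads log lines from the review window the advisory describes (back to March 2020),
matches the destination of each DNS lookup or proxied request against a set of
indicator domains (exact match or any subdomain), and reports hits per source host.
The indicator domains are PLACEHOLDERS; the log lines are constructed sample data.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# PLACEHOLDERS: substitute the indicator domains published by researchers.
IOC_DOMAINS: Set[str] = {"ioc-placeholder-1.example", "ioc-placeholder-2.example"}
WINDOW_START = datetime(2020, 3, 1)  # assumed start of the "back to March" review window

# Assumed (hypothetical) log format: "<ISO timestamp> <source host> dns|proxy <target>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<kind>dns|proxy)\s+(?P<target>\S+)"
)

# Constructed sample log: one hit before the window, three inside it,
# one look-alike that must not match, one benign lookup, one unparseable line.
SAMPLE_LOG = """\
2020-02-01T09:00:00 orion-01 dns ioc-placeholder-2.example
2020-02-20T10:00:00 orion-01 dns updates.vendor.example
2020-04-02T03:14:07 orion-01 dns api.ioc-placeholder-1.example.
2020-04-02T03:14:08 orion-01 proxy https://api.ioc-placeholder-1.example/api/v1
2020-05-11T22:05:40 ws-17 dns notioc-placeholder-1.example
2020-06-30T01:00:00 orion-01 dns ioc-placeholder-2.example
this line does not parse
"""


def domain_matches(hostname: str, iocs: Set[str]) -> Optional[str]:
    """Return the indicator that hostname equals or sits under, else None.

    Requiring a leading dot avoids the substring false positive where
    notioc-placeholder-1.example would otherwise match ioc-placeholder-1.example.
    """
    name = hostname.lower().rstrip(".")  # normalise case and a trailing DNS root dot
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def target_hostname(kind: str, target: str) -> str:
    """Pull the hostname out of a DNS query name or a proxied URL."""
    if kind == "proxy":
        return urlsplit(target).hostname or ""
    return target


def review_log(text: str, iocs: Set[str], window_start: datetime) -> List[Dict[str, str]]:
    """Return one record per in-window log line whose destination matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; count these separately if log integrity matters
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        if ts < window_start:
            continue
        ioc = domain_matches(target_hostname(m["kind"], m["target"]), iocs)
        if ioc:
            hits.append({"ts": m["ts"], "host": m["host"], "kind": m["kind"], "ioc": ioc})
    return hits


def hits_per_host(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Group hits by source host: the list of systems to pull into the investigation."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = review_log(SAMPLE_LOG, IOC_DOMAINS, WINDOW_START)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['kind']} -> {h['ioc']}")
    print("hosts to investigate:", hits_per_host(found))
```

Two details matter more than the matching itself: the window cutoff is a choice (the sample's February hit is outside it, and you may want to widen the window rather than discard it), and because the advisory notes that the attackers will change their infrastructure, the indicator set should be treated as a file you refresh and re-run, not a constant you edit once.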

 

What can Lightstream do for you?

 

Right now

  • Lightstream’s security team can assist in assessment or analysis of the situation to understand potential impact to your organization
  • Lightstream’s teams should be alerted immediately via ticket if your organization has SolarWinds’ Orion installed so that we can take additional measures for investigation
  • If your organization has minimal, no, or insufficiently operationalized endpoint or network security monitoring and response capabilities, Lightstream can help by deploying, managing, and detecting and responding to threats such as this, both today and in the future

Near and Long-term

  • Lightstream’s Edge Defense and Endpoint Defense services are optimized to identify, protect against, detect and respond to, and recover from threats to your organization’s IT infrastructure, systems, and applications. Enterprises large and small can use our fully managed platform to supplement their own security operations (SOC) or fully outsource the management, detection and response 24x7x365
  • Lightstream’s expertise in Zero Trust architecture can be used to evolve your physical and virtual network to minimize the damage and business impact from even sophisticated attackers. We offer this service to our managed and new customers
  • Lightstream’s Security Advisory Services can perform a Security Strategy Program Framework (SSPF) assessment to understand how your existing security strategy would be impacted in cases such as this. This is offered to both new and existing customers.

 


The Red Herrings of Cybersecurity – Blog 2 of 4

Hello again.

In the previous blog in this series, I set things up for you. I explained the three things that I believe are “red herrings” in our industry – and now we’re going to dive into the first. Let’s go for a short, pointed, and honest ride.

There has been a consistency about managed services providers in the years I’ve worked for them. While not particularly comforting, the consistency of failings at least meant that we were all doing it wrong together. There is cold comfort in that.

One of those things that killed me for years is the speed of implementation. Or should I say, the complete lack thereof? In my years with HP, one of the managed services accounts that I worked with directly was grumpy because it had taken over 9 months to get an IDS successfully implemented. Yes, you read that right. Nine months. It’s not like security is a real-time battle of good and evil, and losing seconds is cause for concern, right?

I swore that I’d work to improve this, but ultimately I was unsuccessful. Then I left the company. But this stayed in my mind for a while. In my next role, I was too far removed from this situation to be able to affect it. That said, it never left my mind as my team and I advised CISOs on strategy and program development. The goal was always to decrease the time that elapsed between signing a contract and getting “security value.”

Fast-forward a bit to when I joined my previous role at Armor. The company was touting “2 minutes to deploy” and given my previous experience I thought I hit the jackpot. I’d learn over the next two years why I had been chasing a false dream. I’d recognize that faster is not necessarily better, although rapid time to value is desirable.

So what changed that swayed my thinking? Experience.

You see, I had the opportunity to witness a few “2-minute” deployments. They were categorically a disaster. Why? The answer lies in another question.

“How much protection can you expect from a security tool that does near-zero customization?”

If you answered the above with “about that, near-zero” you are now in my headspace. One of the reasons (and this is personal opinion now) there were so many install failures and missed issues downstream was that we were going for speed over security. Sure, we had it installed in two minutes. But did it serve any value? That was debatable, at best.

The lesson is this – to provide a valuable outcome to your customers, you need to do the work. There is a multi-step process that needs to be followed that I’ll readily share with you, here.

1. Understand your customer, their environment, and their challenges. Without this, you’re applying peanut butter. There are no two customers that share the same strategy, architecture, network topology, and security response needs. This I can guarantee. So why would you pretend that a single stock configuration would do anything but provide for the most basic of controls? I would argue that without this step you’ll be doing more harm than good.

2. Prototype and test your configurations. Once you think you know your customer, develop the defensive model, policies, and response actions. Work hard to identify not just the 80% case but those 20% outliers that are going to cause trouble once you deploy. Here’s a hint – one of the most difficult things to get right is the disruptive cases. The situations where something happens to upset the customer’s ecosystem due to a configuration you’ve made are irreversible – especially during initial deployment. If you can’t get it right from the start, you’ll lose your customer’s trust before you ever get to protect them. Minimize your unknowns; that’s the best advice I can give.

3. Expertly guided deployment is essential. Far too many times I heard customers say, “We got this” and then proceed to bungle everything because of either ego or something else. But I promise if your provider is offering you assistance to deploy – take it. If they’re not, ask why they’re not helping you be successful.

Expect this effort to take you north of forty hours for a mid-size implementation. That’s my estimation. You, the provider, should spend a week of solid work to get to a deployment stage. That’s a far cry from 2 minutes but provides infinitely more security value.

While I still believe that deploying as quickly as possible to get security value is critical, I no longer believe that doing so at the expense of customization and testing is viable. Everything comes at a price, and in cybersecurity, the price for protection is time. And effort. It takes effort, planning, patience, and expertise on your part and your customers’. I don’t care how you present it – those are things you can’t rush.

Next up, removing complexity. I welcome your comments in the meantime.

The Red Herrings of Cybersecurity Blog Series – Blog 1 of 4

The longer you’re in the cybersecurity business, the more you realize that some of the things you learned early on as ground truths were red herrings. Allow me to elaborate.

As the head of security strategy here at Lightstream, my job is to innovate and think ahead of the demand curve. I take this job very seriously, which is why I’ve been re-evaluating some of the things I held true in previous roles. There are three things I want to address over the next four posts, and I hope this reveals a little about how I’m thinking and perhaps provides some groundwork for good dialogue.

First, the three red herrings I want to discuss. These apply specifically to the delivery of security services in the form of an MSSP – and while these three things may be applicable elsewhere, that’s not what I’m addressing in this series.

  1. Faster deployments are somehow better;
  2. Complex services are more effective;
  3. Vendors taking over your tools is a good idea.

Let me break these three things down so you can get a sense of the high level here, and then over the next few posts, I’ll share my thoughts and how I have arrived there.

At my last company, there was a very odd metric we put on all of our marketing literature – the time to deploy our product. It made sense at the time. We told customers we could get the product installed in about 2 minutes and that as soon as they signed up for our service, they’d be off and going in that short timeframe. That all sounded good until I observed a few of these deployments. Have you ever tried to install a security product in 2 minutes? If you have, then you will probably agree with me that the only thing you get in those 2 minutes is a stock vanilla deployment with virtually no contextual understanding or customization. To translate that into an outcome – low value, and a potential disaster by breaking something.

Complexity has always been the archenemy of everything in technology. The more complex a deployment becomes, the more difficult it is to understand it. Hence it will be difficult to fix and secure. I don’t believe this is disputable. So why is it that so many security services vendors build slide after slide in their presentation to explain their overly complex systems and processes? The answer is simple – the buyer has come to believe that if they don’t understand it, then it must be advanced. It’s like the Arthur C. Clarke quote: “Any sufficiently advanced technology is indistinguishable from magic.” My friends, don’t buy magic; it’s rarely real in the end.

Finally, let’s talk about those RFPs you’re sending out. If you’ve purchased a set of tools and failed to implement them properly – whether you figure this out on day three or three hundred is immaterial – asking someone else to take your operation over is a terrible idea. The likely outcome is what we in the industry refer to as: “your mess, for less.” I promise you there is no value here. You get what you pay for, and “cheap” is not the same thing as “less expensive.” There’s a lot to unpack here. I’ll save my thoughts for the full post; however, I wanted to seed this in your mind for now.

So now you have it – my thoughts on the three most important red herrings cybersecurity services vendors put forth that I believe you should avoid. In the next three blog posts, I’ll unpack each and perhaps leave you with something to think over. A better way forward, perhaps.

Risk and Reward in the Brave New Work-From-Home World

The Covid-19 pandemic changed everything about the way we work, play and live — literally overnight. But here, let’s focus on the way we work since that’s the basis for how we feed our family, afford our mortgage and Netflix.

It happened suddenly. With very little notice companies urgently needed a plan to send all of their employees home while enabling as many as possible to continue working. There was no refusing and no option B. Companies that weren’t prepared were going to have to face complete closure. So, with precious few days to plan, companies sent employees performing sensitive business processes, with sensitive customer and internal information, home to work remotely.

Remote work, if you’re prepared for it, is easy. I’ve worked from a home office for almost a decade, and while it hasn’t always been my preferred mode of work, it’s doable. But that’s the key: being prepared. Companies had to send employees home without any preparation or strategy, so the results were predictably disastrous in many cases.

Let’s look at just a few of the risks of working from home:

Connectivity

The network environment that a work-from-home employee plugs into is dramatically different than the one at the office. I’m not simply talking about the hygiene of the network – because it’s far from a given that the network at the office is ‘clean’ – I’m also referring to available resources. Your office has physical and virtual devices that prevent attackers from gaining access, and that detect and respond to them quickly. Odds are that your home network has none of this. Further, your home network is most likely connected by a cable modem that your children, spouse and even other family members and friends connect to. Their devices and intentions aren’t always clean. Not every company has a robust VPN infrastructure that can handle a full work-from-home workforce, and even fewer have one that supports the kind of flexibility that their users will demand when working from home.

“Internal Protected Systems”

While the notion of a trusted internal network is rapidly disappearing from our reality, there are still many, many companies that have critical business processes that run on systems not exposed to the Internet or outside of the company. As the people who work on those systems go to work from home, it may be necessary to find ways to expose those systems. This is exceptionally dangerous if proper care isn’t taken to think through a strategy and implement significant safeguards.

Local Administrators

When you work at an office, the local site administrator sets you up on the printer near your desk or area and any other devices that you may want to use. It’s conceivable that you never needed to perform administrative functions on your laptop. Then, you’re sent home and have to add your printer, your home Wi-Fi and potentially other devices to support your way of working. Since you’re not at an office, and there may be no way to have a help desk professional do it for you, companies will be stuck enabling employees to be their own local administrators. This will prove catastrophic when it happens because one of the highest impact changes that security has implemented in recent memory was to remove administrator access for users. This removal has forced attackers to up their game. Removing that safeguard lowers the bar for attackers significantly.

Security Tools Maintenance

While most companies won’t struggle with this, the reality is that there are many that still don’t have a way to remotely perform software inventory/update, software scanning and patching and other forms of necessary administration. Something as simple as updating your anti-malware tool on your laptop may be impossible if the system was not set up to manage distributed, fully mobile users. These are not trivial administrative things but these tools must be maintained, monitored and leveraged to ensure that attackers don’t suddenly have a massive advantage over defenders.

The risks are there; that should be obvious. The rewards are there as well – the main one being that your company gets to continue to operate, even at some diminished capacity. So while I don’t want to tell you that working from home is necessarily some catastrophic event, or that there’s no way to do it safely, the likelihood of many mid-market companies enacting strategic work-from-home policies that include security is probably pretty low, given that they weren’t prepared in the first place.

Moral of the story: if you weren’t prepared, you’ve likely made some mistakes. These mistakes don’t need to be permanent, nor do they necessarily mean you’ll be hacked. What you should do is work with someone who has experience in implementing work-from-home and remote work strategies to see what you can improve or what you’ve simply neglected to do. A good time to do that is today because tomorrow you might have to explain yourself – and that’s no fun.

Let’s Do Great Things – Why I Joined Lightstream

“If somebody offers you an amazing opportunity but you are not sure you can do it, say yes – then learn how to do it later.”  — Richard Branson

If necessity is the mother of invention, then the cybersecurity community hasn’t been doing a very good job of listening to mom. Our industry is rife with complexity, rising costs, and let’s face it – failing efficacy. We spend millions upon millions of dollars on security kit, and yet the size and scale of critical data breaches continues to grow. We argue about the reasons, and who could have done more or spent more, or hired better staff; but in the end we’re all just living in a giant glass house, rock in hand. As a realist, this is disappointing on a number of levels.

I believe we are at an inflection point in the history of the industry. We stand on the precipice of a great divide. The strategies and outcomes of yesterday are no longer valid. Things have to change, evolve, and frankly grow up. Hyperbole aside, the cyber security community must realize things have to change dramatically. There is urgency in this moment.

Rising budgets have suddenly hit a brick wall, as a global economic full-stop has forced the re-evaluation of spending and priorities. And yet, we can’t just say we’re going to ignore safety and data security. So now what?

This is where I believe we, collectively, have an opportunity. Security leaders and their peers in technology are struggling to solve problems in their own individual domains, but therein is an opportunity. Security can’t just be something we add on as a step in the assembly line. It has to be foundational, fundamental, and pervasive in our companies and strategies.

Enterprise IT leaders have three key priorities: connect, protect, and optimize. Connecting people, offices, applications, and business processes is key to agility and resiliency in times of turmoil. Protecting the right things, with proportionality, while allowing creativity and agility is something that has eluded cyber security professionals since day one. And of course let’s not forget that this whole thing has to be continuously optimized, so that today’s strategy and delivery models evolve as our businesses do, whether in times of expansion or contraction.

If you buy into my line of thinking, you already know what’s coming next.

Most of your traditional security vendors aren’t set up to operate this way. They sell you each of these three critical pieces in silos, in ways that don’t work together well. It’s a two-thousand-piece puzzle where each 10-piece section is made by a different manufacturer without any regard to the others. And the worst part is you’re the one who has to put it together and make it great.

When I spent time understanding how Lightstream operates, the opportunity became clear. Connect, protect, optimize as a service platform in a manner that abstracts the delivery method from the business outcome. When the world went to cloud computing, we didn’t keep asking who made the chipset or the hard drive – we just added CPU and storage and expected it to work. Why doesn’t your IT strategy behave this way? Well … it can.

I’m joining Lightstream to add my knowledge and experience to help them continue to build out what is a world-class service platform that’s focused on delivering business outcomes as a partner to enterprise CFOs and technology leaders alike. When you can achieve security outcomes, save on your bottom line, and be more effective – that’s nirvana. That’s what we’re focused on. I’d love to tell you about it.