Mandatory 36-Hour Breach Reporting Window for U.S. Banks

Log4j vulnerability unpatched

In November of 2021, the Agencies, comprised of the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Federal Reserve Board (FRB), passed a regulation that requires banks to notify regulators no more than 36 hours after they identify that a security incident (that rises to the level of a “notification event”) has taken place. The regulation required full compliance by May 1, 2022. FDIC-supervised banks will report incidents to their case managers while banks that are regulated by the Board of Governors of the Federal Reserve System will need to inform the board. The Agencies explain though that not every data security incident is a notification event. According to the rule, a computer-security incident is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores or transmits. An incident requiring subsequent notification is defined as a ‘computer-security incident’ that has disrupted or degraded a banking organization’s operations and its ability to deliver services to a material portion of its customer base and business lines”

 Read the full bulletin

VMWare Infrastructure Actively Exploited to Compromise Organizations

Log4j vulnerability unpatched

CISA, the Cybersecurity and Infrastructure Security Agency, has issued an emergency directive highlighting an escalation of successful attacks against commonly deployed enterprise components of VMWare virtual infrastructure. The directive points to an escalation of successful attack against a series of VMWare vulnerabilities that are exploited independently, or in combination, to fully compromise VMWare infrastructure in these organizations. While VMWare has issued patches for these vulnerabilities, attackers have quickly reverse engineered them to develop and weaponize exploits now appearing in the wild.

The attacks highlighted require network access, but successful attackers have utilized 3rd party network access and web exposed servers to compromise vulnerable VMWare components and gain full access.

 Read the full bulletin

Millions of Log4j vulnerable systems still unpatched

Log4j vulnerability unpatched

A recent survey by Qualys and published in SC Magazine suggests that after over 3 months, roughly 1 in 3 devices and installations that were affected by the Log4j vulnerability are still unpatched. This number amounts to roughly 22 million vulnerable application installations — and it should be noted that these are just the devices that are readily accessible from the Internet.

Log4j reached critical status towards the end of 2021 when it was discovered that a feature its platform could allow an unauthenticated attacker to take complete control over a remote system. The vulnerability was classified in CVE-2021-44228, and has been extensively discussed in cyber security as well as in a published flash with guidance from the government’s cyber security agency, CISA, who published guidance.

 Read the full bulletin

Lightstream Names Joe Vadakkan as Global Executive Vice President for Sales and Engineering

Cloud security veteran and key strategist joins emerging service provider to drive growth

Salt Lake City, UT, January 19, 2022– Lightstream, a leader in cloud security, digital transformation and managed services, today announced the hiring of Joe Vadakkan as the company’s new executive vice president for global sales and engineering. As an IT, cloud and security thought leader, Joe will lead Lightstream’s global cloud security engineering and sales organization to drive execution of customers’ cloud security strategies and elevate their innovation at scale.

“Joe is a prominent industry veteran with extensive leadership experience in cloud security sales and innovation, having driven many of the industry’s successful, secure digital transformations,” said Lightstream Co-CEO, Jim Cassell. “I’m excited to welcome him to Lightstream’s executive team, and I look forward to working with him on our mission to enable our global customers to progressively innovate and grow effectively with Lightstream’s cloud security solutions.”

“We are very excited to have Joe join the Lightstream team,” stated Rod Stout, Co-CEO of Lightstream. “His unique ability to help customers realize value and achieve desired business outcomes is unparalleled. With his in-depth knowledge in partner distribution strategies and his success in building and growing world class organizations, Joe will help Lightstream bring continuous value to its customers and achieve our growth objectives.”

Joe has over 20 years of technical and business leadership experience in the areas of global infrastructure and security, most recently having served in a strategic services leadership role at Optiv, a pure play cybersecurity firm. Prior to that, he was responsible for building and running Optiv’s cloud security organization. He has also held leadership roles and provided strategic guidance for startups, venture capital and private equity firms and Fortune 2000 companies.

“I am very excited to join the Lightstream team and look forward to taking the company’s technology and services innovation to the next level to fuel future growth,” said Joe. “Lightstream has a great business model and a talented team that are fast movers on solving customer needs. I believe it is uniquely positioned to accelerate secure client innovation through its Lightstream Connect platform for Microsoft Azure, AWS and Google and integration with a security partner ecosystem that enables it to compete in today’s global market.”

About Lightstream

Lightstream provides full-service cloud, connectivity, and security solutions to enterprises worldwide with a focus on managed services for all three, as well as cloud infrastructure implementation, security, and support.

Lightstream has been named multiple times as a Palo Alto Networks Public Cloud Partner of the Year, and is an AWS Security Competency Partner, an AWS Advanced Consulting Partner, and a Microsoft Cloud Platform Gold Partner with Security Competency. Visit us at http://www.lightstream.tech or LinkedIn.

Media Contact

Cynthia Lawton / cynthia.lawton@lightstream.tech / 843-300-8445

 

UBC Successfully Migrates Windows and SQL Servers to Azure

Industry:  Trade Union

The United Brotherhood of Carpenters is one of North America’s largest building trade unions, with over a half-million members. The union leads the way in training, educating and representing the next generation of skilled construction professionals.

Business Problem

  • Development of Cloud migration plan to Azure.
  • Meet security and regulatory compliance requirements for migrating core legacy applications, including Personify running on Windows Server and SQL Server.
  • Provide ongoing Azure optimization and management.

Solution

  • Lightstream Cloud Foundation Framework Workshop and guided Foundation Build aligned with Cloud Adoption Framework (CAF).
  • POC stand up, Security Planning and Design, Network Architecture and Design, App Validation, Automation and Implementation.
  • Lightstream Cloud Managed Services for ongoing Azure management and optimization of financial, technical, security and operational aspects of environment.

Business Outcomes:

  • Successful workloads migration to Azure.
  • Compliant governance and security posture for workload environment enabling UBC to safely deploy applications via Infrastructure-as-Code.
  • Ongoing management and optimization including 65% cost savings through RI management and successful networking providing full direct interoperability between on-premise resources, Azure resources via ExpressRoute and AWS resources via Direct Connect.

The Red Herrings of Cybersecurity – Blog 2 of 4

Hello again.

In the previous blog in this series, I set things up for you. I explained the three things that I believe are “red herrings” in our industry – and now we’re going to dive into the first. Let’s go for a short, pointed, and honest ride.

There has been a consistency about managed services providers in the years I’ve worked for them. While not particularly comforting, the consistency of failings at least meant that we were all doing it wrong together. There is cold comfort in that.

One of those things that killed me for years is the speed of implementation. Or should I say, the complete lack thereof? In my years with HP, one of the managed services accounts that I worked with directly was grumpy because it had taken over 9 months to get an IDS successfully implemented. Yes, you read that right. Nine months. It’s not like security is a real-time battle of good and evil, and losing seconds is cause for concern, right?

I swore that I’d work to improve this, but ultimately I was unsuccessful. Then I left the company. But this stayed in my mind for a while. In my next role, I was too far removed from this situation to be able to affect it. That said, it never left my mind as my team and I advised CISOs on strategy and program development. The goal was always to decrease the time that elapsed between signing a contract and getting “security value.”

Fast-forward a bit to when I joined my previous role at Armor. The company was touting “2 minutes to deploy” and given my previous experience I thought I hit the jackpot. I’d learn over the next two years why I had been chasing a false dream. I’d recognize that faster is not necessarily better, although rapid time to value is desirable.

So what changed that swayed my thinking? Experience.

You see, I had the opportunity to witness a few “2-minute” deployments. They were categorically a disaster. Why? The answer lies in another question.

“How much protection can you expect from a security tool that does near-zero customization?”

If you answered the above with “about that, near-zero” you are now in my headspace. One of the reasons; and this is personal opinion now, there were so many install failures and missed issues downstream was that we were going for speed versus security. Sure we had it installed in two minutes. But did it serve any value? That was debatable, at best.

The lesson is this – to provide a valuable outcome to your customers, you need to do the work. There is a multi-step process that needs to be followed that I’ll readily share with you, here.

1. Understand your customer, their environment, and their challenges. Without this, you’re applying peanut butter. There are no two customers that share the same strategy, architecture, network topology, and security response needs. This I can guarantee. So why would you pretend that a single stock configuration would do anything but provide for the most basic of controls? I would argue that without this step you’ll be doing more harm than good.

2. Prototype and test your configurations. Once you think you know your customer, develop the defensive model, policies, and response actions. Work hard to identify not just the 80% case but those 20% outliers that are going to cause trouble once you deploy. Here’s a hint – one of the most difficult things to get right is the disruptive cases. The situations where something happens to upset the customer’s ecosystem due to a configuration you’ve made are irreversible – especially during initial deployment. If you can’t get it right from the start, you’ll lose your customer’s trust before you ever get to protect them. Minimize your unknowns; that’s the best advice I can give.

3. Expertly guided deployment is essential. Far too many times I heard customers say, “We got this” and then proceed to bungle everything because of either ego or something else. But I promise if your provider is offering you assistance to deploy – take it. If they’re not, ask why they’re not helping you be successful.

Expect this effort to take you north of forty hours for a mid-size implementation. That’s my estimation. You, the provider, should spend a week of solid work to get to a deployment stage. That’s a far cry from 2 minutes but provides infinitely more security value.

While I still believe that deploying as quickly as possible to get security value is critical, I no longer believe that doing so at the expense of customization and testing is viable. Everything comes at a price, and in cybersecurity, the price for protection is time. And effort. It takes effort, planning, patience, and expertise on your part and your customers. I don’t care how you present it – those are things you can’t rush.

Next up, removing complexity. I welcome your comments in the meantime.

The Red Herrings of Cybersecurity Blog Series – Blog 1 of 4

The longer you’re in the cybersecurity business, the more you realize that some of the things you learned early on as ground truths were red herrings. Allow me to elaborate.

As the head of security strategy here at Lightstream, my job is to innovate and think ahead of the demand curve. I take this job very seriously, which is why I’ve been re-evaluating some of the things I held true in previous roles. There are three things I want to address over the next four posts, and I hope this reveals a little about how I’m thinking and perhaps provides some groundwork for good dialogue.

First, the three red herrings I want to discuss. These apply specifically to the delivery of security services in the form of an MSSP – and while these three things may be applicable elsewhere, that’s not what I’m addressing in this series.

  1. Faster deployments are somehow better;
  2. Complex services are more effective;
  3. Vendors taking over your tools is a good idea.

Let me break these three things down so you can get a sense of the high level here, and then over the next few posts, I’ll share my thoughts and how I have arrived there.

At my last company, there was a very odd metric we put on all of our marketing literature – the time to deploy our product. It made sense at the time. We told customers we could get the product installed in about 2 minutes and that as soon as they signed up for our service, they’d be off and going in that short timeframe. That all sounded good until I observed a few of these deployments. Have you ever tried to install a security product in 2 minutes? If you have, then you will probably agree with me that the only thing you get in those 2 minutes is a stock vanilla deployment with virtually no contextual understanding or customization. To translate that into an outcome – low value, and a potential disaster by breaking something.

Complexity has always been the archenemy of everything in technology. The more complex a deployment becomes, the more difficult it is to understand it. Hence it will be difficult to fix and secure. I don’t believe this is disputable. So why is it that so many security services vendors build slide after slide in their presentation to explain their overly complex systems and processes? The answer is simple – the buyer has come to believe that if they don’t understand it, then it must be advanced. It’s like the Arthur C. Clarke quote: “Any sufficiently advanced technology is indistinguishable from magic.” My friends, don’t buy magic; it’s rarely real in the end.

Finally, let’s talk about those RFPs you’re sending out. If you’ve purchased a set of tools and failed to implement them properly – whether you figure this out on day three or three hundred is immaterial – asking someone else to take your operation over is a terrible idea. The likely outcome is what we in the industry refer to as: “your mess, for less.” I promise you there is no value here. You get what you pay for, and “cheap” is not the same thing as “less expensive.” There’s a lot to unpack here. I’ll save my thoughts for the full post; however, I wanted to seed this in your mind for now.

So now you have it – my thoughts on the three most important red herrings cybersecurity services vendors put forth that I believe you should avoid. In the next three blog posts, I’ll unpack each and perhaps leave you with something to think over. A better way forward, perhaps.