
Digital Resilience Needs to Supersede 'Detect and Protect'

BSides Greenville · 2020
Duration: 27:30 · 9 views · Published 2020-06
Watch on YouTube ↗
Style: Talk

About this talk
Digital resilience is a cyber security philosophy in which we accept that harmful cyber events are going to occur to your organization and become proactive in building and equipping an organization so that the outcome of such a cyber event is to absorb, adapt, and rebound with minimal negative business impact. In this talk we examine key elements in how organizations build and operate cyber security teams, the false assumptions that creep in, how to recognize and examine those assumptions, and how to build and equip organizations to be digitally resilient.
Transcript [en]

Welcome to "Digital Resilience Needs to Supersede Detect and Protect". My name is Kristen Kane; I am the Senior Sales Engineer at Red Seal for the southeast. Just a little bit about me: in my career I have worked in network ops and security ops, I've worked for value-added resellers and solution providers, and I've worked for manufacturers, so I have sat on all three sides of that table, sometimes all at once in the same meeting. So, we all know that bad stuff happens. The list you see on the screen is a list of data breaches in the last few years. John Chambers stated that there are two types of companies: those that have been

hacked and those who don't know they've been hacked. I compiled the list on the screen with minimal research, a few minutes searching on Google, and had to truncate the list for lack of space on the screen; I could have continued, and I didn't. These are only data breaches; I didn't include actual hacks (like musk panda mask) or ransomware attacks, which is, you know, Baltimore City, Atlanta. So we all know that stuff happens; we have lots of evidence, and most of us look at this list and go "there but for the grace of God go I". Bad actors seem to have the advantage. One of my favorite quotes, or one that resonates with me,

on stage, comes from Rob Joyce, former chief of Tailored Access Operations at the National Security Agency: "You know the technologies you intended to use in that network; we know the technologies that are actually in use in that network." The bottom line is, when we build networks, a lot of times we build them with a naive assumption that they only do what we intended. Even if we're smart enough to know that this is not the truth, sometimes we are blind to the fact that there are things going on we just don't know about. We, on the other hand, most organizations, operate under a detect and protect philosophy, and this comes from the very nature of how

the market drives solutions for these things. The market inherently drives solutions to be point solutions to a problem: I've got a problem with viruses, so we came up with antivirus. I have a problem with DDoS attacks, so we come up with a solution for DDoS attacks. I have a problem with this piece of security, and the market responds by creating a point solution. And don't get me wrong, point solutions are excellent and bring excellent value to the network, but they are inherently point solutions, and unfortunately the reality is that we have more points that need solutions than we can afford to address. To top it off, this affects us

right through: detect and protect means that we must succeed every time, and that's an almost guaranteed failure right there. We have three principal challenges we're going to talk about today, and then at the end of the presentation, or the end of my slides, which are mercifully few for you, I'll take a look at some solution aspects, some product-driven solution aspects, things we can do with certain solutions in the market. First, we don't know our networks nearly as well as we need to. So think for yourself: how long would it take you to answer the following questions? Somebody from within your organization, inside your paycheck, comes to you and says, you know,

"Hey, what does the attack surface of my network look like? Hey, are we exposed on the RDP ports? How many firewalls do we have in operation right now? What percentage of my servers are fully patched? Hey, there's a guest wireless thing that we have; can they get anyplace other than, you know, guest wireless?" I suspect that most of us would take longer to answer some of those questions than we might be comfortable with, and after answering we might even have some lingering doubts about the accuracy of the answer; if not today's answers, then tomorrow's, which are, you know, certain to change. You know, when I go to sleep at night and I get up in the morning, did the answer I

gave yesterday stay right? You know, how does it change, how much does it change? We all wonder; this is something that, I'm fairly certain, we've all lost a little bit of sleep over, or at least shed a few beads of sweat. We did a survey, Red Seal did a survey of our customers' CEOs, and this kind of helps put this in perspective. We asked a lot of questions, but one of them was how many of them believed they had an accurate blueprint of their network, and it came back that 76 percent of CEOs believed they had an accurate blueprint of their network infrastructure. So let's think about what that actually

means. That means that either they have already asked the question, or been told by the network team, "here's a picture of our network, it's accurate", or they've gone into their office, you know, wandered down the hall and said, "hey, show me a picture of my network, what does that look like?" and got an answer that they have taken as, you know, a complete and total picture of their network. And we all know that as soon as you put pen to paper this network picture is obsolete. And it's highly influenced by which group draws it: the firewall guys will draw a different map, the router guys are going to draw a different

map than the switch and infrastructure guys, and the cloud guys are going to have a totally different map that doesn't look anything like anybody else's. So it's kind of interesting that the confidence of this response was so high when we all know that it's closer to this reality. At Red Seal, one of the things we do is create network models from which we can project a map, and we find nearly a hundred percent of the time that our customers have devices, subnets, access that aren't on anybody's blueprints, or have been totally forgotten about, or were never known in the first place. We just don't know what we don't know. My second week on the job at Red Seal I

went down to see a customer, lovely people, and it was a softball pitch, right? I was going in with my sales guy who'd been with the company for a while: "don't worry about it, it'll be good to get your feet wet, you can do a roadmap thing, talk to the customer, see how we're doing, maybe make some suggestions about how to use the product better." So I go down and we're doing all this, and it was great. We brought the Red Seal console up and we're looking at it and scrolling through a list of their firewalls, when he stopped me and said, "hey Chris, whoa, what's that?" I said, "well, that's the

firewall, looks like a Palo Alto firewall, model such and such," and the name it brought up, I read it off. And he goes, "what? Why is that there?" I said, "well, it's there because Red Seal would have gone out and done a data collection." One of the things Red Seal does is actually query your network devices and pull in their configurations, and then we use those configurations to build an as-built model of the network. So I said, "well, it's right here, here's the timestamp; that means that Red Seal, you know, last week sometime, went out and did a data collection from that device, and it answered, so it's on the network." And he goes, "no it's not," and I

said, "well, yeah, yeah it is, because right there, there's the timestamp, I'll show you where we got it, I'll show you the session reference and everything." And he says, "well, we decommissioned that firewall six months ago." I said, "well, you know what it says; you know, Red Seal says it talked to it last week." So he gets up himself and goes out, and comes back about ten minutes later: turns out their decommissioning process included unplugging the upstream patch cable from the firewall, but leaving all of the downstream physical connections through the firewall in place. And of course we all know why they did this: the firewall guys were putting in new firewalls, and they wanted to

make sure that if something went horribly wrong they didn't have a whole lot of work to do to go back to what was. So they just unplugged the outside, you know, the public face of that firewall, and left it as is, meaning to come back at some point and take it offline and clean it up, and it never happened. But in the meantime this was providing access between the zones on the trusted side of the firewall. Another example: I went down to a customer's, you know, proof of concept, and we'd gotten certain elements of his network modeled, pulled in, and he said, "okay, what's next?" And so, well, at this point I like to kind of validate

that the network looks like you expect it to look like, and, you know, so, throw me a softball, we'll check out some easy stuff and kind of make an assumption that most of it's working. He says, "okay, easy one: I know that between this part of my network and that part of my network I only allow port 80, port 443 and 453." I said, "okay, cool, easy enough." And we ran the query in Red Seal, and it should have come back saying, you know, partially open, port 80, 443 and the third one, and it comes back: "this is wide

open: no controls, no ACLs monitoring this." And he was like, "oh Chris, that's just not right." So he dug down on it a little bit, and at the end of the day we found a full class C network in public IP space, so basically 255 addresses on the internet that had any-any access into the corporate network. And he was blown away, and we're sitting there and he was like, "that can't be right, that just can't be... oh, I remember what that is." I looked at him and he took a breath, and he said, "well, a while back we changed our phones over to a cloud voice provider." So it turns out that this class C address

space on the internet was all owned by the cloud voice provider, and we've probably all been in that room and know how that works. The guys came in, giving them all due credit, they came in, they locked everything down, they made the first call, it didn't work. Now they're in a time crunch: why is it not working? "I can't really have my president, my vice president, my CEO not being able to make phone calls." So what do they do? They start ripping out firewall rules, rip rip rip rip rip, and they get down to any-any and finally it works. And they push back from the table and take a deep breath and go, "great, it works, we're just

going to leave it right here for now, we'll come back and clean it up later." Of course they never did. So we don't know our networks as well as we should, because there's too much to know for any one person to put in their head; there's too much to know. Second, there are mountains of data, and there are mountains of products producing mountains of data. This slide is several years old; it just kind of shows the landscape of security software, security solutions. I'm sure that it's even bigger now, an order of magnitude bigger, and there are probably as many of them falling off as there are new ones.

A recent study said, you know, the minimum number of security solutions in enterprises is a dozen; large infrastructures can have forty or fifty. I run into customers on a regular basis going, "yeah, my budget's been slashed, I've got to figure out what tools I'm going to keep, what tools I'm going to get rid of." So, you know, we're always on the chopping block from my side, and of course from the operational side they're always having to pick and choose which baby they want to keep and which baby they throw out into the bulrushes. And on top of everything else, most of these are, again, point solutions, and they don't really provide any sort of integrated or

holistic view of the situation. And third, we never have enough network or security maintainers. We get tons of stuff, we have tons of data, but we don't have enough people to do the analysis. You know, what do we do? We hire people, but they don't exist; we use fewer products, or we invest more in existing tech. Now, my brother-in-law is a cyber security expert and works for a credit union in the southeast, and has risen in the organization to the point where he now oversees hiring his own cybersecurity team. He literally cannot find qualified staff, and has ultimately decided that the best way to get qualified staff is to actually grow them himself. So he's got to find people who are

interested, cultivate them, train them, hope that HR doesn't undermine his ability to pay them at the market rate and retain them, and when he can't do that he has to start all over again. In his complaining (we talk about this on a regular basis at family gatherings) it's just hard to keep ahead; it's hard to stay even, much less get ahead. Bonus material: and then we have organizational challenges. You know, our own organizations work against this. You know, we have SecOps and then NetOps in separate branches reporting to different VPs with conflicting, you know, competing budgets. We have the "not my job", the "I want to help but I've been told not to",

territorial battles, zero-sum budget games. So what do we do? We need to shift our way of thinking. Protection and detection are necessary but no longer sufficient; we need to incorporate the idea of digital resilience into our planning and our organizational build. In digital resilience we assume that attacks happen and succeed; from the get-go, it's going to happen, it's already happened, it's already been successful, so how do we mitigate the damage and the impact of those attacks? We focus on continual insight and improvement, and we focus on rapid recovery. Digital resilience can only be successful, ultimately successful, fully successful, when driven from the top

down, but it's actually implemented from the bottom up, because the mechanics of digital resilience are built at the operational level. It also helps to build organizations that incentivize a holistic view (and I apologize for the jargon, it's just sometimes you just can't get around it), a holistic view of network security and performance. Think about how we naively build organizations. Those of us on the call, we decided to get busy, we get together and we build a company, and say none of us, for the sake of discussion, is a network or IT security person, but we know that we need networks, we know we need IT security and we know we need

some of these things. So what do we do? Well, you know, one of us says we need firewalls, so we go hire a firewall guy; one of us says we need routers, so we go hire a router guy; one of us says we've got some regulatory requirements, so we go hire a team of regulatory requirement people. And what have we done? We have inherently built a siloed infrastructure. And how do businesses typically run? Well, we've got one budget, and everyone gets a chunk of it. So now we've built all these silos that we have to budget out, and those budgets are inherently competing with each other. So before we know it, before we've actually

taken any active steps, we've actually created an organization that is built from the ground up not to cooperate with each other, and that's a problem. Unfortunately that's about all I can say about organizations, other than that it's definitely something we need to focus on, or pay attention to, because the innate assumptions that we build organizations with have very real-world impacts. But what I'd really like to focus on for the rest of the talk is the tools, and the nature of those tools that we use when we build out the security organization. So we want to adopt tools that help you know your network. You need to, you know, however that works, right, you need to know what you never

even knew about your network. They need to be able to assess the inventory; you need to be able to know the context and the network, how those pieces are put together, how they speak to one another, what face, what surface they present to the world, where the weak points are, where things are vulnerable to attack. We need tools that can help provide this insight across functional groups, across silos; we need to find tools that inherently encourage sharing of information. So, just a second, I'm going to switch over screens here. So for example, in Red Seal, one of the first things we do is pull in configurations from devices. When we pull

in the devices, we run them through best practice checks, and we provide these as, like, a first level of value. These are industry standard best practice checks, generally agreed on; if you look at them they make sense, you know: I shouldn't have a default password, I should have a password on an enable account, I shouldn't have telnet turned on on the device, that sort of thing. With these best practice checks you can do a couple of things. First you take a look and kind of sort and see where you are actually following best practices and where there are outliers. So this raises questions: "hey, I've got a question

for the network guys. You know, I've got a best practice check, I've got 211 devices total, 209 of them pass, but I've got two that fail. So clearly we're following that policy, we're following that best practice check, but why do I have two outliers? Are those special cases? Are those flukes?" And you take that... Now, the interesting thing with Red Seal is that we typically end up selling to the security group, or the compliance group, or the audit group, or someone on the security side of the table, but this is clearly a network ops challenge, right? We have our security... now these are security teams who take this Red Seal

information and have to communicate it to NetOps. And what's the problem with security and NetOps working together? Well, they're incentivized in totally opposite ways: network guys are hired and paid to make bits go, security people are hired and paid to make it stop. So it is often difficult, and a challenge, to get these teams to work together. We actually spend a lot of time at Red Seal, when I'm out coaching our security users, on how to talk to the network folks, so that they can offer these up as conversation starters and not rocks to beat them with. The last thing we want is for these folks to walk in and slam a report

down on the desk and say, "hey, you've got to start fixing your network," because that doesn't make any friends, right? Much better to approach that with beer, candy, or both, and make it a soft question: "hey, tell me about this, how did you guys do this, why did you guys do this, why is it done this way?" Another way to look at these is exactly the opposite. Look where, and you see I've sorted here, let me turn on my highlighter, I've sorted here where you can see I've got zero pass devices and all my fail devices. So the question there is, why are we not paying any attention at all to this best practice check? Again, this is a

conversation, so it's not done by the security side, but the conversation's definitely going to end at the network ops side. And this is where building organizations that welcome the communication across silos, and realize the ultimate goal is not only making the bits go as fast as possible, or only locking everything down so nothing bad happens, but working together so that we have an effective and secure organization, is key, and tools like this can help encourage that when used properly. Another example is the risk. So, along with pulling in configurations from the network devices and building a model of the network as it is built, we also pull in vulnerability data, currently from a

vulnerability scanner, and present two different ways to look at that vulnerability data. So this is a visual picture of a typical vulnerability scan, sorted and presented by CVSS score. Okay, this is what you usually get, you know: reds are high CVSS scores, green and yellow are lower CVSS scores, and as you can see there's not really anything that jumps out. The red certainly stands out, but it doesn't really suggest where to start, and this is a fairly small network. Red Seal can take and sort this, and actually, because we put these vulnerability scores in the context of a network, we can see, for a given host with a given vulnerability, can

it be reached, what else can it reach in the network, and create a score that indicates where a single host or single group of hosts have inordinate amounts of access to the rest of the network, where there are also hosts with risk, and then we can point to those. So in this case we have one that pops up right here, we call it downstream risk, which would suggest that basically if I were to patch that one host I would get rid of a huge amount of risk in my network: I'd be closing a door that had hallways off of it to a lot of other hosts that could also be attacked. So this is the

kind of thing, again: you want to use tools, and look at tools, that help you do deep insight and analytics in your network and see very quickly where do I spend my resources, which are rare (we've already talked about that), how do I best use these things, how do I best create complete strategies that are not just host focused, not just network focused, not just perimeter focused, but incorporate elements of all of those, so that you make good decisions, make smart decisions. Let me hop back over to my slides.

Actually, I believe that was it, so I'll stop there. Any questions?
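The best-practice sorting the speaker describes (which checks have a couple of outliers worth asking the network team about, and which checks nobody passes at all) is easy to reproduce over a pile of device configs. The following Python is an added example, not Red Seal's code and not anything shown in the talk; the device names, the IOS-style config snippets and the four checks are constructed for illustration.

```python
import re

# Constructed sample configs in an IOS-like syntax. Device names and contents
# are made up for this example; they are not real devices.
DEVICE_CONFIGS = {
    "core-rtr-1": """
hostname core-rtr-1
enable secret 5 $1$xxxx$PLACEHOLDERHASH
line vty 0 4
 transport input ssh
""",
    "edge-fw-2": """
hostname edge-fw-2
enable secret 5 $1$xxxx$PLACEHOLDERHASH
line vty 0 4
 transport input ssh
""",
    "lab-sw-3": """
hostname lab-sw-3
enable secret 5 $1$xxxx$PLACEHOLDERHASH
username admin password 0 admin
line vty 0 4
 transport input telnet ssh
""",
    "old-sw-4": """
hostname old-sw-4
enable password cisco
line vty 0 4
 transport input telnet
""",
}

# Vendor-default and trivially guessable credentials the check should flag.
DEFAULT_PASSWORDS = {"cisco", "admin", "password"}


def check_enable_secret(cfg):
    """Pass if the enable account is protected with a hashed 'enable secret'."""
    return re.search(r"^enable secret\b", cfg, re.M) is not None


def check_no_telnet(cfg):
    """Pass if no vty line accepts telnet as an inbound transport."""
    for m in re.finditer(r"^\s*transport input (.+)$", cfg, re.M):
        if "telnet" in m.group(1).split():
            return False
    return True


def check_no_default_password(cfg):
    """Pass if no cleartext 'password' line uses a well-known default value."""
    pat = r"^\s*(?:enable password|username \S+ password)\s+(?:\d\s+)?(\S+)"
    for m in re.finditer(pat, cfg, re.M):
        if m.group(1).lower() in DEFAULT_PASSWORDS:
            return False
    return True


def check_password_encryption(cfg):
    """Pass if the device is configured to obfuscate stored passwords."""
    return re.search(r"^service password-encryption", cfg, re.M) is not None


CHECKS = {
    "enable_secret": check_enable_secret,
    "no_telnet": check_no_telnet,
    "no_default_password": check_no_default_password,
    "password_encryption": check_password_encryption,
}


def run_checks(configs):
    """Return {check_name: {'pass': [devices], 'fail': [devices]}}."""
    results = {}
    for name, fn in CHECKS.items():
        passed = sorted(d for d, cfg in configs.items() if fn(cfg))
        failed = sorted(d for d, cfg in configs.items() if not fn(cfg))
        results[name] = {"pass": passed, "fail": failed}
    return results


def classify(results):
    """Split checks into the two conversation starters from the talk:
    'outliers' (most devices pass, a few fail: special cases or mistakes?) and
    'zero_pass' (no device passes: is anyone paying attention to this check?)."""
    outliers, zero_pass = [], []
    for name, r in results.items():
        if r["fail"] and not r["pass"]:
            zero_pass.append(name)
        elif r["fail"] and len(r["fail"]) < len(r["pass"]):
            outliers.append(name)
    return {"outliers": sorted(outliers), "zero_pass": sorted(zero_pass)}


if __name__ == "__main__":
    res = run_checks(DEVICE_CONFIGS)
    # Sort like the console view in the talk: fewest passing devices first.
    for name, r in sorted(res.items(), key=lambda kv: len(kv[1]["pass"])):
        print(f"{name:22s} pass={len(r['pass'])} fail={len(r['fail'])} "
              f"failing={r['fail']}")
    print(classify(res))
```

The point of `classify` is the framing the speaker recommends: an "outlier" result is a question for the network team ("why do these two differ?"), and a "zero_pass" result is a question about whether the policy is being followed at all. Neither is a finding to slam on a desk.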
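The "downstream risk" idea from the end of the talk, reduced to its essentials, as an added example (this is not Red Seal's scoring, which the talk does not detail): each host carries the worst severity a scanner found on it, a reachability graph says who can get to whom, and a host's downstream risk is its own severity plus that of everything it can reach. Ranking by that number instead of by raw CVSS surfaces the "door with hallways off it". The hosts, scores and reachability map are constructed; a real tool would derive the graph from firewall and ACL configs rather than from a hand-written dictionary.

```python
from collections import deque

# Constructed sample. HOST_SEVERITY holds the worst CVSS-style score (0-10)
# a hypothetical scanner found on each host; REACHABLE is the directed
# "who can reach whom" map a network model would derive from the access
# controls. All names and numbers are made up for this example.
HOST_SEVERITY = {
    "jump-1": 4.0,   # medium score, but the bastion with the broadest access
    "web-1": 5.0,
    "web-2": 5.0,
    "app-1": 7.5,
    "app-2": 7.5,
    "hr-1": 6.5,
    "db-1": 9.8,     # critical score, but reachable only through other hosts
}
REACHABLE = {
    "jump-1": {"app-1", "app-2", "hr-1", "db-1"},
    "web-1": {"app-1"},
    "web-2": {"app-2"},
    "app-1": {"db-1"},
    "app-2": {"db-1"},
    "hr-1": set(),
    "db-1": set(),
}


def reachable_from(host, graph=REACHABLE):
    """Transitive closure: every host that 'host' can reach, excluding itself."""
    seen, queue = set(), deque([host])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt not in seen and nxt != host:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def downstream_risk(host, severity=HOST_SEVERITY, graph=REACHABLE):
    """Own severity plus the severity of every host reachable from it: what an
    attacker who lands here could go on to attack."""
    total = severity[host] + sum(severity[h] for h in reachable_from(host, graph))
    return round(total, 1)


def rank_by_cvss(severity=HOST_SEVERITY):
    """The usual scanner view: worst score first, ties broken by name."""
    return sorted(severity, key=lambda h: (-severity[h], h))


def rank_by_downstream(severity=HOST_SEVERITY, graph=REACHABLE):
    """The network-context view: patch first the host that closes the most hallways."""
    return sorted(severity, key=lambda h: (-downstream_risk(h, severity, graph), h))


if __name__ == "__main__":
    print("by CVSS:      ", rank_by_cvss())
    print("by downstream:", rank_by_downstream())
    for h in rank_by_downstream():
        print(f"{h:7s} cvss={HOST_SEVERITY[h]:4} downstream={downstream_risk(h):5} "
              f"reaches={sorted(reachable_from(h))}")
```

On the sample data the scanner view puts `db-1` (9.8) first and `jump-1` (4.0) last, while the network-context view puts `jump-1` first: it is a medium-severity host, but everything it can reach adds up, and patching it removes the attacker's landing point for four other vulnerable hosts. Scores are rounded to one decimal so the sums are stable regardless of set iteration order.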
