
Shaping Info Security - 2007 - RedSeal Systems, Inc.

Brian Laing - Create a product that allows a true view into a network’s security posture

SITUATION - Security is a complex, multi-faceted problem. Individual components of security can be very complex; for example, the filter rules on firewalls often number in the thousands. Factor in that networks are interconnected by multiple devices from multiple vendors, and the problem only escalates. While the components of security are complex, the human side also has its issues.

Determining the threat posture of a network requires advanced skills and understanding in networking, applications, and vulnerabilities. Not only are these skill sets different disciplines, but they also use different technology, often have different reporting structures, and have different and conflicting concerns around security.

Each solution addresses one aspect of the problem; what they lack is contextual awareness of each other. Their individual complexities make this very difficult to attain. First you must understand each area, then you must understand how they are related. Only after this has been done can true insight be attained.

The need for a solution to this problem is driven not only by the internal strain of keeping track of a multi-solution, multi-vendor, and multi-departmental problem, but also by external pressures. The increasing threat landscape has caused numerous compliance mandates to appear: PCI, SOX, HIPAA, etc. These require that companies spend valuable resources on a potentially insurmountable task.

Technology

Name: Brian Laing
Title: Chief Technology Officer
Company: RedSeal Systems, Inc.



SOLUTION -

Although security risk management as a product emerged in a nascent form only a couple of years ago, I and other security practitioners have been constructing these attack scenarios for years. When the first products in this category started to appear they required frequent and pervasive network scanning, so companies often deemed an investment in security risk management costly and complex. Only a solution that can adapt to missing or stale data can deliver value quickly and efficiently; simply pulling all the data together is not enough.

Over the past 15 years I have done a considerable number of security audits all over the world. Most of the time, I had to do the review blind in some way, often filling in details or asking questions based on my years of experience and intuition. When I started working on the design of our product, the RedSeal Security Risk Manager™, I wanted to make sure that the system could function with as minimal a data set as possible – making it more automated and easier to use. Configuration files are the easiest piece of data to collect, as many companies already have repositories set up. Where a repository is not present, the information can be obtained with little or no impact on the network. This is not always the case with vulnerability scans.

To deal with missing and/or stale data, I designed Adaptive Risk Analysis (ARA). The idea behind this innovation was that an initial threat map could be generated from just the configuration files. From the initial threat map, a user could answer a few simple questions that would further refine it. This low-resolution threat map could then be used to prioritize additional scanning. An easy way to think of this is a weather analogy. In the morning you can look out the window and see that the ground is wet; by looking at the sky you can see whether there are still clouds. If there are, you know there is still a chance of rain and that you may need a jacket and umbrella. For additional information you tune into a weather report. ARA uses the same thought process: to ARA, the addition of vulnerability data is the equivalent of a single-day weather report.

The adaptive risk approach enables companies to install and implement a risk management solution extremely quickly, usually within minutes. At any point after initial deployment, network information can be added incrementally from other data sources, such as vulnerability scans and application discovery tools, to increase the confidence of risk calculations. The implementation of ARA has far exceeded my initial expectations. In many cases, working from a minimum data set of files containing firewall rules has allowed the product to show time to value much faster than any other security product I have worked with.

Adaptive risk analysis (ARA) creates the initial model or map of the network. The network map can, for example, reveal points on the network where access to a server is inadvertently allowed. The model data is further analyzed in conjunction with data about the latest security vulnerabilities and exposures, such as those tracked by the National Vulnerability Database (NVD). In an area where little or no information is present, ARA uses the information it does have to infer the presence of a vulnerable target. This inferred data is then combined with and corrected by real data as it is imported into the system. The information is then used to derive the threat analysis, generating a series of threat maps and a risk map that graphically depicts the network's vulnerable areas.

In the past, users were often surprised at the number of machines and the depth of an attack that I could accomplish. Nothing could have prepared them for what I was able to find using SRM. Threat maps typically show that within two to three attack points or hops, an entire network can be compromised. We refer to this as four hops to death. Why four? Well, that is the most steps we have found to be required to penetrate a large global company’s network. When customers see their network topology for the first time you get responses like a 4th of July fireworks display: “oooh, aaaahhh”. When they see that 90% of their network is attackable from one Internet-facing web server or a specific piece of network infrastructure, the “ooh, aaah” turns into “uh oh”.
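As an added illustration of the reachability-plus-inference idea described above (this is example code written for this page, not RedSeal's own implementation; the hosts, the first-match firewall rules and the scan results are all constructed), the following Python builds an access graph from the rules, treats every host that exposes a service as possibly exploitable while no scan data exists for it, counts attack hops outward from an Internet-facing entry point, and then re-runs the walk after a scan result replaces the inference for one host. The inferred hosts closest to the entry point are the ones where a scan would most sharpen the map, which is the "prioritize additional scanning" step.

```python
from collections import deque

# Constructed example network: each host and the services it listens on.
HOSTS = {
    "internet":   set(),
    "web1":       {"tcp/80", "tcp/443"},
    "app1":       {"tcp/8080"},
    "db1":        {"tcp/3306"},
    "fileserver": {"tcp/445"},
    "hr-db":      {"tcp/1433"},
}

# Constructed firewall-style rules, evaluated first-match:
# (source, destination, service or "*", "allow"/"deny"); "*" matches anything.
RULES = [
    ("internet",   "web1",       "tcp/443",  "allow"),
    ("internet",   "*",          "*",        "deny"),
    ("web1",       "app1",       "tcp/8080", "allow"),
    ("app1",       "db1",        "tcp/3306", "allow"),
    ("app1",       "fileserver", "tcp/445",  "allow"),
    ("fileserver", "hr-db",      "tcp/1433", "allow"),
    ("db1",        "*",          "*",        "deny"),
    ("*",          "*",          "*",        "deny"),
]


def permitted(src, dst, service, rules=RULES):
    """First-match evaluation: True if the first matching rule allows the flow."""
    for rsrc, rdst, rsvc, action in rules:
        if rsrc in (src, "*") and rdst in (dst, "*") and rsvc in (service, "*"):
            return action == "allow"
    return False  # implicit deny when nothing matches


def build_access_graph(hosts=HOSTS, rules=RULES):
    """Directed edge src -> dst exists if any service listening on dst is reachable from src."""
    graph = {h: set() for h in hosts}
    for src in hosts:
        for dst, services in hosts.items():
            if src != dst and any(permitted(src, dst, svc, rules) for svc in services):
                graph[src].add(dst)
    return graph


def exploitable(host, scan_data, hosts=HOSTS):
    """ARA-style inference: trust scan data when present; otherwise assume any host
    with an exposed service may be vulnerable, but flag that as low confidence."""
    if host in scan_data:
        return scan_data[host], "confirmed"
    return bool(hosts[host]), "inferred"


def threat_map(entry, graph, scan_data):
    """Breadth-first walk from the entry point, stepping only through hosts judged
    exploitable. Returns {host: (hops_from_entry, confidence)} for every host reached."""
    reached = {entry: (0, "confirmed")}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(graph[cur]):          # sorted for deterministic ordering
            if nxt in reached:
                continue
            ok, confidence = exploitable(nxt, scan_data)
            if ok:
                reached[nxt] = (reached[cur][0] + 1, confidence)
                queue.append(nxt)
    return reached


def fraction_compromised_within(tmap, hops, entry="internet", hosts=HOSTS):
    """Share of non-entry hosts that lie within the given number of hops on the map."""
    targets = [h for h in hosts if h != entry]
    hit = [h for h in targets if h in tmap and tmap[h][0] <= hops]
    return len(hit) / len(targets)


def scan_priorities(tmap):
    """Hosts on the map whose exploitability is only inferred, nearest hops first:
    scanning these would most improve confidence in the risk picture."""
    return sorted((h for h, (_, conf) in tmap.items() if conf == "inferred"),
                  key=lambda h: tmap[h][0])


if __name__ == "__main__":
    graph = build_access_graph()
    config_only = threat_map("internet", graph, {})
    print("config-only map:", config_only)
    print("scan these next:", scan_priorities(config_only))
    # A scan later shows fileserver is not exploitable: the map shrinks accordingly.
    refined = threat_map("internet", graph, {"fileserver": False})
    print("refined map:", refined)
```

On the constructed data the configuration-only map reaches every host, with hr-db four hops from the Internet; once the scan reports fileserver as not exploitable, hr-db drops off the map and the share of hosts reachable within four hops falls from 100% to 60%. The point for a practitioner is that a single imported scan result can change the risk picture without rescanning everything, and the hop ordering tells you which scan to run first.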

All of this information comes together, allowing RedSeal SRM to quickly and effectively visualize and quantify business risk, pinpointing areas of exposure and delivering actionable insights into how best to focus resources towards mitigation. RedSeal equips users with a meaningful priority list of the actual systems that need to be addressed.

RedSeal SRM is the industry’s first adaptive security risk management technology, which offers users a way to dramatically streamline the process of analyzing network and security posture. RedSeal SRM maps the entire infrastructure, measures its relevant risk, and mitigates its exposure.

  • Maps: RedSeal SRM automatically audits your entire network infrastructure, including all network resources, security devices and hosts, to compile an end-to-end and up-to-date map of these resources and their relationships.
  • Measures: RedSeal SRM pinpoints which assets are exposed, then assigns a risk value for meaningful measurement.
  • Mitigates: RedSeal SRM prioritizes the vulnerabilities that you need to find and fix before an exploit, so you can mitigate your risk profile and focus on the most important assets first.

CONCLUSION - RedSeal’s security risk management solutions give instant visibility into the threats that leave an open door to valuable company resources. Companies of all sizes in all industries, whether the smallest retail store or the largest manufacturer, need to ensure their security infrastructure works. RedSeal SRM offers users the opportunity to identify and proactively minimize security risk. We’ve found that we have two types of users, and they both benefit significantly. By using RedSeal SRM, security consultants can offer services more quickly and more broadly, and companies can more rapidly adapt to the changing threat landscape as well as make more rapid changes to their infrastructure to facilitate new revenue-generating applications.

Brian has over 15 years of experience in information security and networking/telecommunications. Prior to co-founding RedSeal Systems, Brian was co-founder and CTO of Blade Software, where he led the development of the security industry's first commercial IPS/FW testing tools. Brian was responsible for product management, business development and the technical vision for the Informer product line. Prior to founding Blade Software, he was Product Manager for Internet Security Systems, Inc. (ISS) Intrusion Detection line of products, pioneering the use of network taps in the deployment of network IDS and writing the fundamental paper "How to Implement a Network IDS".

Along with his technology background, Brian has done a great deal of work on the artistic side, doing everything from cel-based animation and bronze sculpting to making movies and photography. Since starting RedSeal, Brian has enjoyed taking breaks from work by taking his wife and three daughters on various photo safaris in and around the San Francisco Bay area.


RedSeal Systems, Inc.
One Lagoon Drive, Suite 375
Redwood City, CA 94065
Tel: 1 650-432-6080

Copyright © 2007 Silicon Valley Communications - All rights reserved.

   Info Security Products Guide