Enterprises are collectively spending billions of dollars annually securing their networks, yet 90 percent are successfully breached at least once a year, according to a Ponemon Institute survey.
Some of the breaches are the result of sophisticated “advanced persistent threat” (APT) and other targeted attacks, but over 90 percent of the breaches could have been prevented by the consistent application of simple or intermediate security measures, according to the Verizon Business 2011 Data Breach Investigations Report.
“The interesting thing is that most of the successful attacks were not complex,” said Mike Lloyd, CTO of RedSeal Networks, a Calif.-based network security software vendor. Corporate networks are subject to constant attacks by automated systems, probing every nook and cranny like a swarm of ants to try to find an easy way in. And just like a swarm of ants, they inevitably do find an easy way in because most corporate networks are simply too complex for simple or intermediate security measures to be consistently applied.
“When we look at corporate networks using our software, what we find is about 10 misconfigurations or other security defects on every network device,” he said. “Multiply that up on a large network and you have thousands of gaps that the ‘ants’ can crawl through. We always find high severity defects in every network we look at.”
RedSeal’s main product is RedSeal 5, a package made up of two applications that work together: Network Advisor and Vulnerability Advisor. Network Advisor works by analyzing the configurations of every network device on a corporate network, including routers, firewalls and load balancers, determining how they work together and building a map of the entire network.
Along the way it can check each device’s configuration against the router hardening guides published by NIST and others, flagging things like factory-default settings that should have been changed for security reasons.
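As an added illustration of the kind of hardening-guide comparison described above (example code written for this article, not RedSeal’s software), the following Python script scans a constructed Cisco IOS-style configuration for settings that the common router hardening guides tell administrators to change, and then shows the same checks passing on a hardened version of the config. The sample configurations, the list of checks and their severities are assumptions made for the example; a real audit would carry many more checks.

```python
import re

# Constructed sample (not a real device): a router running configuration in Cisco IOS style,
# written for this example with several factory-default or weak settings left in place.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
no service password-encryption
enable password cisco
!
snmp-server community public RO
snmp-server community private RW
!
ip http server
!
line vty 0 4
 transport input telnet ssh
 login
!
"""

# The same device after hardening (also constructed for the example).
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
service password-encryption
enable secret ChangeMe-example-only
!
snmp-server community s3cr3t-ro-string RO
!
no ip http server
!
line vty 0 4
 transport input ssh
 login local
!
"""

# Hardening checks assumed for this example, modelled on common router hardening guidance.
# Each entry: (regex matched against whole config lines, severity, description).
CHECKS = [
    (re.compile(r"^no service password-encryption$", re.M), "medium",
     "password encryption disabled; passwords stored in cleartext in the config"),
    (re.compile(r"^enable password ", re.M), "high",
     "'enable password' (cleartext or reversible Type 7) used instead of 'enable secret'"),
    (re.compile(r"^snmp-server community (public|private)\b", re.M), "high",
     "default SNMP community string left in place"),
    (re.compile(r"^ip http server$", re.M), "medium",
     "cleartext HTTP management interface enabled"),
    (re.compile(r"^\s+transport input .*\btelnet\b", re.M), "high",
     "telnet permitted on a VTY line; management traffic is unencrypted"),
]


def audit_config(config: str) -> list[dict]:
    """Return one finding per configuration line that matches a hardening check."""
    findings = []
    for pattern, severity, description in CHECKS:
        for match in pattern.finditer(config):
            findings.append({"severity": severity,
                             "line": match.group(0).strip(),
                             "issue": description})
    return findings


def count_by_severity(findings: list[dict]) -> dict:
    """Summarise findings as {severity: count} for a quick per-device score."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        findings = audit_config(cfg)
        print(f"{name}: {len(findings)} findings {count_by_severity(findings)}")
        for finding in findings:
            print(f"  [{finding['severity']}] {finding['line']}  <- {finding['issue']}")
```

Run against the weak sample the script reports six findings (four high, two medium); against the hardened one it reports none. Multiply the per-device count by the number of devices on a large network and you get the “thousands of gaps” Lloyd describes.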
“In a world of ant swarm attacks, if these things get overlooked they will be found and cause security problems. The real problem is that even if companies know that they should change these settings, they can’t do it consistently,” said Lloyd.
Vulnerability Advisor takes in data from vulnerability scans and correlates this with the network map that Network Advisor has built up, identifying the pathways and vulnerabilities that hackers could actually exploit to compromise the network from the outside. It does this by carrying out what Lloyd calls a “virtual penetration test,” using the known vulnerabilities on an offline model of the network, and then seeing what chain of attacks can lead to the most damage.
This type of risk assessment is key, believes Lloyd.
“You could find millions of vulnerabilities on a given day. What RedSeal 5 does is crunch through them on a daily basis and finds, say, the 10 most critical ones, which you need to fix first. It lets you say that these risks are worth fixing, and these ones are not.”
By fixing the most critical vulnerabilities while minimizing the number of new ones that are introduced, the theory goes, companies should be able to slowly reduce their risk profile over time.
RedSeal’s software can also be used to carry out “what-if” analyses to find out the security impact of changes to the network.
“Most network reconfigurations are carried out by hand, after assessing whether the change will blow something up or not. The trouble is that humans make mistakes,” Lloyd said. A typical company will carry out around 10 configuration changes per day; each one with the potential to introduce many unexpected security risks if not correctly analyzed.
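The virtual penetration test, the risk ranking and the what-if analysis described above, as an added example written for this article in Python (it is not RedSeal’s code, whose model and algorithms are not described here). It builds a toy network model from constructed hosts, zones, known vulnerabilities and zone-to-zone firewall rules; finds every host an attacker can chain through from the Internet on the offline model; ranks which single fix removes the most exposure (a vulnerability that is not on any path scores zero, which is the “not worth fixing today” case); and then checks whether a proposed rule change would open a path into the cardholder zone before anyone pushes it. All host names, zones, vulnerability labels and rules are assumptions made for the example.

```python
import copy
from collections import deque

# Constructed network model for this example (not data from RedSeal or any real network):
# each host has a zone and the known vulnerabilities on the services it exposes, keyed by port.
HOSTS = {
    "internet": {"zone": "untrusted",  "vulns": {}},
    "web1":     {"zone": "dmz",        "vulns": {80: "unauthenticated RCE in web application"}},
    "app1":     {"zone": "internal",   "vulns": {8080: "deserialization RCE in app server"}},
    "jump1":    {"zone": "internal",   "vulns": {}},
    "db1":      {"zone": "cardholder", "vulns": {3306: "weak default database credentials"}},
}

# Firewall policy as (src_zone, dst_zone, port, action), first match wins,
# with an implicit deny at the end. None means any port.
RULES = [
    ("untrusted", "dmz",        80,   "allow"),
    ("dmz",       "internal",   8080, "allow"),
    ("dmz",       "cardholder", None, "deny"),
    ("internal",  "internal",   None, "allow"),
]

# A change someone wants to push today: let the internal zone reach the database.
PROPOSED_RULE = ("internal", "cardholder", 3306, "allow")


def allowed(rules, src_zone, dst_zone, port):
    """First-match evaluation of the zone policy; anything unmatched is denied."""
    for src, dst, rule_port, action in rules:
        if src == src_zone and dst == dst_zone and (rule_port is None or rule_port == port):
            return action == "allow"
    return False


def attack_paths(hosts, rules, start="internet"):
    """Virtual penetration test on the offline model: breadth-first search from the
    attacker's foothold, compromising any host whose vulnerable service is reachable
    from a host already under the attacker's control. Returns {host: path_of_hosts}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst, info in hosts.items():
            if dst in paths:
                continue
            if any(allowed(rules, hosts[src]["zone"], info["zone"], port)
                   for port in info["vulns"]):
                paths[dst] = paths[src] + [dst]
                queue.append(dst)
    return paths


def policy_violations(hosts, paths, protected_zone="cardholder"):
    """Hosts in the protected zone that the attacker can reach, with the path taken."""
    return {host: path for host, path in paths.items()
            if hosts[host]["zone"] == protected_zone}


def rank_fixes(hosts, rules):
    """Rank vulnerabilities by how many hosts drop out of the attacker's reach
    when that one vulnerability alone is fixed. Zero means it is on no attack path."""
    baseline = len(attack_paths(hosts, rules))
    ranking = []
    for name, info in hosts.items():
        for port, vuln in info["vulns"].items():
            patched = copy.deepcopy(hosts)
            del patched[name]["vulns"][port]
            reduction = baseline - len(attack_paths(patched, rules))
            ranking.append((reduction, f"{name}:{port} {vuln}"))
    ranking.sort(key=lambda entry: (-entry[0], entry[1]))
    return ranking


def what_if(hosts, rules, new_rule, protected_zone="cardholder"):
    """Exposure of the protected zone before and after appending a proposed rule."""
    before = policy_violations(hosts, attack_paths(hosts, rules), protected_zone)
    after = policy_violations(hosts, attack_paths(hosts, rules + [new_rule]), protected_zone)
    return before, after


if __name__ == "__main__":
    print("compromised today:", attack_paths(HOSTS, RULES))
    print("fix first:", rank_fixes(HOSTS, RULES))
    before, after = what_if(HOSTS, RULES, PROPOSED_RULE)
    print("cardholder exposure before change:", before)
    print("cardholder exposure after change: ", after)
```

On this model the attacker reaches web1 and then app1 today but not the cardholder zone, so the web server’s vulnerability ranks first, the app server’s second, and the database’s weak credentials rank zero because no permitted path reaches them. The what-if run shows that the proposed internal-to-cardholder rule, harmless on its own, would complete the chain internet → web1 → app1 → db1 and turn that zero into the most important fix on the network; that is the kind of side effect a hand-made change is unlikely to catch.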
The product is also useful in helping companies meet compliance requirements, especially the onerous Payment Card Industry Data Security Standard (PCI DSS). In particular, PCI DSS Requirement 1 calls for firewall and router rule sets to be documented and reviewed regularly (at least every six months) so that cardholder data is not exposed to potential breaches.
“Simply understanding your network, understanding the zones and what has access to those zones; you can spend months trying to do that,” said Lloyd.
RedSeal 5 allows administrators to define complex policies and then analyze the network infrastructure’s overall adherence to them on an ongoing basis. The company claims this enables customers to supply auditors with detailed proof of how policy compliance is being maintained and validated continuously via automation. This also documents changes to access and details of any policy exceptions, including information on who requested the modifications, when they were granted, and why.
RedSeal 5 is available either as a hardened appliance running on top of the open source CentOS Linux distribution, or as a software product that runs on a physical or virtual machine running Windows Server.
The product is priced on a “per Layer 3 device” basis starting at $30,000.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.