The report outlines the authors proposal for a new approach to security, the Organization Cyber Risk Management Framework. This is a risk-centric security management posture that focuses on establishing a security baseline for agencies that allows them to correctly asses their risk posture based on empirical data. The authors note that in order to move to this framework, agencies must first implement automated continuous monitoring programs, which they identify as “continuous diagnostics and mitigation, configuration management, threat assessment, and remediation practices.” We at FireMon could not be more excited to see the report identify the importance of configuration management, and we have highlighted the importance of configuration management as it relates to risk on this blog previously. When discussing a risk-based approach, security practitioners tend to gravitate to threat management. Threat management is sexy; it includes attacks and attackers, and makes security practitioners feel more like MacGyver vs. Dilbert. Configuration Management on the surface seems less sexy. Getting notification that someone added a new ACL to a router doesn’t invoke images of thwarting a hackers attack. Consider the all to common scenario though where the router admin fat-fingered said ACL, and accidentally enabled access to an internal network that should not have access from the outside world. Without real-time configuration change alerting that can identify a violation of agency or corporate security policy, an attacker might end up being the one that ultimately alerts the organization to the misconfiguration.

The report is very comprehensive, and provides a very through framework for how to implement a risk based security practice. While it is clearly focused on Federal Government agency environments, it provides some good insights for corporate security practitioners as well. The report concludes that “To fix the problems of today and those of the years ahead, government should implement a more consistent method of evaluating cybersecurity threats — one which is measurable, transparent, and outcome-oriented.” It is refreshing to not only see a recommendation on moving to a risk-based security posture, but one that includes the importance of device configuration management and its importance in truly knowing your risk posture.

Related articles

• Bill would force agencies to take proactive security approach

Both incidents reinforce the need for proactively in identifying what assets are at risk on your network versus reacting and patching after a breach has occurred. While the Department of Homeland Security announced the continuous monitoring initiative last year, the time frame for implementation clearly needs to be moved up. According to Govinfo Security, the Federal Government responded to 106,000 attacks in 2011. Clearly, the traditional approach of reacting to an attack and patching the vulnerability is not preventing future attacks.

All organizations, not just the Federal Government, need to become more proactive and find the potential exploits before the attackers do. We have discussed the need for this many times previously on this blog. Securosis continues to lead the call for more proactive solutions as well, advocating just a couple weeks ago for the merits of an Early Warning System. The technology is available now to address this need. It imperative for your network’s security to know what assets are truly at risk right now. If you don’t know the answer to that questions, chances are an attackers exploit might just answer it for you.

Related articles

• Anger rises as Fed confirms Anonymous hack, downplays US bank emergency system breach
• Fed says internal site breached by hackers, no critical functions affected
• Fed Confirms Hackers’ Breach of Website, Reuters Reports – Bloomberg
• Data breach exposes Energy Department’s ‘continuing story of negligence’

The 6.1 release includes additional features, including FireMon Insight, Device Packs and a new FireMon Query Language  (FMQL) API. FireMon Insight is a real-time dashboard of all your security configurations. Insight consumes the configurations of all major firewall vendors and presents data across all of them in a single, customizable dashboard. There is a critical need to transform configuration data into a usable form that can be quickly digested and acted upon. Insight enables security practitioners to quickly get the results of your queries even across hundreds of thousands of rules and millions of objects in multi-vendor environments. Turn those queries into meaningful, automatically generated security metrics in a matter of seconds. Device packs will enable FIreMon to add support for new devices quicker and not require an upgrade to Security Manager. The FMQL API will enable large organizations with a development staff or managed service providers to pull FireMon data and analysis into other systems. You can learn about all of these new features here, and read what Dark Reading wrote about the release as well.

Gartner noted in the research note that ” Through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.” We at FireMon could not agree more. Previously on this blog, we have highlighted that configuration mistakes not only represent the risk of impacting network performance, but more importantly  represent a potential risk to the network. Firewall admins could potentially (and have done so in many environments) stop a revenue generating service from working properly by incorrectly configuring a firewall policy. The bigger threat though is the potential of allowing connectivity from outside of the network to a portion of the internal network that should not have access. As Gartner noted in the research note, “Diligence in patching firewalls, monitoring configuration and assessing the rule base is required to maintain security.” Misconfiguration of your firewall policy is a serious security threat, and regardless of your opinion on the one firewall vendor versus two firewall vendor debate, a tool that automates the monitoring, configuration and assessment of your firewall rulebase is required to maintain effective network security. FireMon Security Manager can provide that automation for you, and help to eliminate your firewall’s greatest threat.

Lets address each of Stiennon’s points. Stiennon’s argument that it is impossible to identify all IT assets is in fact wrong. The fact is that there are tools in existence today that can automate the identification of all assets within organizations, such as Insightix from our partner McAfee. It is also not impossible to assign value to IT assets. The FAIR framework has provided a comprehensive guide to assigning value to IT assets within the framework of Risk Management for years. At just a basic level, most organizations can at least identify what the most valuable assets are (where the finance information is, where the intellectual property resides, etc.) and devise a ranking or value system around that. It is also not true that risk management fails to predict the actual disasters. Many companies provide software solutions that automates the analysis of your network, and identifies exactly what assets are truly at risk, including our own Risk Analyzer. Finally, most security practitioners would say that their job is in fact to protect everything within their network environment. I have yet to meet a security professional who talks about the assets they are just writing off and not worrying about protecting.

Furthermore, Stiennon’s position assumes that there is some fundamental or significant difference between “threat management” and “risk management”.  Websters defines threat as “an indication of something impending, an expression of intention to inflict evil, injury or damage”, and defines risk as “the possibility of loss or injury; someone or something that creates or suggests a hazard.” I would argue that these are terms that are more similar than opposite in nature. Unfortunately Stiennon doesn’t elaborate on what “threat management” is beyond a link to an article on UTM appliances.

Risk Management is indeed a challenging practice to implement within an IT organization. In large enterprise and service provider environments, it is truly a huge undertaking. However, it is not so difficult that it can’t be done, or be effective, and therefore I have to respectfully disagree with Stiennon’s position. Here at FireMon, we have had a series of posts around how to effectively operationalize and automate risk management within your everyday IT security operations leveraging the real-time Security Manager and Risk Analyzer solution. Securosis has an amazing whitepaper discussing vulnerability management platforms aimed at effective risk management within IT, and SIRA offers insights and guidance how to achieve this daily. Risk Management is an effective, necessary and crucial part of any organizations IT Security operation, and the reports of it’s untimely death are greatly exaggerated.

"Risk Risk Baby"

Configuration Management has traditionally been pitched as a tool that can help eliminate mistakes and downtime within your network. That certainly is one of the benefits that configuration tools provide. However, I would argue that configuration tools are a risk management tool, particularly on the network and network security side of the house. If a router admin adds an ACL that suddenly opens access to an internal network from outside networks, that is a huge risk to the network. If a firewall admin mistakenly pushes an overly permissive policy that permits any source and service to an internal network, you need to be alerted to the risk. As I noted in my talk, ideally, your configuration tool also inter-operates with your visual attack tool, and updates the attack topology continuously and in real-time as these changes are made to the network and network security devices in your environment.

I also noted that there are others doing great work around this idea of operationalizing risk, or building a risk platform. Securosis has an amazing white paper discussing building a vulnerability management platform, and all of the elements needed to truly address risk in your environment. As they note in their paper, “There really shouldn’t be a distinction between scanning for a vulnerability and checking for a bad configuration. Either situation provide an opportunity for compromise.” Don’t open up your environment to potential compromise; be sure to include device configuration management as part of your day to day risk operations.

The case revolves around the plaintiff whose credentials and account information were compromised. The cyber thieves were then able to login to the bank’s site and initiate several transfers totaling more than half a million dollars. When the fraud was reported the bank was able to recover about half of the stolen funds, but they refused to refund Patco the rest of their stolen money.

In this case the bank’s position was that Patco was negligent enough to have their passwords, account info and usernames stolen.  Why should the bank bear the cost of Patco’s mistake? The bank said that Patco should be responsible for its own losses.  It is hard to argue against the Bank’s position. Why should they bear the loss, when they had nothing to do with Patco exposing their credentials?

But Patco is understandably upset given the size of the loss and they have a valid concern that the Bank’s own internal systems flagged the transactions as suspect and yet didn’t stop them.  Patco’s argument is that regardless of why or how the fraud was initiated, the bank must provide commercially reasonable controls to prevent fraud.  The court was persuaded by this argument.

For now, the case has been sent back down for adjudication and suggested to both parties that they try to settle this before a verdict. But the case itself brings up a bigger issue:

When does an organization or individual have to take responsibility for its actions on security? If the bank were held to be liable in the Patco case what message does that send?  One could say that the message is don’t worry too much about your online banking credentials because at the end of the day if anything bad happens the bank is liable anyway.  I don’t think that is the message we should be sending. How can we expect banks to take this exposure on without figuring that risk into the fee equation?

No doubt there are many instances of negligence and poor security where consumers should hold the failing institution liable for loss of money or information.  But there must be some shared responsibility of security.

As Securosis pointed out in their excellent Vulnerability Evolution Management white paper earlier this year, organizations “ need the ability to analyze threat-related data, combine it with an understanding of what is vulnerable, and provide visibility to what is meaningfully at risk.” When trying to address the risk to their environment, most organizations have relied on the vulnerability scanner.  Vulnerability Scanners are extremely effective at their job, and are the core component to being able to identify vulnerabilities within your network. Simply running a vulnerability scanner by itself though, and then deciding which of the hundreds, thousands or tens-of-thousands of vulnerabilities should be patched is not enough. Without a knowledge of the network topology and the mitigating security controls that are in place, the vulnerability scan results are just another list of things to get to at some point when trying to prioritize your network security activities.

Fortunately, we have done a lot of work in developing a tool that understands what assets are truly vulnerable on your network. FireMon Security Manager with the patented Risk Analyzer add-on enables you to visually see exactly what assets are meaningfully at risk. Our partnership with Rapid7 and the integration of Metasploit with Risk Analyzer takes this understanding to an even deeper level, allowing you to prioritize what assets are not only vulnerable, but what assets can have exploit code executed on them by an attacker. You can learn more about this enhanced integration in a joint on-demand webinar we did recently with Rapid7 here. FireMon will also be highlighting the importance of operationalizing risk on day 2 the 2012 United Security Summit as well. We hope to see you there.

Much of the discussion around defense has been about changing the way we have traditionally done defense in the network security world. A lot of focus has been placed on the fact that the technology we have deployed over the years has created “walls” obstructing our view. Defense should focus on the information or capabilities we already have in place, be it the information in logs from routers, switches or firewalls, or rigorous patch or vulnerability management. Parsing through all of this information or even prioritizing vulnerabilities for medium, enterprise or MSP organizations is a daunting task though. Holland point out in his blog that “the reality is that enterprise wide patch and configuration management are very challenging for companies”. Considering the fact that many of these organizations that do leverage vulnerability management systems sometimes get results telling them they have over 10,000+ vulnerabilities that need to be addressed, it is easy to see how the full breadth of protection is not always deployed.

A more intelligent approach to defense is needed. An approach that takes the vulnerabilities within your network, matches them against the network topology and the mitigating security controls that are in place, and highlights exactly what assets are truly at risk within the full context of the network. An approach that prioritizes the remediation actions that you need to take, and enables you to see the effect of those actions on the overall risk posture of the network. An approach that updates the risk map in real-time as changes occur to the configuration of the network devices and network security controls deployed within your network. A defense approach that is realized in FireMon Security Manager 6.0, the industry’s first Security Posture Management Solution. We invite you to try this new intelligent defense here.

FireMon is at Black Hat USA 2012 & Bsides in Las Vegas this week. Black Hat has grown every year since its inception 15 years ago, and this year proves to be the largest conference yet. Today’s keynote from Shawn Henry focused on changing the security paradigm and taking back your network. He noted that intelligence is the key to winning the battle against attackers. The more intelligence you have about your organization and threats facing it, and knowing what your attackers are focused on, the better prepared you will be to defend your network.

Blackhat 2012 (Photo credit: sally_monster)

FireMon’s Security Manger 6.0 with Risk Analyzer add-on is a key tool in arming yourself with that intelligence. Security Manager with Risk Analyzer will map your entire network, highlight what assets are at risk and how they could be pivoted off of to exploit multiple layers within your environment. Security Manager 6.0 also provides a  prioritized list of remediation actions that will reduce the greatest amount of risk with the least amount of effort. Security Manager 6.0 automates the analysis of your infrastructure, and provides real-time updates to your risk posture when changes occur to your infrastructure. FIreMon gives you the intelligence you need to understand your network, and know exactly what your attackers will focus on. To see the worlds first Security Posture Management solution in action, please visit us at booth 517 a Black Hat.