The RedSeal Conversation

October 20, 2015 · 10:23 AM

by Wayne Lloyd, Federal CTO RedSeal

Blue vs Red. No, not the Rooster Teeth series for the Halo fans out there. For those that do not know how the reference pertains to cyber security: Blue teams can be looked at as the good guys (cyber defenders) and Red teams are the bad guys (attackers). Not to say the Red teams are “bad guys”; their job is to identify weaknesses in order to teach and improve the capabilities of the Blue teams. 
The U.S. military runs Red vs Blue cyber war games, and I had the opportunity to participate in them during my time in the Intelligence Community. I quickly learned that all war games (whether simulated kinetic wars or simulated cyber wars) are rigged to make it impossible for the Blue team to win. Reminiscent of Star Trek’s Kobayashi Maru scenario that Captain Kirk had to participate in at the Star Fleet Academy. Why on earth would you do that? So when the real thing happens you won’t be surprised and you’ll know how to handle it.  
The only thing that was a shock to the U.S. military during the war of the Pacific in World War II was Kamikazes. The U.S. military had war-gamed every scenario to include a sneak attack on Pearl Harbor. They never imagined suicide attacks in that day and age so it wasn’t part of the games. But, with that single exception, they were prepared to deal with everything that occurred. 
I often describe how RedSeal can help Blue teams when I give demonstrations. RedSeal’s native ability to calculate every possible access path and attack vector is basically a cheat for Blue teams. Just as Kirk defeated the Kobayashi Maru scenario by changing the rules (or cheating.) Historically, Blue teams have had to find every possible path into the network and every possible attack vector or exposed vulnerability in order to defend the network. This takes vast amounts of time and effort, and many times is impossible to achieve. The Red team only has to find one way in, and they have all the time in the world to do it. 
A lot of Blue team personnel attend our conferences where they get energized about the possibilities RedSeal can open up for them. RedSeal allows the Blue teams to identify the most critical or highest risk access paths and attack vectors in the network, automatically, every day. There are other Blue teams who are known as auditors or vulnerability assessment teams. They look at snapshots of a network’s security posture and network resiliency. Typically these audits are manual, labor intensive and time consuming efforts that consist of collecting and reading network configuration files, reviewing vulnerability scan data, and performing analysis to merge the data into actionable reports. RedSeal can automate this process, turning what could take weeks or months into just a few days, so Blue teams can cover greater portions of the enterprise faster. 
Then there are those sneaky Red team people.  Remember them? They only have to find one way in. I don’t get many of them openly announcing themselves at conferences but they do pop up from time to time. They ask, “Can we use RedSeal to automate the analysis to find ways in and pivot or leapfrog through the network?” Well, the answer is yes. As you move through the network and collect data, you can feed it into RedSeal to figure out your next move or moves. There is a misconception that breaches are blitzkrieg style attacks -- meaning that once the attacker is in, it is game over. In fact, most of the time they have to continue to move through the network to achieve their objective -- and then get out with the data without being detected. If you have a model of the network that shows where access is and is not and what vulnerabilities could be leveraged as you push deeper into the enterprise, it removes the unknowns and allows you to move with more certainty towards your goal. 
RedSeal is a tool to defeat an impossible scenario. Whether it’s faster time to exploitation or to identification and remediation, RedSeal allows both Red and Blue teams to accomplish their goals faster and with more accuracy through automation. Live long and prosper!


August 18, 2015 · 1:05 PM

by Wayne Lloyd, Federal CTO RedSeal

Not too long ago I had a customer, “Joe”, explain to me how he overcame organizational challenges and got his network team to operationalize the findings from RedSeal.

Joe started by taking advantage of RedSeal features that can be leveraged immediately upon deployment, such as the Best Practice and STIG checks. He generated a report and sent it over to the transport team, convinced that they would recognize the findings’ importance and promptly start remediation efforts.

Unfortunately for Joe, the transport team was busy with their own operational tasks, and he’d just dumped a phonebook worth of problems in their lap.  The first issue they had: More work! More importantly, they had no idea where the data came from and didn’t trust its accuracy. They reacted the same way the people I’ve worked with did; they ignored it. They had to focus on their own priorities. It’s hard to justify overriding operational or mission requirements with new (not mandatory) tasks.

Joe is not the type to be ignored or take no for an answer; he chose another tactic.  He printed three high priority findings and personally showed them to the most receptive network team members. He didn’t present the findings as issues that needed immediate attention but instead, he asked for help in verifying the findings. They reviewed the three findings, validated them as real issues that needed immediate resolution, then thanked Joe for sharing them.

A few days later he did the same thing with the same result.  After weeks of this, the network team came to trust the findings and wanted to know where they came from. He told them it was RedSeal, and they jumped at his offer to have the reports automatically emailed to them. They wanted to learn what else RedSeal could provide.

What I learned from this is if you want to gain acceptance, you can’t just dump mountains of work on an unwitting team that is already over tasked.  You have to slowly gain their trust a little bit at a time.  Show them that you’re really on their side and not there to tell them they are doing things wrong.  Once they have confidence in the data, they will ask for more. Once they gain trust in the results, they will operationalize it into their own workflow as a willing participant… rather than a reluctant recipient.