Cisco Blog » Security |
- The White House Memo on Adopting a Zero Trust Architecture: Top Four Tips
- How Exploit Intel Makes You Less Vulnerable
- Defending Against Critical Threats: Analyzing Key Trends, Part 1
| The White House Memo on Adopting a Zero Trust Architecture: Top Four Tips Posted: 04 Feb 2022 05:00 AM PST On the heels of President Biden's Executive Order on Cybersecurity (EO 14028), the Office of Management and Budget (OMB) has released a memorandum addressing the heads of executive departments and agencies that "sets forth a Federal zero trust architecture (ZTA) strategy." My good friend and fellow Advisory CISO Helen Patton has done a great summary of the memo in a previous blog. The biggest news is the deadline: The memo requires agencies to meet "specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government's defenses against increasingly sophisticated and persistent threat campaigns." More urgently, within 30 days of the publication of the memo, agencies need "to designate and identify a zero-trust strategy implementation lead for their organization." And within 60 days, agencies need to submit an implementation plan and a budget estimate. Whenever a deadline is announced, teams can lose sight of the bigger picture in their rush to become compliant. So, we've put together the following recommendations to assist IT and IT security practitioners in making the most of this new mandate. 1. Plan, do not panic. For even simple IT initiatives — and deploying a zero-trust architecture is not simple — a plan is always the first step to meeting the deadline. Keep in mind that not all agencies are starting at the same point in terms of security posture or risk exposure. For this reason, the CISA guidance uses a maturity model for zero-trust architecture.
In other words, one size does not fit all. As part of the planning exercise, agencies can assess where they are for each control category in terms of "Traditional", "Advanced" or "Optimal" (as seen in the above diagram). Here are some questions to tailor our efforts:
Provide guidance internally to foster understanding and gain buy-in. This can take the form of a position paper, initial guidelines, and the overall project plan. As work progresses, provide policy and standards language to institute the zero-trust principles and architecture within the agency. Bottom line: Take your time. After all, OMB recognizes the enormity of the effort. "Transitioning to a zero-trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government." 2. Focus on coverage first: People, devices, apps – in that order. Starting with securing user access via multi-factor authentication (MFA) is consistent with the updated guidance. Per the memo, "this strategy places significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication (MFA). Without secure, enterprise-managed identity systems, adversaries can take over user accounts and gain a foothold in an agency to steal data or launch attacks." Additionally, the memo directs agencies to consolidate identity systems to more easily apply protections and analytics. Keep in mind, not all MFA is equal. Agencies are well-served to prioritize solutions that deliver a frictionless user experience, and hence encourage good behavior. At the same time, these solutions should support modern and more secure authentication like passwordless. Assessing device trust – authenticating a device and using device posture in access decisions – is essential for implementing a zero-trust architecture. After all, a single insecure or unpatched device can allow an attacker to obtain access and maintain persistence – a key step in escalating their attacks.
The future is here. Users – even in the public sector — no longer login to networks, they log into apps. And notably, the OMB has recommended that every application be treated as if it's internet-accessible from a security perspective. Plan to increase the coverage of people, their devices, and our applications to make the strongest policy decisions. 3. Increase signal strength and deepen policy enforcement. One of the tenets of zero trust is that "access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes." (NIST 800-207) Early in the plan, assessing "state" may be done by strong user authentication and device posture alone. The memo states that "authorization systems should work to incorporate at least one device-level signal alongside identity information about the authenticated user when regulating access to enterprise resources." But as we proceed, we should add additional signals of trust to improve the telemetry and accuracy of our policy decisions.Agencies should first become comfortable with policy and increase use of the data points and signals of trust available to us from our tooling. Then, as we gain momentum from early wins on inventory and device control, and as we increase the use of our investments through enabling more of the policy set, we can look to further build trust in our security through behavioral analysis and anomaly detection. 4. Leverage zero-trust frameworks, lessons learned, and other guidance. Within 30 days of the memo's publication (by February 26, 2022), agencies need to designate and identify a zero-trust strategy implementation lead for the organization. These designated representatives will engage in a government-wide effort to plan and implement zero-trust controls within each organization. While each of these leaders bring unique perspectives and priorities, using common reference architectures and sharing lessons learned can keep teams aligned and focused. To help with this effort, Cisco offers free, virtual workshops to better understand how zero-trust principles work in practice. Workshop attendees will hear tips directly from former CISOs like me, engage in hands-on activities, and walk away with the tools they need to develop an action plan. We'd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels |
| How Exploit Intel Makes You Less Vulnerable Posted: 03 Feb 2022 09:36 AM PST New research shows effective and efficient vulnerability management hinges on a key ingredient: exploit intel. The data arrives just in time. An expanding threat landscapeIn 2021, a record-breaking 20,130 Common Vulnerabilities and Exposures (CVEs) were published in the National Vulnerability Database. CVEs are exploding just as attackers are growing more sophisticated, exploiting not just weaknesses in infrastructures but also human fallibility. Trying to hold back the surge can be difficult. Research from Kenna Security, now part of Cisco, and the Cyentia Institute sheds light on the limited capacity organizations have to tackle new vulnerabilities introduced each month:
But for resource-strapped Security teams, the data shows most enterprises need only remediate about 4% of the millions of vulnerabilities present in their environment, thanks in large part to exploit intel. Focusing on the 4%Real-world data drawn from Kenna customers and external sources highlights just 4% of vulnerabilities present in any environment are exploited in the wild. In other words, only 4% of vulns in any given environment pose a real risk. But how do you know which 4% are worth fixing? Through risk-based prioritization informed by comprehensive exploit intel and vulnerability intelligence, coupled with advanced data science. It's in the researchSince 2018, Kenna and Cyentia have examined the performance of cybersecurity organizations and published results twice a year in the Prioritization to Prediction (P2P) research series. The latest, P2P Volume 8, reveals how organizations reduce their exploitability when informed by real-world threat and vulnerability intel. P2P Volume 8 outlines how organizations can measure exploitability in their specific environment. And it demonstrates risk-based prioritization performs best when it factors in the presence of exploit code—evidence attackers have designed a way to exploit a vulnerability. RBVM + Exploit Intel = Lower RiskAccording to the research, organizations that employ risk-based vulnerability management (RBVM) strategy—informed by exploit intel—do a better job defending their infrastructure than organizations using other methods, namely Common Vulnerability Scoring System (CVSS) scores. To see how each method stacked up, the graph below compares exploitability scores resulting from different prioritization strategies. Yellow dots mark the median exploitability scores across all organizations using that method.
The key findings are illuminating:
It's noteworthy that despite its shortcomings, CVSS is commonly used to score CVEs, and many scanner solutions simply repackage CVSS. Risk-based prioritization reduces exploitabilityAnalysts and even government organizations recognize the effectiveness of risk-based prioritization to reduce exploitability, mirroring P2P findings over the past four years. In 2019, just 20% of Security organizations closed more high-risk vulns each month than were identified in their environment. Fast forward to today, and the number has jumped 3X to 60%, with another 17% keeping pace with the appearance of new high-risk vulns. So more than three-quarters of organizations employing intel-driven RBVM are at least able to keep pace with new threats, and six out of every ten are gaining ground against them. These findings suggest Kenna Security customers are evolving their RBVM strategies over time and incorporating exploit data in the mix makes them less vulnerable. The research found that implementing an intel-driven RBVM strategy is the most effective way to drive down exploitability, even more than adding remediation capacity. Drive down riskOngoing P2P research proves that a risk-based methodology, with prioritization informed by exploit intel, points to the likelihood that a CVE is weaponized. This strategy is also the most direct route to creating a less exploitable enterprise. With an advanced RBVM solution, the remediation list or fix list writes itself, saving IT and AppDev teams from chasing down vulnerabilities that aren't a risk, lowering their overall risk profile. Virtually every CISO is likely to report patching 4% of CVEs is more than possible with the resources they have. But the secret is identifying the 4%—and having the right exploit intel and RBVM platform to make it possible. Harness exploit intel to minimize riskFor more on the research-backed ways to lower risk, download your copy of the Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability. We'd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels |
| Defending Against Critical Threats: Analyzing Key Trends, Part 1 Posted: 03 Feb 2022 09:31 AM PST Earlier this year we held a live broadcast, featuring cybersecurity threat analysts from across Cisco Secure. We discussed the most significant cyber threats of 2021, what we're seeing now, and how defenders can best protect their organizations in the year ahead. In the first of this three-part series, we've compiled some brief highlights from the broadcast. Be sure to watch the videos for more in-depth analysis. Colonial Pipeline, and The New World of Infrastructure SecurityFrom all the threats you could have chosen to talk about, why did you choose Colonial Pipeline?
One is the real-world impact of the attack, i.e what happened to gas supplies on the East Coast of the United States. The attack inspired political pressure, and that subsequently led to an increase in response speed from the US government on ransomware activities. On the flip side, the reaction from the bad actors was also interesting. It was very much an 'Icarus' situation. They knew that they had overstepped. And there was an immediate and profound response from that environment. What do we know about the bad actor side of this attack? MO: Immediately, there was chatter on underground forums and the dark web about the fact that this was a mistake. In fact, various ransomware groups rolled out a formal policy. It said, "This group does not attack critical infrastructure or hospitals." We also saw various underground forums instigate certain new rules, which told people that they could not advertise ransomware services here. This was likely because they wanted to evade the attention of law enforcement, and the kind of attention that being associated with ransomware brings. This hasn’t gone away in the months since. The bad actors have understood that this event changed the calculus, in terms of how countries treat ransomware actors. You gave a quote in an article just after the attack – "It’s time to move beyond ransomware thoughts and prayers." Why did you say that? MO: Up until this point, a lot of government response up had been about information sharing; getting the message out. Then they would rely on traditional law enforcement methodologies to go after these groups. Unfortunately, it's been clear for a while that this wasn't viable. The arrest record was incredibly poor, in contrast with the catastrophic impact that ransomware can cause. The ransomware threat continues to be at a critical level for certain actors and, therefore, you need to treat those actors as National Security threats. That means you need to bring in the full scope of government response. Additionally, with ransomware, we’ve always been concerned about the breadth that a supply chain attack could bring. In 2017, we saw what a ransomware-like event could look like when delivered through supply chain, with NotPetya. That attack caused over $10 billion in damages globally. To be clear, that was a purely destructive state-sponsored attack, not ransomware, but it was intended to look like ransomware. Supply chain is the hardest problem in security right now. I can’t think of anything else that is that is as flummoxing. Watch the full video with Matt on Colonial Pipeline, ransomware, and supply chain attacks: Read more about the new world of critical infrastructure. Security Debt: An Increasing Target of OpportunityWhat is security debt and why is it becoming increasingly critical?
I characterize it as technological debt, that has manifested as a security issue. From an attacker point of view, how could they exploit security debt within an organization? DL: The attacker can look at it from many ways. They might use Shodan or scanning or do something as simple as open-source intelligence, like going through LinkedIn and seeing what people put in their resumes i.e they work on a particular product. They can then distil down the products that were possibly used in that environment, and then compare against vulnerabilities that are either published or they can find on the dark web. They can then build up a profile of that organization, and target it based on what intelligence they've gathered. What is your advice to organization’s listening who might have security debt and want that debt to be addressed?
Watch the full video on Security Debt: Read more about how to manage Security Debt in Duo's latest Trusted Access report. The most critical vulnerabilities (you might not be thinking about…)Jerry, what can you tell us about the world of vulnerabilities?
I don’t know many security teams that are staffed to the level of being able to look at 55 CVEs a day and can understand which ones important and which ones are not. We run a model every night, and it looks like there’s going to be over 23,000 CVEs this year. So, we know that this is a problem that is growing bigger. The truth is that while we talk a lot about vulnerabilities that are popular (everybody knows about Log4j and the Microsoft Exchange vulnerability that came out early 2021), we’re seeing more vulnerabilities come through on Chrome and Edge in huge waves. PrintNightmare was one of the most impactful vulnerabilities of 2021. It was so widespread that in the end, Microsoft set an instruction to go back to needing an admin to install printers. It really changed the dynamic of how security teams work in this arena. What occupied your team’s time during 2021? Can you highlight some of the top vulnerabilities? JG: We spent a lot of time on the Chrome V8 engine. Microsoft also made a substantial change this year when they moved from Internet Explorer. Now it’s based off Chromium, so we’re making sure our customers understand the switch from an open-source browser from a closed source browser. We’re also seeing a lot of virtualization vulnerabilities becoming increasingly common. We saw a lot of VMware vulnerabilities this year that we have hadn’t seen in the past. And we’re starting to see the emergence of what we internally call "Pile-on CVEs." (We don’t have a good term for it yet…). For example, a base CVE might come out, and then over the next couple of weeks, you might say, "I looked at the code because it was interesting. And I found this CVE, and this CVE, and this CVE…" What do these findings and activities that happened in 2021 tell you about what defenders might have to face this year? Are there any vulnerability trends that you can point to? JG: We know that CVSS isn’t a great predictor of exploitability – and we’re not saying anything here that CVSS themselves don’t say themselves. When we launched our latest Priority to Prediction report, we made the news because we said Twitter is a better indicator of exploitability. What you have to look for generally isn’t in the CVSS score. Organizations really need to move to a risk-based vulnerability management system, where you’re looking at potential remote code executions. Or if there is a released exploit code for it (that’s the biggest thing that you can do). And what can you do to make sure that the vulnerabilities on your network are being addressed properly? To help you stay up to date, our blog, blog.Kennasecurity.com has the Prioritization to Predication report which discusses how you can reduce risk with vulnerability prioritization based on risk and real-world exploitation data. And I have a personal project that runs a notebook every day at CVE.ICU that does open-source data analysis on the CVE data set. Watch the full video on the top vulnerabilities: For more resources on how to deal with critical threats, head to cisco.com/go/critical-threats. We'd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels |
| You are subscribed to email updates from Security – Cisco Blogs. To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
| Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | |


Matt Olney, Director of Cisco Talos Threat Intelligence and Response: There’s two things that I found interesting about Colonial Pipeline…
Dave Lewis, Advisory CISO, Cisco Secure: Security debt is when organizations use systems that have depreciated or aren't being properly maintained. As a result, this introduces all sorts of targets of opportunity for an attacker.
Jerry Gamblin, Director of Security Research, Kenna Security (now part of Cisco): Last year, we saw over 20,000 CVEs (Common Vulnerabilities and Exposures) for the first time ever. That’s 55 CVEs a day.
No comments:
Post a Comment