While Visiting RSA 2017, Don’t Forget About Testing Security Controls

If you are going to RSA and walking the vendor floor, keep in mind that the vast majority of the vendors you will meet are not designed to work together. You may be able to centralize their logs and even orchestrate a cohesive incident response to an event, but you won't automatically know whether you are PCI compliant, whether you have a gaping hole in your NIST Cybersecurity Framework program, or whether your span port is down and all of your DLP and IPS sensors are now blind. One answer is to look for solutions that can measure your defenses across all of your defensive technologies and identify gaps against security frameworks, whether written in house or by vetted industry experts and groups such as PCI, NIST and CIS.
As co-founder of Tenable Network Security, I strongly believe that the SecurityCenter Continuous View solution is the "apex predator" in this space. It leverages network scanning, endpoint monitoring, event monitoring and network monitoring to continuously map all of your defenses and vulnerabilities into easily understandable dashboards and reports. Tenable instantly translates this data into hundreds of dashboards, graphs and tables and then summarizes it into control-by-control indicators, such as those shown below for the NIST Cybersecurity Framework.

These analytics are interactive. As you use your network, collect logs and perform your audits, SecurityCenter Continuous View automatically checks all of your controls and computes how they line up with your chosen frameworks.

Over the past few years, I've met many organizations that were not mature enough to think about their security in terms of controls. They wanted more tactical ways to understand where their controls were failing. For example, at Tenable we added features to the Nessus vulnerability scanner that filter results by the age of a vulnerability, or by patches that your patch management system should have deployed but has not. These are tactical ways to find patches that are not being deployed across your network.

One of the things I look for as a potential investor is companies that can quickly identify control issues, or test controls, without the need for human intervention. A company in this space we recently invested in is vThreat. This solution allows you to simulate a wide variety of malicious behaviors in a benign manner.

For example, I'm currently testing a wide variety of passive network monitoring solutions, and I wanted to see if my cloud sensor from EastWind Networks was working. I created a simulation in vThreat which had an endpoint connect to a variety of simulated malicious domains, as shown below:

I then looked for this traffic in my EastWind console by searching for “hithomeloans.com”:

This may seem like a simple example, but doing this in practice, and in an automated manner, is very useful. Anyone who has run passive network monitoring knows that span ports can be reconfigured, log collection can be blocked by firewall rule changes, and hundreds of other things can go wrong.
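The check described above, written out so it can run unattended: feed the sensor's export the list of domains the simulated endpoint was told to contact, and report whether the sensor saw them. This is an added example, not vThreat's or EastWind's code. The simulation plan structure, the one-line-per-query export format, the timestamps and the placeholder domains are all assumptions; hithomeloans.com is the domain the post searches for in the EastWind console. The three non-OK outcomes are kept distinct because they point at different failures: no records at all in the window usually means the tap or span port is dead, records from other hosts but none from the test endpoint points at a filtering or VLAN problem, and a partial match points at the simulation itself.

```python
"""Verify that a passive network sensor observed simulated malicious
traffic. Added example; the formats and data below are constructed."""

# Hypothetical simulation plan: which endpoint ran the test, when it
# started, how long to wait for the sensor, and the domains it contacted.
SIMULATION_PLAN = {
    "endpoint": "10.0.5.23",
    "started_at": 1486000000,      # epoch seconds (assumed)
    "timeout": 600,                # seconds the sensor is given to report
    "domains": ["hithomeloans.com", "bad1.example", "bad2.example", "bad3.example"],
}

# Constructed sensor export (not a real EastWind format): one observed
# DNS query per line, "<epoch> <client_ip> <qname>".
SENSOR_EXPORT = """\
1486000001 10.0.5.23 hithomeloans.com
1486000002 10.0.5.23 bad1.example
1486000003 10.0.7.9 www.example.org
1486000004 10.0.5.23 bad3.example.
"""


def parse_sensor_export(text):
    """Parse the constructed export into (epoch, client_ip, qname) tuples.
    Names are lower-cased and a trailing dot is removed so they compare
    cleanly against the plan."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records


def verify_sensor_coverage(plan, records):
    """Compare what the sensor reported against what the simulation did.

    Returns a dict with:
      status  - OK, PARTIAL, BLIND_TO_ENDPOINT or BLIND
      seen    - plan domains the sensor attributed to the test endpoint
      missing - plan domains it did not
    """
    start = plan["started_at"]
    end = start + plan["timeout"]
    expected = {d.lower() for d in plan["domains"]}

    in_window = [r for r in records if start <= r[0] <= end]
    if not in_window:
        # Sensor produced nothing at all in the window: tap, span port or
        # log forwarding is most likely down.
        return {"status": "BLIND", "seen": [], "missing": sorted(expected)}

    from_endpoint = {q for _, client, q in in_window if client == plan["endpoint"]}
    seen = sorted(expected & from_endpoint)
    missing = sorted(expected - from_endpoint)

    if not missing:
        status = "OK"
    elif seen:
        status = "PARTIAL"            # sensor works; some lookups never reached it
    else:
        status = "BLIND_TO_ENDPOINT"  # sensor alive, but this segment is not visible
    return {"status": status, "seen": seen, "missing": missing}


if __name__ == "__main__":
    result = verify_sensor_coverage(SIMULATION_PLAN, parse_sensor_export(SENSOR_EXPORT))
    print(result)
```

Run on a schedule after each simulation and alert on anything other than OK; a sensor that is quietly blind looks identical to a quiet network until you ask it to prove otherwise.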

Here is one more example. I used vThreat to launch some pass-the-hash scans.

My Suricata network intrusion detection system then identified the activity as follows:

ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection

There are many new solutions for testing security controls coming to market, from existing vendors like Tenable as well as from a new set of companies. As you walk the vendor floor at RSA and think about which solutions you need to improve your defensive posture, also think about testing your existing deployment for gaps you can easily close.