
Excellent Hybrid Cloud Environment with Real-time Visibility

We are excited to announce that this week Cavirin’s CyberPosture Intelligence for the Hybrid Cloud was recognized by SC Magazine. The Cavirin solution earned five-star marks (the highest rating) in all six review categories: Features, Documentation, Value for Money, Performance, Support, and Ease of Use.


[Figure: SC Magazine review screenshot, Risk and policy management]


The SC Magazine five-star rating is especially gratifying as it is based on an objective evaluation of features and capabilities.  Leading the charge, the reviewers thought that one of the most prominent features was Cavirin’s nonpareil CyberPosture Score.  

According to Cavirin’s Director of Product Management, the CyberPosture Score is derived by continuously assessing the security posture of all managed cloud services and workloads and computing a single number between 0 and 100, where a score of 100 represents the least risk. Representing risk in this manner facilitates prioritized response plans and in-depth security analytics, including score drill-downs from the company level to asset groups, individual resources, policy pack/control families and operating systems. At any of these levels, with visibility that spans your entire hybrid infrastructure, Cavirin’s solution depicts trends of CyberPosture scores to help CISOs assess the impact of security posture improvements.




In addition, SC Labs evaluators Matthew Hreben & Katelyn Dunn highlighted the importance of a single, unified view, emphasizing that “point” security solutions can be costly and have limited visibility into an organization’s defensive security posture:

“Users typically struggle building a meaningful risk security assessment process across a hybrid environment due to the lack of network visibility and the cost of needing multiple products. Cavirin CyberPosture Intelligence for the Hybrid Cloud serves as a single, unified view of the hybrid cloud environment that gives real-time, continuous monitoring and assessment, has automatic asset discovery and encompasses an API-first architecture that integrates security into DevOps. It enables continuous improvement of security posture and is cost-effective compared to alternatives requiring multiple products.”

In closing, the verdict of the SC Magazine analysts on Cavirin’s CyberPosture Intelligence for the Hybrid Cloud is:

“Great API-driven technology that integrates with Slack, Jira and Okta for SSO, also provides users concrete documentation and workflow suggestions. This is a strong contender in its space and worth a look.”

To read the complete review, visit:

For more information on Cavirin’s CyberPosture Score, check out our latest whitepaper: Cavirin CyberPosture - Your Credit Score for Security.



Regardless of Potential Vulnerabilities - We Must Vote

With less than six days until one of the most important elections in recent history, coverage of potential vulnerabilities has never been greater.  Compared to 2016, the typical voter is more aware of the threats, and probably more scared.  There is a concern that people will just stay home, thinking that their vote will be compromised, as captured in a recent Pew Research Center survey.

[Figure: mid-term election vulnerabilities, Pew Research Center survey]

Given that the vote is fundamental to our democracy, this isn’t good. But, as the New York Times summed it up, even though our voting process is vulnerable and outsiders are looking to sow pervasive doubt over the integrity of American elections, the only chance we have is to vote.

Looking back as far as a decade ago, and as confirmed just this last summer at DEF CON, researchers have identified vulnerabilities in both the voting machines and state election infrastructures. During the lead-up to 2016, Russia actively probed for security gaps.  Given that elections fall under state jurisdiction, the potential attack surface varies widely depending upon whether paper records are maintained, the training of personnel, and the chain of custody of voting results.  Best practices are summarized here.  One alarming statistic is that, although states can take advantage of federal programs to vet their systems, less than half had actually requested it as of the end of October.  This, despite the types of attacks having become much more sophisticated over the last two years.

However, there are other, indirect threats as well, over which individuals have more direct control.

Recently, McAfee published a good rundown on deficiencies in state election websites.  Here, the threat is not at the polling place, but beforehand, with an unsuspecting voter fooled into going to the incorrect polling location or entering personal information.  The cat may already be out of the bag regarding the latter threat, with security firms reporting that over 35 million voter records are now available on the dark web.   These types of threats, in terms of sheer numbers of voters impacted, can be more destructive than the small percentage of voting machines that may (or may not) be compromised.

And, we’re increasingly aware of the potential impact of social networks in spreading disinformation.  Unlike 2016, the Facebooks and Twitters of the world have realized their roles, both positive and negative, and are attempting to put the necessary checks in place.  But they will be hard-pressed to stay a step ahead of the hackers.

Hopefully, with additional focus, federal dollars, and press overwatch, Nov 6th won’t present any issues.  And even if we run into some concerns, the strength of our overall voting democracy will prevail, as long as we continue to believe, stay resilient, and vote.

For voter registration and other critical infrastructure officials looking to protect against future cybersecurity threats, check out the Cavirin Playbook, "Leveraging NIST CSF".





Cybersecurity for Our Critical Infrastructure - Utilities - Thoughts of a CSO

The Utilities sector has been well positioned for several years as a Critical Infrastructure, based on Federal Energy Regulatory Commission (FERC) requirements to adhere to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) guidelines and Cybersecurity Risk Management Process guidance.  In the past, the challenge has been that Corporate Information Technology was managed separately from Industrial Control Systems (ICS), which left gaps for bad actors to exploit.  These days the challenge is expanding to end users with emerging "always-on" Internet-connected smart devices.  The challenges posed are both to the end-user consumer and to the overall power grid, given coordinated attack capabilities.  This is further complicated by most end-user consumer smart devices having all or some components manufactured outside the USA, which can introduce foreign-made embedded chips that could be used against another nation, corporation, and/or individual with minimal effort.  This sector is the most important of all Critical Infrastructure industries, as the other sectors need utilities to operate.

These types of threats have been proven and the genie is out of the bottle.  Stuxnet, a sophisticated computer worm that targets centrifuges used to produce the enriched uranium that powers nuclear weapons and reactors, is the prime example of this situation; it was contained and tested in a controlled environment protected to a greater level than any Utility.  Direct action may be more difficult to execute, but still, nation-state actors will find successful opportunities.

The challenge for the Utilities sector is to establish detective controls that spot anomalies before they can be detected by a human.  The biggest threats will come from indirect sources (Vendors, Suppliers, Customers) in the future.  These channels will have weaknesses that cannot be addressed, and safeguards will need to be implemented with the expectation that those channels are compromised.  Visualization of your organizational CyberPosture at all levels will become the norm and will be monitored as closely as voltage range and kilowatt usage.  When there is no defined boundary to keep bad actors out, the shift is towards real-time monitoring.

Yes, all organizations are implementing best practices such as shift-left for coding, DevSecOps, etc., but in many cases, the ability to consolidate the CyberPosture view in real-time has not yet been implemented.  The usage of data visualization is another dynamic tool that has been lagging, but I expect this to become the new security domain field that will attract a great deal of attention over the next 12 to 18 months.  The National Association of Corporate Directors highlighted the need for this data visualization in its 2017 Cyber-Risk Oversight guidance.  My previous work at Verizon on the Verizon Risk Report (VRR) combined the Verizon Data Breach Investigations Report (DBIR) with threat intelligence from Recorded Future and external risk vectors from BitSight, which provided a security industry foundational baseline for others to build from and created great visualization techniques.  Side note: there was some data visualization introduced with the 2018 DBIR report on the website that reduced the report size and provided historical context of top threats over time.  The second level of the VRR started to include various elements of inside-out security sources (starting with Endpoint Detection and Protection leveraging Tanium and Cylance) and was expanding to culture and process elements at the third level.  There is more work to be done, with many other security areas being incorporated.  In my recent discussions with a major telecommunications provider and a national bank, the data visualization movement has started and will continue gaining momentum.

Besides data visualization, I expect that all critical infrastructure industries will expand physical air-gap separation of networks.  In some ways, we are returning to the 1990s.  Back in those days, I supported customers that had air gaps.  A French bank kept Internet computers off the corporate network; a major University kept Student and Financial systems on a separate network; and a major military establishment used air gaps.  We have allowed technology gains to fool us into thinking that we are more secure when in fact those solutions increased the risk factors.  This happened for several reasons: products were rushed out the door, and there is minimal financial risk in providing insecure software and hardware to most customers.   If you introduce an unsafe automotive vehicle, then there are financial penalties that those manufacturers must pay for the people that are hurt and/or killed as a result.  When have you seen a technology company punished for releasing unsafe hardware and/or software?  Therefore Utilities, actually all critical infrastructures, need to design security architectures that expect security flaws to be built into the solutions that they purchase and implement.

For more on this and protecting our critical infrastructure, check out our Webcast on October 24th, Protecting Our Critical Infrastructure Starts with NIST CSF.  If you cannot make it, no worries, register anyway and a link to the recording will be sent to you following the event.


It’s Everyone’s Job to Ensure Online Safety at Work

This week’s NCSAM theme is “It’s Everyone’s Job to Ensure Online Safety at Work.”  Basically, it means that you need to take personal responsibility to ensure your CyberPosture.  Why is this so critical, and why do smaller businesses have to take additional precautions?  In many cases, these organizations have less of a budget or skillset to implement security in depth, and their employees may think that they are too small a target.  But, with larger organizations more apt to take proper precautions, the SME space becomes a ripe hunting ground.  The sad thing is that a single major breach is much more likely to put a smaller company out of business or tarnish its reputation to an extent that requires a long road to recovery.  In fact, 61% of SMEs experienced a cyberattack in 2017, but only 21% considered their ability to respond to be effective.

Over the last year, at Cavirin we’ve written plenty about ‘the enemy within’ as well as verticals that are the most vulnerable to employee carelessness.  Have we made any progress?  Unfortunately, it looks as if we’re heading in the opposite direction.  A Ponemon study released in the spring of this year states that the number of incidents per organization involving employee or contractor negligence has increased from 10.5 to 13.4 times per year since 2016. 

Overall, negligence, and not malicious intent or hacking, was the cause of 64% of breaches, impacting every vertical, with financial, services, industrial, energy, and healthcare the top five.  Each resulting breach cost an average of $283K, for a total of $3.8M per organization.  The table below breaks this out in additional detail.  But, where it really gets interesting is the impact of how long it takes to identify and remediate the breach.


[Table: cost for security breaches]

If identified early, the total exposure is about 2/3 less than those that take three months or more to address.  How does one identify the breach quickly?  More on this in a bit!


[Table: cost for insider data breaches]

Note:  This table includes malicious behavior and credential theft, for a median of $8.5M vs the $3.8M stated earlier, but the overall trend is the same.

How else might we be losing ground?   I hate to admit it, but my home state of California is one of the worst offenders.  I don’t know if it is complacency or the fact that we are surrounded by so much tech, but based on a recent study, also by Ponemon, we are the 6th worst state at -3.05 as it relates to our cyber hygiene, our personal CyberPosture.  The folks in New Hampshire must be doing something right!


[Table: most secure states, least secure states]

More telling than just a number, are the actions taken by those with ‘good’ cyber hygiene, vs those without.  This includes backing up data, keeping software up to date, bank statement monitoring, and other obvious actions listed in the table below.

[Table: security best practices]


So what can you do to immediately improve your cybersecurity posture?  The table above applies equally well to individuals as well as businesses.   Within the organization, one of the most fundamental tasks of IT is to ensure that laptops and servers are updated and backed-up automatically, encryption is in place, firewalls are active, and proper password hygiene is enforced.  Unfortunately, this is not always the case.  And, employee training is sometimes very nebulous, but one action that has an immediate impact is anti-phishing training.  Many IT departments also clearly identify any email from a source outside of the organization. 

One potential area of added threat is the employee with their BYOD iPhone or Android phone.  SMEs are less likely to implement device management software, and this presents a problem.  It just takes one employee, wanting to up-level their Fortnite cred, or tricked into downloading a fake Google Play Store, to bypass Android security and potentially compromise the entire organization.  Without any controls in place, these threats are incredibly hard to track… until it is too late.

Last but not least, how do we ensure quicker discovery of any breach, with a goal of minimizing damage?  Looking back at the data on the escalating cost of a breach the longer it goes uncorrected, or at how to identify a BYOD threat in less than a Fortnite, a solution is to deploy a platform to continually assess the organization’s CyberPosture.  This includes both servers, if the SME controls any, either on-prem or in the cloud, as well as those of their cloud provider.  Cavirin’s CyberPosture Intelligence provides just such a solution, not only for SMEs, but for enterprises and MSSPs of all sizes.


Additional resources:

StaySafeOnline (NCSA)

Cybersecurity Resources Road Map (CERT)

Cybersecurity for Startups (CERT)





Welcome to NCSAM Week 2, “Millions of Rewarding Jobs: Educating for a Career in Cybersecurity.”  This particular topic is close to home, as I have two daughters in high school who will be shortly deciding what majors to study, and whether cybersecurity is of interest.

Although at Cavirin we place a lot of confidence in our cloud security automation capabilities, we still require skilled security personnel to plan and operate the solution, as well as digest the resulting data.  And that need, even with all the AI and ML in the world, won’t go away anytime soon.  In fact, many are predicting millions of unfilled security jobs in the coming years, and the recently published National Cyber Strategy calls out ‘Develop a Superior Cybersecurity Workforce’ as a strategic national security advantage.  This is this century’s equivalent of the ‘missile’ gap after WW2 and at the beginning of the Cold War, a gap that spurred interest in engineering. 

But what the engineers of the previous generation accomplished in the physical space, must now translate with the same focus and creativity into the virtual space.  And the ‘physical’ toys, the wagons and Lincoln Logs, that kids at the time were most familiar with, are in many cases supplanted by virtual ones – smartphone applications and video games.  I won’t comment on whether this is good or bad, but it does attune Generation Z, the post-millennials, for quick response and multi-tasking, skills valuable in cybersecurity.  So what is the best path forward?

The National Initiative for Cybersecurity Education (NICE) is one framework, depicted below.  NICE supports policies that encourage hiring, developing, and retaining a skilled workforce for both the private and public sectors.  But we have a long way to go, as evidenced by the number of unfilled jobs at CyberSeek.  I doubt the average elementary school or even middle-school teacher has ever heard of NICE, and it is hard enough to encourage females to even consider STEM in general.   There are really three timelines in play – the immediate need; the near-term, which can be addressed by the universities; and the longer-term, where the next generation comes into its own.

For those already in the workforce, we all know that continual retraining and re-education is critical to career growth.  Consider mainframe specialists who then became comfortable with minicomputers, and later still, PCs.  Corporations must make it financially appealing for those wishing to make a change, including covering the cost of advanced degrees if deemed to offer a competitive advantage (which they should).

For those not yet in the workforce, higher educational institutions must double down on ‘practical’ cybersecurity programs, scholarships, and internships within the industry: programs that focus on identifying and solving breaches under the pressure of an operational environment.   Universities should elevate cybersecurity to a major discipline, on par with Civil, Electrical, and Mechanical.  Some have already gone down this path, but most have not.  But the real question is how to get students interested, as early as high school.

A few electives cover the Internet, but over the last decades, the core curriculum has not really changed from English, math, science, and history.  Maybe time for a change to the more practical aspects of survival in the 21st Century?  Cyber could be one module.  In parallel, for those so inclined, the nationwide GenCyber camps for grades 10 and above are a great opportunity, and cover topics as diverse as risk assessment and threat detection, forensics and incident response, network security, and of course intro to cryptography.

The next generation is where we can make a real difference.  What does it take to get the average 10-year-old interested in math or science, or for that matter, security?  In a way that removes the ‘nerdy’ connotations, as we’ve seen with robotics and space.  Fact is, there are a lot of resources already available.  Some good links include:

And, from the recent Wired Magazine article by Geetha Murali, CEO of Room to Read, a few recommended books to get started in the right direction:

  • Lab Girl, by Hope Jahren
  • Brazen: Rebel Ladies Who Rocked the World, by Penelope Bagieu
  • Headstrong: 52 Women Who Changed Science and the World, by Rachel Swaby
  • The Evolution of Calpurnia Tate, by Jacqueline Kelly
  • Girls Think of Everything: Stories of Ingenious Inventions by Women, by Catherine Thimmesh
  • Good Night Stories for Rebel Girls, by Elena Favilli and Francesca Cavallo

Across all age groups, a set of core skills have been identified that are markers for success in the field: 

  • Problem-solving
  • Verbal and written communications
  • Data Analysis
  • System and project management
  • Team building and leadership
  • Software programming




“NEW” CyberPosture Intelligence Solution

Cavirin is the world’s first solution that provides CyberPosture intelligence for the hybrid cloud. It does so by discovering resources located on-premises in traditional data centers (virtual and physical machines), in multi-cloud environments (Google Cloud, AWS, and Azure), and/or in Docker/container-based environments. Subsequently, Cavirin enables risk, security and compliance management for these hybrid cloud resources through a Protect-Monitor-Respond-Predict based automation framework. Cavirin supports 25 audit frameworks derived from the security (NIST, CIS, etc.) and compliance (HIPAA, PCI, GDPR, ISO, etc.) domains to ensure corporate security and compliance policies are enforced for the hybrid enterprise of tomorrow! The Cavirin solution has been featured in leading market research reports and has won multiple awards for innovation and market leadership.

Here is the second part (in a two-part series) that highlights customer benefits along with the features supported in our Summer 2018 release of Cavirin's "New" CyberPosture Intelligence Solution. Check out Part 1 or visit the "Why Cavirin" page for an introduction to our CyberPosture Intelligence solution.

1. Protect-Monitor-Respond-Predict security automation framework

Cavirin has implemented the Protect-Monitor-Respond-Predict security automation framework, which is at the core of everything that Cavirin does. We have provided the various puzzle pieces in this security automation framework over the last few releases and added some new elements in the summer release as well.

Technology and Infrastructure agnostic solution - Cavirin provides the Protect-Monitor-Respond-Predict security automation framework with a single pane of glass view for the hybrid cloud infrastructure in a technology agnostic, cloud infrastructure agnostic manner so that customers don’t have to worry about the underlying infrastructure type.

In the summer release we have augmented the support greatly, namely:

  • Protect: we have greatly increased the coverage of “protection” policies, including adding new control frameworks such as support for CCPA (California Consumer Privacy Act), support for the CIS Azure and CIS GCP benchmarks, and enhanced AWS Cloud policy support, bringing the number of supported policies to a level unparalleled in the industry. Cavirin supports 80,000 policies over 25 control frameworks.
  • Monitor: there are multiple ways that Cavirin implements monitoring:
    • Golden Posture monitoring: Continuous monitoring to ensure any golden posture drifts are detected and alerted through any of the signaling channels supported by Cavirin: JIRA/Slack/ServiceNow/PagerDuty.
    • AWS Lambda and SNS-Based Monitoring: Security monitoring of AWS CloudTrail events has been revamped to detect and alert operations staff via SNS Topics when the configuration of AWS resources is modified.

  • Respond: Cavirin provides several capabilities to remediate the various issues/problems discovered by the Cavirin solution:
    • Cavirin provides a prioritized remediation gap report which provides a sorted and “prioritized” action plan based on its potential improvement on the overall CyberPosture score. This enables customers to focus on the most impactful remediation plan thereby minimizing time and resources expended.
    • Auto-remediation: Cavirin is launching “CavBots” to execute auto-remediation capabilities that are detailed below.
  • Predict: Cavirin provides data science insights to understand how the CyberPosture score is trending with time. Further, there are ways to analyze the assessment data for all the resources discovered and managed by the Cavirin solution. Capabilities exist to filter, sort, remediate and generate extensive reports with multiple perspectives as required by the customer.
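The CloudTrail-to-SNS monitoring pattern in the Monitor bullet above, as an added example that is not Cavirin's code: a Lambda-style handler that classifies a CloudTrail record as a configuration change and builds the SNS alert. It assumes the record arrives wrapped in an EventBridge `detail` field and that the SNS publish call is injected, so the logic runs offline without boto3; the event records and account id are constructed.

```python
"""Classify AWS CloudTrail events as configuration changes and build an SNS alert.

Added example, not Cavirin's implementation. Assumptions: the handler is
triggered by an EventBridge rule that wraps the CloudTrail record in `detail`,
and the SNS publishing function is injected (boto3's sns.publish in production).
"""
import json
from typing import Callable, Optional

# eventName prefixes that change resource configuration. CloudTrail also marks
# such API calls with readOnly == False; both signals are checked.
MUTATING_PREFIXES = ("Create", "Delete", "Put", "Modify", "Update", "Authorize",
                     "Revoke", "Attach", "Detach", "Enable", "Disable",
                     "Run", "Terminate")
SNS_SUBJECT_MAX = 100  # SNS rejects subjects longer than 100 characters


def is_config_change(record: dict) -> bool:
    """True when the CloudTrail record describes a mutating API call."""
    if record.get("readOnly") is False:
        return True
    return record.get("eventName", "").startswith(MUTATING_PREFIXES)


def build_alert(record: dict) -> dict:
    """Extract the fields an operator needs to triage the change."""
    identity = record.get("userIdentity", {})
    actor = identity.get("arn") or identity.get("principalId") or "unknown"
    subject = f"AWS config change: {record.get('eventSource')} {record.get('eventName')}"
    return {
        "subject": subject[:SNS_SUBJECT_MAX],
        "actor": actor,
        "source_ip": record.get("sourceIPAddress"),
        "region": record.get("awsRegion"),
        "time": record.get("eventTime"),
        "request": record.get("requestParameters") or {},
        "error": record.get("errorCode"),  # failed attempts are still worth knowing
    }


def handler(event: dict, context=None,
            publish: Optional[Callable[[str, str], None]] = None) -> Optional[dict]:
    """Lambda entry point: returns the alert that was (or would be) published, else None."""
    record = event.get("detail", event)  # EventBridge wraps CloudTrail in "detail"
    if not is_config_change(record):
        return None
    alert = build_alert(record)
    if publish is not None:
        publish(alert["subject"], json.dumps(alert, default=str))
    return alert


# Constructed sample events (account id and IPs are placeholders).
SAMPLE_MUTATING = {"detail": {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "readOnly": False, "awsRegion": "us-east-1", "eventTime": "2018-09-01T12:00:00Z",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/constructed-admin"},
    "requestParameters": {"groupId": "sg-constructed", "cidrIp": "0.0.0.0/0",
                          "fromPort": 22, "toPort": 22},
}}
SAMPLE_READONLY = {"detail": {
    "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
    "readOnly": True, "awsRegion": "us-east-1",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/constructed-admin"},
}}

if __name__ == "__main__":
    for sample in (SAMPLE_MUTATING, SAMPLE_READONLY):
        print(handler(sample, publish=lambda s, m: print("SNS:", s)))
```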


2. Auto-remediation through Cavirin Cloud-bots aka “CavBots”

From the CISO Dashboard, there are two ways to get remediation guidance:

  • Alerts and Remediation: Users can view failed policies sorted by their impact on the CyberPosture score, get a prioritized gap report along with remediation guidance and post notifications or work-items in Slack, PagerDuty, Jira and ServiceNow.
  • AWS Lambda-Based Remediation (New): Users can configure Cavirin to auto-remediate using built-in capabilities, “Cav-Bots”, which execute remediation commands on behalf of the user. Remediation of AWS policy failures is achieved via AWS Lambda. Pre-built Lambda functions can be deployed in the customer’s AWS accounts to initiate remediation of failed AWS policies.


3. More Enterprise-ready features

There are several enhancements made to support large enterprise-grade scalability and deployability to ensure that Cavirin can integrate with the enterprise infrastructure for large-scale enterprise deployments.

  • Role Based Access Control (New): To support deployments within large organizations, Cavirin’s Role-Based Access Control features allow customers to segment users, asset groups, reports and resources based on user’s role and function. In addition, access to CyberPosture views and actions is restricted by a user’s role. Custom roles can also be defined providing great flexibility.
  • Single Sign-On (New): Support for single sign-on (SSO) products, including Okta.
  • Enhanced OS Support (Enhanced): Cavirin software is now certified on Ubuntu 16.04 (up from 14.04). The Content team will continue to release content updates every month.
  • Digital fingerprinting of assets: Each asset in Cavirin has a unique identifier (GUID) which is derived by digitally fingerprinting every asset discovered by Cavirin. With the Summer 2018 release, compute instances are identified by their GUID. A given GUID may have multiple IP addresses. This identifier is used throughout the Protect-Monitor-Respond-Predict security automation framework. This also helps greatly to identify and de-duplicate compute instances.
  • Cloud workflow framework (New): Significant increase in the number of policies that Cavirin supports across major clouds (AWS, Azure, and Google Cloud). In addition, Cavirin provides the ability to roll-out additional content fast to customers on a regular basis.
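The asset fingerprinting idea from the list above, as an added example that is not Cavirin's implementation: a deterministic GUID derived from attributes that survive an IP change, so that two discoveries of the same instance with different addresses collapse into one asset record. The choice of identifying attributes (cloud instance id, then system UUID, then sorted MAC addresses, then hostname) and the sample discoveries are assumptions.

```python
"""Stable asset GUID for de-duplicating compute instances seen under several IPs.

Added example, not Cavirin's implementation. Assumption: asset identity comes
from attributes that do not change when an address changes; IPs are merged
into the asset record rather than being part of the fingerprint.
"""
import hashlib
import uuid
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Discovery:
    """One observation of a host by a scanner or cloud API (constructed schema)."""
    hostname: str
    ip: str
    os: str = ""
    instance_id: str = ""        # cloud-provider id, e.g. an EC2 instance id
    system_uuid: str = ""        # SMBIOS/DMI system UUID
    macs: Tuple[str, ...] = ()   # MAC addresses in whatever order the scan saw them


@dataclass
class Asset:
    guid: str
    hostname: str
    os: str
    ips: set = field(default_factory=set)


def fingerprint(d: Discovery) -> str:
    """Return a GUID-shaped identifier from the strongest stable attribute available."""
    if d.instance_id:
        material = f"instance:{d.instance_id}"
    elif d.system_uuid:
        material = f"uuid:{d.system_uuid.lower()}"
    elif d.macs:
        # Sort so the same NIC set hashes identically regardless of scan order.
        material = "mac:" + ",".join(sorted(m.lower() for m in d.macs))
    else:
        material = f"host:{d.hostname.lower()}"  # weakest: hostnames get reused
    digest = hashlib.sha256(material.encode()).digest()
    return str(uuid.UUID(bytes=digest[:16], version=5))


def merge(inventory: Dict[str, Asset], discoveries: Iterable[Discovery]) -> Dict[str, Asset]:
    """Fold discoveries into the inventory keyed by GUID, accumulating IPs per asset."""
    for d in discoveries:
        guid = fingerprint(d)
        asset = inventory.setdefault(guid, Asset(guid=guid, hostname=d.hostname, os=d.os))
        asset.ips.add(d.ip)
    return inventory


# Constructed discoveries: one EC2 host seen on private and public IPs, one
# on-prem host seen twice with its MACs reported in different orders.
SAMPLE_DISCOVERIES = [
    Discovery("web-1", "10.0.1.5", "Ubuntu 16.04", instance_id="i-constructed0001"),
    Discovery("web-1", "203.0.113.7", "Ubuntu 16.04", instance_id="i-constructed0001"),
    Discovery("db-1", "10.0.2.9", "RHEL 7", macs=("00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF")),
    Discovery("db-1", "10.0.2.10", "RHEL 7", macs=("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55")),
]

if __name__ == "__main__":
    for asset in merge({}, SAMPLE_DISCOVERIES).values():
        print(asset.guid, asset.hostname, sorted(asset.ips))
```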

Check out Why Cavirin for more information on our CyberPosture Intelligence Solution.


© 2018 Cavirin Systems, Inc. All rights reserved.