“We’re excited to take our strategic partnership to the next level,” said Sheldon Malm, Chief Executive Officer of Lyrical Security. “PacketSled’s innovative platform has become the cornerstone of our Risk Operations Center, enabling our staff to detect threats earlier, accelerate investigations, and manage clients’ risk faster than we could have imagined. Customer response to the solution has been overwhelmingly positive.”
I’ve had the fortune of working in Information Technology for over 20 years. In that time, I’ve realized that this industry is constantly evolving. However, the recent and rapid adoption of cloud-based services has caused a disruption at a magnitude that I had not yet seen. Unfortunately, it is also happening at a rate that doesn’t allow Information Security groups to properly gauge the security ramifications.
When I first entered this industry, networks were far easier to secure. We had differentiating operational goals, but what we secured were largely single, flat, and enormous networks with only a handful of entry points. All data and assets lived within one or two physical environments with their own dedicated controls. When we built our enterprise networks, we would build them to support the maximum resources needed to support the assets and needs within that single environment. It was very linear and, in comparison, far easier to scope and manage than the networks we support today. Much like today, our worst enemy was downtime, but the rules of engagement have changed, as have the margins for error.
What do users want? Everything right here. Right now. Oh yeah, we want it to be as cost-effective as possible.
With the benefits of cloud computing including quicker market entry, flexible costs and capacity, a larger and more robust network fabric allowing greater uptime, improved mobility and collaboration, and more fluid mergers and acquisitions, it’s easy to understand why there has been such a major push into the IaaS and SaaS space.
This also means that the “Crown Jewels” live in many new places around the globe. Several are within the corporation’s complete control; many are not. Currently, AWS operates in as many as 13 distinct locations around the world. That’s a lot of entry and exit points for your data to move through. With the rate of migration and architectural change, most Information Security groups haven’t had the time or resources to ensure that proper monitoring is taking place in these new realms.
Let’s face it… It’s a pretty rough day when you experience a breach or network outage in your own network, but it becomes far more complicated when it occurs in your partner’s network. In reality, the headlines read largely the same.
Additionally, just as compliance oversight and governance won’t go away with the introduction of cloud services, neither will the requirements for monitoring, reporting, and coordinated incident response with resolution. In addition, our research shows that firewall configuration complexity is leaving companies exposed. The technology to keep your networks safe exists, but it’s nearly impossible to manage properly. This is where PacketSled comes in. We build feature-rich security platforms that easily enable the aggregation of packet-level network analysis from multiple IRES sensors deployable around the globe.
Specifically, PacketSled sensors can live at multiple points throughout your core network, but also live within your cloud environments. To ease management, we provide a centralized user interface that works for your team, wherever they are in the world. With an increasing number of technology partnerships and APIs being developed by PacketSled staff, we also play well with others.
We understand that innovation is happening, and at a rapid pace. With the ease of deploying PacketSled sensors, you can roll out new network coverage in a defined, lockstep approach to make sure you don’t miss an attack on your new infrastructure or initiative. Best of all, you can launch new sensors when you need the coverage, not months or years beforehand.
With our service, you always have the most recent detections, protocol analysis, and sensor technology, located in a Data Centre that will adhere to your governance and regulatory compliances. We perform all of the research and development; you reap all of the benefits.
Wherever your business is today and wherever it is headed tomorrow, let us reduce your worries about moving into the cloud. With the PacketSled platform, we’re here to help.
-Patrick Kelley, Sr. Security Researcher
“Applying advanced analytics to threat hunting and evolving an analyst’s tool into an analyst’s tool that also has very strong monitoring, detection, case management and alerting functions.” The article comes after technology editor Peter Stephenson conducted a second review of the product. In the review, he quickly arrives at yet another one of PacketSled’s key tenets:
“We never have seen that level of support response in any of the products we have reviewed and it provides a real benefit both to new users and experienced users with a difficult problem.”
PacketSled is excited to announce a new partnership with Secrutiny. This partnership allows Secrutiny to resell PacketSled’s cloud-based network security tool, expanding PacketSled’s market internationally.
“We’re absolutely thrilled to be able to help bring PacketSled’s unique detection, forensics and incident response capabilities to our customers in the UK,” said Founder of Secrutiny, Simon Crumplin. “In today’s threat landscape, attackers are continuously evolving their strategy, which is why we believe that PacketSled’s combination of real-time visibility with full fidelity network history will provide a massive leap forward in information security.”
Secrutiny offers a quick, cost-effective Security Posture Audit to help organizations reveal whether cyber adversaries are present and active in their network. The company selects only the best technologies and methodology to offer next generation cyber strategy.
As a seasoned incident response practitioner, I am always looking for better ways to manage serious security breaches. Over the last decade, the cyber-security community has refined many strategies and best-practices to help organizations identify, investigate, contain, and remediate advanced threat attacks. This has been enormously helpful.
I have also found it useful to look beyond our own realm in cyber-space and observe how other industries manage large security incidents. A few years ago, I spent some time researching and interviewing public safety, fire, and military professionals. My goal was to determine if there are patterns of behavior in their response tactics that might apply to our IR space.
It did not take long to realize that the foundation of most public safety incident handling practices is to “Establish and secure a perimeter.” This may seem obvious to you, but it is important to realize the safety of human lives is often at stake if this is not done right. When you think about it, almost all public safety, search-and-rescue, and military operations begin with this strategy.
The most obvious example is the fighting of a wildfire. A large percentage of the effort is spent on surrounding the fire and creating a “Dozer line” free of debris to starve the fire. Granted, the firefighters are usually at the mercy of temperature, wind, and humidity. Regardless of the weather, the containment strategy is to surround the fire and work inward to contain it.
You see the same behavior when law enforcement agencies are faced with an act of terrorism. From the Boston Marathon attack to the bombing of the Brussels airport, the response was identical. Establish and secure a perimeter and work inward to determine the scope of the incident and look for suspects.
Sometimes this is really difficult. Consider the disappearance of Malaysia Air Flight MH370 on March 8, 2014. Lacking any reliable telemetry to determine where to search for the aircraft, a primary search area (perimeter) of 23,000 square miles was established. Folks, that is a big perimeter. Regardless, the same rule applied: establish a perimeter and search inward.
I immediately realized the value of this strategy in cyber-attack incident response investigations. In a cyber-attack response, the “perimeter” is almost always network boundaries. Why? If the source of the attack is not an insider, and the attacker(s) do not have physical access to your computing resources, the source of their attack will be an external network. This dynamic is obvious and compelling.
This makes it easy for incident responders to determine where to ‘establish’ a perimeter. It will always be where any external network has a route to your internal network. The first place to look is where your Internet points-of-presence (POP) are located.
Once you know the “scope” of your perimeter, you have to make some quick decisions on whether or not you “secure” it.
In the case of PCI, HIPAA, or other regulated data loss, you really have no choice but to secure the perimeter by shutting down the network segment. In other cases you need to make a hard decision. Do you lock out the intruders by securing the perimeter, or do you monitor it to learn more about the attacker TTPs?
If you secure the perimeter, you tip off the attackers that you know of their presence, and you lose the ability to collect additional, often critical, evidence. If you monitor the perimeter, you run the risk of watching your precious data head to the Far East.
Here at PacketSled, we are all believers in the “Establish/Secure the perimeter and work inward” strategy when dealing with advanced threat actors. In fact, many of our customers rely on PacketSled network sensors to monitor their network perimeters during high-profile incidents.
Deploying a PacketSled sensor to establish a perimeter is painless. We have an IR deployment package that can have you up and running in minutes. Provide a SPAN/TAP feed to our sensor(s) and you have perimeter network visibility when you need it most.
Let us show you the value of PacketSled network visibility tools. To arrange a product demonstration or talk IR strategies give us a call.
PacketSled will be at BlackHat 2016 in the Innovation City, booth IC29. Stop by for a demo of IRES, the Incident Response Expert System. Or Schedule a Meeting to take a deeper dive.
© 2017 PacketSled, Inc.