As one might expect, shielding is a good metaphor for much of what we do in cyber security. Any time one device serves as a protective barrier for some other valued asset, then we can say that shielding is being done. It’s fun to imagine that if Bill Cheswick, Marcus Ranum, Nir Zuk, and other pioneers had been more avid readers of Roman history, then perhaps Palo Alto Networks would be marketing next-generation shields today.
So, when my longtime friend Jim Carrigan (formerly with Verizon and also AT&T) called to tell me that he’d recently joined a New Zealand outfit that specialized in application shields, I was interested to hear more. A Zoom session was set-up and I soon found myself chatting with Andy Prow, co-founder and CEO of RedShield. The approach certainly appeared both interesting and sound, so let me try to summarize what I learned.
“Our goal has been to help enterprise customers shield their web application and API vulnerabilities without having to go in and make changes to the code,” explained Prow. “This requires that we integrate security protections that stop exploits from hackers without impeding normal transactions from authorized customers. This is done through a full suite of protective controls and actions.”
The RedShield solution combines several related strategies to achieve strong application security. First, customers are guided through a process to fix as many known issues as possible by removing application vulnerabilities from their list. “Our goal is to correct application behavior, but this works best if we help first remove the hundreds of known vulnerabilities from an organizations official Risk Register,” Prow explained.
The second step involves integration of shields, which are implemented as software objects, inserted in front of an application. When asked whether this was essentially a web application firewall (WAF), Prow introduced a clear distinction: “Certainly, we can be used where a managed WAF is required,” he said, “but our process for writing specific customer and off-the-shelf shields is unique.
“Using our fat-proxy architecture, we implement shields in code and that let us target vulnerability remediation with zero false positives, even with complex enterprise apps, third party apps and APIs, and legacy systems. It is this architecture and our shields as code that lets us tackle business logic flaws, authentication issues, and both role-based and data authorization flaws. Our shields also modernize an app's security posture calling third party APIs, such as to check for stolen passwords or use of fraudulent credit cards.”
The third step involves 24/7 management and monitoring of the shielded web application environment. This RedShield service is designed to provide and to support the important threat hunting activity, which is ultimately focused on stopping either human or bot-oriented threats. RedShield enterprise customers are provided visibility into the managed shielding through a custom dashboard.
I asked Carrigan how he intended to address the marketplace as new head of sales for RedShield, and he explained an interesting new offer: “We are willing to include a strong warranty with our solution that provides customers with assurance that this is really going to work,” he explained. “We decided that a warranty would underscore the kind of high assurance that we know that this platform brings.”
From the perspective of our TAG Cyber analysis, RedShield will obviously be considered by buyers in the context of next-generation WAF solutions – and the RedShield team understands this. We suggested during our meeting that RedShield provide as much technical insight into the development of shields as possible so that enterprise teams doing WAF evaluation can best understand the differences introduced by shields.
We liked RedShield’s concept of combining three steps – namely, establishing a cleared base of existing vulnerabilities, instrumenting shields into the application environment, and then introducing a managed service. Enterprise teams who follow this strict process will almost certainly see reduced false positive alarm rates, and will develop a more robust security environment for their web applications and APIs.
The company, which was founded in New Zealand, looks to have an experienced management team, including the addition of Carrigan. They’ve developed an impressive assortment of partners, including Deloitte, and they work seamlessly across multi-cloud infrastructure, including AWS and Google Cloud. So they look well-positioned to expand their market, especially in the United States.
If you run web applications or APIs and would like to reduce your threat surface, then include RedShield in your review process. Ask for an overview of the shielding process as well as a look at the dashboard. If you’re like me, then you’ll find the discussion useful – and perhaps you might decide this solution is for you. As always, please be sure to share with us your own experiences as you learn more about RedShield.
Stay safe and healthy.
Dr. Ed Amoroso is currently Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.
Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-seven years, where he has introduced nearly two thousand graduate students to the topic of information security. He is also affiliated with the Tandon School of Engineering at NYU as a Research Professor, and the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.
Ed holds the BS degree in physics from Dickinson College, the MS/PhD degrees in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School. He holds ten patents in the area of cyber security and media technology and he has served as a Member of the Board of Directors for M&T Bank, as well as on the NSA Advisory Board (NSAAB). Ed’s work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy.
RedShield is a new solution to what is one of cybersecurity’s biggest challenges -
remediating known vulnerabilities at speed and scale.
In their article "The problems with patching", the United Kingdom’s National Cyber Security Centre recognizes that “Patching is often hard to do in practice, it is time-consuming, repetitive and unrewarding, but it is the single most important thing you can do to secure your technology.”
RedShield can virtually patch known vulnerabilities in hours with their library of over 14,000 patches. If vulnerabilities specific to applications are found, they write the code and deploy the patch virtually.As a managed web application security software and service solution, RedShield eliminates all known vulnerabilities, then adds additional protections, and monitors and manages future threats.