Palo Alto Networks 2015 Predictions: Mobility

As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.) 

Looking to the year ahead, I believe mobile security will continue to be a growing area of concern for enterprises as users become increasingly reliant upon their mobile devices in their business and private lives.

1. Death of Proprietary Containers On Mobile Devices

We all know why the proprietary containers exist. Companies want to stay in control of their data. But have you met any happy users of these solutions? There’s a major problem if the user adoption is not a positive experience, and that’s just what you get when proprietary containers split users’ mobile devices into a business half and a personal half. What’s the solution? We’re seeing far more elegant approaches coming from the operating system vendors, introduced with iOS, continued with Samsung Knox and coming soon on Android L. The market’s going to call a winner, and I’m going to bet that in 2015, we’ll see proprietary containers disappear.

2. Mobile Malware Will be a Slow Burn

You’ve heard other people say it before, “This is the year of mobile malware.” The numbers would seem to indicate those people are correct – right now our researchers are finding new mobile malware every 20 minutes.

But I believe there may never be mobile malware at the same infection rate as some of the Windows viruses of the past. That’s because that play is dead. Blowing up millions of computers is pure 1999. Today, malware on the PC is highly targeted, and mobile malware is going to be the same way. There aren’t going to be massive outbreaks of mobile malware, because it’s easy to find the sample if everyone, including the malware researchers, has a copy of it.

Mobile malware is always going to be lower in numbers, and 2015 is no different. But finding it is very difficult if you don’t have the capabilities to prevent or detect it, especially with all of the BYOD devices running on networks. And furthermore, when you do find it, it packs a much stronger punch. There are far more resources (including networking, company data, and recording capabilities) to make the malware more potent than what you see on PCs.

3. Less is More with EMM 

Wait a minute, isn’t more is more? Not with EMM, because the more you apply, the less your users will like it.  Unfortunately, that’s the challenge with thinking inside the box. If your only option for stopping threats is removing the application that can access the threat, then you’re left with removing functionality as the only way to solve security issues.

But in 2015, I think that the smart customer is going to be thinking of more than EMM. In fact, they are going to skip a beat in the evolutionary chain. When faced with emerging security threats, the normal response is to rack and stack new security solutions on top of existing infrastructure. This is also known as the “Value Meal” approach to security: buy more and get more, even though in the end it’s still junk food.

That’s why the next step in EMM is not more EMM.  It’s also not going to be EMM plugged into other security solutions. The smart play is to evaluate all security needs and see what could be done when looking at everything as a whole system. That includes protecting mobile devices from threats, protecting your networks from bad devices, and most importantly, making sure your data is safe.

 

Mobility is among many focus topics at Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.

[Palo Alto Networks Blog]

Cloud Security By The Numbers


As IT executives and business leaders finally get their arms around analyses of the business opportunities versus the security risks of cloud adoption, the industry is increasingly quantifying the friction between the two. We’ve put together some numbers to show perception over some of the hot-button issues, as well as current progress toward smoothing the way for secure cloud transformations.

Quantifying the perceptions around cloud security practices.

Security Still Trumps All Other Concerns

According to a recent InformationWeek Reports survey, security and data resiliency issues make up four of the top 10 concerns held by IT over cloud adoption. And sitting atop that list is the concern of security defects in the cloud technology itself.

Source: InformationWeek

 
Cloud Breach Odds

IT pros seem to be split nearly right down the middle as to whether using cloud services increases the risk of a data breach. Approximately 51% say sending data to the cloud increases or significantly increases that risk.

Source: Netskope

 
Confident With Cloud Security

Meanwhile, even more line-of-business leaders are confident in the security of the cloud. In fact, more than a third even believe it actually improves security, according to a survey of nearly 600 Harvard Business Review readers.

Source: Verizon

 
Raising The Stakes On Breach Risk

However, the use of the cloud does raise the stakes for breach impact. According to a recent Ponemon Institute report, the use of SaaS increases the financial impact of a breach by a factor of 1.5 times a normal breach of data from on-premises infrastructure.

Source: Netskope

 
Cloud Encryption Lags

The added impact of potential risk from a cloud breach is further exacerbated by lackluster cloud encryption practices. The percentage of organizations that use encryption to secure sensitive data in the cloud hovers at only about 1/3 worldwide.

Source: SafeNet

 
Cloud Fogs Up Policy Visibility

And the truth is that most security organizations still struggle to extend corporate data governance policies to the public cloud, and they have a hard time maintaining visibility into security policy across a hybrid cloud infrastructure.

Source: Algosec

 
Cloud Enforcement Gap

That’s probably why they can’t seem to enforce cloud policies very well. According to a report by Skyhigh Networks, there’s a perception gap in how well companies are blocking unauthorized use and uploading to cloud apps compared to their intended policy enforcement actions.

Source: Skyhigh Networks

 
How Big Of A Shadow IT Problem Do You Really Have?

A survey conducted by the Cloud Security Alliance on behalf of Netskope also found that IT departments may be underestimating the number of cloud apps used across the business. More than half of these departments believe the business is running 10 or fewer cloud service apps. Meanwhile, compared to data from Skyhigh Networks, the average number is closer to 800.

Source: Cloud Security Alliance

 
Security Team MIA In Cloud Buys

Many of the struggles IT faces in the cloud can be summed up here, according to a Ponemon Institute study: Just 9% of IT security organizations are always involved in decisions regarding cloud procurement. Worse, 47% are rarely or never involved.

Source: SafeNet

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

[Dark Reading]

9 Core Capabilities That Define An ICS Security Platform

Securing industrial control system (ICS) networks is crucial in this age of advanced persistent threats. Stuxnet changed the game for ICS a few years ago, and in 2014 it changed again with the Havex RAT variant, which used techniques way more innovative than any threat we had yet seen targeting this industry.

With these threats in mind, Mario Chiock, a leading cybersecurity and disruptive technology executive adviser, and I got to thinking about what core capabilities really need to go into an ICS security platform. Naturally, that discussion led to the development of a full list of recommendations, which we’re pleased to share with you in a new paper.

Click here to access your copy of “Defining the 21st Century Cybersecurity Protection Platform for ICS.”

For more

[Palo Alto Networks Blog]

A Look at the Fourth Annual IT Audit Benchmarking Study

This week, Protiviti and ISACA issued results of the fourth annual IT Audit Benchmarking Study. The organizations surveyed 1,330 IT audit leaders across the globe, including chief audit executives, IT audit vice presidents and directors, who answered questions in five categories:

  • Today’s Top Technology Challenges
  • IT Audit in Relation to the Internal Audit Department
  • Assessing IT Risks
  • Audit Plan
  • Skills and Capabilities

The survey found that, although organizations have made strides in establishing best practices for the IT audit function, many are struggling to keep pace with global IT risks amid rapidly changing technology environments.

“Concerns over cybersecurity, industry disruptors and regulatory compliance have moved many organizations, and audit committees in particular, to become more engaged in the IT audit function,” said David Brand, a Protiviti managing director and the firm’s global IT audit leader. “We see some positive trends in our results, notably in the number of designated IT audit directors and their regular attendance at audit committee meetings. However, we also see significant gaps to be addressed, including the frequency with which IT audit risk assessments are conducted.”

Top Technology Challenges
The survey also revealed the top 10 technology challenges that respondents say their organizations face today:

  1. IT security and privacy/cybersecurity
  2. Resource/staffing/skills challenges
  3. Emerging technology and infrastructure changes: transformation, innovation, disruption
  4. Regulatory compliance
  5. Budgets and controlling costs
  6. IT governance and risk management
  7. Big data and analytics
  8. Vendor, third-party and outsourcing risks
  9. Cloud computing/virtualization
  10. Bridging IT and the business

Establishing Organizationwide Support for IT Audit
The IT Audit Benchmarking Study found that more than half of the largest public companies surveyed have a designated IT audit director or equivalent position within their organizations, and 48 percent reported that these individuals regularly attend audit committee meetings – a number that has doubled over the past three years. Additionally, respondents indicated that their audit committees have increased their involvement in the IT risk assessment process, with 20 percent reporting significant involvement as compared to 14 percent in 2013.

The increased resources and attention to IT audit are a positive sign that companies of all sizes around the world are recognizing the significant benefits of this critical function.

Small Gains in IT Audit Risk Assessments
The ISACA/Protiviti survey also reveals a modest uptick in the number of organizations that update their IT audit risk assessment on a continual basis. However, this number still remains low—around 15 percent—for even the largest companies.

Additional Highlights
Other research findings of note include:

  • Globally, respondents cited COBIT as the most accepted industry framework on which the IT audit risk assessment is based, followed by COSO, ISO and SOGP. In practice, organizations may utilize a combination of these frameworks to complete their risk assessments.
  • Across every region and size of respondent organization, lack of resources ranks as the top reason why companies are using outside resources to augment their IT audit skills – and in fact, the percentages are very consistent. These findings are also in line with the top technology challenges outlined above.

I encourage you to view the full results at www.isaca.org/2014ITauditstudy.

Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President

[ISACA]

Palo Alto Networks 2015 Predictions: Threat Prevention

As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.) 

I know this is a cliché statement, but this year has flown by at the speed of light. I love looking to the future and I can’t wait to see how next year will shape up. Looking back on a few key trends in threat prevention for 2014, I can provide some insight into what awaits us in 2015. Here are three trends that stuck out as important indicators of what’s to come in the next year.

1. Attackers will use more legitimate and convoluted means to launch widespread attacks.

You’ve likely seen the word “malvertising” tossed around. This attack method has been around for a few years, and Yahoo! and AOL were both targets in September and October of this year, earning attackers thousands of dollars per day.

But the use of malvertising as an attack method is a shift from the kind of dark-corner trickery seen in spear phishing and packet sniffing to a technique that leverages a legitimate business process to do all the hard work normally involved in delivering malware. The process gives the attacker access to potentially millions of users with minimal effort. All the attacker has to do is design the malvertisement code.

We’ll be seeing a lot more of these types of malware delivery methods. Not just malvertising campaigns, but also the use of bona fide business procedures to deliver malware and amplify results. Widely-used business channels with little to no security are tempting targets for attackers; they provide a constant stream of unsuspecting targets and feature lots of moving parts that make it impossible to track down the attackers. It will require careful coordination to make these channels more secure.

2. Application security is getting better all the time. However, we will continue to see a steady stream of zero-days, mostly related to legacy code.

Secure coding practices have become a part of the software developer’s everyday life. In the past few years, we’ve seen more application security and development teams turn to static and dynamic analysis to catch code and business logic vulnerabilities and fix them before the application is released or updates are pushed.

Customers are starting to build time-to-fix clauses with monetary penalties into their contracts with vendors. If anything is clear in the B2B universe, it’s that vulnerabilities affect application integrity, which affects customer trust, which affects revenue. It’s easier and much cheaper to fix vulnerabilities during the early development cycle than once an application has reached production or even QA.

However, this also means that legacy code is much more expensive to fix, even if a vulnerability has not yet been exploited in the wild. Along with the fact that black hat hackers are continuing to get more creative, this is the reason why the number of CVEs in 2015 will remain at least equal to if not greater than the number reported in 2014.

*CVE information for years 2010 through 2013 taken from Secunia <http://secunia.com/vulnerability-review/vulnerability_update_all.html>

*CVE information for 2014 taken from <https://cve.mitre.org/>

3. IPS functionality and firewall functionality will meld more than it already has.

As the enterprise market sees the benefits of a true platform-based approach to security, I suspect we’ll see more vendors phasing out stand-alone and UTM security solutions. What better way to truly bolster the way IPS handles security than by including other defensive techniques like decryption, decompression, application-ID, user-ID, data-loss prevention, and sandboxing?

The market’s move from traditional IPS to Next-Generation IPS to NGFW + NGIPS has already started, but there’s more innovating to be done to supply security that keeps up with what the bad guys are doing. There’ll be more appeal than ever for a single, integrated platform that “does it all,” doesn’t require users to take a performance hit, and can be used anywhere from data centers to the cloud.

So, who else is excited for 2015?

Threat prevention is among many focus topics at Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.

[Palo Alto Networks Blog]
