Cybersecurity: No Cease Fire, Who Will Win? – Insights from North America ISRM 2014

In the cybersecurity industry, you will never feel bored, thanks to the enormous volume of buzzwords and headlines—the good, the bad and the ugly. High-profile data breaches have been exposed to the public one after another. Nations have escalated cybersecurity to their highest priority. New regulations and standards have been developed to keep pace with the trend.

ISACA’s 2014 North America Information Security and Risk Management (ISRM) conference, which will be transformed into CSX 2015 next year, provided a great platform for cybersecurity professionals to share and learn in this broad context. I appreciated the opportunity to attend the conference, and it was my particular privilege to interview several conference speakers.
Here are some thoughts as I look back at ISRM 2014.

The fear of cybersecurity
It was not a surprise to me that quite a few speakers started their presentations by illustrating the current threat landscape. Enough evidence justified why everyone should consider cybersecurity a serious concern.

During his “2014 Top Security & Privacy Bloopers” presentation, Todd Fitzgerald skillfully summarized and analyzed data breaches from Target to the Sochi Olympics and from eBay to JP Morgan. The number of companies that the US Federal Bureau of Investigation (FBI) notified of breaches in 2013 was alarming and reminded us that there is no place to hide in cyberspace. Regardless of the industry, size and type of your organization, cyberattacks can apparently happen at any time. Further complexity arises when your organization is leveraging new technology forces such as cloud, software-defined networking (SDN), big data or the Internet of Things (IoT). Another critical aspect, proposed by Tim Mather, is awareness of application programming interfaces (APIs), which will most likely be the next hacker target.

Joseph Ingemi’s presentation offered a new angle: considering cybersecurity from geographic and political perspectives. Although Ingemi took his stance mainly from Western countries’ points of view, he proposed a valuable approach to evaluating the intentions and similarities of cyberattackers. I was also impressed by his deep analysis of the correlation between cybersecurity and recent economic and political events and efforts such as the Trans-Pacific Partnership (TPP) and the Group of Twenty (G20).

We must accept that, at some level, a cyberattack is unavoidable. We are at war, said Curtis K. S. Levinson; cybercriminals are targeting financial gain, while cyberterrorists aim to generate fear. The big question is: there is no cease fire in cyberspace, so who will win the battle? I think the following three themes discussed throughout the conference can help us fight against the adversaries.

New developments in regulations and standards
Based on recent developments, privacy has become the highest priority for nations across the world. According to Fitzgerald, the EU Parliament approved the amended EU Data Protection Legislative Framework Proposal (the “Draft Regulation”), which was intended to replace Directive 95/46/EC. The right to erase data, increased penalties, DPA approval of transfers to non-EU countries and data portability were the four major areas the EU wants to improve. Canada’s Anti-Spam Legislation (CASL) became effective on 1 July 2014; Deloitte called CASL one of the toughest laws of its kind in the world. Australia’s privacy amendment, with 13 privacy principles, came into force. South Korea amended its Personal Information Protection Act. Brazil, Mexico and South Africa had also initiated privacy and security regulation efforts.

In terms of standards and best practices, ISO/IEC 27001:2013 and PCI DSS 3.0 became effective in January 2014. The new ISO standard focuses more on leadership and places greater emphasis on setting objectives, monitoring, performance and metrics. ISACA and the National Institute of Standards and Technology (NIST) each initiated a cybersecurity program. NIST released a cybersecurity framework in February 2014 based on Executive Order 13636. ISACA launched the Cybersecurity Nexus (CSX), which offers thought leadership, certification, training and networking for all levels of the cybersecurity profession, explained ISACA International President Robert E. Stroud, CGEIT, CRISC.

Practical security strategies
During his “Cybersecurity: Engaging with the Board” presentation, Adel Melek illustrated an actionable approach to transform an organization’s cyberdefense to be more secure, vigilant and resilient. The 10 key considerations for board and senior management proposed by Melek, especially the 10 questions the board should ask to evaluate the overall security maturity level, were truly insightful.

One interesting topic around privacy is how to balance employees’ privacy against the organization’s security protection. The debate becomes even harder when the organization is an international company with employees throughout the world, each region holding its own definition of privacy. According to presenter David Melnick, cyberthreats and liability drive investment in employee control. Despite increasing risks and strong policies, organizations fail to regulate employees’ personal web use. At the same time, regulatory trends are increasing employee privacy rights. Melnick proposed separating personal web use from professional web use, strengthening security and reducing risk while preserving employee privacy.

Dr. Lance Hayden demonstrated how the Goal, Question, Metric (GQM) framework, which I think is one of the most practical approaches so far, works well for strategic metrics.

Educated and experienced security professionals
According to Cisco, there is still a significant need for skilled professionals who can protect and defend enterprises worldwide. Obviously, experienced security professionals are key to success in the fight against cyberadversaries. The panel from the Cybersecurity Credentials Collaborative (C3), including CompTIA, GIAC, ISACA, (ISC)² and ISSA, discussed what organizations need from cybersecurity professionals and how to develop candidates to fulfill these roles effectively.

Also, Robin “Montana” Williams introduced the US National Initiative for Cybersecurity Education (NICE), which aims to raise national cybersecurity awareness, broaden the pool of cyberworkers through strong education programs and build a globally competitive cybersecurity workforce.

We are in the era of cybersecurity, and security is everyone’s responsibility. The only way to win the battle is to inspire the whole of society to work together and get things done effectively.

Alan Tang, CISA, CGEIT, CBCI, CIPP/IT, CISSP, ISO20K, ISO27K, PCIDSS, PMP, TOGAF
Director of Research – Security & Risk
Info-Tech Research Group

[ISACA]

(ISC)² 2015 Cybersecurity Predictions: Security Moves into the C-Suite

The recent attack on Sony Pictures illustrates just how impactful a breach can be, and it will not be the last of its kind. While few concrete root causes of the Sony attack are known, we can infer from the extent of the breach that practices and controls surrounding information access, desktop security, and network intrusion monitoring and prevention will be in the crosshairs.

While defense and banking have held a ‘do or die’ approach to security for decades, many other organizations have passively entered an era where the means to destroy billions in shareholder value sits on central servers, immediately accessible to multiple staff with email and Internet access. This productive combination requires more rigorous thinking to protect than ever before. In 2015, we hope to see a renewed focus on risk-centric data valuation, and the corresponding projects to improve controls in response. Numerous conversations will be held in which executives look for the most effective tools to buy, and many security experts will be called on to elevate security architecture, risk management, and technical controls.

2015 will be the year when the Russell 3000 stop privately rationalizing that they are ‘not a security company’. Instead, they will embrace the reality that they cannot live without the Internet, and therefore must implement the controls to thrive within it.

-Noah Gray, CSSLP, Senior Manager of Enterprise Architecture, (ISC)²

[(ISC)² Blog]

Palo Alto Networks 2015 Predictions: Endpoint Security

As 2014 comes to a close, our subject matter experts check in on what they see as the major topics and trends for the new year.

1. Customers will stop paying for failed technologies

It has become abundantly clear that traditional approaches to endpoint security are no longer effective. In this era of advanced threats, the endpoint is the critical line of defense that has not been adequately protected. Signature-based anti-malware, behavior detection, or even whitelisting are not sufficient to protect against the most advanced malware and exploits.

Security professionals have taken note and have started to seek new endpoint protection technologies. The failure of traditional anti-malware also leaves security professionals wondering if they should continue to pay for expensive endpoint security suites that are no longer effective. According to Forrester’s Chris Sherman, “[security professionals] are now more than ever looking to augment or replace their failing antimalware tools with more effective solutions.” In a recent report, he also mentions that a “firm recently told Forrester that it’s looking to replace its third-party anti-malware tools with native OS-supplied anti-malware.”

I can tell you both from my own recent experience as a CISO and from speaking with customers that this is a very real trend. Evidence has already shown that customers’ willingness to pay for these failing technologies has eroded. According to Gartner, license revenue per seat was seen to be declining at the end of 2012.

We recently surveyed our customers and received 555 responses to this question: “Would you consider switching to ‘free’ enterprise Antivirus in order to fund more advanced endpoint protection for your company?” Forty-four percent responded either “Absolutely,” “Likely,” or “Already in progress.” What does this mean? It means that in 2015 we will see many organizations opt for free anti-malware products like Microsoft’s System Center Endpoint Protection (SCEP), which some customers will find they already own due to enterprise license bundling.

The significance of that 44 percent should not be understated. Many organizations are on a three-year renewal cycle for anti-malware. So does that mean vendors of traditional endpoint anti-malware products should expect to lose approximately 14.67 percent of their renewals each year for the next three years? This depends on whether customers will be able to translate intentions into action by finding appropriate replacements for failing endpoint products. Time will tell, but this will be a trend to watch in 2015.

2. Increased focus on the endpoint

In light of the many security breaches in the news these days, security professionals are re-examining strategies around advanced threats. In particular, two things have become clear: 1) strategies focused on network-based detection and response will continue to fail, and 2) advanced threat prevention is required on the endpoint.

Detection and response are necessary components of any security strategy but should not become its primary objectives. Their focus is on finding breaches as quickly as possible and mitigating the damage. In practice, companies have detected breaches months or years after they first occurred, leaving them to deal with a massive and prolonged data breach that becomes a public nightmare for customers, executives, and investors. No software product can remediate that damage.

Network-based controls, especially those that focus on prevention of advanced threats, are necessary but not sufficient. The last line of defense remains the endpoint itself, and it is clear that network controls alone cannot block the most advanced threats. Furthermore, many organizations are faced with increasingly vulnerable endpoints because they still run Windows XP, which is no longer supported with security patches. The same will soon be true of Windows Server 2003. Now that many organizations have already adopted advanced threat prevention on the network, the endpoint will come into focus in 2015.

3. Consolidation of dynamic threat analysis onto Next-Generation Firewalls will make room in the security budget for Advanced Endpoint Protection

Many customers that I speak with are keen to reduce the number of disparate security vendors that comprise their security architecture. Organizations began by eliminating separate IPS and URL filtering devices in favor of a Next-Generation Firewall. Then the need for network-based dynamic analysis of files arose in order to detect advanced threats, and many customers added yet another set of devices to the network.

Innovation has once again brought about a new opportunity for consolidation. Cloud-based dynamic analysis on a Next-Generation Firewall not only reduces cost and administrative overhead, but also maximizes the ability to prevent, rather than merely detect, advanced threats. The next step is to integrate this with advanced protection on the endpoint via shared threat intelligence; the result is a platform that is far stronger than the sum of its parts. In 2015, I expect to see more customers eliminating point solutions for dynamic analysis that do on-device sandboxing in favor of integrated security platforms that leverage dynamic analysis in the cloud, enabling shared threat intelligence.

Endpoint security is among many industry-specific topics planned for Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.

[Palo Alto Networks Blog]


How Malware Trends Affect Key Industries, From Healthcare to High Tech

Today we released our first Threat Landscape Review, which takes a high-level view of how malware is delivered to networks across major industries around the world. The data used for this report was derived from Palo Alto Networks WildFire™, which automatically identifies malware threats across a wide array of applications by executing samples in a virtual environment and observing their behavior. This data was collected from live systems in networks belonging to 2,363 different companies operating in 82 different countries.

While there are currently over 4,000 organizations using WildFire to defend their networks, the data for this report was specifically collected from organizations in 10 key verticals:

  • Critical Infrastructure
  • Finance
  • Government
  • Healthcare
  • High Tech
  • Higher Education
  • Hospitality
  • Manufacturing
  • Professional Services
  • Retail and Wholesale

The following are key findings from this report:

  • Globally, our platform detected malware delivered in over 50 distinct applications. 87% of this malware was delivered over SMTP, 11.8% through Web-Browsing (HTTP) and 1.2% in the remaining applications.
  • While all verticals saw SMTP and HTTP as the primary channels for malware delivery, they varied greatly in the percentage for each. Retail and Wholesale organizations received almost 28% of malware over the web channel while Hospitality organizations received less than 2% through the same channel.
  • Over 90% of unique malware samples were delivered in just one or two sessions, while a much smaller proportion was delivered in over 10,000 attacks.
  • While the US is still the leading callback location across all verticals, analysis revealed a variance in callback prevalence by country based on each vertical.
  • One malware family, known as Kuluoz or Asprox, was responsible for approximately 80% of all attack sessions recorded in the month of October. This malware rapidly e-mails copies of itself to users all around the world and then attempts to download additional malware; it impacted 1,933 different organizations.


[Palo Alto Networks Blog]
