Palo Alto Networks was again named to Deloitte’s Technology Fast 500™, a ranking of the 500 fastest-growing technology, media communications, life sciences and clean technology companies in North America. We’re proud to be one of a few enterprise security companies to make the Top 50 rank, which we attribute to rapid adoption this past year of our Enterprise Security Platform. (See the full 2014 Deloitte Technology Fast 500 list here.)
By focusing on prevention of both known and unknown threats, versus detection and remediation, we can offer network security, cloud-based threat intelligence and Advanced Endpoint Protection in one integrated, automated platform. See how our platform protects every corner of your organization, from your mobile workers to the core of your virtualized data center here.
Cloud computing offers both unique advantages and challenges to government users. The advantages are well-advertised: Greater efficiency, economy and flexibility that can help agencies meet rapidly changing computing needs quickly and cheaply while being environmentally friendly.
Among the challenges, security is the most commonly cited concern in moving mission-critical services or sensitive information to the cloud.
To address this, a recently released roadmap from the National Institute of Standards and Technology recommends a plan to ensure cloud offerings meet government security needs while being flexible enough to adapt to the policies and requirements of multiple tenants, including foreign governments. The plan involves periodic assessments of security controls and development of international profiles and standards.
The recommendations are brief and make up a small part of the 140-page document released by NIST in October, but they are categorized as “high priority.”
Security is the first of three high-priority requirements addressed in volume one. Interoperability and portability – the ability of data to be moved from one cloud facility to another – are the others.
The government already has established the Federal Risk and Authorization Management Program (FedRAMP), which became operational in 2012 to ensure that cloud service providers meet a baseline set of federal security requirements, easing the task of certifying and authorizing the systems for government operations. But the NIST roadmap addresses security requirements that extend beyond federal users.
Security in the cloud is complicated by a number of factors. First, it upsets the traditional IT security model that relies on logical and physical system boundaries. “The inherent characteristics of cloud computing make these boundaries more complex and render traditional security mechanisms less effective,” the roadmap says.
Second, a cloud system has to meet not only U.S. government security needs, but also those of other customers sharing the environment, and so security policy must be de-coupled from U.S. government-specific policies. “Mechanisms must be developed to allow differing policies to co-exist and be implemented with a high degree of confidence, irrespective of geographical location and sovereignty.”
Moreover, a comprehensive set of security requirements has not yet been fully established, the roadmap says. “Security controls need to be reexamined in the context of cloud architecture, scale, reliance on networking, outsourcing and shared resources,” the authors write. “For example, multi-tenancy is an inherent cloud characteristic that intuitively raises concern that one consumer may impact the operations or access data of other tenants running on the same cloud.”
NIST says recommended priority action plans for cloud security are:
Continue to identify cloud consumer priority security requirements, on at least a quarterly basis.
Periodically identify and assess the extent to which risk can be mitigated through existing and emerging security controls and guidance. Identify gaps and modify existing controls and monitoring capabilities.
Develop neutral cloud security profiles, technical security attributes and test criteria.
Define an international standards-based conformity assessment system approach.
Earlier this week more than 100 participants gathered at the Copenhagen Marriott in Denmark for an emergency meeting on Cyber Crime, coordinated through AmCham Denmark in cooperation with the Overseas Security Advisory Council and partners Deloitte, Palo Alto Networks and Symantec.
We’re pleased to have been part of this important event, titled “Align Business and Security Now” and focused on how to move discussions of security beyond the IT department and into the board room. Along with presentations from the Danish Center for Cyber Security, the U.S. Federal Bureau of Investigation, Deloitte and Symantec, our own Stijn Rommens, systems engineering manager for Northern Europe, discussed why aligning all processes, technology and people — not just perimeter protection — is crucial to an effective security posture.
From left to right: Lars Bennetzen (moderator), Stijn Rommens (Palo Alto Networks), Janus Friis Bindslev (Deloitte), James Hanlon (Symantec), Sigurd Hellums (Palo Alto Networks) and Morten Efferbach (Symantec).
Click here to see more details and a full photo gallery from the event.
We’re pleased to announce that the PA-7050 Series was named a winner in the Enterprise Firewall category of the Information Security™ magazine and SearchSecurity.com™ 2014 Readers’ Choice Awards, presented by the editors of the two publications.
As noted in Information Security magazine and on SearchSecurity.com, “The Palo Alto Networks PA-7050 received top scores from Readers’ Choice voters for its ability to identify users via directory integration and for the company’s service and support. The firewall’s ability to block intrusions, attacks and unauthorized network traffic; its logging, monitoring and reporting capabilities – and the overall return on investment – impressed Information Security readers.” Read more on why the PA-7050 was a 2014 Readers’ Choice Award recipient.
The 2014 Readers’ Choice Award winners were selected based on an extensive, in-depth survey of Information Security magazine and SearchSecurity.com readers that included over 1,700 information security executives and managers, who were asked to assess and rate products deployed within their organizations from a listing of more than 400 products spanning 22 product categories.
Palo Alto Networks recently announced availability of PAN-OS 6.1, the newest version of our operating system. As with all our operating system releases, there is an amazing list of new features to help our customers better secure their networks, respond more quickly to incidents and reduce operational overhead. Given my focus on cybersecurity for Industrial Control Systems, the one feature I am particularly excited about is the capability of the WildFire appliance, the WF-500, to generate threat prevention signatures on premises.
WildFire is of course a service available in our security platform that isolates suspicious payloads (e.g. executables, MS-Office documents) at the network, detonates them in our Threat Intelligence Cloud, then sends a report back to the user about the nature of a payload. Not only that, if the payload is malicious, the cloud sends threat prevention signatures (anti-virus, malicious URL, malicious DNS) back to the firewall, essentially converting the unknown threat into a known, stoppable threat.
Many of the critical infrastructure and manufacturing asset owners I work with have told me they like the idea of WildFire and the threat intelligence cloud, but face constraints in sending files out to the public cloud. Many have general privacy concerns, some have regulatory constraints, and on occasion, they cite the unavailability of an internet connection (airgap).
We are excited to announce with the release of PAN-OS 6.1 that we can now address these concerns via the WF-500’s ability to generate on-premise malware signatures in as little as 5 minutes. This update will come in very handy in securing several perimeters and even internal zone traffic within the automation environment – assuming you have proper segmentation! – and here’s how:
Corporate-to-SCADA perimeter: Some of the traffic which you may be allowing on a limited basis from the Enterprise IT side may be file-bearing. Use the WF-500 to inspect this for malicious content.
Vendor/Partner-to-SCADA: Just because you are using a secure VPN to let your partner or vendor into your SCADA system doesn’t mean the content is secure. Implement a zero-trust model and inspect all traffic.
Operator/Engineering to Server: Files may be introduced by removable media at HMIs and Engineering workstations or via mobile laptops connected in the LAN. Use WF-500 to detect and block zero days that originate from within.
Inter-plant traffic: Yes, other plants are behind the IT-OT firewall and considered trusted, but again, don’t assume anything and be vigilant of malware that may come from other sites within the organization.
Remember: one WF-500 supports multiple next-generation firewalls, essentially transforming each firewall into a sensor for detecting unknown threats in hundreds of file-bearing applications across standard and non-standard ports, with the ability to automatically prevent them as well. This is a fundamental difference from other detection-only, point solutions which require one or more application-specific sandboxing appliances at each point of inspection in the network, resulting in partial, open-loop security at high costs to you.
WildFire is of course one element of our entire solution. For more details on our complete security platform which spans network security (Next-Generation Firewall), endpoint (Traps Advanced Endpoint Protection) and the cloud (Threat Intelligence Cloud), please feel free to read our brief whitepaper on protecting critical infrastructure.