Once in a while, you come across a story that grabs your attention and makes you wonder how it would apply to your own situation. Last year, one such story was the film ‘Her.’ It portrayed an everyday person falling in love with an everyday technology called OS1 and its voice, Samantha.
The analogy? We meet customers every day who tell us that they’ve fallen in love with our platform. So in honor of our customers, meet PAN-OS…
This post originally appeared on Iron Bow Technologies’ Techsource page.
Editor’s Note: In honor of National Cyber Security Awareness Month (NCSAM) we are focusing our content on tips and best practices in the area of cyber security. This week, we are emphasizing the importance of protecting critical infrastructure and properly securing all devices that are connected to the Internet. We asked our partners at Palo Alto to provide their thoughts on the topic. Isabelle Dumont, Director of Industry/Vertical Initiatives, weighs in with her thoughts below:
Many businesses are aggressively pursuing Internet of Things (IoT) initiatives with the goal of creating revenue-generating opportunities or turning today’s businesses into more profitable ones. From every corner of the economy you see connected devices disrupting the way we conduct business. In parallel, disturbing stories emerge on the lack of security around connected “things.” Here are a few in various sectors:
First, when discussing the security of network-connected devices, it is important to distinguish between single or multi-purpose devices. Single-purpose devices typically collect a well-defined set of data that is sent back to a specific cloud application for storage, analysis and intelligence gathering – connected medical equipment and devices are a great example. On the other hand, multi-purpose devices connect to multiple servers and services hosted in some form of cloud – the extreme case being smartphones and tablets running any number of apps downloaded from app stores and used alternatively for personal and professional purposes.
The above distinction brings us to recommendations on how to best approach security:
Single-purpose connected devices or equipment: Apply tight network segmentation and even isolation of the servers or cloud services these devices connect to. Because these are part of a single-purpose specialized network, it should be straightforward to identify and document the applications and the types of files or payload exchanged on the network. Using application-level segmentation is very effective; you can block all traffic except the few applications that are explicitly authorized on this specialized network, regardless of ports used. This approach significantly reduces the risk of malware intrusion and lateral movement and will enable you to perform much tighter inspection of the authorized applications.
Multi-purpose connected devices or equipment: Key principles such as limiting the traffic on the network(s) to what’s legitimate and classifying all traffic are still applicable, as this will reduce the volume of unknowns and untreated risks. Apply the same segmentation and tight control principles between the various cloud services as well. Additional policy rules will be required to flag suspicious application behavior and payload. An obvious one is to not allow the download of .exe files outside of well-codified exceptions. It might take several iterations to get to the most effective segmentation and related rules. Regardless, continuous monitoring and refinement of the security rules in such environments is a must.
In addition, for devices used for both professional and personal purposes, such as today’s laptops, tablets or smartphones, we recommend deploying on the device a means of applying the same security policies that are enforced inside your enterprise. A gateway solution can enable this and start monitoring devices as they connect to your enterprise to prevent any malware intrusion.
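The recommendations above (default-deny application-level segmentation on a single-purpose network, the same principle plus file-type rules on a multi-purpose one, and flagging of suspicious application behavior) can be expressed as a small policy evaluator. The following is an added example, not Palo Alto Networks code and not PAN-OS policy syntax; the zone names, application labels and flows are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One classified connection. 'app' is the application identified by
    payload inspection (constructed labels here), not the destination port."""
    src_zone: str
    dst_zone: str
    app: str
    dst_port: int
    file_type: Optional[str] = None  # file carried in the payload, if any


@dataclass
class SegmentPolicy:
    name: str
    # (src_zone, dst_zone) -> applications explicitly authorized on that path
    allowed_apps: Dict[Tuple[str, str], Set[str]]
    # file types never allowed in a payload unless covered by an exception
    blocked_file_types: Set[str] = field(default_factory=lambda: {"exe"})
    # (src_zone, dst_zone, app) paths documented as allowed to carry blocked types
    file_exceptions: Set[Tuple[str, str, str]] = field(default_factory=set)
    # app -> ports it is normally seen on; mismatches are flagged for review
    expected_ports: Dict[str, Set[int]] = field(default_factory=dict)

    def evaluate(self, flow: Flow) -> Tuple[str, List[str]]:
        path = (flow.src_zone, flow.dst_zone)
        authorized = self.allowed_apps.get(path, set())
        # Default deny: the application must be explicitly authorized on this
        # path, regardless of which port it happens to use.
        if flow.app not in authorized:
            return "deny", [f"{flow.app} not authorized on {path[0]}->{path[1]}"]
        # Payload rule: executables only over documented exception paths.
        if flow.file_type in self.blocked_file_types and path + (flow.app,) not in self.file_exceptions:
            return "deny", [f"{flow.file_type} transfer over {flow.app} not in exception list"]
        flags = []
        expected = self.expected_ports.get(flow.app)
        if expected and flow.dst_port not in expected:
            flags.append(f"{flow.app} on non-standard port {flow.dst_port}")
        return "allow", flags


# Single-purpose network (constructed): device telemetry to one cloud collector, nothing else.
MEDICAL_POLICY = SegmentPolicy(
    name="medical-devices",
    allowed_apps={("medical-devices", "telemetry-cloud"): {"device-telemetry"}},
    expected_ports={"device-telemetry": {8443}},
)

# Multi-purpose network (constructed): several services allowed, .exe only from the update service.
BYOD_POLICY = SegmentPolicy(
    name="byod",
    allowed_apps={("byod", "internet"): {"web-browsing", "ssl", "office365", "software-update"}},
    file_exceptions={("byod", "internet", "software-update")},
    expected_ports={"web-browsing": {80}, "ssl": {443}},
)

# Constructed sample flows, as a classifier would hand them to the policy.
MEDICAL_FLOWS = [
    Flow("medical-devices", "telemetry-cloud", "device-telemetry", 8443),
    Flow("medical-devices", "telemetry-cloud", "ssh", 22),      # undocumented admin access
    Flow("medical-devices", "telemetry-cloud", "ftp", 8443),    # ftp riding the telemetry port
]
BYOD_FLOWS = [
    Flow("byod", "internet", "web-browsing", 80, file_type="pdf"),
    Flow("byod", "internet", "web-browsing", 80, file_type="exe"),        # blocked payload
    Flow("byod", "internet", "software-update", 443, file_type="exe"),    # documented exception
    Flow("byod", "internet", "web-browsing", 8080),                        # allowed but flagged
    Flow("byod", "internet", "bittorrent", 6881),                          # not authorized
]


def verdicts(policy: SegmentPolicy, flows: List[Flow]) -> List[str]:
    """Return only the allow/deny decision for each flow, in order."""
    return [policy.evaluate(flow)[0] for flow in flows]


if __name__ == "__main__":
    for policy, flows in ((MEDICAL_POLICY, MEDICAL_FLOWS), (BYOD_POLICY, BYOD_FLOWS)):
        for flow in flows:
            verdict, notes = policy.evaluate(flow)
            print(f"[{policy.name}] {flow.app}:{flow.dst_port} -> {verdict} {notes}")
```

The point of the single-purpose policy is that "ftp" on the telemetry port is still denied, because the decision keys on the identified application rather than the port. On the multi-purpose network the same executable is denied over general browsing and allowed over the documented update path, and an authorized application on an unexpected port is allowed but surfaced for the monitoring-and-refinement loop the text calls for.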
Protecting the endpoint: Wherever applicable, we recommend adding advanced protection directly at the device level. For equipment based on the Windows platform, our advanced endpoint protection solution, aka “Traps,” is a great option given the high percentage of threats that are no longer detected by traditional anti-virus products. Traps is a revolutionary approach for threat prevention that works: Instead of using signatures to detect malware, Traps focuses on the few techniques that threats have to use to infiltrate a system, thus blocking the attack before it even takes its first step.
If you are interested in learning more about implementing the above recommendations, here are some suggested resources to visit:
Starting next week, we will be on the road with VMware and VMUG in the U.S. and Canada to discuss how you can strengthen your data center security without compromising application performance.
Click through to register for one of the below events. Space is limited so sign up now!
The past decade of Cybersecurity has been relentlessly focused on stopping threats at the network edge. The implicit assumption of this approach is that the interior of your network is a trusted zone, and everything outside is untrusted. With this idea in mind, vendors began offering more and more ways to scan traffic at this logical boundary, attempting to detect known threats and hopefully taking some type of blocking action against them.
For the better part of the past ten years, this approach was the only one offered, and did a reasonably good job at keeping organizations safe. Traditional IPS/IDS, stateful firewalls, web security – it all relied on scanning traffic and making binary “yes, no” decisions as it passed through. Typically these decisions were made on known-bad content; only able to stop what security vendors thought was malicious.
Then, adversaries and threats changed. They had been watching, learning, and understood that this “hard outer shell, squishy center” represented a golden opportunity to carry out their objectives. To the adversary, this meant that getting past the edge gave them free rein to move laterally within organizations, finding valuable intellectual property wherever it resides, and exfiltrating it using undetectable protocols. The edge, and the legacy technologies that protected it, had become an easily evaded – and expected – barrier.
This all begs one simple question: Why would you only detect malware at the network edge?
Let’s take a step back and examine how a typical advanced attack works:
• Make an initial compromise via a spear-phishing email, which leads to an infected site with a drive-by download or a malicious attachment.
• This drive-by download exploits a zero-day vulnerability in a browser, or the malicious attachment exploits one in client-side reader software.
• In this case, the attacker has masked his traffic by compromising a benign site or using an exploit that has never been seen before, making it undetectable for traditional solutions.
• The attacker has now established a foothold through this exploited client, a base of operations for future activity.
• From here, the attacker will deliver the actual malicious payload, so-called second-stage malware. This will often be done over protocols such as FTP, using encryption, over non-standard ports.
• Once the malicious payload has been delivered, the attacker now has free rein to pivot laterally within the organization, moving from the initial client toward their final target.
• Often, they will hop multiple times, and then steal data using evasive means.
In this example, the perimeter has become a trivial “wall” for the adversary to overcome. The combination of unknown threats and persistent action within the organization itself is a very common method for truly advanced attackers.
Now, going back to the initial question: what if your entire organization’s network was able to detect and prevent this attack in multiple places? Not only this, but what if your security devices automatically augmented your security posture by discovering new threats and creating new protections?
Now your infrastructure has become an adaptive security framework that is tailored toward how advanced threats operate today. In order to gain this pervasive functionality, there are a few typical places where security devices can be deployed:
• Internet Edge
• Data Center Edge
• Between Virtual Machines in the Data Center
• On Mobile Devices and Endpoints
With this type of architecture, new threats are being discovered at each location in the network, and protections created. This intelligence is then automatically fed into every single security device wherever they are deployed. This gives you the advantage, instead of the adversary, as you are now increasing the probability of stopping an attack at each location, at each stage in the attack kill-chain.
The network edge is the ideal location for quickly preventing the vast majority of attacks, but looking forward, you should consider how pervasive deployments can stop the new breed of advanced attack.
Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.
Unit 42 discussed CryptoWall 2.0, the latest version of this malware family that uses the Tor network for command and control. Learn how you can protect yourself.
Knowledge Is Power: Kate Taylor looks at using cyber scrutiny to defend against phishing attacks and examines how cybersecurity education significantly bolsters an enterprise’s cyber defense.
Unit 42’s Ryan Olson discusses Dridex, the latest descendent of the Bugat/Feodo/Cridex banking Trojan lineage, now being distributed through word documents and how to protect yourself against this wave of Dridex attacks.
We wrapped up a big week at VMworld Europe, where we were featured as part of VMware CEO Pat Gelsinger’s keynote address, announcing the latest milestone in our integration with VMware. Check out scenes from the show.
We’re on the road across North and South America with Citrix and CA for the next few weeks to talk about how enterprises can streamline virtualized data centers, radically simplify network services for delivering critical applications and reduce complexity and cost, all without sacrificing performance and security. Join us at an event near you.
It was another successful year at Black Hat Europe where we met with attendees from more than 40 countries. We captured a few great photos at our booth during the show, check them out here.
We participated in Security Leaders 2014 in Brazil, an annual gathering of about 3,000 security professionals to discuss information security and risk for enterprises. Check out some photos from our time there.
The effective date for CIP version 5 Standards is rapidly approaching and entities are beginning to implement new controls to meet the updated requirements. During this webinar on October 29, Palo Alto Networks expert Del Rodillas, along with experts from EnergySec and ENMAX, will discuss the new requirements and potential technical approaches to meeting compliance obligations.