Cyber Defense Magazine has named the Palo Alto Networks enterprise security platform as Best Enterprise Security Solution Product for 2015.
Representatives from the magazine stopped by the Palo Alto Networks booth (#N4120) at RSA 2015 to deliver the award.
Cyber Defense Magazine recognizes companies for the unique and compelling value proposition of their products and services. The natively integrated Palo Alto Networks enterprise security platform brings network, cloud and endpoint security into a common architecture, with complete visibility and control, so that organizations can detect and prevent attacks. This next-generation enterprise platform streamlines day-to-day operations and boosts security efficacy, and its multi-layered defense model prevents threats at each stage of the attack kill chain.
NSS Labs just released its latest Next-Generation Intrusion Prevention System (NGIPS) Test Report. As expected, the report recognizes the Palo Alto Networks Intrusion Prevention System (IPS) service for its strong security efficacy. Here’s a nice quote from Mr. Vikram Phatak, the CEO of NSS Labs.
“Exploits being used by Threat Actors in active campaigns are the most likely source of compromise that enterprises face every day. The Palo Alto Networks PA-5020 was the only product that blocked 100% of these live exploits during our test, and 98.8% against all exploits, earning a recommendation by NSS Labs for security effectiveness.”
There’s a lot of deep-level technical security information inside the report but I wanted to pull out a few highlights to give you a taste of what’s included. Of course I invite anyone to read through the detailed report, which is posted at http://go.paloaltonetworks.com/nss. And, as an aside, if you want to read a primer on how bad guys attempt to sneak past IPS systems, the NSS Report is an excellent starting point.
The NSS Labs NGIPS Test Report focuses on five specific areas – security effectiveness, performance, stability and reliability, management and configuration, and total cost of ownership. As Mr. Phatak points out in his quote, Palo Alto Networks has achieved an overall exploit block rate of 98.8%.
NSS Labs employs a number of tests in order to evaluate a product’s overall exploit block rate. The first grouping of tests draws on a library of over 1,800 exploits spanning different attack vectors and impact types; it deliberately includes older exploits to make sure vendors don’t age out signatures in order to preserve performance levels. For this first grouping of tests, Palo Alto Networks successfully blocked 1852 of 1898 exploits, an overall rate of 97.6%.
The next group of tests produced some results that I am particularly proud of. Mr. Phatak refers to a live exploit test in his quote. This is a very interesting exercise: it focuses on active threats and attack methods discovered by the NSS global threat intelligence network over many months, during the test window for the overall NGIPS evaluation of the Palo Alto Networks IPS service. In other words, these are exploits that each vendor must block without any prior testing or planning. During this time window, the NSS researchers hurled 613 previously unknown exploits at the Palo Alto Networks IPS service, and the service blocked all 613. Palo Alto Networks is the only company that achieved a 100% block rate.
Other highlights include performance, where the PA-5020 delivered 2.97 Gbps of NGIPS throughput, nearly 50% above our documented rate of 2 Gbps. And we cruised through all of the resistance to evasion, stability and reliability, and application control tests.
As a CSO, I look at these results as a strong testament to my long-held belief that prevention isn’t futile. With the right approach across people, process and technology, organizations can in fact prevent the bulk of advanced threats. While the focus of this particular evaluation is on our own IPS’s ability to block known exploits (which we clearly excel at), it is but one element of preventing known and unknown attacks across the attack life cycle, which also includes stopping the delivery and installation of malware through malicious domains and URLs and foiling the establishment of command-and-control channels. This latest NSS NGIPS Test Report validates a key and essential component of the Palo Alto Networks system-of-systems approach, and I am very proud.
The 2015 Verizon Data Breach Investigations Report (DBIR) represents the first time Palo Alto Networks has contributed data to this important publication, and we are proud to be part of an intelligence-sharing ecosystem that, in the end, raises the collective bar for everyone in the industry.
While reviewing the findings, a few key points stood out to the Unit 42 team:
“70 to 90% (depending on the source and organization) of malware samples are unique to a single organization.”
This important data point means that a single piece of malware could be subtly altered to produce an endless stream of variants, all of which would evade traditional signature-based detection. Of note, this premise matches our recent internal research, lending more credence to this trend.
Verizon defines unique malware from a signature/hash perspective, “when compared byte-to-byte with all other known malware.” In fact, there are a variety of commonly available and easy-to-use tools that can automate the process of obfuscating these threats. In what has become a mantra throughout the security industry, the report states that “Signatures alone are dead,” and Palo Alto Networks would agree. When malware is used once (or a handful of times), matching against these patterns has limited effectiveness at best. From a defender’s perspective, it is clear that organizations need to consider an approach that can prevent malware based on payload, not signature, and quickly generate and share protections for the endless new variants released each day.
“In 70% of the attacks where we know the motive for the attack, there’s a secondary victim.”
This highlights an important trend: adversaries are using third-party websites, or co-opting infrastructure, to deliver their attacks. This often can mean that the person or organization that experiences the initial breach isn’t the real target, but a tool, a pawn in a larger battle. From an attacker perspective, this allows them to take advantage of trust that these “jump-off” points have built up, or use the resources of another company for their gain.
The most common methods observed in these types of attacks are:
Watering hole attacks (also known as strategic web compromise), where an organization’s website is infected with exploit code in an attempt to infect visitors to that site.
DDoS attacks, where web servers or other high-bandwidth hosts are compromised and used in an attack on another target.
Anyone who’s ever thought, “My company isn’t a big target” should look at this statistic and realize that they can’t trustingly stand on the sidelines. Either your infrastructure is secured against attack, or it will be “drafted” into one side of the battle.
“99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.”
Palo Alto Networks has observed that the extended lifetime of CVE exploitability and the rapid incorporation of new vulnerabilities into attack toolkits are nothing new. New vulnerabilities take time, effort and resources to discover, and if you think of adversaries in the context of “running a business,” they want to get the greatest return on their investment (ROI). Generally, there is no need to deploy a zero-day exploit when an older, unpatched vulnerability can be used. Well-funded adversaries that have the in-house R&D to discover a new CVE and develop unique exploit code against it are the exception rather than the rule. When a new CVE is disclosed, we typically see it added to exploit kits in about a month, following initial disclosure and reverse engineering.
It is also important to draw the line between commonly exploited CVEs and those being used by the most advanced and targeted attackers. In general, the DBIR focuses on exploits targeting web applications, whereas we believe the most advanced and targeted threats leverage memory corruption exploits to gain a foothold on the endpoint. These exploits often come in the form of data files such as PDF or MS Word documents. As traditional anti-virus (AV) products do not detect such exploits, it is difficult to gather statistics around their use. Post-incident investigations often conclude that a system is infected with malware, but may not uncover that an exploit was used to download the malware onto the system. As organizations adopt advanced endpoint protection products that block these types of exploits, we expect an increase in awareness and reporting of their prevalence in the threat landscape.
“40% of controls determined to be most effective fall into the quick win category.”
In the summary of this year’s DBIR, Verizon has included a table showing which Critical Security Controls (CSC) would have applied to the incidents they’ve tracked. This table is telling because most of these controls are relatively simple for an organization to deploy, especially if they have the right security platform already deployed. If organizations deployed just the “quick wins,” the volume of breaches could decline substantially by the time next year’s report is released.
Image 1. SANS Critical Security Controls mapped to incidents observed by Verizon, which can be used as a guide for implementing the foundational security controls with the most impact.
Overall, Palo Alto Networks and the Unit 42 threat intelligence team are honored to be included in the 2015 DBIR. We firmly believe that sharing intelligence on adversaries, campaigns, and attacks is one of the most effective tools we have to raise the cost of a successful breach for attackers. The more organizations that have relevant and timely intelligence, the harder it will become for attackers to compromise them. We look forward to sharing more threat intelligence and research throughout the security community, including in our role as a founding member of the Cyber Threat Alliance.
The SANS Best of Awards program was created to recognize the solutions that organizations are using to successfully fend off cyber attacks. Each year SANS accepts nominations for products and services that have increased the effectiveness and efficiency of cybersecurity programs. Nominees for the 2014 awards were voted on by hundreds of security operations professionals and security managers from within the SANS community.
Organizations are realizing that it is not a matter of if a cyberattack will occur against their enterprises; it is a matter of when. This realization is causing executives and board members to take a growing interest in what is being done to protect and defend their top non-human asset: information. Support for growth in cybersecurity staffing is here; the problem is that the pool of skilled cybersecurity talent is facing a drought.
To address the global cybersecurity skills shortage, ISACA has launched a portfolio of innovative skills-based cybersecurity training courses and performance-based exams and certifications, through its Cybersecurity Nexus (CSX). These new CSX certifications are providing a benchmark that will help shape the future of cybersecurity hiring and the career progression of cybersecurity professionals. CSX will help assure cybersecurity pros that they can keep their skills sharp in the face of evolving threats, changing technology, and highly motivated adversaries who seem to get cleverer every minute. Organizations will have assurance that candidates have the right skills to address cybersecurity incidents from day one on the job, and that their security teams have the most important and current skills, knowledge and advanced capabilities.
This ISACA effort is critical, as 82 percent of organizations expect to experience a cyberattack in 2015, yet they feel they are relying on a workforce that is not qualified to handle complex threats, according to the State of Cybersecurity: Implications for 2015 survey from ISACA and RSA Conference. The results also revealed that 35 percent are unable to fill open cybersecurity positions.
Historically, cybersecurity training has been fairly general and has not evolved with the changing threat landscape, and there has never been a defined career progression for cybersecurity. ISACA examined the lifecycle of a cybersecurity career and the skills needed at every level in order to develop a holistic approach to cybersecurity from beginning to end.
ISACA’s new cybersecurity certifications are:
CSX Practitioner—For this certification, a professional must demonstrate the ability to serve as a first responder to a cybersecurity incident following established procedures and defined processes. There is one certification at this level, and three training courses are available. This certification is a prerequisite for any of the five CSX Specialist certifications.
CSX Specialist—A professional must demonstrate effective skills and deep knowledge in one or more of five areas based closely on the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond and Recover. There is one certification and one training course for each of these five areas. Professionals can choose to attain one or more of the five. CSX Practitioner is a prerequisite for a CSX Specialist designation.
CSX Expert—Only those who possess a master level of cybersecurity skills will be able to attain CSX Expert. Professionals must demonstrate skills that show they can identify, analyze, respond to and mitigate complex cybersecurity incidents. There is one training course and one certification at this level. No prerequisites are required.
ISACA is the first organization to use PerformanScore, a unique learning and development tool that measures a professional’s skill in performing cybersecurity job activities in a virtual setting using real-world cybersecurity scenarios.
Skills verification for cybersecurity pros should recognize that there are multiple ways to respond to threats, and PerformanScore can do just that—measure skills across the entire solution set of possibilities. Since the tool compares actions to grading criteria that are referenced against an adaptive scoring rubric in real-time, instructors can provide more precise feedback and professionals can learn more efficient cybersecurity techniques.
ISACA is the right organization to answer the urgent call for skilled cybersecurity professionals. ISACA blends the membership strength, vision, global reach, reputation, integrity and ties to global governmental entities like no other organization. We have the commitment, tools, resources and foundation to offer the complete holistic program that is provided through CSX. As a member of ISACA for over 15 years, it is exciting to see the strong strides ISACA is making to help strengthen enterprise security today.