2016 Predictions #4: Growth in Exploit-Based Attacks Will Require Increased Emphasis on Prevention

This is the fourth in our series of cybersecurity predictions for 2016. Stay tuned for more through the end of the year.

In 2015, the cybersecurity market witnessed the introduction of a slew of new and improved products that promised to enhance the detection and response capabilities of organizations against malware. The prevailing rationale was that an improvement in these tools would help organizations to reduce the impact of malware by becoming better at spotting suspicious activity. Unfortunately, the threat agents also witnessed this trend. Their attacks became more targeted, oftentimes uniquely designed to compromise a given organization’s defenses.

The shift from executable malware to exploits will continue

In 2016, we can expect that well-funded, highly skilled, and patient threat agents will shift their focus toward deploying the types of attacks that are virtually undetectable by current antivirus solutions and much harder to counter by current “detect and respond” tools. These attacks will exploit vulnerabilities in legacy and commonly used applications that are often whitelisted or play a major role in the organization’s business processes; hence, these applications cannot be eliminated without having a negative impact on the organization’s ability to conduct business.

As threat actors become more effective in the reconnaissance of their targets, the exploits will become more highly customized to the specific applications in use by a target organization, and even to the targeted individuals within that organization.

In 2016, software developers will undoubtedly continue to improve the overall security of their applications and operating systems, while threat actors will escalate the perpetual “cops and robbers” game by deploying exploits that are more sophisticated – and often created by professional exploit developers.

Organizations will realize the futility of fighting machines with people

Cyberattacks in 2015 exhibited a massive increase in volume, velocity and variation. The fundamentally asymmetrical nature of cyberattacks, in the sense that small groups of highly skilled individuals have the potential to inflict disproportionately large amounts of damage on an organization, took a turn for the worse as attackers gained increased access to more scalable options, such as Malware-as-a-Service and Exploits-as-a-Service.

While attackers unleashed an army of machines on their targets with a click of a mouse, many organizations continued to commit their scarce resources to the perpetual loop of “detect and respond,” which is to identify, investigate, remediate, recover, and then repeat.

In 2016, we can expect that organizations will finally realize this people-intensive approach is no longer scalable or sustainable. Organizations will recognize that automation and scalability are the keys to matching the asymmetric nature of cyberattacks. And they will come to rely on new tools that can effectively prevent the army of machines from using sophisticated and previously unknown threats, malware, and exploits to compromise the organization’s defenses.

The pendulum will start to swing back from detection and response toward prevention

2015 witnessed the continuing market sentiment that security breaches are inevitable, that organizations should assume a breach has already happened, and that the best course of action is to focus scarce resources on rapid detection and response in order to minimize the impact.

Despite the proliferation of new services and products that focused on helping organizations to improve their ability to detect and respond to malicious activities, organizations will realize that these advancements cannot change the economics of their chosen approach.

The fact remains that the further along the breach continuum one detects and intercepts an attack, the higher the negative impact, and the costlier it will be to recover and remediate.

In 2016, organizations will begin to realize that breach prevention is not only possible but also more viable and sustainable. Although detection and response capabilities will remain necessary for a balanced security posture, the old adage “an ounce of prevention is worth a pound of cure” will resonate with more and more organizations.

Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.

[Palo Alto Networks Blog]

Best Practices for Your Swiss Army Knife

If you’ve been to any recent Palo Alto Networks Ignite conferences, you’ve likely attended sessions led by our Product Management team on best practices for various Palo Alto Networks technologies and security initiatives.

Actually, those best practices sessions are, by far, our most requested and well-attended sessions. Customers have been very interested in how technologies on our platform can be combined to improve their security posture and make their lives easier. As one of my customers once put it, “Your platform is like a Swiss Army knife. There are all these cool tools and features, and you just have to figure out how to combine them to solve the problem at hand.”

For instance:

  • Combine SSL decryption and URL Filtering to easily identify URL categories for decryption and inspection.
  • Combine URL Filtering and file blocking to disallow .exe downloads from high-risk URL categories, such as dynamic-DNS or unknown URLs.
  • Combine App-ID, User-ID, and Content-ID technologies to identify known versus unknown users, restrict their access to applications housing sensitive data, and enforce strict decryption and threat inspection policies. This combination will make sure that unknown users are not doing anything malicious to your network.
  • Combine User-ID and file blocking to help prevent the delivery of malware via a watering hole or spear phishing attack to groups of users who don’t have a business reason for downloading Portable Executable (PE) file types, such as .exe, .dll, and .scr.

Over the years, we have accumulated tons of tips and tricks throughout our tens of thousands of customer engagements that we actively recommend to our customer base. We are still discovering new ways our customers combine and use features on our platform to solve their problems.

Here are just a few of these recommendations:

  • Enable file blocking profiles within your application-based policies and allow only certain file types to be downloaded or uploaded to prevent malware downloads and data exfiltration.
  • Utilize the dynamic block list feature on the NGFW to prevent traffic to and from known malicious IPs. Or, better yet, copy the IP addresses that have triggered a number of IPS signatures in a certain amount of time, and paste them into a dynamic block list to help prevent attacks from actively targeting your organization.
  • Enable DNS sinkhole functionality on the NGFW to provide your security and IR teams with a list of users and endpoints actively attempting to connect to command-and-control domains, as they’ve very likely been compromised. The sinkhole will block the communication and provide a high-fidelity list of users for whom you should probably re-image devices.
  • Alert on or disallow SSL traffic over unexpected ports, especially if it’s traffic you aren’t able to decrypt and fully inspect for threats.
  • Activate strict threat profiles for Threat Prevention signature sets (IPS, AV, anti-CnC) and leverage WildFire to configure signature updates every 15 minutes within your data center to help prevent lateral movement on east-west traffic and data exfiltration.
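Two of the recommendations above are really the same query over the firewall's threat logs: promote source addresses that trip several IPS signatures in a short time into a dynamic block list, and pull out the internal endpoints whose traffic went to the DNS sinkhole address. The Python script below is an added example of that log-driven workflow; it is not code from this post or from Palo Alto Networks. Everything in it is assumed: the comma-separated log layout is a constructed simplification rather than the NGFW's native threat-log format, the sinkhole address 192.0.2.1, the threshold of three hits in ten minutes, and the RFC 1918 ranges treated as internal are all placeholders, and the block list is emitted as plain text with one address per line, the form assumed here for a dynamic block list.

```python
"""Promote repeat IPS offenders to a block list and list DNS-sinkhole hits.

Added example. The log layout (timestamp,src,dst,threat,severity) is a
constructed simplification, not the NGFW's native threat-log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample threat-log lines: two external scanners probing a web
# host, and two internal endpoints whose C2 lookups were answered by the sinkhole.
SAMPLE_LOG = """\
2016-01-05T10:00:02Z,203.0.113.7,10.0.0.5,SQL Injection Attempt,high
2016-01-05T10:01:10Z,203.0.113.7,10.0.0.5,Directory Traversal,medium
2016-01-05T10:03:45Z,203.0.113.7,10.0.0.8,Brute Force Login,high
2016-01-05T10:04:00Z,198.51.100.22,10.0.0.5,SQL Injection Attempt,high
2016-01-05T12:30:00Z,198.51.100.22,10.0.0.5,Directory Traversal,medium
2016-01-05T10:05:30Z,10.0.0.42,192.0.2.1,Suspicious DNS Query,medium
2016-01-05T10:06:00Z,10.0.0.43,192.0.2.1,Suspicious DNS Query,medium
"""

SINKHOLE_IP = "192.0.2.1"  # hypothetical sinkhole address configured on the NGFW

# Assumed internal ranges; these must never end up in an inbound block list.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_threat_log(text):
    """Parse the constructed CSV layout into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, threat, severity = line.split(",", 4)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "threat": threat, "severity": severity,
        })
    return records


def hot_sources(records, threshold=3, window=timedelta(minutes=10)):
    """Sources with at least `threshold` signature hits inside some `window`."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r["ts"])
    hot = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the left edge forward until the span fits inside `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hot.add(src)
                break
    return sorted(hot)


def sinkhole_hits(records, sinkhole_ip=SINKHOLE_IP):
    """Endpoints whose traffic reached the sinkhole: the re-image candidate list."""
    return sorted({r["src"] for r in records if r["dst"] == sinkhole_ip})


def is_internal(ip):
    """True when `ip` falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def render_block_list(ips):
    """One address per line (the plain-text form assumed for the block list).
    Internal addresses are dropped so that a noisy scanner inside the network
    cannot trick the firewall into blocking its own hosts."""
    return "".join(ip + "\n" for ip in ips if not is_internal(ip))


if __name__ == "__main__":
    recs = parse_threat_log(SAMPLE_LOG)
    print("block list:\n" + render_block_list(hot_sources(recs)), end="")
    print("sinkhole hits (re-image candidates):", sinkhole_hits(recs))
```

With the sample data, only 203.0.113.7 crosses the three-hits-in-ten-minutes bar (198.51.100.22 has two hits hours apart), so the block list contains exactly that address, and the sinkhole list names the two internal endpoints 10.0.0.42 and 10.0.0.43. The window-based threshold matters: counting hits without a time bound would eventually promote every address that has ever tripped a low-severity signature, and the block list would grow into a maintenance problem rather than a control.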

We use tips like these to help our customers better secure their organizations and more fully leverage technology and features within the Palo Alto Networks Next-Generation Security Platform. For us, it’s all about enabling business and preventing breaches.

That’s why we’re collecting these tips, tricks, and tactics and publishing them in a series of chapters – our recommended best practices. The first chapter, on leveraging application-based policies to provide complete visibility (the first step in reducing the attack surface), is available now within our Fuel community and will be followed by chapters on decryption and user-based policies in the next few weeks.

Be sure to download our best practices to find out how you can better secure your organization or confirm that you’re already ahead of the game.
