Palo Alto Networks: Solving Government’s Data Center Security Challenges

Governments worldwide are working hard to implement a number of changes in their data center infrastructures. Some have major data center consolidation projects underway, such as the Federal Data Center Consolidation Initiative in the U.S. Others are taking advantage of the benefits of virtualization or moving to Shared Services models. Finally, many are deciding if a public cloud infrastructure is appropriate for some of their government business. To cater to the U.S. government’s interest in the public cloud, Amazon Web Services (AWS) has developed specialized cloud services, GovCloud and Commercial Cloud Services (C2S) for the Intelligence Community, designed specifically for U.S. government customers.

With so much to consider in their data center infrastructure plans, governments certainly have security top of mind. Here at Palo Alto Networks, we’re doing all we can to support governments as they secure their cyber infrastructure. We have been working with numerous customers – including many in the U.S. federal sector – to evolve their infrastructure securely, regardless of the stage of their data center transitions.

Recently, we worked with MeriTalk to develop a “health check” with U.S. federal government agencies (read the full report here). The survey queried 300 U.S. Federal IT managers about what security issues were top of mind as they implement changes to their data centers. The results are fascinating and show that many government agencies share common security concerns in their data center and cloud planning.

The good news is that our portfolio provides security solutions that protect customer data no matter where the government is in their data center evolution. Palo Alto Networks is able to solve many of the security challenges the survey respondents identified with their current data center security solutions. Let’s look at a few of them:

Integration challenges

Integration can mean many things, but when it comes to data center security it typically refers to how well the solution can tie into the existing physical or virtualized network infrastructure. To integrate easily into an existing physical data center network, each Palo Alto Networks Next-Generation Firewall supports a range of network modes, including L2, L3, Virtual Wire and mixed mode. Virtual Wire makes our Next-Generation Firewalls a truly transparent network device, looking much like a bump in the wire, which solves many customer network integration challenges and can be used in both Active-Passive and Active-Active high availability modes.

From a virtualized computing environment perspective, integration means how tightly the security solution ties into the hypervisor and orchestration tools in use. The Palo Alto Networks VM-Series of virtualized firewalls allows customers to deploy the exact same next-generation firewall and advanced threat prevention features used in our physical appliances in private, public or hybrid cloud computing environments. The VM-Series supports a range of hypervisors including VMware ESXi and NSX, Amazon Web Services and KVM with OpenStack. In each of these environments, customers analyze traffic moving into and across the cloud environment, protecting both applications and data from advanced threats. Additionally, the VM-Series incorporates a fully-documented XML API to simplify integration of third party orchestration and management tools. Our ease of provisioning, noted below, helps ensure seamless integration as changes happen within the data center or cloud, regardless of your platform choice or data center instantiation.

Time to provision

In both physical and virtualized network environments, customers struggle with managing the discrepancies that may occur between compute workload additions, removals or changes and how quickly a security policy can be deployed. To help minimize these delays, Palo Alto Networks firewalls provide a rich set of native management features that streamline policy deployment so that security keeps pace with the changes in your compute workloads (physical and virtual).

As compute workloads are added, removed or changed, features within the PAN-OS security operating system see those contextual changes, proactively learning which IP addresses are changing, and then apply those updates to the security policy automatically. The result is a dramatic reduction in the delay that can occur between workload changes and security policy updates. Where many virtual or physical Palo Alto Networks next-generation firewalls are deployed, our Panorama technology makes managing them easy and ensures that security policies are applied consistently and cohesively. Panorama also provides centralized logging and reporting capabilities that give users visibility into virtualized applications, users and content.

Performance shortcomings

In order to address the computationally intensive nature of full application traffic classification and inspection, Palo Alto Networks Next-Generation Firewall appliances are purpose-built to deliver predictable performance with security features enabled. A single-pass software architecture performs its defined functions only once on a given set of traffic, eliminating the multi-pass scan and decision making process that UTMs and other security solutions follow. This single pass software architecture is matched to purpose-built hardware that uses dedicated processing for the key areas of networking, security, content inspection and management. The end result is a next-generation firewall architecture that is fully capable of 120 Gbps of cyber security processing. Customers who have used proxy-based firewalls and UTMs are astonished at the performance gains our platforms provide.

Fragmented solutions

One of the advantages of the Palo Alto Networks Enterprise Security Platform is the contextual control it provides by knowing what applications are being used, who is using them and what data they contain. All visibility, policy control, logging, reporting and forensics features within our enterprise security platform take full advantage of this contextual awareness to provide a closed-loop feedback platform for network and data center security. All security functions employed – advanced threat prevention with WildFire™, known threat prevention with IPS, network anti-virus and anti-spyware, mobile security management with GlobalProtect™ – are correlated and shared across the platform to continuously update and employ the very latest attack preventions for the data center and your network.

Lack of security for virtual machines

Palo Alto Networks VM-Series virtualizes the functions of its enterprise security platform, allowing customers to secure virtualized workloads while preventing advanced cyberattacks. In fact, it was a global government customer who gave us the idea years ago to create a virtualized instance of our platform and customers love it. If you use AWS GovCloud, the VM-Series for AWS is available as a Bring Your Own License (BYOL) model and the VM-Series also supports VMware ESXi/NSX, KVM or Citrix SDX. You can purchase the VM-Series from your authorized Palo Alto Networks partner.

With the power of the Palo Alto Networks Enterprise Security Platform, we can protect your north-south traffic as well as your east-west traffic. We ensure that attackers are not only blocked as they enter your overall network, but are also blocked as they attempt to move laterally into and through your data center.

Additional resources to assist you in your data center to cloud security needs:

See what the media has to say about the results of the MeriTalk survey:

[Palo Alto Networks Blog]

Providing Assurance on Data Quality

Many organizations are putting data governance on their strategic agenda, primarily because of the amount of data that is available to, generated by and utilized by the organization. Professionals who provide assurance services are now faced with the task of providing advice on the data quality issues, which if not addressed can lead to a number of adverse effects, including:

  • Lack of compliance with statutory requirements
  • Losing a competitive edge
  • Dissatisfied clients
  • A delay or scrapping of a new information system implementation
  • Failure to meet a significant contractual requirement or service level agreement

To address data quality, the organization must agree to and document data quality metrics that are relevant to the kind of data in use by the organization. Philip Nousak and Rob Phelps propose a score-based approach with predefined metrics. In general, data quality metrics may include:

  • Accuracy: Data reflects reality
  • Integrity: Each data record can be uniquely identified
  • Consistency: There are no contradictions in the data
  • Completeness: All the necessary data is present
  • Validity: Data values are acceptable and fall within defined ranges
  • Timeliness: Data values represent the most current information for the specific use
  • Accessibility: Data can be obtained with ease, is comprehensible and usable
  • Granularity: Data is available at a sufficient level of detail
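To make the metrics concrete, here is an added example (not from the article or its authors) of the score-based approach: each metric that can be computed from the data alone is scored as the share of records that pass its check, the failing records are listed for the auditor, and the per-metric scores are combined into one weighted score. Accuracy, accessibility and granularity need reference data or a user perspective and are not scored here. The register, its field names, the business rules (salary must be non-negative, a contributing member must be at least 18, a record must have been refreshed within a year) and the sample values are all constructed assumptions for this example.

```python
from datetime import date, timedelta

# Constructed sample: a small register of contributing members, as a social
# security authority might hold one. Field names, rules and values are
# assumptions made for this example, not data from the article.
AS_OF = date(2015, 2, 1)          # reference date for age and timeliness checks
REQUIRED = ("member_id", "name", "birth_date", "monthly_salary", "last_updated")

RECORDS = [
    {"member_id": 1001, "name": "A. Mwangi", "birth_date": date(1980, 5, 1),
     "monthly_salary": 1200, "last_updated": date(2015, 1, 20)},
    {"member_id": 1002, "name": "B. Juma", "birth_date": date(1975, 3, 9),
     "monthly_salary": -50, "last_updated": date(2015, 1, 22)},    # invalid salary
    {"member_id": 1002, "name": "C. Ali", "birth_date": date(1990, 7, 14),
     "monthly_salary": 900, "last_updated": date(2013, 6, 1)},     # duplicate id, stale
    {"member_id": 1004, "name": None, "birth_date": date(2010, 1, 1),
     "monthly_salary": 2000, "last_updated": date(2015, 1, 25)},   # missing name, minor
]


def check_completeness(records):
    """Completeness: True for a record only if every required field is present."""
    return [all(r.get(f) is not None for f in REQUIRED) for r in records]


def check_integrity(records):
    """Integrity: True when the record's identifier appears exactly once."""
    counts = {}
    for r in records:
        counts[r["member_id"]] = counts.get(r["member_id"], 0) + 1
    return [counts[r["member_id"]] == 1 for r in records]


def check_validity(records):
    """Validity: True when values fall within defined ranges (salary >= 0)."""
    return [r["monthly_salary"] is not None and r["monthly_salary"] >= 0
            for r in records]


def age_on(birth, ref):
    """Whole years between birth and the reference date."""
    return ref.year - birth.year - ((ref.month, ref.day) < (birth.month, birth.day))


def check_consistency(records):
    """Consistency: True when the record does not contradict the business rule
    that a contributing member is at least 18 years old on the reference date."""
    return [r["birth_date"] is not None and age_on(r["birth_date"], AS_OF) >= 18
            for r in records]


def check_timeliness(records, max_age_days=365):
    """Timeliness: True when the record was refreshed within max_age_days."""
    cutoff = AS_OF - timedelta(days=max_age_days)
    return [r["last_updated"] is not None and r["last_updated"] >= cutoff
            for r in records]


CHECKS = {
    "completeness": check_completeness,
    "integrity": check_integrity,
    "validity": check_validity,
    "consistency": check_consistency,
    "timeliness": check_timeliness,
}


def assess(records, weights=None):
    """Score each metric as the share of passing records, list the positions of
    failing records for follow-up, and combine the scores into one weighted
    figure (equal weights unless the auditor supplies others)."""
    weights = weights or {name: 1.0 for name in CHECKS}
    report = {}
    for name, check in CHECKS.items():
        results = check(records)
        report[name] = {
            "score": sum(results) / len(results),
            "failing": [i for i, ok in enumerate(results) if not ok],
        }
    total_weight = sum(weights.values())
    overall = sum(report[n]["score"] * weights[n] for n in CHECKS) / total_weight
    return report, round(overall, 4)


if __name__ == "__main__":
    report, overall = assess(RECORDS)
    for name, entry in report.items():
        print(f"{name:13s} {entry['score']:.2f}  failing records: {entry['failing']}")
    print(f"overall       {overall:.2f}")
```

The per-metric failing lists are what turn a score into an audit finding: the duplicate identifier shows up under integrity, the negative salary under validity, the under-age member under consistency and the stale record under timeliness. Weights let the auditor reflect which metrics matter most for the data's use, for instance weighting integrity and validity higher for a register that drives payments.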

The data quality metrics in themselves are not sufficient for an assurance professional to provide an opinion on data quality. Other factors that should be considered can be categorized in the following three groups:

  • Technical:
    • What is the underlying database structure that is used for data storage?
    • What application is being used to process or manipulate the data?
    • While the original data may be of good quality, errors may be introduced as a result of poor database structures or bugs in the applications being used to process the data (e.g., a data value that by its nature is required to be unique)
  • Operational:
    • What business processes create or use the data?
    • What business rules are in place to provide validation of data captured or produced?
  • Governance:
    • Are the data roles and responsibilities clearly defined in the organization?
    • What monitoring and reporting requirements are in place?

In conclusion, investigating data quality practices to provide assurance, or as part of an IS audit, will add value to the organization. Assurance professionals should consider regular checks on data quality in the process of carrying out their work.

Carina K. Wangwe
Social Security Regulatory Authority, Tanzania

[ISACA]

Palo Alto Networks Traps Protects Enterprises From Zero-Day CVE-2015-0313

It seems as if we are caught in a Flash zero-day storm. It has not yet been two weeks since the disclosure of CVE-2015-0311, and we are already informed that there is yet another attack flying under the radar of signature-based security solutions.

Similar to its older kinsmen, CVE-2015-0313 was discovered in attacks utilizing the Angler exploit kit. According to security reports, around 3,294 hits related to the exploit were already identified, and as is usually the case with zero days, what we see is only the tip of the iceberg.

Standard security measures do not offer sufficient protection. In browsing through various security vendor responses, we see recommendations to disable the targeted version of Flash until a patch becomes available, or to block the URL which – temporarily – hosts the exploit kit. We might expect that quite soon a signature will be generated for the exploit which – again temporarily – utilizes CVE-2015-0313 to execute malicious code on victim endpoints.

These are all reactive steps. They have some mitigation value, but they lag behind the attackers. What’s more, they react to what is thus far a small manifestation of a potentially larger threat. Attackers are evolving, and it’s not farfetched to assume that new URLs are standing in line to replace the one already tagged as malicious, and that the exploit code is being modified right away, stripping the original signature of any value.

This zero-day is yet another example of why advanced attacks need to be addressed in a manner that tackles them at the core and sustains security — regardless of changing factors.

Palo Alto Networks Traps analysis of CVE-2015-0313 reveals that exploits utilizing this vulnerability attempt to bypass standard DEP protection using a ROP chain. Once the ROP chain has run successfully, the exploit tries to access OS functions.

What Traps “sees” in this case is not an unknown threat but an understandable and well-defined pattern. In fact, it quite resembles the one we described in our last zero day post. Obstructing the exploit in these phases breaks the chain and crashes the attack.

Traps has knowledge of the techniques attackers need in each critical stage of exploitation. Possessing that knowledge enables Traps to obstruct them in real time, proactively preventing the exploitation from reaching its goal. The result is that endpoints are completely protected from exploitation trying to make use of zero day CVE-2015-0313.

Installing Traps on your endpoints protects your enterprise from known attacks and zero days alike. Learn more about Advanced Endpoint Protection here.

[Palo Alto Networks Blog]

A Smart Strategy to Combat Advanced Persistent Threats and Targeted Attacks

Seemant Sehgal, CISA, CISM, BS7799 LI, CCNA, CEH, CIW Security Analyst, SABSA

Advanced persistent threats (APTs) are a hot topic in the security arena today. There are a number of definitions and methods of identifying an APT. Some define it based on the extent of pinning it to certain attack vectors, while others map it to the complexity or time it takes to complete the attack. The term “targeted attacks” is the latest buzzword, gradually taking center stage as a new breed of cyberthreats emerge.

So how can one devise an effective strategy to combat such threats? Well, to do so, it is important to understand the implications of the words “advanced” and “targeted” in the cybersecurity context. Think of the example of a pickpocket looking for a prospective victim. A thief will skip stealing from targets when they are vigilant and instead look for someone whose guard is down. In other words, the attacker will go for the “low-hanging fruit” to find a way in.

Applying this scenario to the context of cyberthreats, the best strategy to combat an APT is to keep an eye on the low-hanging fruit in your security ecosystem. Low-hanging fruit in this context represents the easiest vulnerability for threat agents to exploit to reach their target. It is important to remember that low-hanging fruit is not a static concept when it comes to cybersecurity. The moment you take the most obvious vulnerability out of the equation, attackers are going to take the next easiest route. As a result, the best combat strategy is for an enterprise to stay situationally aware of the lowest-hanging fruit it is offering to an attacker.

From a more global perspective, threats are targeted at a generic profile. Hence, for a threat to impact the values you have at risk, two conditions need to be met. First, the target profile must match the ecosystem that you present to the attacker. Second, your organization must be more easily exploitable than your next best competitor or another target presenting the same value to an attacker. If you want to make sure that your organization does not meet these criteria, the best strategy is to be situationally aware of the ecosystem your enterprise is a part of and ensure that you stay ahead of other like organizations.

However, when it comes to targeted attacks, the environment the enterprise is a part of does not matter. If the threat agents are motivated and committed to taking aim at you, they will. As with APTs, the best strategy to mitigate these targeted threats is to ensure that you are situationally aware of and continuously engaged in removing the low-hanging fruit from your security ecosystem. This way, you offer more complexity to an attacker and you have a better chance of combating targeted attacks.

Read Seemant Sehgal’s recent Journal article: “Effective Cyberthreat Management Evolution and Beyond,” ISACA Journal, volume 1, 2015.

[ISACA]
