We are days away from Ignite Conference 2016! Take a look at the top five things you need to know before heading to our biggest security conference of the year.
1. Build Your Agenda
Use Agenda Builder to create an event that is customized to your interests. Workshops and sessions are designed to be modular, so no matter how you stack them, you’ll get an integrated approach to preventing cyber breaches and securing your organization. Don’t forget to register for the sessions that interest you and reserve your spot before heading to the event.
Learn more about the Agenda Builder, available tracks and sessions, and event highlights.
2. Check Out Cyber Range
Come watch our Cyber Range Threat Prevention workshops in the Expo Hall and cheer on your favorite team. Don’t forget to follow along and join the conversation on Twitter using the#IgniteRanger hashtag.
Session Times:
Tuesday, April 5 | 12:30 – 3:30 PM PT
Wednesday, April 6 | 9:00 AM – 12:00 PM PT
3. Get Certified
We are offering a special rate to all Ignite 2016 attendees – 50 percent off your Palo Alto Networks Certified Network Security Engineer (PCNSE) exams .
With the Ignite 2016 mobile app, you’ll have everything you need to navigate the event right in the palm of your hands. Access your daily agenda, read up on speakers, and join the#igniteconf16 Twitter conversation.
Step 3: Open the app and input your activation code you were emailed, or input your email address and you will be emailed your code.
5. Win Great Prizes
We have two contests this year where you’ll have an opportunity to win some great prizes.
Passport to Prizes contest
Access your “digital passport” from the Ignite 2016 mobile app and scan each sponsor booth’s QR code by 6:00 PM PT on Tuesday, April 5. Once you scan all 27 QR codes, you’re automatically entered to win this Sphero BB-B App-Enabled Droid.
The drawing for each booth will take place in the Expo Hall at 6:30 PM on Tuesday, April 5.
Most Active Mobile App User contest
Be a power user of the Ignite 2016 mobile app and be eligible to win a $250 gift certificate to the Palo Alto Networks Ignite Shop.
Point system:
Get 4 points for every completed survey
Get 2 points for every post to the activity feed
You have until 5:30 PM PT on Tuesday, April 5 to complete your surveys and your submit your posts. The lucky winner will be announced at 6:00 PM on Tuesday, April 5.
We’re looking forward to seeing you next week at Ignite Conference 2016!
About Ignite 2016
April 3-6, 2016 at The Cosmopolitan Hotel Las Vegas Ignite is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite 2016 website for more on tracks, workshops and marquee sessions, and register today.
Earlier this month, I had the privilege of attending the Cyber 9/12 Student Challenge at American University, sponsored by the Atlantic Council. The Cyber 9/12 Student Challenge is an annual cyber policy competition for students across the globe to compete in developing national security policy recommendations tackling a fictional cyber catastrophe. During the Cyber 9/12 Student Challenge, teams were evaluated on their:
Understanding of cyber conflict policy concepts and guidance
Ability to identify key issues and fully respond to critical cyber conflict policy issues posed by a serious cyber-related scenario
Analysis of policy response alternatives, including the trade-offs involved
Ability to organize and provide clear and concise policy response options with supporting analysis
Presentation of original, creative and innovative solutions to the scenario
Each team had to do all of this in a decision document limited to two pages, as well as deliver an oral presentation – no easy task, for sure!
I had the distinct honor and true pleasure to participate in this important event in multiple ways throughout the two days, including in a panel discussion with former U.S. Under Secretary of Defense for Policy Dr. Jim Miller, moderated by Jason Healey, Senior Research Scholar at Columbia School of International and Public Affairs. I also had the opportunity to be a judge in the “final four” competition, awarding the Cyber 9/12 competition. Finally, I presented the Military Cyber Professionals Association’s (MCPA) “Order of Thor” medals to the best military college team, the Air University at Maxwell Air Force Base, Alabama, which just so happened to be the winner of the Cyber 9/12 competition.
I believe that events such as this are both rare and critical to our national security and international economic competitiveness. There’s no shortage of the more technical cyber competitions, such as Capture the Flag. However, there aren’t many events that pit college teams against each other over the development and delivery of clear, precise, well thought out governmental policy options when dealing with the growing cyberthreats and challenges that we face in today’s digital age.
Kudos to the sponsors, hosts, speakers and other contributors to this world-class event, but mostly I want to thank the 39 college teams that competed. They were all magnificent, and I sincerely wish them the very best of success in something that’s of critical importance to our country and the world!
Please take a minute to check out the photos from the Cyber 9/12 Student Challenge.
Like most network administrators, you are concerned with manageability, streamlined operations, and ensuring your network security deployment is bulletproof.
In this three-part blog series, I’ll address those concerns by sharing the benefits of moving to a network security management solution such as Panorama and explain how you can maximize your Panorama deployment.
Let’s start with the benefits of Panorama:
Streamlined policy management: Simplify the creation, import, copying and ongoing management of rules across the network. Provide a single security rule base to further streamline operations in deployments of operational complexity.
Simplified operations: Streamline day-to-day network security operations, and make the task of implementing and managing policies manageable by maintaining a static security posture in a dynamic and operationally complex network.
Flexible deployment options: As your security deployment grows, the complexity of managing the network should not. Accommodate geographical or logical differences in policy, management and reporting needs with one central management platform, and simplify the deployment and maintenance of the management system while keeping costs low.
Unparalleled network and threat visibility: Provide the capability to highlight critical threats across your network, focus on critical threats with actionable data, prioritize a fast response, and do more with less.
If you are already a proud owner, you likely chose Panorama to enhance management functionality, improve visibility across your deployment of next-generation firewalls, and streamline your rule base. But you could take advantage of some additional benefits by slightly changing the way you have deployed the product. There are three key steps you can take to ensure optimum performance of Panorama in your fast-growing or large network. Let’s explore how you can get the most out of your Panorama deployment.
Move from a Virtual Machine (VM) to a dedicated hardware platform.
Add log collectors.
Deploy high availability (HA).
In my next post, I will explain how these three steps will help maximize your investment in Panorama. In the meantime, you can learn more by visiting Panorama at a Glance.
Having joined Palo Alto Networks following a 35-year career in the U.S. military, the past decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, I have found that many of the cybersecurity challenges we face from a national security perspective are the same in the broader international business world.
This blog post series describes what I consider to be four major imperatives for cybersecurity success in the digital age, regardless of whether your organization is a part of the public or private sector.
In my first two blogs, I covered Imperatives #1 and #2. Here are the major themes for each imperative:
Imperative #1 – We must flip the scales (published February 16, 2016)
Imperative #2 – We must broaden our focus to sharpen our actions (March 12, 2016)
Imperative #3 – We must change our approach
Imperative #4 – We must work together
Imperative #3 – WE MUST CHANGE OUR APPROACH
Before I get to the details, allow me to review some background and context, and then provide an executive summary of Imperative #3 in case the reader is pressed for time.
As a reminder from my previous two blogs, I use the four factors in Figure 1 to explain the concept behind Imperative #3 in a comprehensive way.
Figure 1
Threat: This factor describes how the cyberthreat is evolving and how we are responding to those changes.
Policy and Strategy: Given our assessment of the overall environment, this factor describes what we should be doing and our strategy to align means (resources and capabilities – or the what) and ways (methods, priorities and concepts of operations – or the how) to achieveends (goals and objectives – or the why).
Structure: This factor includes both organizational (human dimension) and architectural (technical dimension) aspects.
Tactics, Techniques and Procedures (TTP): This factor represents the tactical aspects of how we actually implement change where the rubber meets the road.
In this third blog of the series, I’d like to describe Imperative #3 using the concept model outlined above and step through the implications.
Figure 2
EXECUTIVE SUMMARY:
What we have been doing in the past simply isn’t working. We MUSTchange our approach!
The first change in approach is to move away from a focus on known threat signatures toward a focus on suspicious activity in order to make unknown threat signatures known as rapidly as possible. We must scale the discovery of indicators of compromise through automation, determine in near real time that there are malicious techniques being employed, produce mitigations for those bad techniques, and automatically push them out to adjust the security posture of our networks and devices. Doing so imposes increasing costs on adversariesbecause it forces them to change their entire breach playbooks.
Next we must change our policies and strategies, recognizing that detection and response, while critical cybersecurity functions, are insufficient to resolve the problem on their own. It takes a strong prevention mindset, policies driven by the organization’s leadership, and accompanying strategies that align resources and methods to achieve the desired results.
An effective prevention-first policy means we must also change our approach by evolving from a legacy view that success is a result of bolting onto an organization’s network enterprise a bunch of independent point solutions to a more natively integrated platform approach. The point solution approach looks at different “pieces” of the attack lifecycle and creates an enormous volume of alerts – mostly false positives – causing lots of work. None of the point solutions are natively integrated to communicate with each other to put the whole threat picture together, so that takes lots of equipment, bandwidth, time, people and money. Next-generation technology allows you to look at the entire lifecycle process as a whole in a single pass by design, andleverages automation to alert only on threat playbooks and block them across the network enterprise.
Finally, at the procedural and technique level, there is magic in leveraging automation in ways we have not thus far. Traditionally, in a “detect and respond” approach, we measure our “incident response” in days, weeks and months because we rely almost exclusively on human decision-making and manual action. We must change our approach so that we leverage automation and save what only humans must, or are best suited to do for the slower, manual procedures. Automation in an integrated platform approach reduces your workload, gives you better visibility of potential attackers, and safely enables your organization to do its critical business functions.
DETAILED DESCRIPTION OF IMPERATIVE 3:
THREAT
So here’s the first important change in approach. We have to move from focusing on known threats and signatures to an approach that focuses on UNKNOWN threats … or at least making unknown threats known as quickly as possible (hopefully in near real time) so that we can then do something about them.
We have a problem that is giving today’s cyberthreats a significant advantage over our ability to secure and defend our networks. This problem pits a growing adversary marketplace that leverages information sharing, automation and the cloud at increasing speed and decreasing costs against an oftentimes slow, clumsy, manual and increasingly expensive cybersecurity community. Here’s where we can begin to get ahead and increase the cost to cyber adversaries.
If we can begin to scale the discovery of indicators of compromise through automation, determine that there are “bad” techniques being employed in near real time, produce mitigations for those bad techniques, and automatically push them out to adjust the security posture of our networks and devices, then we can begin to make a dent in adversaries’ agility, flexibility and scale.
Because remember, making an unknown threat known in a matter of minutes still means that something got through before it was discovered; but, if you can do what I just said in near real time, then because of the attack lifecycle process we know that it usually takes more than a few minutes to get through all the steps of an adversary playbook to achieve the final goal. The lifecycle process requires almost any cyber actor to first gather information and perform reconnaissance, next conduct the initial compromise, then lay down an exploit or inject malware, establish command/control, apply privileged movement through the network to get to the right location, and finally to achieve their objective, whether it be the exfiltration of information, disruption, deception or destruction.
This takes time – usually at least hours, but it can take days, weeks and even months depending on how stealthy a cyber actor wants to be.
So focusing on turning unknowns into knowns as quickly as possible forces the adversaries to change their entire playbooks at a rate that begins to put them on the wrong side of the problem.
POLICY and STRATEGY
I believe this next point is critical if we want to deal effectively with something that not only threatens our national security but also threatens our international stability and economic vitality. As a community we have traditionally taken an approach that focuses on detection andresponse. I’m not making light of those functions (detection and response) because they are, no doubt, vital. But they are insufficient. We are never going to get ahead of the problem, if we don’t change our approach to focus first on prevention, while also having good detection, response and resilience in place.
I believe this imperative starts at the leadership level of any organization; and, therefore, I include it as a policy category. Once leadership buys in, the challenge is to turn a policy of prevention into a viable strategy and align any organization’s limited resources with effective methods to achieve our goals and objectives.
ARCHITECTURE
If you accept the change in approach to focus on prevention in addition to detection and response, how do you make that happen? Is it possible? I wouldn’t be in this job if I didn’t believe that not only is it possible but this imperative for change is driving the way our technology works at Palo Alto Networks right now!
And here’s the key to success from an architecture point of view: we must change our approach away from a legacy set of isolated point solutions randomly placed throughout the network architecture and normally installed in a “bolted on” model. In this model network security solutions don’t talk to each other and don’t effectively integrate with one another without a considerable amount of complexity, friction, bandwidth, energy and time consuming procedures, so the hope of stopping threats based on an endless number of known signatures usually means you’re always in the business of cleaning up the disaster instead of preventing it in the first place.
Let me paint a picture for you about this point that our Regional CSO for Europe and the Middle East, Greg Day, developed. It’s very easy and low cost for an attacker to change just that one characteristic of a signature and reuse all the rest of a threat playbook. If we use a picture of an adversary’s face as an example, then this is the equivalent of changing that person’s eye color so you don’t recognize the face anymore.
Breaches, intrusions and attacks happen at CPU speed, so this “picture of a face” is typically changing thousands of times in a minute. You need to be able to recognize the whole face. If you can do that, then even if the threat changes one characteristic of the lifecycle or breach playbook, you can still spot the adversary by recognizing the whole face and blocking the person.
If you can do that, then it’s very expensive and hard work for attackers to change their approach because they would have to change all the characteristics of their entire face (all the stages of their playbook for a breach). That’s hard for them and expensive. So they are likely to go try somewhere else where their entire breach playbook or lifecycle is not blocked.
But this is typically what happens now, using various point solutions for the different facial features (sticking with the face example). So let’s say you have a threat with multiple stages of a breach playbook (a face with multiple features). And we have all these defenses, which are different tools designed to detect different aspects of a breach. These point solutions include legacy firewalls, URL filtering, antivirus, IPS, sandboxing, IDS, SSL decryption, and many more.
The different tools generate hundreds or even thousands of alerts. Most of them are false positives. Think about all the analysis you must employ to sift through them. This high workload exists because different parts of this security stack all produce alerts independently from each other.
There is a better approach in which all of the detection capability is built into a single platform that is designed from the start to work together, not retrofitted. This approach looks at the big picture – all the characteristics at once. This approach also “self-learns” in near real-time.
Here’s what I mean by being designed to work together. In the point solution model, the information about a suspected cyberthreat goes to the first component (say AV) and is unpacked so that it can be inspected and a response, created. After it’s unpacked, the unpacked version is discarded and the package is passed on to the next component (say URL filtering), unpacked and discarded…and again…and again.
In the first place, doing this unpacking many times is expensive because it is resource hungry and it’s been done over and over again. You need a lot of hardware to support this approach.
Secondly, it’s very difficult to manually correlate the results from each of the inspections to look at the context of what you have found – to form the big picture. Incidentally, 30 percent of traffic coming into networks today is encrypted, which makes the unpacking process even harder. This manual multi-pass approach is slow.
We must change from this approach to an “integrated platform” approach. The key is tonatively integrate the approach so that network security, endpoint device security, and the analytical backbone to feed the network and endpoint security with near the real time discovery of previously unknown threat signatures enables an organization to actually preventadversaries from stepping through the attack lifecycle process and completing their intended objective. This is possible with an integrated platform approach.
That means the unpacking happens once, and all the cyber breach characteristics are searched for afterward. That means it’s automated and fast. Instead of alerting every time a suspicious characteristic is found, it looks at the big picture, only alerting when there is high confidence that an actual breach is taking place – when there is high confidence that there is a match to the entire face instead of just one of many facial features.
As well as alerting you, it blocks all the combinations of what your adversary is trying to do. It does this by self-learning and reprogramming itself. It can only do this because of the speed at which it operates. The result is fewer alerts to deal with, better visibility of what is happening, and automated blocking or prevention actions taking place.
TTP
Down where the rubber meets the road at the tactical, procedural level, here’s the other key to successfully moving from a legacy to a “next generation” approach. We are taking a page from the threat itself with this imperative for change. Today’s advanced threats, even the modestly advanced ones, don’t operate at manual speed. They operate at the speed of automation.
The threat is always going to beat our manual efforts to defend when they leverage automation and cloud to come at us in “nth degree” permutations of code adjustments (like changing different facial features thousands of times a minute), and that’s exactly what they do. We have to do the same thing to gain an advantage over the threat and change our approach from a procedural point of view.
Traditionally, in a “detect and respond” approach, we measure our “incident response” in days, weeks and even months because we rely almost exclusively on human decision-making and manual action. However, when it comes to the issue of human-based, manual action versus leveraging the power and scale of automation, we must change our approach so that weleverage automation and save what only humans must or are best suited to do for the slower, manual procedures.
Here, cloud capabilities are vital. This can raise concerns regarding a number of issues, so we believe that you have to allow for different types of cloud options, such as true cloud versus on-premises cloud capabilities.
So how do you make sure that this model can scale to whatever shape and size your organization will grow to? Remember, current organizations take different products from different vendors to look for the different characteristics that adversaries might use. And they try to integrate these in some way, mostly using manual procedures and people to look at the different alerts. That’s labor- and resource-intensive and focused on detecting and respondingafter they have been breached.
The use of automated procedures and techniques in an integrated platform approach can reduce your workload and give you better visibility of potential attackers. This is the capability ofnext-generation technology and helps an organization to securely manage traffic coming into the network, so that critical business functions can go on uninterrupted. This is a big step toward prevention and state-of-the-art cybersecurity.
CONCLUSION:
Imperative #3 is about changing our approach:
From a threat focus on known signatures to suspicious techniques and making unknown signatures known rapidly.
From a policy and strategy focus on detection and response to prevention first.
From an architectural structure focus on retrofitted legacy point solutions that don’t communicate effectively or efficiently to a natively integrated platform.
From a procedure/technique focus on human-based manual action to automated action.
Taken together, these four different factors represent an imperative for future change if we want our cybersecurity efforts to be successful in the digital age, so that we can continue to place our trust in the digital environment while more effectively managing the growing risks associated with that same environment.
The final blog in this series will be about the tremendous advantage that the cybersecurity community can gain by leveraging a strong team approach and building effective partnerships because, in today’s advanced threat environment, you simply cannot go it alone and be successful.
Written by John A. Davis, Major General (Retired) United States Army, and Vice President and Federal Chief Security Officer (CSO) for Palo Alto Networks
CSA, The World’s Leading Cloud Organization Collaborated with Verizon and Vidder To Validate Security and Feasibility of High Availability Public Cloud Architecture at Fourth Annual CSA Hackathon at the RSA Conference 2016
SEATTLE, WA – March 31, 2016 – The Cloud Security Alliance (CSA), today released The Software Defined Perimeter (SDP) Hackathon #4 Report: High Availability Public Cloud Research. The report is based on the findings and key learnings from the fourth annual Hackathon held by CSA’s SDP Working Group during the RSA Conference 2016 held last month in San Francisco. Conducted over a four-day period, the goal of this year’s Hackathon was to validate the concept of creating a high availability application environment by combining the compute resources of multiple public clouds. With the support of Verizon and Vidder, the contest was designed to challenge the pre-conceived notions of public cloud security and reliability.
Jim Reavis, CEO of the CSA commented, “We would like to thank Verizon and Vidder for their leadership, resources and support in this year’s Hackathon. We are encouraged and pleased that it worked to validates the SDP’s working group theory that a high availability application infrastructure can be created for mission critical applications by combining multiple public clouds.”
In this fourth iteration of the Hackathon, Verizon helped define the architecture to ensure it reflected real world that included use of Vidder’s PrecisionAccess SDP Gateways deployed in two different public clouds while providing access to a redundant application that was located in a third cloud. To monitor contest activity, Vidder deployed its Insight real-time monitoring system to identity attackers. While this Hackathon saw a significant increase in the number of highly sophisticated attacks, the result was that no attacker was able to breach the SDP gateway even though they were provided a full packet capture of a valid connection.
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.
Vidder PrecisionAccessTM isolates the protected applications from all networked users and devices, connecting only authorized users and trusted devices to applications they are authorized to access. The resultant new paradigm enables enterprises to achieve agility with security, augmenting cloud migration and business ecosystem collaboration, while reducing risk for traditional IT. PrecisionAccess is the industry’s first and most widely deployed solution based on the Software-Defined Perimeter (SDP) framework for advanced access control promoted by the Cloud Security Alliance (CSA). In 2015, Gartner named Vidder a Cool Vendor in Cloud Security Services. The company’s headquarters are in Campbell, Calif. For more information, visit http://www.vidder.com.
