Tech Docs: Traps v3.4 Has Arrived

Hate your antivirus (AV) solution? You are in luck! Earlier this month we announced Traps v3.4, the next step in the evolution to replace traditional antivirus software.

This release includes several major features that enable you to take the plunge to eliminate traditional antivirus.

Trusted Signers

To ensure your legitimate files are never prevented from executing on the endpoint, Traps advanced endpoint protection now evaluates whether files are signed by a trusted signer. The list of trusted signers is based on the official trusted signer list in WildFire. Executable files signed by a trusted signer are exempt from additional analysis and verdict evaluation. This is useful when unknown executable files, such as new software updates for the operating system or for applications, are signed by a trusted signer but have not yet been analyzed by WildFire. Note that the exemption moves trust from the individual file to the signer, so the trusted signer list is itself a security-relevant control and is worth reviewing alongside your hash control policy.

Local Analysis

Local analysis uses a statistical model that was developed using machine learning on WildFire threat intelligence. Traps uses local analysis to examine hundreds of characteristics associated with an unknown executable file to determine if the file is likely to be malware. With this feature, Traps quickly analyzes and assigns a local verdict to an unknown executable file when the endpoint is offline or while waiting for the official verdict from WildFire. Traps continues to use the local verdict to block or allow the execution of the unknown executable file until the agent receives an updated verdict from the ESM Server.

Malware Remediation

Traps now takes malware protection one step further with a new capability to transparently quarantine malicious executable files on the endpoint. To determine whether an executable file is malicious and should be quarantined, Traps uses information from the following sources: WildFire threat intelligence, local analysis, and the hash control policy. When malware is identified, Traps notifies the user about the quarantined file (if you enabled user alerts), removes the malware from the local folder or removable drive, and stores the file in a local quarantine folder. With this feature, you can also restore a quarantined file to its original location.
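The three capabilities above combine into one per-file decision: which verdict source applies, and whether the file is quarantined. The following Python is an added example and not Traps code. It models a verdict resolver with an assumed precedence (hash control policy first, then the trusted-signer exemption, then a cached WildFire verdict, then local analysis as the fallback for files WildFire has not yet seen) and a quarantine store that moves the file out of its original location and keeps a manifest so it can be restored. Everything here is an assumption for illustration: the class and function names, the precedence order, the sample files, and the signer handling, where a signer name supplied by the caller stands in for a real Authenticode signature check that this example does not perform.

```python
import hashlib
import json
import shutil
import tempfile
from dataclasses import dataclass, field
from enum import Enum
from pathlib import Path


class Verdict(Enum):
    BENIGN = "benign"
    MALWARE = "malware"


@dataclass
class Policy:
    """Verdict sources available to the agent (names and shape are assumptions)."""
    hash_control: dict = field(default_factory=dict)   # SHA-256 -> Verdict, admin overrides
    trusted_signers: set = field(default_factory=set)  # signer names exempt from analysis
    wildfire: dict = field(default_factory=dict)       # SHA-256 -> Verdict, cached cloud verdicts
    local_analysis: object = lambda path: Verdict.BENIGN  # stand-in for the offline model


def sha256_of(path):
    """Hash in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_verdict(path, signer, policy):
    """Assumed precedence: hash control entry, then trusted-signer exemption,
    then a known WildFire verdict, then local analysis for anything still
    unknown. Returns (digest, verdict, source) so the caller sees which source decided."""
    digest = sha256_of(path)
    if digest in policy.hash_control:
        return digest, policy.hash_control[digest], "hash-control"
    if signer is not None and signer in policy.trusted_signers:
        return digest, Verdict.BENIGN, "trusted-signer"  # no further analysis at all
    if digest in policy.wildfire:
        return digest, policy.wildfire[digest], "wildfire"
    return digest, policy.local_analysis(path), "local-analysis"  # provisional verdict


class Quarantine:
    """Moves files into a quarantine folder keyed by SHA-256 and records the
    original location in a JSON manifest so the file can be restored."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.manifest = self.root / "manifest.json"
        if not self.manifest.exists():
            self.manifest.write_text("{}")

    def quarantine(self, path):
        src = Path(path).resolve()
        digest = sha256_of(src)
        dest = self.root / digest
        shutil.move(str(src), str(dest))
        dest.chmod(0o600)  # the stored copy is evidence, never executable
        entries = json.loads(self.manifest.read_text())
        entries[digest] = str(src)
        self.manifest.write_text(json.dumps(entries, indent=2))
        return digest

    def restore(self, digest):
        entries = json.loads(self.manifest.read_text())
        original = Path(entries.pop(digest))
        shutil.move(str(self.root / digest), str(original))
        self.manifest.write_text(json.dumps(entries, indent=2))
        return original


def remediate(path, signer, policy, store):
    """Resolve one file's verdict; quarantine it only if the verdict is MALWARE."""
    digest, verdict, source = resolve_verdict(path, signer, policy)
    if verdict is Verdict.MALWARE:
        store.quarantine(path)
    return {"sha256": digest, "verdict": verdict, "source": source,
            "quarantined": verdict is Verdict.MALWARE}


def demo():
    """Constructed scenario: four files, each decided by a different source."""
    work = Path(tempfile.mkdtemp())
    names = ["installer.exe", "vendor-update.exe", "dropper.exe", "unknown.exe"]
    for name in names:
        (work / name).write_bytes(b"MZ " + name.encode())  # constructed stand-in binaries
    policy = Policy(
        hash_control={sha256_of(work / "installer.exe"): Verdict.BENIGN},
        trusted_signers={"Example Vendor Inc."},
        wildfire={sha256_of(work / "dropper.exe"): Verdict.MALWARE},
        local_analysis=lambda path: Verdict.MALWARE,  # the model flags anything unknown here
    )
    store = Quarantine(work / "quarantine")
    signers = {"vendor-update.exe": "Example Vendor Inc."}  # assumed signer identities
    results = {n: remediate(work / n, signers.get(n), policy, store) for n in names}
    restored = store.restore(results["unknown.exe"]["sha256"])  # analyst clears a false positive
    results["unknown_restored"] = restored.exists()
    shutil.rmtree(work)
    return results
```

Two points the resolver makes visible: a local-analysis verdict is provisional and should be re-resolved when an updated WildFire verdict arrives, and the trusted-signer branch returns BENIGN without consulting the model at all, which is exactly why the signer list deserves the same review as a hash allow-list.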

Want More?

Here are a few resources to add to your Traps v3.4 reading list!

  • New Features Guide: Your go-to resource for all the new features in Traps v3.4.
  • Administrator’s Guide: Contains installation procedures and configuration workflows to get you up and running quickly.
  • Release Notes: Provides important information about the Traps advanced endpoint protection v3.4 software including known issues and limitations.

Pro tip: On the documentation search, use the facet to filter results for only documentation about Traps v3.4.

[Palo Alto Networks Research Center]

AutoFocus: Your Answer to Actionable Threat Intelligence

Threat intelligence involves learning about new attacks, adversaries, campaigns, and malware families through distinct pieces of information often referred to as indicators of compromise, or IOCs. The more relevant information we make available to network defenders, the better the odds that they will find answers to their questions. One key consideration for leveraging threat intelligence to improve an organization’s security posture is that the organization must be able to turn that intelligence into new prevention-based controls quickly.

Threat intelligence has traditionally been used by the incident response teams of security operations centers. As security awareness expands in organizations of all sizes, more people want to know which alerts should be prioritized and which threats the organization is actually exposed to. Who are the threat actors? There is a big difference between commodity and targeted attacks. Answering these questions can lead you to implement new controls that better secure the environment.

Enter AutoFocus. AutoFocus is the Palo Alto Networks threat intelligence service, which provides a window into billions of samples and threat artifacts collected from and correlated within our Threat Intelligence Cloud, including results from global WildFire data. The information allows security teams to quickly identify targeted threats and pivot to relevant IOCs, accelerating their analysis and response workflows. AutoFocus complements the Palo Alto Networks Next-Generation Security Platform, enabling searches from your Palo Alto Networks appliances into AutoFocus, or from AutoFocus into your Palo Alto Networks appliances. There is also an API that exposes the data and feeds third-party security solutions. This level of usability means that a threat research team isn’t necessary to make use of the data: anyone responsible for handling security incidents in the environment can use what AutoFocus provides.

In this post, we will explore a use case that will enable security operators to quickly identify what happened during an incident and to take action.

Searching From AutoFocus

Unit 42 is the Palo Alto Networks threat intelligence team that provides AutoFocus users access to world-class human intelligence, even if they don’t have a research team of their own. Unit 42 contributes to the AutoFocus community by researching malware families, campaigns, adversaries, exploits and malicious behaviors, and by compiling indicators of compromise into durable tags to identify malicious events.

To get started, it may be interesting to navigate through some of the research already done by Unit 42. Let’s assume Locky is something we have not investigated yet. By selecting this tag, we can get information about the research done by Unit 42 on this malware family.

Drilling into Locky provides us with all the search attributes associated with this tag. We can see that Locky is a ransomware payload, which encrypts sensitive files or systems and holds them for ransom until the victim pays the attacker. We also see that Locky is typically dropped by Dridex actors, which gives us a better idea of who is likely to be behind the attack. Ransomware is typically more of a commodity type of crime, in which the attacker’s goal is to get as many systems encrypted as possible, driving profits from their malicious activity.

Selecting “Add Tag” to “Search” will bring up the results of a query that includes samples, sessions, statistics, and much more information about the malware. You can search through samples of data that came from devices owned by your organization via WildFire. You can also see samples made public by other organizations, dramatically broadening the lens.

This allows you to gain visibility into threats not directly observed by your organization, taking advantage of the community of WildFire and AutoFocus users. In this case, we will pivot into “Public” samples to further analyze the Locky ransomware.

Finding over 7,000 variants seems daunting. It also demonstrates that file-hash-only identification is no longer practical. By drilling into the samples, we can see that there are patterns in the malware. These are the same similarities that Unit 42 used to create the tag. The infrastructure the malware uses and most of what it does to the system once installed are the same from one deployment to the next; what varies is mainly the file itself, which is altered by a few bytes between builds so that each copy has a new hash and slips past hash-based detection.

By drilling into one of the hashes, we can see everything that WildFire observed when detonating this malicious software on Windows® XP and Windows 7. From there we can drill into individual indicators of compromise and search our own appliances for evidence, as well as create new protections for specific high-value IOCs, such as IP address, DNS or URLs.

The remote search function allows you to add search filters specifically designed for Palo Alto Networks security appliances. You will first be prompted to choose which of your appliances to search, and the console for the selected appliances then launches with the search filters already in place.

In this case, we have selected our Panorama instance. Since the logs from all security appliances are being forwarded, we will have visibility into the entire network with one search.

When we search through all the various types of logs in Panorama, we are looking for a specific command and control server as the destination. The good news is that the search returns nothing: no appliance has logged a connection to the Locky command and control server, so we have no evidence of an active infection in the organization. A negative search is only as strong as the logs behind it, though. It covers the retention window of the appliances that forward to Panorama and the indicators we chose, so a host that has not yet called home, or one that uses infrastructure we did not search for, would not show up here.
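The search described above, looking through forwarded logs for the command and control destination, is the step worth automating once you have more than one indicator to check. The following Python is an added example and not AutoFocus or Panorama code: it runs a small constructed IOC set (IP, domain and URL indicators drawn from documentation address ranges, not real Locky infrastructure) over a constructed, simplified CSV log export and reports every row that touches an indicator plus the internal hosts to triage. The column layout is a simplified stand-in for a Panorama export, not the product’s schema, and the function names are assumptions.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed IOC set for illustration only: documentation-range addresses and
# names, not real Locky infrastructure.
IOCS = {
    "ip": {"203.0.113.10", "198.51.100.7"},
    "domain": {"c2.example.net"},
    "url": {"http://c2.example.net/upload/_dispatch.php"},
}

# Constructed log export. The columns are a simplified stand-in for a Panorama
# CSV export, not the product's actual field layout.
SAMPLE_LOGS = """\
type,receive_time,src,dst,dport,app,url
TRAFFIC,2016/09/02 10:01:12,10.1.4.22,203.0.113.10,80,web-browsing,
TRAFFIC,2016/09/02 10:01:40,10.1.4.23,192.0.2.50,443,ssl,
URL,2016/09/02 10:02:05,10.1.4.22,203.0.113.10,80,web-browsing,http://c2.example.net/upload/_dispatch.php
URL,2016/09/02 10:03:11,10.1.4.31,198.51.100.200,80,web-browsing,http://updates.example.org/index.html
TRAFFIC,2016/09/02 10:04:00,10.1.4.40,198.51.100.7,8080,unknown-tcp,
"""


def normalize_url(url):
    """Compare URLs on lower-cased host plus path so case and scheme noise in
    the logs do not hide an exact-URL indicator."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host + path


def match_iocs(csv_text, iocs):
    """Walk each log row and report every indicator it matches.
    Each hit is (indicator_type, indicator, src, dst, receive_time)."""
    url_set = {normalize_url(u) for u in iocs["url"]}
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst, when = row["src"], row["dst"], row["receive_time"]
        if dst in iocs["ip"]:
            hits.append(("ip", dst, src, dst, when))
        url = row.get("url") or ""
        if not url:
            continue  # traffic rows carry no URL; only the destination was checked
        host = (urlsplit(url).hostname or "").lower()
        if host in iocs["domain"]:
            hits.append(("domain", host, src, dst, when))
        if normalize_url(url) in url_set:
            hits.append(("url", url, src, dst, when))
    return hits


def suspect_hosts(hits):
    """Internal sources that touched any indicator, for endpoint follow-up."""
    return sorted({h[2] for h in hits})


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS, IOCS)
    for hit in found:
        print("%-6s %-45s src=%s dst=%s at %s" % hit)
    print("hosts to triage:", suspect_hosts(found))
```

Reading a negative result correctly is the practitioner’s caveat: no hits means no logged connection to those indicators within the retention window of the appliances that forward to Panorama. A host that has not yet called home, one that resolves the domain to an address outside the list, or traffic from a segment that is not forwarding logs would all produce the same empty result, so pair the search with a DNS-log search for the domain and an endpoint check on any suspect host.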

[Palo Alto Networks Research Center]

COBIT: The Road Ahead

1996 had its share of significant events. The first flip phone, the Motorola StarTAC, went on sale. The Czech Republic applied for European Union membership. Australia defeated Sri Lanka 2-0 to win cricket’s World Series Cup. The first version of the Java programming language was released. The massive Internet collaboration “24 Hours in Cyberspace” took place. IBM computer Deep Blue became the first computer to win a game of chess against a reigning (human) chess champion. Excel Communications Inc. became the youngest company ever to join the New York Stock Exchange. Intel released the 200 MHz Pentium chip. And ISACA published the first edition of what was then called Control Objectives for Information and related Technology, or COBIT, as its typography was styled at the time.
Of course, at the time it was released, no one knew it would be just the first of several versions of COBIT. Nor did they foresee that it would undergo continuous evolution to make it ever more relevant and useful to practitioners seeking to control organizational information and the technology that processed, manipulated and stored it. Neither could anyone have anticipated the level of acceptance and use COBIT would achieve, as it was increasingly used—alone or in combination with other frameworks or in-house solutions—in governments and companies large and small worldwide.

COBIT 5: A New Framework for a New World

Since its release, COBIT 5 has been downloaded tens of thousands of times, has been widely discussed on social media, and has been prescribed for use by national governments and municipalities alike. Likewise, the impetus for use of COBIT has evolved from just supporting internal audit to a means of organizing multiple frameworks (including regulatory frameworks) and as a means for connecting overall enterprise objectives to the governance and management of IT assets.
The traditional use of COBIT has been to assist companies with their compliance and assurance needs, but those needs exist outside of just for-profit companies. For example, the government of South Africa has mandated the use of COBIT among municipalities.1 The intent is to exercise proper control over the use of scarce IT resources to ensure delivery of value to those served. Municipalities are expected to use COBIT to align their goals for the use of IT assets with the requirements of the local governments.

In May 2006, the government of Turkey mandated the use of COBIT for banks operating within Turkey.2 The Banking Regulation and Supervision Agency of Turkey (BRSA) mandated that all banks operating in Turkey must adopt COBIT’s best practices when managing IT-related processes. The result of this legal requirement has been that internal auditors and bank management have put into place resources based on the process descriptions used in COBIT. Compliance reports are now submitted to government officials to demonstrate adherence to COBIT process and practice descriptions. There have been other government mandates for the use of COBIT in Costa Rica and Nigeria.
These uses were not foreseen, but they are understandable, natural extensions of the framework. The potential for a comprehensive framework is to use it to administer resources such that greater efficiency and effectiveness are realized and value is created for stakeholders. IT resources are ubiquitous, and the potential for IT spending without clear alignment to overall strategic aims is high. That risk of misalignment is a control issue.

Fast Change, Faster Response

One area where this issue is particularly impactful is in the arena of new and emerging technologies—particularly those that have a high potential for “shadow IT” adoption (i.e., adoption without central oversight such as by IT or another organization). In many cases, an enterprise can become aware that users have begun adopting a new technology only after that technology has begun to proliferate throughout the enterprise as a whole.
When that happens, resources can be consumed in a way that neither aligns with enterprise requirements nor directly or indirectly advances the prioritized goals of the enterprise. This is obviously undesirable, as it can divert time and attention away from those activities and investments that do tie directly to those goals and anticipated or desired outcomes. The issue is further compounded because, in many cases, senior management is unaware that this resource strain is even occurring. Cloud services (in particular, software as a service [SaaS]), mobile technologies (whether bring your own device [BYOD] or otherwise) and social media are all examples. It does not take an extraordinary level of insight to see that these disruptive changes, when adopted without a workmanlike and disciplined approach, can open areas of risk, introduce inefficiencies and spark other undesirable outcomes.
COBIT already provides the means to manage technology resources no matter their origination, purpose, internal user community or other defining factors. Organizations can already adopt and apply COBIT 5 (as it exists right now) in such a way that all technology use is deployed, managed, measured, and otherwise aligned with stakeholder needs and business goals. This puts organizations in the position of being able to lessen the potential disruptive impact of new technology, better manage and control risk, and directly measure the value to the business (even of “shadow IT”) against the business value provided through the use of new technologies. Looking forward, though, a primary area of further growth for COBIT lies in the ability of the framework to provide value as the pace of change accelerates and as operational technology and traditional IT merge.

Governance

It does not take a rocket scientist or an especially astute prognosticator to be able to state a few things with confidence about where enterprise technology use is heading in light of the trends we are seeing in the marketplace already. First, we can state with confidence that a proliferation of devices will likely occur as the Internet of Things (IoT) continues to expand. Likewise, we know that certain sectors that have specialized operational technology (i.e., the clinical network of a health care provider, industrial control systems, specialized networks used for telecommunications, broadcasting or other industries that require high-speed or specialized transmission) are likely to see their existing specialized technology use continue and, in fact, become even more specialized in supporting the way that they do business tomorrow.
While the COBIT framework can be used already to address these challenges head on, there are opportunities to provide more and better guidance to practitioners about how, specifically, to do this. For example, specialized supporting artifacts and tools to build upon the COBIT framework can provide immediate value to the practitioner so they are not “reinventing the wheel” separately from enterprise to enterprise. Tools that are immediately practical to the professional in the field—such as templates to support deliverable creation and reporting; governance artifacts such as policy examples and templates; and tools that support measuring effectiveness, managing risk or other activities to support robust governance—are a necessity given the pace at which technology use evolves and the likely even more rapid pace at which it will evolve tomorrow.
These items and others that directly target an increase in the practical value of the framework to the practitioner are on the forefront of the COBIT research agenda. Just as COBIT evolved over the last 20 years to meet the changing landscape of enterprise and become a framework for systematic governance of enterprise IT (GEIT), the future will mean continued evolution to address a systematic framework for governance as “information technology” becomes just “technology”—as usage and scope expand beyond the borders of the IT department and become embedded in the fabric of the business more generally. Likewise, as the alacrity of change (and the pace of disruption that occurs as a result) continues to increase, the framework will continue to evolve to meet those needs.

Peter Tessin, CISA, CRISC, CGEIT

Is a technical research manager at ISACA where he has been project manager for COBIT 5 and has led the development of other COBIT 5-related publications, white papers and articles. He also played a central role in the design of the COBIT online web site. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm where he led client engagements and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and auditor. He has worked in many countries outside of his native US including Canada, Mexico, Germany, Italy, France, UK and Australia.

[ISACA – COBIT Focus]

Audit: A Key Success Factor

Why is it that some companies succeed and others fail? There is a general consensus that certain things are common among successful companies. We call these things key success factors. Key success factors are essential attributes that are critical to an organization reaching its business goals.

There is no agreed-upon list of success factors because they vary depending on the nature of the business, among other things. Some business experts would say good, productive employees are a key success factor. Others believe keeping loyal customers is a critical factor. Still others would submit that having clear policies and procedures is how organizations succeed.

I would not disagree with any of these. However, as a Certified Information Systems Auditor (CISA) and a former IT auditor and manager, I would suggest that having an effective audit function is critical to the success of a business. The purpose of an audit is to evaluate an entity, such as a policy, process or account, to ascertain if it meets a predetermined standard or criteria.

Cybersecurity Ripe for Audits
A successful audit should identify areas of the organization needing improvement, including those that are likely to be high risk. In today’s digital environment, cybersecurity is typically top of mind for company leaders. They often know enough to be concerned, but not enough to actually address those concerns. In other words, there is no question that cybersecurity is an area of high risk for most organizations, but how they should respond to this risk is unclear.

It is the job of the IT audit function to determine how the organization should respond to risks that are specific to their operation and then evaluate whether the response is appropriate based on auditing standards and best practices. One common response to mitigate risk is to implement countermeasures, also known as controls. In those situations it is the responsibility of the auditor to evaluate the effectiveness of the controls to determine if they will indeed work.

For example, business leaders often believe that a firewall is a sufficient response to cybersecurity concerns. Some questions IT auditors will ask in these situations include: What type of firewall is it? How has it been configured? How often are the rules reviewed and updated? The IT auditor will also inform senior management that a firewall is only one of many controls that should be considered when responding to the threat of a cyberattack.

While the audit team should be actively involved in the tactical procedures of auditing the company, a skilled audit team that partners with the board of directors and senior management will not only identify aspects of the company that need attention, but also develop an audit plan that supports the organization’s overall strategy and act as consultants to help move the company closer to its vision. Over time, with the ongoing involvement of the audit team on the tactical and strategic levels, the organization can certainly count audit as one of its key success factors.

Note: For more on auditing cybersecurity, view this article in @ISACA.com.

Paul Phillips, Technical Research Manager, ISACA

[ISACA Now Blog]

Which Approach Is Better When Choosing a CASB? API or Proxy? How About Both?

There have been recent articles and blog posts arguing that the API approach is better than the proxy approach when it comes to selecting a cloud access security broker (CASB). The argument doesn’t really make sense at all. Both surely have their advantages and disadvantages, but each covers unique use cases and while you could certainly select a CASB that supports one versus the other, why not choose a CASB that offers both so you have the option to combine the two and address expanded use cases?

Pitting one against the other is like comparing a spoon vs. a fork. A spoon was designed to hold softer food in addition to liquid so you can place it in your mouth and eat a meal. Spoons come in various sizes depending on the application. In a similar fashion, an API deployment method is primarily focused on a set of specific use cases that includes being able to inspect content in sanctioned cloud apps and support for out-of-band policies such as restrict access, revoke shares, quarantine, and encrypt.

A fork, on the other hand, was designed primarily to grab and hold solid foods for eating. That is a job that the spoon cannot do. In a similar fashion, a proxy deployment method is primarily focused on a specific set of use cases around providing real-time visibility and control over cloud traffic and, depending on the type of proxy, you can cover both sanctioned and unsanctioned cloud apps in real time. Real-time control and coverage of unsanctioned cloud apps are not possible with an API deployment method. In addition to use cases, there is the comparison of effort to deploy and use. You can argue that a fork requires a bit more care than a spoon. You might not give that fork to a toddler, for example, but a spoon would be less risky, with the trade-off of course that they might have a hard time eating their vegetables with that spoon. Similarly, a proxy requires an inline deployment, and a forward proxy specifically requires extra configuration and care. The effort can be worth it given the use cases.

Let’s get back to my original question: why choose one over the other? Choose a CASB that covers both an API method of deployment and multiple proxy methods of deployment. You can choose only one or combine them to expand your use case coverage. Should we start calling API + Proxy a spork?

Here is a table that compares use case coverage for API vs Proxy to help you make the decision which one to choose or perhaps choose both.

Bob Gilbert, Vice President/Product Marketing, Netskope

[Cloud Security Alliance Blog]
