Traps v3.4: New Features Help Prevent Cyberattacks on Banks

In recent months, reports of several breaches at SWIFT (Society for Worldwide Interbank Financial Telecommunications) member banks have come to light. Across these incidents, local security was compromised, and valid credentials were stolen and used to initiate fraudulent transfers.

These attacks bear the hallmarks of an account takeover (ATO), in which a cybercriminal impersonates a valid customer. Some of the best practices to combat ATO include patching security vulnerabilities, network segmentation, and multi-factor authentication. Among financial institutions, especially the larger ones, timely software patching has been a challenge due to rigorous testing requirements, limited change windows, and the sheer quantity and geographically dispersed nature of the laptops, desktops and servers. Although there is growing interest in network segmentation for cybersecurity, actual implementations are rare, as most institutions still have flat networks. Multi-factor authentication is common for remote access to the corporate network but is atypical inside the perimeter.

Combating ATO Attacks

Since some of the best practices to address ATO tactics are not in place at many financial institutions, another approach is to use advanced endpoint protection on the laptops, desktops and servers themselves. These devices are the focus of at least two phases of the typical cyberattack lifecycle. End users and their devices are targeted by spear-phishing, drive-by downloads and social engineering. Exploits and malware are introduced to compromise the endpoint. The cybercriminal then uses this as a beachhead to hunt for valuable information or compromise other vulnerable systems (servers) within the network. In financial institutions, antivirus solutions have been a staple for many years on endpoint devices but have proven to be ineffective in protecting them as security breaches are still on the rise.

Multi-Method Prevention

Thanks to recent enhancements, Traps (version 3.4) now uses a multi-method prevention approach that combines the most effective, purpose-built malware and exploit prevention methods to protect endpoints from known and unknown threats. As financial institutions continue to be a favorite target for cyberattacks, improving advanced endpoint protection is well worthwhile. Traps prevents end users from inadvertently running malware or exploits that compromise their systems.

Traps multi-method prevention for malware includes the following five techniques.

  1. Static Analysis via Machine Learning: This method delivers an instantaneous verdict on any unknown executable file before it is allowed to run. By examining hundreds of the file’s characteristics in a fraction of a second, this method determines if it is likely to be malicious or benign without reliance on signatures, scanning or behavioral analysis.
  2. WildFire Inspection and Analysis: Traps works in concert with WildFire to determine whether an executable file is malicious. WildFire can eliminate the threat of the unknown by transforming it into a known threat, in about 5 minutes. The automatic reprogramming of Traps, and the conversion of threat intelligence into prevention, all but eliminates the opportunity for an attacker to use unknown and advanced malware to infect a system.
  3. Trusted Publisher Execution Restrictions: This method allows organizations to identify executable files that are among the “unknown good” because they are published and digitally signed by entities that Palo Alto Networks recognizes as reputable software publishers.
  4. Policy-Based Execution Restrictions: Organizations can easily define policies to restrict specific execution scenarios, thereby reducing the attack surface of any environment. An example would be to prevent the execution of a particular file type directly from a USB drive.
  5. Admin Override Policies: This method allows organizations to define policies, based on the hash of an executable file, to control what is allowed to run in any environment and what is not.

For multi-method exploit prevention, Traps provides the following approaches:

  1. Memory Corruption/Manipulation Prevention: Memory corruption is a category of exploitation techniques where the exploit manipulates the operating system’s normal memory management mechanisms for the application opening the weaponized data file that contains the exploit. This prevention method recognizes and stops these exploitation techniques before they have a chance to subvert the application.
  2. Logic Flaw Prevention: Logic flaw is a category of exploitation techniques that allow the exploit to manipulate the operating system’s normal processes, which are used to support and execute the target application opening the weaponized data file. For example, the exploit may alter the location where dynamic link libraries (DLLs) are loaded from into an application’s execution environment so that the exploit’s malicious DLLs can replace legitimate ones. This prevention method recognizes these exploitation techniques and stops them before they succeed.
  3. Malicious Code Execution Prevention: In most cases, the end goal of an exploit is to execute some arbitrary code — the attacker’s commands that are embedded in the exploit data file. This prevention method recognizes the exploitation techniques that allow the attacker’s malicious code to execute and blocks them before they succeed.

Additionally, Traps is now able to quarantine malicious executable files to stop any further propagation, and allows organizations to prevent non-malicious but otherwise undesirable software (e.g., adware) from executing.

In Lieu of Patch Management

As stated earlier, software patch management of endpoints is an ongoing challenge for financial institutions. This is further exacerbated by the sheer volume of ATMs that also need to be patched. Although efforts were launched to upgrade or replace ATMs based on Windows XP, which has been unsupported since April 2014, it would not be surprising to see some of these ATMs still in service today. (As of April 2015, an estimated 75%, or 2.2 million, of the world’s ATMs still ran Windows XP.) To protect those ATMs that have yet to or won’t be upgraded, Traps can be installed as a compensating control to prevent the exploitation of both known and unknown vulnerabilities. Traps would also provide the same benefit to other systems that are behind in or no longer eligible for software patching.

In Lieu of or Addition to Network Segmentation

In many financial institutions, ATMs are not truly segmented from the rest of the corporate network. As mentioned earlier, many financial institutions still have flat and open internal networks. Network segmentation is highly recommended and would certainly help limit the exposure in the event of a compromise. However, yet another layer of defense is advanced endpoint protection for the laptops, desktops and servers. Traps, with its multi-method prevention approach, stops the techniques at the core of these attacks, instead of focusing on the millions of unique malware and exploit samples themselves. Consequently, Traps prevents sophisticated, targeted and never-before-seen attacks from compromising an endpoint. At the end of the day, the endpoints hold the resources (e.g., confidential data, customer PII, and financial transactions) that are most interesting to the cyber attackers. Protecting the endpoints from compromise is a foundation of a sound cybersecurity policy and a cornerstone of the Palo Alto Networks Next-Generation Security Platform.

Secure Your Endpoints

By bridging the communication gap between the endpoint and the network, and by integrating with the WildFire unknown malware analysis environment to increase visibility, Traps prevents new threats from compromising an endpoint. Traps integration with the Palo Alto Networks Next-Generation Security Platform allows organizations to continuously share the growing threat intelligence gained from thousands of enterprise customers, across both their networks and endpoints, to coordinate prevention and response. So whether your financial institution has implemented one or more of the best practices to address ATO attacks, give some further consideration to the ability of Traps to prevent endpoint cyber breaches by blocking both known and unknown threats.

Learn more:

[Palo Alto Networks Research Center]

Opportunity for Young People

In recent years, many young people have felt disenfranchised and robbed of opportunities to pursue career ambitions. This sits in contrast to the fast-developing field of cybersecurity, where hiring managers regularly report staff shortages and lead times of over six months to fill positions.

Cybersecurity is fundamental to the digital economy, but the (ISC)² Global Information Security Workforce Study forecasts a growing workforce shortage of 1.5 million by 2020. As cybersecurity is a relatively new discipline, most organisations look for a minimum of three to five years’ experience, as well as a good understanding of cybersecurity concepts for the roles they are creating. Newcomers struggle to get these roles as employers find it difficult to judge their instincts. Often only the largest employers can consider entry-level or graduate training, which only goes so far in meeting the needs of a growing digital economy. There are few opportunities for young people or the uninitiated to step into this career opportunity and meet the need.

Directed by our EMEA Advisory Council, we have been working with universities across the United Kingdom to both inspire interest in and improve access to our field. We take, as our model, established professions such as engineering, that support the development of three and four-year university courses. These not only teach fundamentals, but also serve as a filter for people who have the right instincts. Graduates move into a workplace that has a level of confidence in them, whilst the professional community supports their ongoing development. Our aim is to mature cybersecurity in this same manner.

Working with the Council of Professors and Heads of Computing (CPHC), our efforts brought industry, academia, professional bodies and several government departments together to define Principles and Learning Outcomes for undergraduate computing science degrees (published in June 2015). Realising their importance, BCS, the Chartered Institute for IT, a key participant, immediately included the Principles within their degree accreditation guidelines. Cybersecurity is now a mandatory component of most computing science degrees in the U.K., affecting 20,000 new graduates a year.

Publication was followed by a curriculum development roadshow this year supported by the U.K. Office of Cyber Security and Information Assurance (Cabinet Office), where a real will to champion and embed cybersecurity concepts more comprehensively was expressed by 60 of the approximately 100 U.K. universities that teach computing science. Not everyone who pursues a computing science degree will choose a career in cybersecurity. This effort aims to address a breadth of need and motivate the development of a cyber-competent society, including interested and skilled individuals who will be able to secure it. It will also boost employer confidence in graduates with inherent instincts for security as they pursue careers in IT.

The ambition doesn’t stop with computing science: there is now interest in integrating cybersecurity in business degrees. Knowing the fundamentals of our field is becoming critical to nearly every professional vocation.

By Dr. Adrian Davis, CISSP, Managing Director, EMEA, (ISC)²

[(ISC)² Blog]

Cloud Security Alliance Announces Strong Line Up of Trainings and Working Group Sessions Scheduled for Privacy. Security. Risk. 2016 Conference

Presented by CSA Congress and IAPP Privacy Academy, Event to Provide Forum for Professionals to Expand Education and Collaborative Work in IoT, Containerization, Privacy Audits, Threat Intelligence and Privacy Risk Analysis

San Jose, CA – August 8, 2016 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released its schedule of workshops and CSA Working Group sessions taking place in conjunction with the upcoming Privacy. Security. Risk. 2016 conference scheduled for September 13-16 at the San Jose Convention Center. Presented by CSA Congress and IAPP Privacy Academy, the workshops and working group sessions will provide attendees with advanced knowledge and collaboration opportunities on some of the most forward-looking cloud computing technologies, initiatives and global concerns.

This year’s workshop schedule includes the following:

  • Software Assurance: Putting Industry Best Practices into Action
  • Cloud Controls Matrix Foundation Workshop
  • Cloud Security and Privacy Audits: A 360-Degree Crash Course
  • Meeting the Challenges of Privacy, Security and Compliance in the Cloud

“This year, we have worked to design a training track that will provide attendees with valuable knowledge, no matter where they are in their cloud adoption, to better understand and tackle some of the top challenges and concerns organizations are facing when implementing and managing cloud technology,” said J.R. Santos, Executive Vice President of Research at the CSA. “These workshops are designed to really get to the heart of the matter at a deeper level and in an intimate setting that naturally fosters knowledge building, idea exchange and problem solving.”

All workshops are scheduled to take place on Wednesday, September 14 and are offered at an additional cost to the main conference. For more information and to register visit: https://my.iapp.org/nc__event?id=a0l1a000000nBgQAAU.

Aside from the workshops, Privacy. Security. Risk. 2016 will serve as host to a number of important CSA Working Group sessions where CSA members will look to collaborate on and move forward with a number of important research and guidance efforts on behalf of the CSA. Scheduled for Tuesday, September 13 at the Blossom Hill Room at San Jose Marriot, CSA Working Groups scheduled to meet include:

  • Containerization
  • Internet of Things
  • Mobile Application Security Testing Initiative
  • Open API
  • Open Certification Framework
  • Quantum Safe Security
  • Security as a Service
  • New Research Working Groups: Blockchain & Data Center Security

Participation in the working group sessions is free and open to all CSA members. For schedule information and to register to attend a session visit: https://www.eventbank.com/event/683/.

Presented by the IAPP Privacy Academy and CSA Congress, the P.S.R. Conference, now in its third year, is expected to draw approximately 1,500 privacy and cloud security professionals. The event brings together two related fields, privacy and security, with important perspective to help practitioners excel in their role. The event aims to deliver the most thought-provoking speakers and sessions led by the foremost experts and provides invaluable opportunities to connect and share ideas. The joint event will provide attendees with more than double the education and networking opportunities with the leading innovators and practitioners in technology, security and privacy for the price of a single conference.

Registration is now open and with an early registration discount of $200 available until August 19. The most current conference program can be found at https://iapp.org/conference/privacy-security-risk-2016/sessions-psr16/.

WHAT: Cloud Security Alliance Congress US 2016 at P.S.R.
WHEN: Workshops: September 13-14; Conference: September 15-16, 9:00 am – 5:00 pm
WHERE: San Jose Marriott and San Jose Convention Center
ATTENDEE REGISTRATION: https://my.iapp.org/nc__event?id=a0l1a000000nBgQAAU
MEDIA REGISTRATION: kari@zagcommunications.com

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA has developed the definitive best practices for the industry, such as the “Security Guidance for Critical Areas of Focus in Cloud Computing”, the “Cloud Controls Matrix”, “Top Threats to Cloud Computing” and 50 other cloud security research artifacts. For further information, visit us at www.cloudsecurityalliance.org.

About the IAPP

The International Association of Privacy Professionals is the world’s largest association of privacy professionals with more than 25,000 members across 86 countries. The IAPP is a not-for-profit association that helps to define and support the privacy profession globally. More information about the IAPP is available at www.iapp.org.

Media Contact
Kari Walker
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

New Traps v3.4 Features Improve Protection in Healthcare Environments

With all the recent ransomware attacks, the healthcare industry can use some help in the area of endpoint security. As we’ve seen in the past few months in ransomware attacks on hospitals in Washington, California and Kentucky, malware and software exploits are commonly used together by malware operators to deliver a payload and compromise a system or, worse, a group of systems at the same time. As part of the Palo Alto Networks Next-Generation Security Platform, Traps advanced endpoint protection plays a key role in a cyberattack prevention strategy by preventing malware and exploits. Traps was recently enhanced and now uses a “multi-method prevention” approach that combines the most effective, purpose-built malware and exploit prevention methods to protect endpoints from known and unknown threats.

Let’s look at Traps capabilities and highlight several new ones recently added to Traps v3.4 that eliminate the need for a traditional antivirus, and are especially beneficial to healthcare organizations.

Traps multi-method prevention for malware incorporates the following five techniques:

  1. Static Analysis via Machine Learning (new for v3.4): This malware prevention method evaluates an executable file before it is allowed to run by examining several characteristics of the file itself to determine if it is likely to be malicious or benign. The threat intelligence available through WildFire is used to train a machine learning model to recognize malware, especially variants that have never been seen before, with high accuracy.

Medical practitioners are increasingly working remotely and disconnected from the hospital network. For this reason, this new local analysis method is especially effective in healthcare environments: an offline device cannot take advantage of the prevention methods that depend on WildFire, but it can still get a local verdict.

  2. Quarantine of malicious executables (new for v3.4): Prior versions of Traps killed malicious processes. Traps v3.4 now immediately removes malicious files to prevent further propagation or execution attempts of infected files.
  3. WildFire Inspection and Analysis: Traps works with WildFire to determine whether an executable file is malicious. WildFire can eliminate the threat of the unknown by transforming it into a known threat, in about 300 seconds. The automatic reprogramming of Traps, and the conversion of threat intelligence into prevention, all but eliminates the opportunity for an attacker to use unknown and advanced malware to infect a system.
  4. Trusted Publisher Execution Restrictions (new for v3.4): This malware prevention method allows healthcare organizations to identify executable files that are among the “unknown good” because they are published and digitally signed by trusted publishers, or entities that Palo Alto Networks recognizes as reputable software publishers (e.g., Microsoft). These executable files are considered benign and, therefore, allowed to run.

Hospitals will often have a number of self-signed applications in their environment. Now you can optionally choose to trust certain otherwise-untrusted signers (such as your local signing authority). Any unsigned apps, or apps from signers you do not trust, are still tested with the other capabilities, such as WildFire and local analysis.

  5. Policy-Based Execution Restrictions: Healthcare organizations can easily define policies to restrict specific execution scenarios, thereby reducing the attack surface of any environment. An example would be to prevent the execution of a particular file type directly from a USB drive.
  6. Admin Override Policies: This method allows healthcare organizations to define policies, based on the hash of an executable file, to control what is allowed to run in any environment and what is not.
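To make the layering of these malware prevention methods (and the same five listed in the banking post above) concrete, here is an added example of an execution-policy evaluator; it is not Traps code and does not reproduce the product's real ordering. The precedence (admin hash overrides, then policy restrictions, then trusted publishers, then local static analysis, then WildFire) and the `Executable`, `Policy` and `evaluate` names are assumptions, the verdict tables stand in for the ML model and the cloud lookup, and the sample files are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

ALLOW, BLOCK, QUARANTINE = "allow", "block", "quarantine"   # quarantine = block and remove the file


@dataclass
class Executable:
    path: str
    content: bytes                   # constructed sample bytes; a real agent would read the file
    signer: Optional[str] = None     # subject of a valid code-signing certificate, None if unsigned
    from_removable_media: bool = False

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    hash_allow: Set[str] = field(default_factory=set)            # admin override: always run
    hash_block: Set[str] = field(default_factory=set)            # admin override: never run
    trusted_publishers: Set[str] = field(default_factory=set)    # vendor list plus admin-added signers
    blocked_on_removable: Set[str] = field(default_factory=set)  # file types that may not run from USB
    block_grayware: bool = True                                  # also stop adware-class software


# A verdict source maps a SHA-256 to "benign", "malware", "grayware" or None (no verdict / unreachable).
VerdictSource = Callable[[str], Optional[str]]


def evaluate(exe: Executable, policy: Policy, local_analysis: VerdictSource,
             wildfire: VerdictSource) -> Tuple[str, str]:
    """Hypothetical precedence: admin hash overrides, execution restrictions, trusted publisher,
    local static analysis (works offline), then WildFire. Returns (verdict, reason)."""
    h = exe.sha256
    if h in policy.hash_block:
        return QUARANTINE, "admin override: hash blocked"
    if h in policy.hash_allow:
        return ALLOW, "admin override: hash allowed"
    ext = exe.path.rsplit(".", 1)[-1].lower()
    if exe.from_removable_media and ext in policy.blocked_on_removable:
        return BLOCK, f"policy: .{ext} may not run from removable media"
    if exe.signer in policy.trusted_publishers:
        return ALLOW, f"trusted publisher: {exe.signer}"
    verdict = None
    for source, fn in (("local static analysis", local_analysis), ("WildFire", wildfire)):
        verdict = fn(h)              # local verdict first: instantaneous and needs no cloud round trip
        if verdict == "malware":
            return QUARANTINE, f"{source}: malware"
        if verdict == "grayware" and policy.block_grayware:
            return BLOCK, f"{source}: grayware"
    if verdict is None:              # unknown to WildFire or endpoint offline: local verdict only
        return ALLOW, "no WildFire verdict (unknown or offline), local analysis used"
    return ALLOW, "WildFire: benign"


def sample_decisions() -> Dict[str, Tuple[str, str]]:
    """Constructed samples; the last one runs on a disconnected endpoint (WildFire unreachable)."""
    cases = {
        "vendor_update": Executable("C:/Temp/update.exe", b"MZ-vendor", signer="Microsoft Corporation"),
        "blocked_tool": Executable("C:/Users/a/tool.exe", b"MZ-admin-blocked"),
        "usb_screensaver": Executable("E:/photos.scr", b"MZ-usb-scr", from_removable_media=True),
        "unknown_malware": Executable("C:/Users/a/invoice.exe", b"MZ-unknown-bad"),
        "adware": Executable("C:/Users/a/free.exe", b"MZ-adware"),
        "offline_unknown": Executable("C:/Users/a/new.exe", b"MZ-unknown-offline"),
    }
    policy = Policy(hash_block={cases["blocked_tool"].sha256},
                    trusted_publishers={"Microsoft Corporation", "Example Hospital Signing CA"},
                    blocked_on_removable={"scr", "exe"})
    local = {cases["unknown_malware"].sha256: "malware", cases["offline_unknown"].sha256: "benign"}.get
    cloud = {cases["adware"].sha256: "grayware"}.get             # everything else: no verdict yet
    return {name: evaluate(exe, policy, local, (lambda _h: None) if name == "offline_unknown" else cloud)
            for name, exe in cases.items()}
```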

Traps multi-method exploit prevention includes the following three approaches:

  1. Memory Corruption/Manipulation Prevention: Memory corruption is a category of exploitation techniques where the exploit manipulates the operating system’s normal memory management mechanisms for the application opening the weaponized data file that contains the exploit. This prevention method recognizes and stops these exploitation techniques before they have a chance to subvert the application.
  1. Logic Flaw Prevention: Logic flaw is a category of exploitation techniques that allow the exploit to manipulate the operating system’s normal processes that are used to support and execute the target application opening the weaponized data file. For example, the exploit may alter the location where dynamic link libraries (DLLs) are loaded from into an application’s execution environment so that the exploit’s malicious DLLs can replace legitimate ones. This prevention method recognizes these exploitation techniques and stops them before they succeed.
  1. Malicious Code Execution Prevention: In most cases, the end goal of an exploit is to execute some arbitrary code — the attacker’s commands that are embedded in the exploit data file. This prevention method recognizes the exploitation techniques that allow the attacker’s malicious code to execute and blocks them before they succeed.

Biggest Benefits of Using Traps in Healthcare Environments

  • Traps mitigates risks of EoL operating systems: Although efforts were launched in many hospitals to upgrade or replace end-of-life operating systems running on hospital workstations (Windows XP and Server 2003), there are still many in service today. Those machines most likely have not been removed yet due to application dependencies. Traps can be installed as a compensating control for EoL operating systems by preventing the exploitation of both known and unknown vulnerabilities.
  • Traps mitigates risks of falling behind in your patch management: Software patch management of endpoints is an ongoing challenge for healthcare institutions. Keeping up to date with the monthly Adobe Acrobat, Flash and Microsoft patches is a very complicated task and many fall behind. Although you should still patch monthly, Traps offers protection from exploitation of both known and unknown vulnerabilities in case you fall behind.
  • Traps may be accepted as a PCI compensating control: Many customers tell us that their PCI qualified security assessor (QSA) accepts Traps as a compensating control for unpatched systems. Talk to your QSA to see if they will accept it too.

Learn more about Traps:

[Palo Alto Networks Research Center]

A Powerful Combination: New Cyber Breach Prevention Offering

Palo Alto Networks, Accenture, Splunk, and Tanium have teamed up to create an advanced managed cyber defense offering that makes it easier, more efficient and effective to identify, prevent, detect, and respond to attacks.

Accenture has integrated the Palo Alto Networks Next-Generation Firewalls and Traps Advanced Endpoint Protection offering, Tanium’s endpoint visibility software, and Splunk Enterprise Security with its own operating model and cyber defense architecture to construct the new Accenture Cyber Defense Platform.

This combination of technologies will help organizations better defend their networks, protect their endpoints, gain insight into the security behaviors within their enterprise, and effectively automate breach detection, prevention, response and recovery efforts.

Incident response is often too little, too late to effectively deal with increasingly sophisticated attackers. This collaboration will help organizations transition to the necessary prevention-minded security approach, as well as expand visibility, enhance analytics capabilities, and protect from the latest cyberthreats.

To learn more, please visit the Accenture Cyber Defense Platform.

[Palo Alto Networks Research Center]
