Palo Alto Networks is happy to announce the availability of a new “Network Security Management for Dummies” book. It is the latest addition to a series of books that explain the ins and outs of network and cyber security – and it’s available to you for free.
Our new book focuses on the importance of deploying a network security management solution when managing multiple firewalls, multiple security vendors, or both.
In easy-to-read language the book explains market changes leading to the need for network security management, the requirements a good network security management product should meet, and profiles the security and operational benefits that can be derived from network security management.
On the highest level, today’s enterprise security deployments require a network security management solution that provides:
Centralized administration with automated and streamlined management and configuration processes.
Greater network visibility with comprehensive reporting across the entire network security environment.
Prioritization of critical threats to enable faster, more effective incident response.
Earlier this month, the Financial Services Information Sharing and Analysis Center (FS-ISAC) held its annual summit in Miami. Attended by over 1,100 individuals, this was a highly concentrated gathering of information security and information technology (IT) professionals from the financial services industry. At the FS-ISAC Summit, I had the opportunity to attend some sessions, speak with a number of attendees, and get a sense of what’s top of mind. In this post, I’ll touch on a few topics that cropped up on multiple occasions during my travels through the summit.
Public Cloud
At an Amazon Web Services (AWS) session, nearly half the audience raised their hands during an informal poll to see who was already using public cloud services. AWS stated that they have more than 1,000 customers from the financial services industry. In contrast, at a PriceWaterhouseCooopers (PwC) session, only a handful put their hands up in response to a question about whether the public cloud is more secure. So clearly, the financial services industry remains cautious about adopting the public cloud, but at the same time realizes that the benefits are too great to ignore.
The flexibility, near infinite scalability, and cost advantages of public cloud computing continue to resonate with CIOs as a means to provide IT services without the traditional delays and up-front capital investment required in private data centers. Ultimately, this translates into enabling the business to pursue competitive advantages in a timely fashion. This echoes my own experience in meeting with financial institutions. Many are conducting proofs of concepts with public cloud service providers to better understand the security implications and to sort out the processes and technologies required to safely use these services. However, other institutions remain on the sidelines with a “wait and see” attitude. Ultimately, the path forward for the financial services industry will entail migrating less sensitive workloads to the public cloud initially, but still with appropriate security controls in place.
Know Your Data
At the end of the day, your business critical data is the asset that needs to be protected. Consequently, an awareness of where it resides, who has access to it, and how it travels through your network is necessary. Unfortunately, knowledge of one’s own traffic and network is generally limited. In most cases, applications and their associated data traffic just spontaneously appear on the network. There’s generally no governance process for introducing new or modified data flows across the network. Besides being a problem for network capacity planning, the lack of visibility to new application traffic limits the ability to secure the environment.
To protect data, encryption at rest has become the new norm. However, that’s not sufficient. Visibility into how and where it flows during the course of normal business is critical. Armed with this knowledge, deviations from the baseline can be detected and even stopped with appropriate network segmentation. Of course, a process to govern new or changed application traffic flows will then be necessary to effect corresponding controls across the network. This approach enables the necessary business workflows, but would constrain unexpected traffic that is the hallmark of malicious actors. By limiting lateral movement within the network, the attack lifecycle of advanced threats is severely hampered, and further attacks can be prevented.
Post-Breach Plans
Several sessions mentioned the value of pre-defined plans to maintain business during a cybersecurity crisis, to coordinate response/remediation efforts, and to ensure appropriate, timely communication with the regulators, customers, employees, and the public. There is certainly an element of business continuity involved here, but the plans may also include having cyber breach attorneys and cyber forensic teams on retainer as supplemental resources. The post-breach plan would also need to be exercised periodically to ensure all parties understand their roles and any inter-dependencies between them. No one can argue against the wisdom of being prepared in the aftermath of a breach. However, taking measures up front to prevent the likelihood of a successful breach is at least as important. Although he surely wasn’t speaking about data breaches, Benjamin Franklin’s quote about an ounce of prevention can readily be applied here. By adopting a philosophy of prevention, institutions can improve their overall cybersecurity posture and reduce the likelihood of invoking their post-breach plans for an actual event. A balanced approach, to prevent, detect, and respond, would best serve the organization.
Palo Alto Networks Next-Generation Security Platform can protect financial institutions by preventing both known and unknown attacks. To learn more about how we secure the public cloud, how to apply network segmentation, and how to prevent successful breaches, please visit the following resources:
The good news is that there are numerous best practices that can help prepare your network and endpoints for a potential ransomware attack that targets your unwitting employees and/or contractors to gain access to your assets.
The basics: Ransomware is malware that encrypts your files and uses that encryption to restrict access to your (or any other victim’s) files or systems until the victim pays the ransom for the key to decrypt those files.
How does it get delivered: Like all of those other phishing emails you’ve been training your employees to delete, ransomware relies on the same social engineering technique to fool your users into opening them and downloading what’s inside. Often, the link itself is encrypted so if you’re not decrypting suspicious links within your email, it can often get right through your defenses that way. In other cases, the malware is hosted on the legitimate website of an unsuspecting host just waiting for your employees to use it. Since government is naturally a high profile target, the attackers may intentionally look for websites they know your employees will use in order to host their malware. It’s up to website administrators to maintain their own security best practices to prevent infections of their sites.
Why it’s harder to detect and prevent than other malware: Because the malware changes rapidly (usually every few hours), it often fools network defenses. And even best-in-class remediation processes are often too late to save your assets – they’ve already been encrypted.
Without going through an exhaustive security best practices list, below is a summary of some best practice “reminders” in light of this evolving and growing threat to our networks:
People and Process:
Refresh your existing and ongoing training to advise your employees and contractors about these threats and what to watch for, as well as how to report anything suspicious. The more realistic you can make this training, the more likely it is to stick with your employees. Theoretical examples are only interesting to a point.
Use red teaming types of exercises to keep your employees alert to these phishing emails. It’s easy to become de-sensitized or oblivious to them.
Run hourly backups on your critical systems and daily backups for all others. Have a reasonable backup plan, for your particular environment, to address data on end user systems.
Establish as swift of a patching process as possible. Recall that many exploits damage your networks because they can. Government, in particular, is often too slow in patch cycles – do whatever you can to change your process and improve these patching times.
Disable Flash altogether if possible.
Restrict mounted file shares as much as possible. It’s no surprise that this is an oft-forgotten vector and has the potential to wreak the most damage in an enterprise environment.
All file-sharing applications, e.g. Dropbox, Box, which can be a common delivery mechanism -, unless you are using Aperture to ensure file-sharing environments are secured and the right users have permissions to the applications.
Whitelist applications at your Data Center. Given that this is a controlled environment, you can be more restrictive at this critical point in the attack life cycle.
Block known bad URLs (in the Palo Alto Networks platform, it’s the malware category)
Block unknown URLs, or put a ‘continue’ page to warn users and to break automated downloads/droppers
Enable all threat prevention capabilities, on our platform, on all traffic all the time (IPS, AV, Spyware). Newer IPS rules have been added such as those that block javascript files sent via email that are used as droppers.
Block specific file types depending on delivery app.
eg, block PE’s and other unwanted file types over web/email.
Block file downloads from unknown URLs sites altogether.
Enable SSL decryption – remember that the payload can be delivered by SSL
Technology – on the Endpoint
Enable exploit prevention on all of your critical assets using Traps
Don’t allow unknown executables to run. If you are a Palo Alto Networks customer, disable until WildFire returns a verdict on the file.
Don’t allow .exe’s to run from risky locations, e.g. a tmp directory.
Use the global surge in ransomware as an opportunity to revisit your security practices, regardless of which framework (ISO 27000-series, NIST Cyber Security Framework, etc.) you use.
Today, consumers have an increasing interest in implementing cloud solutions to process and store their data. They are looking to take advantage of the benefits provided by cloud computing, including flexibility, cost savings, and availability. Fortunately, there are many cloud solutions available to consumers, touting cloud computing features such as multi-tenancy, virtualization, or increased collaboration. But is it really a cloud service?
With the rapid growth of these types of solutions, consumers and other interested organizations want to identify whether a service is actually a cloud service.
In actuality, there is such thing as a cloud service. It has a definition and we have seen federal agencies require cloud service providers to justify why their service is considered a cloud service.
The five essential cloud characteristics are based on the National Institute of Standards and Technology’s (NIST) definition of cloud computing in Special Publication (SP) 800-145. Here,NIST defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
According to NIST SP 800-145, a cloud service employs all of the following five characteristics:
On-demand self-service – A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Broad network access – Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
Resource pooling – The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
Rapid elasticity – Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Measured service – Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Whether you are a cloud service provider, consumer, or other interested party, it is important to identify how the cloud service offering meets each of the five essential characteristics. For example, cloud service providers in the FedRAMP authorization process usually document how their service meets each of the five essential cloud computing characteristics in their System Security Plan (SSP).
It goes without saying that regardless of whether or not a service meets the definition of a cloud service, the cloud service provider and consumer must always plan and prepare for the security risks associated with providing or using a the cloud service and the types of data the cloud service will consume. The cloud service provider is responsible for selecting a security program framework to implement security controls specific for cloud environments and the data protection requirements of their customers. Equally, the consumer must be fully aware of the data they plan to process and/or store with the cloud service and their responsibilities to protect that data.
Christina McGhee, Manager/FedRAMP Technical Lead, Schellman
SINGAPORE – May 11, 2016 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, announced today that it hosted its 5th annual CSA APAC Summit in Singapore, beginning May 3rd. The weeklong event was attended by thought leaders, policy and decision makers representing key industry organizations, cloud customers, and the R&D community. Attendees represented both end-user and industry viewpoints and provided networking and business opportunities. The event was a curtain raiser for IDA’s CloudAsia 2016, which occurred May 3-5 also in Singapore.
The keynote presentations this year featured:
Khoong Hock Yun, Assistant Chief Executive Officer (Development) and Chief Data Officer of Infocomm Development Authority of Singapore (IDA)
Daniele Cattedde, Chief Technology Officer of Cloud Security Alliance
David Shearer, CEO of (ISC)2
Dr. Meng-Chow Kang, Chief Information Security Officer, APJC Region of Cisco Systems, Inc.
Evan Dumas, Head, Emerging Technologies APAC, Middle East, & Africa of Check Point
Martin Leo, Executive Director, Morgan Stanley Investment Management
Todd Partridge, Director of Product Marketing of Intralinks Holdings, Inc
Wally Lee, Cybersecurity Architect, Cybersecurity Global Practice of Microsoft
This year’s event also included a number of key panel presentations focused on emerging trends and issues in cloud computing:
“Overcoming the Top Threats to Cloud Computing” by Eric T. Ashdown of Cyber Security Managing Partner of Ridge Partners LLC, Kawin Boonyapredee of Qualys, Mandar Bale of FireEye & Benildus Nadar of Deep Identity chaired by Luciano “J.R.” Santos, Executive Vice President of Research of Cloud Security Alliance
“Cloud and the Enterprise 2016” chaired by Jimmy Sng, Partner, of PricewaterhouseCoopers with panelists across Information Security Manager of Waikato District Health Board, Audit Director for Technology of Australia and New Zealand Banking Group, Technical Advisor of Asia Pacific of (ISC)2 & Security Consultant at Hewlett-Packard Enterprise
The theme of this year’s summit centered on how the future of information security lies in the cloud. An earlier CSA survey conducted identified mobile security as an area of concern. CSA’s Mobile Application Security Testing (MAST) working group, which strives to create a more secured cloud ecosystem to protect mobile applications, will be releasing the Mobile Application Security Testing (MAST) whitepaper after going through 4 months of public review process. Co-chair Keng Lee discussed this whitepaper during the summit. The whitepaper will also be used in the development of a new certification scheme, CSA STAR Mobile that will test and certify mobile applications. There may be additional scope of work that will address application store security issues among others.
CSA also hosted its 4th annual APAC Chapter Leadership Workshop on May 4, an annual event that provides a platform to report Chapter activities and progress and work plan for the year. 25 Chapters out of 31 across Asia Pacific participated in this workshop to discuss the Chapter strategies moving forward for this year.
On May 5, CSA hosted its 1st in-person CSA STAR Certification Summit. This Summit brought Certification Bodies and representatives from Governments from Asia Pacific, Europe and Americas together to discuss the future of cloud computing certification and assurance, while also addressing current challenges on cloud computing security and privacy assurance and compliance. This invitation only event focused on building strategies on CSA National Certification approach and roadmap.
The CSA CXO luncheon also occurred on May 5. Senior government officials and corporate decision makers participated in the quarterly lunch, which is theme based and facilitated by a research analyst. The takeaways received from the luncheon create continuous touch points until the next luncheon.
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.