CDANS 2017: Keeping Cybersecurity Skills Sharp With Cyber Range

We enjoy meeting with and presenting to the many hard-working professionals responsible for securing government and critical national infrastructure in Europe, the Middle East, Africa, Asia and the U.S., and this year at Cyber Defence and Networks Security (CDANS) 2017, attended by professionals from several of these regions, we decided to try something dynamic. We invited our partner Cyber Test Systems to join us to run a Cyber Range as a pre-conference workshop. Cyber Range is used by technologists – network engineers, cyber operations professionals, and others charged with some level of responsibility for their enterprise’s security – to hone their cybersecurity skills against the most cutting-edge attacks we can find today. Cyber Test Systems does this regularly for network and security professionals across all manner of critical infrastructure – from government entities to commercial interests. And we are privileged that they continue to choose the Palo Alto Networks Next-Generation Security Platform to find, analyze, and prevent the advanced attacks they pull from the internet for their Cyber Range workshops.

Typically, Cyber Range helps professionals understand today’s most advanced threats, using real-world malware culled from the internet for the purpose of education. Cyber Range also:

  • Exposes security professionals to different kinds of threats seen on critical infrastructure networks today, including:
    • Ransomware
    • Botnets and their command-and-control (C2) traffic
    • Phishing attacks
    • Other forms of advanced malware
    • DDoS attacks (DDoS, RDoS, DRDoS)
  • Enables professionals to improve their skills and speed in identifying these threats, which they can then put into practice within their own networks.
  • Offers professionals real-world, hands-on experience using the power of the Next-Generation Security Platform, which integrates security capabilities for faster time-to-detection and signature creation within five minutes of seeing a new advanced threat.
  • Provides practitioners with hands-on experience with a mobile Cyber Range suite, which is portable, evolves with the latest attacks, and is available for reuse in national and commercial exercises to maintain team skillsets across those responsible for security – network, security, endpoint and data center teams – as advanced threats evolve.

Cyber Test Systems uses real threats, pulled from their research across the internet, and then regenerates them realistically using their series of Network Traffic Generators (CTS-NTG).

Normally, these Cyber Range workshops are attended by practitioners. But at CDANS, we were privileged to be joined by CISOs and other, more senior management who were eager to learn as well. In addition to balancing the needs of the participants’ varied technical levels, we provided an overview of a typical network topology, the network they would be protecting, and the overall exercise objectives. We reiterated the importance of using automation for speed to detection and prevention, and the importance of complete visibility across the network – thinking in the context of the cyberattack lifecycle – and of all of the many applications traversing their networks. With that grounding in the equipment, the network and the exercise objectives, participants were then presented with a series of attacks against their respective networks, with a great deal of hands-on assistance to understand what they were seeing, including:

  • Recent ransomware such as Petya GoldenEye, Merry Christmas, Cerber, Sopra, CryptoMix and the Osiris variant of Locky
  • Recent web exploit kits, such as Magnitude, KaiXin, Rig-E, Rig-V, Sundown
  • Phishing attacks
  • Malicious domains and websites
  • Exploits of vulnerable clients and servers
  • DDoS attacks, including DDoS, RDoS and DRDoS attacks, such as the Mirai botnet DRDoS attack
  • Recent botnets’ command and control, such as Kelihos botnet and Mirai botnet

We were delighted to discover that Cyber Test Systems had even pulled brand new, never-before-seen malware from the wild, which WildFire, the Palo Alto Networks malware analysis environment, immediately identified in real time during the exercise. All features of the Palo Alto Networks platform were fully leveraged throughout the exercise, including App-ID, Threat Prevention, URL Filtering and WildFire, to detect and mitigate the cyberattack scenarios one after the other.

Our instructors, including the Cyber Test Systems team and two of our London-based systems engineers, acted as red teams, yellow teams, white teams and green teams, guiding our participants who played the role of the blue team throughout the exercise.

Based on their feedback and their tenacity throughout a full day of exercising, and regardless of their technical level, all of the professionals who participated were able to take back new insights and a new appreciation for the diversity of threats that can be mitigated, threats that they – or their teams – may face regularly. From all of us, as Cyber Range hosts, it was a privilege and an honor to meet and work with these professionals throughout this workshop.

Learn more about the work we do with Cyber Range:

Palo Alto Networks held its inaugural abbreviated Cyber Range at Ignite 2016 and, with the positive customer feedback, will be repeating it at Ignite 2017. We’d love for you to join us!

[Palo Alto Networks Research Center]

VirusTotal Adds Palo Alto Networks to Intelligence Feeds

Palo Alto Networks is happy to announce the addition of the Palo Alto Networks (Known Signatures) scanner to VirusTotal, continuing our long-standing relationship with the organization, and furthering our commitment to threat intelligence sharing. This new integration allows users of VirusTotal to query malware samples against known antivirus signatures from the Palo Alto Networks Threat Intelligence Cloud, and ensures the continued joint cooperation between our organizations, in service of our joint customers and the industry as a whole.

What does this announcement mean?

The addition of the Palo Alto Networks (Known Signatures) scanner to VirusTotal provides a number of benefits to both Palo Alto Networks customers and users of the VirusTotal service, including:

  • Palo Alto Networks will continue to enrich our visibility into the threat landscape with samples sourced from VirusTotal, as an extension of what we receive via WildFire submissions and other third-party feeds.
  • VirusTotal users will be able to check malware samples against known antivirus signatures in the Palo Alto Networks Threat Intelligence Cloud.
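As an added illustration of what the integration above lets a VirusTotal user do (this is example code, not a Palo Alto Networks or VirusTotal tool), the block below parses a file report in the shape returned by VirusTotal API v3 (`GET /api/v3/files/{sha256}`, authenticated with the `x-apikey` header) and pulls out one engine’s verdict alongside the overall detection count. The report embedded in the block is constructed for the example: the hash, the engine results and the counts are made up, and the engine key `"Paloalto"` is assumed to be how the scanner is listed in VirusTotal results.

```python
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample in the shape of a VirusTotal API v3 file report.
# The id is a placeholder hash and every engine entry/count is made up.
SAMPLE_REPORT = json.dumps({
    "data": {
        "type": "file",
        "id": "0" * 64,  # placeholder SHA-256, not a real sample
        "attributes": {
            "last_analysis_stats": {
                "malicious": 2, "suspicious": 0, "undetected": 1,
                "harmless": 0, "timeout": 0,
            },
            "last_analysis_results": {
                # Engine key assumed; result string is constructed.
                "Paloalto": {"category": "malicious", "engine_name": "Paloalto",
                             "result": "generic.ml", "method": "blacklist"},
                "OtherAV": {"category": "malicious", "result": "Trojan.Generic"},
                "ThirdAV": {"category": "undetected", "result": None},
            },
        },
    }
})


@dataclass
class EngineVerdict:
    engine: str
    category: str          # e.g. "malicious", "undetected", "type-unsupported"
    result: Optional[str]  # detection name, or None when nothing was flagged


def engine_verdict(report_json: str, engine: str) -> Optional[EngineVerdict]:
    """Return one engine's verdict from a v3 file report.

    Returns None when the engine has no entry at all, which means the sample
    was not scanned by that engine; that is not the same as a clean verdict.
    """
    report = json.loads(report_json)
    results = (report.get("data", {})
                     .get("attributes", {})
                     .get("last_analysis_results", {}))
    entry = results.get(engine)
    if entry is None:
        return None
    return EngineVerdict(engine, entry.get("category", "unknown"), entry.get("result"))


def detection_ratio(report_json: str) -> Tuple[int, int]:
    """Return (engines flagging the file as malicious or suspicious, engines total)."""
    report = json.loads(report_json)
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return flagged, sum(stats.values())


def fetch_report(sha256: str, api_key: str) -> str:
    """Live lookup of a hash you already hold (requires network and a VirusTotal API key)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed report; swap in fetch_report(...) for a live hash.
    print(engine_verdict(SAMPLE_REPORT, "Paloalto"))
    print(engine_verdict(SAMPLE_REPORT, "NoSuchEngine"))
    print(detection_ratio(SAMPLE_REPORT))
```

Two details matter in practice: look the hash up rather than uploading a file when the sample may be sensitive, and treat a missing engine entry as "not scanned" rather than "clean", since, as the post notes, a single third-party verdict is not what the platform’s own protections rely on.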

How does this announcement affect Palo Alto Networks customers?

There is no impact to Palo Alto Networks customers or to the protections they receive from the Threat Intelligence Cloud, as part of the Next-Generation Security Platform. We do not rely on any third-party service, including VirusTotal, to provide known or unknown file verdicts for our customers. We continue to employ our WildFire threat analysis service to detonate and identify malware, extract threat intelligence and drive preventions for unknown threats, which are enforced via Threat Prevention, URL filtering (PAN-DB), Aperture and Traps.

Palo Alto Networks is firmly committed to sharing threat intelligence across public, private and commercial organizations, in order to raise the collective immunity against cyberattacks for the entire industry. Being part of the VirusTotal community continues to augment our ability to collect samples, ensuring we have wide visibility into threats sourced from internal and external sources and driving up the cost of launching successful attacks, as protections are automatically shared with Palo Alto Networks customers via WildFire.

[Palo Alto Networks Research Center]

PAN-OS 8.0: New Hardware Enables Powerful Security Performance Without Compromise

Three key trends are driving the need for increased performance and capacity requirements on security appliances:

  1. Data center consolidation, leading to increased bandwidth requirements.
  2. Increasing share of encrypted traffic, which must be secured.
  3. Consumption of hybrid cloud and software-as-a-service (SaaS) applications driving north-south traffic growth.

At the same time, organizations are required to rethink how to protect the network from a new, more sophisticated class of advanced threats that evade traditional security mechanisms.

Our latest release, PAN-OS 8.0, introduces new hardware appliances that remove the usual compromise between performance and applying next-generation security to all traffic, including encrypted traffic. With these new appliances, you can now prevent successful cyberattacks everywhere your data resides – from your largest data centers down to your smallest branches. The new appliances include:

PA-5200 Series

The PA-5200 Series – PA-5260, PA-5250 and PA-5220 – prevents threats and safely enables applications in high-performance network deployments, including Internet Gateway, Data Center and Service Provider (SP) environments. Secure your network with predictable performance and advanced visibility and control of applications, users and content at throughput speeds of up to 72 Gbps.
Key Features:
  • High-performance appliances deliver up to 72 Gbps (App-ID) and 30 Gbps (Threat Prevention)
  • High SSL session capacity with up to 32M sessions and 3.2M SSL-decrypt sessions
  • Flexibility in I/O with high-density 10G, 40G and 100G support
  • Front-to-back airflow support

PA-800 Series

The PA-800 Series – PA-850 and PA-820 – is designed to secure enterprise branch offices and retail locations.
Key Features:
  • High-performance appliances up to 1.9 Gbps (App-ID) and 780 Mbps (Threat Prevention)
  • Fast management plane, leveraging multiple CPU cores and 8 GB of memory
  • Hardware resiliency, leveraging redundant power
  • Flexible I/O for today’s and tomorrow’s network needs with up to 10G interfaces
  • Simplified deployments of large numbers of firewalls through the USB port

PA-220

Built in a compact desktop footprint, the PA-220 brings next-generation firewall capabilities to your smallest branch offices and retail locations.
Key Features:
  • Built-in resiliency with dual power adapters
  • Complete high availability support: active/active and active/passive
  • Passive and silent cooling to eliminate noise and increase reliability
  • Desktop footprint with high port density
  • Simplified deployments of large numbers of firewalls through the USB port

Architected to handle ever-increasing amounts of application-, user- and device-generated data, our next-generation firewalls natively classify all traffic, inclusive of applications, threats and content, and tie the traffic to the user, regardless of location or device type. The applications, content and users are then used as the basis of your security policies to safely enable applications and prevent modern threats, both known and unknown.

With our expanded portfolio of appliances, customers can now address an even wider variety of use cases with different form factors and performance variants to fit diverse deployment needs.

Learn more about our new family of breakthrough performance hardware.


[Palo Alto Networks Research Center]

Incident Response – Being Prepared for the Worst-Case Scenario

It is no secret that in today’s world, information is more at risk than ever before. Unfortunately, we now must deal with the realization that it’s not if an attempted breach will occur on your network, but rather when. Despite an organization’s best efforts to secure networks and information, human error and system vulnerabilities will continue to exist. Considering that reality, organizations must be sure to prepare an actionable plan for when the worst-case scenarios play themselves out.

Incident response is the process of establishing a plan for responding to these worst-case scenarios. The ability of an organization to react to and contain incidents in a prompt and efficient manner is equally as important as the tools and procedures that are put in place to prevent such scenarios. This means not only having the tools in place to detect potential threats, but also having the personnel on hand to respond and react efficiently.

Who needs incident response?
In short: everyone. All businesses have intellectual property, personally identifiable information (PII), financials or some form of sensitive information that can be dangerous when in the wrong hands. Establishing an actionable plan will result in faster response times and minimize damages as a result of an incident.

The potential risks your organization faces as the result of responding poorly to an incident are vast and may vary by industry. That said, below are some of the more common risks to consider when evaluating the value of your organization’s incident response plan:

Operational risks. An incident such as a system breach could result in critical systems and applications becoming inoperative. This may lead to a loss of core business functions (such as a production line being shut down) as well as potential security vulnerabilities.

Reputational risks. Responding poorly to an incident can severely damage your organization’s public image and its standing with current and potential customers/clients.

Compliance risks. In some instances, an incident may result in an inability to meet regulatory requirements and introduce the potential for fines and/or penalties from governing bodies.

Financial risks. All of the previously mentioned risks have the potential to result in negative financial impact to your organization. These, along with the potential for lost assets, the cost of repairs, legal fees and other unexpected costs, should be considered.

The components of a successful incident response plan will vary from business to business, but at its core the plan should deliver the following:

  • An executive commitment and endorsement of the incident response initiative
  • An Incident Response Team (IRT) composed of members with varying areas of expertise, ranging from IT to legal and communications
  • A defined communication plan
  • A plan to support, maintain and test the incident response plan on a regular basis
  • An organized, structured approach that clearly defines the roles and responsibilities for all parties involved
  • A clearly stated definition of what an incident means to your organization and how incident response aligns with existing organizational security efforts, such as business continuity and disaster recovery plans
  • A well-defined plan on how to monitor and analyze potential threats to the environment
  • An operation plan that defines how incidents are declared and initial steps for information gathering
  • A post-incident process for lessons learned and process improvement

A successful incident response program should align with the standards set forth by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Information Technology Infrastructure Library (ITIL).

Joe Gates, Senior Security & Controls Advisor, The Mako Group LLC

[ISACA Now Blog]
