Traps “Recommended” in NSS Labs Advanced Endpoint Protection Test

We are excited to announce that Palo Alto Networks Traps advanced endpoint protection has achieved a “Recommended” rating, and is positioned in the upper-right corner of the NSS Labs AEP Security Value Map (SVM), indicating outstanding protection and low total cost of ownership.

Attackers must complete a certain sequence of events to successfully accomplish their objectives, whether stealing information or running ransomware. Nearly every attack relies on compromising an endpoint, and although most organizations have deployed endpoint protection, infections are still common.

By combining multiple methods of prevention, Traps stands apart in its ability to protect endpoints. Traps blocks security breaches and successful ransomware attacks that leverage malware and exploits, known or unknown, before they can compromise an endpoint. The NSS Labs AEP test validates Palo Alto Networks prevention-first philosophy.

The Palo Alto Networks Security Operating Platform addresses these challenges by integrating network, cloud and endpoint security with threat intelligence to provide automated protection that prevents successful cyberattacks. Our platform natively integrates security capabilities across the entire ecosystem and applies them at the right place, addressing all stages of an attack lifecycle.

NSS Labs performed an independent test of Palo Alto Networks Traps v4.1. The product was subjected to thorough testing at the NSS Labs facility in Austin, Texas, based on the Advanced Endpoint Protection (AEP) Test Methodology v2.0, which is available at www.nsslabs.com. This test was conducted free of charge, and NSS did not receive any compensation in return for our inclusion.

Highlights from the test include:

  • 100% malware delivered via docs and scripts blocked
  • 100% exploits detected and blocked
  • 100% evasions blocked
  • 0% false positives
  • Low TCO due to high block rate and low operational overhead

Read the full report.

[Palo Alto Networks Research Center]

See the Graph Security API in Action at RSA Conference 2018

Today, Microsoft announced the public preview of their Microsoft Graph Security API. The security API enables a single point of programmatic access to aggregated security insights from Microsoft and partner security solutions, as well as business information from other Microsoft Graph entities (Office 365, Azure Active Directory, Intune, and more) that can add high-value context to threat analysis.

Palo Alto Networks has built a proof-of-concept application to demonstrate our ability to consume alerts from the Graph API, enrich those alerts with additional threat intelligence from AutoFocus, and send alert notifications to the Graph API. This information has the potential to provide security teams with a holistic view of their environment, and enable more coordinated policy updates, to ensure a consistent security posture across the security portfolio. We will be demonstrating a proof of concept for these use cases at the Microsoft Intelligent Security Graph demo station at RSA (booth 3501 in the Moscone North Exhibit Hall).

Because Context Matters

Traditional security approaches are suited to protecting against known threats, and adversaries get around these defenses by making slight changes to existing exploits and attack vectors. Microsoft and Palo Alto Networks actively hunt to identify these variants, new attack profiles, and IPs (indicators of compromise and attacks, collectively) being used by bad actors for attacks, exfiltration, and command and control.

You can minimize your exposure to these attacks by blocking at the network layer, and we have built a proof of concept to show how we can both add this additional contextual information to any alerts surfaced through the security API and take action on those alerts to block the attacker IPs and domains across all of the Palo Alto Networks next-generation firewalls deployed in your environment.

For the demo, we will showcase an application that uses the security API to poll alerts from multiple security solutions – in this case, we’ll focus on an alert from Azure Security Center. The alert is enriched with additional information from Panorama and AutoFocus, and action is taken to block the threat across all of the firewalls deployed within the customer environment. For this scenario:

  1. Azure Security Center detects communication to a malicious IP address, likely a command-and-control center. The alert is surfaced in Security Center and, via the security API, in our demo application.
  2. Our demo application then correlates the alert with logs from Panorama to determine whether this attack has been detected by a firewall. The application also queries AutoFocus, our threat intelligence service, to pull all of the information we know about that attack: the attacker, the family of this attack, indicators of compromise, and known IPs and domains used by these attackers for their activities.
  3. The demo application will then update the tags of the original alert, via the security API, with the threat intelligence from AutoFocus – sharing these added insights with other security products that integrate with the Graph.
  4. Finally, the demo application can then be used to block the malicious IPs associated with the attack. In the future, the security API will enable programmatic response, such as updating the policies on all your firewalls to block this traffic in the event they are not already configured to do so.

Today, you can create automated playbooks to update your firewall policies via Panorama based on Security Center alerts. In the future, this orchestration will be enabled via the security API across providers and consumers connected to the Graph.
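As an added illustration of the four-step flow above (this is not the demo application's code and calls no real Graph, Panorama or AutoFocus API), the following script correlates a constructed Security Center-style alert with constructed Panorama traffic logs, derives the tags that step 3 would write back, and builds the per-firewall block list of step 4, leaving out any firewall that already denied the indicator. Field names, IPs, firewall names and the adversary/family names are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed alert: Security Center flags outbound traffic to a suspected C2 address.
ALERT = {
    "id": "alert-0001",  # constructed identifier
    "provider": "Azure Security Center",
    "title": "Communication with suspicious IP",
    "hostStates": [{"privateIpAddress": "10.1.2.3"}],
    "networkConnections": [{"destinationAddress": "198.51.100.7", "destinationPort": 443}],
    "tags": [],
}

# Constructed Panorama traffic-log entries (one dict per log line).
PANORAMA_LOGS = [
    {"src": "10.1.2.3", "dst": "198.51.100.7", "action": "allow", "rule": "outbound-any", "fw": "fw-east"},
    {"src": "10.1.2.3", "dst": "198.51.100.7", "action": "deny", "rule": "block-c2", "fw": "fw-west"},
    {"src": "10.9.9.9", "dst": "203.0.113.40", "action": "allow", "rule": "outbound-any", "fw": "fw-east"},
]

# Constructed AutoFocus-style intelligence record, keyed by indicator.
AUTOFOCUS = {
    "198.51.100.7": {
        "adversary": "ExampleGroup",  # constructed name
        "family": "ExampleRAT",       # constructed name
        "related_ips": ["198.51.100.7", "203.0.113.40"],
        "related_domains": ["c2.example.net"],
    }
}

FIREWALLS = ["fw-east", "fw-west", "fw-north"]  # constructed firewall fleet
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def correlate(alert, logs):
    """Step 2: which firewalls saw the alert's destination, and what each did with it."""
    dsts = {c["destinationAddress"] for c in alert["networkConnections"]}
    seen = {}
    for entry in logs:
        if entry["dst"] in dsts:
            seen.setdefault(entry["fw"], set()).add(entry["action"])
    return seen


def enrich(alert, intel):
    """Step 3: tags to write back onto the alert via the security API."""
    tags = set()
    for c in alert["networkConnections"]:
        rec = intel.get(c["destinationAddress"])
        if rec:
            tags.add(f"autofocus:adversary={rec['adversary']}")
            tags.add(f"autofocus:family={rec['family']}")
            tags.update(f"ioc:ip={ip}" for ip in rec["related_ips"])
            tags.update(f"ioc:domain={d}" for d in rec["related_domains"])
    return sorted(tags)


def block_plan(alert, intel, logs, firewalls):
    """Step 4: per firewall, the indicator IPs that still need a block rule.
    Internal ranges are never pushed, and a firewall that already denied an IP is skipped."""
    iocs = set()
    for c in alert["networkConnections"]:
        iocs.add(c["destinationAddress"])
        iocs.update(intel.get(c["destinationAddress"], {}).get("related_ips", []))
    iocs = {ip for ip in iocs if not any(ip_address(ip) in net for net in INTERNAL)}
    plan = {}
    for fw in firewalls:
        already = {e["dst"] for e in logs if e["fw"] == fw and e["action"] == "deny"}
        plan[fw] = sorted(iocs - already)
    return plan
```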

Give Me More Data!

The logical next question is how to enable alerting from Palo Alto Networks firewalls to feed into the Intelligent Security Graph. We have also developed a Palo Alto Networks Provider as part of this proof of concept. Applications and services consuming alert data through the security API can access alerts from our firewalls via the API and this provider. This provider could be extended in the future to enable more functions from the Panorama API, such as implementing policy updates and blocking.

There are two components for this proof of concept: a provider application that acts as the intermediary between Panorama and the security API, and the Microsoft Graph Security API Demo App that is subscribed to our provider. To enable applications to subscribe to Palo Alto Networks alerts via the Graph, we did the following:

  1. Register this demo provider with the Microsoft Security Graph.
  2. Microsoft Graph Security API Demo App subscribes to notifications from our provider.
  3. When new alerts are available, our demo provider will send a webhook notification to the Microsoft Demo App.
  4. After receiving the notification that new alerts are available, Microsoft Demo App will query our provider to retrieve the security alerts.

What’s Next?

Microsoft and Palo Alto Networks are working together to help our customers better defend against increasingly sophisticated attacks. In fact, we are one of the founding members of the Microsoft Intelligent Security Association. We are partnering across multiple teams and products to share alerts and threat intelligence to enable faster detection, remediation, and prevention so your organization can stay ahead of these attacks. The proofs of concept demonstrated here at RSA are just the first steps in our collaboration.

Stop by the Microsoft booth, #3501, in the Moscone North Exhibit Hall to view these demos in action, and you can learn more about Palo Alto Networks just a few feet away at booth #3715. You can also learn more about the Microsoft Graph Security API by following this link.

[Palo Alto Networks Research Center]

What the Skills Shortage Means for Existing Cybersecurity Practitioners

By now, most practitioners have heard (probably from a few different sources) that organizations struggle when it comes to finding, hiring and retaining the right resources for information security and/or cybersecurity professionals. There has been quite a bit written about this trend: the impact that it has on security efforts within enterprise, advice and guidance about how to staff and manage your security team in light of the talent challenges, strategies for working around it, etc. However, there is another potential angle that is comparatively less analyzed: the impact to existing practitioners – both in the short and long term – in light of the shortage.

Understanding this is important for practitioners as preparation now translates directly to continued success down the road. In knowing what we do about the workforce dynamics, we can make sure that we’re optimally positioned when the time comes for us to change jobs and continue to be in demand down the line.

Skills gap characteristics
The first thing to note is that the skills gap has characteristics that can be measured. We know that it exists from numerous research reports and surveys, specifically findings citing the lengths of time required to fill open positions, perceived difficulty in finding qualified candidates and challenges in retaining existing staff. ISACA’s 2018 State of Cybersecurity research was no exception in pointing this out. Findings from previous years of ISACA research, as well as studies from other organizations, suggest that these challenges are persistent.

However, the actual areas of need have been comparatively less thoroughly analyzed, including which positions are most problematic to staff and retain, which skills are in more demand, where the most hiring activity occurs, etc. Much like the skills gap itself can be measured, so, too, can these other characteristics. This year, we attempted to gather more information about these secondary characteristics of the skills gap.

What we learned was that individual contributors are in higher demand than managers. We also learned that there is a higher demand for technical resources, relative to non-technical ones. While that may not be a complete surprise to anyone who has tried to staff a security team, it is an interesting data point because it informs organizational staffing and retention strategies. The report data can also be useful for practitioners – i.e., those on the other end of the staffing equation. That is, individuals wishing to position themselves optimally for their future career growth can use this information as part of their “career strategy.”

Career “Future Proofing”
We as practitioners can maximize our competitiveness in the short term and ensure that we continue to be marketable over the long term by taking this information into account. For example, the information indicating that technical resources are harder to find relative to non-technical ones can help motivate us to stand out in the workforce by taking active measures to invest in our personal technical acumen. There are a number of ways to do this, of course, but ensuring that we remain abreast of new technologies, that we diversify the set of technologies with which we are conversant and keeping abreast of new attack methods is a good way to start.

In fact, there are many resources available to ISACA members to assist; for example, our partnership with Wapack Labs can help ensure that members stay abreast of attacker tradecraft; ISACA webinars (particularly those of a technical nature) and publications like the ISACA Journal can keep technical skills honed; and chapter activities can provide opportunities to learn new technical skills. This is potentially advantageous even for those that are more senior in their careers. For example, if a hiring decision came down to two resources – if all other things are equal, but one is more “current” in their technical understanding – who would you hire? See what I mean?

Over the long term, this information about the skills gap is likewise important for practitioners as it can inform their future career planning. Why? Because logic dictates that the dynamics will change over time in a few specific ways. For those with a decade or more before retirement, planning accordingly is valuable.

First, current challenges in obtaining qualified technical staff mean that organizations (and, in fact, the market at large) are likely to innovate toward automation strategies for technical work being done by human analysts today. Will this mean the existing workforce will be left high and dry? Not necessarily … but it does mean that technical acumen, while useful to help differentiate you among candidates in the short to intermediate term, isn’t a guaranteed way to future-proof your career over the long haul. This in turn means that establishing a diverse set of skills – as well as building a strong professional network – is important in the long term, in addition to building technical skills.

Second, the fact that there is increased demand for individual contributors relative to managers means that (again, thinking long-term), those who desire to move into manager positions should be looking to differentiate themselves as well from a competitive point of view. They might, for example, consider taking on management responsibilities now to give them skills that, down the road, will be important to their overall competitiveness.

As with most things, there’s no “one-size-fits-all” advice – there are as many viable career tracks as there are practitioners themselves. That said, one thing that’s probably universally true is that having a “career plan” that accounts for both near-term and longer-term changes is a good idea. The findings from this research can help accomplish that.

Ed Moyle, Director of Thought Leadership and Research, ISACA

[ISACA Now Blog]

Digital Transformation Gets Easier When Security Just Works

When I ask customers what they like about Palo Alto Networks, their answer is consistent: it just works. They can operate efficiently and prevent successful cyberattacks. Our Security Operating Platform is built for automation – it has to be easy to operate if we’re going to help our customers achieve digital transformation.

You may not recognize the name “Security Operating Platform” because we have recently changed it from “Next-Generation Security Platform.” We feel this new name better reflects its unique value. The components of the platform are integrated, making it easy to operate and automate manual tasks.

In my last blog post, I noted that the hardest part of digital transformation isn’t deciding on vendors or deploying new technologies, but instead getting people to think differently and change how they work. One of the recommendations shared, based on what I’ve been hearing for months now in my time spent with our customers and partners, is that organizations should bring stakeholders together and out of their silos to create cross-functional teams.

Whether we call these teams “agile” or something else, this mode of working requires support from a platform that can automate workflows, meet compliance and provide consistent enforcement across network, cloud and endpoints. If the technology is not designed to support workflow across the environment, it is not going to support these cross-functional teams.

We continue to expand the platform and add automation. A decade ago, we invented the Next-Generation Firewall, enabling organizations to adopt security best practices using app-, user- and content-based policies and applying a Zero Trust approach throughout. We added cloud-based security services for threat detection and prevention in what we call our first evolution. These services use the next-generation firewalls as sensors and for automated enforcement. In our second evolution, we extended the platform to include endpoint and cloud security. The security services integrate with the cloud and endpoint security to share intelligence and automate enforcement.

Now, in our third evolution, we have further extended our automated approach to ecosystem partners. Innovative apps developed by us, by third parties, or by your own teams, can access a security data set that is specific to your environment, as well as access shared threat intelligence. The apps can monitor, detect and report on threats, automate workflows, and meet compliance. As threats evolve, we believe automation and analytics that work across cloud, network and mobile devices are required to detect and stop sophisticated attacks.

We’ll see you at RSA Conference this week and hopefully at our Ignite ’18 Security Conference next month, where we’ll be celebrating disruption and digital transformation. I look forward to hearing from you – come experience our Security Operating Platform for yourself.

[Palo Alto Networks Research Center]

Two Steps to a Robust Security Culture

By Kwinton Scarbrough, CISSP

In the midst of the business and technology merge, organizations of all industries have started their journey into the cognitive era of cybersecurity. In this era, it is essential for a business to have an IT security strategy to govern how the organization will protect itself from internal and external cyber threats. However, what commonly fails to align to IT security strategy is the organization’s overall security culture. IT security strategy can only be effective if there is a strong security culture embedded into the very fabric of the company’s operations. Today, I will cover the two core components for building a robust security culture, to maximize the effectiveness of the IT security strategy.

An organization’s security culture is comprised of the mindset and habits of employees as they relate to IT security. Habits that are intended to prevent and protect against internal and external threats are, unfortunately, not always unified for the greater good of the organization. Many times, different siloed habits are formed within individual business units based on the easiest route to achieve the task at hand (e.g., using shared accounts instead of unique individual accounts, or using privileged accounts to perform simple tasks). Within an organization that lacks a mature IT security strategy, employees are more likely to naturally learn and follow what is perceived to be the path of least resistance to accomplish a task. They then continue to pass these learned, non-compliant methods on to other employees within that business unit. Eventually, it becomes the mindset of that business unit that this is the only way to accomplish that task because – as I’m sure you’ve heard before – “that’s the way we’ve always done it.” Building a strong security culture will encourage employees to question the norm if something doesn’t seem quite right.

Every organization is unique and will have its own security culture. Throughout my consulting experience I’ve come to find the state of the security culture depends on two factors: (1) well defined security policies, processes and procedures; and (2) exceptional communication about the adoption of those security policies, processes and procedures. To have a strong security culture, these two factors must be coordinated and implemented together as one has little to no lasting effect without the other.

Define a Security Policy

A security culture begins with a well-defined and properly enforced security policy. The development and enforcement of a security policy starts at the very top of the leadership pyramid and reflects down to the junior level employee. In defining a security policy, the first step is to understand the business environment and its threat landscape. An organization’s security policy should

  • Define the baseline security requirements
  • Define the requirements that meet or exceed industry and regulatory requirements
  • Align to the risk appetite of the organization

While a well-defined security policy should be clear and strictly enforced, it should not dictate how each business unit must operate to comply with the requirements. That is, the policy should be separate from the procedures. While the security requirements should be clearly defined, a strong security culture will allow each individual business unit to determine an optimal method for incorporating these requirements into its own business operations. The ideal security policy should be seamlessly integrated into employees’ day-to-day thinking and decision making to ensure a secure mode of operations for all business units. The security culture should unify the organization by allowing all business units to work together, while operating in loosely coupled coordination to provide an optimal level of protection against internal and external threats. For an organization as a whole, the goal is to create centralized policies that can be incorporated into the daily processes and procedures of all business units within the organization. An organization with a strong security culture has employees that understand cybersecurity and the importance of making the necessary operational adjustments to comply with defined security requirements.

Communicate and Train Secure Habits

The communication of security requirements and security awareness go hand in hand in building a strong security culture. More communication brings more awareness, and with more security awareness, individual employees are more likely to incorporate security into their day-to-day thinking and decision making. As a result, security becomes thoroughly embedded in the mindset and work habits of each employee, thereby creating a strong security culture.

However, communicating the security requirements is not as straightforward as defining the security policy. To effectively communicate security policies, the communication tactics should be tailored to the target audience based on analyzed behavior, their current security understanding and preferred communication style. The goal is to effectively communicate, to each business unit, why it is necessary to follow the organization’s security policies. Better communication of the purpose and reasoning behind security policies will help to build a strong security culture through the elimination of decentralized execution of centralized policies. To take security maturity one step further, organizations should also provide security awareness training. This training should serve the purpose of eliminating nonconformist habits by bringing awareness and competence to better, more secure habits.

Conclusion

Clearly defined and communicated centralized security policies will allow an organization to enforce organization-wide security requirements. Each business unit will understand the importance of security, while having the freedom to create and establish optimal operations within well-defined boundaries.

[(ISC)² Blog]