The Importance of Securing Your Cloud

One of the biggest misconceptions regarding the cloud is that you can rely on the cloud provider service to protect your business, your data and everything else your firm holds dear.

Take a minute to think about your own home security system. Do you just lock the doors with the key and head off to work, fully secure that your valuables will still be there when you get back? Not likely. Many of us have at least a simple alarm system in place on doors and windows. More and more people are heading toward the latest trends in home security: motion sensors, 24-hour video cameras, remote door answering, etc.

Why does securing your cloud matter? Three enormous reasons:

  • Your cloud provider is only managing part of your security.
  • Cloud security lowers the risk of data breaches.
  • The minimum level of security compliance should never be enough.

Your security vs. cloud security
Let’s talk about your security against the cloud service provider’s security. The provider has specific language in any contract it signs with you concerning what it is and isn’t responsible for if there is a security breach. In its 2016 “Cloud Adoption & Risk Report,” SkyHigh Networks reported that the average user in an organization employed 36 different cloud services at work. That’s 36 potential security breach points into your cloud and 36 ways for information to leak out. By introducing all of the apps you need to make your business run to your cloud environment, you must take on the responsibility of ensuring that they are only serving their necessary capacity when analyzing and manipulating the data stored in your cloud.

It is essential that you manage all of your cloud-based applications and treat them all as security risks until the day you can scratch them off that list. The old days of hiring a third-party app to plug-and-play into your network are long gone. Your best way forward should be with a Security-as-a-Service (SECaaS) solution. Just like your infrastructure, software and your share of the cloud itself, SECaaS is the scalable solution that can handle your growth but also scale down in the event your business shrinks. Even an in-person, onsite IT expert is not available 24 hours a day, 7 days a week, but a SECaaS is. The service can deploy solutions instantaneously when problems or suspicious activities arise, unlike in a traditional setting where everyone is waiting around for the IT professional to respond to a call for help.

The high price of data breaches
As for breaches, a 2016 study showed that the estimated cost of a data breach for a company is US $4 million. If your company has an extra $4 million lying around, by all means don’t fret about your cloud security. That figure might seem high at first glance, but there’s far more at work here than merely a loss of data or intellectual property. When you suffer a public data breach, word travels fast. Your best employees will be more receptive to offers from competitors. Your recruitment will suffer as those entering the workforce and those seeking to switch employers will take a much harder look at what sort of company gets breached and what kind of company they’re looking to work for. And last but not least is the impact your data breach will have on your company’s public perception. The public has an incredibly long memory when it comes to embarrassing incidents for public companies. Don’t believe it? Fast-food giant Jack in the Box had a scare with mislabeled meat in 1981, and 37 years later, it’s still one of the top Google results for the restaurant chain.

Nobody wants the minimum
You didn’t get into business to do the bare minimum when it comes to protecting your assets and your customers’ information. No salesman has ever told a customer that he’d do the absolute least amount of work he could to get the customer’s business. The same excellence you strive for in taking command of your market and maximizing your profits should be applied to keeping your cloud secure.

To ensure the security of your cloud, consider adding dimensions such as multifactor security, where even if an employee’s login name and password are stolen or compromised, the party that took it still cannot access your cloud without an additional layer of security. Simple steps like this can be the difference between a secure cloud system and one just waiting to be picked apart by hackers.

Marty Puranik, CEO, Atlantic.Net

[ISACA Now Blog]

Inclusion and Diversity: How Do We Lead?

At Palo Alto Networks, we’re committed to creating an environment where all the members of the team feel inspired to do their best work and contribute to the mission of protecting our way of life in the digital age. To do this, our team must better reflect the world we live in and secure with our products and services. For us, this means Palo Alto Networks should lead our industry on inclusion and diversity (I&D). It’s ambitious, but achievable, as we focus on fostering a workplace that welcomes every culture, gender, age, sexual orientation, disability, background and experience.

A key feature of our corporate culture is self-awareness, so let me start by sharing my perspective on how we’re currently doing. The short answer: we must do better as a company.

On our website, you will find numbers and percentages associated with the composition of our team across race and gender, which, as you can see, does not represent the world in which we live. While the data is humbling, sharing it is an important step in the work and commitment required to achieve true inclusion and diversity across our organization.

As a company, we’re experienced at bringing technology leadership to the market: launching, iterating, improving, and repeating those steps until we are the best. We will do that here as well. Research shows conclusively that diverse teams are more creative, innovative, and perform better than teams that are not diverse. Having people from different backgrounds – particularly those who have been historically underrepresented in the tech industry – at the decision-making table will lead us to better business outcomes and result in better products to meet the needs of the broad spectrum of people we serve worldwide. It’s common sense backed by empirical research. More importantly, it’s the right thing to do.

These numbers have prompted me to think a lot about the corporate culture we have cultivated at Palo Alto Networks. While I am proud of our core values of putting our customers first, transparency, and a “no egos” approach, at the end of the day, inclusion and diversity must be part of our company DNA if we are to make meaningful change. We need the entire company to embrace this effort.

Ultimately it all comes down to action. We’ve launched a number of initiatives to build a culture of inclusion at the company, through our own internal programs and by signing on to the CEO Action for Inclusion and Diversity pledge. Here’s a snapshot of where we’ve been focusing:

  • Launched our “Power of Inclusion” training program to help employees understand the research on inclusion and diversity, reflect on their experiences, personalize what inclusion and diversity means to them, and identify actions they can take to create a more inclusive workplace. All people managers worldwide will be expected to complete the training by July 31.
  • Recognizing that training is not enough, we are also in the process of planning ongoing, systemic efforts to put this training into action with toolkits and resources for employees and managers to help build more inclusive teams and a more inclusive culture.
  • Enhanced our hiring practices to better focus on attracting candidates with diverse backgrounds and expertise. For example, we’ve partnered with organizations like Direct Employers and InHerSight to post our jobs on over 150 channels focused on diverse communities. We are ensuring diversity in our interview teams and rolling out a “License to Hire” training program for interviewers to eliminate unconscious bias in our hiring processes.
  • Expanded our Employee Networks to foster a greater sense of community across our organization. So far, we have network groups for women, veterans, Black and Latino employees, and early-in-career professionals. Muslim, Asian and LGBTQIA+ networks are in the early stages of forming, and I encourage more to come.
  • Established the Mosaic advisory board, a diverse group of women and men from across the organization responsible for providing guidance on companywide I&D investments and championing I&D efforts within their own organizations.
  • Deepened our relationships with the National Center for Women & Information Technology (NCWIT), AnitaB.org, Women of the Channel, VetsinTech and National Society for Black Engineers (NSBE). With NCWIT, for example, we are creating training and resource kits for thousands of community college career counselors to encourage female and minority students to consider cybersecurity, and we will launch a new Collegiate Cybersecurity Award to recognize the cybersecurity achievements of college women.
  • Through our collaboration with Girl Scouts of the USA (GSUSA), we are introducing cybersecurity education to millions of girls across the United States through compelling programming designed to increase their interest and instill in them a valuable 21st century skillset. This national effort is a huge step toward eliminating traditional barriers to industry access, and will target girls as young as five years old, helping to ensure that even the youngest girls have a foundation primed for future life and career success. The first in a series of 18 Cybersecurity badges will be available to Girl Scouts throughout the United States in September 2018. We’re also partnering with Black Girls Code to develop a cyber camp that will be delivered this August.

There is so much more to do and, in addition to the internal discussions we’ll have as a company, we continue to seek input and advice from outside experts. We are committed to providing you with updates on our progress and look forward to suggestions and feedback.

Mark

[Palo Alto Networks Research Center]

Traps “Recommended” in NSS Labs Advanced Endpoint Protection Test

We are excited to announce that Palo Alto Networks Traps advanced endpoint protection has achieved a “Recommended” rating, and is positioned in the upper-right corner of the NSS Labs AEP Security Value Map (SVM), indicating outstanding protection and low total cost of ownership.

Attackers must complete a certain sequence of events to successfully accomplish their objectives, whether stealing information or running ransomware. Nearly every attack relies on compromising an endpoint, and although most organizations have deployed endpoint protection, infections are still common.

By combining multiple methods of prevention, Traps stands apart in its ability to protect endpoints. Traps blocks security breaches and successful ransomware attacks that leverage malware and exploits, known or unknown, before they can compromise an endpoint. The NSS Labs AEP test validates Palo Alto Networks prevention-first philosophy.

The Palo Alto Networks Security Operating Platform addresses these challenges by integrating network, cloud and endpoint security with threat intelligence to provide automated protection that prevents successful cyberattacks. Our platform natively integrates security capabilities across the entire ecosystem and applies them at the right place, addressing all stages of an attack lifecycle.

NSS Labs performed an independent test of Palo Alto Networks Traps v4.1. The product was subjected to thorough testing at the NSS Labs facility in Austin, Texas, based on the Advanced Endpoint Protection (AEP) Test Methodology v2.0, which is available at www.nsslabs.com. This test was conducted free of charge, and NSS did not receive any compensation in return for our inclusion.

Highlights from the test include:

  • 100% malware delivered via docs and scripts blocked
  • 100% exploits detected and blocked
  • 100% evasions blocked
  • 0% false positives
  • Low TCO due to high block rate and low operational overhead

Read the full report.

[Palo Alto Networks Research Center]

See the Graph Security API in Action at RSA Conference 2018

Today, Microsoft announced the public preview of their Microsoft Graph Security API. The security API enables a single point of programmatic access to aggregated security insights from Microsoft and partner security solutions, as well as business information from other Microsoft Graph entities (Office 365, Azure Active Directory, Intune, and more) that can add high-value context to threat analysis.

Palo Alto Networks has built a proof-of-concept application to demonstrate our ability to consume alerts from the Graph API, enrich those alerts with additional threat intelligence from AutoFocus, and send alert notifications to the Graph API. This information has the potential to provide security teams with a holistic view of their environment, and enable more coordinated policy updates, to ensure a consistent security posture across the security portfolio. We will be demonstrating a proof of concept for these use cases at the Microsoft Intelligent Security Graph demo station at RSA (booth 3501 in the Moscone North Exhibit Hall).

Because Context Matters

Traditional security approaches are suited to protect against known threats, and adversaries get around these defenses by making slight changes to existing exploits and attack vectors. Microsoft and Palo Alto Networks actively hunt to identify these variants, new attack profiles, and IPs (indicators of compromise and attacks, collectively) being used by bad actors for attacks, exfiltration, and command and control.

You can minimize your exposure to these attacks by blocking at the network layer, and we have built a proof of concept to show how we can both add this additional contextual information to any alerts surfaced through the security API and take action on those alerts to block the attacker IPs and domains across all of the Palo Alto Networks next-generation firewalls deployed in your environment.

For the demo, we will showcase an application that uses the security API to poll alerts from multiple security solutions – in this case, we’ll focus on an alert from Azure Security Center. The alert is enriched with additional information from Panorama and AutoFocus, and action is taken to block the threat across all of the firewalls deployed within the customer environment. For this scenario:

  1. Azure Security Center detects communication to a malicious IP address, likely a command-and-control center. The alert is surfaced in the Security Center, and our demo application via the security API.
  2. Our demo application then correlates the alert with logs from Panorama to determine whether this attack has been detected by a firewall. The application also queries AutoFocus, our threat intelligence service, to pull all of the information we know about that attack: the attacker, the family of this attack, indicators of compromise, and known IPs and domains used by these attackers for their activities.
  3. The demo application will then update the tags of the original alert, via the security API, with the threat intelligence from AutoFocus – sharing these added insights with other security products that integrate with the Graph.
  4. Finally, the demo application can then be used to block the malicious IPs associated with the attack. In the future, the security API will enable programmatic response, such as updating the policies on all your firewalls to block this traffic in the event they are not already configured to do so.

Today, you can create automated playbooks to update your firewall policies via Panorama based on Security Center alerts. In the future, this orchestration will be enabled via the security API across providers and consumers connected to the Graph.
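The four demo steps above, sketched as an added example that is not Palo Alto Networks' or Microsoft's code. In-memory stand-ins replace the security API, Panorama and AutoFocus, and every schema, field name, tag format and sample value is a constructed assumption.

```python
# Constructed sample data: not real telemetry and not a real API payload.
ALERT = {
    "id": "alert-0001",
    "provider": "Azure Security Center",
    "title": "Communication with a malicious IP address",
    "destination_ip": "203.0.113.10",
    "tags": [],
}

# Stand-in for firewall traffic logs held by Panorama (hypothetical schema).
FIREWALL_LOGS = [
    {"firewall": "fw-east", "dst": "203.0.113.10", "action": "allow"},
    {"firewall": "fw-west", "dst": "203.0.113.10", "action": "deny"},
    {"firewall": "fw-east", "dst": "192.0.2.44", "action": "allow"},
]

# Stand-in for threat intelligence keyed by indicator (hypothetical schema).
THREAT_INTEL = {
    "203.0.113.10": {
        "family": "ExampleFamily",
        "related_ips": ["203.0.113.10", "198.51.100.7"],
        "related_domains": ["c2.example.test"],
    }
}

# Indicators each firewall already blocks (hypothetical policy state).
BLOCKED = {"fw-east": set(), "fw-west": {"203.0.113.10"}}


def correlate(alert, logs):
    """Step 2a: which firewalls saw traffic to the alerted IP, and what they did."""
    seen = {}
    for entry in logs:
        if entry["dst"] != alert["destination_ip"]:
            continue
        # "allow" wins over "deny": a single allowed session means exposure.
        if seen.get(entry["firewall"]) != "allow":
            seen[entry["firewall"]] = entry["action"]
    return seen


def indicators_for(alert, intel):
    """Step 2b: the alerted IP plus any related IPs and domains from threat intel."""
    entry = intel.get(alert["destination_ip"])
    found = {alert["destination_ip"]}
    if entry:
        found.update(entry["related_ips"], entry["related_domains"])
    return entry, sorted(found)


def enrich(alert, intel):
    """Step 3: return a copy of the alert with intel tags; the input is not mutated."""
    entry, indicators = indicators_for(alert, intel)
    tags = list(alert["tags"])
    if entry is None:
        tags.append("intel:no-match")  # record the miss instead of failing silently
    else:
        tags.append("family:" + entry["family"])
        tags.extend("ioc:" + i for i in indicators)
    return {**alert, "tags": tags}


def plan_blocks(alert, intel, blocked):
    """Step 4: per firewall, the indicators its policy does not block yet."""
    _, indicators = indicators_for(alert, intel)
    return {fw: [i for i in indicators if i not in have]
            for fw, have in blocked.items()}


def process(alert, logs, intel, blocked):
    return {"alert": enrich(alert, intel),
            "seen_by": correlate(alert, logs),
            "blocks": plan_blocks(alert, intel, blocked)}


if __name__ == "__main__":
    for key, value in process(ALERT, FIREWALL_LOGS, THREAT_INTEL, BLOCKED).items():
        print(key, value)
```

Computing the block plan per firewall keeps the update idempotent: a firewall that already denies an indicator receives no duplicate entry for it.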

Give Me More Data!

The logical next question is how to enable alerting from Palo Alto Networks firewalls to feed into the Intelligent Security Graph. We have also developed a Palo Alto Networks Provider as part of this proof of concept. Applications and services consuming alert data through the security API can access alerts from our firewalls via the API and this provider. This provider could be extended in the future to enable more functions from the Panorama API, such as implementing policy updates and blocking.

There are two components for this proof of concept: a provider application that acts as the intermediary between Panorama and the security API, and the Microsoft Graph Security API Demo App that is subscribed to our provider. To enable applications to subscribe to Palo Alto Networks alerts via the Graph, we did the following:

  1. Register this demo provider with the Microsoft Security Graph.
  2. Microsoft Graph Security API Demo App subscribes to notifications from our provider.
  3. When new alerts are available, our demo provider will send a webhook notification to the Microsoft Demo App.
  4. After receiving the notification that new alerts are available, Microsoft Demo App will query our provider to retrieve the security alerts.

What’s Next?

Microsoft and Palo Alto Networks are working together to help our customers better defend against increasingly sophisticated attacks. In fact, we are one of the founding members of the Microsoft Intelligent Security Association. We are partnering across multiple teams and products to share alerts and threat intelligence to enable faster detection, remediation, and prevention so your organization can stay ahead of these attacks. The proofs of concept demonstrated here at RSA are just the first steps in our collaboration.

Stop by the Microsoft booth, #3501, in the Moscone North Exhibit Hall to view these demos in action, and you can learn more about Palo Alto Networks just a few feet away at booth #3715. You can also learn more information about the Microsoft Graph Security API by following this link.

[Palo Alto Networks Research Center]

What the Skills Shortage Means for Existing Cybersecurity Practitioners

By now, most practitioners have heard (probably from a few different sources) that organizations struggle when it comes to finding, hiring and retaining the right resources for information security and/or cybersecurity professionals. There has been quite a bit written about this trend: the impact that it has on security efforts within enterprise, advice and guidance about how to staff and manage your security team in light of the talent challenges, strategies for working around it, etc. However, there is another potential angle that is comparatively less analyzed: the impact to existing practitioners – both in the short and long term – in light of the shortage.

Understanding this is important for practitioners as preparation now translates directly to continued success down the road. In knowing what we do about the workforce dynamics, we can make sure that we’re optimally positioned when the time comes for us to change jobs and continue to be in demand down the line.

Skills gap characteristics
The first thing to note is that the skills gap has characteristics that can be measured. We know that it exists from numerous research reports and surveys, specifically findings citing the lengths of time required to fill open positions, perceived difficulty in finding qualified candidates and challenges in retaining existing staff. ISACA’s 2018 State of Cybersecurity research was no exception in pointing this out. Findings from previous years of ISACA research, as well as studies from other organizations, suggest that these challenges are persistent.

However, the actual areas of need have been comparatively less thoroughly analyzed, including which positions are most problematic to staff and retain, which skills are in more demand, where the most hiring activity occurs, etc. Much like the skills gap itself can be measured, so, too, can these other characteristics. This year, we attempted to gather more information about these secondary characteristics of the skills gap.

What we learned was that individual contributors are in higher demand than managers. We also learned that there is a higher demand for technical resources, relative to non-technical ones. While that may not be a complete surprise to anyone who has tried to staff a security team, it is an interesting data point because it informs organizational staffing and retention strategies. The report data can also be useful for practitioners – i.e., those on the other end of the staffing equation. That is, individuals wishing to position themselves optimally for their future career growth can use this information as part of their “career strategy.”

Career “Future Proofing”
We as practitioners can maximize our competitiveness in the short term and ensure that we continue to be marketable over the long term by taking this information into account. For example, the information indicating that technical resources are harder to find relative to non-technical ones can help motivate us to stand out in the workforce by taking active measures to invest in our personal technical acumen. There are a number of ways to do this, of course, but remaining abreast of new technologies, diversifying the set of technologies with which we are conversant and keeping abreast of new attack methods is a good way to start.

In fact, there are many resources available to ISACA members to assist; for example, our partnership with Wapack Labs can help ensure that members stay abreast of attacker tradecraft; ISACA webinars (particularly those of a technical nature) and publications like the ISACA Journal can keep technical skills honed; and chapter activities can provide opportunities to learn new technical skills. This is potentially advantageous even for those that are more senior in their careers. For example, if a hiring decision came down to two resources – if all other things are equal, but one is more “current” in their technical understanding – who would you hire? See what I mean?

Over the long term, this information about the skills gap is likewise important for practitioners as it can inform their future career planning. Why? Because logic dictates that the dynamics will change over time in a few specific ways. For those with a decade or more before retirement, planning accordingly is valuable.

First, current challenges in obtaining qualified technical staff mean that organizations (and, in fact, the market at large) are likely to innovate toward automation strategies for technical work being done by human analysts today. Will this mean the existing workforce will be left high and dry? Not necessarily … but it does mean that technical acumen, while useful to help differentiate you among candidates in the short to intermediate term, isn’t a guaranteed way to future-proof your career over the long haul. This in turn means that establishing a diverse set of skills – as well as building a strong professional network – is important in the long term, in addition to building technical skills.

Second, the fact that there is increased demand for individual contributors relative to managers means that (again, thinking long-term), those who desire to move into manager positions should be looking to differentiate themselves as well from a competitive point of view. They might, for example, consider taking on management responsibilities now to give them skills that, down the road, will be important to their overall competitiveness.

As with most things, there’s no “one-size-fits-all” advice – there are as many viable career tracks as there are practitioners themselves. That said, one thing that’s probably universally true is that having a “career plan” that accounts for both near-term and longer-term changes is a good idea. The findings from this research can help accomplish that.

Ed Moyle, Director of Thought Leadership and Research, ISACA

[ISACA Now Blog]
