Automating Cloud Security with Ansible and Palo Alto Networks

History has shown that using automation to perform repetitive tasks without human assistance can result in labor and production cost reductions as well as improvements to quality, accuracy and precision.

In the ongoing effort to protect applications and data from bad actors, automating repetitive security tasks allows you to achieve the same benefits of accuracy, precision and precious labor savings. However, the most significant benefit that security automation brings is that it allows you to enforce a strong, consistent and repeatable security posture.

For the past several years, Palo Alto Networks and Ansible have collaborated on a set of Ansible modules that automate a variety of configuration settings on our physical and virtualized next-generation firewalls. In the public cloud, these collaboration efforts have become invaluable to our customers as they adopt more rapid and iterative application development methodologies (e.g., DevOps, CI/CD) on AWS, Azure and Google Cloud.

The Ansible modules for PAN-OS, our security operating system, allow our customers to embed security into the application development lifecycle, eliminating the bottleneck that change control security best practices can introduce.
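As an added illustration (not part of the webinar announcement, and not Palo Alto Networks' or Ansible's own sample code), the playbook below shows the pattern those modules enable: a firewall security rule expressed as declarative, version-controlled YAML that is applied idempotently and committed only when something actually changed, so a change request becomes a reviewable pull request rather than a GUI edit. It uses the panos_security_rule and panos_commit_firewall modules from the paloaltonetworks.panos collection; the rule name, zones, address ranges and the fw_host/fw_user/fw_pass variables are placeholders, and parameter names should be checked against the documentation of the collection version you install (older releases, for example, used panos_commit rather than panos_commit_firewall).

```yaml
# Added example, not from the original page. Assumes the
# paloaltonetworks.panos collection is installed and that fw_host,
# fw_user and fw_pass are supplied from inventory or ansible-vault.
- name: Allow the web tier to reach the database tier on MySQL only
  hosts: localhost
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  vars:
    provider:
      ip_address: "{{ fw_host }}"
      username: "{{ fw_user }}"
      password: "{{ fw_pass }}"
  tasks:
    # state: present makes this idempotent: re-running the playbook
    # reports "ok" rather than creating a duplicate rule, and any
    # manual drift in the GUI is pulled back to what the repo says.
    - name: Ensure the web-to-db rule exists with exactly these parameters
      panos_security_rule:
        provider: "{{ provider }}"
        rule_name: "web-to-db-mysql"
        description: "Managed by Ansible; change the playbook, not the GUI"
        source_zone: ["web"]
        destination_zone: ["db"]
        source_ip: ["10.10.1.0/24"]          # placeholder web subnet
        destination_ip: ["10.10.2.0/24"]     # placeholder db subnet
        application: ["mysql"]
        service: ["application-default"]     # App-ID on its standard port only
        action: "allow"
        log_end: true                        # session logs for the SOC
        state: present
      register: web_to_db_rule

    # Committing is a separate, explicit step; skip it when nothing
    # changed so unrelated candidate-config edits are not pushed by accident.
    - name: Commit the candidate configuration only when the rule changed
      panos_commit_firewall:
        provider: "{{ provider }}"
      when: web_to_db_rule.changed
```

Run it first with `ansible-playbook --check --diff` to see what the module would change before anything touches the firewall, keep the credentials in ansible-vault (or use the provider's api_key instead of a password), and pin the collection version in requirements.yml so a CI run cannot silently pick up a module with different parameter names.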

To learn more about how Ansible can enable you to automate security in the cloud, please register for our joint webinar on April 25 at 11:00 AM PST/2:00 PM EDT. This informative event will cover the following topics:

  • New Ansible modules, updates and enhancements for cloud deployments
  • How Palo Alto Networks protects organizations from threats and data exfiltration, from the network to the cloud
  • Using Ansible modules to deploy and configure Palo Alto Networks VM-Series firewalls on AWS, Azure and Google Cloud

The webinar will wrap up with a brief deployment demonstration and technical Q&A with our solution architects.

Register for “Automating Cloud Security with Ansible and Palo Alto Networks”

[Palo Alto Networks Research Center]

Should CISOs Expand Their Portfolios?

CISOs have traditionally focused on the triad of “Confidentiality, Integrity and Availability.” Recently, emphasis has been placed on confidentiality, hackers and zero-day attacks. However, industry trends now require that focus to broaden to all business information risks within organizations.

Since information is a key part of almost all business transactions, information risks are becoming pervasive. The trends I want to highlight include increased need for Security departments to partner with business colleagues to understand risks from their point of view, and increased importance of integrity and availability.

Integrity
In my mind, integrity issues go back to the ChoicePoint data breach in 2005. This breach did not result from a zero-day attack. It was carried out by fraudulent customers using fake accounts. This falls under the “data integrity” mandate. At the time, many would have thought that this breach was outside of the scope of information security. But this needs to change today.

Such incidents have taken off in recent years. Fake news incidents have regularly made headlines. The potential effects of fake information on SEO results also have been highlighted. Consider the reports of identity “theft” using synthetic identities. Or the recent scandal at Kobe Steel over the internal falsification of quality data.

After the Yahoo breaches cost that company US $300M, cybersecurity assessments have become a more important part of M&A transactions. This type of assessment has to mitigate business risk: is the firm’s risk posture what it says it is? Class action lawsuits in the state of Michigan over faulty software algorithms bring up another information business risk. Software development errors may have real human life consequences as well as business consequences.

Availability
In the recent volatile financial market, several investment firms suffered outages, even in our era of scalable, virtualized application architectures. Ransomware attacks last year led to real money being lost from victims, not from ransoms, but from outages. The largest ever DDoS attack recently was reported. These attacks are likely to continue to be common.

Confidentiality
This is still an important issue, but the diversity of incidents is increasing. An ex-Expedia employee pleaded guilty to stealing company information to facilitate his insider trading of company stock. Better keyless entry systems now facilitate faster theft by car thieves, not just theft of information. In 2016, steelmaker ThyssenKrupp lost trade secrets to cyber criminals. A large retailer recently was hit with a $27 million fine for stealing a small contractor’s intellectual property. Instead of just stealing IDs, criminals are now stealing whole systems and the intellectual property that goes along with those systems.

These incidents highlight newer ways to misuse information resources and adversely affect a business. More longstanding hacker attacks using technology are not going away; traditional technology controls are still needed to mitigate these risks and significant progress has been made in doing so. But these newer incidents highlight threats in which the misuse case and consequences are highly entwined with the business. To find these risks, CISOs will need, more than ever, to understand the business they are protecting and the risks that are seen by senior management. Security controls will need to be more integrated in business operations to be effective.

A recent presentation by Facebook CISO Alex Stamos also highlighted these issues. In his talk, Stamos distinguishes between two components of technology risk: traditional InfoSec and “abuse.” He defines abuse as “technically correct use of a technology to cause harm.” In his view, the abuse category of risk is much broader than the traditional InfoSec concerns. Some of his solutions to better manage the abuse category of risk include broadening the focus of security practitioners and increasing empathy toward business users and leaders.

My own conclusion is: if the issue involves company information, and misuse can affect the company’s risk posture, then CISOs need to play an active role in mitigating that risk.

Frederick Scholl, Ph.D., CISM

[ISACA Now Blog]

CCSK obtains course mapping approval under IMDA’s CITREP+ Programme

SINGAPORE – March 21, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, is pleased to announce that its Certificate of Cloud Security Knowledge (CCSK) course has successfully completed course mapping under CITREP+.

Through this recognition, attendees who are Singapore citizens and permanent residents can attend the 3-day CCSK training course at subsidised costs under the Critical Infocomm Technology Resource Programme Plus (CITREP+) as a part of TechSkills Accelerator (TeSA), a programme which supports local professionals and working professionals to continuously reskill and stay abreast of the latest in-demand technical skills, to remain valued and competitive in Singapore. Singaporeans and permanent residents are also eligible for CITREP+ funding to take the CCSK examination.

“We look forward to seeing greater awareness, as well as deeper knowledge and understanding of cloud security in Singapore,” said Dr. Hing-Yan Lee, Executive Vice-President of CSA APAC. “With it, we expect increased cloud adoption towards achieving Singapore’s cloud vision of sharpening its overall competitiveness, as well as enhancing the vibrancy and growth of Singapore’s ICT sector through the development of a cloud ecosystem.”

There are several authorized CCSK training providers in Singapore. One of these is HP Education (HPE). Another authorized CCSK training provider is NTUC Learning Hub Pte Ltd (LHUB) & RapidStart Pte Ltd. CSA plans to appoint more training providers to conduct CCSK training in Singapore.

Mr. Kwek Kok Kwong, CEO of LHUB shared, “Singapore is one of the most connected nations in the world. Digital technology is evolving everywhere, and it is becoming increasingly important to adopt measures that ensures security in the cyberspace. Time and again, we see cyber-attacks and it is crucial that we step up awareness of security amongst cloud users. We are therefore happy to partner with CSA to equip and deepen the necessary skillsets for individuals, in a bid to provide organisations with broader security capabilities when adopting cloud computing solutions for their businesses.”

“We are excited to announce our partnership with CSA which will continue to broaden our offerings in Cloud Computing Technology. There’s no doubt about the growing demand for skills and expertise in Cloud Computing and this partnership will enable us to join forces and collaborate with CSA together to address local industry needs,” said Dr Anton Ravindran, CEO of RapidStart Pte Ltd.

Going forward, CSA will map CCSK to the Skills Framework for ICT, which is a guide for individuals, employers and training providers to promote ICT skills mastery and lifelong learning. The Skills Framework for ICT is also part of TeSA, an initiative of SkillsFuture. The framework can be used by employers to develop career maps and articulate job requirements, by individuals to guide their skills identification and development to stay relevant, and by training providers to devise ICT courses. Some critical skill areas include network and infrastructure, software development and engineering, data and analytics, and cyber-security.

Since CSA first released CCSK in 2010, thousands of IT and security professionals have taken the opportunity to upgrade their skill sets and enhance their careers by obtaining the CCSK. Certification Magazine has listed CCSK at #1 on the Average Salary Survey 2016. CIO.com, Top Ten Cloud Computing Certifications, says: “This is the mother of all cloud computing security certifications. The Certificate of Cloud Security Knowledge certification is vendor-neutral, and certifies competency in key cloud security areas.”

In addition to the CCSK, CSA together with (ISC)² has developed the Certified Cloud Security Professional (CCSP), which recognizes IT and information security leaders who have the knowledge and competency to apply best practices to cloud security architecture, design, operations and service orchestration.

About TechSkills Accelerator (TeSA)

The TechSkills Accelerator (TeSA) is a tripartite initiative between the government, industry and the National Trades Union Congress (NTUC), to build and develop a skilled Information and Communications Technology (ICT) workforce for the Singapore economy, and to enhance employability outcomes for individuals.

The Infocomm Media Development Authority (IMDA), which drives TeSA for ICT professional development, takes an integrated approach to ICT skills acquisition and practitioner training – in core ICT skills and in sector-specific ICT skills – and enhance employability outcomes through place and train programmes, and career advisory services. As of November 2017, TeSA has enabled more than 21,000 ICT professionals to upskill and reskill themselves.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

The Cybersecurity Canon – CISO: Desk Reference Guide; A Practical Guide for CISOs Volume 2

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!


Executive Summary

I recommend “CISO: Desk Reference Guide; A Practical Guide for CISOs volume 2” be included in the Cybersecurity Canon Hall of Fame candidate list alongside its first volume companion. These two books will provide any CISO – newbie or ragged veteran – the reference material to build and improve their security programs. The authors present the essentials and represent the perfect example of what a desk reference guide should be: a collection and starting point for topics that all current and aspiring CISOs should know about. The content may not be the final word on many of these subjects, but it is a fantastic place readers can start to think about their own ideas regarding what the role of a CISO is and will be in the next decade. Where they take that knowledge from there is on them.


Introduction

Full disclosure: I have known Gary Hayslip, one of the three authors of this guide, for a number of years. He is a no-nonsense network defender, and his wisdom expressed at the various security conferences we all attend has been, in many cases, the sole reason to go. He brings that same sensibility to volume two of the CISO’s Desk Reference Guide. Gary and his fellow authors, Bill Bonney and Matt Stamper, published volume one back in 2016; and Canon Committee member, Ben Rothke, recommended it as a Cybersecurity Canon Candidate at the end of last year. Rothke said that the book is “an excellent example” of what a desk reference guide should be: a collection and starting point for topics that all current and aspiring CISOs should know about. It may not be the final word on many of these subjects, but it is a fantastic place to start so that readers can begin thinking about and developing their own ideas regarding what the role of a CISO is.


Topics Covered

In volume one, they specifically covered these topics:

  • Office of the CISO organization
  • Policy and audit
  • Information classification
  • Third party-risk
  • Metrics
  • Board management
  • Risk management
  • Tools

For this volume, the authors complete the picture by including:

  • Finding talent
  • Cyber awareness training
  • Basic cyber hygiene
  • Monitoring
  • Threat intelligence
  • Continuity planning
  • Incident response
  • Recovery
  • Forensics
  • Strategic planning


This is not a book you read cover-to-cover; rather, you have it on your desk to refer to when you need a pointer or two. When I was in the U.S. Army, we called these things our “smart books,” and they contained bits and pieces of knowledge that we learned through the school of hard knocks. The best thing about these volumes is that you have three seasoned professionals giving us their notes so that we don’t have to go through the pain of discovery ourselves.


Picking Some Nits

As with any reference book on a topic as complex as this one, there are a few things here that might have used more detail or I felt didn’t explore certain sides of an issue.

In the talent section, the authors rightfully point out that there is a giant shortfall of qualified personnel for the over 2 million open positions in the industry today. Their general suggestions about how to fill your open positions are spot on. I was disappointed that they did not mention the diversity issues also prevalent in our industry. Minorities and women are severely underrepresented, and whatever your strategy is to hire for your team, it had better include a healthy dose of diversity and inclusion.

In the hygiene section, the authors make the case that basic, common-sense actions organizations take to protect themselves will go a long way toward preventing cyber adversaries from succeeding. I was disappointed that they did not discuss the recent DevOps or DevSecOps movement, whereby the entire community is moving toward automating these kinds of hygiene items.

In the threat intelligence section, the authors do a good job of defining what threat intelligence is; how it is not one-size-fits-all; and that you have to build the kind of intelligence your organization needs based on your culture, your senior leadership’s desires, and what you think are the basic intelligence needs for your organization. They lay out the benefits of information sharing and describe a number of potential sharing organizations that any CISO might consider joining. I was pleased to discover a mention of the Palo Alto Networks open source intelligence sharing tool, MineMeld, that organizations can use to connect to one API, collect and reformat information, and redirect it to another API. But I was disappointed that they did not describe the intelligence life cycle. For any intelligence program to be effective, intelligence professionals continuously work their way through a four-stage cycle.

First, they define the CEO/CSO Information Requirements (CIRs). These are the high-level questions the leadership wants the intelligence team to work on. Second, they evaluate their sources of information through the lens of “can the intelligence team answer the CIRs.” If they can, fine. If they can’t, they need to seek additional intelligence sources. Third, they need to transform the raw information into intelligence reports. This is the actionable intelligence that you have heard everybody in our industry talk about. Lastly, they have to deliver those reports to the right customers to take action.


Conclusion

Like I said, I’m just picking some nits. I recommend that this book be included in the Cybersecurity Canon Hall of Fame candidate list, along with its first volume companion. These two books, alongside a Hall of Fame winner, “Winning as a CISO,” by Rich Baich, will provide any CISO, newbie or ragged veteran, the reference material to build and improve their security programs. All three books represent a block of material that is a great place to start. The block is not complete by any means. If it were, it would be over a thousand pages long and instantly out-of-date the day the authors published it. To misquote Ferris Bueller, “[Things] move pretty fast. If you don’t stop and look around once in a while, you could miss it.” But these books present the essentials. Where you go from there is on you.


References

“The Cybersecurity Canon – CISO Desk Reference Guide: A Practical Guide for CISOs Volume 1,” book review by Ben Rothke, 28 December 2017, last visited 14 March 2018, https://researchcenter.paloaltonetworks.com/2017/12/cybersecurity-canon-review-ciso-desk-reference-guide-practical-guide-cisos/

“Winning as a CISO,” book review by Rick Howard, 12 January 2015, last visited 14 March 2018, https://researchcenter.paloaltonetworks.com/2015/01/cybersecurity-canon-winning-ciso/

[Palo Alto Networks Research Center]

What is Standalone Virtual Reality, and Why Are Enterprises Betting On It?

If you are interested in virtual reality, you surely know that the buzzword of 2018 is “standalone.” All the major VR companies are betting on standalone VR devices: HTC Vive China president Alvin Wang Graylin announced in a recent interview that his goal for 2018 is to see standalone devices becoming successful and Oculus’ Hugo Barra has expressed a similar opinion.

But what are standalone VR devices? And why do all of these important people believe in them? Let me answer these questions for you.

What is a standalone VR device?
The typical virtual reality headset can come in two flavors:

  • Connected to a PC for an expensive, high performance experience (e.g. Oculus Rift and HTC Vive);
  • Integrated with your mobile phone for a cheap, low quality experience (e.g. Gear VR and Daydream).


Figure 1 Oculus Go standalone headset (Image credit: Oculus)

Standalone VR sits somewhere in the middle between these two extremes: it is a good quality experience for an affordable price. But its peculiarity is that standalone VR headsets do not require anything else to work: they don’t need a phone or a PC; they work out of the box. A standalone device is similar to a mobile VR headset, but it already includes all the required electronic parts; the display, the processing power and all the other hardware are embedded inside. It is a computer on its own.


Figure 2 Vive Focus device (Image credit: HTC Vive)

This means that the user can buy it, unbox it and then put it on his/her head to start living VR experiences immediately.

Why are all the companies betting on them?
Standalones offer a lot of clear advantages over the other available VR devices:

  • They are affordable. A standalone VR headset costs less than a Samsung phone plus Gear VR, or an Oculus Rift plus a VR-ready PC. Some standalones are really cheap: the upcoming Oculus Go, for instance, will cost only US $200, and this will let a lot of people afford entering virtual reality;
  • They are easy to use. They don’t require setups of any kind. Every person can use them, even without technological expertise. The user just has to put the device on his/her head. This means that virtual reality may exit the techie realm and enter the consumer domain;
  • They are handy. It is very easy to carry a headset with you by just putting it in your backpack;
  • They come in various flavors, like:
    • very cheap standalone devices, such as the Oculus Go and Pico Goblin, that offer a very basic experience;
    • more expensive devices that let the user move inside virtual reality, like the Vive Focus and Lenovo Mirage Solo;
    • Oculus Santa Cruz and Pico Neo, which offer an expensive experience but with the ability to both move and interact within the virtual world.

In my previous post, I highlighted how price and ease of use are two of the pain points of virtual reality. Standalone devices can solve both. They can make virtual reality mainstream and can be the key to eventually getting 1 billion people into virtual reality, as Mark Zuckerberg wants. That’s why more and more companies are betting on this form factor.

But …
There’s a big issue that I want to highlight: in the very short term, standalones are VR-only devices, so they require people to spend money just to experience virtual reality. But the general consumer still doesn’t understand the purpose of VR and, in fact, a lot of free Cardboards and Gear VRs gather dust on the shelves. This means that the various manufacturers will have to convince people why they need to spend money to have VR.

Standalone devices will be important for the widespread diffusion of VR. But, as you can see, the road to mainstream adoption is still long.

Antony Vitillo, AR/VR Consultant and Blogger

[ISACA Now Blog]
