Google’s Gerhard Eschelbeck to Keynote at Cloud Security Alliance Congress US at Privacy.Security.Risk Conference

Registration Now Open for the Industry’s Premier Gathering for Cloud Education and Best Practices

San Jose, CA – July 6, 2016 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced that Gerhard Eschelbeck, Vice President, Security & Privacy Engineering at Google, will present the opening keynote at the upcoming CSA Congress USA at the Privacy.Security.Risk 2016 (P.S.R.) conference taking place September 13-16 in San Jose, CA.

As Vice President of Security & Privacy Engineering at Google, Eschelbeck leads the teams that ensure data and systems security, as well as user privacy. Gerhard admittedly has a passion for championing new technologies and is a trusted advisor to a number of early stage startup companies. He has published the “Laws of Vulnerabilities” and is one of the inventors of the Common Vulnerability Scoring System (CVSS), and holds numerous patents in the field of managed network security.

“Google is a critical part of the cloud computing ecosystem and we are very excited to have Gerhard kick off this year’s event to share best practices, proven approaches and lessons learned with our conference attendees,” said Jim Reavis, CEO of the Cloud Security Alliance. “Whether you are a long time user of cloud technology or a relatively new adopter, this year’s conference is guaranteed to take your knowledge to a new level with new ideas that attendees can readily walk away with and apply to their own organization.”

Presented by the IAPP Privacy Academy and CSA Congress, the P.S.R. Conference, now in its third year, is expected to draw approximately 1,500 privacy and cloud security professionals. The event brings together two related fields – privacy and security – with important perspective to help practitioners excel in their role. The event aims to deliver the most thought-provoking speakers and sessions led by the foremost experts and provides invaluable opportunities to connect and share ideas. The joint event will provide attendees with more than double the education and networking opportunities with the leading innovators and practitioners in technology, security and privacy for the price of a single conference.

Registration is now open, with an early registration discount of $200 available until August 19. The most current conference program can be found at https://iapp.org/conference/privacy-security-risk-2016/sessions-psr16/

WHAT: Cloud Security Alliance Congress US 2016 at P.S.R.
WHEN: Workshops: September 13-14
Conference: September 15-16
9:00 am – 5:00 pm
WHERE: San Jose Marriott and San Jose Convention Center
ATTENDEE REGISTRATION: https://my.iapp.org/nc__event?id=a0l1a000000nBgQAAU
MEDIA REGISTRATION: kari@zagcommunications.com

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud – from providers and customers, to governments, entrepreneurs and the assurance industry – and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA has developed the definitive best practices for the industry, such as the “Security Guidance for Critical Areas of Focus in Cloud Computing”, the “Cloud Controls Matrix”, “Top Threats to Cloud Computing” and 50 other cloud security research artifacts. For further information, visit us at www.cloudsecurityalliance.org.

About the IAPP
The International Association of Privacy Professionals is the world’s largest association of privacy professionals with more than 20,000 members across 83 countries. The IAPP is a not-for-profit association that helps to define and support the privacy profession globally. More information about the IAPP is available at www.privacyassociation.org.

Media Contact
Kari Walker
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

Passage of EU NIS Directive Is a Milestone, But Next Steps Matter Even More

Today, with a plenary vote in the European Parliament, the EU took the near-final step in enacting its groundbreaking cybersecurity legislation, the Network and Information Security (NIS) Directive. This is the result of more than three years of effort by the European Commission, Council and Parliament, working with stakeholders from Europe and around the world. Proposed in response to growing concerns about cyberthreats, and in an attempt to raise the cybersecurity and resilience of network and information systems in EU member states, this is the first time the EU has legislated specifically on cybersecurity. Notably, the Directive frames cybersecurity in an economic and societal context, observing its importance in underpinning economic activities and growth as well as user confidence in online activities, and thus also in facilitating the internal EU market. The Directive will soon be published in the Official Journal of the European Union and will come into force 20 days after that. EU member states will then have 21 months to transpose it into national laws.

With implications for both industry and member states, the Directive establishes security and incident notification requirements for “operators of essential services” (e.g., providers of energy, transportation, healthcare services) and, to a less stringent extent, “digital service providers” (online marketplaces, online search engines, and cloud service providers). It requires member states to adopt national NIS strategies; to designate national competent authorities; and to have “well-functioning” computer security incident response teams (CSIRTs) to detect, prevent, and respond to cyber incidents and risks. It emphasizes coordination among member states, setting up a CSIRT network (also to include CERT-EU) to promote swift and effective operational cooperation, and a “cooperation group” to support and facilitate strategic cooperation and information exchange.

Although today’s vote is a milestone, the next steps matter more. In turning the Directive’s prose into action through national implementation, member states must prioritize consistency. Operators of essential services and digital service providers need a sense of regulatory predictability. Under the Directive, member states determine which entities meet the criteria for “operators of essential services.” The Directive provides a common methodology to do so and directs member states to consult with each other when looking at companies serving multiple EU markets, which so many do. This is key—disparate methodologies or divergent views of what constitutes an “operator of essential service” could lead to confusion and possible misallocation of security resources. The same goes for member states’ authority to further define the security and incident notification requirements for operators of essential services: despite the flexible implementation allowed for by the Directive, consistency should be the goal.

Harmonized approaches to cybersecurity are an essential ingredient in improving cybersecurity worldwide. Cybersecurity resources are scarce in both government and industry and any redundant or inconsistent activities or requirements could divert resources from where security is needed and from the ability to develop responses to constantly evolving cybersecurity threats. Coordination is needed not just within the EU. We urge member states, the Commission, Parliament, and the EU Agency for Network and Information Security (ENISA) to continue to engage with governments and industry outside of Europe to ensure maximum alignment as the NIS Directive is fleshed out.

Many actions EU member states must take in terms of their own strategies and activities would, if implemented and resourced sufficiently, have great potential in raising the cybersecurity bar. For example, the CSIRT network is an important addition to the international CSIRT (CERT) community. Palo Alto Networks works with many CSIRTs across the EU and NATO. We look forward to working with others as they get up and running and to helping them start off strongly. Significantly, the Directive encourages member states’ CSIRTs to participate in international cooperation networks in addition to the CSIRT network established in the Directive. Cybersecurity threats are global, and cooperation among CSIRTs around the world helps pool knowledge and resources to address these common threats. In another example, the Directive requires member states to have national NIS strategies that include cyber education and raising awareness, which plays an important role in helping companies to assess and manage their cyber risks and citizens to better protect themselves when online.

The Directive instructs member states to ensure competent authorities have adequate technical, financial, and human resources to carry out their tasks effectively and efficiently. Cybersecurity resources are tight for governments everywhere, but we hope member states allocate what they can. To this end, partnerships are key. The Directive gives ENISA a variety of roles, such as, if needed, helping member states develop their strategies and establish CSIRTs. If member states also take advantage of the considerable industry expertise that exists, we can all improve cybersecurity more quickly.

We commend European policymakers for taking steps to put cybersecurity front and center. Moving forward, member states’ activities to implement the Directive will vary, given their different levels of preparedness. Some, notably Germany, France and the Netherlands, have worked on cybersecurity for years and introduced or passed their own cybersecurity laws in advance of the NIS Directive. They may need only to make small adjustments to align with the Directive’s minimum requirements, if at all. Other member states will benefit more substantively from the Directive’s guidance. Ultimately, the more all EU member states can raise the collective bar the more the global digital infrastructure will benefit.

[Palo Alto Networks Research Center]

NSS Labs Releases Data Center IPS Report – Recommends Palo Alto Networks

It’s exciting when we’re recognized in the market as the security vendor customers can count on to protect their users and their data. Now, we have a third-party report that publicly corroborates what our customers have been saying: that Palo Alto Networks is effective when it comes to protecting the data center.

Today, NSS Labs published results from their 2016 Data Center Intrusion Prevention Systems (DCIPS) group test, and granted Palo Alto Networks their “recommended” rating. Most notable within our results report:

  • 100% effectiveness rating against all evasion techniques tested
  • 94.2% overall exploit block rate
  • Only 3 false positive triggers

I invite you to read through our report, and more importantly, look through the configurations used during this test.

NSS Labs’ test rules allow vendors to configure their devices before the test but not during, which means that vendors must configure products to account for both performance and security, as this is the typical balance most customers must make when deploying security products in the data center. We configured our PA-7050 for this test using the defaults that a large portion of our customers use every day to protect their applications, users, and data. We encourage you to review our test configurations so you can see for yourself how our PA-7050 managed to achieve 94.2 percent security effectiveness and 30 Gbps, and compare them to the test configurations of other vendors who participated for complete context behind the comparative results of this test.

Protecting the data center is not new for us – we’ve been protecting data centers around the world from threats for the better part of a decade by addressing multiple stages within the attack lifecycle. Today we have the PA-7000 Series NGFW: two massive chassis that address the increased traffic throughput requirements of large data centers and service providers without sacrificing security.

How do we accomplish this? We take advantage of every opportunity to identify and stop an attack in as few traffic scans as possible.

Exploitation makes up one stage of the attack lifecycle. As our security score shows, we do a great job blocking exploits at the network level. But we’re also excellent at blocking subsequent attack stages, such as malware installation and command-and-control (C2). What you may not know is that anti-malware and C2 protection is grouped in with our platform’s IPS capabilities, so our performance results on this test are indicative of security beyond the exploit stage against which it was tested. Along with exploits, our platform blocks malware and C2 communication without additional performance degradation, software, or appliances. This approach has been one of the driving forces behind Palo Alto Networks’ success in protecting the data center.

Attack surface reduction is critical in keeping threats at bay: complete visibility into the applications that comprise data center traffic, and the ability to granularly control which applications you want to allow and what kind of content they’re allowed to bring into and out of the data center. When you combine this with identifiable users – not just IP addresses, but actual user names – you further limit the opportunity attackers have to infiltrate your data center by allowing only certain users and user groups to access certain data via certain applications. While the focus of this particular test is on our IPS’s ability to block known exploits – which we clearly do well – and not on attack surface reduction, Palo Alto Networks has long known that reducing the attack surface through these mechanisms is the first step in effectively securing data center assets.

This latest NSS Labs DCIPS test report validates not only that blocking attacks at the exploit stage is an important tactic in preventing them, but also that our prevention technology stands up tall against data center threats and traffic loads. We hope that in sharing our test configurations, we can provide valuable information to practitioners that will help them achieve a similarly strong preventive stance against evasions and exploits in their data centers.

Read the full NSS Labs DCIPS test report.

[Palo Alto Networks Research Center]

Life (and Your Career) Is Not a Spectator Sport

Jackie Robinson, the world-famous baseball star, once said, “Life is not a spectator sport. If you’re going to spend your whole life in the grandstand just watching what goes on, in my opinion, you’re wasting your life.”

Your career and mine may not have the cultural significance that Jackie’s did, but how many of us accidentally, or metaphorically, spend our lives or careers in the comfort zone of the grandstands? Watching and waiting for something to happen. We turn and talk to our fellow grandstanders about what “woulda, shoulda, coulda” been. They silently concur and resume watching, waiting.

“And then one day you find ten years have got behind you. No one told you when to run, you missed the starting gun.” –“Time” from the 1973 album Dark Side of the Moon by Pink Floyd

Some of the best, most rewarding things in our lives and our careers come in unexpected ways. We are taught that success and winning are everything. However, which one of two equally talented individuals learns more and works harder to improve:  the person who makes the game-winning play or the person who fails? The winner is carried off on teammates’ shoulders. The non-winner walks alone. The winner may have been skilled, a good guesser or simply lucky, but the “learning moment” is lost in the jubilation. The driven non-winner will be reviewing video, talking to coaches and working on being better.

“Champions aren’t made in gyms. Champions are made from something they have deep inside them – a desire, a dream, a vision. They have to have the skill, and the will. But the will must be stronger than the skill.” –Muhammad Ali

My point is this:  Who do you think comes back stronger? Which one steps out of the grandstand and pushes harder? Delivers more? My second and more important point:  which one are you? Do you join an organization or company and then metaphorically sit in the safety of the grandstands? Or do you actively jump in with both feet and participate by stepping out of your comfort zone?

And Now, a Short, But Related Story
I joined ISACA because a friend, the chapter president, asked me to help him do more with the local chapter. As a chief technology evangelist/CIO, it was not at the top of my list of organizations to join, much less be on its board. In my time running large IT shops, I worked closely with a lot of internal and external auditors – some good, some not so good. In my head, my confirmation bias (the tendency to search for, interpret, focus on and remember information in a way that confirms one’s preconceptions) kicked in, and I still saw ISACA as simply an “IT auditing” organization. It is a reasonable assumption that auditors have a similar opinion or bias toward IT professionals.

Over the first few months, while I familiarized myself with the global ISACA organization, its offerings and its direction, a funny thing happened. The people were very giving and sharing. They freely talked about the challenges of being “perceived as a burden,” a “tax collector,” and as “paper tigers.” They wanted to do their jobs as well as they could for their companies and clients. They were very open to understanding the perspective of a “recovering CIO.” Constructively, I gave them both barrels from the IT perspective. Instead of wincing or recoiling defensively, they leaned in and said, “How can we (IT, info sec, the business, and audit) work better together?”

Well folks, I have to admit, I am a sucker for anyone attempting to focus on the business or people side of the equation and work together for the betterment of the business organization. So, I jumped out of the grandstands, gulped down the Kool-Aid, and said, “Put me in, coach!” I became much more involved in several areas beyond those assigned to me. The personal growth was incalculable. Not only did I get some very fresh perspectives on stale thoughts, but I also gained a renewed sense of adventure. Yes, adventure with auditors! This new sense of adventure culminated in March when our chosen delegate to the 2016 ISACA Global Leadership Summit was injured and the chapter turned to me. My old reaction would have sounded a little like, “Um, let’s see…um…400 auditors you say?… three days?…oh, yeah, I just remembered…”

Instead, I went to the Lisbon event and found 400 chapter leaders from over 80 countries, all attempting to “make things better.” It was three days of work, but I met some really extraordinary individuals from around the globe. Their insights and approaches to challenges, challenges the normal American would never face, were simply inspiring. That combined with a global organization attempting to reinvent itself and address the needs of the new era by reaching out to professionals, members, etc., made the experience a truly rewarding one.

NONE of these great experiences would have happened had I sat and watched from the grandstands.

The meta-message:
Changing up US President John F. Kennedy’s famous quote a little, my advice is this:

“Ask not what an organization can do for you, but rather what you can do for the organization.”

Pick one organization inside or outside your comfort zone. Join. Contribute. Expand. Excel!

Editor’s note: Blair Baker serves as 1903 Solutions’ chief technology evangelist, ghost-executive, catalystic optimizer, interdepartmental liaison, speaker and coach.

Blair Baker, Chief Technology Evangelist /CIO, 1903 Solutions LLC

[ISACA Now Blog]

A Quick Update On Our LabyREnth CTF Challenge

Congratulations to those who solved an introductory challenge hidden in our initial LabyREnth announcement!

If you decode the binary in the Palo Alto Networks logo on http://labyrenth.com, you get the following ASCII message:

“For reals yall. Has anyone really been far as decided to use XOR even go want to do look more like? You’ve got to even have been kidding me with this PAN. I’ve been further even more decided to use even go need to do look more as anyone can for Rules and even more than Prizes have been the Overviews. Can you really be far from Ordering even as decided half as much to use Digits go wish for that?”

This message gives you a clue about how to decode the rest of the binary code. If you notice, certain words are capitalized: XOR, PAN, Rules, Prizes, Overviews, Ordering and Digits. If you take the binary from the digits in the countdown clock, in order from 0 through 9, and XOR them with the key PAN, you’ll get the URL for the Overview, Rules, and Prizes pages.
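The decoding step the clue describes, written out as an added example (this is not code from the LabyREnth post or from Palo Alto Networks): the bit fragments from the clock digits are concatenated in order 0 through 9, grouped into bytes, and XORed against the repeating key PAN. The clock fragments and the URL below are constructed for the example, not the real challenge data.

```python
"""
Added example, not part of the original post.
Decodes a bit string the way the LabyREnth clue describes: concatenate the
fragments from clock digits 0..9, group the bits into bytes, XOR with "PAN".
The sample clock contents and the URL are constructed here, not taken from the site.
"""
from itertools import cycle

KEY = b"PAN"  # the key named in the clue


def bits_from_clock(chunks: dict) -> str:
    """Concatenate per-digit bit fragments in order 0 through 9, as the clue instructs."""
    return "".join(chunks[d] for d in sorted(chunks))


def bits_to_bytes(bits: str) -> bytes:
    """Turn a string of '0'/'1' characters (whitespace ignored) into bytes."""
    digits = "".join(ch for ch in bits if ch in "01")
    if len(digits) % 8:
        raise ValueError(f"bit string length {len(digits)} is not a multiple of 8")
    return bytes(int(digits[i:i + 8], 2) for i in range(0, len(digits), 8))


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_clue(bits: str, key: bytes = KEY) -> str:
    """Bits -> bytes -> XOR with key -> ASCII text."""
    return xor_with_key(bits_to_bytes(bits), key).decode("ascii")


def encode_clue(text: str, key: bytes = KEY) -> str:
    """Inverse of decode_clue; used here only to build the constructed sample puzzle."""
    return "".join(f"{b:08b}" for b in xor_with_key(text.encode("ascii"), key))


def split_into_clock(bits: str, n: int = 10) -> dict:
    """Spread a bit string over n clock digits (constructed puzzle layout, not the site's)."""
    size = -(-len(bits) // n)  # ceiling division
    return {d: bits[d * size:(d + 1) * size] for d in range(n)}


# Constructed sample: a placeholder URL, not one of the real challenge pages.
SAMPLE_URL = "http://example.invalid/overview"
SAMPLE_CLOCK = split_into_clock(encode_clue(SAMPLE_URL))

if __name__ == "__main__":
    for digit, fragment in sorted(SAMPLE_CLOCK.items()):
        print(f"digit {digit}: {fragment}")
    print("decoded:", decode_clue(bits_from_clock(SAMPLE_CLOCK)))
```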

As you can see, we’ll be giving away $16,000 in cash prizes, and participation prizes for anyone who finishes a track or all of the challenges. We hope you enjoy the LabyREnth challenge!

The challenge will start on Friday July 15, 2016, at 4pm PST and will run until August 14, 2016, at 11:59pm PST.

Follow the countdown at LabyREnth, and check out the overview of the challenge. Information about the rules and prizes is also there, if you are clever enough to find it! We’ll announce updates here on the blog and through Twitter: @unit42_intel, @wartortell, and #labyrenth.

[Palo Alto Networks Research Center]
