Four Imperatives for Cybersecurity Success in the Digital Age: Part 3

Having joined Palo Alto Networks following a 35-year career in the U.S. military, the past decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, I have found that many of the cybersecurity challenges we face from a national security perspective are the same in the broader international business world.

This blog post series describes what I consider to be four major imperatives for cybersecurity success in the digital age, regardless of whether your organization is a part of the public or private sector.

In my first two blogs, I covered Imperatives #1 and #2. Here are the major themes for each imperative:

  • Imperative #1 – We must flip the scales (published February 16, 2016)
  • Imperative #2 – We must broaden our focus to sharpen our actions (March 12, 2016)
  • Imperative #3 – We must change our approach
  • Imperative #4 – We must work together

Imperative #3 – WE MUST CHANGE OUR APPROACH

Before I get to the details, allow me to review some background and context, and then provide an executive summary of Imperative #3 in case the reader is pressed for time.

As a reminder from my previous two blogs, I use the four factors in Figure 1 to explain the concept behind Imperative #3 in a comprehensive way.

Figure 1

  • Threat: This factor describes how the cyberthreat is evolving and how we are responding to those changes.
  • Policy and Strategy: Given our assessment of the overall environment, this factor describes what we should be doing and our strategy to align means (resources and capabilities – or the what) and ways (methods, priorities and concepts of operations – or the how) to achieve ends (goals and objectives – or the why).
  • Structure: This factor includes both organizational (human dimension) and architectural (technical dimension) aspects.
  • Tactics, Techniques and Procedures (TTP): This factor represents the tactical aspects of how we actually implement change where the rubber meets the road.

In this third blog of the series, I’d like to describe Imperative #3 using the concept model outlined above and step through the implications.

Figure 2

EXECUTIVE SUMMARY:

What we have been doing in the past simply isn’t working. We MUST change our approach!

The first change in approach is to move away from a focus on known threat signatures toward a focus on suspicious activity in order to make unknown threat signatures known as rapidly as possible. We must scale the discovery of indicators of compromise through automation, determine in near real time that malicious techniques are being employed, produce mitigations for those bad techniques, and automatically push them out to adjust the security posture of our networks and devices. Doing so imposes increasing costs on adversaries because it forces them to change their entire breach playbooks.

Next we must change our policies and strategies, recognizing that detection and response, while critical cybersecurity functions, are insufficient to resolve the problem on their own. It takes a strong prevention mindset, policies driven by the organization’s leadership, and accompanying strategies that align resources and methods to achieve the desired results.

An effective prevention-first policy also requires a change in architecture: evolving from the legacy view that security is achieved by bolting a collection of independent point solutions onto an organization’s network enterprise, toward a natively integrated platform approach. Each point solution looks at a different “piece” of the attack lifecycle and generates an enormous volume of alerts, mostly false positives, which creates a great deal of work. Because none of the point solutions are natively integrated to communicate with each other, assembling the whole threat picture takes a lot of equipment, bandwidth, time, people and money. Next-generation technology is designed to look at the entire lifecycle as a whole in a single pass, and it leverages automation to alert only on threat playbooks and block them across the network enterprise.

Finally, at the procedural and technique level, there is magic in leveraging automation in ways we have not thus far. Traditionally, in a “detect and respond” approach, we measure our “incident response” in days, weeks and months because we rely almost exclusively on human decision-making and manual action. We must change our approach so that we leverage automation wherever we can and reserve the slower, manual procedures for what only humans must do, or are best suited to do. Automation in an integrated platform approach reduces your workload, gives you better visibility of potential attackers, and safely enables your organization to carry out its critical business functions.

DETAILED DESCRIPTION OF IMPERATIVE 3:

THREAT

So here’s the first important change in approach. We have to move from focusing on known threats and signatures to an approach that focuses on UNKNOWN threats … or at least making unknown threats known as quickly as possible (hopefully in near real time) so that we can then do something about them.

We have a problem that is giving today’s cyberthreats a significant advantage over our ability to secure and defend our networks. This problem pits a growing adversary marketplace that leverages information sharing, automation and the cloud at increasing speed and decreasing costs against an oftentimes slow, clumsy, manual and increasingly expensive cybersecurity community. Here’s where we can begin to get ahead and increase the cost to cyber adversaries.

If we can begin to scale the discovery of indicators of compromise through automation, determine that there are “bad” techniques being employed in near real time, produce mitigations for those bad techniques, and automatically push them out to adjust the security posture of our networks and devices, then we can begin to make a dent in adversaries’ agility, flexibility and scale.

Remember, making an unknown threat known in a matter of minutes still means that something got through before it was discovered. But if you can do that in near real time, the attack lifecycle works in your favor: it usually takes more than a few minutes for an adversary to step through every stage of a playbook and achieve the final goal. The lifecycle requires almost any cyber actor to first gather information and perform reconnaissance, then conduct the initial compromise, then lay down an exploit or inject malware, establish command and control, move through the network with escalated privileges to reach the right location, and finally achieve the objective, whether that is exfiltration of information, disruption, deception or destruction.

This takes time – usually at least hours, but it can take days, weeks and even months depending on how stealthy a cyber actor wants to be.

So focusing on turning unknowns into knowns as quickly as possible forces the adversaries to change their entire playbooks at a rate that begins to put them on the wrong side of the problem.

POLICY and STRATEGY

I believe this next point is critical if we want to deal effectively with something that not only threatens our national security but also threatens our international stability and economic vitality. As a community we have traditionally taken an approach that focuses on detection and response. I’m not making light of those functions (detection and response) because they are, no doubt, vital. But they are insufficient. We are never going to get ahead of the problem if we don’t change our approach to focus first on prevention, while also having good detection, response and resilience in place.

I believe this imperative starts at the leadership level of any organization; and, therefore, I include it as a policy category. Once leadership buys in, the challenge is to turn a policy of prevention into a viable strategy and align any organization’s limited resources with effective methods to achieve our goals and objectives.

ARCHITECTURE

If you accept the change in approach to focus on prevention in addition to detection and response, how do you make that happen? Is it possible? I wouldn’t be in this job if I didn’t believe that not only is it possible but this imperative for change is driving the way our technology works at Palo Alto Networks right now!

And here’s the key to success from an architecture point of view: we must move away from a legacy set of isolated point solutions, scattered throughout the network architecture and normally installed in a “bolted on” model. In that model, network security solutions don’t talk to each other and can’t be integrated without a considerable amount of complexity, friction, bandwidth, energy and time-consuming procedures. Pinning your hopes on stopping threats with an endless list of known signatures usually means you’re always in the business of cleaning up the disaster instead of preventing it in the first place.

Let me paint a picture for you that our Regional CSO for Europe and the Middle East, Greg Day, developed. It’s very easy and low cost for an attacker to change just the one characteristic that a signature keys on and reuse all the rest of a threat playbook. If we use a picture of an adversary’s face as an example, this is the equivalent of changing the person’s eye color so you don’t recognize the face anymore.

Breaches, intrusions and attacks happen at CPU speed, so this “picture of a face” is typically changing thousands of times in a minute. You need to be able to recognize the whole face. If you can do that, then even if the threat changes one characteristic of the lifecycle or breach playbook, you can still spot the adversary by recognizing the whole face and blocking the person.

If you can do that, then it’s very expensive and hard work for attackers to change their approach because they would have to change all the characteristics of their entire face (all the stages of their playbook for a breach). That’s hard for them and expensive. So they are likely to go try somewhere else where their entire breach playbook or lifecycle is not blocked.

But this is typically what happens now, using various point solutions for the different facial features (sticking with the face example). So let’s say you have a threat with multiple stages of a breach playbook (a face with multiple features). And we have all these defenses, which are different tools designed to detect different aspects of a breach. These point solutions include legacy firewalls, URL filtering, antivirus, IPS, sandboxing, IDS, SSL decryption, and many more.

The different tools generate hundreds or even thousands of alerts. Most of them are false positives. Think about all the analysis you must employ to sift through them. This high workload exists because different parts of this security stack all produce alerts independently from each other.

There is a better approach in which all of the detection capability is built into a single platform that is designed from the start to work together, not retrofitted. This approach looks at the big picture – all the characteristics at once. This approach also “self-learns” in near real-time.

Here’s what I mean by being designed to work together. In the point solution model, the information about a suspected cyberthreat goes to the first component (say, AV) and is unpacked so that it can be inspected and a response created. After inspection, the unpacked version is discarded and the package is passed on to the next component (say, URL filtering), where it is unpacked and discarded again…and again…and again.

In the first place, doing this unpacking many times is expensive because it is resource hungry and it’s been done over and over again. You need a lot of hardware to support this approach.

Secondly, it’s very difficult to manually correlate the results from each of the inspections to look at the context of what you have found – to form the big picture. Incidentally, 30 percent of traffic coming into networks today is encrypted, which makes the unpacking process even harder. This manual multi-pass approach is slow.

We must change from this approach to an “integrated platform” approach. The key is to natively integrate network security, endpoint device security, and an analytical backbone that feeds both with near real-time discovery of previously unknown threat signatures. Together, these enable an organization to actually prevent adversaries from stepping through the attack lifecycle process and completing their intended objective. This is possible with an integrated platform approach.

That means the unpacking happens once, and all the cyber breach characteristics are searched for afterward. That means it’s automated and fast. Instead of alerting every time a suspicious characteristic is found, it looks at the big picture, only alerting when there is high confidence that an actual breach is taking place – when there is high confidence that there is a match to the entire face instead of just one of many facial features.

As well as alerting you, it blocks all the combinations of what your adversary is trying to do. It does this by self-learning and reprogramming itself. It can only do this because of the speed at which it operates. The result is fewer alerts to deal with, better visibility of what is happening, and automated blocking or prevention actions taking place.
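To make the “whole face” argument concrete, here is an added example (not code from the post or from Palo Alto Networks) that correlates events across the lifecycle stages listed in the Threat section. It contrasts the point-solution model, which raises one alert per suspicious characteristic, with a playbook correlator that raises a single alert per host only when several distinct stages are observed within a time window. The log format, hosts and events are constructed sample data.

```python
"""
Added illustration: per-feature alerting versus whole-playbook correlation.
Stage names follow the attack lifecycle the post describes. Everything here,
including the log format and the sample events, is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Lifecycle stages in the order the post lists them.
STAGES = ["recon", "initial_compromise", "exploit", "c2", "lateral_movement", "objective"]

# Constructed sample log: "<ISO timestamp> <host> <stage> <detail>".
SAMPLE_LOG = """\
2016-03-30T09:02:10 workstation-7 recon inbound_port_scan_from_external
2016-03-30T09:05:44 fileserver-2 recon vulnerability_scanner_sweep
2016-03-30T09:11:03 workstation-7 exploit macro_document_spawned_powershell
2016-03-30T09:14:27 workstation-7 c2 periodic_beacon_to_uncategorized_domain
2016-03-30T09:20:51 workstation-7 lateral_movement smb_admin_share_login
2016-03-30T10:00:00 laptop-3 c2 dns_txt_query_burst
2016-03-30T12:15:00 laptop-3 exploit unsigned_driver_load
"""


def parse_event(line):
    """Parse one constructed log line into a dict; reject unknown stage names."""
    ts_str, host, stage, detail = line.split(" ", 3)
    if stage not in STAGES:
        raise ValueError(f"unknown lifecycle stage {stage!r}")
    return {"ts": datetime.fromisoformat(ts_str), "host": host, "stage": stage, "detail": detail}


def point_solution_alerts(events):
    """Legacy model: every suspicious characteristic produces its own alert."""
    return [f"{e['host']}: {e['stage']} ({e['detail']})" for e in events]


def playbook_alerts(events, min_stages=3, window=timedelta(minutes=30)):
    """Integrated model: at most one alert per host, raised only when at least
    min_stages distinct lifecycle stages are seen for that host inside the window."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        # Slide a window starting at each event; stop at the first qualifying match
        # so a multi-stage intrusion yields one alert, not one per feature.
        for i, start in enumerate(evs):
            stages = {ev["stage"] for ev in evs[i:] if ev["ts"] - start["ts"] <= window}
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host,
                    "stages": sorted(stages, key=STAGES.index),
                    "first_seen": start["ts"],
                })
                break
    return alerts


def run_demo():
    """Return (noisy_alerts, focused_alerts) for the constructed sample log."""
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines()]
    return point_solution_alerts(events), playbook_alerts(events)


if __name__ == "__main__":
    noisy, focused = run_demo()
    print(f"point-solution alerts: {len(noisy)}")
    for a in focused:
        print(f"playbook alert: {a['host']} stages={a['stages']} first_seen={a['first_seen']}")
```

On the sample data the single recon hit on fileserver-2 and the two far-apart events on laptop-3 never reach the playbook threshold, while workstation-7, which shows four stages in eighteen minutes, produces exactly one alert.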

TTP

Down where the rubber meets the road at the tactical, procedural level, here’s the other key to successfully moving from a legacy to a “next generation” approach. We are taking a page from the threat itself with this imperative for change. Today’s advanced threats, even the modestly advanced ones, don’t operate at manual speed. They operate at the speed of automation.

The threat is always going to beat our manual efforts to defend when they leverage automation and cloud to come at us in “nth degree” permutations of code adjustments (like changing different facial features thousands of times a minute), and that’s exactly what they do. We have to do the same thing to gain an advantage over the threat and change our approach from a procedural point of view.

Traditionally, in a “detect and respond” approach, we measure our “incident response” in days, weeks and even months because we rely almost exclusively on human decision-making and manual action. However, when it comes to the issue of human-based, manual action versus leveraging the power and scale of automation, we must change our approach so that we leverage automation wherever we can and reserve the slower, manual procedures for what only humans must do, or are best suited to do.

Here, cloud capabilities are vital. This can raise concerns regarding a number of issues, so we believe that you have to allow for different types of cloud options, such as true cloud versus on-premises cloud capabilities.

So how do you make sure that this model can scale to whatever shape and size your organization will grow to? Remember, current organizations take different products from different vendors to look for the different characteristics that adversaries might use. And they try to integrate these in some way, mostly using manual procedures and people to look at the different alerts. That’s labor- and resource-intensive and focused on detecting and responding after they have been breached.

The use of automated procedures and techniques in an integrated platform approach can reduce your workload and give you better visibility of potential attackers. This is the capability of next-generation technology, and it helps an organization to securely manage traffic coming into the network so that critical business functions can go on uninterrupted. This is a big step toward prevention and state-of-the-art cybersecurity.

CONCLUSION:

Imperative #3 is about changing our approach:

  1. From a threat focus on known signatures to suspicious techniques and making unknown signatures known rapidly.
  2. From a policy and strategy focus on detection and response to prevention first.
  3. From an architectural structure focus on retrofitted legacy point solutions that don’t communicate effectively or efficiently to a natively integrated platform.
  4. From a procedure/technique focus on human-based manual action to automated action.

Taken together, these four different factors represent an imperative for future change if we want our cybersecurity efforts to be successful in the digital age, so that we can continue to place our trust in the digital environment while more effectively managing the growing risks associated with that same environment.

The final blog in this series will be about the tremendous advantage that the cybersecurity community can gain by leveraging a strong team approach and building effective partnerships because, in today’s advanced threat environment, you simply cannot go it alone and be successful.

Written by John A. Davis, Major General (Retired) United States Army, and Vice President and Federal Chief Security Officer (CSO) for Palo Alto Networks

[Palo Alto Networks Research Center]

Cloud Security Alliance Releases Results of Software-Defined Perimeter Hackathon

CSA, the World’s Leading Cloud Organization, Collaborated with Verizon and Vidder To Validate Security and Feasibility of High Availability Public Cloud Architecture at Fourth Annual CSA Hackathon at the RSA Conference 2016

SEATTLE, WA – March 31, 2016 – The Cloud Security Alliance (CSA) today released The Software Defined Perimeter (SDP) Hackathon #4 Report: High Availability Public Cloud Research. The report is based on the findings and key learnings from the fourth annual Hackathon held by CSA’s SDP Working Group during the RSA Conference 2016, held last month in San Francisco. Conducted over a four-day period, the goal of this year’s Hackathon was to validate the concept of creating a high availability application environment by combining the compute resources of multiple public clouds. With the support of Verizon and Vidder, the contest was designed to challenge the preconceived notions of public cloud security and reliability.

Jim Reavis, CEO of the CSA, commented, “We would like to thank Verizon and Vidder for their leadership, resources and support in this year’s Hackathon. We are encouraged and pleased that it worked to validate the SDP working group’s theory that a high availability application infrastructure can be created for mission critical applications by combining multiple public clouds.”

In this fourth iteration of the Hackathon, Verizon helped define the architecture to ensure it reflected real-world conditions. The architecture included Vidder’s PrecisionAccess SDP Gateways deployed in two different public clouds, providing access to a redundant application located in a third cloud. To monitor contest activity, Vidder deployed its Insight real-time monitoring system to identify attackers. While this Hackathon saw a significant increase in the number of highly sophisticated attacks, the result was that no attacker was able to breach the SDP gateway, even though they were provided a full packet capture of a valid connection.

Get the report

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunictions.com

About Vidder

Vidder PrecisionAccess™ isolates the protected applications from all networked users and devices, connecting only authorized users and trusted devices to applications they are authorized to access. The resultant new paradigm enables enterprises to achieve agility with security, augmenting cloud migration and business ecosystem collaboration, while reducing risk for traditional IT. PrecisionAccess is the industry’s first and most widely deployed solution based on the Software-Defined Perimeter (SDP) framework for advanced access control promoted by the Cloud Security Alliance (CSA). In 2015, Gartner named Vidder a Cool Vendor in Cloud Security Services. The company’s headquarters are in Campbell, Calif. For more information, visit http://www.vidder.com.

[Cloud Security Alliance News]

Four Security Solutions Not Stopping Third-Party Data Breaches

A new breed of cyberattack is on the rise. Although it was practically unheard of a few years ago, the third-party data breach is rapidly becoming one of the most infamous IT security trends of modern times: Target, Home Depot, Goodwill, Dairy Queen, Jimmy John’s and Lowes are just a few of the US companies to have lost massive amounts of customer records as a result of their contractors’ usernames and passwords falling into the wrong hands.

What went wrong? Hackers have started to see contractors as the easy way into their targets’ networks. Why? Because too many organizations are still using yesterday’s security solutions, which weren’t designed for today’s complex ecosystems and distributed (read cloud-based) applications and data.

Here are four examples of solutions that, in their traditional forms, simply aren’t capable of stopping third-party data breaches. Could your company be at risk?

1. Firewalls and Access Control Lists
Many organizations still control traffic flow between network segments in the same way they’ve done for decades: with firewalls and access control lists (ACLs). Unfortunately, security in the modern age isn’t as simple as just defining which IP addresses and ranges can access which resources.

Let’s say you have a single VPN for all of a department’s workers and contractors, with every authenticated user getting a DHCP-allocated IP address. Your firewall rules are going to have to be wide open to suit the access needs of each user on the IP range, and yet you’re not going to be able to trace suspicious activity back to a particular account and machine.

It’s also a lot of work for your IT department to set up and maintain complex firewall rules across the entire organization, so it’s not unlikely that they’ll make mistakes, respond slowly to employee departures, and leave access more open than it should be.

2. Authentication and Authorization
Leading on from this, another problem with ACLs is that they generally rely on static rules, which in no way account for the security risks of today’s distributed workforces. A username and password pair will unlock the same resources whether used from a secure workstation at a contractor’s premises or from an unknown device on the other side of the world.

Authentication and authorization rules should be dynamic rather than static, and adjusted on the fly according to the risk profile of the connection. One of your contractors needs remote access to a management network segment? Fine – but only if they use a hardened machine during office hours. If the context of their connection is more suspicious, you might consider two-factor authentication and more limited access.
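The dynamic rules described above can be written down as a policy function. The following is an added example, not code from the post or from Cryptzone or AppGate; the risk points, office hours, segment names and sample connections are constructed assumptions for the example.

```python
"""
Added illustration: context-aware authorization versus a static ACL.
A static ACL returns "allow" for any valid username/password pair. The policy
below adjusts the decision to the risk profile of the connection instead:
contractors reach the management segment only from a hardened machine during
office hours, and riskier contexts are pushed to a second factor or to limited
access. All thresholds and scenarios here are constructed for the example.
"""
from dataclasses import dataclass
from datetime import time

OFFICE_HOURS = (time(8, 0), time(18, 0))  # assumed local office hours


@dataclass(frozen=True)
class Connection:
    user: str
    role: str              # "employee" or "contractor"
    device_hardened: bool  # posture check passed (disk encryption, EDR, patch level)
    known_device: bool     # device previously enrolled or seen for this user
    source_trusted: bool   # e.g. contractor premises or corporate address space
    local_time: time
    mfa_passed: bool       # second factor already completed for this session


def in_office_hours(t):
    return OFFICE_HOURS[0] <= t <= OFFICE_HOURS[1]


def risk_score(c):
    """Constructed risk points; a higher score means a more suspicious context."""
    score = 0
    if not c.device_hardened:
        score += 3
    if not c.known_device:
        score += 2
    if not c.source_trusted:
        score += 2
    if not in_office_hours(c.local_time):
        score += 1
    return score


def authorize(c, segment):
    """Return (decision, reason) where decision is one of
    'allow', 'allow_limited', 'step_up' or 'deny'."""
    score = risk_score(c)
    if segment == "management":
        if c.role == "contractor":
            if not c.device_hardened:
                return ("deny", "contractor management access requires a hardened device")
            if not in_office_hours(c.local_time):
                return ("deny", "contractor management access is limited to office hours")
        if score > 0 and not c.mfa_passed:
            return ("step_up", "elevated risk context: second factor required")
        return ("allow", "management access granted")

    # Ordinary segments: tighten progressively instead of a flat yes/no.
    if score >= 5:
        return ("deny", "connection context too risky for any access")
    if score >= 2:
        if not c.mfa_passed:
            return ("step_up", "second factor required before access")
        return ("allow_limited", "second factor passed; limited scope only")
    return ("allow", "low-risk context")


# Constructed scenarios exercising each branch of the policy.
SCENARIOS = {
    "contractor_ok":        (Connection("c1", "contractor", True, True, True, time(10, 0), False), "management"),
    "contractor_late":      (Connection("c1", "contractor", True, True, True, time(22, 0), True), "management"),
    "contractor_soft_dev":  (Connection("c1", "contractor", False, True, True, time(10, 0), True), "management"),
    "employee_new_device":  (Connection("e1", "employee", True, False, False, time(10, 0), False), "intranet"),
    "employee_new_dev_mfa": (Connection("e1", "employee", True, False, False, time(10, 0), True), "intranet"),
    "employee_hostile":     (Connection("e1", "employee", False, False, False, time(23, 0), True), "intranet"),
}


def evaluate_scenarios():
    """Map each constructed scenario name to its policy decision."""
    return {name: authorize(conn, seg)[0] for name, (conn, seg) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, decision in evaluate_scenarios().items():
        print(f"{name:22s} -> {decision}")
```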

3. IPsec and SSL VPNs
More than nine in ten organizations (91 percent) still use VPNs – a 20-year-old technology – to provision remote access to their networks. It’s potentially their single greatest risk factor for third-party data breaches, because both IPsec and SSL VPNs are readily exploitable by hackers.

In an IPsec session, remote users are treated as full members of the network. Nothing is invisible – they have direct access to the underlying infrastructure. So, if they’re malicious, they can start digging around and looking for vulnerabilities in seconds.

SSL VPNs, meanwhile, deliver resources via the user’s browser. And what web application has ever been secure? Tricks like SQL injection and remote code execution attacks make it trivial for hackers to start widening their foothold on the network.

4. IDS, IPS and SIEM
Finally, a word on the technologies organizations use to detect data breaches. IDS, IPS and SIEM are generally mature and effective solutions that do the job they’re intended to do: identify suspicious activity on the network.

However, the combination of the antiquated technologies described above means that most networks are rife with false positives: legitimate users and harmless applications causing suspicious traffic in the network layer. Change this model, and IDS, IPS and SIEM systems might start to deliver more value. As it stands, though, they’re often resource-intensive and reactive rather than proactive, so they’re not really equipped to stop hackers in their tracks.

The Alternative to Prevent Third-Party Data Breaches
In the new world of pervasive internal and external threats, distributed organizations and global ecosystems, the perimeter is more porous and less relevant than ever. The old models simply aren’t working. We need to move from perimeter-centric, VLAN and IP-focused security to a model that focuses on securing the entire path from user to application, device to service – on a one-to-one basis.

That’s where solutions like AppGate, which enables organizations to adopt a software-defined perimeter approach for granular security control, are increasingly becoming must-have security solutions. AppGate makes the application/server infrastructure effectively “invisible.” It then delivers access to authorized resources only, creating a ‘segment of one’ and verifying a number of user variables and entitlements each session—including device posture and identity—before granting access to an application. Once the user logs out, the secure tunnel disappears.

Philip Marshall, Director of Product Marketing, Cryptzone

[Cloud Security Alliance Blog]

A Tool to Help You Develop Your Cybersecurity Career

We’ve all heard that cybersecurity is a booming field. But sometimes it can be challenging to know career-wise where to begin, or how to take the next step.

The new CSX Career Road Map is a valuable educational tool for young professionals looking to jump-start or launch a career in the cybersecurity/information security field. The Road Map is comprised of three sections: your background, your current skills, and future goals and aspirations in the cybersecurity field.

The first stage takes you through basic information such as building your profile by providing your name, current job title, current role (technical or nontechnical), education level, years of relevant security experience, and any certification(s) you have earned. After completing this, there is a little circle below which tells you which level on the CSX certification path you are currently at and what the actual path is.

The second stage consists of your current skills. It asks you what managerial and soft skills you have. After entering the information, the tool tells you how many job titles you qualify for. This is an awesome feature.

The job titles also include nice descriptions so that you will know exactly what each entails and can compare that against where you want to go in cybersecurity. At this stage, you should have a good idea of what job you can be looking for in the market if you are not yet employed. However, if you are already employed, this stage gives you a good idea of what you should be responsible for in your current cybersecurity role, as well as some alternate areas to consider pursuing.

The third stage helps you determine where you want to be in the future in the cybersecurity field based on the path that appeals to you most (managerial/technical). It gives you a list of future job considerations and development goals that you can choose from to reach your goals.

Since I currently work as an information security analyst—the equivalent of a cybersecurity practitioner in the CSX Career Road Map tool—I was able to determine where I am now and where I am supposed to be next in my cybersecurity/information security career.

Another great feature of the CSX Career Road Map is that it gives you a great level of detail on suggested potential roles, which may help you discover new roles you might be interested in pursuing. Importantly, it also tells you possible certifications to earn in order to strengthen your path to a successful cybersecurity/information security career. Certifications are really important in the cybersecurity field in order to validate your skills. With that, I was able to see what certification I need to earn in order to get to an information security manager (ISM) role. It also gives hints on what to do to achieve your development goals.

Overall, this is an awesome tool that provides very valuable information. It will not only help many young professionals starting their careers in cybersecurity find out what to do and where to start, but it will also help practitioners like me who are already in the field figure out how to advance to the next level to better identify, protect, detect, respond and recover.

Yaro Sadek Tahirou, Information Security Analyst, Affinity Plus Federal Credit Union

[ISACA Now Blog]

Customer Spotlight: Travel Service Takes Cybersecurity to a Whole New Place

Schauinsland-Reisen, an independent travel agency based in Duisburg, Germany, is the seventh largest package tour operator in Germany and currently offers travel services to over 60 travel destinations. This nearly 100-year-old company, with a team of over 300, provides excellent customer service, but with a growing web business and a network of over 11,600 partner travel agencies, Schauinsland-Reisen saw a steady rise in cyberthreats.

Unfortunately the company’s Linux-based firewall and antivirus software did not provide adequate protection of critical network assets and endpoint devices. Since implementing the Palo Alto Networks Next-Generation Security Platform, Schauinsland-Reisen has seen a dramatic improvement in network visibility and intrusion prevention.

The platform, consisting of Palo Alto Networks Next-Generation Firewall, Threat Intelligence Cloud, and Advanced Endpoint Protection, blocks daily cyberattacks while ensuring the smooth flow of legitimate network traffic, and also proactively guards against new cyberthreats and prevents damaging code transported by malicious emails and applications from infecting its endpoint devices.

Schauinsland-Reisen is happy to now have a comprehensive, end-to-end cybersecurity platform to protect its business and assure travel customers that their private information is safe on Schauinsland-Reisen’s systems.

“The Palo Alto Networks Next-Generation Security platform opened a whole new universe of options for us. We could finally see how many cyberattacks were coming in from the web every day. It was quite alarming,” Michael Mrugowski, technology team leader at Schauinsland-Reisen comments. “Yet, having the Palo Alto Networks security platform in place, we can say with certainty that compromises to our network are being effectively prevented.”

Read the full case study in English or German.

[Palo Alto Networks Research Center]
