Cloud Security Alliance and Palo Alto Networks Release Security Considerations for Private vs. Public Clouds

By Larry Hughes, Research Analyst, Cloud Security Alliance

Cloud computing has the potential to enhance collaboration, agility, scale and availability, and provides opportunities for cost reduction through optimized and efficient computing. The cloud trend presents a momentous opportunity to revisit not only how we think about computing, but also how we think about information security.

The Cloud Security Alliance (CSA) recently teamed up with Palo Alto Networks to produce a new whitepaper titled, “Security Considerations for Private vs. Public Clouds.” For purposes of definition, a public cloud deployment occurs when a cloud’s entire infrastructure is owned, operated and physically housed by an independent Cloud Service Provider. A private cloud deployment consists of a cloud’s entire infrastructure (e.g., servers, storage, network) owned, operated and physically housed by the tenant business itself, generally managed by its own IT infrastructure organization.

While the title of the paper implies a primary focus on security, we took the opportunity to expand the conversation and incorporate a wider set of considerations including:

  • Business and legal topics, including contracts, service level agreements, roles and responsibilities, and compliance and auditing. We touch on the importance of establishing principal business and legal feasibility early on in the process, before investing too much in technical requirements.
  • Physical and virtual attack surface considerations including a look at vulnerabilities that are accessible to would-be attackers.
  • Operational issues, including data migration, change management, logging, monitoring and measuring, and incident management and recovery, and the roles they play in determining which cloud deployment makes the most sense for an organization.

Cloud security is one of the most critical considerations, regardless of whether the deployment is public vs. private. But security is not black and white and no two companies looking to deploy a cloud infrastructure do so for exactly the same reasons. Wise organizations will take the long view and invest in security accordingly. As Thomas Edison once said, “Opportunity is missed by most people because it is dressed in overalls and looks like work.”

On Tuesday, June 23, Matt Keil, Palo Alto Networks Director of Product Marketing for Data Center, and I will be hosting a webinar to discuss the white paper in-depth and look at security considerations for public and private clouds.  For more information and to register for the webinar, click here.

For more information on CSA, please visit https://cloudsecurityalliance.org.

[Cloud Security Alliance]

Simplify Policy and Device Management in Panorama 7.0

As part of our PAN-OS 7.0 release, you can now take advantage of many new Panorama features designed to simplify policy and device management. Read more about them in the PAN-OS® New Features Guide Version 7.0 or read on for features that were hand-picked by our staff as having the biggest impact.

Device Group Hierarchy and Template Stacks

Are convoluted and outdated rulebases hindering your productivity? Now, it’s easier than ever to set, group, and manage rules by creating nested device groups in a tree hierarchy—with lower-level groups inheriting the policies and objects of higher-level groups—and template stacks, which push the combined settings of multiple templates to firewalls. These Panorama features empower you to organize firewalls based on function and location without necessitating a redundant configuration.

Read more >> Device Group Hierarchy and Template Stacks

Multiple Access Domains for Role-Based Access

As an administrator, your time is precious! That’s why we now enable you to control administrator access to information according to areas or levels of responsibility, providing you increased focus and context. Each Panorama Device Group and Template administrator can now have multiple access domains, each controlling access to device groups and templates, and each paired with an administrative role. This enables administrators to filter the Panorama web interface by domain.

Read more >> Role-Based Access Control

Import a Firewall Configuration into Panorama

If you’ve ever tried to migrate a configuration into Panorama, you might know that the process could be a bit tedious and complex. To alleviate this pain point, you can now import firewall configurations into Panorama and can also clone templates and template stacks. These features save you the effort (and headache!) of deleting, recreating, or renaming configuration elements when only a move or copy is needed.

Read more >> Firewall Configuration Import into Panorama

Log Redundancy Within a Collector Group

Logs provide visibility. They enable you to analyze and correlate network events so that you can detect and respond to threats effectively. In Panorama, you can now enable log duplication for a Collector Group to ensure that, if any one Log Collector becomes unavailable, no logs are lost: you can still display all the logs forwarded to the Collector Group and run reports for those logs.

Read more >> Log Redundancy Within a Collector Group

Can’t Get Enough of Panorama 7.0?

For more information about Panorama features in PAN-OS 7.0, check out the Panorama 7.0 Documentation page on the Technical Documentation Site, or select the 7.0 (under OS Version) and Panorama (under Product Category) facets on the Document Search page!

Happy reading!
Your friendly Technical Publications team

[Palo Alto Networks Blog]

US Executive Order on Information Sharing: A Government Security Leader’s Perspective

Recently, US President Barack Obama signed a new Executive Order to promote cyber security information sharing. As a government security leader and member of ISACA’s Government Relations and Advocacy Committee, I believe that this directive was significant because it demonstrates that government leaders can take bold steps to improve our security posture without an act of Congress. Some may argue that without legislative edicts, the new voluntary information sharing framework lacks the teeth to be successful. But I wholeheartedly disagree. As a longtime voluntary member of the Multistate Information Sharing and Analysis Center (MS-ISAC), I know from firsthand experience the value proposition of being part of an information sharing community, even one that is voluntary. If they build it, people will come, because in today’s threat-laden world, prompt access to actionable intelligence is vital.

So what does the Executive Order do? First, it elegantly expands the existing sector-based ISAC model to include regional and other information sharing constructs. In the order, all information sharing groups are collectively rebranded as Information Sharing and Analysis Organizations (ISAOs). The Executive Order also positions the National Cybersecurity and Communications Integration Center (NCCIC) to serve as the epicenter of ISAO information sharing. And finally, the order requires the adoption of consistent information sharing standards to be used by all ISAOs. Additional details can be found in the FAQ document on the White House website.

The US Department of Homeland Security is now soliciting feedback as it works to build out this new and vital link in our national security ecosystem. I am proud to report that I am one security leader who plans to belly up to the bar to lend my support because the more that we collaborate, the more secure we all will be.

As a member of ISACA, I am interested to hear your thoughts on this very important Executive Order.

Christopher P. Buse, CISA, CISSP, CPA
Chief Information Security Officer, MN IT Services

[ISACA]

Operation Lotus Blossom: A New Nation-State Cyberthreat?

Today Unit 42 published new research identifying a persistent cyber espionage campaign targeting government and military organizations in Southeast Asia. The adversary group responsible for the campaign, which we named “Lotus Blossom,” is well organized and likely state-sponsored, with support from a country that has interests in Southeast Asia. The campaign has been in operation for some time; we have identified over 50 different attacks taking place over the past three years.

Background and Findings

Unit 42 has linked more than 50 individual attacks across Hong Kong, Taiwan, Vietnam, the Philippines, and Indonesia to the Lotus Blossom group. These attacks share a number of characteristics, including:

  • They are against military and government targets
  • Spearphishing is used as the initial attack vector
  • They use a custom Trojan backdoor named “Elise” to gain a foothold
  • A decoy file appears during initial compromise with Elise, tricking users into thinking they opened a benign file

Attacks by the Lotus Blossom group rely heavily on the use of spearphishing emails that use enticing subject lines and legitimate-looking decoy documents to trick users into opening a malware executable they think is a legitimate document. This document is usually a personnel roster for a specific military or government office.

We believe that the Lotus Blossom group developed the Elise malware specifically to meet the needs of the attack campaigns, and we’ve observed three variants across 50 samples during the three-year period of these attacks. Elise is a relatively sophisticated tool, including variants with the ability to evade detection in virtual environments, connect to command-and-control servers for additional instruction, and exfiltrate data.

Operation Lotus Blossom is a prime example of how a well-resourced adversary will deploy advanced tools, over an extended time period, sometimes years, in order to reach its goals. In this case, the pattern of behavior suggests that the actors behind this group were nation-state sponsored, from a country with an interest in the government and military affairs of Southeast Asian nations.

Unit 42 discovered this attack using the Palo Alto Networks AutoFocus service, which allows analysts to quickly find correlations among malware samples analyzed by WildFire. Palo Alto Networks customers are protected from the malware used in Operation Lotus Blossom via WildFire and our Security Platform’s Threat Prevention capabilities (IPS signature 14358).

We recommend that other security practitioners review the Indicators of Compromise (IoCs) in the full report to ensure they have not been targets in this campaign, and add the appropriate security controls to prevent future attacks.

The full report on Lotus Blossom from Unit 42, which includes all IoCs, can be downloaded here.

Visit Unit 42 for new research and a full list of speaking appearances, as well as to subscribe to updates.

[Palo Alto Networks Blog]

The Four Key Elements of Security for the Software-defined Data Center

A big change is happening in the world of data centers. The software-defined data center (SDDC) is coming, and the biggest data center operators are leading the way – cloud providers, telecoms and social media companies. The change is all about service agility and driving down cost. In short, it is about maximizing data center ROI.

Security is an essential enabler of this change. It has to be embedded in the fabric of the SDDC. What are the key factors for achieving this, and how is Palo Alto Networks able to deliver on those requirements better than any other partner?

1. Zero Trust Security

The amount of machine-to-machine, east-west traffic far eclipses the volume of traffic flowing into and out of the data center. Once malware gains a foothold in an infrastructure, it will move laterally in order to compromise more hosts, gain access to data, and steal or damage assets. With customers and business processes sharing the same physical infrastructure, there is a need for strict security isolation of inter-VM traffic, based on those business processes, rather than on ports, protocols and IP addresses. The Palo Alto Networks® VM-Series security platform provides these fine-grained traffic controls needed to achieve strong risk mitigation in shared environments. By enforcing a Zero Trust model of communication within each business process, the integrity of each process is well secured.


Figure 1. Zero Trust security with Palo Alto Networks VM-Series for KVM/OpenStack®

2. Positive Security Controls

A positive security control model allows only what is explicitly identified as good (“whitelisting”). A negative control model (“blacklisting”) only blocks what is known to be bad. By definition, a negative security model cannot stop unknown threats. Traditional, port-based firewalls implement positive controls, but these controls do not extend to the application layer. To address this gap, legacy firewall vendors have added intrusion prevention system (IPS) functionality to port-based firewalling. However, IPS is still a blacklist approach — anything not known to be bad is assumed to be good. This is how hackers exploit traditional defenses. Our solution implements a positive control model through Layer 7, giving security architects the power to create policies that limit application and data traffic flows to the specific requirements of a business process. No other security solution does this.

Figure 2. Application/User/Content-based policy engine enables positive security control model

3. Security Orchestration

A positive, Zero Trust-based security architecture is of no value if it cannot be implemented and maintained in the software-defined environment. Traditional firewalls are designed to work in relatively static environments, where security policies are tightly coupled with network layer parameters (e.g., IP addresses, ports, protocols). This approach is not adapted to environments where the network topology dynamically adjusts in response to changing demand for services.

The Palo Alto Networks solution architecture is fundamentally different. Policy definition is based on business process-based parameters: the application, the user and the content. Security policy is associated with the logically defined resources (e.g., SQL servers supporting credit card transactions) that implement the business process — regardless of where those resources reside at the network layer. This architectural difference enables security controls to be instantiated dynamically and in concert with the compute, storage and network resources that are instantiated in response to changing demand. Equally important, when resources are removed, the security instances and policies associated with those resources are also removed. Figure 2 illustrates this capability (Dynamic Address Groups).

Figure 3. Security Orchestration with Dynamic Address Groups
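The two ideas in sections 2 and 3 can be seen together in a small model: a positive, application-aware rulebase whose unmatched traffic is denied, and address groups whose members are resolved from VM tags at match time rather than from fixed IP addresses. This is an added illustration written for this digest, not Palo Alto Networks code; the group names, tags, IP addresses and application names are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed model (not PAN-OS code): tag-resolved address groups plus a
# default-deny, application-based rulebase.

@dataclass
class Rule:
    name: str
    src_group: str        # dynamic address group name
    dst_group: str
    apps: frozenset       # application names this rule explicitly allows
    action: str = "allow"

@dataclass
class PolicyEngine:
    groups: dict = field(default_factory=dict)  # group name -> required tag
    tags: dict = field(default_factory=dict)    # ip -> set of tags
    rules: list = field(default_factory=list)

    def define_group(self, name, tag):
        self.groups[name] = tag

    def register(self, ip, *vm_tags):
        # An orchestrator reports a new VM and its tags; no rule edits needed.
        self.tags.setdefault(ip, set()).update(vm_tags)

    def unregister(self, ip):
        # VM torn down: it silently drops out of every group it was in.
        self.tags.pop(ip, None)

    def members(self, group):
        tag = self.groups[group]
        return {ip for ip, t in self.tags.items() if tag in t}

    def evaluate(self, src_ip, dst_ip, app):
        for r in self.rules:
            if (src_ip in self.members(r.src_group)
                    and dst_ip in self.members(r.dst_group)
                    and app in r.apps):
                return r.action, r.name
        return "deny", "default-deny"  # positive model: unknown is denied

def demo():
    pe = PolicyEngine()
    pe.define_group("web-tier", "web")
    pe.define_group("pci-db-tier", "pci-sql")
    pe.rules.append(Rule("web-to-db", "web-tier", "pci-db-tier", frozenset({"mssql-db"})))
    pe.register("10.0.1.5", "web")
    pe.register("10.0.2.9", "pci-sql")          # new DB VM spun up by orchestration
    allowed = pe.evaluate("10.0.1.5", "10.0.2.9", "mssql-db")
    unknown = pe.evaluate("10.0.1.5", "10.0.2.9", "unknown-tcp")  # east-west, not whitelisted
    pe.unregister("10.0.2.9")                     # VM removed: the allow no longer applies
    gone = pe.evaluate("10.0.1.5", "10.0.2.9", "mssql-db")
    return allowed, unknown, gone
```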

4. People and Partnerships

As security and networking become software-defined, service providers are facing a growing skills shortage. Their staff need to acquire new skills in scripting languages, writing to APIs and combining software packages into full solutions. In short, networking and security engineering is also becoming software-defined. The skills issue is possibly the biggest barrier to meeting the aggressive targets large DC operators have set for themselves.

At Palo Alto Networks, we have invested heavily in developing our people and the industry partnerships needed to help service providers take SDDC from the drawing board to implementation. Our platforms are tested to work with the virtualized platforms and orchestration stacks favored by service providers and enterprises. Our engineers and consultants have real-world experience working with service providers to implement orchestrated, software-defined security solutions. This strong set of skills, experience and proven solutions is a critical success factor for bringing SDDC projects to life on time and on budget.

Conclusion

Security is not just a perimeter issue for the SDDC. There is an essential need to monitor and control east-west traffic, even within a single, physical server. Positive security controls must provide full visibility, reduce the attack surface to a minimum, and stop unknown threats. The security architecture must be business process-oriented; otherwise, the rules for enforcing policy cannot be orchestrated in tandem with the system as a whole. Finally, it only makes sense to work with a vendor that not only offers a sound technology foundation, but also has proven solutions, a partner ecosystem, and the people to help you be successful.

To learn more about Security Orchestration for the Software-defined Data Center, check out the resources available on our website.

[Palo Alto Networks Blog]
