Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in the IT/cybersecurity industry across various sectors and positions.
The recent attack on Sony Pictures illustrates just how impactful a breach can be, and it will not be the last of its kind. While there are minimal concrete root causes known about the Sony attack, we can infer from the extent of the breach that practices and controls surrounding information access, desktop security, and network intrusion monitoring and prevention will be in the crosshairs.
While defense and banking have held a ‘do or die’ approach to security for decades, many other organizations have passively entered an era where the means to destroy billions in shareholder value sits on central servers, accessible immediately by multiple staff with email and Internet access. This productive combination requires a more rigorous set of thinking to protect than ever before. In 2015, we hope to see a renewed focus on risk-centric data valuation, and the corresponding projects to improve controls in response. Numerous conversations will be held where executives are looking for the most effective tools to buy, and many security experts will be called on to elevate security architecture, risk management, and technical controls.
2015 will be the year when the Russell 3000 stop rationalizing privately that they are ‘not a security company’ any longer. Instead, they will embrace the reality that they cannot live without the Internet, and therefore must implement the controls to thrive within it.
-Noah Gray, CSSLP, Senior Manager of Enterprise Architecture, (ISC)²
As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.)
1. Customers will stop paying for failed technologies
It has become abundantly clear that traditional approaches to endpoint security are no longer effective. In this era of advanced threats, the endpoint is the critical line of defense that has not been adequately protected. Signature-based anti-malware, behavior detection, or even whitelisting are not sufficient on their own to protect against the most advanced malware and exploits.
Security professionals have taken note and have started to seek new endpoint protection technologies. The failure of traditional anti-malware also leaves security professionals wondering if they should continue to pay for expensive endpoint security suites that are no longer effective. According to Forrester’s Chris Sherman, “[security professionals] are now more than ever looking to augment or replace their failing antimalware tools with more effective solutions.” In a recent report, he also mentions that a “firm recently told Forrester that it’s looking to replace its third-party anti-malware tools with native OS-supplied anti-malware.”
I can tell you both from my own recent experience as a CISO and from speaking with customers that this is a very real trend. Evidence has already shown that customers’ willingness to pay for these failing technologies has eroded. According to Gartner, license revenue per seat was seen to be declining at the end of 2012.
We recently surveyed our customers and received 555 responses to this question: “Would you consider switching to ‘free’ enterprise Antivirus in order to fund more advanced endpoint protection for your company?” Forty-four percent responded either “Absolutely,” “Likely,” or “Already in progress.” What does this mean? It means that in 2015 we will see many organizations opt for free anti-malware products like Microsoft’s System Center Endpoint Protection (SCEP), which some customers will find they already own due to enterprise license bundling.
The significance of that 44 percent should not be underestimated. Many organizations are on a three-year renewal cycle for anti-malware. So does that mean vendors of traditional endpoint anti-malware products should expect to lose roughly a third of that 44 percent, about 14.67 percent of their renewals, each year for the next three years? This depends on whether customers will be able to translate intentions into action by finding appropriate replacements for failing endpoint products. Time will tell, but this will be a trend to watch in 2015.
2. Increased focus on the endpoint
In light of the many security breaches in the news these days, security professionals are re-examining strategies around advanced threats. In particular, two things have become clear: 1) strategies focused on network-based detection and response will continue to fail, and 2) advanced threat prevention is required on the endpoint.
Detection and response are necessary components of any security strategy but should not become primary objectives. The focus here is on finding breaches as quickly as possible and mitigating the damage. This has played out in companies detecting breaches months or years after they first occurred, leaving the company to deal with a massive and prolonged data breach that becomes a public nightmare for customers, executives, and investors. No software product can remediate that damage.
Network-based controls, especially those that focus on prevention of advanced threats, are necessary but not sufficient. The last line of defense remains the endpoint itself, and it is clear that network controls alone cannot block the most advanced threats. Furthermore, many organizations are faced with increasingly vulnerable endpoints because they still run Windows XP, which has not received security patches since Microsoft ended support in April 2014. The same will be true of Windows Server 2003 when its support ends in July 2015. Now that many organizations have already adopted advanced threat prevention on the network, the endpoint will come into focus in 2015.
3. Consolidation of dynamic threat analysis onto Next-Generation Firewalls will make room in the security budget for Advanced Endpoint Protection
Many customers that I speak with are keen to reduce the number of disparate security vendors that comprise their security architecture. Organizations began this by eliminating separate IPS and URL filtering devices in favor of a Next-Generation Firewall. Then the need for network based dynamic analysis of files arose in order to detect advanced threats. Many customers added yet another set of devices onto the network.
Innovation has once again brought about a new opportunity for consolidation. Cloud-based dynamic analysis on a Next-Generation Firewall not only reduces cost and administrative overhead, but also maximizes the ability to prevent, rather than just detect, advanced threats. The next step is to integrate this with advanced protection on the endpoint via shared threat intelligence; the result is a platform that is far stronger than the sum of its parts. In 2015, I expect to see more customers eliminating point solutions for dynamic analysis that do on-device sandboxing in favor of integrated security platforms that leverage dynamic analysis in the cloud, enabling shared threat intelligence.
Endpoint security is among many industry-specific topics planned for Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.
Today we released our first Threat Landscape Review, which takes a high-level view of how malware is delivered to networks across major industries around the world. The data used for this report was derived from Palo Alto Networks WildFire™, which automatically identifies threats from malware over a wide array of applications by executing them in a virtual environment, observing their behavior. This data was collected from live systems in networks belonging to 2,363 different companies operating in 82 different countries.
While there are currently over 4,000 organizations using WildFire to defend their networks, the data for this report was specifically collected from organizations in 10 key verticals:
Critical Infrastructure
Finance
Government
Healthcare
High Tech
Higher Education
Hospitality
Manufacturing
Professional Services
Retail and Wholesale
The following are key findings from this report:
Globally, our platform detected malware delivered in over 50 distinct applications. 87% of this malware was delivered over SMTP, 11.8% through Web-Browsing (HTTP) and 1.2% in the remaining applications.
While all verticals saw SMTP and HTTP as the primary channels for malware delivery, they varied greatly in the percentage for each. Retail and Wholesale organizations received almost 28% of malware over the web channel while Hospitality organizations received less than 2% through the same channel.
Over 90% of unique malware samples were delivered in just one or two sessions, while a much smaller proportion was delivered in over 10,000 attacks.
While the US is still the leading callback location across all verticals, analysis revealed a variance in callback prevalence by country based on each vertical.
One malware family, known as Kuluoz or Asprox, was responsible for approximately 80% of all attack sessions recorded in the month of October. This malware sends copies of itself over e-mail quickly and to users all around the world and then attempts to download additional malware, impacting 1,933 different organizations.
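The findings above turn on a distinction practitioners often blur: a count of attack sessions and a count of unique malware samples tell very different stories about the same month of data, which is how one family can own roughly 80% of sessions while being a sliver of the samples seen. The following is an added example, not Palo Alto Networks code and not WildFire output, that computes those three views (delivery share by application, the one-or-two-session long tail of unique samples, and the dominant family with the organizations it touched) over a small constructed set of session records. The `Session` fields, sample labels, family names and organization labels are all assumptions made up for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One malicious-verdict session, as a sandbox would record it (field names assumed)."""
    app: str      # application the file was delivered over, e.g. "smtp", "web-browsing"
    sample: str   # identifier of the file judged malicious (constructed labels, not real hashes)
    family: str   # malware family attributed to the sample
    org: str      # anonymised victim organisation


def build_sample_sessions():
    """Constructed data for this example only; it is not data from the report."""
    sessions = []
    # 20 one-off samples, each seen in exactly one SMTP session at one organisation.
    for i in range(20):
        sessions.append(Session("smtp", f"one-off-{i:02d}", f"family-{i:02d}", f"org-{i:02d}"))
    # 5 samples seen twice each over web-browsing (a small drive-by campaign).
    for i in range(5):
        for j in range(2):
            sessions.append(Session("web-browsing", f"pair-{i}", "drive-by", f"org-{20 + i + j}"))
    # One family with only 3 distinct samples blasting 100 SMTP sessions across 50 organisations,
    # the shape of a Kuluoz/Asprox-style self-mailing spam run.
    for k in range(100):
        sessions.append(Session("smtp", f"spamrun-{k % 3}", "spamrun", f"org-{k % 50:02d}"))
    return sessions


def share_by_app(sessions):
    """Percentage of attack sessions per delivery application (the 87% SMTP style view)."""
    counts = Counter(s.app for s in sessions)
    total = len(sessions)
    return {app: round(100 * n / total, 1) for app, n in counts.items()}


def sessions_per_sample(sessions):
    """How many sessions each unique sample was seen in."""
    return Counter(s.sample for s in sessions)


def sample_tail(sessions, low=2, high=10):
    """Long-tail view: share of unique samples seen in at most `low` sessions,
    and how many samples were seen in at least `high` sessions."""
    per_sample = sessions_per_sample(sessions)
    n = len(per_sample)
    few = sum(1 for c in per_sample.values() if c <= low)
    many = sum(1 for c in per_sample.values() if c >= high)
    return {
        "unique_samples": n,
        "pct_seen_le_low": round(100 * few / n, 1),
        "samples_seen_ge_high": many,
    }


def family_profile(sessions):
    """Per family: share of sessions, share of unique samples, organisations impacted."""
    by_family = defaultdict(lambda: {"sessions": 0, "samples": set(), "orgs": set()})
    for s in sessions:
        entry = by_family[s.family]
        entry["sessions"] += 1
        entry["samples"].add(s.sample)
        entry["orgs"].add(s.org)
    total_sessions = len(sessions)
    total_samples = len({s.sample for s in sessions})
    return {
        name: {
            "pct_sessions": round(100 * f["sessions"] / total_sessions, 1),
            "pct_samples": round(100 * len(f["samples"]) / total_samples, 1),
            "orgs_impacted": len(f["orgs"]),
        }
        for name, f in by_family.items()
    }


def dominant_family(sessions):
    """The family owning the largest share of sessions, with its profile."""
    profile = family_profile(sessions)
    name = max(profile, key=lambda k: profile[k]["pct_sessions"])
    return name, profile[name]


if __name__ == "__main__":
    data = build_sample_sessions()
    print("delivery share by app:", share_by_app(data))
    print("unique-sample tail:", sample_tail(data))
    print("dominant family:", dominant_family(data))
```

On the constructed data the spam run accounts for about three quarters of all sessions but only three of 28 unique samples, while nearly nine in ten samples were seen once or twice. That is the practical lesson of the report's numbers: a session-weighted view tells you what is flooding inboxes today, a sample-weighted view tells you how much genuinely distinct tooling is in play, and blocking or prioritising on only one of them misreads the other.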
The New York Times recently published an article, “Hacked vs. Hackers: Game On,” discussing the current state of network security, and in it made a couple of interesting points about the prevalence of breaches, the need for federal regulation, and how current network defense technology is failing.
While I agree that better defenses are needed because traditional detect-and-prevent solutions aren’t doing enough, I don’t agree that a better solution isn’t out there. But as long as there is money to be earned, attackers will not stop conjuring new methods of attack, making security a constant battle. The winners in this sphere will be the ones who are innovating security measures at an equally rapid rate.
If there is no silver bullet, traditional firewall and antivirus technology are like rubber bullets. To be fair, many companies realized this years ago and have already switched to next-generation enterprise security technology, deployed sandboxes, and have turned up the dial a couple of notches on their IT security and remediation teams. Customers of web applications, particularly those with enterprise contracts, are demanding safer products, 3rd party penetration testing, and brisk vulnerability remediation time.
However, while much progress has been made in the past few years, there is still a gaping hole where network security is concerned because even most next-generation security technology isn’t doing enough to keep up with determined attackers. Detection-focused technologies are great at detection, but costly and slow when it comes to prevention. Stand-alone, point solutions are great at preventing attacks whose delivery methods are primitive or well known, but are no match for advanced threats. Stateful, next-generation solutions are great at identifying traffic with certain protocols on certain ports, but are blind when it comes to the evasive maneuvers of clever attacks.
To echo the New York Times, “patch and pray” is not a good security strategy — for some it isn’t a strategy, period. Upgrading to the latest, patched version of an application is a luxury not available to enterprises that can’t afford even a few seconds of system downtime. Even when upgrades are done diligently, organizations are still at the mercy of their vendors. If the vendor doesn’t deem a vulnerability a priority, it’s not getting fixed. Likewise with deployed security devices, too many alerts or false positives thwart any kind of timely preventive or remediable reaction.
Securing a network, really securing it rather than checking off boxes on someone else’s to-do list, requires a deep understanding of how attacks are delivered, and security components deployed at each step within that delivery chain. Those components must be closely integrated with each other so the data they supply gives a complete picture of who, what, when, where, why, and how an attack was launched. Only then can security professionals begin to think about and plan their network defenses more strategically.
Palo Alto Networks is and has been thinking this way for years, and it’s in this aspect that our story diverges from the rest of the “next-generation security” pack. We built a platform that extends its protections against advanced threats to data centers, public and private clouds, and endpoints — both in-office and mobile. Customers have our exhaustive threat intelligence to rely on, and are backstopped by one of the industry’s best support organizations. We live and breathe “prevention” because we know how important network, data, and cybersecurity is, even if the rest of the world is stuck on “detect and remediate.”
There is definitely some truth to the premise that a catastrophic event with severe physical destruction or loss of life must occur in order to get the proper amount of attention cybersecurity needs. There aren’t any recorded deaths as a result of a cyber attack — and, gawd, I hope it never comes to that — but the potential for death and destruction is staring us in the face. But the other piece necessary for garnering deserved attention is making sure the public really understands what a cyber attack is — the how, what, who, and why important in grasping any complex concept.
The public is somewhat shielded from the gritty reality of cyber crime, primarily because it requires some technical knowledge, but also because what business in their right mind would want to admit details of their failings after a particularly dangerous breach in a way that the masses would understand? Breaches mean headlines, and as we’ve seen this past year, headlines for breaches mean C-level executives lose their jobs and business their reputations.
When the federal government finally does step in and start regulating data security and breach handling — which is where I’m certain we’re headed — the sense of urgency associated with security will naturally increase, and liability will be very clear-cut.
Until then, it’s up to us, the security vendors, to admit that traditional technologies aren’t doing enough and that there are gaps. But it’s one thing to be realistic about the state of security, or lack thereof, and another to admit defeat and say it can’t be done.
I’ve seen the havoc a breach can wreak not just on the business but on the lives and livelihoods of the everyday people who are at the ultimate receiving end of any attack. This is why I think working in security is important. At the end of the day, it’s about preventing attackers from targeting my family, my friends, my country, and the technology and ideas that will ultimately make the world better.
I know this problem can be solved, and I know that Palo Alto Networks is solving it. Head here to read about our Enterprise Security Platform, which fills the gaps, intelligently fortifies network defenses, and takes a preventative approach to protecting businesses and governments from advanced threats.
Reading the collective tea leaves for adversaries 12 months from now is almost always a losing proposition. You are essentially trying to predict the tools, tactics and techniques that are going to be employed by incredibly skilled and intelligent attackers. Yes, we know more data breaches will occur, more records will be stolen, new technologies will be exploited, and more malware will be created than has ever been seen before. These are all givens in today’s threat landscape: the bad guys are out there, getting more efficient at their jobs, and constantly evolving.
The question becomes, what can we do about this in 2015? Here’s how I see it:
1. The year big data security analytics goes mainstream.
For advanced threats, the problem has always been attempting to find the small indicators that could reveal an attack. Many have tried to bring together enough intelligence, horsepower and analysis to find these “needles in a haystack,” but it hasn’t been enough. While there have been hints of success, applying big data analytics techniques to security will come into its own in 2015. We have hit the inflection point where computing power, availability of data, analytic models and, most importantly, the willingness and drive to see them through are all here. We will see massive advances this coming year in our ability to collect, analyze, search, correlate, visualize and turn data into actionable security intelligence.
2. Tailored threat intelligence.
Increasingly, sophisticated organizations are realizing that certain types of attacks, or certain groups of attackers, come after them specifically. For example, the steps an adversary takes to compromise a retail company’s point-of-sale (POS) systems differ from those used against an entertainment organization’s databases or the customer records at a major hospital. The motivations are different, the exploits and malware unique, and the methods change in each case. 2015 will be a banner year for profiling how attacks differ by industry, which vectors are higher risk for individual organizations, and tailoring custom protections in each case.
3. Sharing security intelligence.
Many major enterprises have learned the critical importance of sharing intelligence about the current state of the threat landscape – such as those in organizations like the FS-ISAC. Everyone benefits from information shared by one member, and collective immunity can be developed, stopping advanced attacks before they can compromise multiple organizations. This coming year will represent widespread adoption and acceptance of information sharing. The days of “holding it close” are over – the volume and sophistication of attacks requires a joint response.
A common theme runs through my thoughts on 2015: making better use of the data we have. Whether it is better algorithms to predict the next attack, understanding your risk posture, or sharing what you know with others – intelligence is key. Turning the massive churn of data enterprise organizations see each day into actionable intelligence, automatically, will be a major theme for 2015.