Web Security Tips: How PAN-DB Plays an Important Role in the Cyber “Kill Chain”

Organizations are facing persistent, elusive and sophisticated cyber-attacks more than ever. Sometimes these attacks might seem unavoidable, leading you to believe that your network and data cannot be protected. But consider what cybercriminals must do to infiltrate your network: the cyber kill chain they have to complete includes steps such as “breach perimeter,” “deliver malware,” “endpoint operation” and “exfiltrate data.”

The good news is that by blocking just one step in this chain, you break the attack and protect your network and data.

The model above shows how we think about the cyber kill chain at Palo Alto Networks. PAN-DB plays a critical role in three of the four stages, highlighted in red. As we discussed in the recent blog post, “Web security tips: How PAN-DB works,” PAN-DB has a rich database of malicious URLs that can be used to block malware downloads and to disable Command and Control (C&C) communications. This database helps you block attacks at several stages of the cyber kill chain.

Here are a few examples:

Breach perimeter

Advanced attacks commonly start by trying to breach the perimeter. PAN-DB helps defend the perimeter by blocking risky website categories such as hacking, phishing, malware, drive-by-download and exploit sites.

Deliver malware

Once the perimeter is breached, attackers try to get you to download malware onto your network. PAN-DB helps you block downloads from malware sites. In addition, by blocking file downloads from the unknown URL category (as we discussed in another recent blog, “Web security tips: Using URL categories in your security policy”), you can significantly reduce the risk of downloading malware.

Exfiltrate data

Malware can also enter your network by evading your gateway security, for example on an employee’s own laptop or a USB drive. Once inside, it communicates with the attackers and exfiltrates data. PAN-DB helps you disable such C&C communications by using the C&C URL and IP database provided through WildFire.
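As an added example (not Palo Alto Networks code, and not how PAN-DB is implemented), the toy policy below shows how one category lookup serves all three stages above: a browse to a risky category is refused at the perimeter, a file download is refused when the site's category is malware or unknown, and anything matching a C&C indicator is refused regardless of URL. The category database, C&C indicators, host names and IPs are constructed for this example, and the extension-based download check stands in for the content inspection a real firewall performs.

```python
"""Added illustration, not Palo Alto Networks code: a toy URL-category
policy showing how a single category database can block at three of the
kill-chain stages named in the post.  The category DB, the C&C indicators
and the URLs below are constructed for this example; they are not PAN-DB
or WildFire data."""
from urllib.parse import urlsplit

# Constructed category database: host -> category.
CATEGORY_DB = {
    "phish.example.net": "phishing",
    "exploit-kit.example.org": "exploit",
    "downloads.example.com": "malware",
    "updates.vendor.example": "computer-and-internet-info",
    "intranet.corp.example": "business",
}
# Constructed C&C indicators, standing in for a WildFire-fed C&C list.
C2_HOSTS = {"beacon.example.biz"}
C2_IPS = {"203.0.113.45"}

# Categories the "breach perimeter" rule refuses to let users browse at all.
RISKY_CATEGORIES = {"hacking", "phishing", "malware", "drive-by-download", "exploit"}
# Stand-in for file-type detection; a real firewall inspects the content,
# not the URL extension (assumption made to keep the example offline).
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".dll", ".scr", ".jar", ".zip")


def split_url(url):
    """Return (hostname, path), tolerating URLs given without a scheme."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path.lower()


def categorize(host):
    """Longest-suffix match so login.phish.example.net inherits its parent's category."""
    if host in C2_HOSTS or host in C2_IPS:
        return "command-and-control"
    labels = host.split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "unknown"


def decide(url, dst_ip=None):
    """Return (kill-chain stage, action, reason) for one web request.

    dst_ip lets a C&C match fire even when malware beacons to a raw IP or
    to a hostname the URL database has never seen.
    """
    host, path = split_url(url)
    category = categorize(host)
    if dst_ip in C2_IPS:
        category = "command-and-control"
    is_download = path.endswith(DOWNLOAD_EXTENSIONS)

    if category == "command-and-control":
        return ("exfiltrate data", "block", "C&C indicator")
    if is_download and category in ("malware", "unknown"):
        return ("deliver malware", "block", f"file download from {category} category")
    if category in RISKY_CATEGORIES:
        return ("breach perimeter", "block", f"{category} site")
    return ("none", "allow", f"{category} site")


if __name__ == "__main__":
    for url, ip in [
        ("http://login.phish.example.net/", None),
        ("http://cdn.example.zz/setup.exe", None),
        ("http://downloads.example.com/tool.exe", None),
        ("https://updates.vendor.example/patch.msi", None),
        ("http://beacon.example.biz/gate.php", None),
        ("http://cdn.example.zz/", "203.0.113.45"),
    ]:
        print(url, "->", decide(url, ip))
```

The ordering of the checks matters: the C&C test runs first because a beacon to a known bad IP must be stopped even if the hostname looks harmless, and the download rule runs before the browse rule so that a file pulled from a malware site is attributed to the "deliver malware" stage rather than the perimeter.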

URL filtering should do more than prevent unwanted web browsing

Traditional URL filtering was created to block non-business web access for productivity and compliance purposes. Those purposes still hold true, but a URL filtering solution is incomplete unless it can also filter harmful websites to protect your network and data from cyber-attacks.

PAN-DB will add more protection to your Palo Alto Networks Enterprise Security Platform. We hope you utilize the power of PAN-DB to protect your network from advanced attacks.

To learn more about web security, please visit our resource page, “Control Web Activity with URL Filtering.”

[Palo Alto Networks Blog]

Bringing a Semblance of Order to Policy Chaos

Ask firewall administrators about their day-to-day challenges and sooner or later they will come around to one that I am calling policy chaos. The term chaos aptly describes both the daily fire drills associated with physical firewall appliances and the rapid rate of change typical of moving into a cloud or virtualized environment. Maybe the marketing team needs a new application and the deadline is tomorrow, or an employee needs access to a restricted database for research. The necessary management approvals on the business side might go quickly, but in most companies the firewall policy change requires more steps: review, approve, request change control, implement, push live.

As companies move toward virtualization and cloud computing, this chaos will only increase. The beauty of virtualization is that it lets organizations efficiently use a pool of compute resources to create virtual machines and associated applications that are spun up and taken down in minutes to meet changes in demand. But that rate of change in a virtualized or cloud computing environment is far faster than the traditional process for deploying security policies allows. Enter more policy chaos.

One of the many ways to address a chaotic environment is through automation, a technique that has proven effective across a wide range of industries in bringing order to policy chaos. At Palo Alto Networks, we can bring some semblance of order to your policy chaos using Dynamic Address Groups, VM-Monitoring and the XML API – all standard features in PAN-OS.

Here’s how these features work. Your computing resource pool may include a combination of physical and virtual servers. These servers all have an IP address, but they also have other attributes or characteristics such as the OS, the application and perhaps the location. Policy automation begins with VM-Monitoring collecting the compute resource attributes from resource management tools such as vCenter, ESXi and AWS-VPC, or receiving them through the XML API. PAN-OS then converts those attributes into tags, which you can use to define a Dynamic Address Group.

Based on the tags you use in the group definition, the associated compute resource IP addresses are collected and used as part of the security policy. As new VMs or physical servers that fulfill your group definition are added or their attributes change, the policy automatically updates. The result is your security policy can now keep pace with the rate of change occurring in your virtualization environment.

Another piece that excites firewall administrators is automated policy removal. As servers or VMs are taken out of service, the address group is updated automatically, as is the policy. The end result is your policy chaos is reduced and you may say, “We don’t know what that rule is, but we left it because it might have broken something,” far less frequently.
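To make the tag-to-group mechanism concrete, here is an added simulation (not PAN-OS code) of how a Dynamic Address Group resolves: each host carries the tags VM-Monitoring would derive from its attributes, each group is a match expression over those tags written in the same spirit as a PAN-OS match criteria string, and the member list is recomputed on every inventory change, including removal. The inventory, tags, group names and the exact expression syntax are assumptions made for this example; in a real deployment the add and remove steps are the register and unregister updates that arrive through VM-Monitoring or the XML API.

```python
"""Added illustration, not PAN-OS code: a simulation of Dynamic Address Group
resolution.  Each host carries tags (as VM-Monitoring would derive them from
vCenter or AWS attributes), each group is a boolean match expression over
tags, and membership is recomputed whenever the inventory changes.  All IPs,
tags and group names are constructed for this example."""
import re

# Constructed inventory: ip -> tags derived from VM attributes.
INVENTORY = {
    "10.1.1.10": {"os.linux", "app.web", "site.east"},
    "10.1.1.11": {"os.linux", "app.web", "site.west"},
    "10.1.2.20": {"os.windows", "app.db", "site.east"},
    "10.1.2.21": {"os.linux", "app.db", "site.east"},
}
# Match criteria: quoted tag names joined with and/or/not and parentheses.
GROUPS = {
    "web-servers": "'app.web'",
    "east-db": "'app.db' and 'site.east'",
    "east-not-windows": "'site.east' and not 'os.windows'",
}
# A quoted tag, a parenthesis, a keyword, or (last) any stray character.
_TOKEN = re.compile(r"'([^']*)'|([()])|\b(and|or|not)\b|(\S)")


def tokenize(expr):
    """Split a match expression into (kind, value) tokens; reject anything else."""
    tokens = []
    for tag, paren, word, bad in _TOKEN.findall(expr):
        if bad:
            raise ValueError(f"unexpected {bad!r} in match expression")
        tokens.append((paren or word, None) if (paren or word) else ("TAG", tag))
    return tokens


class _Evaluator:
    """Recursive descent with precedence or < and < not, against one tag set."""
    def __init__(self, tokens, tags):
        self.toks, self.i, self.tags = tokens, 0, tags

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of match expression")
        self.i += 1
        return self.toks[self.i - 1]

    def expr(self):
        value = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        if self.peek() == "not":
            self.take()
            return not self.factor()
        kind, value = self.take()
        if kind == "TAG":
            return value in self.tags
        if kind == "(":
            inner = self.expr()
            if self.take()[0] != ")":
                raise ValueError("missing ')' in match expression")
            return inner
        raise ValueError(f"unexpected token {kind!r}")


def matches(expr, tags):
    """True if a host with these tags belongs to the group defined by expr."""
    ev = _Evaluator(tokenize(expr), tags)
    result = ev.expr()
    if ev.peek() is not None:
        raise ValueError("trailing tokens in match expression")
    return result


def resolve(groups, inventory):
    """Group name -> sorted member IPs: the address set each rule actually uses."""
    return {name: sorted(ip for ip, tags in inventory.items() if matches(expr, tags))
            for name, expr in groups.items()}


def lifecycle():
    """A web VM is spun up and another retired; every group follows on its own."""
    inv = {ip: set(tags) for ip, tags in INVENTORY.items()}
    before = resolve(GROUPS, inv)
    inv["10.1.1.12"] = {"os.linux", "app.web", "site.east"}  # registered by VM-Monitoring
    del inv["10.1.1.11"]                                     # unregistered when retired
    return before, resolve(GROUPS, inv)
```

Nothing in the rule base had to change between the two snapshots returned by `lifecycle()`: the rule references the group name, and the group's IP set moved with the inventory, which is exactly the property that retires the "we left it because it might break something" stale-rule problem.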

Check out a short video below to see these features in action.

[Palo Alto Networks Blog]

Defeating APTs in Government Networks

Many advanced persistent threat (APT) solutions only detect these APTs – and don’t prevent them. These same solutions only support two applications rather than the host of applications attackers now use. This approach simply won’t solve the larger problem.

We invite you to read a new whitepaper, co-authored with MeriTalk, Defeating APTs in Government Networks, to learn about the growing problem of APTs on government networks and how your security platform must adapt for this new era.

Download the report here.

For more

[Palo Alto Networks Blog]

The Providential Apple Pay

Apple introduced its new Apple Pay, which allows Apple users with enabled devices, such as the iWatch, to use their devices to check out at participating vendors. The announcement was well received by the industry and industry analysts.

Despite the increased attention to security issues in the payment card industry, people seem to agree that Apple’s approach of keeping your personal information secret and using a random or one-time generated token seems providential.

It is too early to tell what impacts Apple Pay will have, but it will surely start the journey away from PCI DSS (Payment Card Industry Data Security Standard). The main players—Visa, MasterCard and American Express—have shown great support to ensure the service works and large retailers are also supporting this change. Mobile operators are also showing support and are devising new SIM cards for 2015.

So the question is—how secure are the devices involved with processing Apple Pay, including the wearable? Should we worry or not?

The iWatch and your iPhone will be available to use with Apple Pay using NFC (near field communication) technology, which already has its own security concerns. Apple has addressed some of those concerns by integrating its Touch ID fingerprint scanner and its Passbook ticket-buying app into Apple Pay. This approach keeps personal information on the device instead of moving account data into storage servers within easy reach of thieves.
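As an added illustration of the token idea (a generic sketch, not Apple Pay’s or any card network’s actual design), the code below keeps the real card number only in an issuer-side token vault, gives the device a token and a device key, and has every payment carry a one-time cryptogram bound to the merchant, the amount and a counter, so a transaction captured at the terminal cannot be replayed or altered. The card number, keys, merchants and amounts are constructed, and the HMAC-based cryptogram stands in for the EMV-style cryptograms real schemes use.

```python
"""Added illustration of payment tokenization in general, not Apple Pay's
or any card network's implementation: the real card number lives only in
an issuer-side token vault, the device holds a device token plus a device
key, and every payment carries a one-time cryptogram that the vault checks
and will not accept twice.  Keys, numbers, merchants and amounts are
constructed."""
import hashlib
import hmac
import secrets


def make_cryptogram(device_key, token, merchant, amount_cents, counter):
    """Bind token, merchant, amount and a monotonic counter into one MAC."""
    msg = f"{token}|{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class TokenVault:
    """Issuer side: maps device tokens to PANs and verifies cryptograms."""

    def __init__(self):
        self._records = {}  # device token -> [pan, device_key, last_counter]

    def provision(self, pan):
        """Issue a device token and key; the PAN itself never leaves the vault."""
        token = "4999" + "".join(str(secrets.randbelow(10)) for _ in range(12))
        device_key = secrets.token_bytes(32)
        self._records[token] = [pan, device_key, 0]
        return token, device_key

    def authorize(self, token, merchant, amount_cents, counter, cryptogram):
        record = self._records.get(token)
        if record is None:
            return False, "unknown token"
        pan, device_key, last_counter = record
        if counter <= last_counter:
            return False, "replayed counter"      # same cryptogram submitted twice
        expected = make_cryptogram(device_key, token, merchant, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"        # amount or merchant altered in transit
        record[2] = counter
        return True, f"approved for card ending {pan[-4:]}"


class Device:
    """Phone or watch: holds the token and key, never the PAN."""

    def __init__(self, token, device_key):
        self.token, self.device_key, self.counter = token, device_key, 0

    def pay(self, merchant, amount_cents):
        """What the NFC terminal receives: token and cryptogram, no PAN."""
        self.counter += 1
        return (self.token, merchant, amount_cents, self.counter,
                make_cryptogram(self.device_key, self.token, merchant,
                                amount_cents, self.counter))


def demo(pan="4111111111111111"):
    """Constructed walk-through: one good payment, then the attacks it resists."""
    vault = TokenVault()
    token, device_key = vault.provision(pan)
    device = Device(token, device_key)
    tx = device.pay("coffee-shop-42", 450)
    return {
        "terminal_sees_pan": pan in tx,
        "first": vault.authorize(*tx)[0],
        "replay": vault.authorize(*tx)[0],
        "amount_tampered": vault.authorize(tx[0], tx[1], 45000, tx[3] + 1, tx[4])[0],
        "merchant_swapped": vault.authorize(tx[0], "other-store", 450, tx[3] + 1, tx[4])[0],
        "second_payment": vault.authorize(*device.pay("grocer-7", 1299))[0],
    }
```

The point a merchant breach illustrates: everything the terminal stores is the token and a cryptogram that was valid for exactly one counter value, so harvesting it yields nothing reusable, which is the property the post calls providential.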

What happens if you lose your iPhone or iWatch? Some argue that you are just as likely to lose your wallet as one of these devices; however, because these devices can reach an enormous amount of personal data, their security and the personal information on them are today of greater concern.

Although Apple has tried to address security concerns there are still some legitimate questions from a normal user perspective. How does someone verify a legitimate Apple Pay terminal or application on their device? What security does the mobile network provide on their end?

As with all new features and technology, I would suspect that elite criminal hackers may already be identifying opportunities to steal identities and mass-harvest payment card information from this new service.

What do you think—will Apple Pay be secure? As auditors and security experts, where do we stand and how are we preparing for this technology?

Kris Seeburn

[ISACA]

How I Became A CISO: Quinn Shamblin, Boston University

The man now leading security for a major university first got the security bug when dealing in government secrets about nuclear power.

If you had a broken toy that needed fixing when you were a kid, Quinn Shamblin was the neighborhood boy to take it to. Even as a child, Shamblin was “the guy who liked to know weird, unusual stuff,” and the go-to guy for taking things apart and putting things together.

“Infosec is the first career I really latched onto that uses all those old things that were drivers for me as a kid,” says Shamblin, now the executive director and information security officer at Boston University (which does not use C- titles like CISO).

He did not, however, set out for a career in infosec. He was a physics major, and after school was recruited to teach Naval forces about nuclear power.

It was then, while dealing with so much classified information, that he became interested in security.

He pursued that new fascination by going to work for Procter & Gamble. At P&G, it wasn’t just the intellectual property confidentiality that was important, it was availability. They required 99.997% uptime, says Shamblin. “Eleven minutes would cost the company $200,000.”

Also at P&G, he met the manager who would be a professional mentor for the rest of his career.

“You need to have people believe in you,” says Shamblin. “Someone has to look at your work and say, yeah, wow, there’s value here.”

For Shamblin, that person was Kevin McLaughlin, a former felony investigator for the Army, who shared some of the same attitudes Shamblin had developed through his tenure in the military.

The two worked well together, so when McLaughlin left the company to go create a new information security department at the University of Cincinnati, he invited Shamblin to join that new team.

It was McLaughlin again who recommended Shamblin for the job at Boston University in 2010, while declining the offer to take that job himself.

Shamblin is continuing the tradition by playing the role of mentor himself. Instead of hiring people who’ve done precisely the same job elsewhere, he hires people with promise and trains them up.

“I want people to get better and better at their job,” he says, “and I want them, at some point, to leave.” Shamblin believes that he’s preparing his employees for great careers wherever they decide to go, and in a broader sense, “improving the industry by investing in these people.”

Although most companies hire CISOs from outside the organization, Shamblin wants his successor to be someone he trained, and deliberately prepared to take over.

Most of the lessons he’s passing on to those future CISOs have little to do with technology, and everything to do with business sense and communication skills.

“As a CISO, it’s more important to understand risk and the business than to understand technology,” he says. “Understand that if I do X I won’t have a business.”

Shamblin says that a CISO needs to sound like a CFO. He or she must appreciate the balance of risk and reward, and must be able to comprehend a financial analysis. He did earn an MBA himself while working at the University of Cincinnati, but there is something else to which he gives more credit for his success than his degrees.

“I can talk,” he says. “I’m genuinely interested in [people] and they can see it.”

One key piece of advice he gives to all aspiring CISOs is to improve their communication skills, both written and face-to-face. He urges them to get formal training on this, because the difference between a well-written email or document and a poorly written one is huge — but without training you might not see the difference.

If he weren’t an information security pro, Shamblin says he would pursue another career in emergency response — and isn’t that what a lot of infosecurity is all about?

This is part three of Dark Reading’s “How To Become a CISO” series. Read parts one and two now. Come back next Monday for the next CISO origin story, which is set in a law school.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law, a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

[DarkReading]
