Palo Alto Networks Again Positioned in the Leaders Quadrant of the Magic Quadrant for Enterprise Network Firewalls

Santa Clara, Calif., April 17, 2014 – Palo Alto Networks® (NYSE: PANW), the leader in enterprise security, today announced it has been positioned by Gartner Inc. in the “leaders” quadrant of the April 15, 2014 “Magic Quadrant for Enterprise Network Firewalls.” This is the third year that Palo Alto Networks has been recognized as a leader in the Magic Quadrant for Enterprise Firewalls.

According to the report, “through 2018, more than 75% of enterprises will continue to seek network security from a different vendor than their network infrastructure vendor.” The report also states, “products must be able to support single-enterprise firewall deployments and large and/or complex deployments, including branch offices, multi-tiered demilitarized zones (DMZs) and, increasingly, the option to include virtual versions.”

“We’re thrilled to once again be named a leader in Gartner’s Magic Quadrant for enterprise firewalls report. We believe this echoes the momentum we’ve been experiencing as enterprise organizations see the value of a truly next-generation security platform – one that safely enables all applications and proactively prevents cyber threats for all users on any device across any network.”

– René Bonvanie, chief marketing officer at Palo Alto Networks

Leading the Way in Next-generation Enterprise Security

Nine years ago, Palo Alto Networks changed the network security industry with the introduction of the next-generation firewall. This breakthrough architecture brought unparalleled control through the safe enablement of applications, and exceptional levels of protection by blocking all known threats operating across a multitude of different vectors.

Two years ago, we again changed the industry with the introduction of WildFire and a next-generation threat cloud that focuses on detecting and defending against the most advanced, unknown threats. Most recently, through our acquisition of Cyvera, we added unique endpoint protection to the platform. The combination of our next-generation endpoint technology, our next-generation firewall and our next-generation threat cloud represents the most innovative, integrated, and automated enterprise security platform in the market.

With over 16,000 customers, our momentum is a testament to our innovative approach that protects organizations based on what matters most in today’s dynamic computing environments: applications, users and content – not just ports and protocols – and protecting them from the most advanced cyber threats.

To learn more about the Palo Alto Networks approach, visit www.paloaltonetworks.com.

To access the report, visit http://go.paloaltonetworks.com/gartner2014pr.

About Palo Alto Networks

Palo Alto Networks is leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats. Unlike fragmented legacy products, our security platform safely enables business operations and delivers protection based on what matters most in today’s dynamic computing environments: applications, users, and content. Find out more at www.paloaltonetworks.com.

Palo Alto Networks, the Palo Alto Networks Logo and WildFire are trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Media Contacts:

Jennifer Jasper-Smith
Head of Corporate Communications
408-638-3280
jjsmith@paloaltonetworks.com

Tim Whitman
Voce Communications
617-721-5994
twhitman@vocecomm.com

[Source: Palo Alto Networks]

Palo Alto Networks is now a member of the Cloud Security Alliance

https://cloudsecurityalliance.org/membership/corporate-members/

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

History

The issues and opportunities of cloud computing gained considerable notice in 2008 within the information security community. At the ISSA CISO Forum in Las Vegas, in November of 2008, the concept of the Cloud Security Alliance was born. Following a presentation of emerging trends by Jim Reavis that included a call for action for securing cloud computing, Reavis and Nils Puhlmann outlined the initial mission and strategy of the CSA. A series of organizational meetings with industry leaders in early December 2008 formalized the founding of the CSA. Our outreach to the information security community to create our initial work product for the 2009 RSA Conference resulted in dozens of volunteers to research, author, edit and review our first whitepaper.

We are leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats. Because of our deep expertise, commitment to innovation and game-changing security platform, thousands of customers have chosen us and we are the fastest growing security company in the market.

Our security platform natively brings together all key network security functions, including advanced threat protection, firewall, IDS/IPS, and URL filtering. Because these functions are natively-built into the platform and share important information across the respective disciplines, we ensure better security than legacy firewalls, UTMs, or point threat detection products.

With our platform, organizations can safely enable the use of all applications, maintain complete visibility and control, confidently pursue new technology initiatives like cloud and mobility, and protect the organization from cyber attacks — known and unknown.

Company Fast Facts

  • More than 16,000 customers in over 120 countries across multiple industries
  • More than 65 of the Fortune 100 rely on us to improve their cybersecurity posture
  • Ranked an enterprise firewall market leader by Gartner in 2011 and 2012 (published Feb 2013)
  • FY’13 revenues grew 55% year over year – more than any other publicly traded competitor in our market
  • Added more than 1,000 customers per quarter for the last 9 consecutive quarters
  • Partnered with elite IT leaders such as VMware, Citrix, Splunk, and Symantec
  • Named “best place to work” by the Silicon Valley Business Journal
  • Over 1,375 employees worldwide
  • Global support organization with teams in the Americas, EMEA, Asia, and Japan
  • IPO July 2012; stock symbol on the NYSE: PANW

[Source: Cloud Security Alliance]

Palo Alto Networks Addresses Heartbleed Vulnerability (CVE-2014-0160)

A critical vulnerability in OpenSSL (CVE-2014-0160: OpenSSL Private Key Disclosure Vulnerability) was recently disclosed, which affects servers running OpenSSL 1.0.1 through 1.0.1f, estimated at “over 17% of SSL web servers which use certificates issued by trusted certificate authorities.” The vulnerability essentially compromises the integrity of SSL encryption, allowing attackers to steal sensitive data from this secure channel.

The vulnerability, also known as the Heartbleed bug, most severely impacts enterprise servers running vulnerable versions of OpenSSL, and in a worst-case scenario could expose end-user communication over SSL encryption.

Palo Alto Networks immediately addressed this vulnerability, ensuring our customers are protected against exploitation of Heartbleed, including the following updates:

  • PAN-OS, our core operating system, is not impacted by CVE-2014-0160, as we are not using a vulnerable version of the OpenSSL library
  • We released a content update on April 9th, 2014 that automatically detects and immediately blocks attempted exploitation of the vulnerability (IPS vulnerability signature ID 36416)

To be clear, Palo Alto Networks software is not vulnerable, and customers with a Threat Prevention subscription, and their users, are protected from Heartbleed. We advise that all Threat Prevention users ensure they are running the latest content version on their device.

Furthermore, we recommend that all enterprises update their web servers to the latest patched version of OpenSSL available as of April 7, 2014 (1.0.1g), and immediately replace SSL private keys after the patch is in place. Given the close relationships many of you have with your vendors and partners, it is important that you help identify vulnerable systems, and notify partners immediately.
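A version-string triage for the server-side steps above (update OpenSSL, then replace private keys and certificates), added here as an example and not anything Palo Alto Networks published; the hostnames, banners and certificate dates are constructed, and the affected ranges are the ones the advisory states (1.0.1 through 1.0.1f, fixed in 1.0.1g, plus the 1.0.2 beta line mentioned later on this page).

```python
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Ranges as the advisory states them: 1.0.1 through 1.0.1f are affected,
# 1.0.1g (7 Apr 2014) carries the fix, and the 1.0.2 beta line was affected too.
PATCH_DATE = date(2014, 4, 7)
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")

def parse_version(banner: str) -> Optional[Tuple[int, int, int, str, bool]]:
    """Parse 'openssl version' output ('OpenSSL 1.0.1e-fips 11 Feb 2013')
    into (major, minor, fix, letter, is_beta); None if it is not OpenSSL."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5) is not None

def heartbleed_status(banner: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-affected' or 'unknown'. Caveat: distros
    backport the fix without bumping the version (a patched build may still say
    1.0.1e), so confirm a 'vulnerable' verdict against the package changelog."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, is_beta = parsed
    if (major, minor, fix) < (1, 0, 1):
        return "not-affected"      # the TLS heartbeat code only arrived in 1.0.1
    if (major, minor, fix) == (1, 0, 1):
        return "vulnerable" if letter <= "f" else "fixed"   # '' and a..f affected
    if (major, minor, fix) == (1, 0, 2) and is_beta:
        return "vulnerable"        # 1.0.2-beta releases shipped the same bug
    return "fixed"

def needs_new_key(banner: str, cert_not_before: date) -> bool:
    """Keys used on an affected branch must be replaced after patching; a
    certificate issued before the fix date shows that has not happened yet."""
    status = heartbleed_status(banner)
    return status in ("vulnerable", "fixed") and cert_not_before < PATCH_DATE

def triage(inventory: Dict[str, Tuple[str, date]]) -> Dict[str, List[str]]:
    """inventory maps host -> (banner, certificate notBefore); returns the
    actions each host still needs, in the order the advisory gives them."""
    actions: Dict[str, List[str]] = {}
    for host, (banner, not_before) in inventory.items():
        status = heartbleed_status(banner)
        todo: List[str] = []
        if status == "vulnerable":
            todo.append("update OpenSSL to 1.0.1g (or a backported fix)")
        elif status == "unknown":
            todo.append("identify the TLS stack by hand")
        if needs_new_key(banner, not_before):
            todo.append("replace the private key and reissue the certificate")
        actions[host] = todo
    return actions

# Constructed sample inventory (hostnames, banners and dates are made up).
SAMPLE = {
    "web-1": ("OpenSSL 1.0.1e-fips 11 Feb 2013", date(2013, 6, 1)),
    "web-2": ("OpenSSL 1.0.1g 7 Apr 2014", date(2013, 6, 1)),
    "web-3": ("OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 10)),
    "legacy": ("OpenSSL 0.9.8y 5 Feb 2013", date(2012, 1, 1)),
    "appliance": ("GnuTLS 3.2.0", date(2013, 1, 1)),
}
```

Run `triage(SAMPLE)` to get the outstanding actions per host; feed it real banners from `openssl version` and the notBefore dates of deployed certificates.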

As an end-user, continue to practice good Internet hygiene, such as not accessing public Wi-Fi hotspots, clicking on unknown links in email, or downloading and opening suspicious files.

[Source: Palo Alto Networks Research Center]

More Than A Half-Million Servers Exposed To Heartbleed Flaw

What the newly exposed SSL/TLS threat really means for enterprises and end-users.

The newly exposed Heartbleed bug plaguing some 17 percent of SSL-secured websites as well as various VPN products has caused a massive case of Internet heartburn over the past 48 hours as companies rushed to confirm their exposure and lock down their SSL/TLS software. But just how bad is it?

Errata Security CEO Robert Graham scanned the Net for machines vulnerable to the implementation flaw in the so-called Heartbeat function of TLS, and discovered some 600,000 affected out of 28 million SSL machines. He estimates that some one-third of SSL machines had been patched with the update to the buggy OpenSSL library. Netcraft, meanwhile, says the buggy Heartbeat extension is enabled on 17.5 percent of SSL sites, which include close to a half-million digital certificates at risk of theft and spoofing from the attack.

Heartbleed may be one of the biggest Internet security events since security expert Dan Kaminsky found and helped coordinate a fix for the massive Domain Name Service (DNS) caching vulnerability in 2008. Bruce Schneier gives Heartbleed an 11 rating on an ascending scale of 1 to 10, and security companies and experts are issuing warnings of the severity of the bug. The flaw, a two-year old implementation bug in the open-source OpenSSL, has been fixed with the new OpenSSL 1.0.1g, but experts say to assume it’s already been abused by nation-states or cyber criminals given the two years it wasn’t publicly known.

Fixing Heartbleed isn’t cheap. The estimated cost to remedy the flaw is hundreds or thousands of dollars per server or application, according to Tatu Ylonen, inventor of the SSH protocol and CEO and founder of SSH Communications Security. That adds up to more than a billion dollars in overall labor and certificate renewal costs worldwide, Ylonen says.

The bug, in Versions 1.0.1 and 1.0.2 beta, leaks the contents of the memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data and the SSL server’s private key. While there have been reports of Yahoo passwords exposed by the bug and massive nefarious scanning for the flaw on the Net and signs of attacks since Heartbleed was revealed late Monday, there’s still debate over just how easily exploitable the bug really is.

“Certainly, nation-states will have the best capability to quickly weaponize this vulnerability for large-scale exploitation,” Schneier says.

Carrying out an attack using this flaw is not for script kiddies, experts say. It would take a nation-state or organized crime organization. “There are not enough skilled attackers with non-attributable networks to safely carry out large-scale collection efforts using this vulnerability,” says security expert Ralph Logan, CEO of Kiku Software, a large data analytics software firm. For example, “In order to collect mail.yahoo.com uid:pass pairs using this vulnerability, you would need a giant non-attributable network larger than TOR, but TOR won’t work in this case because we all know that it’s attributable.

“Joe Hacker/single actor in the .ru still has to have a non-attributable network to infiltrate and exfiltrate large amounts of data across the web.”

But the bad news now that the cat’s out of the bag is that proofs-of-concept are out — and some attacks are under way. Jaime Blasco, director of AlienVault Labs, says his firm has spotted scans for the flaw as well as brute-force attack attempts on some of its customers. “We have seen active attacks” in the past 48 hours, Blasco says.

Mozilla’s former director of security assurance Michael Coates, now director of product security for Shape Security and chairman of OWASP, points out that the attacker must have access to network devices “along the communication” path of a user and a website. “In order to decrypt data exchanged between a user and a website, the attacker must have access to network devices along the communication path. This attack could most easily be launched by state actors, intelligence agencies, or criminal enterprises operating with collusion from network operators,” Coates said today in a blog post.

An individual attacker could also target users on a shared WiFi hotspot with Heartbleed, he says.

As for concerns about attackers stealing a website’s digital certificate via a Heartbleed attack, Errata’s Graham contends that panic over private keys leaking is somewhat overblown. “In most [packaged] software, this cannot happen. That’s because memory containing the private key is never freed, and hence allocated heartbleed buffers can never contain it,” Graham said in a blog post today:

The upshot is this. What you can eavesdrop on with heartbleed hacks is dynamic stuff, stuff that was allocated only moments ago. What you probably can’t get is static information. Certainly, you can’t get any static information that hasn’t been freed, and you probably can’t get static information that was freed long ago, such as program startup. It’s a great way to steal passwords from recent logins, but it’s unlikely to give private keys. Certainly, there is some poorly written software that when it validates the SSL connection, copies the private key into a buffer, uses it, then frees the buffer. Thus, there certainly exists some software that reliably leaks the private key, it’s just that on most software it’s not possible.

Intranet Heartbleed
Not all SSL servers are public Internet-facing, of course: Also at risk are internal intranet SSL servers that run internal corporate applications. And VPN software such as the open-source OpenVPN software was exposed but has since been patched.

“You need to change all certificates and keys,” says Kevin Bocek, vice president, security strategy and threat intelligence, at Venafi. “What’s inside the firewall is a lot more” lucrative to an attacker, he says.

“If I’m an advanced attacker, this is just a heyday. Now I can easily punch a server. I can get the keys and certs that allow me to [move] internally, which before would have taken a lot more effort. [Heartbleed] is also an internal concern.”

Enterprises should confirm whether their servers and VPN products are vulnerable if they have not done so already, and if they are, update them and obtain new digital certificates to be safe. Once they’ve cleaned that up, then they should institute end-user password changes, experts say.

End users should change their passwords on websites that were vulnerable, but not until after they’ve been patched. “This particular vulnerability still exists in many locations, so changing your password may just mean that the new password is vulnerable,” says Matt Willems, an engineer for LogRhythm Labs. “The best advice is to follow normal best-practices for online identity information. Change your passwords regularly, and if an online service says your information may be at risk, follow their directions.”

Meanwhile, SANS Internet Storm Center is tracking software vendors that have updated their products here. And several free online scanning tools are available for testing SSL servers for the flaw, such as this and this.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, CommunicationsWeek, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at The College of William & Mary. Follow her on Twitter @kjhiggins.

[Source: DarkReading]

Heartbleed and the Internet of Things implications

Chances are good you have already seen news about the OpenSSL Heartbleed vulnerability (i.e., CVE-2014-0160). It’s a pretty significant bug, particularly since it impacts popular open-source web servers such as Apache (the most popular web server) and Nginx. This means that a combined population of up to 66 percent of the Internet is potentially impacted (based on data from Netcraft).

One significant area that has been covered less in the industry press is the impact this issue could have outside of the population of vulnerable web servers. Now clearly, the impact to web servers is a big deal. But consider for a moment what else might be impacted by this. Here’s a hint: it’s Internet of Things Day today. In other words, consider the impact on embedded systems and “special purpose” systems (like biomed or ICS).

OpenSSL has a very developer-friendly license, requiring only attribution for it to be linked against, copied/pasted or otherwise incorporated into a derivative software product. It is also free. This makes it compelling for developers to incorporate it into anything they’re building that requires SSL functionality: everything from toasters to ICS systems, medical equipment, smoke detectors, remote cameras, consumer-oriented cable routers and wireless access points. It’s literally the path of least resistance as a supporting library/toolkit when developing new software that requires SSL.

We’ve seen an analogue of this in the past. Remember the fallout from the string of ASN1 parsing vulnerabilities a few years ago (e.g., CVE-2003-0543 and CVE-2003-0544)? Take a look at the long list of products and vendors affected by that bug in the link above. The underlying reason for the wide reach of that problem is that the code for ASN1 parsing was reused and recycled so extensively in other products. Because ASN1 parsing is hard to do, finding code that does it already and incorporating it into derivative software is a huge timesaver. Likewise, SSL functionality is complicated to write—it is advantageous to incorporate something that is already written (like OpenSSL), particularly when doing so doesn’t incur additional cost to you or lock you in to a particular operating system platform, such as with OS-specific proprietary libraries.

From a practical standpoint, there are a few ramifications to this. While a webserver can be upgraded (relatively) easily to use the fixed OpenSSL code, an embedded system is quite a bit more challenging to upgrade. Upgrading a biomedical system, for example, without careful coordination with the vendor who supplies it can (quite literally) have a life and safety impact to patients. Upgrading an ICS system, likewise, requires careful coordination and specialized testing.

Given these facts (and not to be hyperbolic about it), recovering from this issue could literally take years.

So what can organizations do about it? Patching webservers is obviously a good idea. Folks who run websites might also wish to consider getting a new certificate since it’s possible private key data might have been exposed. Everyday users might consider changing their passwords since they could have been exposed.

For the longer-term issue that could be lurking in embedded devices or specialized systems? That’s a thornier issue. One thing that could be helpful is encouraging vendors of those systems to confirm explicitly (and in writing) that they are not vulnerable to this if they provide SSL functionality (or to provide instructions on remediation if they are). By doing this, organizations with a population of these devices can get an assurance that someone at the vendor has at least evaluated the issue and how it might impact production deployments.

Ed Moyle
Director of Emerging Business and Technology, ISACA

[Source: ISACA]
