Black Hat 2014: RSA in the Desert?




I’ve been attending the Black Hat Security Conference in Las Vegas for almost a solid decade now, and if there’s one thing that’s for sure, it’s that the conference continues to evolve.

Granted, when I first started attending Black Hat those many years ago, it was not as a marketing rep for a security software vendor but as a reporter attempting to get my head around the emerging threat and exploit landscape.


However, even if my time is no longer spent attending sessions and trying (with varying degrees of success) to understand what is being presented, a walk across this year’s show floor clearly shows the continued shift towards a more business-centric audience.

This is nothing new, of course, as hardcore Black Hat attendees have been decrying the show’s evolution into more of an “RSA in the desert” for years. However, it’s clear that with each passing summer this change becomes ever more the reality.

When I was working for pen testing specialists Core Security in 2008, it was clear that ethical hackers, primarily researchers, still made up a huge swath of the Black Hat audience; this no longer would appear to be the case.

Certainly it has a lot to do with spending more time in the vendor exhibition space, but with each year I see more corporations and government agencies listed on attendees’ badges, and fewer humorous attempts to dodge identification (though we do have several “ninjas” and at least one “director of rainbows and unicorns” listed among our 2014 badge scans).

As I was discussing this phenomenon with longtime industry guru Alan Shimel (currently of the CISO Group and Security Bloggers Network) we were debating the potential upsides and downsides.

First off, neither of us would dispute that there’s still a wealth of extremely valuable research on the Black Hat schedule, even if I can’t claim to have attended many of those sessions in recent years.

Another key component to consider is that the sister DEF CON and parallel B-Sides Las Vegas shows cater directly and almost exclusively to ethical hackers and focus almost solely on research, allowing Black Hat to grow more… corporate.

You also have the phenomenon of people who started out as Black Hat researchers who are now focused more on the business side of things, having built vital companies out of the expertise they used to share as conference presenters (the guys from White Hat Security are a fitting and high-profile example).

As noted above, one of the other significant changes in Black Hat attendance is the ever-increasing number of government attendees. In years past there may have been a lot of Red Team/Blue Team types – and likely still are – but today, there’s an overwhelming number of state and federal security officials in attendance – with their names and titles displayed openly on their badges (another notable shift).

My impression is that many of the people who first came to Black Hat – and now may spend more time at DEF CON or B-Sides – may disparage the show’s change in interests, arguing that the event is now too focused on the business side.

However, for companies like FireMon this shift has obviously made the event even more valuable, providing us with another fantastic opportunity to connect with existing customers and new prospects to tell them more about what our solutions can do.

Is the change good? Is it bad? That’s for each individual to decide on their own, but as Alan and I eventually agreed, it’s really just a natural evolution as hacking and ethical research continue to mature and become an even bigger element of enterprise security.

No matter how you slice it, Black Hat continues to serve as an ideal venue for numerous elements of the security community to connect. No matter what changes come it’s always a pleasure to be there.

For Security to Succeed We Need More Silo-busting




In my role as editor-in-chief of DevOps.com I hear, read and write a lot about the need for all of the various constituents of IT to work more closely together. As such, I’m always happy to hear about a company’s efforts at silo-busting. So when I saw Javvid Malik’s report on FireMon’s new Policy Optimizer and its ability to bust down silos, I’ll admit it brought a smile to my face.

Malik’s report talks about Policy Optimizer breaking down existing silos across different sectors of IT in determining which firewall rules are out of date, no longer necessary or even security risks. Much of this silo busting is accomplished via automation. Again, this is music to a DevOps advocate’s ears.

Why is all of this silo busting and automation so important? The short, real-world answer is that today’s speed of business will accept nothing less. The more detailed answer is that in a world:

  • where changes – including changes to code – happen multiple times a day,
  • where “web-scale IT” measures servers and instances in the tens of thousands,
  • where security must keep up or be left behind, and
  • where automation and working closely with developers, operations and QA is no longer an option but a necessity,

breaking down silos is a key ingredient in success.

I’ve been hearing that we need security to be “built in, not bolted on” almost since I first became involved in the security industry over 15 years ago; that security needs a seat at the IT table. Policy Optimizer is just the kind of solution that fulfills this specific need. It provides the means for security to work with the rest of the IT team in a way that makes sense and allows business to move forward with the velocity it needs.

Now before we declare “mission accomplished”, let’s not get ahead of ourselves. We still have a long way to go to better integrate security into IT and truly bust down the involved silos. We need developers to have a greater sense of ownership when developing secure applications. Just thinking about firewalls for a second, it would be great if developers gave some thought, when building an application, to who will require access, when, and what types of access they will need. Giving developers a say in setting firewall rules, for instance, makes sense.

Beyond the development team, how about working closer with the Ops folks too? Who knows the network better? Far too often the Ops team resides in a different silo than security teams and they thereby seem to work at loggerheads.

Again, this is why I like tools like FireMon’s Policy Optimizer and Risk Analyzer. They give Ops insight into security decisions and policies. Ops shouldn’t feel that security and risk strategies are devised using black magic. Shining a light on why security decisions are made and giving Ops input into the process is how you get buy-in, and how you really break down silos. Most importantly, it is how we can tangibly change our security posture for the better.

For some organizations this is still a very alien concept. Security teams are almost thought of as audit teams and are purposely set apart from the rest of IT. To me, this perpetuates a culture of failure around security. All you have to do is glance at the headlines on a regular basis to see that the old way of separate security teams is not working. We need new, more effective solutions. These solutions have to take into account the new way of business. Megatrends like Big Data, the cloud and mobility have fundamentally changed the equation for many businesses. If security is to be relevant, it must adapt and evolve.

For me, breaking down the silos around the security team sounds the death knell of standalone security teams. I look forward to the day when instead of having a standalone security team, everyone in the IT department is part of the security team.  I don’t know if that will happen in my lifetime, but every step along the way, such as Policy Optimizer, is a step in the right direction.

As editor-in-chief of DevOps.com, a regular contributor to Network World, manager of the Security Bloggers Network and Chief Executive Officer at The CISO Group, Alan Shimel is attuned to the world of technology, particularly cloud, security and open source. Prior to his current positions, Alan was the co-founder and Chief Strategy Officer at StillSecure. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events.

Gartner Guidance: No Farewell to Firewalls




Every so often someone in our fair industry suggests that the long-tenured presence of the firewall is no longer a necessity – typically based on the emergence of some new solution, or on the notion that this most mature of network defenses is no longer sufficiently capable.

However, if you listen to the experts – in this case leading industry analysts Gartner – such observations are clearly misguided, at best. At the firm’s recent industry convocation in Washington – the annual Gartner Security & Risk Management Summit – nearly every session clearly reinforced that firewalls, and more effective management thereof, are just as critical, if not more so, than ever.

From the summit’s opening keynote – which stressed the need for CSOs and other security officials to tie their efforts directly to overriding business initiatives (a core benefit of FireMon’s recently launched Policy Optimizer module) – to breakouts dedicated specifically to network security, the importance of retaining and improving stout firewall defenses was driven home quite emphatically.

Sure, there was the annual “Farewell to Firewalls” presentation in which Gartner’s forward-looking thought leader Dr. Joseph Feiman espoused the need for new applications-centric mechanisms (specifically embedded runtime application self-protection [RASP] capabilities).

But, as artfully advanced by Gartner network security guru Greg Young during the session and ultimately conceded by Feiman himself, even the continued development and adoption of such emerging technologies will require a continued and significant reliance on firewalls.

In other thought leadership-type presentations, in particular longtime Gartner risk expert Neil MacDonald’s session on “Continuous Advanced Threat Protection”, the pressing need for more proactive and context-aware management of network security infrastructure was further hammered home.

MacDonald’s call for “Adaptive Security Architecture” emphasized the need for strategy to shift away from traditional “detection” and “response” methodologies to focus on more “predictive” and “preventative” tactics. These observations absolutely validate FireMon’s own adherence to network security management grounded squarely in real-time, proactive intelligence.

And if all those points weren’t enough to cement the tremendous need for continued maturation of firewalls and other security device infrastructure, one needed to look no further than network security analyst Adam Hils’ overview of inquiries filed by Gartner’s own clients over the first half of 2014.

The hard numbers bear out the reality that firewalls remain of huge import and concern to organizations of all sizes and industries in today’s environment – with a whopping 51 percent of all network security inquiries, over 1500 interactions in total, relating directly to questions regarding firewalls (and less than 10 percent of those focused on so-called next generation firewalls at that). The closest contender in terms of volume was calls related to IPS technologies, at only 22 percent.

So, there’s a good deal of evidence that any predictions that firewall solutions are either yesterday’s news or increasingly less strategic are… highly overstated; the Gartner numbers simply don’t lie.

We speak to all these Gartner analysts frequently and they understand precisely how valuable FireMon solutions can be in advancing your organization’s own network security interests. So why take our word for it – give them a call and find out for yourself.

Building The Fire 2014




FireMon celebrated an amazing 2013 as noted in our recent press release. The company also held its Global Sales Kickoff in mid-January, the theme of which was Building the Fire 2014. I thought I would share a couple of observations from the event with our blog readers.

First, the growth of FireMon was phenomenal to see! When I joined the company in August of 2011, I was the 21st employee at FireMon. Having the honor and privilege of being the emcee for the kickoff, I found myself looking out at 103 other FireMon employees on the first morning of kickoff. There was a palpable sense that the company was truly about to explode as our President & CTO Jody Brazil shared the explosive growth numbers that we experienced in 2013. This was reinforced throughout the kickoff as all divisions discussed the growth experienced both in sales, technology enhancements and in employees within each division.

Secondly, the future direction of FireMon was exciting to see. The product roadmap and vision for 2014 was laid out for the company, and the continued focus on real-time, proactive Security Intelligence reinforced FireMon’s market-leading focus on security management and risk analysis. A number of new and exciting technologies and enhancements will be rolling out throughout 2014 within the FireMon Security Platform, and we are excited to share these with you as they come out.

Finally, the amazing culture of fun and teamwork that FireMon has built over the years was on display throughout the event. The FireMon Band, G Fish & Special Sauce, made their debut performance on the first night of the kickoff. The diverse talents of employees from Sales, Development and Executive Management were on display, accompanied by sing alongs and dancing from the entire company. A small sampling of the band is below:

The second night featured phenomenal food and fellowship while enjoying two Kansas City landmarks as the team dined on the world famous Fiorella’s Jack Stack BBQ at Boulevard Brewing Company.

FireMon is on a phenomenal growth curve. We entered 2014 with 56 open positions around the world. While we have filled a number of them, there are still openings available. If you would like to be a part of a fun, dynamic, winning culture on the cutting edge of Security Intelligence, we invite you to join us as we Build The Fire in 2014.


Prevent IP Address Spoofing





“Things are not always what they seem; the first appearance deceives many”. Phaedrus.

IP Address Spoofing is sometimes referred to as IP Address Forgery and, as the name suggests, it is a technique commonly used by attackers to carry out malicious activities such as Man in the Middle (MiTM), Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. It is generally used to maintain anonymity and cause havoc on the Internet.

To understand what IP Address Spoofing is and how it is used, we first need an appreciation of the underlying protocols that open the door to manipulation. IP itself does nothing to verify the source address field of a packet header, so a sender can write any value it likes there; TCP and UDP ride on top of IP and inherit the problem, although TCP’s three-way handshake makes blind spoofing of an established connection much harder than spoofing connectionless UDP traffic.

Current State and Attacks

In an age of botnets, where an attacker sits behind a layer of abstraction in the form of a command and control server, some people think that IP Address Spoofing is no longer an issue. In fact the reality is the opposite: IP Address Spoofing remains a real problem to defend against. In some cases it is necessary for an attack to succeed at all, and it provides an additional layer of anonymity and protection for a botnet (see the DNS amplification DDoS attack, which depends on forging the victim’s address as the source of the queries).

So, it is the inherent ability to manipulate a packet’s header in the protocol stack that makes possible malicious attacks such as:

MiTM – A malicious user intercepts a legitimate communication between two parties. The injected, malicious host then controls the transmission flow and can drop or alter the information within the data stream without the knowledge of the original sender or recipient. In this scenario the attacker fools the victim by “spoofing” the original sender’s address and identity, and can thereby induce it to disclose confidential information.

DoS / DDoS – Some malicious users are only concerned with consuming resources and bandwidth, so they attempt to “flood” the victim network with large volumes of traffic. To maintain the effectiveness of the attack, the attacker “spoofs” the source IP addresses to make stopping and tracing the attack as difficult as possible (a block keyed on source address is useless when every packet carries a different forged source). The effect is amplified when multiple compromised hosts, all using “spoofed” addresses, participate in the attack.

Defence Mechanisms

What can you do to defend against IP Address Spoofing attacks?

Firstly, ensure that your firewalls and routers are configured correctly and restrict the advance of forged traffic from the Internet; this is the ingress filtering described in BCP 38 (RFC 2827). For many years now firewall vendors have included a configurable anti-spoofing defence mechanism to block the use of private (RFC 1918) addresses as the source on the external interface. In addition, the external (Internet-facing) interface should not accept any packet whose source address lies in your own internal or public address ranges, since nothing on the Internet can legitimately originate from them. You should also drop outbound packets whose source address lies outside your valid public network range, which prevents the hosts behind that filter – your own, or your neighbours’ when the ISP applies it per customer link – from sending spoofed traffic to the Internet.

As an example, suppose the attacker sits within the 203.42.5.0/24 network range, which is provided Internet connectivity by ISP D. An input traffic filter on the ingress link of router 2 (the router that provides Internet connectivity to the attacker’s network) allows only packets whose source address lies within the 203.42.5.0/24 prefix, and so prohibits the attacker from using any “invalid” source address outside that range. Note that the attacker can still forge addresses within 203.42.5.0/24, so the filter bounds spoofing to the prefix rather than eliminating it; it does, however, make the spoofed packets traceable to ISP D’s customer.

A second preventative mechanism is to implement authentication and encryption to reduce the likelihood of the threat. IPsec, which was specified alongside IPv6 though its use remains optional in practice, provides both: a peer cannot be impersonated with a forged source address once traffic is authenticated. Bear in mind that this protects the integrity of a session, not the link; a flood of spoofed packets still consumes bandwidth before it is rejected.
[Figure: ISP router example]
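The three filter rules above (drop RFC 1918 and other bogon sources arriving from the Internet, drop packets from outside claiming one of your own ranges, and only let packets out whose source is inside your assigned prefix) can be expressed as a small decision function. The following is an added worked example written for this page, not FireMon code or the configuration of any real router; the prefixes, the two-interface topology and the sample packets are constructed for illustration, with 203.42.5.0/24 taken from the example above. The egress check is the same rule ISP D’s router 2 applies on its customer-facing ingress link, so one function serves both views.

```python
import ipaddress

# Constructed example topology (not a real network): the customer's public
# allocation, its internal RFC 1918 space, and the ranges that must never
# appear as a source address on the Internet-facing interface.
OUR_PUBLIC = [ipaddress.ip_network("203.42.5.0/24")]
OUR_INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Loopback, "this network", link-local and multicast are never valid sources
# from the Internet either.
OTHER_BOGONS = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def _parse(src):
    try:
        return ipaddress.ip_address(src)
    except ValueError:
        return None


def ingress_filter(src):
    """Decide a packet that ARRIVES on the external interface.

    Returns (accept, reason). The packet is dropped if its claimed source is
    an RFC 1918 address, another bogon, or one of our own ranges (public or
    internal): nothing on the Internet can legitimately originate from those.
    """
    addr = _parse(src)
    if addr is None:
        return False, "unparseable source address"
    if addr.version != 4:
        return False, "example handles IPv4 only"
    if _in_any(addr, RFC1918):
        return False, "RFC 1918 source on external interface"
    if _in_any(addr, OTHER_BOGONS):
        return False, "bogon source on external interface"
    if _in_any(addr, OUR_PUBLIC + OUR_INTERNAL):
        return False, "our own address range arriving from the Internet"
    return True, "accept"


def egress_filter(src, allowed=OUR_PUBLIC):
    """Decide a packet LEAVING toward the Internet. This is the same check an
    ISP applies on the ingress link facing a customer (router 2 above): the
    source must lie inside the prefix(es) assigned to that network.

    Apply it after NAT; otherwise RFC 1918 sources that NAT would have
    translated into the public range are dropped too early.
    """
    addr = _parse(src)
    if addr is None:
        return False, "unparseable source address"
    if _in_any(addr, allowed):
        return True, "accept"
    return False, "source %s outside assigned prefix(es)" % addr


def apply_filters(packets):
    """Run constructed (direction, src) pairs through the matching filter and
    return (direction, src, verdict, reason) rows."""
    results = []
    for direction, src in packets:
        check = ingress_filter if direction == "in" else egress_filter
        ok, why = check(src)
        results.append((direction, src, "ACCEPT" if ok else "DROP", why))
    return results


if __name__ == "__main__":
    # Constructed sample traffic: "in" arrives from the Internet, "out" leaves.
    SAMPLE = [("in", "198.51.100.9"),   # ordinary remote host: accepted
              ("in", "10.1.2.3"),       # RFC 1918 source from outside: dropped
              ("in", "203.42.5.7"),     # our own prefix arriving from outside: dropped
              ("in", "127.0.0.1"),      # bogon: dropped
              ("out", "203.42.5.7"),    # inside our allocation: accepted
              ("out", "198.51.100.9"),  # forged foreign source leaving: dropped
              ("out", "10.0.0.5"),      # untranslated private source leaving: dropped
              ("in", "not-an-ip")]      # garbage: dropped
    for row in apply_filters(SAMPLE):
        print("%-3s %-14s %-6s %s" % row)
```

The same logic, written as a vendor’s anti-spoofing feature or as an access list on router 2, is what the firewall best-practice checks described in the next section look for; the point of the example is that each rule is a plain prefix membership test whose failure mode is obvious when the ranges are spelled out.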
How can FireMon Help?

IP Address Spoofing is a difficult problem because the weakness lies in the design of the protocol suite itself. However, understanding how and why one would use a spoofing attack greatly increases your chances of successfully defending against one. With Security Manager, FireMon provides the ability to perform regular assessments of your firewalls and their configuration against best-of-breed configuration practices. Security Manager includes a number of pre-built compliance reports that save your security administrators valuable time and effort and help your organisation quickly find misconfigurations, implementations of risky services and unused rules that could expose your network to attack.

A quick glance at the Firewall Configuration Best Practices report can provide your security managers with the detailed information needed to appropriately manage your organisations security on a regular basis.

Dashboard Review

Each configuration check that Security Manager is able to perform can be drilled into by clicking the item to show more detail.

Configuration Checks

Don’t be fooled by a masquerading IP; contact a FireMon representative today for a demonstration of Security Manager and how we can help your organisation prevent its systems from being spoofed.

For Seahawks, Super Bowl Hinges on Predictive Defense




For Seattle Seahawks Cornerback Richard Sherman and his defensive teammates, stopping Quarterback Peyton Manning and the vaunted Denver Broncos offense will clearly be the deciding factor if they are to win Super Bowl XLVIII on Sunday.


Not to discredit Seattle Quarterback Russell Wilson and the Seahawks’ offense, or to dismiss Denver Cornerback Champ Bailey and the Broncos’ defense, but even the casual observer has to assume that the game will likely come down to the matchup between Manning, Sherman et al.

After all, Manning, a first ballot Hall of Fame quarterback in his own right, has led an offensive assault that achieved nothing less than breaking the NFL single season scoring record. Across the field, it has been the Seattle defense, led by shutdown corner Sherman, which has carried Seattle into the NFL season finale.

How can Seattle hope to achieve such a task? One can easily compare the challenge facing the Seahawks’ defenders to the grueling task tackled each day by enterprise IT practitioners in attempting to stop today’s avalanche of malware threats.

To break it down, Seattle’s coaching staff and players can enlist a few basic tactics in trying to stave off the Broncos’ offensive onslaught including:

• Reviewing game tape to isolate and prepare for Denver’s tendencies.
• Creating an innovative game plan to deter the Broncos’ offense.
• Reading and reacting during the game as effectively as they can.

The same can be said of enterprise security and IT risk management experts in attempting to stave off attacks via methods including:

• Reviewing network security controls to isolate potential weaknesses.
• Creating an innovative security/risk management strategy to deter attacks.
• Monitoring and best responding to current conditions and threats.

To create the strongest likelihood of success, NFL teams invest massive resources in the best available players, coaches and multimedia equipment – even computer modelling applications that model all possible conditions (think “Moneyball”).

Enterprise organizations similarly recruit leading IT security management and operational pros, and certainly invest as much if not more than their NFL counterparts on solutions aimed at best preparing against any potential attacks.

Yet, much as even the most efficient NFL defenses can be vanquished, today’s headlines still carry news of massive security failures such as the recent Target breach.

So what cutting-edge cyber-security Moneyball sabermetrics can today’s enterprises employ to try to outwit and outlast the league of threats they face?

As our President and Founder Jody Brazil highlighted in his blog reviewing the Target breach and attack escalation, the FireMon Security Manager platform represents a totally unique and unparalleled capability to maintain visibility into the current state of network defenses to stop today’s real-world malware campaigns.

In addition to providing critical, real-time game film to understand and improve potential gaps in defense, Security Manager also identifies all the possible “attack paths” available across the network and surfaces the real-world exposure of any underlying vulnerabilities, as well as automating security policy management.

Consider that no NFL defense will always make the first tackle or defend every pass before it’s caught; plays must be stopped downfield more often than not.

Likewise, coaches must drill players on how to react once a play has breached the defensive line: small gains must be prevented from becoming big plays.

And, before the ball is ever snapped, coaches must align players in the most strategic formations possible, constantly adjusting alignment to address offensive maneuvers.

At the end of the day, whether you’re Seahawks’ Head Coach Pete Carroll or one of today’s enterprise IT security practitioners you have to prepare as relentlessly as possible and best configure your defense to make the big plays on game day.

Much like Peyton and his orange-clad teammates, today’s attackers are hungry for their next big score.

Play to win; take a closer look at FireMon Security Manager platform today, and upgrade network security and IT risk management to Super Bowl level.