Configuration Confrontation – Network Security’s Biggest Challenge




As numerous breach incidents have emphasized, the inability of organizations to properly configure existing defenses remains arguably their most significant network security challenge.

With the Target breach standing as perhaps the best example – as attackers subsequently infiltrated the retailer’s point-of-sale data after gaining access to other areas of the network – the problem has been reinforced in a number of high-profile incidents.


This week, noteworthy vulnerability researcher H.D. Moore, perhaps best known as founder of the Metasploit pen testing platform, brought even greater attention to this issue, releasing new findings regarding a previously unreported firewall configuration issue that could expose many organizations to potential compromise.

The research, which affects organizations using devices made by Palo Alto Networks, a leader in the space, further highlights the fact that it is the challenge practitioners face in properly configuring such defenses – not vulnerabilities in those products – that remains so pervasive and troublesome.

As first detailed by Moore in a blog post and reported in news outlets including the U.K.-based Register, the issue involves misconfigured user identities set up for Palo Alto Networks firewalls that “leak” information onto the Web, exposing underlying services.

With VPN and webmail services among those affected, the issue revolves around possible credential exposure when Palo Alto Networks customers have improperly configured User-ID to enable WMI probing on external/untrusted zones, which results in the User-ID agent sending those probes to external/untrusted hosts.

To its credit, Palo Alto quickly posted an advisory and associated best practices guidelines to help organizations address the issue. Vulnerability management specialists Rapid7, which purchased Metasploit five years ago and remains Moore’s employer, also posted an advisory.

By no coincidence, Palo Alto and Rapid7 are among FireMon’s closest technology and business partners. This is because we work with these companies every day to help customers identify and remediate precisely the type of issues highlighted by Moore’s ingenious research.

Network and application vulnerabilities remain a huge problem, as do cutting-edge attacks. However, as illustrated by the Target breach, countless other incidents and the details of Moore’s latest work, erroneous and unseen configuration issues within network security infrastructure remain just as significant a problem. Even better, they are a problem that, once identified, can be rapidly addressed.

The revealed Palo Alto firewall “vulnerability” isn’t a flaw at all but rather an opportunity for risk created by the complexity of firewall configuration and the limited visibility many practitioners have into how their defenses are currently configured – an issue intensified within large enterprises.

These are the very network security management challenges that led to the initial invention and continued advancement of FireMon Security Manager. Working alongside partners including Palo Alto and Rapid7, among many others, we help our customers identify and mitigate such issues.

In response to Moore’s research, FireMon immediately created a new custom audit check within Security Manager that allows organizations to analyze their Palo Alto firewalls and verify that user identification lookups are not allowed on public-facing zones.
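To make the audit check described above concrete, here is an added example of the same idea in Python; it is not FireMon’s or Palo Alto Networks’ code. It parses a constructed, simplified configuration sample modelled on the PAN-OS XML export, reports every public-facing zone that still has User-ID enabled, and produces a remediated copy with the setting turned off. The element name `enable-user-identification` and the overall layout are assumptions to verify against a real export, and the set of zones treated as public-facing is something the network team supplies; the names here are constructed.

```python
"""Audit check: flag firewall zones that have User-ID enabled while facing
untrusted networks, and show the corrected configuration beside the weak one.
Added example, not FireMon's or Palo Alto Networks' code.  The XML below is a
constructed sample modelled on a PAN-OS export; element names are assumed."""
import xml.etree.ElementTree as ET

# Constructed sample: "trust" and "untrust" both have User-ID on, "dmz" has no
# setting at all (PAN-OS treats a missing flag as disabled; assumption here too).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone>
      <entry name="trust">
        <network><layer3><member>ethernet1/2</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry>
      <entry name="untrust">
        <network><layer3><member>ethernet1/1</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry>
      <entry name="dmz">
        <network><layer3><member>ethernet1/3</member></layer3></network>
      </entry>
    </zone>
  </entry></vsys></entry></devices>
</config>"""

# Zones that border the Internet or any network the firewall does not control.
# In a real audit this list comes from the network team; these names are made up.
PUBLIC_FACING_ZONES = {"untrust", "dmz"}


def user_id_zones(config_xml):
    """Return {zone_name: True/False} for every zone entry in the config."""
    root = ET.fromstring(config_xml)
    result = {}
    for zone in root.iter("zone"):
        for entry in zone.findall("entry"):
            flag = entry.findtext("enable-user-identification", default="no")
            result[entry.get("name")] = flag.strip().lower() == "yes"
    return result


def audit_user_id(config_xml, public_zones):
    """Sorted list of public-facing zones with User-ID enabled.
    An empty list means the check passes."""
    zones = user_id_zones(config_xml)
    return sorted(z for z, on in zones.items() if on and z in public_zones)


def remediate_user_id(config_xml, public_zones):
    """Return a copy of the config with User-ID disabled on public-facing zones.
    Internal zones are left untouched, so User-ID still works where intended."""
    root = ET.fromstring(config_xml)
    for zone in root.iter("zone"):
        for entry in zone.findall("entry"):
            if entry.get("name") not in public_zones:
                continue
            flag = entry.find("enable-user-identification")
            if flag is None:
                flag = ET.SubElement(entry, "enable-user-identification")
            flag.text = "no"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    findings = audit_user_id(SAMPLE_CONFIG, PUBLIC_FACING_ZONES)
    if findings:
        print("FAIL: User-ID enabled on public-facing zone(s):", ", ".join(findings))
    else:
        print("PASS: no public-facing zone has User-ID enabled")
    fixed = remediate_user_id(SAMPLE_CONFIG, PUBLIC_FACING_ZONES)
    print("After remediation:", audit_user_id(fixed, PUBLIC_FACING_ZONES) or "PASS")
```

Run against the sample, the audit reports `untrust` (User-ID on, public-facing) and passes `trust` (internal) and `dmz` (no setting); after `remediate_user_id` the same audit returns an empty list. The check deliberately keys on an explicit list of public-facing zones rather than on zone names, since nothing in the configuration itself marks a zone as untrusted.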

To be honest, doing so was almost painfully simple, because this is exactly what FireMon was designed to do!

As FireMon has been publicizing for many years – the level of complexity and change affecting configuration of network firewalls remains perhaps the greatest challenge facing network security practitioners.

If you’re concerned that the newly reported Palo Alto issue, or any of the countless configuration challenges affecting every manner of network firewall, may affect your organization, take a closer look at FireMon.

We help customers gain visibility into and control over this very type of problem. It’s what we do. It’s why we’re here. Learn more about our solutions, today.

Industry News – Advancing Network Threat Intelligence




When FireMon re-positioned itself around the concept of Proactive Security Intelligence at the beginning of 2014, the effort was undertaken with the notion of highlighting the critical role that data produced by our solutions plays in managing enterprise security and IT risk.

Sure, if you want to start at the most foundational element of the processes we support, as many of our customers do, it can be stated as simply as firewall management – getting a clear understanding of what network security device infrastructure is doing, then improving the performance and efficiency of those defenses, continuously.


However, the truth is, “firewall management” is far too narrow a way of communicating the overall value of what the FireMon Security Manager Platform and its supporting modules offer in terms of strategic information, hence the new messaging.

With all the intelligence that we produce regarding policy workflow, compliance validation and risk management, along with enablement of related process automation, we felt it was far more appropriate, if not completely defensible, to adopt this broader PSI mantra.

Intelligence, of course, has evolved into a very broad and encompassing industry buzzword, popular among security vendors of all breeds who feel that they provide some form of critical data to inform strategic decision making – which admittedly could be almost any company on the landscape today.

Of all the various uses of intelligence, clearly, the most widely recognized arena (perhaps beyond long-standing ties to the SIEM market) these days is that of “threat intelligence”, or the real-time aggregation and distribution of information regarding emerging attacks to help both products and practitioners respond more adeptly as threat-scape conditions evolve.

So, it’s with keen interest that we at FireMon saw the news this week that industry heavyweights Fortinet, McAfee and Palo Alto Networks, all of whom are close partners of ours, announced a new high-profile effort (along with endpoint experts Symantec) to drive threat intelligence even deeper into the domain of network protection.

Some may roll their eyeballs at the introduction of yet another pan-industry coalition, but this is a pretty influential group in our world, and as such the launch of the involved “Cyber Threat Alliance” is certainly intriguing.

The reason is simple. Of all the uses that a product maker or practitioner could find for the latest and most comprehensive information regarding emerging threats, using that intelligence to assure that network defenses are in place and assets are effectively segmented is certainly one of them – a case echoed in the accompanying research white paper launched by the new coalition.

As highlighted by McAfee EMEA and Canada President Gert-Jan Schenk in the related announcement, the unprecedented rate and severity of recent breach incidents has come at the hand of “complex and multidimensional attacks” that dictate attention far beyond installation of more effective anti-malware systems at the network gateway or on endpoint devices.

Given that we’ve long stumped for the need to use current, in-depth visibility into the real-world alignment of network defenses, in relation to underlying assets and known vulnerabilities, to address risk exposure and mitigate available attack paths, this effort on the part of our partners, industry leaders all, is definitely something FireMon would support, heartily.

As our self-appointed corner of the market – Network Security Intelligence – continues to evolve and we move to help organizations better align their defenses to account for emerging attacks it will be fascinating to see how threat intelligence continues to shape methodologies.

We’ll continue striving to be at the forefront, working with these types of thought leaders to enable more effective defense.

Black Hat 2014: RSA in the Desert?




I’ve been attending the Black Hat Security Conference in Las Vegas for almost a solid decade now, and if there’s one thing that’s for sure, it’s that the conference continues to evolve.

Given, when I first started attending Black Hat those many years ago, it was not as a marketing rep for a security software vendor, but as a reporter attempting to get my head around the emerging threat/exploit landscape.


However, even if my time is no longer spent attending sessions, and trying (with varying degrees of success) to understand what is being presented, a walk across this year’s show floor clearly evidences the continued shift towards a more business-centric audience.

This is nothing new, of course, as hardcore Black Hat attendees have been decrying the show’s evolution into more of an “RSA in the desert” for years. However, it’s clear that with each passing summer this change becomes ever more the reality.

When I was working for pen testing specialists Core Security in 2008, it was clear that ethical hackers, primarily researchers, still made up a huge swath of the Black Hat audience; this no longer would appear to be the case.

Certainly it has a lot to do with spending more time in the vendor exhibition space, but with each year I see more corporations and government agencies listed on attendees’ badges, and fewer humorous attempts to dodge identification (though we do have several “ninjas” and at least one “director of rainbows and unicorns” listed among our 2014 badge scans).

As I was discussing this phenomenon with longtime industry guru Alan Shimel (currently of the CISO Group and Security Bloggers Network) we were debating the potential upsides and downsides.

First off, neither of us would debate that there’s still a wealth of extremely valuable research on the Black Hat schedule, and I can’t even make the claim in recent years of attending many of these sessions.

Another key component to consider is that the sister DEF CON and parallel B-Sides Las Vegas shows cater directly and almost exclusively to ethical hackers and focus almost solely on research, allowing Black Hat to grow more… corporate.

You also have the phenomenon of people who started out as Black Hat researchers who are now focused more on the business side of things, having built vital companies out of the expertise they used to share as conference presenters (the guys from White Hat Security are a fitting and high-profile example).

As noted above, one of the other significant changes in Black Hat attendance is the ever-increasing number of government attendees. In years past there may have been a lot of Red Team/Blue Team types – and likely still are – but today, there’s an overwhelming number of state and federal security officials in attendance – with their names and titles displayed openly on their badges (another notable shift).

My impression is that many of the people who first came to Black Hat – and now may spend more time at Def Con or B-Sides – may disparage the show’s change in interests, arguing that the event is now too focused on the business side.

However, for companies like FireMon this shift has obviously made the event even more valuable, providing us with another fantastic opportunity to connect with existing customers and new prospects to tell them more about what our solutions can do.

Is the change good? Is it bad? That’s for each individual to decide on their own, but as Alan and I eventually agreed, it’s really just a natural evolution as hacking and ethical research continue to mature and become an even bigger element of enterprise security.

No matter how you slice it, Black Hat continues to serve as an ideal venue for numerous elements of the security community to connect. No matter what changes come it’s always a pleasure to be there.

For Security to Succeed We Need More Silo-busting




In my role as editor-in-chief of DevOps.com I hear, read and write a lot about the need for all of the various constituents of IT to work more closely together. As such, I’m always happy to hear about a company’s efforts at silo-busting. So when I saw Javvad Malik’s report on FireMon’s new Policy Optimizer and its ability to bust down silos, I’ll admit it brought a smile to my face.

Malik’s report talks about Policy Optimizer breaking down existing silos across different sectors of IT in determining what firewall rules are either out of date, no longer necessary or even security risks. Much of this silo busting is accomplished via automation. Again, this is music to a DevOps advocate’s ears.

Why is all of this silo busting and automation so important? The short, real-world answer is that today’s speed of business will accept nothing less. A more detailed answer is that in a world:

  • where changes – including changes to code – happen multiple times a day,
  • where “web-scale IT” measures servers and instances in the tens of thousands,
  • where security must keep up or be left behind,
  • where automation and working closely with developers, operations and QA is no longer an option, but a necessity,

breaking down silos is a key ingredient in success.

I’ve been hearing that we need security to be “built in, not bolted on” almost since I first became involved in the security industry over 15 years ago; that security needs a seat at the IT table. Policy Optimizer is just the kind of solution that fulfills this specific need. It provides the means for security to work with the rest of the IT team in a way that makes sense and allows business to move forward with the velocity it needs.

Now before we declare “mission accomplished”, let’s not get ahead of ourselves. We still have a long way to go to better integrate security into IT and truly bust down the involved silos. We need developers to have a greater sense of ownership when developing secure applications. Just thinking firewalls for a second, it would be great if developers gave some thought as to who, when and what types of access users will require when building an application. Giving developers a say in setting firewall rules, for instance, makes sense.

Beyond the development team, how about working closer with the Ops folks too? Who knows the network better? Far too often the Ops team resides in a different silo than security teams and they thereby seem to work at loggerheads.

Again, this is why I like tools like FireMon’s Policy Optimizer and Risk Analyzer. They give Ops insight into security decisions and policies. Ops shouldn’t feel that security and risk strategies are devised using black magic. Shining a light on why security decisions are made, and giving Ops input into the process, is how you get buy-in and how you really break down silos. Most importantly, it is how we can tangibly change our security posture for the better.

For some organizations this is still a very alien concept. Security teams are almost thought of as audit teams and are purposely set apart from the rest of IT. To me, this perpetuates a culture of failure around security. All you have to do is glance at the headlines on a regular basis to see that the old way of separate security teams is not working. We need new, more effective solutions. These solutions have to take into account the new way of business. Megatrends like Big Data, the cloud and mobility have fundamentally changed the equation for many businesses. If security is to be relevant, it must adapt and evolve.

For me, breaking down the silos around the security team sounds the death knell of standalone security teams. I look forward to the day when instead of having a standalone security team, everyone in the IT department is part of the security team. I don’t know if that will happen in my lifetime, but every step along the way, such as Policy Optimizer, is a step in the right direction.

As editor-in-chief of DevOps.com, a regular contributor to Network World, manager of the Security Bloggers Network and Chief Executive Officer at The CISO Group, Alan Shimel is attuned to the world of technology, particularly cloud, security and open source. Prior to his current positions, Alan was the co-founder and Chief Strategy Officer at StillSecure. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events.

Gartner Guidance: No Farewell to Firewalls




Every so often someone in our fair industry suggests that the long-tenured presence of the firewall is no longer a necessity – typically based on the arrival of some newly emerging solution, or the notion that this most mature of network defenses is no longer sufficiently capable.

However, if you listen to the experts – in this case leading industry analysts Gartner – such observations are clearly misguided, at best. At the firm’s recent industry convocation in Washington – the annual Gartner Security & Risk Management Summit – nearly every session clearly reinforced that firewalls, and more effective management thereof, are just as critical, if not more so, than ever.

From the summit’s opening keynote – which stressed the need for CSOs and other security officials to tie their efforts directly to overriding business initiatives (a core benefit of FireMon’s recently launched Policy Optimizer module) – to breakouts dedicated specifically to network security, the importance of retaining and improving stout firewall defenses was driven home quite emphatically.

Sure, there was the annual “Farewell to Firewalls” presentation in which Gartner’s forward-looking thought leader Dr. Joseph Feiman espoused the need for new applications-centric mechanisms (specifically embedded runtime application self-protection [RASP] capabilities).

But, as artfully advanced by Gartner network security guru Greg Young during the session and ultimately conceded by Feiman himself, even the continued development and adoption of such emerging technologies will require a continued and significant reliance on firewalls.

In other thought leadership-type presentations, in particular longtime Gartner risk expert Neil MacDonald’s session on “Continuous Advanced Threat Protection”, the pressing need for more proactive and context-aware management of network security infrastructure was further hammered home.

MacDonald’s call for “Adaptive Security Architecture” emphasized the need for strategy to shift away from traditional “detection” and “response” methodologies to focus on more “predictive” and “preventative” tactics. These observations absolutely validate FireMon’s own adherence to network security management grounded squarely in real-time, proactive intelligence.

And if all those points weren’t enough to cement the tremendous need for continued maturation of firewalls and other security device infrastructure, one needed to look no further than network security analyst Adam Hils’ overview of inquiries filed by Gartner’s own clients over the first half of 2014.

The hard numbers bear out the reality that firewalls remain of huge import and concern to organizations of all sizes and industries in today’s environment – with a whopping 51 percent of all network security inquiries, over 1500 interactions in total, relating directly to questions regarding firewalls (and less than 10 percent of those focused on so-called next-generation firewalls at that!). The closest contender in terms of volume was calls related to IPS technologies, at only 22 percent.

So, there’s a good deal of evidence that any predictions that firewall solutions are either yesterday’s news or increasingly less strategic are… highly overstated; the Gartner numbers simply don’t lie.

We speak to all these Gartner analysts frequently and they understand precisely how valuable FireMon solutions can be in advancing your organization’s own network security interests. So why take our word for it – give them a call and find out for yourself.

Building The Fire 2014




FireMon celebrated an amazing 2013 as noted in our recent press release. The company also held its Global Sales Kickoff in mid-January, the theme of which was Building the Fire 2014. I thought I would share a couple of observations from the event with our blog readers.

First, the growth of FireMon was phenomenal to see! When I joined the company in August of 2011, I was the 21st employee at FireMon. Having the honor and privilege of being the emcee for the kickoff, I found myself looking out at 103 other FireMon employees on the first morning of kickoff. There was a palpable sense that the company was truly about to explode as our President & CTO Jody Brazil shared the explosive growth numbers that we experienced in 2013. This was reinforced throughout the kickoff as all divisions discussed the growth experienced both in sales, technology enhancements and in employees within each division.

Secondly, the future direction of FireMon was exciting to see. The product roadmap and vision for 2014 was laid out for the company, and the continued focus on real-time, proactive Security Intelligence reinforced FireMon’s market-leading focus on security management and risk analysis. A number of new and exciting technologies and enhancements will be rolling out throughout 2014 within the FireMon Security Platform, and we are excited to share these with you as they come out.

Finally, the amazing culture of fun and teamwork that FireMon has built over the years was on display throughout the event. The FireMon Band, G Fish & Special Sauce, made their debut performance on the first night of the kickoff. The diverse talents of employees from Sales, Development and Executive Management were on display, accompanied by sing-alongs and dancing from the entire company. A small sampling of the band is below:

The second night featured phenomenal food and fellowship while enjoying two Kansas City landmarks as the team dined on the world famous Fiorella’s Jack Stack BBQ at Boulevard Brewing Company.

FireMon is on a phenomenal growth curve. We entered 2014 with 56 open positions around the world. While we have filled a number of them, there are still openings available. If you would like to be a part of a fun, dynamic, winning culture on the cutting edge of Security Intelligence, we invite you to join us as we Build The Fire in 2014.