Archive for the ‘FireMon News’ Category
Real-World Breach Shows Prioritizing Vulnerabilities Matters
Over at Krebs on Security, last week’s post “FDIC: 2011 FIS Breach Worse Than Reported” gave a rare and fascinating look at the monetary and brand-reputation effects a real-world breach can have on a corporation. The post provides an in-depth review of the impact of the 2011 breach at FIS, in which FIS originally stated in its filing with the SEC that “7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities”. The article offers two very interesting insights. First, there are truly real-world financial and brand consequences to failing to effectively implement network security controls. Krebs’s article provides an in-depth look at the results of the FDIC audits performed at FIS in 2011 and 2012 as a result of the original breach incident. What was interesting to learn is that because FIS is a service provider to banks and not itself a bank, the FDIC is unable to levy fines against it or shut it down directly. However, in May of this year the FDIC sent the results of its audits to all of FIS’s customers, with a cover letter that, as the post highlights, began “We are sending you this report for your evaluation and consideration in managing your vendor relationship with FIS.” The FDIC made this decision despite the fact that FIS has spent over $100 million trying to shore up its network security controls. The FDIC’s action will obviously have some negative brand and revenue impact for FIS.
The second interesting point within the post was the detail around the environment FIS was attempting to secure and the number of vulnerabilities it was dealing with. Portions of the FDIC report noted in the post showed that FIS was dealing with “approximately 30,000 servers and operating systems, another 30,000 network devices, over 40,000 workstations, 50,000 network circuits, and 28 mainframes running 80 LPARs”. The post also highlights that “The Executive Summary Scan reports from November 2012 show 18,747 network vulnerabilities and over 291 application vulnerabilities as past due”. While 18,747 vulnerabilities identified in a scan might seem like a lot, it is not uncommon in a network of this size and scope. Many FireMon customers have seen scan results with an even greater number of identified vulnerabilities. The challenge when faced with this many vulnerabilities is knowing which ones truly matter. Out of 18,000+ vulnerabilities, how would you know which ones to remediate first? Attempting to sort through the vulnerabilities manually, or simply patching the highest-value assets, doesn’t actually solve the problem: a critical finding on a host that no attacker can reach is less urgent than a moderate one on a host exposed to the internet. An automated, intelligent and continuous real-time assessment of the vulnerabilities, one that shows which assets are truly reachable over the network by an attacker and which remediation efforts will reduce the greatest amount of risk (and access), is the only way to proactively solve this problem.
Chinese Hack of US Weapons Designs Emphasizes Need for Proactive Risk Posture
Citing a report prepared for the Defense Department by the Defense Science Board, the Washington Post published an article today highlighting attacks by Chinese cyber-spies that compromised U.S. weapons system designs. The Post noted that the attacks exposed “programs critical to U.S. missile defenses and combat aircraft and ships.” The article specifically noted that “the advanced Patriot missile system, known as PAC-3; an Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD; and the Navy’s Aegis ballistic-missile defense system” were compromised, as well as “vital combat aircraft and ships, including the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship”.
The Post’s article does not specifically cover how the designs were stolen, what methods were used to attack the networks, or whether the attacks were aimed at U.S. Government networks or at defense contractors, although anonymous U.S. officials cited in the article “said senior U.S. defense and diplomatic officials presented the Chinese with case studies detailing the evidence of major intrusions into U.S. companies, including defense contractors.” The article also noted that a recent National Intelligence Estimate found “that China was by far the most active country in stealing intellectual property from U.S. companies”. This comes on top of Mandiant’s Intelligence Center report earlier this year detailing the activities of APT1, a China-based cyber-espionage group believed to be a unit of the People’s Liberation Army (PLA).
While the term cyber-warfare has been hyped quite extensively, and sometimes disingenuously, within the information security community, these reports highlight that there are threat actors today actively engaged in target-specific attacks to extract information from networks. Without full details of how the attacks were executed, one can only speculate that the attackers discovered exploitable vulnerabilities within the network, used them to gain access, and ultimately extracted this data. It is yet further evidence that a reactive information security stance will not protect an organization from a dedicated attacker. To truly secure our networks, we as security practitioners must proactively identify the vulnerable systems on our network that could lead to a breach before the attackers do, and prioritize our remediation efforts around the systems that pose the greatest risk of attack. Furthermore, to ensure ongoing security, security practitioners must be able to know in advance whether a proposed network or security change will introduce new exposure or open systems to further risk of breach, and remediate those exposures before the change is committed. We have discussed this topic many times here on the FireMon blog, and pointed out that the technology to enable a risk-based security posture is already available. While many Federal officials have called for expedited adoption of a proactive risk policy, articles like the one today in the Washington Post show that those calls are not being heeded fast enough.
FireMon 6.1: Improving Operational and Risk Visibility for Enterprise Networks
FireMon announced the release of Security Manager version 6.1 yesterday. We are extremely excited about the new features and functionality that are part of this release, which further extend FireMon’s unparalleled ability to strengthen both operational effectiveness and security posture. One feature we are particularly keen on is the new Access Path Analysis (APA). Leveraging the patent-pending FireMon behavior analysis framework, IT personnel can both proactively predict and forensically record the flow of packets through network configurations and obtain a detailed path analysis, including the routes, interfaces, firewall rules and NAT rules a packet encounters while traversing the network. Access Path Analysis uses the behavior of normal traffic as it traverses the network to understand what vectors and/or behaviors could allow malicious traffic to reach critical assets. This allows more effective risk analysis and better-informed remediation.
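To make the path-analysis idea concrete, here is a small model of the kind of trace described above. It is added here as an example and is not FireMon code; the three devices, the addresses and the rules are constructed for illustration. A packet is walked from an entry device through each device’s ingress ACL (first match wins, implicit deny), its static destination NAT table and a longest-prefix route lookup, and every rule it meets is recorded. The third probe is the one that matters for risk: the internet cannot reach the database port directly, but the DMZ web server can, so a compromise of the web server is a path to the database.

```python
"""Access-path trace through routes, ACLs and NAT.

Added example, not FireMon code. Each device has an ingress ACL (first
match wins, implicit deny at the end), an optional static destination
NAT table and a routing table resolved by longest-prefix match. trace()
walks one packet hop by hop and records every rule it meets. The
topology, addresses and rules are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.dport in (None, pkt["dport"]))


@dataclass
class Device:
    name: str
    routes: list                              # (cidr, next-hop device, egress iface); next-hop None = connected
    acl: list = field(default_factory=list)   # ingress rules; implicit deny after the last one
    nat: dict = field(default_factory=dict)   # static DNAT: public ip -> internal ip

    def route(self, dst: str):
        """Longest-prefix match; returns (next_hop, iface) or None."""
        best = None
        for cidr, nh, iface in self.routes:
            net = ip_network(cidr)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        return None if best is None else (best[1], best[2])


def trace(net: dict, entry: str, pkt: dict, max_hops: int = 16) -> dict:
    """Walk pkt starting at device `entry`. Returns the verdict, the packet as
    it would arrive (post-NAT) and the list of (device, stage, detail) hops."""
    pkt, path, dev = dict(pkt), [], entry
    for _ in range(max_hops):
        d = net[dev]
        hit = next((r for r in d.acl if r.matches(pkt)), None)
        if hit is None or hit.action == "deny":
            path.append((dev, "acl", "implicit deny" if hit is None else f"deny {hit.src} -> {hit.dst}"))
            return {"verdict": "denied", "path": path, "pkt": pkt}
        path.append((dev, "acl", f"permit {hit.src} -> {hit.dst}:{hit.dport or 'any'}"))
        if pkt["dst"] in d.nat:
            path.append((dev, "nat", f"{pkt['dst']} -> {d.nat[pkt['dst']]}"))
            pkt["dst"] = d.nat[pkt["dst"]]
        hop = d.route(pkt["dst"])
        if hop is None:
            path.append((dev, "route", "no route"))
            return {"verdict": "no-route", "path": path, "pkt": pkt}
        nh, iface = hop
        path.append((dev, "route", f"out {iface} to {nh or 'connected subnet'}"))
        if nh is None:
            return {"verdict": "delivered", "path": path, "pkt": pkt}
        dev = nh
    return {"verdict": "loop", "path": path, "pkt": pkt}


ANY = "0.0.0.0/0"
NETWORK = {  # constructed topology: internet edge router, DMZ firewall, core firewall
    "edge": Device("edge",
                   routes=[(ANY, None, "outside"), ("10.0.0.0/8", "dmz-fw", "inside")],
                   acl=[Rule("permit", ANY, ANY)],
                   nat={"203.0.113.10": "10.1.1.10"}),      # public web VIP -> DMZ web server
    "dmz-fw": Device("dmz-fw",
                     routes=[("10.1.1.0/24", None, "dmz"), ("10.2.0.0/16", "core-fw", "inside"), (ANY, "edge", "outside")],
                     acl=[Rule("permit", ANY, "10.1.1.0/24", 443),
                          Rule("permit", "10.1.1.0/24", "10.2.0.0/16", 3306)]),
    "core-fw": Device("core-fw",
                      routes=[("10.2.0.0/16", None, "db"), (ANY, "dmz-fw", "outside")],
                      acl=[Rule("permit", "10.1.1.0/24", "10.2.0.0/16", 3306)]),
}

if __name__ == "__main__":
    probes = [("edge", {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443}),  # internet -> web VIP
              ("edge", {"src": "198.51.100.7", "dst": "10.2.0.5", "dport": 3306}),     # internet -> database
              ("dmz-fw", {"src": "10.1.1.10", "dst": "10.2.0.5", "dport": 3306})]      # web server -> database
    for entry, p in probes:
        r = trace(NETWORK, entry, p)
        print(f"{p['src']} -> {p['dst']}:{p['dport']} = {r['verdict']}")
        for hop in r["path"]:
            print("   ", *hop)
```

Run as a script it prints the verdict and the per-hop record for each probe. The first probe is delivered with its destination rewritten to 10.1.1.10 by the edge NAT, the second dies at the DMZ firewall’s implicit deny, and the third is delivered through both firewalls, which is exactly the pivot a scanner-only view would not show.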
The 6.1 release includes additional features, including FireMon Insight, Device Packs and a new FireMon Query Language (FMQL) API. FireMon Insight is a real-time dashboard of all of your security configurations. Insight consumes the configurations of all major firewall vendors and presents the data across all of them in a single, customizable dashboard. There is a critical need to transform configuration data into a usable form that can be quickly digested and acted upon. Insight lets security practitioners quickly get the results of their queries even across hundreds of thousands of rules and millions of objects in multi-vendor environments, and turn those queries into meaningful, automatically generated security metrics in a matter of seconds. Device Packs enable FireMon to add support for new devices more quickly, without requiring an upgrade to Security Manager. The FMQL API enables large organizations with a development staff, or managed service providers, to pull FireMon data and analysis into other systems. You can learn about all of these new features here, and read what Dark Reading wrote about the release as well.
Detecting Real Security Risk
Every organization, regardless of size, has limited resources when trying to address the security of its network. Whether you work in a large Fortune 500 environment or a small business, the limits on the resources allocated to security require you to make some tough decisions about what you will or won’t do when it comes to securing the organization. Here at FireMon, we believe there is really only one question that matters when prioritizing what to do when it comes to securing your network: which assets are truly at risk?
As Securosis pointed out in their excellent Vulnerability Management Evolution white paper earlier this year, organizations “need the ability to analyze threat-related data, combine it with an understanding of what is vulnerable, and provide visibility to what is meaningfully at risk.” When trying to address the risk to their environment, most organizations have relied on the vulnerability scanner. Vulnerability scanners are extremely effective at their job, and are the core component of identifying vulnerabilities within your network. Simply running a vulnerability scanner by itself, though, and then deciding which of the hundreds, thousands or tens of thousands of vulnerabilities should be patched is not enough. Without knowledge of the network topology and the mitigating security controls that are in place, vulnerability scan results are just another list of things to get to at some point when you are trying to prioritize your network security activities.
Fortunately, we have done a lot of work developing a tool that understands which assets are truly vulnerable on your network. FireMon Security Manager with the patented Risk Analyzer add-on lets you see exactly which assets are meaningfully at risk. Our partnership with Rapid7 and the integration of Metasploit with Risk Analyzer takes this understanding to an even deeper level, allowing you to prioritize not only which assets are vulnerable, but which assets an attacker can actually execute exploit code against. You can learn more about this enhanced integration in a joint on-demand webinar we did recently with Rapid7 here. FireMon will also be highlighting the importance of operationalizing risk on day 2 of the 2012 United Security Summit. We hope to see you there.
Black Hat USA 2012: Liveblog
FireMon is at Black Hat USA 2012 and BSides in Las Vegas this week. Black Hat has grown every year since its inception 15 years ago, and this year promises to be the largest conference yet. Today’s keynote from Shawn Henry focused on changing the security paradigm and taking back your network. He noted that intelligence is the key to winning the battle against attackers: the more intelligence you have about your organization and the threats facing it, and the better you know what your attackers are focused on, the better prepared you will be to defend your network.
FireMon’s Security Manager 6.0 with the Risk Analyzer add-on is a key tool in arming yourself with that intelligence. Security Manager with Risk Analyzer will map your entire network, highlight which assets are at risk, and show how an attacker could pivot from them to exploit multiple layers within your environment. Security Manager 6.0 also provides a prioritized list of remediation actions that will reduce the greatest amount of risk with the least amount of effort. Security Manager 6.0 automates the analysis of your infrastructure and provides real-time updates to your risk posture when changes occur to your infrastructure. FireMon gives you the intelligence you need to understand your network and know exactly what your attackers will focus on. To see the world’s first Security Posture Management solution in action, please visit us at booth 517 at Black Hat.
Move from managing vulnerabilities to managing Risk
At the RSA Conference yesterday, our President Jody Brazil moderated a fascinating panel discussion on the state of the firewall and whether it would remain a relevant tool with the increase in virtualization and cloud adoption. The panel featured Chris Hoff, Chief Security Architect at Juniper Networks, Manny Rivelo, EVP of Security at F5, and Vik Phatak, CTO of NSS Labs. Over 600 people attended this lively session. All of the panelists agreed that firewalls will remain a relevant security tool, but that cloud and virtualization will provide an opportunity to develop new ways to deploy the firewall. The panelists all agreed that the firewall will evolve into a service delivered within the cloud or virtualized environment, and that its management will ultimately move from CLIs and GUIs to APIs.
The discussion also touched on security in general within these new network paradigms, and the panelists were asked to identify one or two key points the attendees should consider when they returned to their own networks after RSA. Chris Hoff stated that, as security practitioners, we need to move from managing vulnerabilities and reacting to incidents to managing risk. Operationalizing risk is the key to effectively reducing and remediating risk within your environment. At FireMon, we couldn’t agree more. Our Risk Analyzer product enables you to manage risk on your network in real time, and to proactively eliminate exploitable vulnerabilities before an attacker can take advantage of them. This tool will allow you to improve your risk posture over time and demonstrate the effectiveness of the security controls you have deployed within your environment. As we noted previously, Risk’s time is now.
FireMon announces Risk Analyzer for Junos Space
Today at the Juniper Networks Global Partner Conference, FireMon was honored to be invited to participate in the keynote address. FireMon’s President & CTO, Jody Brazil, joined Juniper’s CEO Kevin Johnson to demonstrate FireMon Risk Analyzer running on Junos Space. We at FireMon are thrilled to be partnering so closely with Juniper. The Space platform represents a significant development in terms of network programmability and extensibility. FireMon Risk Analyzer leverages the rich real-time configuration data provided by Junos Space to maintain the most accurate and up-to-date network topology within Risk Analyzer. FireMon also announced that while the current release of Risk Analyzer supports hooks into Junos Space, the release of Junos Space 12.1 will see Risk Analyzer running natively within Junos Space. FireMon and Juniper will continue to work closely together to create the most accurate, real-time risk analysis and remediation tool for Juniper environments, with many more exciting developments to come throughout the year.
Risk is the key
As those of you who have followed this blog over the past couple of months know, we have been slowly revealing bits and pieces about our new Risk Analyzer product here at FireMon. Over the next week and in the coming months, you will see and hear a huge push around risk from all areas of FireMon. The official release of Risk Analyzer is imminent, as our CEO noted in his Twitter feed this morning. We have also highlighted our partnership with Juniper Networks around Risk Analyzer and Junos Space. You can get even more insight into what we are doing together on Juniper’s YouTube channel.
Why are we suddenly so focused on risk, and why is it something you should care about? At the end of the day, all of the security controls organizations have put in place (firewalls, IDS/IPS, proxies, ACLs, desktop firewalls, and so on) are there to help reduce and eliminate the risk to your IT infrastructure. Risk is what we are trying to control and limit. However, as we have previously highlighted, analyzing risk in today’s networks is a huge challenge. We tend to rely on a single tool to determine risk, and in the complex network environments we live in today these tools can present thousands of items that an organization needs to address. Attempting to manually review that list and prioritize the remediation results in organizations spending too little or too much time attempting to reduce their risk. Furthermore, those tools lack full contextual awareness of your entire network topology and how data flows through the environment, which is key to accurately identifying the areas of your infrastructure that are most at risk.
Risk Analyzer provides the full network topology awareness that is so critical to accurate risk analysis. It automatically shows you which actions will reduce the greatest amount of risk with the least amount of effort, ensuring your valuable resources spend exactly the time needed to effectively reduce risk to your infrastructure. Its patented analysis engine, proven over the past four years in the largest DoD and Intelligence networks, produces results in seconds as opposed to the hours or even days that other solutions require. It graphically shows you where you are at risk from any part of your infrastructure. Risk Analyzer will help you automate the reduction of risk to your IT infrastructure.
This is why we are excited about Risk Analyzer and so focused on Risk. Risk, after all, is the key.
He Who Finds the Entry Point First Wins
The amount of news generated around attacks in 2011 has been overwhelming. In just the last week, the reporting around SCADA-based attacks has reached almost histrionic levels. Attacks on NASA, AT&T and VCU have all been highlighted this month as well. Despite the fact that companies will spend over $8 billion on network security this year, hackers continue to breach networks successfully with alarming regularity.
In an article on APTs posted on Dark Reading yesterday, Sean Brady from RSA had an interesting quote. He said “Identifying the entry point — where an attacker got into a company’s network — is a key aspect of identifying and responding to an advanced attack”. At FireMon, we couldn’t agree more. However, we would also ask: why wait until you’ve been attacked to discover the entry point? Why not proactively find the entry point yourself? As the attack coverage we’ve seen in the press this year clearly indicates, attackers are actively looking for the entry point into your network even as you read this post.
FireMon’s new Risk Analyzer technology is designed to proactively find the entry points into your network that can be exploited. Risk Analyzer will also identify where an attacker can pivot from that access point and what other resources within your network can be compromised. Risk Analyzer will also prioritize which vulnerability patches will reduce the greatest amount of risk with the least amount of effort, helping to focus your organization’s remediation efforts. Don’t be the last to discover the entry points that are exposed in your network; he who finds the entry point first wins.
Preventative Security Controls Will Fail: What to Do?
I read a quick blog post this morning from Rick Holland at Forrester. In fact, part of my title is borrowed from a line in his post. As security professionals, I think it is important to recognize that despite our best efforts, many of the network security controls that have been deployed have still failed to prevent breaches and attacks from occurring. Holland, along with John Kindervag, has published a new report called “Planning for Failure”. They note that this year’s headlines have not been encouraging for the security world, as evidenced yet again yesterday by the Steam website hack and the takedown of Estonian hackers in Operation Ghost Click.
The deluge of news around breaches and incidents that have occurred this year should not cause us to throw up our arms and head for the exits. It should ultimately galvanize those of us in the security world to be more proactive about assessing the risk posture of our organizations, identifying the areas of weakness we have, and fixing them before an incident occurs. As Holland notes in his post, “An ounce of preparation is worth a pound of remediation”. The full Planning for Failure report also stresses the importance of testing. We at FireMon could not agree more. Our new Risk Analyzer technology enables organizations to test their entire network topology, factoring in the network security controls that are in place, and identify exactly where attackers could breach the network. Risk Analyzer will even highlight systems that are susceptible to client-side vulnerabilities, through which attackers could gain access despite effective network security controls, and identifies where the attackers could penetrate further into the network by pivoting off those assets. Risk Analyzer’s patented analysis engine provides real-time analysis and graphically shows you where in your topology you are vulnerable. Risk Analyzer also helps you focus on the remediation steps that will reduce the greatest amount of risk with the least amount of effort: it provides a prioritized list of remediation actions and lets a user virtually apply a patch, graphically showing the impact that remediation has on the network’s risk posture.
We are excited to release Risk Analyzer this month, and believe it is a key part of the proactive testing process that all security organizations should implement as part of their overall incident management plan. Risk Analyzer will allow you to substantially improve your risk posture, prioritize your remediation efforts, and measure the effectiveness of the security controls you have put in place.
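The prioritization argued for throughout these posts (the 18,747 past-due findings in the FIS post, the scan results that are “just another list” without topology in Detecting Real Security Risk, the pivot analysis in He Who Finds the Entry Point First Wins, and the virtual patching described above) reduces to a small attack simulation. What follows is an added example, not FireMon’s engine: a zone-level model in which traffic inside a zone is unfiltered and traffic between zones needs a permit, the attacker starts on the internet, pivots from every zone gained, and a finding’s priority is the asset value it exposes rather than its CVSS score. The hosts, permits and findings V1 to V7 are constructed, as are the asset values.

```python
"""Reachability-aware vulnerability prioritisation with pivoting and
virtual patching.

Added example, not FireMon's engine. Hosts live in zones; traffic
inside a zone is unfiltered (model assumption) and traffic between
zones needs a firewall permit. The attacker starts on the internet,
exploits whatever is reachable, pivots from each zone gained, and the
risk a finding carries is the asset value it exposes, not its CVSS.
All hosts, permits and findings (V1..V7) are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

INTERNET = "internet"


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    value: int                  # relative business value of the asset


@dataclass(frozen=True)
class Vuln:
    vid: str
    host: str
    port: Optional[int]         # None = client-side bug, exploited over the victim's outbound connection
    cvss: float


@dataclass(frozen=True)
class Permit:
    src_zone: str
    dst_zone: str
    port: Optional[int]         # None = any port


def reachable(policy: List[Permit], src_zones: Set[str], dst_zone: str, port: Optional[int]) -> bool:
    """True if dst_zone:port is open from any zone in src_zones."""
    if dst_zone in src_zones:   # no filtering inside a zone
        return True
    return any(p.src_zone in src_zones and p.dst_zone == dst_zone
               and (port is None or p.port is None or p.port == port) for p in policy)


def simulate(hosts: List[Host], vulns: List[Vuln], policy: List[Permit]) -> Dict[str, Tuple[int, str]]:
    """Attack simulation to a fixpoint. Each round exploits every finding reachable
    from the zones held so far, then pivots from the zones of the hosts gained.
    Returns {host: (round compromised, finding used)}."""
    by_name = {h.name: h for h in hosts}
    held: Set[str] = {INTERNET}
    owned: Dict[str, Tuple[int, str]] = {}
    rnd = 1
    while True:
        gained: Dict[str, Tuple[int, str]] = {}
        for v in sorted(vulns, key=lambda v: v.vid):
            h = by_name[v.host]
            if h.name in owned or h.name in gained:
                continue
            if v.port is None:      # victim must be able to connect out to attacker-held territory
                hit = any(reachable(policy, {h.zone}, z, None) for z in held)
            else:
                hit = reachable(policy, held, h.zone, v.port)
            if hit:
                gained[h.name] = (rnd, v.vid)
        if not gained:
            return owned
        owned.update(gained)
        held |= {by_name[n].zone for n in gained}
        rnd += 1


def risk(hosts: List[Host], owned: Dict[str, Tuple[int, str]]) -> int:
    return sum(h.value for h in hosts if h.name in owned)


def rank_patches(hosts: List[Host], vulns: List[Vuln], policy: List[Permit]) -> List[Tuple[str, int, float]]:
    """Virtually patch each finding on its own and measure the risk it removes.
    Returns (finding, risk reduction, cvss) sorted by reduction, then cvss."""
    base = risk(hosts, simulate(hosts, vulns, policy))
    out = [(v.vid, base - risk(hosts, simulate(hosts, [w for w in vulns if w is not v], policy)), v.cvss)
           for v in vulns]
    return sorted(out, key=lambda t: (-t[1], -t[2], t[0]))


def remediation_plan(hosts: List[Host], vulns: List[Vuln], policy: List[Permit]) -> List[Tuple[str, int]]:
    """Greedy plan: apply the patch with the largest marginal reduction, re-run,
    repeat until no single patch lowers risk further."""
    plan, remaining = [], list(vulns)
    while True:
        ranked = rank_patches(hosts, remaining, policy)
        if not ranked or ranked[0][1] == 0:
            return plan
        vid, gain, _ = ranked[0]
        plan.append((vid, gain))
        remaining = [v for v in remaining if v.vid != vid]


HOSTS = [Host("web", "dmz", 3), Host("mail", "dmz", 2), Host("app", "inside", 5),
         Host("db", "inside", 10), Host("hr-ws", "users", 2)]
POLICY = [Permit(INTERNET, "dmz", 443), Permit(INTERNET, "dmz", 25),
          Permit("dmz", "inside", 8080), Permit("users", "inside", 8080),
          Permit("users", INTERNET, 443)]          # user egress for web browsing
VULNS = [Vuln("V1", "web", 443, 9.8), Vuln("V2", "mail", 25, 7.5), Vuln("V3", "app", 8080, 8.1),
         Vuln("V4", "db", 5432, 9.0), Vuln("V5", "db", 22, 7.0), Vuln("V6", "hr-ws", None, 8.8),
         Vuln("V7", "mail", 3389, 9.9)]            # highest CVSS on the list, but nothing opens 3389

if __name__ == "__main__":
    for host, (rnd, vid) in sorted(simulate(HOSTS, VULNS, POLICY).items(), key=lambda kv: kv[1]):
        print(f"round {rnd}: {host} via {vid}")
    print("scanner order (CVSS):", [v.vid for v in sorted(VULNS, key=lambda v: -v.cvss)])
    print("risk-reduction order: ", rank_patches(HOSTS, VULNS, POLICY))
    print("greedy plan:          ", remediation_plan(HOSTS, VULNS, POLICY))
```

In this constructed network every host falls: web, mail and the HR workstation (via its client-side bug and the egress rule) in round one, the app server in round two by pivoting from the DMZ, and the database in round three from inside. A scanner sorted by CVSS would put V7 first, yet patching it removes no risk because no rule ever opens port 3389; the 8.1 finding on the app server is the one that shields the database. The greedy plan also shows why single-patch scores have to be recomputed after each step: V2 on the mail server looks worthless on its own, because V7 backs it up once the DMZ is held through the web server, and only becomes worth patching after V1 is closed.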