Configuration Confrontation – Network Security’s Biggest Challenge




As numerous breach incidents have emphasized, the inability of organizations to properly configure existing defenses remains arguably their most significant network security challenge.

With the Target breach standing as perhaps the best example – as attackers subsequently infiltrated the retailer’s point-of-sale data after gaining access to other areas of the network – the problem has been reinforced in a number of high-profile incidents.

R7.blog.logo

This week, noteworthy vulnerability researcher H.D. Moore, perhaps best known as founder of the Metasploit pen testing platform, brought even greater attention to this issue, releasing new findings regarding a previously unreported firewall configuration issue that could expose many organizations to potential compromise.

The research, which affects organizations using devices made by Palo Alto Networks, a leader in the space, further highlights the fact that it is the challenge practitioners face in properly configuring such defenses – not vulnerabilities in those products – that remains so pervasive and troublesome.

As first detailed by Moore in a blog post and reported in news outlets including the U.K.-based Register, the issue involves misconfigured user identities set up for Palo Alto Networks firewalls that “leak” information onto the Web, exposing underlying services.

With VPN and webmail services among those affected, the issue revolves around possible credential exposure when Palo Alto Networks customers have improperly configured User-ID to enable WMI probing on external/untrusted zones, resulting in the User-ID agent sending these probes to external/untrusted hosts.

To its credit, Palo Alto quickly posted an advisory and associated best practices guidelines to help organizations address the issue. Vulnerability management specialists Rapid7, which purchased Metasploit five years ago and remains Moore’s employer, also posted an advisory.

By no coincidence, Palo Alto and Rapid7 are among FireMon’s closest technology and business partners. This is because we work with these companies every day to help customers identify and remediate precisely the type of issues highlighted by Moore’s ingenious research.

Network and applications vulnerabilities remain a huge problem, as do cutting-edge attacks. However, as illustrated by the Target breach, countless other incidents and the details of Moore’s latest work, erroneous and unseen configuration issues within network security infrastructure remain just as significant of a problem. And even better, one that when identified can be rapidly addressed.

The revealed Palo Alto firewall “vulnerability” isn’t a flaw at all but rather an opportunity for risk created by the complexity of firewall configuration and the lack of visibility that many practitioners retain into their current alignment – an issue intensified within large enterprises.

These are the very network security management challenges that led to the initial invention and continued advancement of FireMon Security Manager. Working alongside partners including Palo Alto and Rapid7, among many others, we help our customers identify and mitigate such issues.

In response to Moore’s research, FireMon immediately created a new custom audit check within Security Manager that allows organizations to analyze their Palo Alto firewalls to identify and check that user identification lookups are not allowed on public facing zones.

To be honest, doing so was almost painfully simple, because this is exactly what FireMon was designed to do!

As FireMon has been publicizing for many years – the level of complexity and change affecting configuration of network firewalls remains perhaps the greatest challenge facing network security practitioners.

If you’re concerned that the newly reported Palo Alto issue, or any of the countless configuration challenges affecting every manner of network firewall, may affect your organization, take a closer look at FireMon.

We help customers gain visibility into and control over this very type of problem. It’s what we do. It’s why we’re here. Learn more about our solutions, today.

Black Hat 2014: RSA in the Desert?




I’ve been attending the Black Hat Security Conference in Las Vegas for almost a solid decade now, and if there’s one thing that’s for sure, it’s that the conference continues to evolve.

Given, when I first started attending Black Hat those many years ago, it was not as a marketing rep for a security software vendor, but as a reporter attempting to get my head around the emerging threat/exploit landscape.

black.hat.2014

However, even if my time is no longer spent attending sessions, and trying (with varying degrees of success) to understand what is being presented, a walk across this year’s show floor clearly evidences the continued shift towards a more business-centric audience.

This is nothing new, of course, as hardcore Black Hat attendees have been decrying the show’s evolution into more of an “RSA in the desert” for years. However, it’s clear that with each passing summer this change becomes ever more the reality.

When I was working for pen testing specialists Core Security in 2008, it was clear that ethical hackers, primarily researchers, still made up a huge swath of the Black Hat audience; this no longer would appear to be the case.

Certainly it has a lot to do with spending more time in the vendor exhibition space, but with each year I see more corporations and government agencies listed on attendees’ badges, and fewer humorous attempts to dodge identification (though we do have several “ninjas” and at least one “director of rainbows and unicorns” listed among our 2014 badge scans).

As I was discussing this phenomenon with longtime industry guru Alan Shimel (currently of the CISO Group and Security Bloggers Network) we were debating the potential upsides and downsides.

First off, neither of us would debate that there’s still a wealth of extremely valuable research on the Black Hat schedule, and I can’t even make the claim in recent years of attending many of these sessions.

Another key component to consider is that there are the sister DEF CON and parallel B-Sides Las Vegas shows, which cater directly and almost exclusively to ethical hackers and focusing almost solely on research, allowing Black Hat to grow more… corporate.

You also have the phenomenon of people who started out as Black Hat researchers who are now focused more on the business side of things, having built vital companies out of the expertise they used to share as conference presenters (the guys from White Hat Security are a fitting and high-profile example).

As noted above, one of the other significant changes in Black Hat attendance is the ever-increasing number of government attendees. In years past there may have been a lot of Red Team/Blue Team types – and likely still are – but today, there’s an overwhelming number of state and federal security officials in attendance – with their names and titles displayed openly on their badges (another notable shift).

My impression is that many of the people who first came to Black Hat – and now may spend more time at Def Con or B-Sides – may disparage the show’s change in interests, arguing that the event is now too focused on the business side.

However, for companies like FireMon this shift has obviously made the event even more valuable, providing us with another fantastic opportunity to connect with existing customers and new prospects to tell them more about what our solutions can do.

Is the change good? Is it bad? That’s for each individual to decide on their own, but as Alan and I eventually agreed, it’s really just a natural evolution as hacking and ethical research continue to mature and become an even bigger element of enterprise security.

No matter how you slice it, Black Hat continues to serve as an ideal venue for numerous elements of the security community to connect. No matter what changes come it’s always a pleasure to be there.

FireMon Security Manager 7.0 – Top 5 Additions




With any major product release there’s typically quite a bit to sound off about, but with the launch of FireMon Security Manager 7.0 platform and the introduction of its updated Policy Planner 3.0 module there’s so much to highlight that one could potentially go on for a long time.

So, in the interest of shedding some light on the most exciting and breakthrough additions in these new releases, let’s take a classic “Late Show”-style approach citing the “Top 5 New Capabilities of Security Manager 7.0”:

1. True Continuous Assessment: The Security Manager analysis engine and supporting features are the only solution that truly provide real-time visibility across all network security device infrastructure. With even greater levels of automation including an updated library of proven assessments, proactive “what-if” change modeling, historical trend analysis to chart improving performance and the scalability to analyze enterprise infrastructure in seconds, FireMon has once again upped the ante.

2. Expanded Assessment and Controls: Striking at the lifeblood of how customers benefit from Security Manager’s automated assessment approach, the 7.0 release introduces major advancement including trending, whitelisting and an out-of-the-box library with over 100 pre-built controls and Best Practices assessments. The results? Faster analysis, greater policy and process retention and even greater ease-of-use – all with a high degree of customization – based on FireMon’s years of experience working with customers.

3. Standardized Policy Workflow: Policy Planner 3.0 delivers full support for the BPMN 2.0 workflow standard, allowing even more consistent policy design, evolution and management, and allowing direct integration with existing BPM systems and processes. More fuel to the FireMon flame of providing enterprise ready, time saving and closed-loop methodology; look here to see who else supports BPMN 2.0.

4. Added MSSP capabilities: While other vendors merely pass off their solutions to MSSPs, FireMon continues to add purpose-build capabilities for our many managed service provider customers, including support for organizational domains and LDAP authorization. Instead of handing-off an existing solution and merely saying good luck, FireMon continues to make the investments that drive increased ROI for MSSPs of all kinds.

5. New Device Support: The more network security devices that Security Manager provides direct integration with, the more powerful the results. This time around additions include newly released products from leading providers including Cisco (ASA 9.1), Palo Alto Networks (Panorama) and Qualys (QualysGuard VM) as well as support for device infrastructure popular in APAC (AhnLabs, Hillstone, Huawei, SECUI) and other regions, making the FireMon platform the most truly comprehensive and globally relevant on the market.

So there you have it, and honestly that’s just a quick peek at all of the extraordinary goodness and highly differentiated capabilities delivered in the FireMon Security Manager 7.0 platform. There’s no other product available that spans the full gamut of assessment and reporting needs required by today’s enterprise organizations and large government agencies.

Am I biased? Sure, but I’ve also been around this market long enough to know who is stretching the truth and how FireMon can truly back all its claims.

If you’re unwilling to take my word for it, why not sign up for a demo of FireMon Security Manager 7.0 today and you see how well it works for yourself.

FireMon Security Manager 7.0 – Top 5 Additions




With any major product release there’s typically quite a bit to sound off about, but with the launch of FireMon Security Manager 7.0 platform and the introduction of its updated Policy Planner 3.0 module there’s so much to highlight that one could potentially go on for a long time.

So, in the interest of shedding some light on the most exciting and breakthrough additions in these new releases, let’s take a classic “Late Show”-style approach citing the “Top 5 New Capabilities of Security Manager 7.0”:

1. True Continuous Assessment: The Security Manager analysis engine and supporting features are the only solution that truly provide real-time visibility across all network security device infrastructure. With even greater levels of automation including an updated library of proven assessments, proactive “what-if” change modeling, historical trend analysis to chart improving performance and the scalability to analyze enterprise infrastructure in seconds, FireMon has once again upped the ante.

2. Expanded Assessment and Controls: Striking at the lifeblood of how customers benefit from Security Manager’s automated assessment approach, the 7.0 release introduces major advancement including trending, whitelisting and an out-of-the-box library with over 100 pre-built controls and Best Practices assessments. The results? Faster analysis, greater policy and process retention and even greater ease-of-use – all with a high degree of customization – based on FireMon’s years of experience working with customers.

3. Standardized Policy Workflow: Policy Planner 3.0 delivers full support for the BPMN 2.0 workflow standard, allowing even more consistent policy design, evolution and management, and allowing direct integration with existing BPM systems and processes. More fuel to the FireMon flame of providing enterprise ready, time saving and closed-loop methodology; look here to see who else supports BPMN 2.0.

4. Added MSSP capabilities: While other vendors merely pass off their solutions to MSSPs, FireMon continues to add purpose-build capabilities for our many managed service provider customers, including support for organizational domains and LDAP authorization. Instead of handing-off an existing solution and merely saying good luck, FireMon continues to make the investments that drive increased ROI for MSSPs of all kinds.

5. New Device Support: The more network security devices that Security Manager provides direct integration with, the more powerful the results. This time around additions include newly released products from leading providers including Cisco (ASA 9.1), Palo Alto Networks (Panorama) and Qualys (QualysGuard VM) as well as support for device infrastructure popular in APAC (AhnLabs, Hillstone, Huawei, SECUI) and other regions, making the FireMon platform the most truly comprehensive and globally relevant on the market.

So there you have it, and honestly that’s just a quick peek at all of the extraordinary goodness and highly differentiated capabilities delivered in the FireMon Security Manager 7.0 platform. There’s no other product available that spans the full gamut of assessment and reporting needs required by today’s enterprise organizations and large government agencies.

Am I biased? Sure, but I’ve also been around this market long enough to know who is stretching the truth and how FireMon can truly back all its claims.

If you’re unwilling to take my word for it, why not sign up for a demo of FireMon Security Manager 7.0 today and you see how well it works for yourself.

Real-World Breach Shows Prioritizing Vulnerabilities Matters




Over at Krebs on Security, a rare but fascinating look into the monetary and brand reputation effects a real-world breach can have on a corporation were outlined last week in the fascinating post “FDIC: 2011 FIS Breach Worse Than Reported“. The post provides an in-depth review of the impact of the 2011 breach at FIS in which FIS originally stated ““7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities” in their original filing with the SEC. The article provided two very interesting insights. First, there are truly real-word financial and brand consequences in failing to effectively implement network security controls. Kreb’s article provides an in-depth look at the results of the FDIC audits performed at FIS in 2011 and 2012 as a result of the original breach incident. What was interesting to learn is that as FIS is a service provider to banks and not actually a bank, the FDIC is unable to levy fines against it or shut it down directly. However, in May of this year, the FDIC sent the results of its audits to all of FIS’s customers, as the post highlights with a letter attached that began “We are sending you this report for your evaluation and consideration in managing your vendor relationship with FIS.” The FDIC made this decision despite the fact that FIS has spent over $100 million dollars in trying to shore up their network security controls. This will obviously have some negative brand and revenue impact for FIS as the result of the FDIC actions.

The second interesting point within the post was the details around the environment FIS was attempting to secure, and the amount of vulnerabilities they were dealing with. Portions of the FDIC report that were noted in the post showed that FIS was dealing with “approximately 30,000 servers and operating systems, another 30,000 network devices, over 40,000 workstations, 50,000 network circuits, and 28 mainframes running 80 LPARs”. The post also highlights that “The Executive Summary Scan reports from November 2012 show 18,747 network vulnerabilities and over 291 application vulnerabilities as past due”. While 18,747 vulnerabilities identified in a scan might seem like a lot, it is not uncommon in a network of this size and scope. Many FireMon customers have seen scan results with an even greater amount of identified vulnerabilities. The challenge when faced with this amount of vulnerabilities is knowing which ones truly matter. Out of 18,000+ vulnerabilities, how would you know which ones to remediate first? Attempting to manually sort through the vulnerabilities or simply patching the highest value assets doesn’t actually solve the problem. An automated, intelligent and continuous real-time assessment of the vulnerabilities that shows what assets are truly reachable over the network by an attacker, and which remediation efforts will reduce the greatest amount risk (and access)  is the only way to proactively solve this problem.

Former Federal IT Execs: A Risk Based Approach to Security Needed




A Federal Times article recently noted that three former Federal IT Executives, including two high ranking IT security officials from the Office of Management and Budget (OMB), felt that government IT security was too focused on compliance and “oftentimes do not reflect their agencies’ most critical security needs”. In a new report entitled “Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity”, the authors note that government agencies “continue to spend scarce resources on measures that do little to address the most significant cyber threats.”

The report outlines the authors proposal for a new approach to security, the Organization Cyber Risk Management Framework. This is a risk-centric security management posture that focuses on establishing a security baseline for agencies that allows them to correctly asses their risk posture based on empirical data. The authors note that in order to move to this framework, agencies must first implement automated continuous monitoring programs, which they identify as “continuous diagnostics and mitigation, configuration management, threat assessment, and remediation practices.” We at FireMon could not be more excited to see the report identify the importance of configuration management, and we have highlighted the importance of configuration management as it relates to risk on this blog previously. When discussing a risk-based approach, security practitioners tend to gravitate to threat management. Threat management is sexy; it includes attacks and attackers, and makes security practitioners feel more like MacGyver vs. Dilbert. Configuration Management on the surface seems less sexy. Getting notification that someone added a new ACL to a router doesn’t invoke images of thwarting a hackers attack. Consider the all to common scenario though where the router admin fat-fingered said ACL, and accidentally enabled access to an internal network that should not have access from the outside world. Without real-time configuration change alerting that can identify a violation of agency or corporate security policy, an attacker might end up being the one that ultimately alerts the organization to the misconfiguration.

The report is very comprehensive, and provides a very through framework for how to implement a risk based security practice. While it is clearly focused on Federal Government agency environments, it provides some good insights for corporate security practitioners as well. The report concludes that “To fix the problems of today and those of the years ahead, government should implement a more consistent method of evaluating cybersecurity threats — one which is measurable, transparent, and outcome-oriented.” It is refreshing to not only see a recommendation on moving to a risk-based security posture, but one that includes the importance of device configuration management and its importance in truly knowing your risk posture.

Enhanced by Zemanta