Industry News – Advancing Network Threat Intelligence




When FireMon re-positioned itself around the concept of Proactive Security Intelligence at the beginning of 2014, the effort was undertaken with the notion of highlighting the critical role that data produced by our solutions plays in managing enterprise security and IT risk.

Sure, if you want to start at the most foundational element of the processes we support, as many of our customers do, it can be stated as simply as firewall management – getting a clear understanding of what network security device infrastructure is doing, then improving the performance and efficiency of those defenses, continuously.


However, the truth is, “firewall management” is far too narrow a manner of communicating the overall value of what the FireMon Security Manager Platform and its supporting modules offer in terms of strategic information, thus the new messaging.

With all the intelligence that we produce regarding policy workflow, compliance validation and risk management, along with enablement of related process automation, we felt it was far more appropriate, if not completely defensible, to adopt this broader PSI mantra.

Intelligence, of course, has evolved into a very broad and encompassing industry buzzword, popular among security vendors of all breeds who feel that they provide some form of critical data to inform strategic decision making – which admittedly could be almost any company on the landscape today.

Of all the various uses of intelligence, clearly, the most widely recognized arena (perhaps beyond long-standing ties to the SIEM market) these days is that of “threat intelligence”, or the real-time aggregation and distribution of information regarding emerging attacks to help both products and practitioners respond more adeptly as threat-scape conditions evolve.

So, it’s with keen interest that we at FireMon saw the news this week that industry heavyweights Fortinet, McAfee and Palo Alto Networks, all of whom are close partners of ours, announced a new high-profile effort (along with endpoint experts Symantec) to drive threat intelligence even deeper into the domain of network protection.

Some may roll their eyeballs at the introduction of yet another pan-industry coalition, but this is a pretty influential group in our world, and as such the launch of the involved “Cyber Threat Alliance” is certainly intriguing.

The reason is simple. Of all the uses that a product maker or practitioner could find for the latest and most comprehensive information regarding emerging threats, using that intelligence to assure that network defenses are in place and assets are effectively segmented is certainly one of them – a case echoed in the accompanying research white paper launched by the new coalition.

As highlighted by McAfee EMEA and Canada President Gert-Jan Schenk in the related announcement, the unprecedented rate and severity of recent breach incidents have come at the hand of “complex and multidimensional attacks” that dictate attention far beyond installation of more effective anti-malware systems at the network gateway or on endpoint devices.

Given that we’ve long stumped for the need to use current, in-depth visibility into the real-world alignment of network defenses, in relation to underlying assets and known vulnerabilities, to address risk exposure and mitigate available attack paths, this effort on the part of our partners, industry leaders all, is definitely something FireMon would support, heartily.

As our self-appointed corner of the market – Network Security Intelligence – continues to evolve and we move to help organizations better align their defenses to account for emerging attacks it will be fascinating to see how threat intelligence continues to shape methodologies.

We’ll continue striving to be at the forefront, working with these types of thought leaders to enable more effective defense.

Black Hat 2014: RSA in the Desert?




I’ve been attending the Black Hat Security Conference in Las Vegas for almost a solid decade now, and if there’s one thing that’s for sure, it’s that the conference continues to evolve.

Given, when I first started attending Black Hat those many years ago, it was not as a marketing rep for a security software vendor, but as a reporter attempting to get my head around the emerging threat/exploit landscape.


However, even if my time is no longer spent attending sessions, and trying (with varying degrees of success) to understand what is being presented, a walk across this year’s show floor clearly evidences the continued shift towards a more business-centric audience.

This is nothing new, of course, as hardcore Black Hat attendees have been decrying the show’s evolution into more of an “RSA in the desert” for years. However, it’s clear that with each passing summer this change becomes ever more the reality.

When I was working for pen testing specialists Core Security in 2008, it was clear that ethical hackers, primarily researchers, still made up a huge swath of the Black Hat audience; this no longer would appear to be the case.

Certainly it has a lot to do with spending more time in the vendor exhibition space, but with each year I see more corporations and government agencies listed on attendees’ badges, and fewer humorous attempts to dodge identification (though we do have several “ninjas” and at least one “director of rainbows and unicorns” listed among our 2014 badge scans).

As I was discussing this phenomenon with longtime industry guru Alan Shimel (currently of the CISO Group and Security Bloggers Network) we were debating the potential upsides and downsides.

First off, neither of us would debate that there’s still a wealth of extremely valuable research on the Black Hat schedule, and I can’t even make the claim in recent years of attending many of these sessions.

Another key component to consider is that there are the sister DEF CON and parallel B-Sides Las Vegas shows, which cater directly and almost exclusively to ethical hackers and focus almost solely on research, allowing Black Hat to grow more… corporate.

You also have the phenomenon of people who started out as Black Hat researchers who are now focused more on the business side of things, having built vital companies out of the expertise they used to share as conference presenters (the guys from White Hat Security are a fitting and high-profile example).

As noted above, one of the other significant changes in Black Hat attendance is the ever-increasing number of government attendees. In years past there may have been a lot of Red Team/Blue Team types – and likely still are – but today, there’s an overwhelming number of state and federal security officials in attendance – with their names and titles displayed openly on their badges (another notable shift).

My impression is that many of the people who first came to Black Hat – and now may spend more time at Def Con or B-Sides – may disparage the show’s change in interests, arguing that the event is now too focused on the business side.

However, for companies like FireMon this shift has obviously made the event even more valuable, providing us with another fantastic opportunity to connect with existing customers and new prospects to tell them more about what our solutions can do.

Is the change good? Is it bad? That’s for each individual to decide on their own, but as Alan and I eventually agreed, it’s really just a natural evolution as hacking and ethical research continue to mature and become an even bigger element of enterprise security.

No matter how you slice it, Black Hat continues to serve as an ideal venue for numerous elements of the security community to connect. No matter what changes come it’s always a pleasure to be there.

FireMon Security Manager 7.0 – Top 5 Additions




With any major product release there’s typically quite a bit to sound off about, but with the launch of FireMon Security Manager 7.0 platform and the introduction of its updated Policy Planner 3.0 module there’s so much to highlight that one could potentially go on for a long time.

So, in the interest of shedding some light on the most exciting and breakthrough additions in these new releases, let’s take a classic “Late Show”-style approach citing the “Top 5 New Capabilities of Security Manager 7.0”:

1. True Continuous Assessment: The Security Manager analysis engine and supporting features are the only solution that truly provide real-time visibility across all network security device infrastructure. With even greater levels of automation including an updated library of proven assessments, proactive “what-if” change modeling, historical trend analysis to chart improving performance and the scalability to analyze enterprise infrastructure in seconds, FireMon has once again upped the ante.

2. Expanded Assessment and Controls: Striking at the lifeblood of how customers benefit from Security Manager’s automated assessment approach, the 7.0 release introduces major advancement including trending, whitelisting and an out-of-the-box library with over 100 pre-built controls and Best Practices assessments. The results? Faster analysis, greater policy and process retention and even greater ease-of-use – all with a high degree of customization – based on FireMon’s years of experience working with customers.

3. Standardized Policy Workflow: Policy Planner 3.0 delivers full support for the BPMN 2.0 workflow standard, allowing even more consistent policy design, evolution and management, and allowing direct integration with existing BPM systems and processes. More fuel to the FireMon flame of providing enterprise ready, time saving and closed-loop methodology; look here to see who else supports BPMN 2.0.

4. Added MSSP capabilities: While other vendors merely pass off their solutions to MSSPs, FireMon continues to add purpose-built capabilities for our many managed service provider customers, including support for organizational domains and LDAP authorization. Instead of handing off an existing solution and merely saying good luck, FireMon continues to make the investments that drive increased ROI for MSSPs of all kinds.

5. New Device Support: The more network security devices that Security Manager provides direct integration with, the more powerful the results. This time around additions include newly released products from leading providers including Cisco (ASA 9.1), Palo Alto Networks (Panorama) and Qualys (QualysGuard VM) as well as support for device infrastructure popular in APAC (AhnLabs, Hillstone, Huawei, SECUI) and other regions, making the FireMon platform the most truly comprehensive and globally relevant on the market.

So there you have it, and honestly that’s just a quick peek at all of the extraordinary goodness and highly differentiated capabilities delivered in the FireMon Security Manager 7.0 platform. There’s no other product available that spans the full gamut of assessment and reporting needs required by today’s enterprise organizations and large government agencies.

Am I biased? Sure, but I’ve also been around this market long enough to know who is stretching the truth and how FireMon can truly back all its claims.

If you’re unwilling to take my word for it, why not sign up for a demo of FireMon Security Manager 7.0 today and see for yourself how well it works.


Real-World Breach Shows Prioritizing Vulnerabilities Matters




Over at Krebs on Security, a rare but fascinating look into the monetary and brand reputation effects a real-world breach can have on a corporation was outlined last week in the post “FDIC: 2011 FIS Breach Worse Than Reported”. The post provides an in-depth review of the impact of the 2011 breach at FIS, in which FIS stated in its original filing with the SEC that “7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities”. The article provided two very interesting insights. First, there are real-world financial and brand consequences in failing to effectively implement network security controls. Krebs’s article provides an in-depth look at the results of the FDIC audits performed at FIS in 2011 and 2012 as a result of the original breach incident. What was interesting to learn is that because FIS is a service provider to banks and not actually a bank, the FDIC is unable to levy fines against it or shut it down directly. However, in May of this year, the FDIC sent the results of its audits to all of FIS’s customers, as the post highlights, with a letter attached that began “We are sending you this report for your evaluation and consideration in managing your vendor relationship with FIS.” The FDIC made this decision despite the fact that FIS has spent over $100 million trying to shore up its network security controls. The FDIC’s actions will obviously have some negative brand and revenue impact for FIS.

The second interesting point within the post was the detail around the environment FIS was attempting to secure, and the number of vulnerabilities it was dealing with. Portions of the FDIC report that were noted in the post showed that FIS was dealing with “approximately 30,000 servers and operating systems, another 30,000 network devices, over 40,000 workstations, 50,000 network circuits, and 28 mainframes running 80 LPARs”. The post also highlights that “The Executive Summary Scan reports from November 2012 show 18,747 network vulnerabilities and over 291 application vulnerabilities as past due”. While 18,747 vulnerabilities identified in a scan might seem like a lot, it is not uncommon in a network of this size and scope. Many FireMon customers have seen scan results with an even greater number of identified vulnerabilities. The challenge when faced with this many vulnerabilities is knowing which ones truly matter. Out of 18,000+ vulnerabilities, how would you know which ones to remediate first? Attempting to manually sort through the vulnerabilities or simply patching the highest value assets doesn’t actually solve the problem. An automated, intelligent and continuous real-time assessment of the vulnerabilities that shows what assets are truly reachable over the network by an attacker, and which remediation efforts will reduce the greatest amount of risk (and access), is the only way to proactively solve this problem.

Chinese Hack of US Weapons Designs Emphasizes Need for Proactive Risk Posture




Citing a report prepared for the Defense Department by the Defense Science Board, the Washington Post published an article today highlighting attacks from Chinese cyber-spies that compromised US weapons systems designs. The Post noted that the attacks exposed “programs critical to U.S. missile defenses and combat aircraft and ships.” The article specifically noted that “the advanced Patriot missile system, known as PAC-3; an Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD; and the Navy’s Aegis ballistic-missile defense system” were compromised, as well as “vital combat aircraft and ships, including the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship”.

The Post’s article does not specifically cover how the designs were stolen, what methods were used to attack networks, and whether these were attacks aimed at US Government networks or defense contractors, although anonymous U.S. officials cited in the article “said senior U.S. defense and diplomatic officials presented the Chinese with case studies detailing the evidence of major intrusions into U.S. companies, including defense contractors.” The article also noted that a recent National Intelligence Estimate found “that China was by far the most active country in stealing intellectual property from U.S. companies”. This comes on top of Mandiant’s Intelligence Center Report earlier this year detailing the activities of APT1, a China-based cyber-espionage group believed to be a unit in the People’s Liberation Army (PLA).

While the term cyber-warfare has been hyped quite extensively and sometimes disingenuously within the information security community, these reports highlight that there are certain cyber threat actors today that are actively engaged in target-specific attacks to gain information from networks. Without full details of how the attacks were executed, one can only speculate that the attackers discovered exploitable vulnerabilities within the network to gain access to and ultimately extract this data. It is yet further evidence that a reactive information security stance ultimately will not protect an organization from a dedicated attacker. To truly secure our networks, we as security practitioners must proactively identify the vulnerable system(s) on our network that could lead to a breach before the attackers do, and prioritize our remediation efforts around the systems that pose the greatest risk of attack. Furthermore, to ensure ongoing security, security practitioners must be able to know in advance if proposed network or security changes will introduce or expose systems to further risk or breach from attackers, and remediate these exposures before the change is committed. We have discussed this topic many times here on the FireMon blog, and pointed out that the technology to enable a risk-based security posture is already available. While many Federal officials have called for an expedited adoption rate around a proactive risk policy, articles like the one today in the Washington Post show that those calls are not being heeded fast enough.
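The reachability-based prioritization argued for in the FIS post and the pre-change exposure check described above can be sketched together; this is an added example, not FireMon code or product logic. The zones, hosts, findings, the CVSS-times-asset-value exposure score and all function names are constructed assumptions.

```python
from collections import deque

# Constructed sample data (not from the page): zone-to-zone flows a firewall
# policy permits, hosts with an asset value (1-5), and scanner findings.
FLOWS = {("internet", "dmz"): {443}, ("dmz", "app"): {8443},
         ("app", "db"): {5432}, ("corp", "app"): {22, 8443}}
HOSTS = {"web01": ("dmz", 2), "app01": ("app", 3),
         "db01": ("db", 5), "hr01": ("corp", 4)}
FINDINGS = [("web01", 443, 7.5), ("app01", 8443, 9.8), ("app01", 22, 8.1),
            ("db01", 5432, 9.0), ("hr01", 445, 9.8)]  # (host, port, CVSS)


def reachable_findings(flows, hosts, findings, start="internet"):
    """Map each finding an attacker can reach from `start` to its hop count.

    Assumption: exploiting a finding yields a foothold in that host's zone,
    and traffic inside a zone is not modelled.
    """
    depth, queue, hits = {start: 0}, deque([start]), {}
    while queue:
        src = queue.popleft()
        for finding in findings:
            host, port, _ = finding
            zone = hosts[host][0]
            if port in flows.get((src, zone), ()):
                hits.setdefault(finding, depth[src] + 1)
                if zone not in depth:
                    depth[zone] = depth[src] + 1
                    queue.append(zone)
    return hits


def exposure(flows, hosts, findings):
    """Sum of CVSS x asset value over reachable findings only."""
    hits = reachable_findings(flows, hosts, findings)
    return sum(cvss * hosts[host][1] for host, _, cvss in hits)


def rank_by_risk_reduction(flows, hosts, findings):
    """Order findings by how much exposure disappears if each one is fixed."""
    base = exposure(flows, hosts, findings)
    gains = [(f, round(base - exposure(flows, hosts,
                                       [g for g in findings if g != f]), 1))
             for f in findings]
    return sorted(gains, key=lambda item: item[1], reverse=True)


def what_if(flows, hosts, findings, pair, ports):
    """Findings newly reachable if a rule allowing `ports` on `pair` is added."""
    proposed = dict(flows)
    proposed[pair] = proposed.get(pair, set()) | set(ports)
    before = reachable_findings(flows, hosts, findings)
    after = reachable_findings(proposed, hosts, findings)
    return [f for f in after if f not in before]


if __name__ == "__main__":
    for finding, gain in rank_by_risk_reduction(FLOWS, HOSTS, FINDINGS):
        print(f"{finding[0]}:{finding[1]} CVSS {finding[2]} -> exposure removed {gain}")
    print("newly exposed by dmz->corp:445:",
          what_if(FLOWS, HOSTS, FINDINGS, ("dmz", "corp"), {445}))
```

On this sample the CVSS 7.5 finding on the low-value web server ranks first because fixing it cuts every downstream path, while the unreachable CVSS 9.8 finding on hr01 ranks last; the proposed dmz-to-corp rule exposes hr01 and, through the corp zone, the SSH finding on app01.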