<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Management at the Speed of Business - AlgoSec Blog</title>
	<atom:link href="http://blog.algosec.com/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.algosec.com</link>
	<description></description>
	<lastBuildDate>Wed, 22 May 2013 12:42:20 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Driving Business Agility through IT Security Simplicity</title>
		<link>http://blog.algosec.com/2013/05/driving-business-agility-through-it-security-simplicity.html</link>
		<comments>http://blog.algosec.com/2013/05/driving-business-agility-through-it-security-simplicity.html#comments</comments>
		<pubDate>Wed, 22 May 2013 08:55:49 +0000</pubDate>
		<dc:creator>Sam Erdheim</dc:creator>
				<category><![CDATA[Application Connectivity Management]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[business agility]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[CIOs]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blog.algosec.com/?p=330</guid>
		<description><![CDATA[<p><p><img class="alignright size-medium wp-image-402" alt="agile" src="http://blog.algosec.com/wp-content/uploads/agile-300x200.jpg" width="300" height="200" />I read an excellent article earlier this month on <a title="Revlon CIO: Simplification Equals Speed. Speed Provides Agility." href="http://www.forbes.com/sites/netapp/2013/05/06/revlon-cio-david-giambruno/" target="_blank">Forbes</a> in which Revlon&#039;s CIO talks about simplifying IT to more quickly deliver new capabilities that not only support the business, but to actually <em>DRIVE</em> the business. CIOs bridge technology and business and can uniquely set the enterprise on a path to greater success.</p>
<p><a href="http://blog.algosec.com/2013/05/driving-business-agility-through-it-security-simplicity.html" class="fancy-more-link">Read more</a></p>
</p><p>The post <a href="http://blog.algosec.com/2013/05/driving-business-agility-through-it-security-simplicity.html">Driving Business Agility through IT Security Simplicity</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-402" alt="agile" src="http://blog.algosec.com/wp-content/uploads/agile-300x200.jpg" width="300" height="200" />I read an excellent article earlier this month on <a title="Revlon CIO: Simplification Equals Speed. Speed Provides Agility." href="http://www.forbes.com/sites/netapp/2013/05/06/revlon-cio-david-giambruno/" target="_blank">Forbes</a> in which Revlon&#039;s CIO talks about simplifying IT to more quickly deliver new capabilities that not only support the business, but to actually <em>DRIVE</em> the business. CIOs bridge technology and business and can uniquely set the enterprise on a path to greater success.</p>
<p>In <a title="State of the CIO 2013" href="http://www.cio.com/documents/pdfs/2013%20State%20of%20the%20CIO%20Exec%20Summary.pdf" target="_blank">CIO&#039;s State of the CIO 2013</a>, the top four priorities for IT executives and business decision-makers were aligned:</p>
<ol>
<li>Improve the use of data and analytics to improve business decisions and outcomes</li>
<li>Improve IT project delivery performance</li>
<li>Develop new skills to better support emerging technologies and business innovation</li>
<li>Improve IT budget performance</li>
</ol>
<p>So it&#039;s a good sign that CIOs and the business are more aligned than ever before, BUT security MUST be included in this discussion &#8211; as it is an integral part of the IT team &#8211; and not left as an afterthought. Security plays a very important role in driving the business because security can impact the business either positively or negatively. Streamlining and standardizing IT and security processes and systems can not only save money, but ultimately deliver services much more quickly and in turn help the business run and grow! In fact, in our <a title="State of Network Security 2013" href="http://www.algosec.com/en/resources/network_security_2013" target="_blank">State of Network Security Survey 2013</a>, process was reported as the greatest challenge of managing network security devices. Here are a couple of ways to get on the path to driving business agility through IT security simplicity:</p>
<ol>
<li><strong>Use information to improve process</strong> &#8211; Understanding where process breakdowns occur is an important step, so that you can then make the necessary improvements. Is it a matter of poor process? Is it a matter of the process not being enforced well? Are the solutions in place not allowing the process to work as you want? These are all issues to identify, and then you can map out a plan of attack. This all leads me to the next point&#8230;</li>
<li><strong>Align the different stakeholders</strong> &#8211; Take the example of a critical business application in a data center&#8230; there are application owners who need to make upgrades and improvements to applications that fuel the business&#8230; there are network and security teams that must enable connectivity through firewall and router rules and ACLs &#8211; but these teams typically are not in sync, so the business and IT are not working hand in hand. This is just one example of an opportunity for simplification and alignment &#8211; through improved visibility, streamlined processes and automation &#8211; and where IT can drive the business. Getting alignment across these different teams can simplify the overall change process and improve business agility &#8211; now IT and security teams can more quickly respond to changing business needs in a transparent process.</li>
</ol>
<p>Revlon&#039;s CIO said it really well: &#034;We do what the business needs &#8211; only faster, cheaper and better.&#034; The only thing I would add is &#034;in a secure manner&#034;. In addition to the above ideas, last year on this blog we posted an article on <a href="http://blog.algosec.com/2012/07/4-ways-to-persuade-upper-management-that-business-agility-can-be-improved-through-information-securi.html" target="_blank">4 Ways to Persuade Upper Management that Business Agility Can Be Improved through Information Security</a>. What other strategies and tactics should be included to simplify information security and to ultimately drive business agility?</p>
<p>The post <a href="http://blog.algosec.com/2013/05/driving-business-agility-through-it-security-simplicity.html">Driving Business Agility through IT Security Simplicity</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://blog.algosec.com/2013/05/driving-business-agility-through-it-security-simplicity.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Practical Tips to Improve Network Security with What You Already Have: Part 1 of 2</title>
		<link>http://blog.algosec.com/2013/05/tips-to-improve-network-security.html</link>
		<comments>http://blog.algosec.com/2013/05/tips-to-improve-network-security.html#comments</comments>
		<pubDate>Tue, 21 May 2013 13:16:14 +0000</pubDate>
		<dc:creator>Matthew Pascucci</dc:creator>
				<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[audit firewall rules]]></category>
		<category><![CDATA[exfiltration]]></category>
		<category><![CDATA[firewall management]]></category>
		<category><![CDATA[firewall management software]]></category>
		<category><![CDATA[firewall management tools]]></category>
		<category><![CDATA[logging]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[network traffic]]></category>
		<category><![CDATA[networks]]></category>
		<category><![CDATA[next-generation firewalls]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://blog.algosec.com/?p=364</guid>
<description><![CDATA[<p><p><img class="alignright size-full wp-image-365" alt="network security" src="http://blog.algosec.com/wp-content/uploads/network-security.jpg" width="292" height="163" />I think we as security experts need to stop focusing on who or what will attack us and start acting like we’re already owned. If we just started thinking in terms of “<i>I’m already compromised</i>”, the security and monitoring of your network and systems would improve drastically. The initial fear of security experts was of being hacked or compromised, but in reality this is happening every day while you’re on the clock. If you’ve ever had malware infect a workstation, you’ve been breached. This is just a small example, but it’s true. There are two types of security professionals:</p>
<p><a href="http://blog.algosec.com/2013/05/tips-to-improve-network-security.html" class="fancy-more-link">Read more</a></p>
</p><p>The post <a href="http://blog.algosec.com/2013/05/tips-to-improve-network-security.html">Practical Tips to Improve Network Security with What You Already Have: Part 1 of 2</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></description>
<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-365" alt="network security" src="http://blog.algosec.com/wp-content/uploads/network-security.jpg" width="292" height="163" />I think we as security experts need to stop focusing on who or what will attack us and start acting like we’re already owned. If we just started thinking in terms of “<i>I’m already compromised</i>”, the security and monitoring of your network and systems would improve drastically. The initial fear of security experts was of being hacked or compromised, but in reality this is happening every day while you’re on the clock. If you’ve ever had malware infect a workstation, you’ve been breached. This is just a small example, but it’s true. There are two types of security professionals:</p>
<ol>
<li>Those that know they’ve been breached.</li>
<li>Those who’ve been breached, but don’t know it.</li>
</ol>
<p>With this being said, we need to start focusing on extrusion detection (coined by Richard Bejtlich, @taosecurity) as well as intrusion detection. We speak about security in layers a lot and this is just another way to detect threats. The problem is that often we immediately jump to shiny new objects out there such as Data Loss Prevention (DLP), Next-Generation Firewalls, SIEM, etc. to get the job done. While these are all helpful tools that can certainly improve your ability to monitor for the exfiltration of nefarious traffic, there are things you can do immediately to improve your security posture.</p>
<p><strong>Log for Certain Alerts</strong></p>
<p>There are certain alerts on your domain or network that you know right off the bat are bad news. These alerts should be caught and notified on right away. There are many tools that will do this for you, like a SIEM, but you still need to know what you’re looking for. If you don’t currently have a SIEM, you can set up similar alerts to warn you of malicious behavior. Here are some examples:</p>
<ul>
<li>Set up an alert every time the “Domain Admin Group” has a change made to it. If you’re a smaller company there should be a darn good reason this group has just experienced a change. One of the things a bad guy wants is complete control, and if he’s already gotten this far it may be too late, but it might give you the time needed to shut things down and save your data from leaving.</li>
</ul>
<ul>
<li>Set up fake accounts that you think hackers will try to access. An example of this is an account named “administrator” in Active Directory. I’m assuming and hoping that you’ve already renamed the original one. On this account you can set the lockout threshold really low and alert every time someone logs into it improperly. In this example, if a bad guy’s looking for low-hanging fruit he’s going to tip you off right away.</li>
</ul>
<p><strong>Detect the “Bad Guys” in Your Network</strong></p>
<p>The network is where all the action happens in a breach. It’s like a highway during a high-speed police chase: usually the network has rules that the bad guys must follow, and oftentimes that means letting them drive into the neighborhood. There are many things that can be done with firewalls, but we’ll get to those in my next blog. At this point let’s just focus on two things which can easily detect bad guys in the network itself.</p>
<ul>
<li>One area that takes some time to set up, but can be very beneficial once it’s configured properly, is the ability to monitor and alert on what I’m going to call “Dark Networks”. These dark networks are created for no other reason than to alert when people end up poking around in them. Once a bad guy’s in your network, one of the first things they do is reconnaissance, and that’s normally done with network scanning. If you see network scans come across your dark network, you know something’s up.</li>
</ul>
<ul>
<li>Setting up honeypots around your network, and in more than one area, will assist with the early warning of certain attackers. As I just mentioned, when attackers are in your network they will start feeling around and this is commonly done with scans. Once a scan against a honeypot is found you can be alerted and at times divert them to where they cannot cause you greater problems.</li>
</ul>
<p>In the next blog, I’ll share some tips to get more out of your IPS and firewall implementations. Good luck!</p>
<p>The post <a href="http://blog.algosec.com/2013/05/tips-to-improve-network-security.html">Practical Tips to Improve Network Security with What You Already Have: Part 1 of 2</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://blog.algosec.com/2013/05/tips-to-improve-network-security.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don&#039;t Gamble When it Comes to Information Security</title>
		<link>http://blog.algosec.com/2013/05/dont-gamble-when-it-comes-to-security.html</link>
		<comments>http://blog.algosec.com/2013/05/dont-gamble-when-it-comes-to-security.html#comments</comments>
		<pubDate>Wed, 15 May 2013 13:51:34 +0000</pubDate>
		<dc:creator>Tim Bloomer</dc:creator>
				<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[firewall audit]]></category>
		<category><![CDATA[Firewall Auditing tools]]></category>
		<category><![CDATA[firewall compliance]]></category>
		<category><![CDATA[firewalls]]></category>
		<category><![CDATA[IDS]]></category>
		<category><![CDATA[IPS]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blog.algosec.com/?p=352</guid>
		<description><![CDATA[<p><p><a href="http://www.propertycasualty360.com/2013/05/13/45m-global-bank-heist-could-complicate-cyber-liabi" target="_blank"><img class="alignright size-medium wp-image-355" alt="HeistMain-resize-380x300" src="http://blog.algosec.com/wp-content/uploads/HeistMain-resize-380x300-300x199.jpg" width="300" height="199" />Yesterday&#039;s news</a> brought us yet another reason why companies of all sizes need to take network security seriously.  This is no place for companies to cut cost and &#034;hope&#034; the headlines will not be flashing their names, because this approach will more likely than not lead to trouble!</p>
<p><a href="http://blog.algosec.com/2013/05/dont-gamble-when-it-comes-to-security.html" class="fancy-more-link">Read more</a></p>
</p><p>The post <a href="http://blog.algosec.com/2013/05/dont-gamble-when-it-comes-to-security.html">Don't Gamble When it Comes to Information Security</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.propertycasualty360.com/2013/05/13/45m-global-bank-heist-could-complicate-cyber-liabi" target="_blank"><img class="alignright size-medium wp-image-355" alt="HeistMain-resize-380x300" src="http://blog.algosec.com/wp-content/uploads/HeistMain-resize-380x300-300x199.jpg" width="300" height="199" />Yesterday&#039;s news</a> brought us yet another reason why companies of all sizes need to take network security seriously.  This is no place for companies to cut cost and &#034;hope&#034; the headlines will not be flashing their names, because this approach will more likely than not lead to trouble!</p>
<p>While IT security has traditionally been viewed by the business as a cost center, it really is needed, and just one successfully blocked attempt can provide you with 100% ROI. The question is: how would you know? Do you have the auditing tools necessary to validate an attack or to know if an attack is currently taking place?</p>
<p>IT Security in many respects should be considered before, during and after the planning of applications that will be stood up. Retrofitting IT security is never a replacement for planned security from the start. What do I mean?  Let&#039;s look at a typical banking application that supports your online checking account. Most, if not all, online banking is &#039;secured&#039; by using https. This allows you to have a secure connection to that server, but it also provides cyber-criminals with a secure connection to that server! Therefore, if you did not have security baked into the planning and deployment of this online application, you stand a greater chance for the attackers to break in undetected. Once they have access to this server, they can now very easily expand their path to wreak havoc and steal valuable information.</p>
<p>The article about the latest online bank heist mentions, &#034;To perpetrate the scheme, hackers tampered with prepaid and debit MasterCards processed by two companies with locations in India, which Reuters identified as EnStage Inc. and ElectraCard Services. They manipulated the card’s codes to increase their available balances and eliminate withdrawal limits, and then passed the infected codes to thousands of “cashers” who used them to suck funds from ATM machines.&#034;</p>
<p>My interpretation is that these attackers exploited vulnerabilities within the web application. This could stem from having both the firewall and the server open to ports not used by the application, or maybe simply from a patch of code not tested for this type of attack. Let&#039;s try to help our IT community as a whole: share your ideas on how to prevent this in your environment, given the information we know about this recent heist.</p>
<p>How would you protect your company from attacks like this one? Do you need IPS/IDS?  Host-based or network-based or both? Do you have a web-based firewall?</p>
<p>The post <a href="http://blog.algosec.com/2013/05/dont-gamble-when-it-comes-to-security.html">Don't Gamble When it Comes to Information Security</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://blog.algosec.com/2013/05/dont-gamble-when-it-comes-to-security.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>Quick Takes on McAfee’s Acquisition of Stonesoft</title>
		<link>http://blog.algosec.com/2013/05/quick-takes-on-mcafees-acquisition-of-stonesoft.html</link>
		<comments>http://blog.algosec.com/2013/05/quick-takes-on-mcafees-acquisition-of-stonesoft.html#comments</comments>
		<pubDate>Wed, 08 May 2013 13:02:47 +0000</pubDate>
		<dc:creator>Nimmy Reichenberg</dc:creator>
				<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[next-generation firewall]]></category>
		<category><![CDATA[NGFWs]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security policy]]></category>
		<category><![CDATA[Stonesoft]]></category>

		<guid isPermaLink="false">http://blog.algosec.com/?p=333</guid>
		<description><![CDATA[<p><p><img class="alignright size-full wp-image-342" alt="mcafee stonesoft" src="http://blog.algosec.com/wp-content/uploads/mcafee-stonesoft.jpg" width="275" height="184" />Big news from McAfee on Monday, acquiring Stonesoft for $389M in cash – a whopping 128% premium on Stonesoft’s closing price last Friday. It’s not often that a firewall vendor gets acquired &#8211; here are my quick takes on the acquisition:</p>
<p><a href="http://blog.algosec.com/2013/05/quick-takes-on-mcafees-acquisition-of-stonesoft.html" class="fancy-more-link">Read more</a></p>
</p><p>The post <a href="http://blog.algosec.com/2013/05/quick-takes-on-mcafees-acquisition-of-stonesoft.html">Quick Takes on McAfee’s Acquisition of Stonesoft</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-342" alt="mcafee stonesoft" src="http://blog.algosec.com/wp-content/uploads/mcafee-stonesoft.jpg" width="275" height="184" />Big news from McAfee on Monday, acquiring Stonesoft for $389M in cash – a whopping 128% premium on Stonesoft’s closing price last Friday. It’s not often that a firewall vendor gets acquired &#8211; here are my quick takes on the acquisition:</p>
<ul>
<li>Technology – Probably the #1 reason for this acquisition. The firewall market has been extremely dynamic in recent years. Advanced capabilities often touted as “next-generation” such as application control, user identity and advanced malware detection/prevention are being adopted at a fast rate. The larger vendors naturally gravitate to buying versus building in order to remain competitive.</li>
<li>Long Live the Perimeter – The acquisition strengthens McAfee’s network security play – and it’s no secret that a fast-growing mobile device market and a declining PC market does not spell good news for McAfee’s core desktop security business.</li>
<li>Across the Atlantic &#8211; Stonesoft has carved out a good niche and enjoys a good brand in the European market which can complement McAfee’s stronger presence in the US market. McAfee’s distribution should bolster Stonesoft’s US Sales, which can explain the high premium of this acquisition.</li>
<li>Enterprise – Stonesoft’s technology should make McAfee a more formidable player when it comes to enterprise-grade network security.</li>
</ul>
<p>So what next? Looking ahead, it will be interesting to see if McAfee integrates Stonesoft’s technology into its Firewall Enterprise offering (which is itself based on the SideWinder product from the Secure Computing acquisition) or if it maintains two firewall flavors (did anybody say Netscreen/SRX?). One thing is certain – the network security market is continuing to change and evolve. Rest assured we will be on the lookout to help you do the best job managing your security policy.</p>
<p>The post <a href="http://blog.algosec.com/2013/05/quick-takes-on-mcafees-acquisition-of-stonesoft.html">Quick Takes on McAfee’s Acquisition of Stonesoft</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://blog.algosec.com/2013/05/quick-takes-on-mcafees-acquisition-of-stonesoft.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tips to Securely Decommission Business Applications</title>
		<link>http://blog.algosec.com/2013/05/tips-to-securely-decommission-business-applications.html</link>
		<comments>http://blog.algosec.com/2013/05/tips-to-securely-decommission-business-applications.html#comments</comments>
		<pubDate>Tue, 07 May 2013 12:36:15 +0000</pubDate>
		<dc:creator>Sam Erdheim</dc:creator>
				<category><![CDATA[Application Connectivity Management]]></category>
		<category><![CDATA[Firewall Change Management]]></category>
		<category><![CDATA[Firewall Policy Management]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[decomission applications]]></category>
		<category><![CDATA[decommission]]></category>
		<category><![CDATA[firewall management]]></category>
		<category><![CDATA[firewalls]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[overy permissive rules]]></category>
		<category><![CDATA[Professor Wool]]></category>
		<category><![CDATA[security rules]]></category>
		<category><![CDATA[State of Network Security]]></category>

		<guid isPermaLink="false">http://blog.algosec.com/?p=315</guid>
<description><![CDATA[<p><p>How many times has your organization been ready to decommission an application, but the network ops team is afraid to remove the underlying security rules? The ability to accurately identify and remove access rules for decommissioned applications, without impacting the accessibility of other applications, is a huge issue for many organizations. Unnecessary or overly permissive access rules are too often left in place due to the fear of making a change that impacts the network or applications. In our <a title="The State of Network Security Survey 2013" href="http://www.algosec.com/en/resources/network_security_2013" target="_blank">State of Network Security Survey 2013</a>, 80% of respondents noted that application-related rule changes resulted in outages or impaired performance.</p>
<p><a href="http://blog.algosec.com/2013/05/tips-to-securely-decommission-business-applications.html" class="fancy-more-link">Read more</a></p>
</p><p>The post <a href="http://blog.algosec.com/2013/05/tips-to-securely-decommission-business-applications.html">Tips to Securely Decommission Business Applications</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></description>
<content:encoded><![CDATA[<p>How many times has your organization been ready to decommission an application, but the network ops team is afraid to remove the underlying security rules? The ability to accurately identify and remove access rules for decommissioned applications, without impacting the accessibility of other applications, is a huge issue for many organizations. Unnecessary or overly permissive access rules are too often left in place due to the fear of making a change that impacts the network or applications. In our <a title="The State of Network Security Survey 2013" href="http://www.algosec.com/en/resources/network_security_2013" target="_blank">State of Network Security Survey 2013</a>, 80% of respondents noted that application-related rule changes resulted in outages or impaired performance.</p>
<p>So what&#039;s a security, network operations or application owner to do? What if these rules could be eliminated or tightened based on a more accurate and accessible understanding of related application connectivity requirements?</p>
<p>In this latest Firewall Management 201 video, Professor Wool examines the challenges of decommissioning business applications and offers recommendations for improving security without impacting network operations by removing firewall rules that are no longer in use. Enjoy!</p>
<p>&nbsp;</p>
<p><iframe src="http://www.youtube.com/embed/ROS1ZLXaRIg" height="315" width="560" allowfullscreen="" frameborder="0"></iframe></p>
<p>The post <a href="http://blog.algosec.com/2013/05/tips-to-securely-decommission-business-applications.html">Tips to Securely Decommission Business Applications</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://blog.algosec.com/2013/05/tips-to-securely-decommission-business-applications.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Audit Preparation: Around and Around We Go, When We’ll Stop We’ll Never Know</title>
		<link>http://blog.algosec.com/2013/04/audit-preparation-around-and-around-we-go-when-well-stop-well-never-know.html</link>
		<comments>http://blog.algosec.com/2013/04/audit-preparation-around-and-around-we-go-when-well-stop-well-never-know.html#comments</comments>
		<pubDate>Thu, 25 Apr 2013 03:42:19 +0000</pubDate>
		<dc:creator>Robert Rhame</dc:creator>
				<category><![CDATA[Auditing and Compliance]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://blog.algosec.com/?p=254</guid>
<description><![CDATA[<p><p><img class="alignright wp-image-255" alt="checkmarks" src="http://blog.algosec.com/wp-content/uploads/checkmarks.jpg" width="293" height="195" />Too often we react to tasks by simply doing them. We do them over and over again, perhaps without looking for a bit of optimization…because that could be more work in itself. Eons ago, we physically carried everything from A to B. Then we domesticated certain animals and trained them to carry the load. Then the wheel was invented. The point here is to look at the methodology of when to aspire towards increasing efficiency &#8211; to get two things done at once. At what point does it make economic sense?</p>
<p><a href="http://blog.algosec.com/2013/04/audit-preparation-around-and-around-we-go-when-well-stop-well-never-know.html" class="fancy-more-link">Read more</a></p>
</p><p>The post <a href="http://blog.algosec.com/2013/04/audit-preparation-around-and-around-we-go-when-well-stop-well-never-know.html">Audit Preparation: Around and Around We Go, When We’ll Stop We’ll Never Know</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><img class="alignright  wp-image-255" alt="checkmarks" src="http://blog.algosec.com/wp-content/uploads/checkmarks.jpg" width="293" height="195" />Too often we react to tasks by simply doing them.  We do them over and over again, perhaps without looking for a bit of optimization…because that could be more work in itself.   Eons ago, we physically carried everything from A to B. Then we domesticated certain animals and trained them to carry the load. Then the wheel was invented. The point here is to look at the methodology of when to aspire towards increasing efficiency &#8211; to get two things done at once.  At what point does it make economic sense?</p>
<p>Audits push our behavior towards tactical response. Working hard long hours does not always mean better overall results if the activity focuses on point solutions. Defining a unified approach towards compliance is a strategic task, especially where reuse or automation of repetitive tasks might free up time for higher priority work that can make a material difference to the organization.</p>
<p>During a great talk from Josh Corman (@joshcorman) at last year’s RSA, he compared auditors to the zombie apocalypse.  As an adversary group, they keep coming and coming, wave after wave. Their apparent motivation is the individual checklists they want completed &#8211; checklists that your organization must prepare for and complete.  PCI DSS 2.0 is 27 pages alone.  The audit preparation challenge is that the PCI DSS scales out recursively in direct relationship to the size of the network.</p>
<p>Using David Etue and Josh Corman’s <a title="RSA Corman and Etue 2012" href="http://365.rsaconference.com/community/connect/blog/2012/01/18/rsac2012-podcast-grc-202-adversary-roi-why-spend-40b-developing-it-when-you-can-steal-it-for-1m" target="_self">Adversary based threat models</a>, the attack patterns and the information targeted don’t line up with the work we do to prepare for an audit. PCI auditors focus on controls to safeguard credit card information, yet State sponsored groups don’t need to chase after credit cards  &#8211; they want to remain resident and exfiltrate as much intellectual property as possible.  Chaos actors (such as Anonymous) focus on SQL-injection to harvest names and contact information with a little defacement thrown in for good measure. Card thieves are more likely to go after individuals than companies, and even so, using the PCI DSS document, attackers who might be going after credit cards have a checklist of what is probably already hardened (or not.)  In other words, credit cards are “protected” using a readily available template for what to (or not to) attack depending on the size of the target.</p>
<p>The amount of effort required to deliver organization-wide PCI DSS compliance is immense. It distracts us in both time and resources that could be applied to developing a unified strategy to protect the Intellectual Property that is targeted.</p>
<p>So how can we deal with this? How can we deliver tactical corporate compliance by adhering to the compliance process, and still have time at the end of the day to protect our organization? I can answer this with one word: efficiency. Look at the various audit requirements and identify common unifying threads: content that is requested in most reports. Address these points, and develop a single report that documents them without a huge effort each time. Focus on pro-actively engaging with auditors to get them to accept a common document, or a document that gets 85% of the work done. The real value is the time spent developing a sustainable strategic framework that demonstrates, internally and externally, that the organization is as secure as it can be.</p>
<p>This is essentially inventing the wheel.  You have just created your own baseline compliance report… modify as necessary to get more auditors onboard so that you can re-use it. They understand the problem that they are not the only ones who are trying to schedule an onsite, and they are no strangers to the idea of a Unified Compliance Framework.</p>
<p>The post <a href="http://blog.algosec.com/2013/04/audit-preparation-around-and-around-we-go-when-well-stop-well-never-know.html">Audit Preparation: Around and Around We Go, When We’ll Stop We’ll Never Know</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://blog.algosec.com/2013/04/audit-preparation-around-and-around-we-go-when-well-stop-well-never-know.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Examining The State of Network Security 2013 Survey Findings</title>
		<link>http://blog.algosec.com/2013/04/examining-the-state-of-network-security-2013-survey-findings.html</link>
		<comments>http://blog.algosec.com/2013/04/examining-the-state-of-network-security-2013-survey-findings.html#comments</comments>
		<pubDate>Wed, 17 Apr 2013 23:35:54 +0000</pubDate>
		<dc:creator>Sam Erdheim</dc:creator>
				<category><![CDATA[Application Connectivity Management]]></category>
		<category><![CDATA[Firewall Change Management]]></category>
		<category><![CDATA[Firewall Policy Management]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[firewall change management]]></category>
		<category><![CDATA[firewall policy management]]></category>
		<category><![CDATA[insider threats]]></category>
		<category><![CDATA[next-generation firewalls]]></category>

		<guid isPermaLink="false">http://blog.algosec.com/?p=248</guid>
		<description><![CDATA[<p><p><a href="http://blog.algosec.com/wp-content/uploads/state-of-network-security.gif"><img class="alignright size-full wp-image-249" alt="state-of-network-security" src="http://blog.algosec.com/wp-content/uploads/state-of-network-security.gif" width="320" height="1084" /></a>Yesterday we announced the findings from our second annual &#034;<a title="The State of Network Security 2013" href="http://www.algosec.com/en/resources/network_security_2013" target="_blank">State of Network Security</a>&#034; survey, which we conducted to identify and analyze current and trending security risks and operational challenges. In our 2013 findings, manual, time-consuming processes and <a href="http://www.algosec.com/en/products/" target="_self">change management</a> issues have a major impact on both security and operations. We&#039;ve also seen rising adoption and maturity around the use of Next-Generation Firewalls (NGFWs) and increasing concern over insider threats. Here are some of the highlights:</p>
<p><a href="http://blog.algosec.com/2013/04/examining-the-state-of-network-security-2013-survey-findings.html" class="fancy-more-link">Read more</a></p>
</p><p>The post <a href="http://blog.algosec.com/2013/04/examining-the-state-of-network-security-2013-survey-findings.html">Examining The State of Network Security 2013 Survey Findings</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://blog.algosec.com/wp-content/uploads/state-of-network-security.gif"><img class="alignright size-full wp-image-249" alt="state-of-network-security" src="http://blog.algosec.com/wp-content/uploads/state-of-network-security.gif" width="320" height="1084" /></a>Yesterday we announced the findings from our second annual &#034;<a title="The State of Network Security 2013" href="http://www.algosec.com/en/resources/network_security_2013" target="_blank">State of Network Security</a>&#034; survey, which we conducted to identify and analyze current and trending security risks and operational challenges. In our 2013 findings, manual, time-consuming processes and <a href="http://www.algosec.com/en/products/" target="_self">change management</a> issues have a major impact on both security and operations. We&#039;ve also seen rising adoption and maturity around the use of Next-Generation Firewalls (NGFWs) and increasing concern over insider threats. Here are some of the highlights:</p>
<p><strong>Process is the Problem</strong> - A majority of respondents (60 percent) cited poor processes and lack of visibility into security policies as the greatest challenge of managing network security devices. Organizations that have poor processes defined and/or enforced commonly face a multitude of security and business risks.</p>
<p><strong>Out-of-Process Increases Out-of-Service</strong> - More than three-quarters of respondents (76.6 percent) suffered a network or application outage due to an out-of-process change &#8211; an increase of 21.1 percent from last year&#039;s findings. What this tells us is that IT organizations are struggling to keep up with the pace of the business and in cases where changes are made &#034;out-of-process&#034;, oftentimes the result is quite harmful to the business.</p>
<p><strong>Application-related Rule Changes Gone Awry</strong> - A whopping 80.6 percent of survey respondents said they suffered an outage, security breach or decreased network performance due to an application-related rule change. Enterprise applications fuel the business, but these applications and the underlying network security policy &#8211; while tightly intertwined &#8211; are often managed in silos which can result in outcomes that are bad for security and bad for business!</p>
<p><strong>Firewall the Next-Generation is Now</strong> - The number of respondents that have adopted Next-Generation Firewalls (NGFWs) is now at 57 percent, up from 41.2 percent in our 2012 survey. But, in exchange for increased security, 56 percent of respondents said they had increased work to manage the firewall process, with 46 percent citing they must make more changes.</p>
<p><strong>The Lurking Threat from Within</strong> - One of the more controversial findings is that survey respondents noted that the most significant risks come from insiders &#8211; 40.8 percent of respondents identified accidental insider risks, i.e. data leakage, as the greatest risk while 24.6 percent noted malicious insiders. BYOD also plays a significant role in this discussion since two-thirds of respondents said that allowing employees to connect personal devices to the network increases the risk of a security breach. These findings are in stark contrast to other research, like the Verizon Data Breach report, which notes that external threats represent the greatest risk to organizations. It&#039;s worth noting that <a title="The State of Network Security 2013" href="http://www.algosec.com/en/resources/network_security_2013" target="_blank">The State of Network Security</a> Survey is not analyzing breaches, but asking security and operations professionals to share their concerns. So maybe this is a case of perception versus reality? This topic certainly deserves more discussion and debate!</p>
<p><strong>Security in the Cloud a Cloudy Forecast?</strong> - Another finding that may raise some eyebrows is that a majority of respondents (60 percent) said they have less than a quarter of their security controls in the cloud &#8211; and the larger the organization, the less likely they will have more security controls in the cloud.</p>
<p>The goal of our survey is to understand the concerns of practitioners and use this data to identify areas of improvement. I&#039;m sure, as with any survey findings, this will be dissected and reviewed, and we look forward to continuing the discussion and debate. If you&#039;d like to read the entire report, you can download it from http://www.algosec.com/en/resources/network_security_2013.</p>
<p>The post <a href="http://blog.algosec.com/2013/04/examining-the-state-of-network-security-2013-survey-findings.html">Examining The State of Network Security 2013 Survey Findings</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://blog.algosec.com/2013/04/examining-the-state-of-network-security-2013-survey-findings.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Examining the Need for Application-Centric Security Policy Management</title>
		<link>http://blog.algosec.com/2013/04/examining-the-need-for-application-centric-security-policy-management.html</link>
		<comments>http://blog.algosec.com/2013/04/examining-the-need-for-application-centric-security-policy-management.html#comments</comments>
		<pubDate>Wed, 10 Apr 2013 09:23:00 +0000</pubDate>
		<dc:creator>Sam Erdheim</dc:creator>
				<category><![CDATA[Application Connectivity Management]]></category>
		<category><![CDATA[Firewall Policy Management]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[AlgoSec]]></category>
		<category><![CDATA[Avishai Wool]]></category>
		<category><![CDATA[business applications]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[network security policy management]]></category>
		<category><![CDATA[Professor Wool]]></category>
		<category><![CDATA[security policy]]></category>

		<guid isPermaLink="false">http://blog.algosec.com/2013/04/10/examining-the-need-for-application-centric-security-policy-management/</guid>
		<description><![CDATA[<p><p>Today&#039;s network security policies continue to grow in volume and complexity, yet oftentimes organizations rely upon manual management, which is too cumbersome, inefficient, and error-prone. The result? Increased cost, risk, and ultimately the inability of IT Security and Operations teams to keep up with the needs of the business.</p>
<p><a href="http://blog.algosec.com/2013/04/examining-the-need-for-application-centric-security-policy-management.html" class="fancy-more-link">Read more</a></p>
</p><p>The post <a href="http://blog.algosec.com/2013/04/examining-the-need-for-application-centric-security-policy-management.html">Examining the Need for Application-Centric Security Policy Management</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Today&#039;s network security policies continue to grow in volume and complexity, yet oftentimes organizations rely upon manual management, which is too cumbersome, inefficient, and error-prone. The result? Increased cost, risk, and ultimately the inability of IT Security and Operations teams to keep up with the needs of the business.</p>
<p>An automated and application-centric approach to security policy management is essential to bridging the divide between network, security, and applications personnel, who don&#039;t speak the same language and thus are not typically on the same page. This approach is also critical to maximizing the availability of business applications, reducing risk from unauthorized access, and improving IT agility.</p>
<p>In this video, Professor Wool examines the challenges of managing business applications and their connectivity requirements and offers tips for bridging the gap between application owners and network and security teams &#8211; to ensure faster, more secure deployment, maintenance and decommissioning of critical applications.</p>
<p>Enjoy!</p>
<p><iframe src="http://www.youtube.com/embed/RAXSvXlnv5M?feature=oembed" height="281" width="500" frameborder="0"></iframe></p>
<p>The post <a href="http://blog.algosec.com/2013/04/examining-the-need-for-application-centric-security-policy-management.html">Examining the Need for Application-Centric Security Policy Management</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://blog.algosec.com/2013/04/examining-the-need-for-application-centric-security-policy-management.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An In-Depth Look at DDoS – Part 3: DDoS Do&#039;s and Don&#039;ts</title>
		<link>http://blog.algosec.com/2013/04/an-in-depth-look-at-ddos-part-3-ddos-dos-and-donts.html</link>
		<comments>http://blog.algosec.com/2013/04/an-in-depth-look-at-ddos-part-3-ddos-dos-and-donts.html#comments</comments>
		<pubDate>Wed, 03 Apr 2013 09:05:12 +0000</pubDate>
		<dc:creator>Matthew Pascucci</dc:creator>
				<category><![CDATA[DDoS]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[AlgoSec]]></category>
		<category><![CDATA[DDoS attack]]></category>
		<category><![CDATA[denial of service]]></category>
		<category><![CDATA[distributed denial of service]]></category>
		<category><![CDATA[incident management]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[IPS]]></category>
		<category><![CDATA[IPSs]]></category>
		<category><![CDATA[Matthew Pascucci]]></category>

		<guid isPermaLink="false">http://blog.algosec.com/2013/04/03/an-in-depth-look-at-ddos-part-3-ddos-dos-and-donts/</guid>
		<description><![CDATA[<p><p><img class="alignright size-full wp-image-130" alt="040313" src="http://blog.algosec.com/wp-content/uploads/040313.jpg" width="250" height="189" />In <a href="http://blog.algosec.com/2013/03/an-in-depth-look-at-ddos-part-2-considerations-to-improve-your-ddos-defense-.html" target="_blank">part 2 of our DDoS series</a>, we shared some ways to go about protecting yourself against a potential attack. So what should you do in the meantime? Prepare of course!!</p>
<p><a href="http://blog.algosec.com/2013/04/an-in-depth-look-at-ddos-part-3-ddos-dos-and-donts.html" class="fancy-more-link">Read more</a></p>
</p><p>The post <a href="http://blog.algosec.com/2013/04/an-in-depth-look-at-ddos-part-3-ddos-dos-and-donts.html">An In-Depth Look at DDoS – Part 3: DDoS Do's and Don'ts</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-130" alt="040313" src="http://blog.algosec.com/wp-content/uploads/040313.jpg" width="250" height="189" />In <a href="http://blog.algosec.com/2013/03/an-in-depth-look-at-ddos-part-2-considerations-to-improve-your-ddos-defense-.html" target="_blank">part 2 of our DDoS series</a>, we shared some ways to go about protecting yourself against a potential attack. So what should you do in the meantime? Prepare of course!!</p>
<p>Here&#039;s a List of DDoS Preparations You <em>SHOULD</em> Consider:</p>
<ol>
<li>If you went through the time and money to protect your network from a DDoS attack, you had better be setting up process and procedure on how to act once it happens. If you’re lucky you’ll never need to put these into action, but if you’re not (and you should assume that you will get hit at some point) you’ll be happy they are in place.</li>
<li>Each department should know exactly what they’re doing if a DDoS attack happens and how to respond to an attack once one occurs. There should be written instructions for each team involved on what to do during an attack (this isn’t cookie cutter and will change) and how they should sound the alarm if they see something that smells like DDoS.</li>
<li>The teams should meet on a scheduled basis to review any incidents, either at the company or in the news, and discuss what they can do in order to make the procedure better.</li>
<li>There should also be “Red Team” drills that incorporate getting your DDoS incident management team in a room to discuss potential scenarios of attack and how they would react.</li>
</ol>
<p>The keys here are to be consistent with the meetings and clear with the documentation.</p>
<p>Here are a few things you SHOULDN’T do regarding a DDoS that can make things much worse:</p>
<ol>
<li><strong>Don’t take this opportunity to be the first time you speak with law enforcement.</strong> Make sure you have a working relationship with local and federal law enforcement before an incident occurs. When the time comes, and hopefully it won’t, you’ll already have the contact and the procedure for reporting incidents. Many of these attackers are testing sites and selling the information to the highest bidder. You might not see tangible effects of alerting them right away, but speaking with law enforcement when appropriate can potentially help them piece together something a lot larger and take down an attacker before they wreak havoc.</li>
<li><strong>Never, ever trust one solution.</strong> If you hear a vendor say they’re the end-all-be-all solution for DDoS attacks walk the other way. You need layers of protection that start at your policy and procedures and move into hardening your environment. Additionally, seek help from the ISPs and potentially a third party mitigation solution. One-stop-shops don’t work for DDoS… just say no!</li>
<li><strong>Do Not Communicate with the Attacker.</strong> If the attacker tries to contact you, don’t communicate with them if possible. Anything written should be sent to your law enforcement contacts, and if they call, let them know that anything said will be recorded and that law enforcement is involved. That’s all &#8211; keep it cool.</li>
<li><strong>Don&#039;t Talk to the Press.</strong> What’s the first rule of Fight Club? The theory stays the same. Don’t speak to anyone about it that’s not “in the know”. Keep it off social media and don’t speak to the press about it in any way. The appropriate people will speak to those that need to know and alert the media if and when needed. The word is mum, otherwise.</li>
<li><strong>Don’t assume that attackers are just DDoS’ing you.</strong> Many times attackers will DDoS a company and use this as a smoke screen. While you’re there fighting the crippling DDoS on a particular site, they could also be taking advantage of a flaw on your network that allows them to gain access or steal data. Many attackers are using DDoS as an electronic flash grenade to distract and disorient defenders away from what they’re about to do.  Verify that your normal security monitoring is still taking place during a DDoS.</li>
</ol>
<p>So with this in mind, DDoS is here to stay and we should treat these attacks as something extremely serious. There are many motives behind DDoS attacks, from financial to political, but the end still stays the same&#8230; and you need to be ready. Knowing your environment and getting the proper pieces in place to protect you from the inevitable DDoS attack now will pay back in spades when the attack is underway. You may as well prepare yourself now.</p>
<p>The post <a href="http://blog.algosec.com/2013/04/an-in-depth-look-at-ddos-part-3-ddos-dos-and-donts.html">An In-Depth Look at DDoS – Part 3: DDoS Do's and Don'ts</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://blog.algosec.com/2013/04/an-in-depth-look-at-ddos-part-3-ddos-dos-and-donts.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An In-Depth Look at DDoS – Part 2: Considerations to Improve Your DDoS Defense</title>
		<link>http://blog.algosec.com/2013/03/an-in-depth-look-at-ddos-part-2-considerations-to-improve-your-ddos-defense.html</link>
		<comments>http://blog.algosec.com/2013/03/an-in-depth-look-at-ddos-part-2-considerations-to-improve-your-ddos-defense.html#comments</comments>
		<pubDate>Wed, 27 Mar 2013 09:24:49 +0000</pubDate>
		<dc:creator>Matthew Pascucci</dc:creator>
				<category><![CDATA[DDoS]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[AlgoSec]]></category>
		<category><![CDATA[application layer]]></category>
		<category><![CDATA[BGP]]></category>
		<category><![CDATA[denial of service]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[IP addresses]]></category>
		<category><![CDATA[IPS]]></category>
		<category><![CDATA[Matthew Pascucci]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network layer]]></category>
		<category><![CDATA[network traffic]]></category>

		<guid isPermaLink="false">http://blog.algosec.com/2013/03/27/an-in-depth-look-at-ddos-part-2-considerations-to-improve-your-ddos-defense/</guid>
		<description><![CDATA[<p><p>Okay so if you’ve read <a title="DDoS Motives Methods and Tools" href="http://blog.algosec.com/2013/03/an-in-depth-look-at-ddos-part-1-motives-methods-and-tools.html" target="_blank">Part 1 of this blog series</a>, you now know what DDoS is (and if you don&#039;t, you&#039;re on the wrong site!). Now what? Well now we start the phase of defending against these attacks. The first thing you need to look at is your infrastructure and determine what tools you currently have in your toolbox that might be able to defend against it.</p>
<p><a href="http://blog.algosec.com/2013/03/an-in-depth-look-at-ddos-part-2-considerations-to-improve-your-ddos-defense.html" class="fancy-more-link">Read more</a></p>
</p><p>The post <a href="http://blog.algosec.com/2013/03/an-in-depth-look-at-ddos-part-2-considerations-to-improve-your-ddos-defense.html">An In-Depth Look at DDoS – Part 2: Considerations to Improve Your DDoS Defense</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Okay so if you’ve read <a title="DDoS Motives Methods and Tools" href="http://blog.algosec.com/2013/03/an-in-depth-look-at-ddos-part-1-motives-methods-and-tools.html" target="_blank">Part 1 of this blog series</a>, you now know what DDoS is (and if you don&#039;t, you&#039;re on the wrong site!). Now what? Well now we start the phase of defending against these attacks. The first thing you need to look at is your infrastructure and determine what tools you currently have in your toolbox that might be able to defend against it.</p>
<ul>
<li>Do you have an IPS with DDoS signatures enabled?</li>
<li>Is your router/firewall configured with rate limiting?</li>
<li>Should you consider blocking certain countries on your edge?</li>
<li>And many more…</li>
</ul>
<p><img class="alignright size-full wp-image-129" alt="032713" src="http://blog.algosec.com/wp-content/uploads/032713.png" width="320" />There are many things that can be done with existing network equipment to protect against network layer attacks. If you know that your equipment can barely handle the current production load then being hit with a small DDoS is going to tip you over.</p>
<p>From an application layer perspective, know where your weak points are. How many connections can your database hold without dying? Do you have the opportunity to failover or cluster websites, DNS, etc. to push the load of traffic to other sites or distribute the traffic to where you want it?</p>
<p>Knowing what you currently have in your arsenal can really come in handy when you’re attacked later. Also, there are on-site or on-premises devices that are strictly there to protect your network and applications against DDoS attacks. These look at the traffic coming into your network and will start mitigating once bad traffic is identified. The problem here is what happens when the load is too much for that system, the routers or your internet connection? I’m glad you asked.</p>
<p>Some options to consider:</p>
<ol>
<li><strong>Partner with Your ISP</strong> &#8211; Once you’ve done your due diligence on verifying what you own internally, it might be time to understand how third parties can extend this protection. If you can’t handle a DDoS with your current infrastructure it’s very important to reach out for help. One of the ways of doing this is partnering with your ISP and attempting to get assistance upstream from them.  Since these attacks have to come over their network they sometimes have the capability to block certain IP addresses from ever hitting your network. This can become like playing whack-a-mole if it’s based solely off IP address, but it’s something to keep in your back pocket.</li>
<li><strong>Examine CDN Services &#8211; </strong>If you’re a large company and are using CDNs (Content Distribution Networks) to help get your site out to the world more quickly and efficiently, it might be worth taking a look at services they offer. Since these services are meant to return any traffic sent to them, many times they have the ability to absorb simple DDoS attacks by design, but they don’t cover everything.</li>
<li><strong>Scrub Your Traffic &#8211; </strong>The last option is to partner with a scrubbing facility that allows you to route traffic over to them either by DNS redirects or BGP changes. Doing this allows you to have your dirty DDoS traffic scrubbed clean by going through these partners using a plethora of DDoS mitigation systems and techniques before having the clean and happy traffic sent back to you. Many of these companies offer monitoring of DDoS traffic that give you early warning signs that something evil might be coming. This part of the service, either owned by you, or as a third party is very important.</li>
</ol>
<p>The last thing you want is to not know you were slowly being attacked until it’s too late. You’ll never get those 15 minutes back. Next we&#039;ll examine some Do&#039;s and Don&#039;ts when it comes to securing your network from DDoS attacks.</p>
<p>The post <a href="http://blog.algosec.com/2013/03/an-in-depth-look-at-ddos-part-2-considerations-to-improve-your-ddos-defense.html">An In-Depth Look at DDoS – Part 2: Considerations to Improve Your DDoS Defense</a> appeared first on <a href="http://blog.algosec.com">Security Management at the Speed of Business - AlgoSec Blog</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://blog.algosec.com/2013/03/an-in-depth-look-at-ddos-part-2-considerations-to-improve-your-ddos-defense.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
