Networks Without Borders

I’ve spent the better part of twenty years focusing on network security. That wasn’t what I started out to do in my life; I was just sort of there and the industry grew up around me. I now see a day where network security is the exception rather than the rule.

Twenty years ago, people were using a few apps, mostly hosted onsite, from a few wired locations. Most communications were not encrypted, to boot. This made it practical to use perimeter security devices to restrict who could go where and to monitor the flow of data.

These days, networks are abundant and broadband. Users have multiple devices to connect across multiple networks, few of which go through some sort of perimeter security device you can control. Communications are plentiful with an increasing percentage of them encrypted. The applications used are also plentiful and increasingly hosted in the cloud, i.e. on someone else’s infrastructure.

In new organizations built on Software and/or Infrastructure as a Service, the traditional perimeter gateway serves almost no purpose. There’s nothing in the network to segment and there is little you can do in the network to protect.

To be clear, the traditional perimeter is not going away anytime soon for many organizations. There’s far too much legacy infrastructure that still needs protecting, and a perimeter gateway may be your best bet. However, if you’re only looking at security from a network perspective, you’re missing out on an increasingly larger part of the picture. In the long run, visibility and security controls have to move closer to the endpoints. Not only the ones end users use, which include traditional desktop/laptop and mobile devices, but also the servers they connect to.

For cloud infrastructure hosted in VMware, OpenStack, AWS, Azure, or similar, this can be done through the use of microsegmentation, but make sure you are able to inspect traffic beyond layers 3 and 4. The good news is that Software Defined Networking technologies make it easy to apply deep inspection only to the traffic that needs it and not to all traffic. With the right solutions, security will be enforced dynamically based on groups defined in the virtualization environment, without regard to IP addresses. Traditional physical network security controls can also make use of this information to make more intelligent enforcement decisions!
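To make the “groups, not IP addresses” point concrete, here is an added Terraform example for AWS (not code from the original post or from any vendor mentioned): a database tier segmented first by hard-coded addresses, then by membership in the web tier’s security group. The names web, db and the vpc_id variable are placeholders; security groups only cover layers 3 and 4, so the deeper inspection the post calls for still has to come from something else.

```hcl
# Added example, not part of the original post. Assumes an existing VPC
# whose id is passed in as a variable.
variable "vpc_id" {
  type = string
}

# Weak version: an address-based rule. Every time a web server is replaced
# or the tier scales, this list goes stale, so the rule either stops
# matching the real servers or keeps admitting addresses that have since
# been reused by something else.
resource "aws_security_group" "db_ip_based" {
  name   = "db-ip-based"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.0.1.10/32", "10.0.1.11/32"] # constructed sample addresses
  }
}

# Group-based version: membership in the "web" security group is the
# identity. Any instance launched into that group is admitted to the
# database port, whatever address it happens to receive, and an instance
# removed from the group loses access immediately.
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "db" {
  name   = "db"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id] # source is a group, not a CIDR
  }
}
```

The same pattern (referencing a group or tag as the policy subject) is what VMware NSX, OpenStack security groups and Azure application security groups provide; the AWS syntax is just the easiest to show in a few lines.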

For Software as a Service offerings, you may need to utilize something like a cloud access security broker (CASB), a software tool or service that sits between an organization’s on-premises infrastructure and a cloud provider’s infrastructure. A CASB allows you to integrate familiar security controls with SaaS applications, extending visibility and enforcement of security policy beyond on-premises infrastructure.

On endpoints, it’s simply not enough to employ regular anti-virus anymore; you also need tools that can block zero-day threats, which usually enter a system through a web browser, email, or USB. Some vendors address this with highly instrumented approaches similar to Microsoft EMET or with on-endpoint virtualization, which of course adds load to endpoints that probably already have too many agents installed. Keeping the protection lightweight and effective is key.

Mobile devices have their own challenges. Mobile Device Management is a good start, but for true bring your own device models, end users may object to the controls this provides. It also does not address issues of user/corporate data segmentation or mobile-focused malware. A specific threat prevention solution for mobile threats is definitely required.

Ideally, of course, all of these solutions can be managed centrally, with events correlated across them. Some centralized identity framework that supports both on-premises and cloud-based applications will also be useful. Having identity correlated with your security events is even better.

It’s a challenge, but I feel like we finally have the technology to get this security thing right, or at least better than we’ve been able to do in the past. It’s going to take some effort to get there, along with supporting business processes and people, but I am hopeful organizations can and will get there.

Disclaimer: My employer, Check Point Software Technologies, does offer solutions to some of the above challenges. The views above, however, are my own.

Get Over Windows Defender Already, AV Vendors!

From That’s It. I’ve Had Enough!:

Users of Windows 10 have been complaining that the system is changing settings, uninstalling user-installed apps, and replacing them with standard Microsoft ones.

A similar thing’s been happening with security products.

When you upgrade to Windows 10, Microsoft automatically and without any warning deactivates all ‘incompatible’ security software and in its place installs… you guessed it – its own Defender antivirus. But what did it expect when independent developers were given all of one week before the release of the new version of the OS to make their software compatible? Even if software did manage to be compatible according to the initial check before the upgrade, weird things tended to happen and Defender would still take over.

And then the piece goes on to talk about how Microsoft is being anti-competitive and Kaspersky is going to take this up with official government bodies in the EU and Russia.

If we’re simply talking about Anti-Virus here, I don’t know that Kaspersky, or anyone else for that matter, is doing anything that much better than anyone else. The technology has inherent limits and, generally speaking, efficacy comes down to how quickly signatures are generated and deployed.

We know how effective AV is in general. It’s why Check Point and numerous other vendors, including Kaspersky, offer different solutions that address threats AV cannot by itself. This is where security software vendors should be focusing their efforts. Stop fighting with Microsoft over Windows Defender.

Disclaimer: My blog, my personal opinions. I’m sure you knew that.

Is Past (Security) Performance Indicative of Future Results?

It’s a phrase you will see in the fine print of any document related to past performance of a money manager, mutual fund, or managed financial account: “Past performance is not necessarily indicative of future results.” The same disclaimer could easily be applied to information security products and their ability to stop threats.

The most obvious technology this statement applies to: anti-virus. While it does a great job at doing what it was designed to do–block known, malicious files–it has limitations in the kinds of malicious files it can identify. It can also be a source of additional vulnerabilities, such as what Google recently discovered in Symantec’s Endpoint products. I suspect any widely used security technology will suffer a similar fate: either the technology itself is attacked or the technology is rendered ineffective through innovation by the bad guys.

Where I think “past performance” is indicative with security products is: how quickly security issues discovered in the product are remediated. Because let’s face it: every security product will be vulnerable to some discovered issue at some point. What ultimately matters is: how quickly do you remediate these issues.

For a company that uses “Prevention is Non-Negotiable” as their marketing message, Palo Alto Networks is not so good at fixing security issues discovered in their products. Here’s the latest example from the PAN-OS 7.1.4 release notes:

PAN OS 7.1.4 Fixed CVE

The National Vulnerability Database lists this as a high-severity issue. The time to issue a public patch? Nearly 6 months from date of discovery. Based on the response times Check Point has seen when security vulnerabilities were responsibly disclosed to them, this timeframe doesn’t seem all that surprising.

To be fair, it’s possible that Palo Alto Networks did a risk assessment on these issues and determined the likelihood of exploit is low enough that they didn’t need to fix these issues urgently. They may be right, but when you preach “Prevention is Non-Negotiable,” taking 6 months to fix a known security vulnerability in your product just looks bad. Actions, ultimately, speak louder than marketing.

Disclaimer: My employer, Check Point, believes in addressing issues like this quickly. These views, however, are my own.

Do You Really Need Threat Intelligence?

From Beyond Whack-A-Mole “Intel”:

In all of this, after the hours spent finding it, ripping it apart, and figuring out which IP or domain it came from so you can write a signature, blacklist and block it, what have you learned about your enemy? Better yet, what have you converted from an observation into codified knowledge that can be used later – that is not an IOC? What do you know about their objectives, short and long term? What do you know about their resource needs, infrastructure, motivations (are they political or financial)?

To put it another way: you spend a lot of time figuring out what happened, but not why it happened. Not the technical reasons–those are easy–but who was behind the attack, what was their motivation, what are they really after, and so on.

The author of this piece suggests a need to actually perform this research–after whacking the mole, of course. I see a couple of problems with this suggestion:

  1. Most organizations are not actively targeted. They are merely collateral damage suffered from larger efforts to spread malware. These organizations lack the resources to do this sort of research anyway and, even if they did, barely have the resources to act on that information.
  2. The largest organizations that are actively targeted have the staff to do this (and they largely already are). Could they be better at it? Sure.

I’m not saying threat intelligence is a bad thing; I’m just saying that in the hierarchy of information security needs, there are several base needs that must be satisfied first. Many organizations will never get to the point of needing this.

What I think would be useful to a larger percentage of organizations are tools that leverage threat research others are already doing and actually act on that research automatically. And no, I’m not talking about just IOCs (which will undoubtedly be part of this).

I know what you’re thinking: it sounds like an easy button for security. It doesn’t exist today, but I have no doubt someone will create it. We’re going to need it to stay one step ahead.

Disclaimer: My employer, Check Point, may or may not be working on such a thing, I don’t know. These views, however, are my own.