Detecting threats on endpoints like laptops and mobile devices is important but not enough to defend against the threats we see against our users. Reason why is Anti-Virus and host IPS/IDS can only scan for so many signatures and leverage so many behavior checks before they must let the traffic go through or it will impact the user experience. This is why many users get compromised by clicking the wrong email, accessing the wrong website, share the wrong USB drive and so on. Detection needs to extend beyond the doorway and look at files that have breached a host’s defense to determine if that system has been compromised as well as offer a method to remediate the entire outbreak. Continue reading
Many industries rely on revenue generated by sales and if credit is used, Payment Card Industry (PCI) compliance is mandated. This includes all industries that process, store or transmit credit card information. Like any compliancy standard, this is the minimal level of real security and should not be considered the goal to protect sensitive data. All compliance mandates that matter must go through various review and audit processes that take time and cause the results to be dated compared to the speed of new attacks you should expect against your network. This means meeting mandates such as PCI should just be part of your overall security strategy. Continue reading
I’m often asked “why did my system get infected when I had the latest system updates and anti-virus enabled?” Well, a fundamental concept behind security products is they can only look for so many things or use so many detection techniques before they must permit traffic. This means your defenses will fail if an attack uses a method that your detection system can’t see or scanner does not have an existing signature to scan against. This is why attackers hide exploits using techniques such as obfuscation to bypass security detection. Continue reading
There are many SIEM solutions available however I was extremely impressed with recent innovations from Splunk regarding a free Application that can be used to centralize security data from multiple cisco solutions. By definition, a security information and event monitoring system aka SIEM is typically just that; either a good information sorting tool or solution that helps identify and react to events.
One of Splunk’s key market differentiators is their extensive application library developed by customers and Splunk engineering. These applications turn the traditional SIEM into a business enabler to meet specific use cases. Splunk has developed cisco applications in the past however recently face-lifted the cisco Security Application to include Cisco access control (ISE), email security (ESA), web security (WSA), Cisco firewalls, and even SourceFire (both network and only SIEM as of today to support malware aka AMP). This application can link findings with other vendor data such as taking ISE context (IE Joey’s windows 7 laptop on port 1/0/14) and matching it to any captured log by Splunk (For example a McAfee IPS event). This provides a true centralized view of data across a network.
F5 just announced they are acquiring Defense.net. Distributed Denial of Service or DDoS is an attacks that attempts to make a server or a network resource unavailable to users (more on launching and preventing DoS and DDoS can be found HERE). Many sources such as the latest Verizon Breach Report as well as some of my customers are seeing a rise in this form of attack. Typically, DDoS / DoS attacks are volumetric meaning they are caused by a ton of systems targeting a specific server, which is hard to defend against. For this reason, the DDoS /DoS vendors are seeing an increase in Interest such as Arbor, Radware and now Defense.net. Continue reading
Many security professionals will make the claim “there is no silver bullet security solution”, which is completely true … but why? Why can’t large security vendors spending millions on research develop a way to ensure we are protected? We landed on the moon many years ago. Why not solve this? Well it comes down to a few concepts. Continue reading
My buddy Aamir Lakhani wrote a great post covering the recently exposed security vulnerability that impacts more than half of the websites on the Internet. Its something everybody needs to be aware of. The original article can be found HERE.
Heartbleed is a serious vulnerability affecting OpenSSL cryptographic libraries. The Heartbleed vulnerability allows an attacker to steal information protected under normal SSL TLS conditions.
Here is what you need to know:
- This is a very serious vulnerability.
- It harms personal computers and everyday users. Attackers could possibly steal user information.
- Many popular websites, including social media, search, email, banking, and health sites are vulnerable.
- The bug is found on most systems and has been present since 2012.
- Most likely, attackers knew about the vulnerability, and may have been exploiting it for a long time.
- Patching and updating systems will not protect owners from attackers who have already captured data.
My buddy Aamir Lakhani wrote about how traditional security products such as Stateful firewalls and older IPS/IDS solutions are not cutting it for today’s level of threats. This post covers why the “Next-Generation” of security technology matters. The original post can be found HERE.
Organizations are replacing their Stateful firewalls with Next-Generation firewalls (NGFW) and Next-Generation Intrusion Prevention systems (NGIPS). Most traditional firewalls are nothing more than packet filters that keep track of who initiated the traffic to automatically allow response traffic back to originator. IPS vendors such as Sourcefire and McAfee (Intel Security) are rapidly adding advanced features to protect against insider threats, application vulnerabilities, mobile devices, and malware. One must wonder are the days of traditional perimeter security devices such as Stateful firewalls and single-pass IDS systems numbered?
The future of security must reach beyond the capability of an appliance. There are too many attack vectors that are continuously changing to detect with a silo solution. It basically comes down to this …. there are only so many signatures that can be checked against as well as behavior algorithms that can be put in place before you must let traffic pass. Odds are, a malicious attacker will eventually bypass detection based on the fact that there are hackers out there with a rack of all the latest vendor IPS, Firewalls, etc. in a lab designed to test how effective a piece of malware is against any enterprise security solution. So in a nutshell, you will only be able to stop the majority of attacks launched against your network. Something will eventually get through. This means detecting and preventing can’t be your only security strategy. Continue reading