I’m often asked “why did my system get infected when I had the latest system updates and anti-virus enabled?” Well, a fundamental concept behind security products is they can only look for so many things or use so many detection techniques before they must permit traffic. This means your defenses will fail if an attack uses a method that your detection system can’t see or scanner does not have an existing signature to scan against. This is why attackers hide exploits using techniques such as obfuscation to bypass security detection. Continue reading
There are many SIEM solutions available however I was extremely impressed with recent innovations from Splunk regarding a free Application that can be used to centralize security data from multiple cisco solutions. By definition, a security information and event monitoring system aka SIEM is typically just that; either a good information sorting tool or solution that helps identify and react to events.
One of Splunk’s key market differentiators is their extensive application library developed by customers and Splunk engineering. These applications turn the traditional SIEM into a business enabler to meet specific use cases. Splunk has developed cisco applications in the past however recently face-lifted the cisco Security Application to include Cisco access control (ISE), email security (ESA), web security (WSA), Cisco firewalls, and even SourceFire (both network and only SIEM as of today to support malware aka AMP). This application can link findings with other vendor data such as taking ISE context (IE Joey’s windows 7 laptop on port 1/0/14) and matching it to any captured log by Splunk (For example a McAfee IPS event). This provides a true centralized view of data across a network.
F5 just announced they are acquiring Defense.net. Distributed Denial of Service or DDoS is an attacks that attempts to make a server or a network resource unavailable to users (more on launching and preventing DoS and DDoS can be found HERE). Many sources such as the latest Verizon Breach Report as well as some of my customers are seeing a rise in this form of attack. Typically, DDoS / DoS attacks are volumetric meaning they are caused by a ton of systems targeting a specific server, which is hard to defend against. For this reason, the DDoS /DoS vendors are seeing an increase in Interest such as Arbor, Radware and now Defense.net. Continue reading
Many security professionals will make the claim “there is no silver bullet security solution”, which is completely true … but why? Why can’t large security vendors spending millions on research develop a way to ensure we are protected? We landed on the moon many years ago. Why not solve this? Well it comes down to a few concepts. Continue reading
My buddy Aamir Lakhani wrote a great post covering the recently exposed security vulnerability that impacts more than half of the websites on the Internet. Its something everybody needs to be aware of. The original article can be found HERE.
Heartbleed is a serious vulnerability affecting OpenSSL cryptographic libraries. The Heartbleed vulnerability allows an attacker to steal information protected under normal SSL TLS conditions.
Here is what you need to know:
- This is a very serious vulnerability.
- It harms personal computers and everyday users. Attackers could possibly steal user information.
- Many popular websites, including social media, search, email, banking, and health sites are vulnerable.
- The bug is found on most systems and has been present since 2012.
- Most likely, attackers knew about the vulnerability, and may have been exploiting it for a long time.
- Patching and updating systems will not protect owners from attackers who have already captured data.
My buddy Aamir Lakhani wrote about how traditional security products such as Stateful firewalls and older IPS/IDS solutions are not cutting it for today’s level of threats. This post covers why the “Next-Generation” of security technology matters. The original post can be found HERE.
Organizations are replacing their Stateful firewalls with Next-Generation firewalls (NGFW) and Next-Generation Intrusion Prevention systems (NGIPS). Most traditional firewalls are nothing more than packet filters that keep track of who initiated the traffic to automatically allow response traffic back to originator. IPS vendors such as Sourcefire and McAfee (Intel Security) are rapidly adding advanced features to protect against insider threats, application vulnerabilities, mobile devices, and malware. One must wonder are the days of traditional perimeter security devices such as Stateful firewalls and single-pass IDS systems numbered?
The future of security must reach beyond the capability of an appliance. There are too many attack vectors that are continuously changing to detect with a silo solution. It basically comes down to this …. there are only so many signatures that can be checked against as well as behavior algorithms that can be put in place before you must let traffic pass. Odds are, a malicious attacker will eventually bypass detection based on the fact that there are hackers out there with a rack of all the latest vendor IPS, Firewalls, etc. in a lab designed to test how effective a piece of malware is against any enterprise security solution. So in a nutshell, you will only be able to stop the majority of attacks launched against your network. Something will eventually get through. This means detecting and preventing can’t be your only security strategy. Continue reading
Management of security devices is a critical function for maintaining the best performance and being aware of security related events. Cisco has released their second generation of ASA, which includes new management options. This post will cover the new management interface and compare it to the previous options. Continue reading
Aamir Lakhani from drchaos.com wrote a good article on how chaining together social engineering tactics compromised a highly visible twitter account. The original post can be found HERE.
Who can we trust? It’s a tough question. We think we can trust our friends, co-workers, mentors, and colleagues because they are people we see and interact with often as frequently as we do with our family members. Unfortunately, there is risk in trusting others, particularly when those we trust have privileged access to our accounts and sensitive information. When our trust and exposure extends to those who we work with, and incorporates intimate knowledge of our business concerns, corporate cultural developments, and technology secrets, we must face the reality of insider threats. Unlike external attackers, those we consider to be on the inside of our trust circles do not need to hunt for valuable information, nor do they need to exploit strong perimeter defenses; insiders already know what is valuable and where it is stored.