Sunday, January 20, 2013

Signatures Are Useless?


I was shocked by a pre-sales consultant of a vendor telling me that "Signatures are useless. Today we are facing the challenge of zero-day attacks."....He then further emphasized that his company's security solution is strong at detecting new attacks.

The vendor has a strong network optimization background and has been aggressively penetrating the security area in recent years. I just hope he is not going to spread this incorrect message to too many clients.

I agree that zero-day (or even negative-day) attacks pose a serious security challenge to enterprises and vendors. However, an effective and comprehensive practice of patching and signature updates is an essential part of a solid security defense.

According to Gartner, “90% of successful attacks occurred against previously known vulnerabilities where a patch or secure configuration standard was already available.”

A few vendors put "too much" emphasis on new attacks, zero-day attacks, or even negative-day attacks for their marketing and promotion purposes. The importance of known vulnerabilities and of signatures has never decreased.
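To make the point concrete, here is a small added example (my own illustration for this post, not any vendor's product code): a handful of simplified signatures for well-known vulnerability classes run over a few constructed web-server log lines. The log lines, the signature patterns and the "unexplained 5xx" fallback are all assumptions for this example; a real IDS or WAF rule set is far larger. It shows what a signature catches, and how a cheap second check can at least surface the requests that no known-vulnerability rule explains.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample web-server access-log lines (not from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2013:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 1043
10.0.0.7 - - [20/Jan/2013:10:01:09 +0800] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 213
10.0.0.9 - - [20/Jan/2013:10:02:15 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
10.0.0.9 - - [20/Jan/2013:10:02:40 +0800] "GET /products?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 88
10.0.0.5 - - [20/Jan/2013:10:03:00 +0800] "POST /login HTTP/1.1" 302 0
10.0.0.11 - - [20/Jan/2013:10:03:21 +0800] "GET /report?year=2013 HTTP/1.1" 500 77
"""

# Common Log Format: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

# Simplified signatures for well-known vulnerability classes (an assumption for
# this example; production rule sets are far larger and more careful).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "xss-marker": re.compile(r"<script", re.IGNORECASE),
    "sqli-marker": re.compile(r"'\s*or\s", re.IGNORECASE),
}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status, size = m.groups()
    # Decode the request target once so that percent-encoded variants of a
    # known pattern still hit the signature.
    return {"src": src, "time": ts, "method": method,
            "target": unquote(target), "status": int(status)}


def scan_log(text, signatures=SIGNATURES):
    """Match every request against the signature set.

    Returns a list of (line number, source address, signature name)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in signatures.items():
            if pattern.search(rec["target"]):
                hits.append((lineno, rec["src"], name))
    return hits


def unexplained_errors(text, hits):
    """Server errors (5xx) that no signature explains: a cheap second net for
    requests not covered by any known-vulnerability rule."""
    flagged = {lineno for lineno, _, _ in hits}
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec and rec["status"] >= 500 and lineno not in flagged:
            out.append((lineno, rec["src"], rec["target"]))
    return out


def summarize(hits):
    """Count hits per signature name."""
    return Counter(name for _, _, name in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for lineno, src, name in found:
        print(f"line {lineno}: {src} matched {name}")
    print("per-signature:", dict(summarize(found)))
    print("5xx not explained by any signature:", unexplained_errors(SAMPLE_LOG, found))
```

Three of the six constructed requests are caught purely because their patterns are known; the last one (a server error with nothing recognisable in it) is exactly the kind of thing a signature cannot name, which is why the two approaches complement rather than replace each other.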



You may be interested in this article from Juniper, "Understanding Our Approach to Addressing Known and Unknown Vulnerabilities".

Most MNCs or large enterprises have a vulnerability subscription or have purchased one. I would say it is a wise investment. There are also managed vulnerability scanning services available, whose charges are very affordable for most companies.


Sunday, January 13, 2013

Should All the Security Vendors Merge into ONE?

Most enterprises look for the so-called "best-of-breed solution" to cater to each different level of security concern:
  • Network Firewall: Vendor A
  • Proxy: Vendor B
  • Web Filtering: Vendor C
  • Application Control / Application Firewall: Vendor D

......and finally....
  • Security Incident and Event Management (SIEM), to manage all the above vendor solutions: Vendor Z

One day, a client wanted us to provide the commonly used brands for the different security solutions in the market. Frankly, it is not our style to start by talking about products straight away. Instead, we prefer to discuss from a risk management perspective, so as to advise what his company really needs and what it does not need. However, he "claims" it is only for his internal reference. (Alright :| ) We try our best to "help" him. I hope we are not unintentionally setting a trap for him.

(blurred image, no commercial here. :D )

While preparing a table like the one above (different types of security in different industries),
I thought: Should all Security Vendors Merge into ONE?

I am not talking about an all-in-one solution, like UTM, but about having ONE single vendor research and develop all the security products. Feasible or not?

As a Security Specialist, one of our roles is to interface with different security vendors. Sometimes I dream of a day when every security vendor is integrated into one. My life could become easier, provided that I would not lose my job because the work had become "too easy".

Back to the question: Should all Security Vendors Merge into ONE? (Feasible?)
Despite my personal preference for an easier job, I still prefer the existence of different vendors, because this generates....
  1. A healthy competition among vendors
    • R&D teams strengthen their products endlessly; they don't want to lag behind
    • Sales and marketing teams of different vendors aggressively promote their security solutions to end clients, which in turn provides free security awareness training to the public

  2. (Comparatively) more difficulty and complexity for hackers
    • There is no "single vendor of failure"
    • Hackers need to break through several layers of security control (provided by different vendors) before reaching their target (in some cases)
  3. Vendors' concentration on handling a particular outbreak or vulnerability
    • Recent example: Oracle is now focusing on fixing JDK 7 vulnerabilities, while other security vendors are aggressively promoting (teaching) how good they are at minimizing risk in the browser.

Monday, January 7, 2013

When Selling UTM, NGFW, Network Firewall, IPS


An NSS Labs report has prompted me to share opinions and experience on selling UTM, NGFW, traditional network firewalls, and network IPS.

  • Most enterprises would NOT prefer UTM
    • I started hearing of UTM around 2005, when I was handling sales and marketing for the SME segment. At that time we were selling Fortinet and Zywell UTM. However, most of the time, SME clients used them as an affordable firewall or VPN gateway. Check Point, Nokia and Cisco were considered luxury products for most SMEs. Clients seldom used the value-added anti-X features on the UTM.
    • From my observation, larger clients (which I call Enterprise) would not prefer UTM. UTMs are considered SME products.
    • Nowadays, although UTMs are available at much larger throughputs and the solutions are getting more mature, enterprises still hesitate to use UTM (even as a pure firewall), mainly because corporate standards "encode" Check Point (and the acquired Nokia), Cisco, or Juniper as the firewall standard.
    • Another reason I can "feel" is a pretty political one (please forgive me if I am saying it wrongly; this is just my personal sharing). Most enterprises (again, large companies) have different personnel or teams assigned to handle different IT solutions: Team A handles the firewall solution for e-banking and internal staff, Team B handles IPS for internal staff, while Team C takes care of DLP and endpoint security for internal staff. Each team uses a different best-of-breed solution in its area. Most of the time these are not the same brand of solution, and they are managed through different management consoles by the corresponding teams. It is not difficult to imagine the political and personnel issues that could arise if all the mentioned solutions were "integrated" into a single big UTM.

  • Vendors of traditional firewalls are "changing" their solutions into Next-Generation Firewalls
    • Due to increased attacks at the application level, traditional firewalls no longer satisfy the need. Therefore, NGFW is getting market attention.
    • Check Point and Cisco, having a strong footprint in the enterprise market, have been developing NGFW to target the lower-end market, like mid-market and SME, since around 2009. Obviously, the aim of this move is to expand market share as well. This has triggered a lot of struggle between these vendors and their key partners, because of this shift of focus in the solution, where the mid-market and SME segments may not be the focus of those key partners.
    • However, when coming to the mid-market, these "big" vendors face competition from other "smaller" vendors, like Fortinet, Juniper, SonicWall, etc.
    • On the other hand, the "smaller" vendors are no longer small. Referring to the Fortinet and Juniper websites, firewalls/NGFW with extremely high throughput are generally available. These vendors are starting to win some big cases in FSI, due to their price/performance.
    • Besides the shift of market position among vendors, the pricing of firewall/NGFW has been changing quite a lot. Firewall prices are getting higher, while NGFW prices are getting lower.

  • No matter UTM or NGFW, best-of-breed is still more technically preferred.
    • Throughout my years of selling UTM (or NGFW), it has not been rare to hear clients' negative feedback on the "additional" features of the "firewall": for example, a non-working bundled SSL VPN, or secure remote access from mobile devices that is not ready, with only a beta version of the hotfix available. Poorly degraded performance is recorded when anti-X features are activated.
    • This is pretty much in sync with NSS Labs' comments in the 2012 NGFW group test.

This free-to-download brief report, although not disclosing very much detail, has uncovered some key points from NSS Labs. I would recommend you download it and take a look: NSS Labs Report (What do you need to know about NGFW).

Friday, January 4, 2013

Mobile Device Management (MDM) (5) - Containerization Features (Demo with Good)

Besides basic provisioning, policy enforcement and administration functions (as discussed in Part 3 and Part 4), MDM solutions are differentiated by their containerization approach. There are two kinds:

  • Native MDM solutions
  • Container Security applications

Native MDM solutions are built upon the APIs natively offered by the different OSes (iOS, Android, Windows Mobile, etc.); only a lightweight MDM agent needs to be installed on the device. Container Security applications are developed independently, with their own security standards whatever OS you use; an MDM "application" needs to be installed on the device.

There are many native MDM solutions (MobileIron, AirWatch, etc.) and a few Container Security applications (Good, etc.).

(source: Gartner)

Here we take Good as an example to demonstrate what "containerization" looks like.

Download and install Good as you would any other application from the Play Store. Log in with the account and key provided by the administrator.
Once logged in to Good (the "Container"), you can see several applications developed by Good, like email, calendar, etc.



You can also see a browser within Good; the administrator can configure it to control allowable websites. On a visit to an unauthorized website, Good forces a log out (from Good) and prompts the user to use his/her own browser OUTSIDE the Good "container". The user has to log in again to use the MDM and the applications within Good.
Administration portal page
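As an added illustration of the container-browser behaviour described above (my own model for this post, not Good's real implementation or API), here is a small policy class: the administrator's allowed domains, a hostname check that normalises the URL before deciding, and the forced logout that the demo showed. The domain names, the "https only" rule and the session handling are all assumptions for the example.

```python
from urllib.parse import urlsplit


class ContainerBrowserPolicy:
    """Hypothetical model of a container browser's site allowlist.

    Assumptions (not Good's real implementation): an administrator configures
    a list of permitted domains; any other destination ends the container
    session, after which the user must log in again."""

    def __init__(self, allowed_domains, allowed_schemes=("https",)):
        self.allowed = {d.strip().lower().strip(".") for d in allowed_domains if d.strip()}
        self.schemes = {s.lower() for s in allowed_schemes}
        self.logged_in = False
        self.audit = []          # (url, decision) pairs, for the admin console

    def login(self):
        """Stand-in for the account/key login described in the post."""
        self.logged_in = True

    def host_allowed(self, url):
        """Decide on the hostname only, after normalising it.

        urlsplit().hostname strips userinfo and port and lowercases, so
        'https://intranet.example.com@evil.test/' resolves to evil.test."""
        parts = urlsplit(url)
        if parts.scheme.lower() not in self.schemes:
            return False
        host = parts.hostname
        if not host:
            return False
        host = host.rstrip(".")
        # The allowlist is domain based: raw IPv4/IPv6 literals are never allowed.
        if ":" in host or host.replace(".", "").isdigit():
            return False
        return any(host == d or host.endswith("." + d) for d in self.allowed)

    def browse(self, url):
        """Return 'allowed', 'forced-logout' or 'not-logged-in'."""
        if not self.logged_in:
            decision = "not-logged-in"
        elif self.host_allowed(url):
            decision = "allowed"
        else:
            self.logged_in = False       # the container session ends here
            decision = "forced-logout"
        self.audit.append((url, decision))
        return decision


if __name__ == "__main__":
    policy = ContainerBrowserPolicy(["intranet.example.com", "mail.example.com"])
    policy.login()
    for u in ("https://intranet.example.com/home",
              "https://hr.intranet.example.com/",
              "https://intranet.example.com.evil.test/login",
              "https://mail.example.com/"):
        print(u, "->", policy.browse(u))
```

The point of the normalisation is that an allowlist which compares raw strings is easy to slip past (look-alike suffixes, user-info tricks, mixed case, a trailing dot); matching on the parsed hostname, with subdomain matching only towards the right, is what makes the administrator's list mean what he thinks it means.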

Tuesday, January 1, 2013

(Happy New Year!) Security Best Practice for Enterprise 2013



One of my clients asked me for security best practices, so that he can propose security improvements to his management for the coming good year.

I found two lovely papers:

1. SANS Reading Room: "Defense in Depth: Employing a Layered Approach for Protecting Federal Government Information Systems".
2. CERT: "Common Sense Guide to Mitigating Insider Threats, 4th Edition" (not just common sense at all)


My client is not a government agency. Instead:
• It is the headquarters office of a large enterprise group.
• This group has many subsidiaries doing business in different areas, like retail, trading, telco, etc.
• In the headquarters office, there are around 100 senior managers with mobile device remote access rights.
• A number of applications are used within the group; the servers are installed at headquarters, and subsidiaries access those services/servers through the IPSec VPN that has been built.
• My client's office seems like a "government" within the group.

Therefore, I chose to share this paper with him, with a bit of summary.

Agenda:

(1) Threats to an Enterprise Information System (Internal, External)
(2) Risks to Information Systems
(3) Creative Ways for CIOs to Stretch IT Budgets
(4) Techniques for Protecting Enterprise Information Systems (Hardware, Software, Policy)

Summary
(1) Threats to an Enterprise Information System
• Attacks come from individuals and groups with malicious intent; sources of threat include information warfare, hackers, virus writers, and disgruntled employees and contractors.
• Sources can be classified into two types of threats to an information system: internal and external.
(1.1) INTERNAL:
• Internal threats: mostly defined as either current or former personnel (employees or contractors).
• These individuals have greater access to sensitive information and security weaknesses through their current or previous work experience.
• Additionally, an insider has an established trust relationship, so the person may not be questioned if seen in an authorized location or when asking for special network access.
• Cybercriminals may use internal employees as their attack vector for causing mayhem as well (most successful method: social engineering).
• Social engineering is when an attacker convinces an individual to perform an action or provide information about their computing environment that is not public knowledge. The attacker will usually claim to be IT support personnel and ask the “victim” to perform “diagnostic” activities which assist them in their attack.

(1.2) EXTERNAL:
• External threats: can be defined as “any vulnerability which can be exploited to gain access to an environment from outside the [host] environment”.
• A vulnerability can be viewed as an attacker using a weakness in the information system or security policy to their advantage.
• Examples of vulnerabilities:
  • Lack of software patch management
  • Cross-site scripting
  • Weak passwords
  • Unnecessary ports open on the firewall
  • Espionage
    • Competitors that damage the information system for political or economic gain
    • Attackers will target the enterprise and also key contractors
    • Contractors may be slower in adopting the same security standards as the enterprise
  • Spear-phishing
    • Attackers aim to gain unauthorized access to confidential data
    • Examples of successful spear-phishing email subject lines include “mailbox exceeded”, “helpdesk assistance required” or “password expired”
    • The message “appears” to come from a trusted source (e.g. IT admin)
    • Employees click on the link supplied in the message and are asked to “log in” with their username/password
    • Attackers use the victim’s login for network access, and send the same email message on to increase the pool of people to be compromised.
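The spear-phishing traits listed above translate directly into things a mail gateway or SIEM rule can look for. As an added example (mine, not from the SANS or CERT papers), here is a small scorer that parses a message with Python's standard email library and flags the three traits the summary names: a lure subject line, a display name that claims to be internal while the real address is not, and a link that leads outside the corporate domain. The corporate domain `example.com`, the two sample messages and the scoring threshold are constructed assumptions for the example.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed corporate domain for this example.
INTERNAL_DOMAIN = "example.com"

# Subject-line lures quoted in the paper summary above.
LURE_SUBJECTS = ("mailbox exceeded", "helpdesk assistance required", "password expired")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample messages (not real mail).
PHISH = """\
From: "IT Helpdesk (example.com)" <it-helpdesk@example-support.net>
To: alice@example.com
Subject: Mailbox exceeded - helpdesk assistance required
Content-Type: text/plain; charset=utf-8

Your mailbox has exceeded its quota. Log in within 24 hours to keep your account:
https://example.com.account-verify.net/login
"""

LEGIT = """\
From: "Payroll" <payroll@example.com>
To: alice@example.com
Subject: January payslip available
Content-Type: text/plain; charset=utf-8

Your payslip is ready at https://hr.example.com/payslips
"""


def _in_domain(host, domain):
    """True only for the domain itself or a subdomain of it (suffix match on labels)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def assess_message(raw, internal_domain=INTERNAL_DOMAIN):
    """Score one RFC 822 message for the spear-phishing traits listed above.

    Returns {'reasons': [...], 'score': n, 'verdict': 'suspicious' | 'ok'}."""
    msg = email.message_from_string(raw)
    reasons = []

    subject = (msg.get("Subject") or "").lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        reasons.append("lure-subject")

    # The display name claims to be internal, but the actual address is not.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if internal_domain in name.lower() and sender_domain != internal_domain:
        reasons.append("display-name-spoofs-internal")

    # Links that lead somewhere other than the corporate domain; a look-alike
    # such as example.com.account-verify.net is deliberately NOT in-domain.
    body = msg.get_payload(decode=True) or b""
    for url in URL_RE.findall(body.decode("utf-8", "replace")):
        host = urlsplit(url).hostname
        if not _in_domain(host, internal_domain):
            reasons.append("external-link:" + (host or "?"))

    score = len(reasons)
    return {"reasons": reasons, "score": score,
            "verdict": "suspicious" if score >= 2 else "ok"}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess_message(raw))
```

Each trait on its own is weak evidence (a genuine helpdesk really does send "password expired" mail), which is why the verdict needs two of them; in practice this kind of scorer sits behind the awareness training in the Policy section, catching what a hurried employee does not.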

(2) Risks to Information Systems
• Risk Management: defined as “the process of managing risks to enterprise operations”
• Risks to the information system include:
  • Resources: company financial information, business transaction information
  • Sensitive information: internal staff records, client records
(3) Creative Ways for CIOs to Stretch IT Budgets
• BYOD
  • Security professionals now need to weigh the business case for using personal devices, and their lack of security, in a new light
• Cloud
  • Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS)
  • The premise behind using cloud computing is to eliminate the need for agencies and departments to have their own data centers for application hosting and security monitoring.
  • Instead, enterprises rely on certified third-party vendors to host agency data and applications.
  • With these new changes, security professionals now need to keep their data and information systems secure when they are located all over the place.
(4) Techniques for Protecting Enterprise Information Systems
• Hardware
  • Firewall, intrusion detection system (IDS), intrusion prevention system (IPS), host intrusion protection system (HIPS) and multi-factor devices (e.g. secure token devices, etc.)
  • Portable media encryption: sensitive data stored on desktop and laptop computers is protected
  • Network Access Control / Identity Services Engine (e.g. Cisco): a device is required to be “securely checked in” every time it tries to connect to the network (including mobile devices)
  • Data loss prevention / email security (especially on email) (e.g. IronPort, Check Point) and web-content filtering (e.g. Check Point, Blue Coat, Palo Alto) deployed at the gateway, to avoid phishing and malware
  • Two-factor authentication solution

• Software
  • Endpoint devices (desktops, laptops, mobile devices) need to be deployed with anti-virus (anti-malware) software (e.g. McAfee), which can be centrally managed by McAfee ePolicy Orchestrator (ePO) (including mobile devices)
  • Patch management for all Windows-based equipment is required
  • (optional, for confidential email): Public key infrastructure (PKI) encryption should be enforced
  • (for sensitive desktops or laptops): the device is suggested to have the EnCase forensic software applet installed. This allows the IT/security team to conduct an initial forensic investigation “over the wire” as a means to catch a potential compromise in real time. In the event that the “over the wire” forensics did not work, IT support will remove the drive and send it through a proper custody procedure.
  • USB port control and removable media encryption solution

• Policy
  • Ensuring contracts have the standardized security clause.
  • “Policy” is the duty of the Information Security Officer (ISO), but IT personnel, contracting officers (COs) and supervisors play a role in compliance as well.
  • Segregation of duties (personnel who manage the data vs. personnel who protect the data)
  • Software protective measures (in the previous slide) to enforce security policy as a means to decrease exposure to malicious software.
  • All employees and contractors are required to take security awareness training and privacy training within 30 days of entry into duty, to be trained on their information security responsibilities
  • Security training provides information on what should be done in certain situations (e.g. sensitive information protection, avoiding providing logins via suspicious email links)
  • Refresher training is required annually
  • All employees with significant information security responsibility should complete role-based training. Depending on the role, the individual may take one course which is tailored to their specific job (e.g. database admin, system admin, CIO, etc.)
  • Ticketing system and reporting procedure to report potential information security or privacy incidents
  • Incident handling procedure in place (printed copies must always be available)
  • Incident Response Team should be ready; this team ensures that all necessary reporting procedures are followed if a breach has been confirmed.
  • Maintain the security posture through continuous monitoring

References:

1. SANS Reading Room (PDF): Defense in Depth: Employing a Layered Approach for Protecting Federal Government Information Systems
2. CERT: Common Sense Guide to Mitigating Insider Threats, 4th Edition