Archives for April 2015

What is a ‘sophisticated’ cyberattack?

Ira Winkler and Ari Treu Gomes have defined eight rules to help classify cyberattacks as sophisticated or not. They call them the “Irari” rules, a contraction of their first names. Each rule also doubles as a recommendation for improving an enterprise’s security defenses.

I agree that the victims of cyberattacks too often classify the breaches they suffered as “sophisticated” when they were anything but. On the other hand, Ira and Ari have gone too far, for two reasons:

  1. No organization I am aware of has the resources to fully support all eight recommendations. So how do you prioritize? Risk management, you say?
  2. The technology simply does not yet exist to successfully implement some of the recommendations.

There is good news though. During the last few years, largely due to the success of companies like Palo Alto Networks and FireEye, there has been a tremendous surge in well-funded, innovative technical security controls that make many of the Irari recommendations feasible. By innovative, I mean controls that (1) are effective at improving security, (2) enable process improvement, and (3) carry a low risk of disrupting business processes.

Here are the eight Irari rules and my comments:

The malware used should have been detected. Keeping your anti-virus up to date seems reasonable. However, you should not be too satisfied, because signature-based anti-virus is a very low bar: it recognizes bytes it has seen before, not behavior. In a variation on HD Moore’s Law, any attacker can buy a packer or crypter that rewrites her malware’s bytes so that signature-based anti-virus products no longer recognize it. I recommend starting the process of adding a non-signature-based endpoint prevention solution and replacing “paid-for” A/V with Microsoft’s free tools.
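
The point about signatures, as an added example that is not from the post or from any anti-virus vendor: a harmless marker string stands in for a malware sample, a one-line XOR “packer” stands in for a crypter, and two scanners are run over the repacked variants. The sample’s behavior never changes, only its bytes, which is all a signature sees. The generic-unpacking scanner is modeled on the idea behind YARA’s `xor` string modifier; the packer, sample and signature are all constructed for this example.

```python
# Added example: why a byte signature is a low bar. SAMPLE is a harmless marker
# string standing in for a malicious payload; nothing here is real malware.
SAMPLE = b"MARKER-SAMPLE: contact c2.example.invalid then fetch stage2"
# The kind of static signature a traditional engine extracts from one known sample.
SIGNATURE = b"c2.example.invalid"


def pack(payload: bytes, key: int) -> bytes:
    """Trivial 'crypter': XOR every byte with a one-byte key and prepend the key,
    the way a packer's decoder stub carries what it needs to unpack at run time."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 is the identity transform; use 1..255")
    return bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob: bytes) -> bytes:
    """What the decoder stub does just before the payload runs."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def signature_scan(blob: bytes) -> bool:
    """Classic static scan: is the known byte pattern present verbatim?"""
    return SIGNATURE in blob


def xor_aware_scan(blob: bytes) -> bool:
    """Generic unpacking before matching: try all 256 single-byte XOR keys
    (the idea behind YARA's `xor` string modifier). This catches this packer,
    but the attacker's next packer will simply use a different transform."""
    return any(SIGNATURE in bytes(b ^ k for b in blob) for k in range(256))


def evasion_report(keys=(0x5A, 0x7F, 0xC3)) -> dict:
    """For the original sample and each repack of it, record what each scanner
    decides. Returns {variant: (signature_scan, xor_aware_scan)}."""
    report = {"original": (signature_scan(SAMPLE), xor_aware_scan(SAMPLE))}
    for k in keys:
        blob = pack(SAMPLE, k)
        assert unpack(blob) == SAMPLE  # the payload would still run exactly as before
        report[f"key=0x{k:02x}"] = (signature_scan(blob), xor_aware_scan(blob))
    return report


if __name__ == "__main__":
    for variant, (sig, generic) in evasion_report().items():
        print(f"{variant:10s} signature_scan={sig!s:5s} xor_aware_scan={generic}")
```

Every repacked variant is missed by the plain signature scan and caught by the generic-unpacking scan, which is the arms race in miniature: each new transform the attacker buys forces the defender to add another unpacker, whereas a control that judges what the code does on the endpoint is indifferent to how its bytes were packed.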

The attack exploited vulnerabilities where patches were available. This is a tough one. First, is it really possible to patch every vulnerability? Second, if you are not going to, how do you prioritize? CVSS has some well-understood weaknesses: a base score rates severity in isolation and says nothing about whether a working exploit exists, whether the host is exposed, or what the asset is worth to the business. There are better ways to prioritize the risks of vulnerabilities.
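
One such way, as an added example rather than anything from the post: rank findings by severity times likelihood times business impact, with the CVSS base score supplying only the first term. The findings, the placeholder identifiers (VULN-A and so on, not real CVEs) and the weights are all constructed for this example; the weights in particular are assumptions to be tuned per environment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset. Identifiers and values are constructed."""
    vuln_id: str
    cvss_base: float        # CVSS base score, 0.0-10.0 (context-free severity)
    exploit_public: bool    # working exploit code is publicly available
    internet_facing: bool   # reachable from untrusted networks
    asset_tier: int         # 1 = crown jewels, 2 = important, 3 = low value
    patch_available: bool


# Assumed weights for this example; tune them to your own environment.
ASSET_WEIGHT = {1: 3.0, 2: 1.5, 3: 0.5}
EXPLOIT_FACTOR = 2.0
EXPOSURE_FACTOR = 1.5


def risk_score(f: Finding) -> float:
    """Severity x likelihood x business impact. CVSS supplies only the first term."""
    score = f.cvss_base / 10.0
    if f.exploit_public:
        score *= EXPLOIT_FACTOR
    if f.internet_facing:
        score *= EXPOSURE_FACTOR
    return score * ASSET_WEIGHT[f.asset_tier]


def prioritize(findings):
    """Highest risk first; ties broken by CVSS so the order is deterministic."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss_base), reverse=True)


def patch_queue(findings):
    """Split the ranked list into 'patch now' and 'no patch yet: mitigate or isolate'."""
    ranked = prioritize(findings)
    return ([f.vuln_id for f in ranked if f.patch_available],
            [f.vuln_id for f in ranked if not f.patch_available])


def cvss_order(findings):
    """What a CVSS-only queue would look like, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def risk_order(findings):
    return [f.vuln_id for f in prioritize(findings)]


# Constructed findings (placeholder identifiers, not real CVEs).
FINDINGS = [
    Finding("VULN-A", 9.8, False, False, 3, True),   # "critical" CVSS on an isolated lab box
    Finding("VULN-B", 7.5, True,  True,  1, True),   # public exploit, internet-facing crown jewel
    Finding("VULN-C", 6.5, True,  False, 1, False),  # public exploit on a crown jewel, no patch yet
    Finding("VULN-D", 9.0, False, True,  2, True),   # exposed but no known exploit
]

if __name__ == "__main__":
    print("by CVSS alone:", cvss_order(FINDINGS))
    print("by risk:      ", risk_order(FINDINGS))
    print("patch now / mitigate:", patch_queue(FINDINGS))
```

The CVSS-only queue puts the isolated lab box first; the risk queue puts the exposed, already-exploitable crown jewel first and surfaces the unpatchable finding as something to mitigate rather than wait on, which is the prioritization question the rule leaves open.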

Multifactor authentication was not in use on critical servers. This makes sense. However, the cost of issuing and managing the second factor (certificates or tokens, for example) is, too often, not considered.

Static passwords were used in attacks on critical servers. While the concept of changing passwords frequently sounds good, the human cost, measured in the time consumed changing passwords, is too often not considered. An automated password changer that rotates privileged credentials on a schedule or after each use would be interesting.

If phishing was involved, there was no awareness program in place that went beyond phishing simulations and computer-based training. Phishing is a primary attack vector. The issue is how effective your security awareness program is, and how well you can measure that effectiveness. Note here that Ira Winkler’s company, Secure Mentem, provides security awareness programs.

There was poor network segmentation that allowed the attackers to jump from low-value networks to critical systems. There is no doubt that segmentation is of critical importance. It is well understood, as the Irari authors point out, that better segmentation in a couple of areas would have prevented the exfiltration of card data in the Target breach. However, until very recently, the complexity and implementation costs of datacenter segmentation put it out of reach for most organizations.

User accounts that were compromised had excessive privileges. Another excellent recommendation, but excessive privilege was, until very recently, extremely difficult to prevent or detect. Users need administrative privileges for a variety of reasons. There are now security agents that block unneeded activities even when the user holds administrative privileges. There are also User Behavior Analytics tools, easy to administer and operate, that highlight users whose application access rights exceed those of their peers.
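
The peer comparison those tools perform, as an added example that is not from the post or any UBA product: each user’s entitlements are compared against the entitlements held by the other members of the same group, and anything fewer than a quarter of the peers hold is flagged. The identity data, group names and threshold are constructed for this example; users who have no peers are reported separately, because a sample of one cannot define what is normal.

```python
from collections import Counter

# Constructed identity data: user -> (peer group, granted entitlements). Not real.
USERS = {
    "alice": ("finance", {"erp", "email", "expense"}),
    "bob":   ("finance", {"erp", "email", "expense", "domain-admin", "db-prod"}),
    "carol": ("finance", {"erp", "email"}),
    "dave":  ("finance", {"erp", "email", "expense"}),
    "erin":  ("devops",  {"email", "db-prod", "ci", "ssh-prod"}),
    "frank": ("devops",  {"email", "db-prod", "ci", "ssh-prod"}),
    "grace": ("legal",   {"email", "contracts", "domain-admin"}),  # no peers at all
}


def peers_of(users, user):
    """Everyone in the same group except the user being profiled."""
    group = users[user][0]
    return [u for u, (g, _) in users.items() if g == group and u != user]


def rare_entitlements(users, threshold=0.25):
    """Entitlements a user holds that fewer than `threshold` of their peers hold.
    Returns {user: {entitlement, ...}} for users with at least one such right.
    Users with no peers are skipped; see unprofiled() for them."""
    flagged = {}
    for user, (_, rights) in users.items():
        peers = peers_of(users, user)
        if not peers:
            continue
        # How many peers hold each entitlement (a right no peer holds scores 0).
        freq = Counter(r for p in peers for r in users[p][1])
        rare = {r for r in rights if freq[r] / len(peers) < threshold}
        if rare:
            flagged[user] = rare
    return flagged


def unprofiled(users):
    """Users the peer comparison cannot cover; they need a manual review instead."""
    return sorted(u for u in users if not peers_of(users, u))


if __name__ == "__main__":
    for user, rights in rare_entitlements(USERS).items():
        print(f"{user}: rare among peers -> {sorted(rights)}")
    print("no peer group:", unprofiled(USERS))
```

Only bob is flagged, for domain-admin and db-prod, rights none of his finance peers hold; erin and frank both hold db-prod, so for devops it is normal. The threshold matters: raised to 0.7, the expense right held by two of three finance peers also starts showing up, which is why the baseline and threshold should be reviewed before the alerts are.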

Zero Trust on the Endpoint

The Forrester Zero Trust Model (Zero Trust) of information security advocates a “never trust, always verify” philosophy in protecting information resources. Though the model has traditionally been applied to network communications, today’s cyber threats warrant extending it to the endpoint. Palo Alto Networks® Traps™ Advanced Endpoint Protection is an innovative endpoint protection technology that prevents exploits and malicious executables, both known and unknown. It can act as the enforcement point for Zero Trust on the endpoint and serve as a vital component of an enterprise’s security architecture and compliance suite.

Introducing Next-Generation Honeynets

Attivo Networks is introducing a next-generation, virtualized honeynet solution that lets you quickly deploy decoy information resources that appear to be part of your network. These honeynets are closely monitored virtual environments that appear to contain information and services of value to attackers, and they require very little maintenance. Attivo honeynets host multiple Windows and Linux operating systems running a multitude of applications and services, so that attackers falsely believe they are accessing production networks. Because no legitimate user has a reason to touch a decoy, Attivo honeynets are a low-maintenance, low-false-positive detection control that alerts you to attackers who have bypassed your perimeter defenses.

Introducing Active Breach Detection

LightCyber’s Active Breach Detection identifies active attacks after they have circumvented your threat prevention systems and before they have caused a material breach of confidential information. LightCyber (1) uses machine learning to continuously profile user and device behavior and detect malicious attack behavior on your network, and (2) validates the suspected attack using agentless endpoint analysis. The result of these coordinated network and endpoint analyses is high-quality alerts with a very low rate of false positives. Finally, LightCyber integrates with your prevention controls for remediation.
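
The network half of that approach in its simplest form, as an added example that is not from the post or from LightCyber: per-host behavioral profiling over flow records, where each host’s baseline is the set of internal destinations it talks to and how many it reaches per day, and an alert fires when a host suddenly reaches far more destinations than usual and most of them are ones it has never contacted. The flow records are generated in code and constructed for this example, and the endpoint validation stage is not modeled; the field layout, thresholds and host names are all assumptions.

```python
import statistics
from collections import defaultdict


def build_constructed_log():
    """Constructed flow records 'YYYY-MM-DD src_host dst_ip dst_port'. Not real data.
    ws-17 normally talks to two or three servers a day; on day 6 it fans out to
    ten hosts it has never contacted, the shape of lateral movement or recon."""
    lines = []
    usual = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
    for day, n in enumerate([2, 3, 2, 2, 3], start=1):
        for dst in usual[:n]:
            lines.append(f"2015-04-{day:02d} ws-17 {dst} 445")
        lines.append(f"2015-04-{day:02d} srv-db 10.0.1.10 445")   # quiet, steady host
    for i in range(20, 30):
        lines.append(f"2015-04-06 ws-17 10.0.5.{i} 445")
    lines.append("2015-04-06 srv-db 10.0.1.10 445")
    return lines


def parse(lines):
    """-> {src_host: {day: set(dst_ip)}}"""
    by_host_day = defaultdict(lambda: defaultdict(set))
    for line in lines:
        day, src, dst, _port = line.split()
        by_host_day[src][day].add(dst)
    return by_host_day


def detect(lines, baseline_days=5, k=3.0, min_new=5):
    """Profile each host on its first `baseline_days` days, then flag any later
    day on which it reaches more distinct destinations than mean + k*stdev AND
    at least `min_new` of them were never seen before. The second condition
    keeps a merely busy day against known servers from alerting.
    Returns [(host, day, distinct_destinations, never_seen_before)]."""
    alerts = []
    for src, days in parse(lines).items():
        ordered = sorted(days)
        base, rest = ordered[:baseline_days], ordered[baseline_days:]
        counts = [len(days[d]) for d in base]
        if len(counts) < 2:
            continue   # not enough history to profile; do not guess
        known = set().union(*(days[d] for d in base))
        mean, std = statistics.mean(counts), statistics.pstdev(counts)
        for d in rest:
            dsts = days[d]
            new = dsts - known
            if len(dsts) > mean + k * std and len(new) >= min_new:
                alerts.append((src, d, len(dsts), len(new)))
            known |= dsts   # the profile keeps learning after the baseline window
    return alerts


if __name__ == "__main__":
    for host, day, total, new in detect(build_constructed_log()):
        print(f"{day}: {host} reached {total} hosts, {new} never seen before")
```

Only ws-17 on day 6 alerts; srv-db, which reaches the same single server every day, stays silent even though its baseline has zero variance. Real profiling uses richer features (ports, volumes, time of day, peer-group comparison) and, as the blurb describes, a second stage on the endpoint before the alert is raised.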

Introducing the Cloud-DMZ (TM)


Sentrix has introduced an architecture for web application security that uses the cloud as an enterprise protective zone (DMZ) to address the full range of web application and site attacks, including DDoS. In addition, moving deterministic content to the cloud enables easy scalability when needed. Traditional Web Application Firewalls cannot keep up with the rapid changes driven by DevOps and marketing, and therefore devolve into low-value blacklisting controls. Sentrix’s continuous crawling of the web application or site automatically updates the secure, cloud-based content replica and the whitelist rules that protect business transactions.
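
The whitelist-from-a-crawl idea, as an added example that is not from the post or from Sentrix: a constructed crawl of a small site yields the only endpoints, methods and parameters that exist, each parameter’s value shape is learned from the crawled values, and requests are then accepted only if they fit. A naive blacklist pattern is included to show what it misses. The site, the crawl results and the shape rules are constructed for this example, and the approach assumes the crawled content is deterministic, as the blurb says.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed crawl of a site: (method, path, parameters observed). Not a real site.
CRAWLED = [
    ("GET",  "/",          {}),
    ("GET",  "/products",  {"page": "2", "sort": "price"}),
    ("GET",  "/products",  {"page": "1"}),
    ("GET",  "/product",   {"id": "42"}),
    ("GET",  "/product",   {"id": "17"}),
    ("POST", "/cart/add",  {"id": "42", "qty": "1"}),
]


def learn_shape(value: str) -> str:
    """Generalize an observed value into a regex: digits, lowercase words,
    otherwise the exact literal. A real product learns much richer shapes."""
    if re.fullmatch(r"\d+", value):
        return r"\d+"
    if re.fullmatch(r"[a-z]+", value):
        return r"[a-z]+"
    return re.escape(value)


def build_allowlist(crawl):
    """-> {(method, path): {param: {shape_regex, ...}}}"""
    rules = {}
    for method, path, params in crawl:
        entry = rules.setdefault((method, path), {})
        for name, value in params.items():
            entry.setdefault(name, set()).add(learn_shape(value))
    return rules


def allow(rules, method: str, url: str):
    """Positive model: unknown endpoint, unknown parameter or a value that fits
    no learned shape is rejected, whatever the payload looks like."""
    parts = urlsplit(url)
    key = (method, parts.path)
    if key not in rules:
        return False, "unknown endpoint"
    allowed = rules[key]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in allowed:
            return False, f"unexpected parameter {name}"
        if not any(re.fullmatch(shape, value) for shape in allowed[name]):
            return False, f"value of {name} does not match learned shape"
    return True, "ok"


# The kind of pattern a blacklist control accumulates; it knows one spelling.
BLACKLIST = re.compile(r"' OR ", re.IGNORECASE)


def blacklist_blocks(url: str) -> bool:
    return bool(BLACKLIST.search(url))


RULES = build_allowlist(CRAWLED)

if __name__ == "__main__":
    for method, url in [("GET", "/product?id=7"),
                        ("GET", "/product?id=1' OR 1=1--"),
                        ("GET", "/product?id=1/**/OR/**/1=1"),
                        ("GET", "/admin")]:
        print(f"{method} {url:32s} allowlist={allow(RULES, method, url)} "
              f"blacklist_blocks={blacklist_blocks(url)}")
```

Both injection attempts are rejected by the allowlist for the same reason, the id value is not a number, while the blacklist catches only the spelling it knows. The trade-off is the one the blurb implies: the allowlist is only as current as the last crawl, so a page deployed between crawls is rejected as an unknown endpoint until the crawl catches up.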
