Tuesday, January 31, 2017

Cloud Adoption is Driving Security Innovation

Cloud adoption is bringing about a revolution in security innovation. Only a few short years ago security professionals were terrified to even utter the word “cloud”, but today, as organizations see the benefit of moving towards the cloud, its adoption has forced innovations that simply did not exist before. Cloud service providers knew that if the cloud was ever to be taken seriously, security had to be built in from the start. By taking this approach, leading cloud providers have driven security into their infrastructure and have arguably created environments that are not only as secure as where a business’s data previously lived, but potentially even better. In many cases it’s still up to the organization to create and manage the configuration in a secure manner. With this being said, CSPs and security vendors have taken advantage of security in the cloud, pushing it to their advantage and securing their clients in the meantime.

Cloud Service Providers Benefit from Security
It’s not a secret that AWS and Azure have been making giant strides in security. This has been done either by partnering with third-party vendors to integrate their solutions into the providers’ infrastructure, or with home-grown features giving clients the architecture needed to implement a secure network. The security risks of the cloud were made known right away, and had the CSPs not foreseen this blocker as early as they did, cloud adoption wouldn’t be as prevalent as it is today. Not only did they secure their infrastructure to a point where it would pass regulatory audits, they added features within their cloud ecosystems that brought security to the masses (e.g. logging, WAF, firewalls, security assessments), built into their offerings. In the past, companies might have shied away from these options with on-premises equipment, but having these services readily available has helped spread the awareness and implementation of security. The major CSPs have to be given credit for the way they’ve banked on security and made their offerings not only more secure, but more successful.

Security Vendors’ Adoption and SecSaaS
With the cloud providers shoring up their infrastructure, it was only a matter of time before the security vendors started to dabble in the cloud. Today there are numerous cloud options available to secure your enterprise, and the security industry has made a large push to make sure that their products are all functional in a cloud-based architecture. The security industry has been given a green light to proceed with developing their products to be cloud friendly. If they didn’t, they’d be left behind by competitors that are taking advantage of all the benefits the cloud has to offer. Just like the CSPs pushed security into their offerings early on, the security vendors are now pushing cloud into theirs.
Security vendors are now using the cloud to produce innovative products that are changing the way businesses work. The flexibility of the cloud and the capability to communicate remotely is allowing vendors to perform additional analysis, monitor more efficiently and remove management systems that once lived on premises at a client’s site. This also allows the protection of endpoints to be consistently up to date no matter where that endpoint happens to be. These vendors are also able to set up SOC-like monitoring, since all data lives on their side, and assist clients with 24x7 monitoring. No longer does an endpoint leaving the boundaries of your enterprise leave security behind with it. These vendors are able to have their hybrid solutions produce the same level of security and monitoring without being tied to a geographic location.

This has also produced a huge increase in SecSaaS, or security as a service. These services give customers the flexibility of security services in the cloud while outsourcing the infrastructure to a third party. This industry has been growing and will continue to be a large part of security in the cloud. A few examples of these services would be MFA, IdP, SIEM, spam/phishing protection, DLP, MDM, and the list goes on. These providers are taking particular security services that would normally be run on premises and moving them to the cloud. The innovation here allows quick turnaround on implementation, unification after mergers and acquisitions, adoption of technology that an organization might not have the in-house resources to manage, etc.

Many security companies today start in the cloud, and the ability to launch something in startup mode allows innovators to test their ideas without being strapped for capital. This lifts the financial burden and lets new technology be developed without the fear of financial loss. The cloud is enabling new ideas to be tested quickly and efficiently, and with that the industry will continue to grow; ideas that might have been stifled in the past will flourish and be usable by the masses.

Monday, January 30, 2017

Reviewing the Stampado Ransomware Variant

It seems like every day there's a new variant of ransomware popping up in the wild. Attackers are constantly tweaking code and making feature enhancements to their product to keep one step ahead of defenders. In this article, we discuss the Stampado variant, how it worms its way through your network and why it became so popular.

Forget Mobile Apps, the Battle's on Your Infrastructure

Mobile apps might be a newer threat landscape within information security, but it’s not where the war is being waged. Don’t get me wrong, there are some very dodgy things happening in the mobile arena and it’s something we need to be diligent about when it comes to security, but the biggest threats aren’t occurring there; they’re happening in your infrastructure. Many mobile apps (I’m saying many when I refer to Apple) receive timely software updates, solid data permissions and configurable privacy settings. This doesn’t mean they’re impenetrable, as we’ve seen with the recent Stagefright and Trident attacks against Android and iPhone respectively. With this being said, the infrastructure is still the target. It’s where the malicious actors are looking to conquer, and mobile apps are just one way into this battle.

A few years ago everyone was concerned with locking down the perimeter and making it impenetrable. I honestly think we’ve done a decent job of this and attackers have shied away from walking right through the front door. I’m sure this still happens today with misconfigurations and weak firewall rules, but an enormous amount of time and money has been spent to protect the perimeter from attack. It worked so well that attackers started looking into other avenues of attack and brought the focus back to the internal infrastructure, in particular the endpoint. The endpoints within your infrastructure are comparable to the battlefield today. Included within this battle are not only mobile devices, but every endpoint that a user is touching. These are the entry points into the network and allow attackers the ability to gain a foothold in your environment.

With the war being focused back on the endpoint, we’re seeing an entirely new market based on analytics appear to protect endpoints from attack. This is sorely needed, since the old method of using signatures has become a reactive approach to catching malicious actors moving through your systems. Having additional visibility into your network from an east-west perspective improves your chances of detecting an attacker before they’ve compromised additional endpoints. The fight being brought down to the endpoint has spawned new technologies that didn’t exist just a few years ago, much like the rise in technology produced during World War II to protect people from harm ushered civilization into a new age of advancement after the war. The crisis of malware and attackers infecting endpoints has forced many vendors to generate technology that helps remediate some of the larger issues at hand within their infrastructure.

These technologies are a direct response to the onslaught of attacks occurring within these networks against their infrastructure and endpoints. Many of these technologies provide agents that allow segmentation for isolation, are signatureless, allow for an understanding of your compliance posture as a whole, etc. Included within these detections are also systems that use deception to catch attackers within the infrastructure, use baselining analytics to catch endpoint behavior out of the norm and even allow third-party “hunt teams” to search your network for malicious actors and events.

The endpoints within your infrastructure are where the battle is being waged, and the technology is catching up once again to give people the ability to defend themselves. This of course is not a panacea by any means, but it’s an exciting advancement to the call of duty that security practitioners require to assist them on the frontlines. Let’s hope that with the advancement of new technology attackers will be pushed back, giving defenders just enough time to prepare for the attackers’ next avenue of attack. The cat and mouse game will continue; it’s just a matter of when and where.

Thursday, January 26, 2017

Tuesday, January 24, 2017

Using Security as a Business Enabler

Security is no longer a dirty word in most organizations. It’s become something to be embraced rather than a roadblock. With all the public hacks we’ve seen sprawled across the headlines, management has taken notice. Many organizations are looking to take the opposite approach when it comes to security now and embrace it as a business enabler. They’ve noticed that not only is it wise to secure their data and business, but it can essentially be used as a business benefit. The security mindset is seeping into the board room and it’s assisting with the growth of security as a business enabler. Here are a few areas that can help water this thought throughout your enterprise.

One of the first steps in transforming a company to use security as an enabler is to permit the in-house security resources to be evangelists. This starts with security management and works its way down through the entire department. This has been talked about numerous times in multiple other articles, but what they don’t talk about is allowing the security team to be put on display and network with other teams. At the end of the day they’re the ones who will be performing the work and are the disciples who will be pushing the security culture throughout the company. If they’re able to circulate into other groups spreading the word of security, it will disseminate through the company much faster. In doing this, the security team needs to be careful of using FUD to get their way. Let’s be honest, by using Fear, Uncertainty and Doubt a security team will force some issues in the business, but it’s a short-term win. Creating a culture of partnership with other groups first will gain you clout in your decisions when it comes to matters of real importance. Bullying teams into security only makes them want to circumvent the process the next time you’re involved. This doesn’t lead to security enabling anything within a business. Let’s put a check on the egos here.

If you can’t speak the language of risk, a company will never see security as an enabler. Learn to be bilingual when dealing with those that might not understand security and bring the concept of risk into the conversation. Not all vulnerabilities, misconfigurations, etc., are equal, and if you’re running around like Chicken Little each time something is wrong, your influence can be tarnished. I’m not saying not to be security conscious, that’s the last thing I’m saying, but applying risk to security is how it ends up becoming an enabler. This can be used against new threats coming into the enterprise, during mergers and acquisitions and essentially in any business decision-making process. This allows security to be seen as confident and astute when it comes to complex enterprise decisions and not as a panic-stricken department looking to catch up to the threats of the day.

This allows security to become a partner and change the perception of what your mission is within the business. You’re not here to stop projects or become a roadblock to progress, but to become a stakeholder in moving the organization to the next level. Reaching this level brings the ability to work together with the business to not only protect the brand, but to protect the bottom line. Making security a trusted advisor in your business allows an organization to retain customer loyalty or even gain additional respect, sell more products, achieve compliance and reach higher standards, while first and foremost protecting your data and brand. Building relationships, networking and speaking about security in a language that others will understand not only helps your internal security function more efficiently, it will spread throughout the organization, making security part of the process and a driver in your business going forward.

Saturday, January 14, 2017

Alexa, are you spying on me?

It wasn't law enforcement, or an oppressive regime, that installed surveillance in our homes, but a population bowing to convenience. With the increase of virtual assistants, like Amazon's Alexa, we're inflicting privacy wounds on ourselves at the hands of big brother business and government. These systems are dutifully listening to our every word while recording and storing this information to be used at a later time.

This is an emerging topic we're rushing headlong into without thinking about the future of privacy or security in our homes. Not to sound sarcastic, but right now it seems like we're more concerned about walking into a room and "speaking" the lights on or asking Alexa random questions without having to get off the couch. It's a topic that definitely needs more conversation.

I wrote this article for Tripwire to discuss the current and long-term privacy concerns of implementing virtual assistants. Hopefully, this article helps stimulate some thoughts on the issue.

Wednesday, January 11, 2017

Maintaining Digital Privacy in an Evolving World

I wrote this article in an attempt to take the best tools in the digital privacy space and have them listed under one blog. There are many other good tools available, but these in my opinion are the most important and easily accessible tools to help bolster your online privacy right away.

This article touches on browser, email, messaging, mobile and cloud storage alternatives which can be utilized to protect your privacy today. Please give it a read and let me know if there are other applications you recommend that aren't in it. If so, I'll add them to a blog in a future post to get the word out.

Here's the article:

Saturday, January 7, 2017

Chronicling Ransomware

Check out this excellent resource from “PrivacyPC” on ransomware updates and variants starting from May of 2016. The timeline goes through release dates, updates, ransomware decryption and other related events. This is definitely something worth keeping in your toolbox, as “PrivacyPC” continues to maintain the list.

Tuesday, January 3, 2017

What to Expect When Moving to Amazon's AWS

So your organization has decided to make the move to AWS and is thinking about ways to manage the migration with the least amount of resistance. Good for you! When moving to AWS there are multiple tasks that need to be completed for a successful migration or new implementation within their cloud offering. There are in-depth checklists available (Amazon actually has one of their own), and in this article we’re going to review six areas we think should be considered before your move to Amazon occurs.

Applications and Data

When migrating to the cloud an organization needs to consider the applications they’re currently using and whether they’ll function properly in AWS. It’s very possible an organization is using legacy apps that might not function properly in the cloud. Yes, believe it or not, people still use legacy apps. Understand the needs of these applications and whether they can even be installed within AWS. Also, get a firm understanding of the data being stored in the cloud. If this data is sensitive, think PHI or PCI data, determine whether you have the proper controls implemented to cover both security and compliance. If you don’t have this capability after moving to the cloud, you’ll have to start utilizing security solutions to protect this data, either with the AWS native security resources or with other solutions you have configured as an EC2 instance or within a hybrid install. Examples of these solutions would be a web application firewall, data encryption (at rest and in transit), logging and security assessments. Amazon offers all these services, but it’s possible the organization already has virtual or hybrid solutions which will fulfill your needs. Lastly, it’s important to determine whether you’ll be using a public or private cloud model for your data and applications. This comes into play if a busy tenant causes resource contention that inadvertently degrades the performance of your stack or application.

Billing and Cost

As with anything, cost and billing are important. This will almost always be an operational expense, and the budget for moving to the cloud should be discussed with finance before considering a move. That being said, there are a few items to keep your eyes on with AWS. The first thing to determine is whether there are other accounts set up with Amazon that might be active within the organization. With it being as easy as setting up instances with a credit card, it’s possible a business is already in the cloud and you don’t even realize it. If this occurs, or there’s a need to have multiple accounts, there should be an AWS master account created to link all the services back to the organization. Secondly, create billing alerts that will notify you when configured thresholds have been exceeded. The last thing you want is a misconfiguration or security issue racking up additional dollars without you knowing about it. There are many other areas to review with billing, but these are two areas you might want to start off with.

Change Management and Automation

This is a big deal in the world of cloud. When deploying systems in the cloud everyone thinks it will be automation nirvana, but because of this flexibility, change and configuration management need even more attention. When dealing with a purely AWS environment, it needs to be determined who can build and launch instances within your account. AWS has something called an Amazon Machine Image (AMI), which contains the information needed to build an instance. These need to be monitored so that the wrong instances aren’t deployed and updates are kept up with. Also, how will an organization deal with system hardening, patching and firewall changes? Security groups in particular need to be understood before inappropriate security holes are opened. When dealing with additional changes and config management on instances, VM creep sets in very easily, and a decommissioning process should be written for cost, operational and security reasons.

Incident Response and Security

This is a topic that could have multiple articles written on it alone, but we’re going to try and cram as much as we can in here now. If you’re using AWS for your entire ecosystem then bringing in their security services is a must. Amazon has published native services for IAM, logging, cloud WAF, MFA, encryption with HSMs and security assessments. Using these tools is a must if you’re going to go all in with Amazon, since they integrate natively with every other tool within the Amazon ecosystem. Last, but not least, incident response in the cloud needs to be reviewed. Performing IR in the cloud is a different animal, and you’ll need to determine whether your normal procedures, tools and runbooks will fit while performing IR in the cloud. There will be areas you can’t touch, like logs on a system within a multitenant environment, and working with Amazon during this time is essential. Learn what you need to do upfront, before it’s too late.

Remote Management

Obviously, since the systems aren’t on-premises, there needs to be a way to remotely access your instances securely. With this there are a few options that need to be thought out before even creating a single instance in AWS. Access to the console needs to be secured and logged right away. It should also have MFA enabled and be locked down to a particular IP range if possible, possibly via a VPC. This is the access to your world in the cloud and it needs to be secured. Also, there will be applications that have access to the APIs, which essentially could have complete access to the instances in AWS. These credentials need to be protected and configured in a way that this access doesn’t get compromised. It’s a big subject and one that needs to be reviewed in greater detail. Lastly, understanding whether you’ll be using federation services to tie back to any on-prem LDAP or other identity store is something that must be settled during the design phase of the cloud implementation.
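Two of the checks raised above (security groups opened too widely, in the Change Management section, and console access without MFA, in this one) can be audited from account data rather than by hand. The script below is an added example, not the article's own or AWS's code; its inputs are constructed samples that mirror the column names of the IAM credential report and the shape of the EC2 DescribeSecurityGroups response, so it runs offline.

```python
import csv
import io
import ipaddress

# Constructed IAM credential report excerpt (real column names, invented users/account id).
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
alice,arn:aws:iam::111122223333:user/alice,true,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true
"""

# Constructed data shaped like an EC2 DescribeSecurityGroups response.
SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c", "GroupName": "bastion",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
        {"GroupId": "sg-0d4e5f", "GroupName": "legacy-app",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
             {"IpProtocol": "-1", "IpRanges": [],          # all protocols, all ports
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ]
}

MANAGEMENT_PORTS = {22, 3389}   # SSH and RDP: the ports that should never face the world


def console_users_without_mfa(report_csv):
    """Users who can sign in with a password but have no MFA device.
    password_enabled=false means no console login, so those users are skipped."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(r["user"] for r in rows
                  if r["password_enabled"] == "true" and r["mfa_active"] != "true")


def _is_world_open(cidr):
    # 0.0.0.0/0 and ::/0 are the obvious cases; also flag near-global ranges like /1.
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or net.num_addresses >= 2 ** 31


def _rule_covers_port(perm, port):
    if perm.get("IpProtocol") == "-1":      # "-1" has no port fields and matches everything
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def world_open_management_rules(describe_output, ports=MANAGEMENT_PORTS):
    """(group_id, port) pairs where a management port is reachable from any address."""
    findings = set()
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(_is_world_open(c) for c in cidrs):
                continue
            findings.update((sg["GroupId"], p) for p in ports if _rule_covers_port(perm, p))
    return sorted(findings)


if __name__ == "__main__":
    print("console users without MFA:", console_users_without_mfa(CREDENTIAL_REPORT))
    print("management ports open to the world:", world_open_management_rules(SECURITY_GROUPS))
```

Against real data, the credential report comes from IAM's GetCredentialReport and the group data from EC2's DescribeSecurityGroups; the 443 rule is deliberately left unflagged since only management ports are checked.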

Disaster Recovery and Resiliency

Reviewing how your new cloud environment is built for disaster and resiliency is another major factor to consider when investing in AWS. Get a feel for the availability zones you’ll be hosting your environment in and where you’d like to fail over to in case of emergency. It’s possible to fail over to availability zones in different countries, and if that’s the case you should review the data laws of the country your data will now reside in afterward. For your applications and systems, there should be no single point of failure, and all critical apps should have a process to make them resilient. Amazon has multiple load balancing, snapshot and synchronization services that allow a customer to keep their data available at all times.

AWS’s offering is deep, and before investing your money in moving into their architecture a customer should have a firm understanding of their current architecture, where they’d like to be in the future and what AWS has to offer. The options are vast, and planning up front is needed for a successful implementation.