Posted by: Greg Ness | April 16, 2018

The Beginning of the End of the Corporate Network

It’s Time to Seize the High Ground

The cloud and IoT are rendering the corporate network obsolete, with or without the rise of advanced threats.  At least that’s the conclusion I reached after reading a remarkable blog post this weekend followed by a gloomy yet impeccably grounded Paul Gillin article in Silicon Angle on the degrading state of enterprise security.  If you haven’t read them, you should.

The CIO’s Inevitable Strategic Withdrawal, by Mark Hoover

The Grim State of Cybersecurity, by Paul Gillin

The blog recommended that CIOs make a strategic withdrawal from the traditional network to establish a new, tighter perimeter around high value applications.  It argued that it’s now too difficult to protect high value applications in the wilds of the increasingly connected corporate network, evoking images from “Naked and Afraid” except this time set in a server room instead of the jungles of Belize*.

I think it is one of the smartest responses to the specter of radical increases in spending and hiring in a vain effort to temporarily stem the tide.

The traditional network is no longer an efficient, complete, or effective environment on which to deliver the availability, agility and security requirements of the modern enterprise. – Mark Hoover, CEO Vidder

Brian Krebs, recently interviewed by Paul Gillin, really explains why a retreat to higher ground isn’t just imperative, but urgent if there is to be any semblance of protection.  See Silicon Angle’s The Grim State of Cybersecurity:

For criminals, he said, “the barriers to entry have never been lower and the low-hanging fruit never more abundant. The chances of success with low to moderate effort are high and there are seldom consequences for criminals. It’s no wonder that cybercrime is such a fast-growing industry.” – Silicon Angle

The problem at the core isn’t just malicious adversaries and advanced tools that can turn the weakest hackers into advanced threat propagators, but rather the breakdown in network security due to exploding connectivity, from personal devices with more software to partner sites and clouds.

Sure, the firewall vendors would love more spending on gear, even if in a vain attempt to imitate effective security, as is the case in much of today’s enterprise network. But they should also applaud the notion of a more efficient approach that doesn’t leave their customers in a constant state of apology.

The inescapable fact is, the state of cybersecurity keeps getting worse despite an explosion in the amount of investment and energy plowed into improving it going years back. And it’s only going to get worse, according to the unanimous assessment of 22 security industry chief executives, chief technology officers, security analysts and independent security experts contacted by SiliconANGLE. – Silicon Angle

Today’s enterprise network, built around a plethora of security appliances architected for much simpler missions, cannot be simply upgraded, even with “an explosion in investment” to scale to address the new jungle. This is where the idea of a strategic withdrawal comes in.

The Strategic Withdrawal has Merits

Why not create a high security zone (sometimes called a “zero trust network”) where availability and security are much easier to scale and protect, without having to spend and hire up to protect the vast jungle of users, devices and external resources? See the Seizing the High Ground diagram from The CIO’s Inevitable Strategic Withdrawal.

[Diagram: Seizing the High Ground]

Hoover advocates business as usual for the outer circle. In other words, let your employees access the internet and other third party networks with minimal fanfare.  Within reason they can protect their own devices and partners can protect their applications. For workflow efficiency applications, security is stepped up: your next gen firewalls and identity and access management solutions protect against various vectors and keep most adversaries at bay, rather than trying to maintain that level of security across the entire corporate network.

Then, inside, create your high ground: a zone where the standard for access is much higher and security and availability are of paramount importance. A high level of proven trust is required before any visibility is given into the zone.

To establish a trust barrier around these critical applications, Hoover argues that the network will need to evolve in the application layers. From Hoover’s blog:

It does make sense for enterprises to concentrate their money, time, and expertise to ensure the security, availability, and performance of their core applications. This leads to a careful retreat from the ongoing investments in traditional packet-defined architectures into an architecture that defines and controls connectivity at higher layers (L4-L7). – Mark Hoover

Hoover argues that it’s time to revisit the app layers to enforce trusted access across networks and clouds from a more cohesive control plane.  A kind of high ground where the CIO can exercise greater control of who accesses critical assets.  He is spot on:

This model for connectivity defined and controlled independent from the underlying network allows corporations to focus their security talent and spending only on the subset of the infrastructure related to delivering the core applications.  The network becomes a simpler underlying utility. – Mark Hoover

If Hoover is right, we will see the network evolve again, this time on a massive, much-needed scale, with more security at the core and business as usual in the firewall jungle of LAN by LAN perimeters. Security returns where it matters and can be managed across LANs, clouds, etc. from a single point of visibility, enforcement and control. Only then can security return to the network.

====


*BTW: in January our family explored the Mayan temples in the ATM Caves in western Belize, but we wore bathing suits.

Posted by: Greg Ness | February 23, 2018

VMware Intends to Buy CloudVelox

VMware 3; Cisco 0 <== More on this later.

Another brilliant move by VMware as it shifts away from competing cloud to cloud with the likes of AWS and Azure and focuses on areas where it has strategic advantage.  Well done!

Read the VMware blog post: VMware Announces Intent to Acquire Technology and Team from CloudVelox

Posted by: Greg Ness | February 23, 2018

Secure Enclaves now on AWS Marketplace

It is great to see secure enclaves now listed in the AWS Marketplace. It’s a big step forward for cloud security and early participants are large enterprises creating highly secure cloud environments.

This is important because it allows organizations to render the AWS boundary invisible (all within the excellent AWS shared security model) and only allows authorized access to the enclave.

Interested in high security AWS cloud environments?

Over the last few years there have been significant security improvements in public clouds.  For example, AWS now offers transparent data encryption, key management and secure compute features. Unfortunately, even with the advances in public cloud computing, organizations like financial institutions have been unable to leverage these services because many analysts work in secure facilities that have no Internet access. Now they can…

Read How to Build a Secure Enclave on AWS.

Posted by: Greg Ness | February 15, 2018

Time for a New Look at Segmentation?

The perimeter protecting the network, once considered impregnable, has been degraded by advanced threats and an explosion in the number of connected devices (and apps running on them) and a new generation of predatory malware attacks.

Since the dawn of the networking era, enterprises built open (flat) networks to offer every user access to (almost) every application. Many of these networks are global, spanning business units and national boundaries with unprecedented connectivity. Amazing. Powerful. Everything and everyone is accessible.

Today that access is now available to adversaries.

Some enterprise networks have become a kind of playground for hackers that offers up everything to everyone with minimal effort, not even the need to wait in line. With a few easily available tools or tactics adversaries can penetrate business critical apps and data. They simply compromise one of a growing population of connected devices.

From a single compromised device, attackers can then access other devices, servers and even printers to establish a robust foothold inside the network. From there they search for privileged users to get privileged access to servers, applications and data. Even with traditional network segmentation this can be a problem. (see diagram)

[Diagram: DC segmentation]

Because of the difficulty and expense required to protect the entire network from these types of attacks, CISOs are taking steps to segment (or isolate) applications so they cannot be easily reached by adversaries, yet still be reachable by employees.

The problem is too much access, stolen credentials, and the ability for compromised devices to access servers from inside the network.

Segmentation is the new perimeter strategy, and it should begin with the protection of applications and servers from attacks from compromised endpoints.  Yet CISOs have been “educated” by PCI compliance to think of server segmentation as a priority, instead of protecting servers from the most common threats.

It’s Time to Think Differently about Segmentation

A recent paper, Segmentation for Security by Silicon Valley veteran Brent Bilger, takes you through the various hops, attack vectors and approaches to effective isolation and access and reviews common approaches for security and business impacts. I highly recommend it if you have an open network and are looking for where to start.

Second Panel on Ukraine’s Cyber War held at GWU

==> UPDATE Feb 15 2018: See HR1997.

===> Feb 15 2018 White House blasts Russia for cyber attack on Ukraine.

====> Feb 16 2018: DefenseOne coverage of Ukraine cyber war.


Last fall we discussed how digital societies are more vulnerable to cyber mayhem and cited the recent Future in Review panel on Ukraine’s cyber war. Last week (Feb 7) a follow-on panel was held at George Washington University: The U.S.-Ukraine Cybersecurity Partnership. It is well worth watching.

Opening remarks from Frank Cilluffo, Director of the Center for Cyber and Homeland Security, and Dr. Leo M. Chalupa, Vice President for Research at George Washington University, highlighted that whatever threats Ukraine faces will eventually be seen globally. 

For additional background you can watch the entire Future in Review 2017 panel here. It covers the cyber conflict in Ukraine and implications for the modern digital society. The GWU Conference takes things a step further with a deeper technological discussion with implications for the future.


Posted by: Greg Ness | November 14, 2017

Secure Enclaves in the Cloud: A Game Changer for AWS

A powerful game-changing idea is now a reality thanks to advances in cloud security capabilities and software defined perimeter technology.

One of the most significant new opportunities for public cloud is the processing and storage of regulated data.  Until recently the idea was deemed heretical, mainly due to regulatory, compliance costs and the difficulty in interlocking physical and virtual security controls.  That has changed due to a recent Vidder secure enclave project for a public financial services firm.

Read more at Building Secure Enclaves on AWS.

[Diagram: Secure Enclave Interlocks]

Here is a link to Flackbox Guide to Mastering Cisco Networks and a Udemy $10 course coupon from Neil Anderson, an Archimedius reader.

Posted by: Greg Ness | November 10, 2017

Western, Digital Society is more Vulnerable to Cyber Mayhem

Two Ominous Warnings from the US and Across the Pond

For the most part westerners live in open societies.  And many of them are undergoing accelerating connectivity across almost all aspects of their culture.  There is a dystopian underbelly to this, which was recently brought out in a prescient SiliconAngle interview on the weaponization of social media and search by 2020 and a disturbing panel at the Park City Future in Review tech conference.

They immediately suggest a historical precedent for the role of trust and access, even in a city with high walls and a formidable army.

Trust and Access and the Fall of Troy (The Burning of Troy by Johan Georg Trautmann)


You can view the panel in its entirety via this link but I’ll summarize. You can also read the coverage in Newsweek.

  • Experiments in cyber mayhem are becoming increasingly powerful and sophisticated.
  • Chaos and mayhem campaigns target infrastructure, groups and individuals.
  • No one connected to the internet is immune, even if protected by the current security stack, per Ukraine’s Cyber Czar.
  • Social media and critical systems are fair game as targets for fake news and targeted pulse campaigns using behavioral science aimed at voters.
  • The recent NotPetya attack targeted Ukraine yet spread in days to shut down critical infrastructure. More are coming.

It is becoming increasingly apparent that trust and access are critical factors for the survival of the western “open” society. And methods for weakening these societies are being tested in Ukraine and some of these early tests have already spilled across borders, shutting down critical systems at hospitals and shipping companies globally.

[Photo: Dmytro Shymkiv]

Over the last three years the Russians have aimed to “disrupt, destroy the West’s presence [in Ukraine],” per Ukrainian cyber czar Dmytro Shymkiv (pictured). At times most of Ukraine’s infrastructure was impacted. That leads to a bigger discussion across the pond.

As tools become more sophisticated and enable less talented hackers to become more powerful, will western defenses address the trust and access problems with the existing security stack or experience a massive Troy-like breach against the very commercial and social fabric of western civilization?

Read more at SiliconAngle: It’s Time for a Cyber Security Reboot.

Malware has evolved to evade traditional security defenses and move laterally looking for vulnerabilities.  It may even force a generational shift in security. In a recent CUBE interview with security expert Junaid Islam, host John Furrier asks Junaid a question about the state of security in a new era of nation-sponsored activities and IoT.

UPDATE October 28 2017- Also see recent article in Daily Caller: Russia Testing Hybrid War Capabilities in Ukraine.  “What happens in Ukraine doesn’t stay in Ukraine.”

Both the questions and answers are revealing in terms of what kind of shift in thinking is required for increasingly interconnected enterprises in an age of state-sponsored attacks.

“Generational Shift”

John called it a generational shift. He suggested security might even require a “do over.” What has changed beyond the exponential growth in IoT and digital supply chain connectivity? Perhaps it is the evolution of predatory malware that moves laterally through layers of existing solutions in search of vulnerabilities. Once in, it has access to increasingly complex configurations of devices, drivers and servers, a kind of hackers’ playground that was once protected against attack and is now exposed. Because of digitalization the stakes are higher than ever.

As Junaid says, increased interconnectedness leads to increased vulnerability and risk. Yet that is the direction we’re going. Then, as nation states get involved and “malware that moves by itself” appears, the interconnectedness of the US demands new countermeasures.

WannaCry as a Weapons Test

WannaCry was likely a weapons test and it’s up to enterprises to secure their own systems against these new advanced attacks. Security teams need to be aware of these risks and plan accordingly.

Junaid recommends new policies and laws for people holding assets and encouraging the adoption of new, advanced countermeasures. Authenticated access including multifactor authentication should be required for critical systems.

The Writing is on the Firewall discussed two recent announcements from VMware and Verizon which are likely responses to the state of security and more harbingers for the hardware-bound firewall and network access control vendors.

New Thinking, New Strategies, Secure Enclaves

While security pros spend more time addressing the process creep required to keep their firewalls and access control hardware up to date with the latest lists and updates, these new attacks are piercing high profile defenses. New thinking around zero trust is morphing into strategies for establishing secure enclaves where access, lateral movement and even user behavior are trust-based, real-time and granular, versus the “once you’re in, you’re all in” model common in traditional security infrastructure.

These are demands which traditional solutions weren’t architected to address. In conclusion, Furrier asks Islam about efforts to establish a new US national security initiative. Junaid advises that as soon as an approach is taught, hackers will evolve to evade it. “We need to rethink how we share information on a worldwide basis.”

Stay tuned…

Posted by: Greg Ness | September 21, 2017

The Writing is on the Firewall

VMware and Verizon Announce App Security as a Service: Here’s Why It Matters

In a “tip of the hat” to how polluted devices and networks have become, VMware and Verizon announced new service offerings to protect applications from cyber attacks.  VMware announced App Defense at VMworld a few weeks ago. Vidder announced yesterday that its technology is being integrated into a new Verizon Software Defined Perimeter managed service for protecting high value apps from advanced threats.

The Writing is on the Firewall

These announcements matter because they mark a break from traditional thinking about security, from hardware to services and from network security to applications and access control. 

Services are becoming the fastest-growing segment of security spending according to Gartner. One recent forecast predicts a massive cyber security skills shortage in less than four years.

Why think differently about applications and access control? Increasingly powerful doses of cyber security reality are hitting overworked security teams:

  • defending apps and networks with traditional firewalls and network access control solutions is futile at best, even in firms with large security budgets;
  • exploding populations of endpoints will never be secure enough on their own to protect the critical systems they can access;
  • enterprise security faces increasing skills shortages, complexity and process creep just as attackers are getting faster and more capable; and
  • application-centric access control is becoming strategic, especially for high value apps supporting users who demand LAN and remote access.

Clearly VMware and Verizon both see the writing on the firewall. A new Gartner report shines more light on the coming radical transformation of what was once a bastion of network security (see Secure Web Gateways by Pingree and Contu, published Sep 12, 2017).  Think firewall-as-service in the future.

Until the firewall disruption the focus needs to be on protecting high value apps from attacks that today easily penetrate firewalls and network access control defenses. Petya, for example, spread from its targets in Ukraine around the world in a matter of days, and was responsible for shutting down everything from hospital to shipping company systems.

Developing a Zero Trust Strategy

Synergy is key: New app-centric services can add more powerful capabilities to existing security teams without the headaches of adding new layers of increasingly complex static security infrastructure.

[Diagram: Planning Matrix]

Your team gets closer to the notion of zero trust, not just for networks but devices as well. They can start by prioritizing security for high value applications, especially those with complex access demands. Then focus on high value apps with simpler access demands.

When endpoints and networks are polluted, trust needs to be established for any user to access any high value application. Think Trusted Access Control: a powerful defense for key apps that augments existing resources and is delivered as a service.

Your security infrastructure is then augmented with specialized software and services that protect apps from malware and credential theft. Access is only granted after trust is established and access is only granted to a specific application.

++++

Verizon Field Tests Vidder Technology at Operation Convergent Response

Related: After extensive tests and hackathons, Verizon recently field tested Vidder technology by securing real time, live action, first responder communications at Operation Convergent Response, last June in Perry, Georgia. For more information check out Junaid’s blog.

Read the news coverage related to the Verizon and Vidder software defined perimeter technology partnership.

Posted by: Greg Ness | August 16, 2017

Is Ukraine a Testing Ground for Cyber Attacks?

As nations and syndicates pursue their interests, they will become sponsors of offensive and defensive cyber capabilities, including information warfare, theft, and attacks designed to take down critical infrastructure. This could explain why, after billions in losses, there are no cyber treaties in place and attacks against election infrastructures are mere diplomatic affairs.

Let’s face it. We are all in the epicenter of an ongoing conflict, exposed to a new kind of digital age risk. And in the years ahead it will get harder to discern who or what to trust. And trust is the fabric of civilization. Trust in institutions.  Trust in the availability of water, power or even banking and/or health services. When trust is broken many more things eventually break.

Many civilizations have discovered this the hard way. Today as the pace of life quickens and the ability to mobilize gets easier, institutions struggle with maintaining stability. As we’ve seen around the world, nations running on file folders and traditions cannot keep up with populations empowered by digital connectivity. Connectivity is the new backbone of a nation and yet its biggest vulnerability.

Radio, television and print were all essentially one to many broadcast mediums that helped public institutions maintain trust. The internet and social media are many to many mediums that can erode trust faster than the broadcast media can maintain it. So we see mayhem in Ukraine. And we see it spreading throughout the world, shutting down hospitals and shipping companies.

We’ve entered a new era. And Ukraine may be its poster child.

Ignore Ukraine at your Own Peril

Ukraine has evolved into a kind of microcosm of the East/West conflict and, even more importantly, it is digitally connected to the east and west. It is the front line in a global cyber conflict.

In June I explained how increasing digital connectivity and blurred lines between nations and digital systems will expose servers and applications globally to more collateral damage from the ongoing conflict in Ukraine.  More recently I discussed how global brands will be increasingly vulnerable to cyber attacks. The digital age will separate trusted and untrusted brands.

Ukrainian infrastructure is already being attacked, most likely in order to undermine public trust in the young government. Some of those attacks have already spread well beyond Ukraine. The NotPetya malware attack, for example, is estimated to have caused almost $1B in damages globally.

The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware’s spreading capabilities. That’s why the malware went out of control.

– Telebots are Back, Anton Cherepanov, welivesecurity, June 30, 2017

This year at Future in Review we decided to shift from the evolution of cloud computing1 track (which had lasted more than 6 years) to the rise of cyber security as a critical and strategic IT theme. I cannot think of a more timely topic.

I highly recommend this panel as an insight into the world’s future and this cyber conflict and the impact it could have on trust, the fabric of digital civilization. Here are the videos from last year’s Future in Review.


Ukraine is the Cyber War Front Line: Future in Review Panel

Actual date and time (entire event is October 10-13) is being set.  I’ll update as soon as it is published. See Fire agenda here.

October 11, 2017, 2:30-3:00 PM.

Dmytro Shymkiv – Deputy Head of the Presidential Administration of Ukraine

Bob Flores – Founder/Partner of Cognitio and Former CTO of the US Central Intelligence Agency

Phillip Lohaus2 – Research Fellow, Marilyn Ware Center for Security Studies, American Enterprise Institute

Moderated by: Gregory Ness, VP, Vidder


Background

Wired – How an Entire Nation became Russia’s Test Lab for Cyberwar – Andy Greenberg

US News and World Report – A Vulnerable Castle in Cyberspace – Phillip Lohaus

Reuters – Corporate profits to take more hits from Ukraine cyber attack – Jim Finkle and Eric Auchard

Newsweek – Whose Cyberattack Brought Ukraine to a Shuddering Halt? – Nolan Peterson

Vidder blog– We are Now at War – Cyber War – Gregory Ness

welivesecurity – TeleBots are back: Supply-chain attacks against Ukraine – Anton Cherepanov

======


1- The cloud track started in 2009 with a panel that led to the formation of the now-defunct Infrastructure 2.0 Working Group and culminated with last year’s Future in Review cloud panel.


2- Phillip is the author of A Vulnerable Castle in Cyberspace; see Background.
