Cybersecurity & Networking

  • Cisco and Google Cloud recently announced Cisco SD-WAN Cloud Hub with Google Cloud, a new collaborative turnkey networking solution. Cisco’s SD-WAN capabilities (policy, security, and telemetry), merged with Google Cloud’s software-defined backbone, offer organizations an effective means to ensure that security and compliance policies, as well as application service-level objectives (SLOs), extend easily across the network. The solution gives organizations a comprehensive end-to-end view of the network, providing secure on-demand connectivity from customer locations, through Google Cloud’s backbone, to applications running in Google Cloud, other clouds, private data centers, or SaaS.

  • The SOAPA video series is back! In this global pandemic edition, I speak with Hugh Njemanze, CEO of Anomali, a leading threat intelligence platform (TIP). In part 1 of my chat with Hugh, we discuss:

    • Security operations difficulties. Enterprise Strategy Group research indicates that 63% of organizations claim that security operations are more difficult than they were 2 years ago. Hugh agrees and believes these difficulties are related to the breadth of tools and practices that are creating visibility and process gaps.
    • Issues around alert fatigue and keeping up with security threats. Hugh reminds me that security operations is a big data problem. The challenge is to find threat intelligence insights and share this data with systems of record like SIEM and SOAR. This level of integration can bolster efficiency. 
    • Operationalizing threat intelligence. I hear this requirement often, so I ask Hugh what the term means to him. Hugh responds that organizations must make better use of threat intel to trigger alerts that help them capture the right data and take immediate action.
    • Skills requirements for threat intelligence analysis. Not everyone can hire an ex-intelligence analyst, so I ask Hugh how Anomali customers can get continuous value out of their TIP. Hugh describes how Anomali Lens “reads” intelligence reports and highlights important details about adversary tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs). Anomali Match can then be used to compare threat indicators to historical network data. In other words, Anomali applies machine intelligence to help human beings interpret and act upon threat intelligence.

    In my humble opinion, TIPs like Anomali are an undervalued but integral part of strong security operations. Thanks to Anomali and Hugh for participating in the ESG SOAPA video series. Stay tuned for part 2.

  • In addition to reporting very strong growth in its fiscal third quarter, Zscaler announced the completed acquisition of Edgewise Networks last week. At a price tag of $31 million, this won’t be a deal that turns many heads, but maybe it should. We’ve seen much of the industry shift to a cloud-delivered network security approach over the last 10 months, something ESG calls elastic cloud gateways (ECGs). In many ways, this is the logical evolution of the approach Zscaler introduced more than 10 years ago. However, the Edgewise Networks deal, along with the recent acquisition of cloud security posture management (CSPM) vendor Cloudneeti, shows that Zscaler is beginning to think beyond just user access and toward a broader approach to cloud security overall. Specifically, the addition of Edgewise Networks strengthens Zscaler’s zero-trust capabilities to address not only the workforce, but also applications and workloads.

    Edgewise certainly covers the essential capabilities for microsegmentation. Recent ESG research asked respondents for the most important attributes in a microsegmentation solution. The top factor cited by 42% of respondents was the ability to identify and map the traffic and relationships between workloads, applications, and other entities. Also of high importance is support across multiple deployment models (i.e., data center, public cloud, and containers), which was cited by 39% of respondents. Edgewise has both these bases covered.

    However, Edgewise provides an interesting take on these typical approaches to microsegmentation by adding a layer of identity authentication between applications or services. This, as well as some of the machine learning capabilities Edgewise brings to the table, could see interesting uses within Zscaler’s current zero-trust access solutions over time. Better visibility into user application access patterns, built-in identity validation, and the machine learning engine itself could all enhance Zscaler’s Private Access offering.

    One challenge Zscaler will face is getting this in front of the right people. The ownership for microsegmentation solutions remains fractured, with IT ops, SecOps, DevOps and application development, and the network security teams all potentially having input depending on the organization. Zscaler’s C-level focus should help here, as will providing solutions supporting a more well-rounded zero-trust approach. However, building DevOps credibility will be paramount.

    These recent tuck-in acquisitions have potential upside with limited risk due to the small acquisition costs. We expect to see cloud adoption continue to accelerate as organizations look for increased flexibility, agility, and cost-savings due to the impact from COVID-19. Microsegmentation capabilities to support a zero-trust approach and CSPM are two areas of security sure to benefit from the increased focus.

  • I heard some alarming new statistics from IBM Security this week. With COVID-19 as a backdrop, cyber-attacks are up 14,000%, led by a spike in ransomware. IBM also revealed a 6,000% increase in spam, as hackers social-engineer nervous users with fictitious coronavirus news and miracle cures. Other firms like DomainTools, FireEye, and Palo Alto Networks have reported similar data. Yikes!

  • If you haven’t heard about it yet, there has been a groundswell of activity over the past 12-18 months with security vendors rallying around a new theme: XDR. There have been different interpretations of what the “X” in XDR stands for, but the general concept is built on the success of the endpoint detection and response (EDR) model, extending that model to aggregate and correlate telemetry from additional security controls: network, cloud, email, and more. The promise is that with a broader view of activity across security controls, more automation can be applied to deliver better coverage, insights, and ultimately more automated response actions for today’s sophisticated attacks.

  • About a month ago, I wrote a blog about how COVID-19 was driving rapid and dynamic changes for CISOs. I followed this up with a second blog, detailing a number of subsequent cybersecurity phases CISOs are now pursuing to assess and mitigate COVID-19-based cyber risks.  

    Both blogs describe some fundamental problems. Corporate cybersecurity now extends to home networks filled with insecure IP devices with little or no security protection whatsoever. Meanwhile, hackers are exploiting societal malaise with online scams, rogue websites, and phishing campaigns preying upon COVID-19 paranoia. A recent article in the Washington Post described research from Palo Alto Networks identifying more than 2,000 malicious COVID-19 web domains and another 40,000 it classifies as “high risk.”

    So, work from home (WFH) initiatives have greatly expanded the attack surface AND pivoted traffic away from corporate networks instrumented with tried-and-true security controls. CISOs are struggling to figure out what’s out there and whether they are vulnerable to a growing barrage of COVID-19 cyber-attacks. 

    What can be done? Just like COVID-19 itself, one way to address this situation is through testing, testing, testing. Rather than novel coronaviruses and antibodies, however, WFH security vulnerabilities can be assessed through new types of continuous automated penetration and attack testing (CAPAT) tools. 

    These tools are provided as a SaaS offering so there’s no onsite hardware/software to install and operate. While CAPAT tools weren’t designed for WFH explicitly, I believe that CISOs may find them to be helpful for addressing current COVID-19 challenges by:

    • Mapping the attack surface. Cybersecurity teams aren’t sure exactly what’s on the extended network right now. Old insecure PCs? Chatty gaming systems? Mirai botnet infected video cameras? Discovering what’s out there is an important step as experienced red teamers often find lots of assets that cybersecurity teams don’t know about but are still responsible for. Some CAPAT tools address this visibility gap by discovering and mapping the attack surface – a good starting point for risk assessment and mitigation. 
    • Testing security controls. Organizations spend millions of dollars on endpoint security software, firewalls, and a potpourri of security controls sitting between the two. Do these things work? This basic question is worth pursuing – according to research from ESG and the Information Systems Security Association (ISSA), 38% of cybersecurity pros say that one of the main implications of the global cybersecurity skills shortage is that their organization cannot fully learn or utilize their security technologies to their full potential. Thus, an overworked cybersecurity staff can lead to human error and misconfigured security controls languishing on the network. CAPAT tools can help CISOs assess whether their defenses work and whether they would know about it if they failed.   
    • Pinpointing cyber risks. Armed with an attack surface map and CAPAT reports, CISOs can identify and address specific weaknesses with the right training, processes, and countermeasures. Yes, they do this already with penetration testing and red teaming exercises, but these tend to be expensive third-party services conducted once or twice per year. CAPAT tools replace costly service engagement with automation, providing a continual closed-loop cycle for risk assessment and mitigation. 
    • Supplementing existing security programs and technologies. CAPAT tools tend to emulate cyber-adversaries by breaking attacks into kill chains over time. Each tactic, technique, and procedure (TTP) a CAPAT tool automates can then be mapped into the MITRE ATT&CK framework – a popular taxonomy that aligns security programs and tools to an ‘outside-in’ hacker perspective and timeline. I’ve also witnessed CAPAT tools used in conjunction with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tools to fine-tune correlation rules and incident response runbooks. Finally, as CAPAT tools expose system configuration issues, these vulnerabilities can be programmed into deception technologies used to fool enemies and capture valuable threat intelligence.

    To be clear, CAPAT tools aren’t a panacea but they can help expose WFH blind spots by increasing attack surface visibility – as the old management principle states, “you can’t manage (or in this case, secure) what you can’t measure.” Additionally, CAPAT tools can help security professionals “think like the enemy,” another fundamental tenet of cybersecurity. Finally, CAPAT tools have the potential to democratize penetration testing and red teaming. While most organizations can’t hire and retain experienced FTEs in these areas, CISOs should be able to find affordable SaaS options.

    There are a host of innovative CAPAT vendors out there including AttackIQ, CyCognito, Cymulate, Randori, SafeBreach, Verodin (FireEye), and XM Cyber, amongst others. Some focus on attack surface discovery, some test controls, and some automate red teaming. I believe CAPAT tools will ultimately become a key technology in the SOC arsenal.

  • What’s in your Hybrid Cloud Infrastructure?

    Digital transformation initiatives have been well documented over the last few years and result in significant changes to an organization’s people (skills), process, and technology. The top goals of these initiatives, as reported in ESG’s 2020 Technology Spending Intentions survey, are to drive greater operational efficiencies and deliver differentiated customer experiences. To accomplish these goals, organizations are actively modernizing their application environments.

  • Next Steps for Dealing With COVID-19/WFH

    Last week, I wrote a blog describing 3 ways that COVID-19 is changing CISO priorities for 2020. COVID-19 drove large-scale work from home (WFH) initiatives where the priority was getting users up and running as quickly as possible. Security leaders were then forced into an unanticipated follow-on sprint to deliver elementary security safeguards for remote employees (i.e., VPNs, endpoint security controls, network security controls, etc.).

    This is the new reality and it’s an ongoing scramble, but what comes next? 

    Let’s call the current situation phase 1, which is about employee access, network communications confidentiality/integrity, and basic endpoint security. 

    Since posting my last blog, I’ve heard of additional IT efforts to address network performance and user productivity (phase 1A). Some organizations are implementing split tunneling so key employees can access VPNs and the internet simultaneously. Some are paying to upgrade employee bandwidth, especially for executives spending their days on Zoom/WebEx meetings while their children use the same networks for home schooling. My colleague Bob Laliberte also tells me about companies instrumenting key employee systems with WAN optimization software. Back at corporate, there’s also lots of load balancing and SD-WAN activity.

    From a security perspective, forward-thinking CISOs are now on to phase 2 focused on situational awareness and risk assessment. This is directly related to the fact that a lot of LAN traffic has been rerouted to WANs and internet connections. The goal? Scope out the new realities of usage patterns and the attack surface.

    To gain this level of visibility, organizations are deploying endpoint security agents to assess device posture and system-level activities. Think Tanium agents and EDR software from vendors like Carbon Black, CrowdStrike, and Cybereason. Security pros also recognize that employee home networks may be populated with insecure IoT devices, out-of-date family PCs, etc., so I’ve heard of instances where security teams are doing home network scans as well. Finally, there is an increased focus on monitoring network traffic traveling back and forth on VPNs or directly out to SaaS providers and the public cloud.

    Leading organizations are also ramping up monitoring of cyber-adversaries and threat intelligence, looking for targeted attacks, COVID-19 tactics, techniques, and procedures (TTPs), IoCs, etc. I’ve also heard that threat analysts are more actively sharing intelligence and participating in ISACs. In other words, I’m seeing an increase in collaboration within the cybersecurity community. 

    In about 4 weeks, organizations will have visibility and enough historical data to proceed to phase 3, a full risk assessment and a board-level report. These reports will examine the WFH infrastructure, new traffic patterns, perceived vulnerabilities, rising threats, etc. They will also dig into a more thorough look at emerging WFH issues like insider threats, expansive privileges, data security exposures, insecure cloud application configurations, and others. The goal? Quantify risk and then work with executives to prioritize actions.

    This leads to phase 4, which is all about risk mitigation. Based upon my conversations, the goal is to address this by mid-May at the latest. During the risk mitigation phase, organizations will likely employ controls for data privacy/security, assign least privilege to networks and applications, and segment home network traffic to protect WFH assets from gaming systems, smart refrigerators, security cameras, and the like. We’ll see more deployment of technologies like multi-factor authentication (MFA), zero trust networking tools, privileged account management, and DLP/eRM at that point. Process automation will also be added during this period. 

    At the end of phase 4, WFH should be set up for threat prevention, detection, and response at scale.

    A few final things I’ve heard:

    • While the four phases are a general project plan, CISOs are also busy patching tactical holes like blocking Zoom bombing by using meeting IDs and issuing passwords. Issues like this come up daily.
    • Another issue I’m hearing about is securing “shotgun” applications, developed and deployed quickly to support remote workers, business partners, and customers.
    • Security will continue to play catch-up, with IT leading on network performance and service availability. User support and productivity is paramount while security remains behind the scenes.
    • The need for speed is causing CISOs to have a “SaaS first” mentality.
    • CISOs are taking a long-term approach since no one can tell how long the lockdown will last. Many also feel like this is a game changer for the future of IT and security. 

    I’ll continue to report on what’s happening in the CISO trenches as desperate times call for desperate measures. Your feedback, inputs, and suggestions are most welcome.

  • The notion of a matrix of “anyness” describes how the combination of knowledge worker mobility and the broad use of cloud services has significantly impacted the cybersecurity remit. The recent surge in remote workers has brought this concept to the fore and shown how conducting business on any device from any location at any time, accessing any app and any data, is the norm. This reality certainly challenges the castle-and-moat security model, highlighting the need to evolve how we think about the perimeter, to one that contemplates the many aspects of identity.

  • SD-WAN Enabling WFH During COVID-19 Pandemic

    For the last couple of years, SD-WAN technology has been on a roll. Businesses going through digital transformation initiatives are increasingly leveraging cloud platforms to host applications (both IaaS and SaaS) that are critical to the business. However, the legacy hub and spoke networks leveraging private telco links were not designed for direct connection to cloud-based apps from remote locations. Instead, all the traffic was funneled through the data center, creating a lot of round trips, latency, and poor user experiences.

    SD-WAN changed all that and enabled organizations to effectively take advantage of multiple broadband connections to create highly performant and secure connections from branch offices directly to cloud platforms, corporate data centers, and other remote offices. Leveraging broadband connections (or a combination of broadband, MPLS and even 4G) provided greater flexibility, access, and even lower costs. Additionally, these SD-WAN technologies provided a number of other benefits to the business including:

    1. Zero touch deployments to enable sites to be turned up rapidly.
    2. Prioritized application traffic to ensure critical voice and video applications always perform well.
    3. Effective and efficient use of all existing bandwidth.
    4. Securely segmenting application traffic ensures business apps aren’t mixed with gaming traffic.
    5. Centralized policy management and distributed enforcement ensures changes are implemented at every site.

    Over the last week or two, I have spoken to a number of SD-WAN providers (VMware VeloCloud, QoS Networks, Silver Peak, and Cato Networks) who report that, in light of the COVID-19 pandemic, businesses are now adapting SD-WAN to enable work-from-home (WFH) initiatives. It stands to reason that if it can provide benefit to the branch office, it can do the same for the employee now working from home. Here are a couple of examples:

    • A large insurance company ordered 5,000 new SD-WAN instances to be rolled out over 10 days to ensure their employees have optimized access to internal and cloud applications and that corporate policies can be enforced at these new edge locations – employee homes. In this case, a partner was handling the staging, distribution, and turn-up of services on an extremely expedited timeframe. Fortunately, zero touch provisioning and centralized policies ensure minimal involvement is required from the employees.
    • In another instance, the technology is being used to enable doctors and healthcare professionals to more effectively and securely deliver TeleHealth/Telemedicine not just from their offices, but from their homes as well. Given the risk so many of those on the front lines are facing, the ability to screen potential patients from remote locations, or to let doctors from different parts of the country help those in the hardest-hit areas, makes this a great application of SD-WAN technology.
    • A call center business handling medical-related issues rapidly transitioned from an on-premises business to a work-from-home model, bringing up 300 agents in less than one week from placing the order, 400 agents within two weeks, and now has 800 employees set up to work from home. Again, because of the innovative zero touch provisioning and centralized control, these technologies can be deployed in a very short time frame. For a call center business, SD-WAN technology will provide significant benefit by optimizing real-time audio and video services to ensure the best possible customer experiences, regardless of where the call center operators are located.

    Clearly the COVID-19 pandemic has forced all organizations to rethink their business continuity plan. As employees shift to work from home to remain safe, we are starting to see innovative technologies like SD-WAN be deployed to ensure call center agents can still deliver services, health care professionals can interact with patients, and other medical centers and employees can access mission-critical business and collaboration apps with prioritized access – especially with so many students also at home, vying for bandwidth for online gaming and streaming video!

  • 2020 Cybersecurity Spending Trends

    Most organizations will increase cybersecurity spending in 2020, driven by the desire to protect business processes and counteract dangerous threats. In fact, organizations targeted by cyber-attacks like ransomware are far more likely to increase spending than those that have not. While most are likely to invest in AI/ML-based analytics, data security, network security, and application security, CISOs will spread budget dollars around in many areas. The data indicates that many organizations are in the process of reengineering their entire cybersecurity infrastructure in an attempt to improve efficacy, streamline security operations, and support new technology-driven business processes.

  • Fundamental changes to application architectures and the infrastructure platforms that host them are antiquating existing cybersecurity technologies and challenging traditional approaches to protecting business-critical workloads. Additionally, the continuous integration and continuous delivery (CI/CD) process of DevOps is as impactful a change to cybersecurity programs as the changes to the applications and infrastructure that these methodologies manage.

    In order to get more insight into these trends, ESG surveyed 371 IT and cybersecurity professionals at organizations in North America (US and Canada) responsible for evaluating, purchasing, and managing cloud security technology products and services. These organizations are mature cloud users in terms of public cloud services and/or containers.