Whitelisting Is Important For Your Network – Charles Leaver

Written By Roark Pollock And Presented By Charles Leaver

 

Overview

Similar to any form of security, the world of IT security is one of establishing and implementing a set of allow/disallow rules – or more formally entitled, policies on security. And, merely stated, allow/disallow rules can be expressed as a ‘whitelist’ or a ‘blacklist’.

In the past, a lot of guidelines were blacklist in nature. The good ‘ole days were when we trusted almost everyone to behave well, and when they did this, it would be rather simple to recognize bad behavior or abnormalities. So, we would only have to compose a few blacklist guidelines. For example, “don’t permit anyone into the network originating from an IP address in say, Russia”. That was kind of the very same thing as your grandparents never ever locking the doors to your house on the farm, because they were aware of everyone within a twenty mile radius.

Then the world altered. Behaving well became an exception, and bad actors/habits became legion. Obviously, it occurred gradually – and in phases – dating to the beginning of the true ‘Web’ back in the early 1990’s. Keep in mind script kiddies unlawfully accessing public and secure sites, simply to prove to their high school pals that they were able to?

Fast forward to the modern-day age. Everything is on-line. And if it has value, someone on earth is trying to take or harm it – constantly. And they have plenty of tools that they can use. In 2017, 250,000 new malware versions were presented – daily. We used to trust desktop and network anti-virus solutions to include brand-new blacklist signatures – every week – to counter the bad guys utilizing malicious strings of code for their bidding. However at over 90 million new malware versions per year, blacklist strategies alone won’t suffice.

Network whitelisting innovations have been an essential form of protection for on premises network security – and with most companies rapidly moving their work to the cloud, the exact same mechanisms will be needed there as well.

Let’s take a closer look at both methods.

What is Blacklisting?

A blacklist lines out known malicious or suspicious “entities” that shouldn’t be enabled access, or execution rights, in a system or network. Entities consist of bad software applications (malware) including viruses, Trojans, worms, spyware, and keystroke loggers. Entities likewise include any user, application, process, IP address, or organization understood to pose a threat to a business.

The essential word above is “known”. With 250,000 brand-new variants appearing daily, the number that are out there we have no idea about – at least until much later in time, which could be days, weeks, or even years?

Whitelisting

So, exactly what is whitelisting? Well, as you may have guessed, it is the reverse of blacklisting. Whitelisting begins from a point of view that nearly everything is bad. And, if that is true, it ought to be more efficient just to define and permit “great entities” into the network. An easy example would be “all workers in the financial department that are director level or higher are permitted to access our financial reporting application on server X.” By extension, everyone else is locked out.

Whitelisting is often referred to as a “no trust” method – deny all, and allow just specific entities access based upon a set of ‘good’ characteristics related to user and device identity, behavior, location, time, etc

Whitelisting is widely accepted for high risk security environments, where stringent rules are more important than user freedom. It is also highly valued in environments where companies are bound by rigorous regulatory compliance.

Black, White, or Both?

Initially, few would suggest blacklisting is absolutely a thing of the past. Certainly at the endpoint device level, it is relatively simple to set up and preserve and somewhat efficient – specifically if it is kept up to date by third-party threat intelligence providers. However, in and of itself, will it suffice?

Second, depending upon your security background or experience, you’re most likely thinking, “Whitelisting could never work for us. Our organization applications are simply too diverse and complicated. The time, effort, and resources required to assemble, monitor, and update whitelists at an enterprise level would be untenable.”

Fortunately, this isn’t actually an either-or option. It’s possible to take a “finest of both worlds” stance – blacklisting for malware and intrusion detection, operating together with whitelisting for system and network access at large.

Ziften and Cloud Whitelisting

The key to whitelisting comes down to ease of execution – specifically for cloud-based work. And ease of implementation ends up being a function of scope. Consider whitelisting in 2 ways – application and network. The former can be a quagmire. The latter is far easier to execute and preserve – if you have the right visibility within your cloud deployments.

This is where Ziften can help.

With Ziften, it becomes easy to:

– Identify and develop visibility within all cloud servers and virtual machines

– Gain continuous visibility into devices and their port use activity

– See east-west traffic streams, consisting of detailed tracking into protocols in use over specific port sets

– Transform ‘seeing’ exactly what’s happening into a discernable selection of whitelists, complete with exact procedure and port mappings

– Establish near real time notifications on any anomalous or suspicious resource or service activations

Important Observations At RSA 2018 – Charles leaver

Written By Logan Gilbert And Presented By Charles Leaver

 

After investing a couple of days with the Ziften group at the 2018 RSA Conference, my technology viewpoint was: more of the same, the normal suspects and the normal buzzwords. Buzz words like – “AI”, “machine learning”, “predictive” were wonderfully overused. Lots of attention paid to avoidance, everybody’s favorite attack vector – e-mail, and everyone’s favorite vulnerability – ransomware.

The only surprise I encountered was seeing a smattering of NetFlow analysis companies – great deals of smaller businesses aiming to make their mark using a very rich, however tough to work with, data set. Extremely cool stuff! Find the small cubicles and you’ll find tons of development. Now, to be fair to the bigger suppliers I understand there are some truly cool technologies therein, but RSA barely lends itself to seeing through the buzzwords to actual worth.

The Buzz at RSA

I might have a prejudiced view since Ziften has actually been partnering with Microsoft for the last six plus months, but Microsoft seemed to play a far more prominent leadership role at RSA this year. First, on Monday, Microsoft revealed it’s all brand-new Intelligent Security Association uniting their security collaborations “to focus on defending clients in a world of increased risks”, and more notably – reinforcing that security through shared security intelligence across this ecosystem of partners. Ziften is naturally proud to be an establishing member in the Intelligent Security Association.

Additionally, on Tuesday, Microsoft announced a ground-breaking partnership with many in the cybersecurity industry named the “Cybersecurity Tech Accord.” This accord requires a “digital Geneva Convention” that sets standards of habits for the online world just as the Geneva Conventions set guidelines for the conduct of war in the real world.

RSA Attendees

A real interesting point to me though was the different types included of the expo audience itself. As I was also an exhibitor at RSA, I noted that of my visitors, I saw more “suits” and less tee shirts.

Ok, maybe not suits per se, but more security Managers, Directors, VPs, CISOs, and security leaders than I remember seeing in the past. I was encouraged to see what I think are business decision makers checking out security companies in the flesh, instead of doling that job to their security team. From this audience I typically heard the exact same themes:

– This is frustrating.
– I can’t tell the difference between one technology and another.

Those who were Absent from RSA

There were certainly less “technology trolls”. What, you might ask, are technology trolls? Well, as a vendor and security engineer, these are the guys (always guys) that show up 5 minutes prior to the close of the day and drag you into a technical due diligence workout for an hour, or a minimum of until the happy hour parties begin. Their goal – absolutely nothing beneficial to anyone – and here I’m presuming that the troll really works for a company, so nothing beneficial for the company that actually paid thousands of dollars for their participation. The only thing gained is the troll’s self affirmation that they are able to “beat down the vendor” with their technical prowess. I’m being severe, but I’ve experienced the trolls from both sides, both as a vendor, and as a buyer – and back at the office no one is basing purchasing choices based upon troll recommendations. I can just assume that companies send out tech trolls to RSA and comparable expos because they do not want them in their workplace.

Discussions about Holistic Security

Which makes me return to the type of people I did see a lot of at RSA: security savvy (not just tech savvy) security leaders, who comprehend the corporate argument and choices behind security innovations. Not just are they influencers however in most cases business owners of security for their particular organizations. Now, apart from the above mentioned concerns, these security leaders appeared less concentrated on an innovation or specific usage case, however rather an emphasis on a desire for “holistic” security. As we know, excellent security requires a collection of innovations, policy and practice. Security savvy consumers wished to know how our innovation fitted into their holistic solution, which is a rejuvenating change of dialog. As such, the kinds of concerns I would hear:

– How does your technology partner with other solutions I already utilize?
– More importantly: Does your company actually buy into that partnership?

That last concern is vital, basically asking if our collaborations are just fodder for a site, or, if we genuinely have an acknowledgment with our partner that the whole is greater than the parts.

The latter is what security specialists are looking for and require.

Summary

In general, RSA 2018 was terrific from my point of view. After you get past the lingo, much of the buzz centered on things that matter to clients, our market, and us as individuals – things like security partner environments that add value, more holistic security through genuine collaboration and significant integrations, and face to face discussions with business security leaders, not innovation trolls.

Unmanaged Assets In The Cloud Can Lead To Disaster – Charles Leaver

Written By Logan Gilbert And Presented By Charles Leaver

 

All of us identify with the vision of the hooded villain hovering over his laptop late during the night – accessing a business network, stealing important data, vanishing without a trace. We personify the assailant as smart, persistent, and sly. However the reality is the vast bulk of attacks are enabled by easy human carelessness or recklessness – making the job of the cyber criminal a simple one. He’s examining all the doors and windows continuously. All it takes is one error on your part and hegets in.

What do we do? Well, you already know the action you need to take. We spend a hefty portion of our IT budget on security defense-in-depth systems – developed to identify, trick, trip, or outright obstruct the villains. Let’s park the discussion on whether we are winning that war. Because there is a far easier war taking place – the one where the enemy enters your network, business vital application, or IP/PPI data through a vector you didn’t even know you had – the unmanaged asset – often referred to as Shadow IT.

Believe this is not your business? A recent study recommends the average enterprise has 841 cloud apps in use. Remarkably, most IT executives think the variety of cloud apps in use by their company is around 30-40 – implying they are wrong by an element of 20 times. The exact same report highlights that more than 98 percent of cloud apps are not GDPR ready, and 95 percent of enterprise-class cloud apps are not SOC 2 ready.

Defining Unmanaged Assets/Shadow IT

Shadow IT is specified as any SaaS application utilized – by employees, departments, or whole business groups – without the knowledge or consent of the company’s IT department. And, the introduction of ‘everything as a service’ has actually made it even easier for workers to gain access to whatever software application they feel is required to make them more efficient.

The Impact

Well intentioned staff members normally don’t understand they’re breaking corporate rules by triggering a new server instance, or downloading unauthorized apps or software application offerings. But, it takes place. When it does, 3 problems can develop:

1. Corporate standards within a company are compromised considering that unapproved software indicates each computer has various capabilities.

2. Rogue software typically includes security flaws, putting the whole network at risk and making it much more tough for IT to handle security dangers.

3. Asset blind spots not just drive up security and compliance threats, they can increase legal threats. Information retention policies created to restrict legal liability are being skirted with details stored on unapproved cloud assets.

Three Key Factors To Consider for Resolving Unmanaged Asset Threats

1. Initially, deploy tools that can supply detailed visibility into all cloud assets- managed and unmanaged. Know what new virtual machines have been activated this week, along with what other machines and applications with which each VM instance is communicating.

2. Second, make certain your tooling can provide constant stock of licensed and unapproved virtual devices running in the cloud. Make certain you can see all IP connections made to each asset.

3. Third, for compliance and/or forensic analysis functions search for a service that offers a capture of any and all assets (physical and virtual) that have actually ever been on the network – not simply a service that is restricted to active assets – and within a brief look back window.

Unmanaged Asset Discovery with Ziften

Ziften makes it easy to rapidly discover cloud assets that have actually been commissioned outside of IT’s province. And we do it continually and with deep historic recall within your reach – consisting of when each device first linked to the network, when it last appeared, and how frequently it reconnects. And if a virtual device is decommissioned, no problem, we still have all its historic habits data.

Identify and secure covert attack vectors originating from shadow IT – prior to a disaster. Know exactly what’s happening in your cloud environment.