Palo Alto NGFW & VMware NSX Integration: Use Cases Highlight Security Benefits

Everyone in IT has heard how Software Defined Networking (SDN) will change our world and that now, thanks to VMware and VMware’s NSX SDN solution, the Software Defined Data Center (SDDC) has become a reality.

Of course, once you enter SDDC world, you have a new set of challenges:

  • Lack of visibility into East-West (VM-to-VM) traffic
  • Manual, process-intensive networking configurations to deploy security within the virtualized environment
  • Security not keeping pace with speed of server provisioning
  • Incomplete or irrelevant feature sets within virtualized network security platforms

Many firewall vendors have stepped up with solutions to address these SDN challenges. Leading the pack is Palo Alto Networks with its NGFW tightly integrating with VMware NSX. The benefits of a virtual NGFW purpose-built for NSX are plentiful:

  • Using the VMware NSX platform’s extensible service insertion and service chaining capabilities, the virtualized NGFW is automatically and transparently deployed on every ESXi server.
  • Context is shared between VMware NSX and Palo Alto Networks’ centralized management platform, enabling security teams to dynamically apply security policies to virtualized application creation and changes.
  • Dynamic network security policies stay in sync with virtual application changes.
  • Enterprises can provision security services faster and utilize capacity of cloud infrastructures more efficiently without worrying about security.

So what are some of the actual use cases for VMware NSX and Palo Alto virtual NGFW? Let’s go over a few.

Use Case 1: VXLAN Segmentation with Advanced Protection Across Tiers

In this scenario, guest VMs are segregated using the traditional segmentation model based on L2 domain separation: VMs are connected to dedicated VXLAN logical switches depending on their role. For instance, in a 3-tier application model, all web server VMs are connected to the WEB logical switch, application logic VMs to the APP logical switch, and database VMs to the DB logical switch. The PAN virtual NGFW can be deployed alongside each of the logical switches to provide inter-tier security.

Use Case 2: Micro-Segmentation of a Multi-Tiered Application with Malware Protection

In this use case, we do not rely on traditional network constructs for segmentation (i.e., guest VMs segregated per L2 domain based on their role). With the integrated NSX and Palo Alto Networks solution, the segmentation is now independent of the network topology. Instead, the VMware NSX Security Groups with Panorama Dynamic Address Group Objects are leveraged for segmentation and security enforcement. A customer with an application that has a web front-end tier, an application tier, and a database tier no longer needs to create three network segments. All of these tiers and VMs can exist on one flat virtual network. NSX Security Groups, which define the micro-segmentation, align VMs with the tiers of the application.

Steering rules can then be created in NSX Service Composer/Security Policy that redirect traffic between any of the tiers to the Palo Alto Networks VM-Series firewalls. Using Panorama Dynamic Address Groups, VM-Series security policy based on the same tiers is enforced. In this way, we can ensure, for example, that only SQL traffic is allowed between the application and database tier.

Use Case 3: Enterprise Multi-Zone Security (PCI, Production and Development Zones)

In this scenario, an SDDC is created with three internal zones:

  1. Dev Zone—used for developers to create, test and validate new types of enterprise applications.
  2. Prod Zone—used for all applications running under production that are located in this part of the SDDC.
  3. PCI Zone—used for VMs that require access to customer personal information and payment card identification (compliance-driven environment).

Traffic from Dev Zone to Prod Zone is protected by NSX’s Distributed Firewall (DFW), which is the basic VMware firewall that can also forward traffic for inspection to Palo Alto VM-series firewall. For traffic between Prod Zone and PCI Zone, we require more granular protection with additional IPS and malware protection functionality. For this purpose, Palo Alto VM-series NGFW can be leveraged to provide advanced security features.

Use Case 4: Scale In/Scale Out for Elastic Applications

One major characteristic of cloud technology is its ability to dynamically adapt to user workloads. Consequently, during high activity periods, an application should be able to scale out rapidly and automatically in order to absorb all end-user traffic. In the same way, once activity goes back to a normal or even lower state, the application should be able to scale down dynamically to save energy and resources. A common name given to this type of application is “elastic application.”

For example, let’s take a 3-tier type of application with WEB, APP, and DB tiers.

In case of high activity, the WEB and APP tiers should be agile enough to expand quickly without any human intervention. Once VMs are instantiated on these tiers, consistent security policy should be enforced and, as such, overall systems always guarantee a high degree of protection, even in cases of dynamic workload creation and/or intrinsic application growth.

Starting with use case 2 (or use case 1, because the same concepts apply there), let’s consider a scale-out situation. The application must be expanded in order to support high demand at a given point in time. In practice this means adding additional WEB VMs and APP VMs.

With Palo Alto and VMware NSX, as additional VMs are added, Palo Alto VM-series firewalls will be deployed automatically with the VMs. Moreover, existing firewall policy rules will be enforced on the two new VMs. There is absolutely no human intervention in scale out situations. The application grows organically, and both NSX and the Palo Alto Networks systems will be able to apply traffic redirection and traffic protection to the newly created VMs.

In case of a scale down scenario (i.e., WEB-VM-3 and APP-VM-2 are removed because of lower activity), both NSX and Palo Alto Networks systems behave the same way. The two new VMs will be automatically removed from their respective Security Groups and the associated Dynamic Address Groups will be immediately updated with this information. Again, no human intervention is required!
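The mechanism behind use cases 2 and 4 is that policy is written against tier membership rather than against IP addresses, so a VM that joins or leaves a tier picks up or loses its rules automatically. The following Python model is an added example written for this page; it is not VMware, Palo Alto Networks or SwishData code. The tier tag on each VM stands in for NSX Security Group membership, the `dag()` lookup stands in for a Panorama Dynamic Address Group, and the VM names, addresses, ports and rule set are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tier: str  # stands in for NSX Security Group membership: "WEB", "APP" or "DB"


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str            # Dynamic Address Group the source must belong to
    dst_group: str            # Dynamic Address Group the destination must belong to
    allowed_tcp_ports: frozenset


class Inventory:
    """VM inventory; DAG membership is derived from the tier tag, never hand-edited."""

    def __init__(self):
        self.vms = {}

    def add(self, vm):
        self.vms[vm.name] = vm

    def remove(self, name):
        self.vms.pop(name, None)

    def dag(self, tier):
        """Resolve a Dynamic Address Group to the IPs currently carrying that tag."""
        return frozenset(vm.ip for vm in self.vms.values() if vm.tier == tier)


# Constructed policy: only web traffic WEB->APP, only SQL APP->DB, everything else denied.
POLICY = (
    Rule("web-to-app", "WEB", "APP", frozenset({8080})),
    Rule("app-to-db", "APP", "DB", frozenset({1433})),
)


def evaluate(inv, src_ip, dst_ip, tcp_port):
    """Return (rule_name, allowed). No matching rule means default deny."""
    for rule in POLICY:
        if src_ip in inv.dag(rule.src_group) and dst_ip in inv.dag(rule.dst_group):
            return rule.name, tcp_port in rule.allowed_tcp_ports
    return "default-deny", False


def build_inventory():
    """Constructed starting state: two WEB VMs, one APP VM, one DB VM on a flat network."""
    inv = Inventory()
    inv.add(VM("WEB-VM-1", "10.0.0.11", "WEB"))
    inv.add(VM("WEB-VM-2", "10.0.0.12", "WEB"))
    inv.add(VM("APP-VM-1", "10.0.0.21", "APP"))
    inv.add(VM("DB-VM-1", "10.0.0.31", "DB"))
    return inv


def scale_out(inv):
    """Elastic growth: new VMs get the tier tag and inherit policy with no rule edits."""
    inv.add(VM("WEB-VM-3", "10.0.0.13", "WEB"))
    inv.add(VM("APP-VM-2", "10.0.0.22", "APP"))
    return {
        "dag_WEB": inv.dag("WEB"),
        "new_app_sql_to_db": evaluate(inv, "10.0.0.22", "10.0.0.31", 1433),
        "new_app_ssh_to_db": evaluate(inv, "10.0.0.22", "10.0.0.31", 22),
        "new_web_direct_to_db": evaluate(inv, "10.0.0.13", "10.0.0.31", 1433),
    }


def scale_in(inv):
    """Scale-down: removed VMs drop out of the DAGs, so their old IPs no longer match any rule."""
    inv.remove("WEB-VM-3")
    inv.remove("APP-VM-2")
    return {
        "dag_APP": inv.dag("APP"),
        "removed_app_sql_to_db": evaluate(inv, "10.0.0.22", "10.0.0.31", 1433),
    }


if __name__ == "__main__":
    inventory = build_inventory()
    print(scale_out(inventory))
    print(scale_in(inventory))
```

The point to notice is that nobody touched `POLICY` during either step: the new APP VM is allowed SQL to the DB tier and nothing else, the new WEB VM cannot reach the DB tier directly, and after scale-in a stale address that once belonged to APP-VM-2 falls through to default deny rather than keeping APP privileges.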

Today’s Hackers are High Tech Conmen. Plan Your Security Strategy Accordingly.

Today’s security strategies are predicated on attacks being technology based. Even after dismissing perimeter defense as passé, vendors point to endpoint defense, east/west containers, internal network defense, and catching Indicators of Compromise (IoCs) early, pitting our technological defenses against the hackers. In fact, a key factor in most high-profile government breaches has been social engineering. This includes the latest DoJ/DHS breach that put a lot of government employees’ contact information on the street.

The hacker reportedly compromised the email account of a DOJ employee and then, posing as that employee, persuaded DOJ tech support to provide a token code to access the DOJ web portal. Sure, this social engineering scheme should not have worked (and will not be repeated, we hope). However, experience shows that someone else will come up with a new and even more compelling social engineering scheme to abuse tech support at an agency. These bad actors are simply the newest form of conmen.

Modern conmen aren’t the slick, smiling guys who schmooze old ladies out of their retirement savings. Today’s conmen are “Microsoft tech support” and “the IRS” for the average person sitting at home. And at federal agencies, the conmen are the helpless employees calling tech support because they forgot their password or token code. Remember the high-profile Pentagon breaches that occurred because of well-crafted phishing emails? Again, conmen.

Security experts are trying to fight a war of wits with technology and losing.

Why is this happening? Because the left hand isn’t talking to the right hand. Half the time when I talk to agencies, the network team runs some security tools, and the tech support team runs patching and AV (don’t get me started). The security team might, just might, own the firewall. Maybe. Hey, at least they own the SIEM. But do you think every system that should send syslog does? Don’t bet on it. When you’re dealing with conmen, the only way to catch them is communication. Anyone who has read “Winnie the Pooh’s New Clothes” remembers that the Sly Fox could con everyone because they were too afraid of looking “un-wise” to talk to each other. Sound familiar?

Even if I could wave a magic wand and put all the security infrastructure in the hands of the SOC, it wouldn’t solve the biggest problem, which is the need to synchronize all the security tools and data into one integrated, automated infrastructure. I am frustrated when I see a SIEM as the only integration point. Just because all the logs from various security tools end up in one repository that an agency can query or write correlation rules against does not mean the security infrastructure is integrated and automated.

We need threats to be identified locally as they occur and shared across heterogeneous resources. The SDN controls need to be told to quarantine an endpoint when the malware analysis comes back with a conviction. The NAC needs to be told what to look for when a device re-enters the environment from the outside. (Did you see the Tripwire airport WiFi report? UGH.)

There is so much more to say on this, but you get the picture. This needs to happen, and it requires that the products from companies like Palo Alto Networks, ForeScout, VMware and others are implemented to work together. The industry is doing some work on this, but not enough. Federal agencies need to take advantage of the integrations available and demand more cooperation as well.

What to look for in a Next Generation Firewall (NGFW)

Your legacy Cisco ASA firewalls are nearing end of life (EOL), and so now your boss has tasked you with selecting a new firewall solution. You’ve heard that the Next Generation Firewall (NGFW) is the next big thing when it comes to protecting network perimeters, but you really don’t know a lot about it. Where do you start? What do you look for? What questions do you ask?

In this blog entry, I will provide some quick pointers on how to create a list of requirements against which you would evaluate potential NGFW candidates.

If you are starting your requirements development from scratch, an easy place to start is the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS publication, “Requirements and Security Assessment Procedures,” can be used as a foundation for developing NGFW requirements for your agency. The latest version of the PCI DSS publication is version 3.1 from April 2015.

You can create the language your boss wants to see by copying, pasting, and editing the PCI DSS document. Once that’s done, you will have a bunch of vendors hitting you up for meetings. What questions do you ask these guys to make sure you are getting the right product for your requirements?

At a minimum, your questions should focus on application identification, application policy control, threat prevention, management, networking, and hardware. Here is the list of questions you should ask. Feel free to copy and modify to fit your own procurement needs.

Application Identification (App-ID)

  1. Describe how the gateway will accurately identify applications and the mechanisms used to classify applications.
  2. Is identification based on an intrusion prevention system (IPS) or deep packet inspection (DPI) technology? You want DPI.
  3. If it’s DPI, how is its classification accuracy and completeness? And are there performance issues when App-ID features are turned on?
  4. How is the traffic classification mechanism different from other NGFW vendors?
  5. How are unknown applications handled?
  6. Are custom application signatures supported?
  7. How is SSL-encrypted traffic identified, inspected, and controlled?
  8. How do the SSL controls delineate between personal protected (e.g., banking, shopping, health) and non-personal protected traffic (e.g., Gmail, Facebook, Dropbox)?
  9. How many applications are identified (provide a list) and what is the process for updating the application database (for example, software upgrade or dynamic update)?
  10. If a new application is needed, what is the process for adding it to the device?
  11. Can an end-user submit an application for identification and analysis and/or define custom applications?
  12. Does the product support URL filtering? Describe the URL filtering database. Is the database located on the device or on another device?
  13. Describe/list any other security functions that can leverage the application information collected, including drilldown details and user visibility features.

Application Policy Control

  1. Describe the process for implementing policy-based application controls.
  2. What are the available application policy control parameters (e.g., user, IP address, date and time), and how can they be used for policy enforcement?
  3. Can policy controls be implemented for all applications identified?
  4. Can policy controls be implemented for specific users or groups?
  5. How are remote access environments supported (for example, Citrix and Terminal Services)?
  6. Can port-based controls be implemented for all applications in the application database?
  7. Can the solution perform traditional firewall-based access controls?
  8. Can policy controls be implemented from a single management interface? For example, Cisco is notorious for having to use ASDM to manage the legacy ASA chassis and FireSIGHT console to manage NGFW features. You don’t want that.
  9. Are users warned when they attempt to access a URL or application that violates policy?

Threat Prevention

  1. Describe the intrusion prevention features and antivirus engine.
  2. List the types of threats that can be blocked. List the file types that can be blocked.
  3. Is data filtering supported?
  4. Can the threat prevention engine scan inside SSL-encrypted traffic? What about compressed traffic?

Management

  1. Describe the management capabilities and visibility tools of your NGFW solution.
  2. Does device management require a separate server or device?
  3. Are application policy controls, firewall policy controls, and threat prevention features all enabled from the same policy editor?
  4. What tools provide a summary view of the applications, threats, and URLs on the network?
  5. Describe any log visualization tools.
  6. Are reporting tools available to understand how the network is being used and to highlight changes in network usage?
  7. Describe the logging and reporting capabilities of the solution.
  8. Describe how management access is ensured when the device is under heavy traffic load.
  9. Are there any central management tools available?

Networking

  1. Describe the Layer 2 and Layer 3 capabilities of your NGFW solution.
  2. Are 802.1q VLANs supported? What is the VLAN capacity?
  3. Is dynamic routing supported (for example, OSPF, BGP, and RIP)?
  4. Describe any QoS or traffic shaping features.
  5. Is IPv6 supported?
  6. Are IPSec VPNs supported? SSL VPNs?
  7. What deployment options are available (e.g., L2 in-line, L3 in-line, tap, passive)?
  8. Describe any high availability (HA) capabilities.

Hardware

  1. Is the solution software-based, an OEM server, or a purpose-built appliance?
  2. Describe the solution architecture. Is it single-pass or multi-pass? How are the data plane and control plane separated?

Phew … what a list! Hopefully this comes in handy. For more help, don’t hesitate to reach out to SwishData. We have a team of engineers available to help you navigate through the NGFW procurement process.

Advanced Persistent Threat (APT) – Revisiting the Definition

In today’s connected world, we hear a lot of talk about advanced persistent threats (APTs). In fact, the term “APT” is thrown around so often that many people have forgotten what it means. They just know it is something bad, relates to computers, and may be caused by a nation state. So I think it will be useful to revisit the definition of APT and describe its key attributes.

The term “advanced persistent threat” is widely cited as originating with Col. Greg Rattray of the U.S. Air Force in or around 2006. The term stuck and became so widely used that even the National Institute of Standards and Technology (NIST) included a definition of APT in its publication 800-53:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.

In a 2013 report titled “APT1 Exposing One of China’s Cyber Espionage Units,” Mandiant (now part of FireEye) presented the results of its research into alleged Chinese attacks between 2004 and 2013. The attacks spanned hundreds of organizations across multiple industries and had all the characteristics of what we now know as an APT.

Per Mandiant’s report, what makes an attack an APT is that it generally follows this lifecycle:

  1. Initial compromise – Use social engineering and spear phishing, over email, using zero-day viruses. Plant malware on a website that the targeted victims will likely visit.
  2. Establish foothold – Plant remote administration software in the victim’s network, and create network back doors and tunnels allowing stealth access to its infrastructure.
  3. Escalate privileges – Use exploits and password cracking to acquire administrator privileges over the victim’s computer and possibly expand it to Windows domain administrator accounts.
  4. Internal reconnaissance – Collect information on surrounding infrastructure elements and perform data harvesting on them.
  5. Maintain presence – Ensure continued control over access channels and credentials acquired in previous steps.
  6. Complete mission – Exfiltrate stolen data from victim’s network.

So there you have it. A quick review of the etymology of the term “APT” and a summary of the APT lifecycle.

Your security infrastructure doesn’t cover mobile use

For many workers, a laptop is essential to being productive when away from the office. They take their laptops when they travel. They bring them home in the evenings and on weekends, perhaps to catch up on work or to be on call to handle emergencies. A new report by CYREN highlights how attackers are using the habits of remote and mobile workers to circumvent the robust security infrastructure that larger organizations like Federal agencies have in place.

“Cybersecurity professionals report that as employees return to the office on Monday and login to corporate networks, security alerts begin popping up. These professionals speculate that when employees take their laptops home over the weekend, they connect to the Internet through public or unsecured WiFi, and proceed to surf the web and download content …. It turns out that Fridays are the peak distribution days for malware and spam.”

Federal agencies design access for employees over VPN to secure data, and rightly so. But that doesn’t mean that everything the remote laptop is used for will go through that VPN. Because of physics, adding a hop through the VPN for non-internal applications makes users feel that the Internet is slow. Nearly everyone will tell you “my home Internet is faster than work.” This leads users to disconnect from the VPN to do work they can get done without internal servers. This can include browsing the web for legitimate work and personal uses or downloading email, especially personal mail.

This is not only a problem from Friday through Sunday, but for any device that leaves the organization’s physical walls. When the device re-enters the internal network, it can become “patient zero,” spreading infection and enabling lateral movement to sensitive data, as the security professionals reported back to CYREN.

So how do Federal agencies deal with this problem?

There are two ways to address this problem. The first is a security endpoint product that monitors for Indicators of Compromise (IoCs) and has Incident Response (IR) built in, instead of legacy Anti-Virus (AV) products. There are several good products that do this, and your choice will probably depend on what your infrastructure currently has in it. This next-gen endpoint can include looking for malware through “fuzzy hashing” by products like CloudHash. These products will identify problems early, possibly before the endpoint connects to the network, but if not, quickly once it is connected to the network.

The second way to address this problem is to force each returning endpoint to receive a health check through a next-gen Network Access Control (NAC).  ForeScout is SwishData’s leading product here.  When the endpoint reconnects, it can be scanned for patches that were missed, files that have been installed and even compared against new vulnerabilities and threats the infrastructure has learned about since the device left the network.  Depending on the settings and the results of those scans, the device can be granted full access, be refused access, or quarantined for further administrative action.  Patient zero contained.
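To make the NAC health check concrete, here is an added example written for this page (not ForeScout, CYREN or SwishData code) that models the decision a NAC makes when an endpoint reconnects: confirmed-bad files mean deny and hand off to incident response, missing patches, advisories learned while the device was away, or stale AV signatures mean quarantine for remediation, and a clean posture means full access. The patch ids, the “known bad” hash, the advisory list, the signature-age threshold and the three sample laptops are all constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed baseline the NAC compares against (placeholders, not real patch ids or IoCs).
REQUIRED_PATCHES = frozenset({"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"})
KNOWN_BAD_SHA256 = frozenset({
    "0000000000000000000000000000000000000000000000000000000000000bad",  # placeholder IoC
})
# Threats the infrastructure learned about while devices were away: (published, fixing patch).
ADVISORIES = (
    (datetime(2016, 2, 12, 9, 0), "PATCH-EXAMPLE-002"),
)
MAX_AV_SIGNATURE_AGE = timedelta(days=3)
NOW = datetime(2016, 2, 15, 8, 0)  # constructed "Monday morning" reconnect time


@dataclass
class Endpoint:
    name: str
    last_seen_on_network: datetime
    installed_patches: frozenset
    av_signature_date: datetime
    new_file_hashes: frozenset  # SHA-256 of files installed since the device was last seen


@dataclass
class Decision:
    access: str                 # "full", "quarantine" or "deny"
    reasons: list = field(default_factory=list)


def evaluate_posture(ep, now=NOW):
    """Health check for a returning endpoint; the worst finding decides the outcome."""
    # 1. A known-bad file is a confirmed compromise: refuse access and escalate to IR.
    if ep.new_file_hashes & KNOWN_BAD_SHA256:
        return Decision("deny", ["known-bad file hash present; escalate to incident response"])
    reasons = []
    # 2. Missing baseline patches are remediated in quarantine before full access.
    missing = REQUIRED_PATCHES - ep.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    # 3. Flag missing patches that fix advisories published after the device left.
    for published, patch in ADVISORIES:
        if published > ep.last_seen_on_network and patch in missing:
            reasons.append(f"{patch} fixes an advisory published while the device was away")
    # 4. Stale AV signatures mean the device missed the latest definitions.
    if now - ep.av_signature_date > MAX_AV_SIGNATURE_AGE:
        reasons.append(f"AV signatures older than {MAX_AV_SIGNATURE_AGE.days} days")
    return Decision("quarantine" if reasons else "full", reasons)


def sample_endpoints():
    """Three constructed laptops: one clean, one that spent the weekend unpatched, one infected."""
    return [
        Endpoint("laptop-clean", datetime(2016, 2, 12, 17, 0), REQUIRED_PATCHES,
                 datetime(2016, 2, 14, 8, 0), frozenset()),
        Endpoint("laptop-weekend", datetime(2016, 2, 11, 17, 0),
                 frozenset({"PATCH-EXAMPLE-001"}), datetime(2016, 2, 10, 8, 0), frozenset()),
        Endpoint("laptop-infected", datetime(2016, 2, 12, 17, 0), REQUIRED_PATCHES,
                 datetime(2016, 2, 14, 8, 0),
                 frozenset({"0000000000000000000000000000000000000000000000000000000000000bad"})),
    ]


def run_checks(now=NOW):
    """Evaluate every sample endpoint and return its decision keyed by name."""
    return {ep.name: evaluate_posture(ep, now) for ep in sample_endpoints()}


if __name__ == "__main__":
    for name, decision in run_checks().items():
        print(name, decision.access, decision.reasons)
```

The ordering matters: the IoC check runs first and short-circuits, because a device with known-bad files should never be let onto the network to be patched, while the patch and signature findings are accumulated so the remediation ticket lists everything the device needs before it is released from quarantine.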

Defending the network from returning systems that have been infected “in the wild” is a real problem.  Between the above two solutions, and the possibility of them working together through pre-defined integration points, it is possible to defeat this problem.  It’s a real problem, but can be addressed.  For more about how SwishData can help you with these problems and simplifying your environment while making it more secure, contact us here.

‘Tis the Season: Give Your Family the Gift of Security

The holidays are upon us.  It really is the most wonderful time of the year.  I don’t know about you, but I for one love giving gifts, especially to my children and other family members.  Nothing is more thrilling than watching their excitement.

I still remember the birthday dinner for my oldest son when he turned 13 years old and got his first iPhone.  Most of his friends had them for years prior.  He was so excited he didn’t take a bite of his dinner.

Christmas and the surrounding holiday season is similar to that moment … only on a much grander scale.  It is the season of giving.  Likewise and for kids of all ages, it has become the season of the tech boom.  New gadgets and widgets are being purchased at record breaking paces.  Every one of them connected and integrated into an online world with so much to explore and do.

While this is all very exciting, it can also be very sobering and troubling, especially for parents who are now enabling our children to have ungoverned communication, media and information at their fingertips like never before.  Much of this is good, but we also need to guard against the bad that our children may be exposed to.

Consequently, I have decided to use this blog space for readers who may have concerns similar to mine. I will list some of my favorite tips and products that can be used to set a parent’s mind at ease while protecting our finest assets, our children, as well as ourselves and family members of all ages.

A Few Disclaimers

Before I get started, I want to mention three things:

  • I understand that there is a difference between “control” and “accountability.”  The information I’ll share below covers both of these areas. You’ll find a decent mix of each.  I realize that everyone is different in terms of preference and maturity levels when it comes to such things.
  • The products that I mention below are not sold by SwishData.  They are simply things that I have enjoyed or seen success with.  There are many others out there like them and I encourage everyone to do their homework before making a decision.
  • The information below is intended to be an overview—a starting point—not a tutorial on how to enable and use the controls and accountability tools. Each product does a nice job of providing those instructions on its own site for those who might be interested.

The best way to approach this is by category. Here we go.

A great starting point here is with “restrictions.” I encourage you to check out the options. You can set a passcode that is different from the one for the device itself, so you can lock down installing apps, deleting apps, and in-app purchases. You can also put age-appropriate levels on things such as music, movies and shows that can be watched from the device. And you can disable the stock browser in favor of another browser that allows more accountability. These actions are very basic but very effective—and free!

iTunes

iTunes lets you restrict or prevent access to the iTunes Store, shared libraries, and certain types of content. For computers with multiple user accounts, you can set different controls for specific users, but still allow unrestricted access from administrator accounts. To do this, simply go to the help menu in iTunes and search on the word “parental.” It will provide you with all of the information you need to get started. Also very quick, effective and free!

BluRay, DVD and Streaming Formats of Movies/TV Shows

I’ve recently come across an excellent product called ClearPlay.  You set content preferences based on your family values. ClearPlay Smart Parental Controls then automatically filters out the images and dialogue you don’t want in the movies and TV shows you own or rent or stream.  You control what your family does – and doesn’t – see and hear, so everyone can enjoy worry-free family time.

ClearPlay has settings for Vulgarity, Nudity, Substance Abuse, Sensuality, Violence, and more. And the controls stay in place even when you’re not around.

I just recently invested in this myself and, so far, it is awesome. In case you haven’t noticed, “PG-13” is the new “R.” This really allows me to watch the movies I want to enjoy with my kids without cringing and feeling like I have done them a real disservice as a parent.

Another excellent product that I recommend is Covenant Eyes. The best way to change or avoid bad online habits is with the help of relationships, accountability, transparency, and healthy conversations. And that’s exactly what Covenant Eyes software provides.

The way it works is pretty simple.  You pick an accountability partner who gets a confidential report of your activity. Only the people you trust will see your report.  It works for families, individuals, and at the office. For example, you can set it up to see the report of your kid’s online activities or the activities of your accountability partner. You also have flexible content filter settings that you can enable as well.

If you or your kids need an extra layer of protection, you can also apply Internet filtering to block inappropriate web content based on age-appropriateness. You can even create custom block-and-allow lists, or block the Internet completely at certain times of day.

It works for all age groups. Your 16-year-old can handle different content than your 5-year-old, so you don’t have to keep them at the same level. You can easily update the filter settings for their unique usernames as their needs change.

Covenant Eyes is easy to install and use on Windows, Mac and smart phone devices.  In most cases it works with your stock browser, with no changes needed.

Social Media and Texting

This is probably the most complex of all.  The choices are seemingly endless – Facebook, Twitter, Instagram, Snapchat, iMessage, etc.  The best advice I can give here is to know which your kids are using and restrict the use of others.

Each of them generally has a way to ensure that you don’t have a public profile and you can secure your personal information.  At the very least, this should be enforced with children.

I would also strongly encourage that if your child is on one or more of these social media, that you also participate with them. That is, if their “friends” or contacts can post it or say it in front of them, then they should have no worries posting it or saying it in front of you.

Last but not least: Don’t be fooled by some of these outlets that appear to put everything out in the open.  Most of them have an integrated private messaging mechanism as well.  Direct messaging or private messaging, for example, in Instagram and Facebook, allows folks to communicate one on one or in a smaller group setting without it being seen in public. This is something you should be aware of.

I’ll close by reminding everyone that all tech gadgets and devices are man-made.  And as with everything that is man-made, they have the potential to be used for good or for bad.  This isn’t anything to be afraid of, but it is something to be aware of.

The online community and tech boom can sure be a lot of fun if we take the time to educate ourselves and be accountable to the good things while holding our families to the same standards.  I hope you find this helpful, and that it allows you as a parent or loved one to have an even greater peace and security this holiday season.

Merry Christmas and Happy Holidays to all!

Solutions for Endpoint Problems: Digging into MeriTalk’s Federal Survey

Palo Alto Networks has been working hard to solve agencies’ endpoint problems with Traps™, its new next-generation endpoint product.  It’s a good product to look at.

Recently, the Palo Alto Public Sector team hired MeriTalk to survey federal managers and employees and produce a report on endpoint security.  The report offers some recommendations that we at SwishData support:

  • Identify All Connected Assets
  • Patch Vulnerabilities
  • Implement Endpoint Security for Zero Day Threats
  • Require End-User Training
  • Vaccinate Your Endpoints

Most of these are features that Palo Alto’s endpoint system can help with, but there are some additional solutions that can assist federal agencies.  Here are some ideas to make these recommendations even more successful in securing your endpoints.

Identify All Connected Assets. Sounds good, but how?  One way is a solution like ForeScout Technologies’ CounterACT™ system and RedSeal Networks’ network mapping tools.  These two working in concert help significantly.  A ForeScout video provides a good explanation of how CounterACT and McAfee’s DXL combined with ePO can create an underlying architecture to accomplish this.

Patch Vulnerabilities. Sounds simple, but pushing out patches in a large network for every single vulnerability discovered by scanners like Tenable’s Nessus and endpoint management tools like Tanium and CloudHASH is daunting.  How do you prioritize?

If you simply try to digest all of them at once, you may not patch quickly enough. One way to prioritize is through RedSeal. It digests vulnerability scan outputs and network configuration data and then displays both a map of the network and a heat map of the most pressing concerns for the most important data. This makes patching less daunting and more effective.
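The idea of ranking findings by reachability and by the value of the data behind them, rather than by scanner severity alone, can be shown in a few lines. The following is an added example written for this page, not RedSeal, Tenable or SwishData code; it uses a constructed reachability graph (which hosts can reach which, derived in practice from firewall and routing configuration), constructed scanner findings with placeholder vulnerability labels rather than real CVE ids, and a simple scoring rule chosen for illustration: CVSS, divided by the number of hops from the untrusted zone, doubled when the host holds sensitive data.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str   # constructed placeholder label, not a real CVE id
    cvss: float    # base score as reported by the scanner


@dataclass(frozen=True)
class HostContext:
    holds_sensitive_data: bool   # from the asset inventory


# Constructed scanner output: note the critical finding on an isolated lab box.
FINDINGS = (
    Finding("web-01", "VULN-A", 9.8),
    Finding("hr-db-01", "VULN-B", 7.5),
    Finding("lab-test-03", "VULN-C", 9.8),
    Finding("hr-db-01", "VULN-D", 5.0),
)

# Constructed reachability graph: "untrusted" can reach web-01, web-01 can reach hr-db-01,
# and nothing reaches lab-test-03. In practice this comes from firewall and routing config.
REACHABILITY = {
    "untrusted": {"web-01"},
    "web-01": {"hr-db-01"},
}

CONTEXT = {
    "web-01": HostContext(holds_sensitive_data=False),
    "hr-db-01": HostContext(holds_sensitive_data=True),
    "lab-test-03": HostContext(holds_sensitive_data=False),
}

UNREACHABLE_EXPOSURE = 0.1   # hosts with no path from untrusted still get a small weight


def hops_from_untrusted(graph, start="untrusted"):
    """Breadth-first search: number of hops from the untrusted zone to each reachable host."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def exposure(host, hops):
    """1.0 for directly exposed hosts, 1/hops deeper in, a floor for unreachable hosts."""
    return 1.0 / hops[host] if host in hops else UNREACHABLE_EXPOSURE


def prioritize(findings, graph, context):
    """Return (host, vuln_id, score) tuples, highest priority first."""
    hops = hops_from_untrusted(graph)
    ranked = []
    for f in findings:
        weight = 2.0 if context[f.host].holds_sensitive_data else 1.0
        score = round(f.cvss * exposure(f.host, hops) * weight, 2)
        ranked.append((f.host, f.vuln_id, score))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


if __name__ == "__main__":
    for host, vuln, score in prioritize(FINDINGS, REACHABILITY, CONTEXT):
        print(f"{score:5.2f}  {host:12s} {vuln}")
```

With this input the Internet-facing web server’s finding stays on top, the two findings on the HR database outrank the second 9.8 because the database holds sensitive data and is two hops from the outside, and the 9.8 on the unreachable lab host drops to the bottom of the list. The weights are deliberately simple; the point is that the ranking combines scanner severity with network and asset context rather than using either alone.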

The second challenge is how do you patch?  Push through Microsoft administrative tools?  There are several tools out there that allow you to solve these issues, usually falling under the incident response category.  Currently, my favorite is CloudHASH, with the caveat that it needs McAfee ePO.

Implement Endpoint Security for Zero-Day Threats. Sounds easy, and many claim to do it.  Truth is no one can guarantee finding true zero-day threats.  The reality is that you need a combination of endpoint IOC monitoring, scheduled queries from a product like Tanium, network monitoring for command-and-control (C&C) traffic and a quality sandbox that does both dynamic AND static analysis. Preventing the initial infection by a zero-day exploit is nearly impossible, despite what many claim, but catching the infection and its activity quickly is possible.  Organizations can contain lateral infections by integrating the above products with automation and orchestration in the response.  One key to this is being able to quarantine or take infected systems offline with EXTERNAL controls over the infected box, through something like ForeScout’s CounterACT, rather than relying on an agent on a machine the attacker already controls.

Require End-User Training. This isn’t a technological solution, but it is one of the most critical activities.  I jokingly call users the “layer 8 vulnerability,” but they are indeed the biggest threat to an agency’s network security.   Hackers tend to be really good con men.  Witness the success of the recent phishing attack against many agencies and the Verizon DBIR report, which identifies phishing as the most common method behind high-profile breaches.

Vaccinate Your Endpoints. This means information sharing inside an organization, or “Local Threat Intelligence,” for quick incident response.  Too many times, a breach is detected and the single endpoint is cleaned up too slowly, while the other endpoints are not patched, queried for the same IOCs, and cleaned up quickly, if at all.  Many organizations pay huge sums to companies such as Mandiant and CrowdStrike because this process is difficult to do manually.  Automation and orchestration are needed to achieve effective incident response in a large enterprise.  Unfortunately, achieving automation and orchestration is not easy.
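The IOC sweep and quarantine loop described under the zero-day and vaccination recommendations above, as an added Python example that is not part of the post and not any vendor’s API: indicators pulled from the first infected host are matched against query results from every other endpoint, and the hits are turned into an ordered response plan. The hashes are computed from constructed byte strings so no real malware identifier is implied; the domain, hostnames, mutex name and the step names such as nac_isolate are placeholders for whatever your NAC/EDR orchestration actually exposes.

```python
import hashlib
from collections import defaultdict


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# IOCs pulled from the first infected host. Hashes are computed from
# constructed byte strings so that no real malware identifier is implied;
# the domain and mutex name are placeholders.
LOCAL_IOCS = {
    "sha256": {sha256_hex(b"constructed dropper sample"): "dropper",
               sha256_hex(b"constructed beacon dll"): "beacon"},
    "domain": {"update-check.example.net": "c2"},
    "mutex": {"Global\\ConstructedMutex01": "beacon"},
}

# Constructed endpoint telemetry; in practice this is the result of a
# scheduled query to every endpoint. 'patient0' is the original host.
TELEMETRY = [
    {"host": "patient0", "type": "process", "sha256": sha256_hex(b"constructed dropper sample")},
    {"host": "ws-102", "type": "process", "sha256": sha256_hex(b"constructed beacon dll")},
    {"host": "ws-102", "type": "dns", "qname": "update-check.example.net"},
    {"host": "ws-117", "type": "dns", "qname": "update-check.example.net"},
    {"host": "ws-230", "type": "process", "sha256": sha256_hex(b"harmless installer")},
    {"host": "ws-230", "type": "dns", "qname": "www.example.com"},
    {"host": "srv-fs1", "type": "mutex", "name": "Global\\ConstructedMutex01"},
]

# Which telemetry field carries the value, and which IOC table to check it against.
EVENT_FIELD = {"process": "sha256", "dns": "qname", "mutex": "name"}
EVENT_IOC_KIND = {"process": "sha256", "dns": "domain", "mutex": "mutex"}


def sweep(telemetry, iocs):
    """Match every event against the IOC tables.
    Returns {host: [(ioc_kind, value, label), ...]} for hosts with hits."""
    hits = defaultdict(list)
    for ev in telemetry:
        kind = EVENT_IOC_KIND.get(ev["type"])
        if kind is None:
            continue
        value = ev.get(EVENT_FIELD[ev["type"]])
        label = iocs[kind].get(value)
        if label:
            hits[ev["host"]].append((kind, value, label))
    return dict(hits)


def plan_response(hits, already_contained=()):
    """Turn hits into an ordered response plan. A hash or mutex match means
    the malware ran (confirmed); a DNS-only match means a C2 lookup was seen
    (probable). Step names are placeholders for the NAC/EDR actions an
    orchestration layer would call."""
    plan = []
    for host, matches in sorted(hits.items()):
        if host in already_contained:
            continue
        kinds = {kind for kind, _, _ in matches}
        if kinds & {"sha256", "mutex"}:
            plan.append({"host": host, "confidence": "confirmed",
                         "steps": ["nac_isolate", "collect_triage", "reimage"]})
        else:
            plan.append({"host": host, "confidence": "probable",
                         "steps": ["nac_isolate", "collect_triage"]})
    return plan


if __name__ == "__main__":
    hits = sweep(TELEMETRY, LOCAL_IOCS)
    for action in plan_response(hits, already_contained={"patient0"}):
        print(action["host"], action["confidence"], action["steps"], hits[action["host"]])
```

Isolation is listed before triage collection on purpose: the containment control lives in the network (NAC or firewall), so it works even when the endpoint agent has been tampered with, and the evidence is collected once the box can no longer reach anything else.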

There are reference architectures that can combine Palo Alto NGFW, sandbox threat data (McAfee ATD, Palo Alto WildFire and FireEye NX), ForeScout Control Fabric, CloudHASH endpoint management, several major SIEMs and a McAfee infrastructure to completely automate this process in a jaw-dropping, efficient manner.  You can even add other technologies such as Brocade, Bromium, Gigamon, MaaS360, MobileIron, RedSeal, Splunk, Tenable, TrapX, and more to the reference architecture through direct and API integrations.

For more information about any of these recommendations and the reference architecture, you can contact me at for a briefing.

OPM Information Breach – “Fed Up!”

I recently received a USPS-delivered “official business” letter from the US Office of Personnel Management regarding last summer’s cyber security breach at the agency.

The letter began, “As you may know, the Office of Personnel Management (OPM) was the target of a malicious cyber intrusion carried out against the US Government, which resulted in the theft of background investigation records.”

I didn’t have to read on to determine that my information had been compromised.  Nonetheless, I did continue reading, only to be informed that my Social Security Number and “other personal information was included in the intrusion.”  To make matters worse, because I am an individual who has been investigated for and holds a security clearance, the information that was compromised included my family members’ information, my home address, date and place of birth, my fingerprints and “various other personal data.”

As I re-read the letter in disbelief, I was thinking:  “Let me get this straight. Holding a high-level US government security clearance—in which I entrust the government to secure and keep private both my own and my family’s personal information in the same manner that I have sworn to secure the government’s classified information—is the very reason that I am vulnerable to this type of intrusion and identity theft.  Wow.”

As I read on, they attempted to reassure me.  First, it was explained that “federal experts” don’t believe the technology to utilize my fingerprints maliciously is “mature enough yet.”  But it “could be in the future.”  These are the same experts who were charged with securing my data in the first place that are making this reassuring claim.

Second, they do offer a credit and identity monitoring service that I can enroll in with a PIN and ID, where they will keep an eye on things to see if any of my information is being misused.  Keep in mind that they sent me the website URL and my PINs for this service in the clear in the US mail – and remember the breach included my home address as well.  Brilliant!  Should I further entrust them to monitor my use and activity when they are undoubtedly leveraging a system that can also be hacked and exploited?  What would you do?  And what came first anyway?  This all feels surreal, like playing that child’s game asking which came first, the chicken or the egg.

The moral of the story here is short and simple.  It’s no child’s game.  Cyber Security within the US public sector is clearly still in its infancy.  Anyone who works in federal IT, expert or not, and claims otherwise, is simply not informed.

The bad guys are leaps and bounds ahead of the good guys.  Taxpayer dollars are still not being properly applied to fight the cyber war.  While it has certainly improved, it is nowhere near what it needs to be.  Reactive measures and systems aren’t enough.   Yet many agencies continue to kick the can down the road with tech refresh cycles of the same technology that has been in place for a decade, or by using the same IT integrators that have systematically succeeded by providing “lowest price technically acceptable” solutions and services.  Why?  Because it’s easy and because it’s a known entity.  It isn’t difficult to justify and spend a federal budget that is funded by the taxpayers by slapping a label on projects and IT integrator service expenditures which deems them to be “cyber security” or “cloud” related.  In the last three years, people have reinvented these terms in scores of creative ways to meet their desired budgetary and expenditure outcomes while making little to no innovative progress in proactively fighting the war on cybercrime.  It doesn’t require a technology discussion or debate to prove or disprove this fact.  The measuring stick is clearly included in the information I’ve shared above.

It is time for federal employees and contractors to step up to the plate and insist upon a new way of doing IT business.  For starters, it’s time for federal IT leaders and administrators to stop talking so much and start listening.  Bring in the experts and listen to them versus telling them what you want to spend on and pre-determining the solution, as we so often do in the IT space.  Zero-day intrusion detection, data access governance, data-at-rest encryption and behavioral analytics tools are just a handful of solutions that simply aren’t getting enough attention or being properly vetted and implemented within the federal IT enterprise.

Out with the old, in with the new.  Something has to change.  As a taxpayer who has also sworn to protect the integrity of the US federal government and its classified information, I am frustrated beyond belief with the same old government IT spending and implementation antics.   I have entrusted them with my now compromised personal information. I implore each and every one of them to step outside of the box and act on real change.

Translating the NIST Cybersecurity Framework into Practice

If you are an IT professional, you undoubtedly have heard of the NIST Cybersecurity Framework. And if you are an IT professional in the federal government, you have probably been in meetings with upper management discussing what the NIST Cybersecurity Framework guidance means for your agency.

The problem that most technical folks have with documents like this is that their high-level management speak offers no clear way to translate their guidance into practice. This blog is going to provide that translation with a “cheat sheet” that maps the Cybersecurity Framework Functions to solutions and actual products that will enhance the cybersecurity posture of your organization or agency (see Cybersecurity Enhancement Act of 2014 [Public Law 113-274]).

First a bit of background. It all started with an Executive Order (EO). In 2013, the White House issued Presidential EO 13636, Improving Critical Infrastructure Cybersecurity, which outlines the responsibilities of federal departments and agencies to bolster cybersecurity defenses. In response to this order, in February 2014, the National Institute of Standards and Technology (NIST) issued version 1.0 of the Cybersecurity Framework. The NIST Cybersecurity Framework is voluntary guidance, written for critical infrastructure owners and operators but applicable to any organization, federal agencies included. The idea behind the framework is to help organizations better understand, manage, and reduce cybersecurity risks.

The graphic below presents the NIST Cybersecurity Framework in a nutshell. If you’re an IT professional, you should probably memorize it.

[Graphic: the five Framework Functions – Identify, Protect, Detect, Respond, Recover]

It all starts with:

  1. Identifying assets and associated risks – hence IDENTIFY.
  2. Then, once we know what assets we’ve got, we have to implement defenses – hence PROTECT.
  3. So we’ve got our walls and moat, but we should still have some watchmen seeing if anyone is trying to swim the moat or, maybe, attempting to get a Trojan Horse through the city gate – we need to DETECT.
  4. Once we’ve detected something suspicious (such as an Advanced Persistent Threat [APT]), we need to RESPOND to what we detected.
  5. Finally, if there was any damage done, we need to rebuild and RECOVER, and revisit step 1 above to see what it is we are actually protecting.

That’s the essence of the NIST Cybersecurity Framework. Of course, each function can be further subdivided into different areas of business, and protective controls can be assigned to each. For example, the IDENTIFY (ID) function is subdivided by NIST into:

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

An organization can dig down and create a set of categories as granular as it wants. However, as an IT professional, you would need a technical control to address the security of each category. In other words, you may need a firewall box to PROTECT, an IDS appliance to DETECT and a continuity of operations (COOP) site to RECOVER. The cheat sheet shows the product/app/solution/box/appliance you need to provide security for each of the NIST Framework functions and associated categories (see Figure 1 below).

We at SwishData understand the NIST Cybersecurity Framework and developed a comprehensive solution offering to help your agency be protected. For each solution in the far right column of Figure 1, SwishData works with the best-of-breed vendor for that particular category. We pride ourselves on taking the time to research all products in our cyber portfolio and work only with vendors who are security industry leaders and visionaries. When you hire SwishData to architect your agency’s cybersecurity defenses, you will be working with the world’s best security companies on your side!


Figure 1: Federal IT managers can use this SwishData “cheat sheet” to identify the appropriate cyber solutions for each of the major functions in the NIST Cybersecurity Framework.


How Phishing Sites Use ‘Reverse Proxies’ and Why You Should be Worried About It

Many IT-savvy folks are too careful to get caught by phishing Emails, but most also believe that even if they did click, they would never fall for a phishing site: paying close attention to the details will protect them.

Not so fast.

The cyber-criminal and cyber-espionage groups have gone high tech and are now using Application Delivery Controllers (probably virtualized versions) to “reverse proxy” legitimate sites without the owners’ knowledge.  This gives the bad guys clever new ways to steal usernames and passwords for unimpeded access to bank accounts and to sensitive corporate and government data.

For those not familiar with Application Delivery Controllers, an ADC is a valuable tool for businesses to streamline, improve and protect their web content and applications.  (That last part about “protect” is ironic, given this new abuse.)  Here’s how it works:


Figure 1: From Wikipedia

Enterprises use reverse proxies to do things such as:

  • Load balance web traffic between multiple web servers serving the same content
  • Secure Remote Access
  • Intelligent compression
  • Caching
  • Break and inspect SSL traffic (catch that?)
  • Application delivery firewall

There is one more thing that a reverse proxy can do that is important:  Substitute content.  Let’s say you have a home-grown application that has millions of lines of code.  Your organization wants to change a logo or a string of text quickly, but the original code was not written in a way that makes this easy.  You can use a reverse proxy to replace content with a simple rewrite rule or script:  “Request is X, return Y to the user instead.”

So let’s recap.  Bad actors are standing up reverse proxies that front legitimate websites without the owners’ knowledge, a capability that allows them to do things such as terminate and inspect the SSL session and substitute content.  Note what “break and inspect” means here: the proxy does not break TLS to the real site.  It terminates TLS on the attacker’s own look-alike domain, using a certificate that is perfectly valid for that domain, and opens a second TLS session to the genuine site.  The padlock the victim sees is real; only the hostname is wrong.  Again, it must be emphasized, the original server gets no direct indication this is going on: every request arrives from the proxy’s address, which is exactly what a CDN or load balancer looks like from the back end.  In addition, the users who land on the proxy will get the correct site, be able to log in as normal with their username and password, and even complete two-factor authentication when enabled, because the proxy relays the one-time code to the real site in real time.

The only difference is that the bad actors can replace intended content with their own content for profit, break the Search Engine Optimization rules, and—most worrisome—break and inspect the traffic to log usernames and passwords at will.

How might bad actors use this for cybercrime? As one example, they could target users of a specific website by sending them an Email that looks very legitimate and comes from an Email address that looks authentic, but contains a link to their reverse-proxy front of the site.  Banking sites, of course, would be the most common targets, being the juiciest.  In such a case, when the recipients hit the link, they will get their bank site just like they expected. They log in, just like expected, review their account (or whatever is requested in the Email), and then log out.  Nothing bad seems to have happened, no malware has been introduced, and the user just logged in and logged out.  Then sometime soon after, their account is empty.  Gone.

The most effective cyber-espionage use of this technique is the content replacement feature: the proxy can alter what the victim’s browser receives, for instance by injecting script into a served page or swapping a legitimate download for one that carries malware, and use that to make configuration changes or install malware on the user’s computer.  Either way, if successful, the bad actor then uses that foothold to access the compromised system for data exfiltration.

There is one footnote to this issue.  With the advent of external cloud usage in the Federal Government space, and the public knowledge of what agencies are using what cloud services, cyber-espionage can be accomplished by using the same SSL break and inspect for cloud applications.  This includes the AWS isolated GovCloud and even the vaunted C2S, if the bad actor could get inside the direct network traffic flow.  If bad actors can somehow get a Federal Government user to use their proxy instead of directly accessing the cloud application, then they can capture and log the activities live, or capture the login and password for direct access.

The bottom line: This is a severe threat that should be monitored for.  On the site owner’s side, watch certificate transparency logs and new domain registrations for look-alike names, and watch your own access logs for a single client address carrying many distinct user sessions, or for Origin and Referer headers that name a domain you do not own.  On the user side, prefer phishing-resistant second factors: a FIDO2/U2F authenticator signs the origin it is talking to, so a login relayed through the attacker’s domain fails at the real site, which is not true of SMS or app-generated codes, which the proxy simply forwards.
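Two of the checks a site owner can run on its own access logs for exactly this, as an added Python example that is not from the post: it parses a constructed access log (assumed to be the common “combined” format with the request’s Origin and Cookie headers appended as two extra quoted fields), flags requests whose Origin or Referer names a host the site is not served under, and flags client addresses that present several distinct session cookies within a few minutes, which is how a proxy looks from the back end. The hostnames bank.example.com and bank-example-secure.com, the SESSION cookie name, the sample addresses and the thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Hostnames the site is legitimately served under (assumed).
LEGIT_HOSTS = {"bank.example.com", "www.bank.example.com"}

# Assumed log format: Apache/Nginx "combined" plus two extra quoted fields,
# the request's Origin header and its Cookie header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)" "(?P<cookie>[^"]*)"$')

# Constructed sample traffic. 198.51.100.9 behaves like a phishing proxy:
# several sessions from one address, browser headers naming a look-alike
# domain. 192.0.2.5 is a benign NAT gateway with two users behind it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:09:00:01 +0000] "POST /login HTTP/1.1" 200 512 "https://bank.example.com/login" "Mozilla/5.0" "https://bank.example.com" "SESSION=a1"
198.51.100.9 - - [10/Mar/2016:09:00:05 +0000] "POST /login HTTP/1.1" 200 512 "https://bank-example-secure.com/login" "Mozilla/5.0" "https://bank-example-secure.com" "SESSION=b2"
192.0.2.5 - - [10/Mar/2016:09:00:30 +0000] "GET /account HTTP/1.1" 200 2048 "https://www.bank.example.com/" "Mozilla/5.0" "-" "SESSION=n1"
198.51.100.9 - - [10/Mar/2016:09:01:12 +0000] "POST /login HTTP/1.1" 200 512 "https://bank-example-secure.com/login" "Mozilla/5.0" "https://bank-example-secure.com" "SESSION=c3"
192.0.2.5 - - [10/Mar/2016:09:02:00 +0000] "GET /account HTTP/1.1" 200 2048 "https://www.bank.example.com/" "Mozilla/5.0" "-" "SESSION=n2"
198.51.100.9 - - [10/Mar/2016:09:03:40 +0000] "POST /login HTTP/1.1" 200 512 "https://bank-example-secure.com/login" "Mozilla/5.0" "https://bank-example-secure.com" "SESSION=d4"
198.51.100.9 - - [10/Mar/2016:09:04:02 +0000] "GET /account HTTP/1.1" 200 2048 "https://bank-example-secure.com/login" "Mozilla/5.0" "-" "SESSION=d4"
"""


def _session_id(cookie_header):
    """Value of the SESSION cookie (assumed name), or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSION":
            return value
    return None


def _header_host(url):
    """Hostname from a Referer/Origin value; None if absent ('-')."""
    return urlparse(url).hostname if url and url != "-" else None


def parse_log(text):
    """Parse matching lines into dicts with a datetime and session id."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["session"] = _session_id(e["cookie"])
            entries.append(e)
    return entries


def foreign_origin_hits(entries):
    """Signal 1: Origin or Referer names a host we do not serve. A plain
    ADC forwards those headers as the victim's browser sent them.
    Returns {client_ip: {foreign_host, ...}}."""
    hits = defaultdict(set)
    for e in entries:
        for host in (_header_host(e["origin"]), _header_host(e["referer"])):
            if host and host not in LEGIT_HOSTS:
                hits[e["ip"]].add(host)
    return dict(hits)


def session_fan_in(entries, window_seconds=300, min_sessions=3):
    """Signal 2: one client IP presenting >= min_sessions distinct session
    cookies inside a sliding window. Returns {ip: peak_distinct_sessions}."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["session"]:
            by_ip[e["ip"]].append((e["time"], e["session"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        live, start, peak = Counter(), 0, 0
        for t_end, sess in events:
            live[sess] += 1
            while (t_end - events[start][0]).total_seconds() > window_seconds:
                old = events[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak >= min_sessions:
            flagged[ip] = peak
    return flagged


def assess(entries):
    """Combine both signals: fan-in plus foreign headers is 'high',
    either alone is 'medium' (a NAT gateway alone can fan in)."""
    origins, fan_in = foreign_origin_hits(entries), session_fan_in(entries)
    verdicts = {ip: ("high" if ip in origins and ip in fan_in else "medium")
                for ip in set(origins) | set(fan_in)}
    return verdicts, origins, fan_in


if __name__ == "__main__":
    verdicts, origins, fan_in = assess(parse_log(SAMPLE_LOG))
    for ip, level in sorted(verdicts.items()):
        print(ip, level, sorted(origins.get(ip, [])), fan_in.get(ip, 0))
```

Neither signal is conclusive on its own: corporate NAT gateways fan in legitimately, and a careful attacker can configure the ADC to rewrite Origin and Referer before forwarding. Together, and alongside the out-of-band checks (certificate transparency, look-alike domain monitoring), they are enough to open an investigation.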

Cyber Attack Defenders