From The Founder’s Desk

Fighting Advanced Persistent Threat: Detection & Remediation

Bayshore Networks founder and CEO Francis Cianfrocca continues his series on APT, with contributions and edits from M. E. Kabay, at Kabay’s Infosec Perception website. The latest publication is titled “Fighting Advanced Persistent Threat: Detection & Remediation”, and can be found here.

Where the primary focus of the first article centered around understanding Advanced Persistent Threats and identifying potential options that might be considered for use in defense against them, part two focuses on detecting and mitigating these types of attacks. Three key strategies are offered that should be part of any plan:

In order to reliably detect APT behaviour as it happens, it is necessary to analyse network traffic at the stream level. The most effective approach to accomplishing this is to perform continuous inline analysis of all traffic on network links which access critical servers and information resources. This approach would be equally suitable for both enterprise networks and industrial supervisory control and data acquisition (SCADA) system networks.

The Bayshore Networks white paper “Advanced Persistent Threat: From Detection to Remediation” (available with simple registration) discusses three essential elements to consider for mounting an effective APT defence:

1- Establish a pervasive network presence (sometimes called a “secure network fabric”) which requires that a protocol-inspection capability be present on all links in a complex application structure.

2- Conduct deep protocol analysis, which requires a Layer-7 analysis of protocol streams, not just packet analysis. The stream inspectors must be able to isolate all elements of a data protocol, especially those containing data inputs from clients.

3- Incorporate heuristic baselining. The application inspection system must construct a rich and multidimensional baseline of the behavioural patterns of each application, and store the baseline in a database that can be continuously added to. The database is then used to detect anomalous behaviour in real time. The detected anomalies are often indicative of APT attacks in progress.
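The second and third elements above (Layer-7 stream inspection that isolates the client-supplied fields of a protocol, and a behavioural baseline used to flag anomalies in real time) can be illustrated on Modbus/TCP, one of the ICS protocols named elsewhere on this page. The following is an added example, not Bayshore's code or the white paper's: it assumes a hypothetical inline tap that hands the inspector (client IP, frame) pairs, covers only four Modbus function codes, and uses constructed sample addresses and frames.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

# Only these request types are inspected in this example; anything else is treated as malformed.
FUNC_NAMES = {3: "read_holding", 4: "read_input", 6: "write_single", 16: "write_multiple"}


@dataclass(frozen=True)
class ModbusRequest:
    client: str      # source IP of the request, as seen by the (hypothetical) tap
    unit_id: int     # Modbus unit identifier from the MBAP header
    function: int    # Modbus function code
    address: int     # first register addressed
    quantity: int    # number of registers touched


def parse_modbus_tcp(client: str, frame: bytes) -> ModbusRequest:
    """Decode MBAP header and request PDU at Layer 7; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(frame) - 6:            # MBAP length counts unit id plus PDU bytes
        raise ValueError("MBAP length does not match frame size")
    function, pdu = frame[7], frame[8:]
    if function in (3, 4):                  # read holding / input registers
        if len(pdu) != 4:
            raise ValueError("read request must carry address and quantity")
        address, quantity = struct.unpack(">HH", pdu)
        if not 1 <= quantity <= 125:        # protocol limit for a single read
            raise ValueError(f"read quantity {quantity} out of range")
    elif function == 6:                     # write single register
        if len(pdu) != 4:
            raise ValueError("write single must carry address and value")
        address, quantity = struct.unpack(">H", pdu[:2])[0], 1
    elif function == 16:                    # write multiple registers
        if len(pdu) < 5:
            raise ValueError("write multiple header truncated")
        address, quantity, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * quantity or len(pdu) != 5 + byte_count:
            raise ValueError("write multiple byte count inconsistent with payload")
    else:
        raise ValueError(f"function code {function} not inspected")
    return ModbusRequest(client, unit_id, function, address, quantity)


class HeuristicBaseline:
    """Learns which (client, unit, function) tuples touch which registers, then flags departures."""

    def __init__(self):
        self._seen = defaultdict(set)

    def learn(self, req: ModbusRequest) -> None:
        self._seen[(req.client, req.unit_id, req.function)].update(
            range(req.address, req.address + req.quantity))

    def anomalies(self, req: ModbusRequest) -> list:
        if req.client not in {client for client, _, _ in self._seen}:
            return [f"unknown client {req.client}"]
        key = (req.client, req.unit_id, req.function)
        if key not in self._seen:
            return [f"{req.client} never issued {FUNC_NAMES[req.function]} to unit {req.unit_id}"]
        novel = set(range(req.address, req.address + req.quantity)) - self._seen[key]
        return [f"registers outside baseline: {sorted(novel)}"] if novel else []


def inspect(baseline: HeuristicBaseline, client: str, frame: bytes) -> tuple:
    """Verdict for one frame: ('ok' | 'anomaly' | 'malformed', detail)."""
    try:
        req = parse_modbus_tcp(client, frame)
    except ValueError as err:
        return ("malformed", str(err))
    reasons = baseline.anomalies(req)
    return ("anomaly", "; ".join(reasons)) if reasons else ("ok", FUNC_NAMES[req.function])


def build_frame(tid: int, unit_id: int, function: int, address: int, arg) -> bytes:
    """Construct a Modbus/TCP request frame (sample data for this example only)."""
    if function == 16:
        pdu = struct.pack(">BHHB", function, address, len(arg), 2 * len(arg))
        pdu += b"".join(struct.pack(">H", v) for v in arg)
    else:
        pdu = struct.pack(">BHH", function, address, arg)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def run_demo() -> list:
    """Learn from a constructed HMI polling pattern, then inspect five later frames."""
    hmi = "10.0.0.5"                        # constructed sample address
    baseline = HeuristicBaseline()
    for tid in range(3):                    # learning window: poll registers 0-9, write register 100
        baseline.learn(parse_modbus_tcp(hmi, build_frame(tid, 1, 3, 0, 10)))
        baseline.learn(parse_modbus_tcp(hmi, build_frame(tid, 1, 6, 100, 1)))
    later = [
        (hmi, build_frame(10, 1, 3, 0, 10)),                         # same poll as during learning
        (hmi, build_frame(11, 1, 6, 200, 0)),                        # write to a register never baselined
        (hmi, build_frame(12, 1, 16, 0, [1, 2])),                    # function never seen from this client
        ("10.0.0.99", build_frame(13, 1, 3, 0, 10)),                 # unknown source
        (hmi, b"\x00\x0e\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),  # protocol id 1: not Modbus
    ]
    return [inspect(baseline, client, frame) for client, frame in later]


if __name__ == "__main__":
    for verdict, detail in run_demo():
        print(f"{verdict:9} {detail}")
```

The point of the design is that the parser only exposes the fields that matter (who asked, which unit, which function, which registers) and the baseline is keyed on exactly those, so a write that rides on perfectly legitimate, well-formed traffic is still caught because the client has never written that register before; in a real deployment the learning window would be bounded and the baseline stored so it can keep being extended, as the third element above describes.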

Read the whole article HERE.

Fighting Advanced Persistent Threat, Analysing the Options

Founder and CEO Francis Cianfrocca has written a paper titled “Fighting Advanced Persistent Threat: Analysing the Options” which was recently published, with contributions and edits from M. E. Kabay, at Kabay’s Infosec Perception website.

The paper takes a much-needed closer look at Advanced Persistent Threat, or APT, which “has received a great deal of attention in recent months”. The reason for this, according to the paper, is “due, in large part, to a spate of highly-publicized successful attacks against the information assets of major enterprises and corporations. Much of the recent focus on APT has come as a result of the RSA breach, believed to be an APT-style attack, which led directly to a handful of serious attacks ‘down-line’ within several of RSA’s major enterprise customers”:

“Most approaches to firewalling (selective blocking and/or modification of traffic at the network level) are aimed at detecting and blocking unauthorized traffic. The strategy for APT firewalling is necessarily different, however, because it aims to detect threats that use legitimate traffic.

The current approach is to detect a breach and shut down compromised endpoints or inhibit the foot-printing and attack activities against the applications themselves.[7] Remediation through endpoint clean-up is favoured by most of the relatively few organizations that are seriously addressing this problem because it’s simple and straightforward; periodic sweeps of the endpoints in a network seek to identify computers in which critical system files have been modified or rogue processes are running and, if found, these hosts are taken offline and rebuilt or replaced.[8]

Although straightforward, this approach is fundamentally reactive; it relies on static analysis, and operates out of band.[9] A better approach is to combine endpoint analysis with a proactive approach that can detect APT behaviour in real time and selectively report, obfuscate, or even block the behaviour.”

Read the whole article HERE.

Founder’s Desk: May 9, 2011

Since Bayshore launched our SingleKey Industrial Edition earlier this year, we have been enjoying very strong interest from ICS customers – from power distribution to building automation, utilities, and other highly sensitive sites. SCADA security solutions are nothing new; several private companies have been marketing their ICS security solutions for several years. But they have had limited success because their solutions are based on traditional Layer 2 and Layer 3 security technologies, which are neither very flexible nor very useful in securing the industrial control environment.

Bayshore’s SingleKey Industrial Edition, however, leverages the core Layer 7 application protection technologies of our flagship products in the enterprise market while adding support for SCADA and other ICS protocols such as Modbus and C 12.19. In the defense vertical, where we have had many years of success, mission-critical customers have been shown to need a Layer 7 application firewall from Bayshore because existing Layer 3 products from Cisco and Juniper are powerless against the APTs that targeted Google last year and, more recently, RSA. The same applies to ICS security, where the Layer 2 and Layer 3 security products from a handful of legacy SCADA security vendors are very ineffective in defending against the next Stuxnet.

Founder’s Desk: April 28, 2011

Is the cloud ready for prime time? Not the current cloud services that are being offered by Amazon, Google, Microsoft, and so on. The recent outage at Amazon will make enterprises even more cautious in moving mission-critical applications to the cloud. And we agree with both the Gartner and Forrester analysts, who argue that security is a bigger cloud-related concern than performance and uptime for large enterprise customers.

Is the enthusiasm around cloud computing justified? We think it is, because of the significant flexibility, manageability, productivity, and cost advantages associated with cloud computing. But up until now, leading cloud service providers have paid very little attention to security in their cloud data centers. Anyone who has had a conversation with Amazon’s EC2 folks would agree with that. In addition to the Amazon outage, Sony announced that it had to shut down its online gaming and entertainment network because the personal information of 77 million users was breached by a targeted attack. Online gaming is probably the most pervasive cloud application in the world, particularly in Asia, where people spend very serious money trading virtual goods amongst each other. And there are lingering security issues with Google Apps’ deployment at the L.A. Police Dept.

So – are we beginning to lose trust in the cloud, from enterprises to consumers to government agencies?

Founder’s Desk: April 25, 2011

A recent piece over at the Forbes Blogs (CIO Network) brings to light something we’ve been saying here at Bayshore Networks for a very long time: existing security products do not work!

As the authors rightly point out, security is already a $40bn-a-year industry and, by some estimates, it continues growing at a rate of almost 10% a year. Growth is not the problem, however.

The problem is in continuing to throw money at things that don’t make us any more secure. It was only a very few years ago that we were talking, almost exclusively, about just credit cards and identities yet now we are talking about national security being at stake.

The industry tends to chase the next hot private company. Palo Alto Networks has gotten a lot of credit in the last 12 months for evangelizing the ‘Next Generation Firewall’, but when you look deep into NGFW, it is just the same old same old: an enterprise firewall fully integrated with network IPS and rudimentary application classification and bandwidth management features. It might let you stop YouTube but allow IM. But would NGFW stop Stuxnet, the Google attacks, the RSA breach and other APTs? NO, NO, NO, and NO.

Our high-end customers agree: the Bayshore Layer 7 Application Firewall appears to be the only product out there that can stop APT attacks from causing loss of critical intellectual property. NetWitness and some other high-end monitoring tools can tell you some bad guys are already inside, but Bayshore is the only one who can block the actual insider attacks on mission-critical applications.

A link to the Forbes article can be found HERE.

Founder's Desk: April 21, 2011

Cyber Security Spending Will Remain a Priority:

In light of the current budget and federal deficit debate in Washington and President Obama’s proposal to cut the defense budget by $400 billion over the next 12 years, there are a lot of questions around how the cyber security budget will be affected. According to the research firm Input, IT security spending by the federal government will grow to $13.3 billion in 2015 from $8.6 billion in 2010, an annual growth rate of 9.1%. How much of this growth will be impacted (if at all) by the possible budget cut?

We found a recent interview with Sen. Tom Carper, Chairman of the Homeland Security Subcommittee with jurisdiction over cyber security, quite interesting and promising for Bayshore Networks as we provide Actual Security and Safety for critical infrastructure, not just Compliance.

Key highlights:

Founder's Desk: April 13, 2011

To all utility companies in the U.S.: It is time to take industrial control security seriously before it is too late. In a stunning survey of 291 IT professionals employed in the utility and energy industries by the Ponemon Institute, less than half believe security is “strategic across the enterprise”, and they typically spend almost 10 times as much on physical security as on IT security. Have they heard what Stuxnet did to the nuclear facilities in Iran? If it happened to the Iranians, it could well happen to us in the U.S. Some argue that industrial control networks are mostly offline (not connected to the Internet) and are therefore less vulnerable. But Stuxnet did not get into the Iranian nuclear plant via the Internet; it got in via a USB drive instead. And all utilities are undergoing major efforts to bring their networks into the 21st century by connecting them to IP networks, which would make them even more vulnerable.

From the Founder's Desk: April 4, 2011

The Security Industry was rocked recently when it was reported that EMC’s RSA security division was hacked and data about its critical security technology was stolen. Last Friday RSA provided more details and an explanation of its SecurID® breach in a blog posting at their website.

We agree with RSA that a new defense doctrine, one that does not rely on Layer 3 perimeter and endpoint security, will be necessary to defend against future attacks like this latest targeted attack at RSA. The truth is, large organizations cannot prevent one or two employees from inadvertently opening a malicious attachment which, in RSA’s case, was a simple phishing attack designed to disguise a more nefarious APT attack. Like Stuxnet, RSA’s hackers used a simple way to get in, and the reality is that large organizations have to assume the bad guys are already inside. In order to protect their mission-critical digital assets (such as the secret sauce of RSA’s SecurID®), they need to deploy multi-protocol Layer 7 application firewalls. This is the cleanest way to protect important applications without deploying company-wide authorization, which is very difficult and costly to accomplish.

The critical nature of enterprise security is fast becoming a fiduciary duty for Boards of Directors and CEOs, as Oracle President Mark Hurd recently pointed out. As important as this might be to shareholders, companies also have a duty and a responsibility to our fellow citizens. As we confront the increasingly sophisticated nature of these APT-style attacks (and others), any network run by an industrial enterprise is no longer just a corporate asset, but also a focus of national security.

From the Founder's Desk: March 30, 2011

It took Detroit almost 20 years to fix their quality problems. How long will it take the largest security vendors to do the same? Last week it was RSA, this week it’s McAfee…

The biggest security vendors are facing very serious credibility issues with their customers. We know, and have been saying, that Layer 3 security products from incumbent security vendors simply don’t work for customers. It is becoming clear that the same products that generate billions of dollars of revenue for the incumbent security vendors are useless in defending the security vendors’ own networks! So, what have they been selling all these years?

The $30 billion-dollar cyber security industry is facing its biggest credibility test. As an emerging player with the industry’s leading Layer 7 security platform, Bayshore Networks is urging the largest players such as McAfee, RSA, Cisco, Symantec, and Juniper to take a hard look at their security product portfolio and start selling products that can actually secure the networks and applications. Perhaps they can start from their own networks, and deploy Layer 7 security internally.

Detroit finally did it, with a visionary CEO (at Ford) and two government bailouts (at GM and Chrysler). Let’s hope our industry can do much better than that.

Full Network World article here.

From the Founder's Desk: March 28, 2011

ICS-CERT, the Industrial Control Systems Cyber Emergency Response Team (which operates under the DHS umbrella), issued security vulnerability alerts that could potentially impact hundreds of thousands of SCADA industrial controllers/sensors at power plants and other civil infrastructure. ICS-CERT went one step further and recommended that “Users minimize network exposure for all control system devices. Control system devices should not directly face the Internet”.

Bayshore Networks SingleKey™ Industrial Edition is currently in POC deployment at U.S. government agencies to secure our nation’s critical civil infrastructure. SingleKey™ IE is a Layer 7 firewall custom-built for SCADA environments and can protect the interfaces between IP networks and non-IP industrial control networks. We are working with security researchers, academics, industrial conglomerates, and government agencies to set the initial security standards and best practices for securing industrial control networks. We believe a network-based approach (using the SingleKey™ IE Layer 7 firewall) provides the most flexible and scalable architecture for securing the SCADA infrastructure. In contrast, a host-based approach (such as the one proposed by McAfee, using embedded software on the sensors/controllers) requires software updates on the decade-old controllers/sensors in the field and could create a huge headache for the very thin IT staff at the power plants and other civil agencies.