- \n
- Ransomware <\/em><\/li>\n
- Return and use of macros<\/em><\/li>\n
- Mirai botnet and the \u201cBotnet of Things\u201d attack<\/em><\/li>\n
- \u201cOilRig\u201d campaign<\/em><\/li>\n
- \u201cShamoon 2\u201d attacks<\/em><\/li>\n
- Yahoo: biggest breach of one source to date<\/em><\/li>\n
- Russian gang amass of 1.2B credentials<\/em><\/li>\n<\/ul>\n
I won\u2019t use this blog post to repeat the many details we\u2019ve already published from the year<\/a>. But I do want to reiterate the good news that I repeated to the audience at CDANS, and even more with the latest release of our PAN-OS 8.0<\/a>: you, too, have automation<\/em> available to protect your data and your network assets. (More on that later.)<\/p>\n
Late in 2016, I commissioned a study of how the U.S. federal government is using automation to improve all aspects of its attack mitigation processes \u2013 from external threat intelligence consumption to what security sensors and capabilities are doing to help. The results, published in MeriTalk\u2019s \u201cPedal to the Metal\u201d<\/strong><\/a> report, were in some ways disappointing, yet were informative in where I feel Palo Alto Networks can help.<\/p>\n
Here are some highlights:<\/p>\n
- \n
- Fewer than half of U.S. federal agencies guard against emerging and critical attack vectors, increasingly used as attack entry points.\n
- \n
- Most focus on traditional entry points (mail server, internet gateway, web)<\/li>\n<\/ul>\n<\/li>\n
- 55 percent say their agency is currently not automatically<\/u> correlating threat campaign information from different locations<\/u><\/em>\n
- \n
- 30 percent do so manually, and<\/li>\n
- 25 percent don\u2019t do it at all<\/li>\n<\/ul>\n<\/li>\n
- When faced with a new (unknown) threat\u2026\n
- \n
- A low 15 percent can create <\/em>new protections within a few minutes (over a third still take days to take any action)<\/li>\n
- Only 17 percent can distribute<\/em> new protections within a few minutes<\/li>\n<\/ul>\n<\/li>\n
- Security operations teams ingest an average of 25 external threat feeds daily\n
- \n
- 47 percent: Still purchase feeds only consumed via email<\/li>\n
- 72 percent: Few hours to a few days to assess presence of unique threat and determine whether actionable<\/li>\n
- 81 percent: Few hours to a few days to create actionable changes in security posture to protect against a new threat received from external sources<\/li>\n<\/ul>\n<\/li>\n
- Security operations teams are allocating skilled and limited resources on tasks that can be automated<\/li>\n<\/ul>\n
Most don\u2019t need more<\/em> data (or people to review it) but the ability to make faster decisions <\/em>from the data they have. But do they understand that?<\/p>\n
As Einstein said, \u201cWe cannot solve our problems with the same thinking we used when we created them.\u201d It\u2019s time to embrace innovations in automation, just as we\u2019re seeing governments now slowly but surely embrace the cloud. Reduce time to act on anything new hitting your networks. Your goal with today\u2019s technology should be under five minutes for new protection to be created and deployed. This could be malware signature creation, detecting and blocking new IP addresses and domains associated with command-and-control infrastructure. When it comes to exploits, they can be stopped immediately \u2013 don\u2019t settle for anything less.<\/p>\n
For government, these changes may seem like radical departures but keep in mind that you can start with incremental change to a long-term goal. Don\u2019t be overwhelmed. Perhaps start with one aspect of your network with:<\/p>\n
- \n
- Security focused on one location that\u2019s more vulnerable<\/li>\n
- Security focused on one aspect of the threat<\/li>\n
- Security focused on one attack vector (internet gateway, north\/south into your data center, east\/west traffic within your data center, Office 365 and Azure environments, your use of SaaS applications, etc.)<\/li>\n
- Preventing phishing: You can detect if a link in an email is malicious, and then block connections to those sites.<\/li>\n
- Preventing stolen credentials: Now in PAN-OS 8.0, you can block authenticated lateral movement, using multi-factor authentication within the network, from adversaries trying to compromise a network.<\/li>\n
- Reduction of efforts and time to correlate and make actionable use of threat intelligence (from internal and external sources). With our MineMeld tool that\u2019s offered as freeware or supported as part of AutoFocus, you can even do correlation, de-duplication, and can create automatic blocklists from your threat intelligence feeds.<\/li>\n
- The people part of the equation. I still hear stories about teams refusing to work together. Resolve to improve teaming between those with security responsibility. Perhaps choose two teams to focus improved communication: start with network and IT security teams, later adding collaboration with DevOps, endpoint and other teams. And don\u2019t forget to include the ICS & SCADA teams, where applicable.<\/li>\n<\/ol>\n
For your OT environments, if your country doesn\u2019t have regulatory guidelines, use NERC CIPv5 as your baseline, and consider the Purdue model<\/a>.<\/p>\n
![\"pic_1\"]()
<\/span><\/div><\/a><\/p>\nI used a military analogy to which many can relate \u2013 regardless if you were ever part of an airborne mission or are a gamer. Looking out of that cockpit, traversing enemy territory, the timeliness (and accuracy) of the information that you receive is critical. Just as in the physical domain, every second counts in our cyber domain<\/em>. We don\u2019t have to repeat the mistakes of 2016. It is<\/u><\/em> possible to appropriately secure our data and networks \u2013 however we extend them from SaaS to public cloud to remote locations to support our troops, our government operations, and our citizen services.\u00a0 Let\u2019s use 2017 to reclaim control and use automation to our<\/u> <\/em>advantage <\/strong>\u2013 to reduce the risk to our governments and critical infrastructure and to ensure the resiliency of our digital way of life.<\/p>\n
To learn more about our other activities at CDANS 2017 this year, please visit:<\/p>\n
- \n
- CDANS 2017: Keeping Cybersecurity Skills Sharp With Cyber Range <\/a><\/li>\n
- Securing Our Networks with Women in Cyber<\/a><\/li>\n<\/ul>\n
And if you haven\u2019t had a chance, please read about all of the exciting enhancements we made in PAN-OS 8.0<\/a>.<\/p>\n
![\"\"]()
<\/a><\/h3>\nFederal Ignite '17 Security Conference: Washington, DC<\/h3>\n
- Securing Our Networks with Women in Cyber<\/a><\/li>\n<\/ul>\n
- CDANS 2017: Keeping Cybersecurity Skills Sharp With Cyber Range <\/a><\/li>\n
- Only 17 percent can distribute<\/em> new protections within a few minutes<\/li>\n<\/ul>\n<\/li>\n
- A low 15 percent can create <\/em>new protections within a few minutes (over a third still take days to take any action)<\/li>\n
- Return and use of macros<\/em><\/li>\n
![\"pic_1\"](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2017\/03\/Pic_1.png\")
<\/span><\/div><\/a><\/p>\n![\"\"](\"https:\/\/ignite.paloaltonetworks.com\/federal\/assets\/img\/masthead_federal.png\")
<\/a><\/h3>\n