Archive for the ‘Security Connected’ Category

Connected Cars: How One Vulnerability Can Turn Cybercriminals into Backseat Drivers

August 4th, 2017

Whether it’s turning the music up a little or turning down the AC – when you’re in your own car, you’re the driver in all senses of the word. Well, usually. Now, with the recent boom in connected cars, cybercriminals may soon be backseat drivers, only they’re not issuing commands from the back row. They have the capability to remotely track you as you drive, or even take control of the settings, all due to this recent explosion of connected cars — and the vulnerabilities within those cars that have yet to be addressed.

Our Advanced Threat Research (ATR) team addressed these vulnerabilities in preparation for this year’s DEFCON, a cybersecurity conference held annually in Las Vegas that brings together the best and the brightest to poke and prod new technologies and to discover and document vulnerabilities. Vulnerabilities in connected cars are a particularly severe issue, especially as internet-connected and semi-autonomous vehicles become commonplace.

The first vulnerability explored, which our team disclosed before DEFCON, allowed a test ransomware attack. The simulated ransomware attack didn’t disable the car; it made being around the car a chore by playing a popular ’80s song at full volume until the target paid the ransom.

Another newly discovered (and since fixed) vulnerability found by our research team allowed them to make their way into the car’s navigation system. There, they were able to find the web address the car used to check in with its manufacturer for navigation. As it so happens, the manufacturer no longer owned the domain — enabling our team to set up a honeypot site for any car that wanted to check in to the manufacturer’s site. Our ATR team was surprised to see a number of cars check in. Not only that, but a number of vehicles gave their geographic location, their current navigation destinations, the GPS coordinates of waypoints and even the names of those waypoints.

That’s not all. Our team was also able to execute code through the S-Gold 2 (PMB 8876) cellular baseband chipset — a component a car uses to communicate with either the internet or a manufacturer’s intranet (an intranet being, essentially, a private internet). Naturally, our ATR team notified the relevant manufacturers of these issues, and a fix has been issued.

All of these vulnerabilities may sound concerning, but their public disclosure is actually a good thing. Since we notified Nissan and BMW of the S-Gold 2 vulnerability, we have been told that a free fix has been issued to their dealers and is available now to all affected customers in the U.S. and Canada. It’s important that both manufacturers and their drivers become aware of these issues and take the necessary steps to keep their vehicles secure. To help keep your vehicle safe as a driver, follow these security tips:

  • Do your research before you buy. Conduct a quick scan online to see if any security issues have been reported with a car and its technology. That way, when looking to purchase your next car, you’ll be educated on the issues and buy with security in mind.
  • Check online notices. When made aware of vulnerabilities, manufacturers will notify the public, as well as make them aware of incoming fixes. Therefore, scan technical service bulletins or notices on a company site so that if a vulnerability does pop up with your existing car, you can learn what to do to help your vehicle stay secure.

And, of course, stay on top of the latest consumer security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Connected Cars: How One Vulnerability Can Turn Cybercriminals into Backseat Drivers appeared first on McAfee Blogs.

Posted in Consumer Threat Notices, cybersafety, Security Connected | Comments (0)

New Versions of Cloud Workload Discovery and McAfee MOVE AntiVirus Now Available!

April 20th, 2017

As part of our continued enhancements to our server security solutions, Cloud Workload Discovery 4.5.1 was released on March 27, 2017, and the McAfee MOVE AntiVirus 4.5.1 release followed on April 20, 2017. These solutions have some valuable new features and benefits that I’d like to share with you.

Cloud Workload Discovery 4.5.1

Let’s start with Cloud Workload Discovery 4.5.1. Cloud Workload Discovery, covering VMware, OpenStack, AWS and Microsoft Azure, provides end-to-end visibility into cloud workloads and their underlying platforms. You can get an in-depth description of Cloud Workload Discovery in our previous blog, “New Server Security Release Makes Borderless Cloud Security a Reality”. Prior to version 4.5.1, Cloud Workload Discovery was available to work with two of Intel Security’s antivirus solutions, McAfee VirusScan Enterprise and McAfee MOVE AntiVirus.

Cloud Workload Discovery 4.5.1 extends visibility to McAfee Endpoint Security for AWS and Microsoft Azure workloads. McAfee Endpoint Security is a collaborative, extensible framework for protecting Microsoft Windows and Linux servers against zero-day exploits and advanced attacks. Now that Cloud Workload Discovery supports McAfee Endpoint Security, we are adding two of its modules, Threat Prevention and Firewall, to all three of our server security suites: McAfee Server Security Suite Essentials and McAfee Server Security Suite Advanced, for hybrid cloud protection, and McAfee Public Cloud Security Suite.

Threat Prevention scans for viruses, spyware, unwanted programs and other threats – automatically on user access, or on demand at any time. The Firewall module monitors communication between the computer and resources on the network and the Internet to intercept suspicious communications.

McAfee MOVE AntiVirus 4.5.1

McAfee MOVE AntiVirus is a key component of McAfee Server Security Suite Essentials and McAfee Server Security Suite Advanced. As part of the 4.5.1 release, McAfee MOVE AntiVirus can now protect Linux virtual machines in agentless deployments, including 64-bit versions of SUSE Linux Enterprise Server 12, Red Hat Enterprise Linux 7 and Ubuntu 14.04 LTS. This covers all the Linux distributions supported by VMware NSX 6.3. In addition, McAfee MOVE AntiVirus (Agentless) is now certified for VMware NSX 6.3, so customers can be sure that these solutions work seamlessly together.

Learn More

Here are some links for our server security suites and McAfee MOVE AntiVirus if you’d like to find out more about these solutions:

McAfee Server Security Suite Essentials

McAfee Server Security Suite Advanced

McAfee Public Cloud Server Security Suite

McAfee MOVE AntiVirus

McAfee and the Security Innovation Alliance: Together is Power

April 11th, 2017

New McAfee is here. We turn the page to the next chapter of this company’s story. It’s one we have written with customers, partners, and employees alike. It readies us to be even more focused and innovative than ever before, with a singular mission of protecting all that matters to those who matter most to us.

The McAfee Security Innovation Alliance team is committed to keeping the world safe from cyber threats. Read our pledge:

These Are 10 Cybersecurity Myths That Must Be Busted

April 6th, 2017

Cybersecurity was huge in 2016. From ransomware to weaponized Internet of Things (IoT) devices to foreign hacking of elections – last year saw it all. But many of these threats aren’t new and will never really go away. Over the last 25 years, one of the most valuable things I’ve learned in attending conferences and talking to cybersecurity experts around the world is that one of the greatest weapons we have to prevent cyber attacks is our own mindset.

My column has previously touched on the importance of online hygiene and why you should think of your online activities like eating. This post will cover some misconceptions about cybersecurity itself. There are many cybersecurity myths, but an accurate understanding of these 10 is critical to your cyber posture as an individual, as a business, or as a government.

1. “Cyber risk” is a separate category of risk. There’s no such thing as “cyber risk” – it’s risk. It’s the same risk that encompasses everything from protecting intellectual property to competitiveness and the safety of personnel, and it needs the same level of attention from the board of directors and the executive team. The concept of cybersecurity risk isn’t useful by itself, and treating it as a separate form is a distraction you can’t afford.

2. Cybersecurity is just an IT issue. Earmarking online threats as something for the IT department is one of the best ways to help those threats proliferate. It’s important to remember that cybersecurity cuts across departments and is the same regardless of the IT implementation or vertical. Once information is digitized, everything from accuracy, privacy and availability to integrity needs to be protected. Cybersecurity requirements are paramount across an organization, from the data center to the branch office and mobile device.

3. Protecting yourself is good enough. Organizations must be aware of others in their community and how they’re acting when it comes to cybersecurity questions. Some of the biggest headline-grabbing breaches of recent years involved third parties or organizations subordinate to the entity that was hacked. Everything in your ecosystem, from subcontractors to subsidiaries, vendors and accounting firms can be a threat vector. Security is only as strong as the weakest link, and sometimes that weak link is beyond your four walls.

4. Digital and physical security are separate systems. In today’s automated world, more and more devices, such as the elevator in your building and components in the public transit system, are getting connected and being controlled digitally. It’s now common for attackers to modify device software and potentially destroy physical infrastructure – at a minimum, creating tremendous inconvenience with potential catastrophic consequences.

5. Going back to paper (or disconnecting from the internet) minimizes risk. The unplugging approach can lead to many problems apart from the potential damage to efficiency and productivity. Disconnecting, implementing “air gaps” or going back to paper can actually increase vulnerabilities. One can’t know if paper copies of data have been illicitly copied or removed. Meanwhile, air-gapped and disconnected networks are harder to monitor because less logging takes place; also, due to the inconvenience, they’re not updated with security patches as often. Ironically, increasing your attack surface this way makes it easier for criminals to find the valuable information and strike unnoticed.

6. Getting hacked is an embarrassment. Many people hesitate to share their stories about getting hacked. This can be perceived as losing face, especially in Asian countries. However, it’s important to understand that everyone is vulnerable and it’s better to learn from one another by communicating. Unfortunately, there are only two types of organizations today: those that have been hacked and those that have been hacked but just don’t know it yet. Hiding a breach and letting it fester will only worsen the long-term damage.

7. Using antivirus software is enough. AV might have worked in 1997, but 20 years later it sure won’t. Hackers have found multiple ways to subvert antivirus software and hide their own attacks in a system, in many cases for an average of six months. With the advent of ransomware, the timeframe from infection to damage has become almost instantaneous. In today’s world of quick and persistent threats, a prevention mindset to mitigate both known and unknown threats is essential. AV is terribly outdated.

8. Cybersecurity is just a form of defense. Again, this is a shortsighted view of an essential resource and way of thinking. Security needs to be positioned as a strategic advantage, since it can boost efficiency and save money. Not only are security by design and by default important for protection, but creating an integrated implementation will enhance the usability of products and services and generate a competitive advantage. At a minimum, it will allow us to take back the many benefits ICT provides, in a safe and secure manner. Stop thinking of cybersecurity as merely a cost center and understand its value as a business enabler.

9. New features of IoT devices trump security. Security by design is becoming increasingly common in IoT devices. It basically means implementing features so devices can work and survive in a “zero trust” environment. Security should be integrated, automatic and transparent. Usability is key. You can’t expect people, especially elderly users, to jump through technical hoops to ensure security at the expense of productivity or efficiency.

10. You’ll never get attacked or breached. This kind of thinking – that it will never happen to me – is almost a guarantee that it will. It’s equally unwise to have total confidence in the strength of one’s security, and especially one’s security devices. There’s no such thing as perfect security – the key here is resilience. That’s the ability to take a hit and keep going, or, in certain cases of failure, to default to a protected state. You should architect security with a prevention-first mindset, and also view attacks as an opportunity to learn about vulnerabilities and grow stronger based on that knowledge.

This article was written by William H. Saito from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Stop using password manager browser extensions

March 22nd, 2017

It’s been over a year since I presented on LostPass at ShmooCon, and in that time, many more bugs have been found in password managers. The most severe of these are in browser-based password manager extensions such as LastPass.

Tavis Ormandy yesterday demonstrated a remote code execution on the latest LastPass version. This isn’t the first extremely severe bug he’s found in LastPass, either; there’ve been so many extremely severe bugs in LastPass it would be tedious to list them out. But LastPass isn’t alone: Keeper, Dashlane and even 1Password have had severe vulnerabilities that allowed attackers to steal all of the passwords in a user’s account without their knowledge.

This should be obvious to everyone who has been paying attention: browser-based password manager extensions should no longer be used because they are fundamentally risky and have the potential to have all of your credentials stolen without your knowledge by a random malicious website you visit or by malvertising.

When you use a browser extension password manager, you give attackers an API to interact with your password manager via JavaScript or the DOM. That’s how LostPass worked, and it’s how many of the new attacks work, too. Desktop-based password managers have no such access, as they require compromising the local machine first, which is much harder than visiting a webpage.

Your password manager extension du jour might not be as bug-ridden as LastPass, but it suffers from the same risk vector if it’s a browser extension. If you’re using it in a corporate environment to share passwords, only one user of many now needs to be attacked to steal all of your passwords via a previously undisclosed bug.

If you think criminals aren’t mining LastPass and others for bugs right now, you’re naive.

What password managers should you use instead?

Does this mean you should give up and not use a password manager at all? No, but the choice is trickier than these companies’ marketing would lead you to believe.

Desktop-based password managers

Any program that is not resident in your browser is safer than one that is. There are many choices in this category, and none of them suffers from the direct-access-via-JavaScript risk.

If you do use one, do not install the browser extensions. Copy and paste the passwords from the app into your browser. I use pass because it’s simple to understand for technical folks, but I have many friends who use KeePass. If you are buying a password manager from a company, you should ask to see the details of their latest source code security review. If they’re reluctant, maybe you should be reluctant to put the crown jewels of your company in their hands.

Copying and pasting passwords into the wrong place is not a large enough risk to justify using a risky browser password manager extension. If you accidentally paste one password in the wrong place, it is easy to change. If you get all your passwords stolen by a new bug, you’ll never even know, and you’ll have little to no recourse.

Built-in browser password managers

Every major browser now has a well-designed, built-in password manager that is easy to use. These are a nice choice if you dislike copying and pasting passwords into websites. All of them also offer mobile sync so you can have your passwords on the go. Since two-factor authentication is not available for these, use a very strong and unique passphrase.

I recommend non-technical users use the built-in password managers because they’re easy to use and plenty secure.

Literally anything else

An encrypted text file on your computer is safer than a browser extension password manager. Think of how it would be compromised: Someone would need to get at least user-level access to your computer and then either read it when it’s temporarily unencrypted, or wait for you to unencrypt it. That cannot be done by efficient attackers at scale. And if they’ve compromised your machine, you have bigger things to worry about.

The future

I don’t know if these browser extension password managers will ever improve enough for me to recommend them. The risk of having an attacker be able to directly interact with them is just too high. Many of them are for-profit companies that obviously have not invested a lot of resources in an in-depth audit of their source code, judging by the trivial bugs that researchers find in an hour.

TeamSIK’s excellent work on finding Android password manager bugs shows that the lack of security isn’t necessarily limited to browser extensions, but is rather a systemic issue in the password manager ecosystem. However, the increased risk of password manager browser extensions makes these vulnerabilities severe.

We need less of the “military grade encryption” marketing from them and more transparency around how often their code is audited, the results, and how they’ve fixed the vulnerabilities. Maybe then it’ll get better. But until then, avoid browser extension password managers.

This article was written by Sean Cassidy from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Smarter authentication makes mobile experiences more secure, user friendly

March 22nd, 2017

To make our lives easier, digital experiences have become much more interconnected, and the volume of personal data captured in the cloud is growing exponentially. While these trends make us more productive, they can also make security breaches much more damaging. Once a hacker gains access to one aspect of your digital life, he can easily reach across multiple applications and accounts, laying a path of destruction and heartache.

Today’s mobile and digital experiences need authentication strategies that keep up with the constantly changing digital ecosystem, and simple passwords are not enough.

Authentication must be fast, easy to use

Multifactor authentication strategies are growing in popularity, but the tradeoff between usability and security is a constant balancing act. If authentication solutions are not simple, quick and easy, users will find ways around them. And if they are not secure, hackers will quickly exploit weaknesses. Sophisticated smart authentication strategies are coming to market that are less visible and easier to use than messaging-based two-factor authentication approaches or biometrics. Approaches such as behavioral biometrics and adaptive authentication are leveraging data and sophisticated algorithms to create more secure and easier-to-use experiences.

Leveraging contextual data and behavioral biometrics to authenticate a user involves analyzing patterns to determine if they match behaviors exemplified by the account holder or if they correlate with known hacker activities. For example, if a device being used to access an app is in a location that is known to be a hotbed for hackers, instead of the home or office location of the account holder, access can be blocked or additional authentication could be required. Similarly, if a request to access an account does not originate from a phone connected to the registered user’s phone number, security could be tightened.

More sophisticated and secure authentication solutions

As with any security solution, the devil is in the details, and the industry has to stay one step ahead of the villains. Hackers can spoof phone numbers, so more secure solutions will identify specific devices with the device ID instead of simply the phone number. Also, more robust solutions will use GPS coordinates to pinpoint location instead of IP addresses, which can also be faked.

Even more sophisticated behavioral biometrics solutions use more granular and historical data to authenticate users. Tracking GPS movements to identify patterns and matching them with past behaviors will provide greater assurance that the same person is carrying a device. Tracking the time of day a user typically logs on to an app or service can also flag suspicious activity if access is requested at an unusual time. Even the way a certain application is navigated by the user or the frequency that features are used can be leveraged to authenticate account holders.

Tracking contextual and behavioral data is a great way to increase the confidence level that a user is who he says he is, but these methods are not foolproof. A user’s behaviors may change, but the user remains the same person – it is just that the risk of fraud is heightened.

This is where stepped-up or adaptive authentication enables improved security. If the system detects an anomaly in the user’s behavior or a heightened threat level is triggered, additional authenticators such as a one-time PIN (OTP) delivered by SMS could be requested before access is provided. With this type of system, users have to authenticate themselves only when patterns change, improving the user experience.
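The contextual signals and step-up flow described in the last few paragraphs, as an added example that is not from the original article; the user profile, device IDs, coordinates, usual hours, weights, thresholds and the "high-risk region" are all constructed assumptions:

```python
"""Risk-based (adaptive) authentication: decide ALLOW, STEP_UP or BLOCK.

Added example, not code from the original article. The profile, device IDs,
coordinates, usual hours and the "high-risk region" are all constructed.
Signals follow the article: enrolled device ID rather than phone number,
GPS distance from the user's usual location, time of day, and whether the
device sits in a region treated as hostile. STEP_UP means an additional
authenticator (here an SMS-style one-time PIN) is required before access.
"""
import hmac
import secrets
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Constructed policy values; tune them to your own false-positive tolerance.
W_UNKNOWN_DEVICE, W_FAR_AWAY, W_ODD_HOUR, W_RISKY_REGION = 40, 30, 20, 50
FAR_AWAY_KM = 500
BLOCK_AT, STEP_UP_AT = 80, 20

@dataclass(frozen=True)
class UserProfile:
    user_id: str
    device_ids: frozenset   # enrolled device IDs (harder to spoof than a phone number)
    home: tuple             # (lat, lon) of the user's usual location
    usual_hours: range      # local hours in which the user normally signs in

@dataclass(frozen=True)
class LoginAttempt:
    user_id: str
    device_id: str
    location: tuple         # GPS (lat, lon) reported by the device
    hour: int               # local hour of the attempt, 0-23

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def risk_score(profile, attempt, risky_regions):
    """Sum the contextual signals; returns (score, human-readable reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in profile.device_ids:
        score += W_UNKNOWN_DEVICE
        reasons.append(f"device {attempt.device_id} is not enrolled")
    dist = haversine_km(profile.home, attempt.location)
    if dist > FAR_AWAY_KM:
        score += W_FAR_AWAY
        reasons.append(f"{dist:.0f} km from usual location")
    if attempt.hour not in profile.usual_hours:
        score += W_ODD_HOUR
        reasons.append(f"sign-in at {attempt.hour:02d}:00 is outside usual hours")
    for lat, lon, radius_km in risky_regions:
        if haversine_km((lat, lon), attempt.location) <= radius_km:
            score += W_RISKY_REGION
            reasons.append("device is inside a region flagged as high-risk")
            break
    return score, reasons

def decide(score):
    if score >= BLOCK_AT:
        return BLOCK
    return STEP_UP if score >= STEP_UP_AT else ALLOW

def issue_otp(digits=6):
    """One-time PIN from a CSPRNG; deliver it out of band (e.g. SMS) and expire it quickly."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"

def verify_otp(submitted, expected):
    """Constant-time comparison so the check does not leak how many digits matched."""
    return hmac.compare_digest(submitted.encode(), expected.encode())

def authenticate(profile, attempt, risky_regions, otp_from_user=None, otp_expected=None):
    """Score the context first; ask for the OTP only when the pattern changed."""
    score, reasons = risk_score(profile, attempt, risky_regions)
    decision = decide(score)
    if decision == STEP_UP and otp_from_user is not None and otp_expected is not None:
        if verify_otp(otp_from_user, otp_expected):
            return ALLOW, score, reasons + ["one-time PIN verified"]
    return decision, score, reasons

# Constructed profile: one enrolled device, usual location near San Francisco, 07:00-19:00.
ALICE = UserProfile("alice", frozenset({"dev-A"}), (37.77, -122.42), range(7, 20))
RISKY_REGIONS = [(1.0, 1.0, 200.0)]   # constructed (lat, lon, radius_km); not a real hotspot

if __name__ == "__main__":
    for attempt in (LoginAttempt("alice", "dev-A", (37.78, -122.41), 9),   # expected: allow
                    LoginAttempt("alice", "dev-A", (40.71, -74.01), 9),    # expected: step_up
                    LoginAttempt("alice", "dev-X", (1.0, 1.0), 3)):        # expected: block
        print(authenticate(ALICE, attempt, RISKY_REGIONS))
```

The familiar device at the usual place and hour passes silently; a sign-in from across the country is challenged for the PIN; an unenrolled device inside the flagged region at 03:00 is refused outright.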

The age of the customer has made customer experiences almost more important than the products and services offered. This makes a smooth authentication experience vital to maintaining valuable customer relationships. Companies need to ensure that they effectively balance usability with security when authenticating users, and smarter authentication solutions are making it easier.

This article was written by Peter Crocker from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Looking for a UEBA Solution? Here Are Some Key Considerations Before You Buy

January 23rd, 2017

As you begin mapping out your security defense strategy for 2017, you’ve undoubtedly seen a relatively new acronym on your radar—UEBA, or User and Entity Behavior Analytics. This game-changing innovation promises to connect the dots of an attack to provide advanced levels of detection and to unify security. UEBA solutions accomplish this by taking into account users who are involved, the assets that are at risk, and how the attack is unfolding.

The first products in this market were called User Behavioral Analytics (UBA). Then in August of 2015 (1), Avivah Litan at Gartner introduced the term “entity” into the title, creating “user and entity behavioral analytics” (UEBA). This change came as vendors began to support machine learning and analytic models that tracked and risk-scored more than just user accounts. To understand and give context to risks and threats, vendors added the ability to visualize not just user accounts, but also machines and servers, files and other data assets, IP addresses, and even applications. These capabilities are critical to detecting and giving context to sophisticated threats, and they build on the capability to ingest and correlate multiple data classes. More importantly, the ability to calculate risk to critical files and assets creates a “data-centric” threat detection capability that answers questions like: what files or digital assets are under attack? What critical files or digital assets are located on highly risky machines? An analytics-based, data-centric view of risk complements DLP deployments and offers a new kind of threat visibility.

As with any emerging technology, it's risky to assume that all UEBA vendors offer the same level and range of capabilities. To help clear up the confusion, we interviewed Stephan Jou, Chief Technology Officer at Interset, an Intel Security Innovation Alliance partner. As a starting point, Stephan suggests some key criteria to consider as you investigate potential vendors.

Q. You stress the importance of scalability and having a true “Big Data” architecture in a UEBA solution. What should buyers look for?
A.
Just about every UEBA vendor today claims that they support Big Data and Hadoop, but we’ve seen scalability issues at some customer deployments. The open source, Java-based framework Hadoop does indeed support the storage and processing of large data sets in a distributed environment, but, on its own, it’s not a Big Data platform. Supporting only a few components of a Big Data platform, but not a complete set, will result in scalability issues and bottlenecks. You need to ask UEBA vendors to clearly explain their architecture and all its components. If you have access to a Big Data expert, have them review the vendor’s architecture. Finally, contact customer and analyst references and ask them about any scalability issues they might know of.

Q. Why is it critical for UEBA solutions to support multiple data classes?
A.
Today's UEBA solutions should support ingestion and correlation of multiple classes of data. Why? Because this will provide you with visibility and contextual understanding of threats across a broader threat surface, strengthening your detection capabilities. If the UEBA product can provide this capability, security analysts can quickly identify the attack, its target, and its methods. When you're evaluating a UEBA solution, ask the vendor which data classes are supported from which data sources and whether they are available out of the box. And, to avoid expensive customizations, make sure the product's analytic models work with your required data classes.

Q. Why is it important for a true UEBA solution to include analytics for both users and “other entities”?
A.
Early products in this market tracked only user behavior. Today, true UEBA solutions that incorporate machine learning and analytic models track both user accounts and computing resources, such as desktops, laptops, servers, files and other data assets, IP addresses, and even applications. This is critical to detecting and providing context around complex threats. By including entities, a UEBA solution can calculate risk to critical files and assets. This helps answer important questions, like “What files or digital assets are under attack?” and “What critical files or digital assets are located on highly risky machines?” When you’re looking at UEBA solutions, make sure that they support multiple entities and ask the vendor to demonstrate a risk score for each entity type.

Q. Why is mathematics so important in differentiating UEBA solutions?
A.
You’ll often see vendors tossing out sophisticated math terminology—like the Monte Carlo method, Gaussian profile estimation, and Recursive Bayesian Estimation—mostly to impress you. But really, what’s most important is how well their mathematical methods help you detect threats. The math used is important in three critical ways: it completely eliminates the need for rules and policies, it determines the accuracy and speed of detection, and it determines the breadth of entity visibility and threat detection coverage. When you’re reviewing UEBA products, be sure that the product does not require rules or thresholds—ever—and that it uses more than one type of math for machine learning and analytic detection. Also, the vendor should be able to explain the mathematical models and how they are applied to each type of threat or use case. Above all, ask vendors to prove their claims of use case coverage and detection accuracy. They should be able to run tests with your own data sets.

Q. When it comes to UEBA, why is having an extensible engine so important?
A.
Investing in a UEBA solution can significantly improve threat detection and response over the long term. The UEBA engine can literally become the automated threat detection brain of your security architecture if the analytics engine is extensible. This means it needs to cover multiple use cases and can be easily expanded to cover even more in the future—including unknown threats. How can you determine whether the solution is capable of this before you make a purchase commitment? Follow these four steps:

  • Share your threat detection and use case coverage roadmap with the vendor and find out if their roadmap matches yours.
  • Ask the vendor what it takes to add new use cases and whether they have ever done that previously.
  • Find out if the vendor has a repeatable process for threat coverage expansion.
  • Inquire as to whether customized projects around new data classes, new analytics, and new threats coverage are planned for future releases.
  • Finally, when selecting a UEBA product, ensure that the product supports multiple entities including user/account, machine/servers, files/digital assets, and application. Require that the vendor demonstrate a representation of each entity with associated risk scores – “most risky” report for each entity type.

(1) Gartner, "Market Guide for User and Entity Behavior Analytics", Avivah Litan, ID G00276088.

Stay up to date on the latest news and developments regarding the Intel Security Innovation Alliance. Subscribe to D.J. Long’s blog


Posted in DLP, Intel Security Partners, McAfee partners, Security Connected | Comments (0)

A New Year with No Patch Management Hangover

January 17th, 2017

The number of database and application vulnerabilities keeps growing. Testing and deploying vendor-issued patches is an ongoing, arduous process, and until IT staff can take business-critical databases and applications offline to apply a patch, those systems remain exposed. The longer that window of exposure stays open, the greater the security risk.

Traditional Patch Management Challenges

With the growth of vulnerabilities, many organizations struggle when using traditional patch management strategies for remediation.   Our new white paper from Aberdeen Group, “Beyond the Patch: Reducing the Risk of Database and Application Vulnerabilities” identifies the key shortcomings of traditional patch management that make remediation so painful:

  • Vendor patches may not be available
  • Vendor patching may not be possible or practical
  • Vendor patching is costly, time consuming and inconvenient
  • Vendor patching does not support up-to-date visibility into what’s happening in your environment

In fact, Aberdeen found that for a $100 million company with 100 database instances, vendor patching over the course of one year is likely to be complex and time consuming. Aberdeen's infographic gives more detail on the vendor patching issues that may affect your organization.

A Virtual Patching Strategy

This New Year you may want to try a different patch management approach. Compared with traditional vendor patching, virtual patching can be a highly effective strategy for addressing both the likelihood and the business-impact side of security-related risk. Aberdeen defines virtual patching as establishing a policy enforcement point, external to the resource being protected, that identifies exploit attempts before they reach their target. The vulnerable code itself is left unchanged; the virtual patch is a compensating control placed in front of it, so its protection is only as good as its ability to recognize the exploit traffic. Virtual patch management offers the following benefits:

  • Automatic updates since direct modifications to resources being protected are not required.
  • Reduced risk since virtual patching reduces the window of vulnerability when vendor patching is not available, not possible, not practical, or deferred to avoid cost and inconvenience.
  • Lower business impact, because virtual patching avoids the lost user productivity and lost revenue incurred while databases and applications are taken down for traditional vendor patching.
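The following Python sketch, added here as an illustration rather than taken from the Aberdeen paper or from McAfee's product, shows what an enforcement point external to the database does: it inspects each statement on its way to the DBMS, normalizes it so that trivial evasions (case, comments, whitespace) do not slip past a signature, and blocks or alerts on anything that matches a virtual patch rule. The rule identifiers, the procedure name sp_legacy_import and the sample traffic are all constructed and do not refer to any real vulnerability; the "monitor" mode models the usual practice of staging a new rule in alert-only mode before switching it to block.

```python
import re
from collections import namedtuple

# A virtual patch is a rule evaluated at an enforcement point in front of the
# database. These rules are constructed for illustration; the procedure name
# and the rule IDs are hypothetical and do not refer to a real vulnerability.
VirtualPatch = namedtuple("VirtualPatch", "id description pattern")

VIRTUAL_PATCHES = [
    VirtualPatch(
        "VP-EXAMPLE-001",
        "block calls to sp_legacy_import (hypothetical procedure with an unpatched flaw)",
        re.compile(r"\bsp_legacy_import\s*\("),
    ),
    VirtualPatch(
        "VP-EXAMPLE-002",
        "block stacked statements that chain a destructive or EXEC command",
        re.compile(r";\s*(drop|alter|truncate|exec|execute)\b"),
    ),
]


def normalize(sql):
    """Canonicalize a statement before matching so that case changes,
    comments and odd whitespace do not defeat a signature."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)   # block comments
    sql = re.sub(r"--[^\n]*", " ", sql)                 # line comments
    sql = re.sub(r"\s+", " ", sql)                      # collapse whitespace
    return sql.strip().lower()


def inspect_statement(sql, mode="block"):
    """Enforcement decision for one statement.

    mode="monitor" records the match but lets the statement through; that is
    how a new virtual patch is normally staged before it is set to block.
    """
    norm = normalize(sql)
    for vp in VIRTUAL_PATCHES:
        if vp.pattern.search(norm):
            action = "block" if mode == "block" else "alert"
            return {"action": action, "rule": vp.id, "reason": vp.description}
    return {"action": "allow", "rule": None, "reason": None}


# Constructed traffic: legitimate application queries and exploit attempts,
# including an evasion variant (mixed case, inline comment) of the same attempt.
SAMPLE_TRAFFIC = [
    "SELECT id, name FROM customers WHERE region = 'EMEA'",
    "UPDATE orders SET status = 'shipped' WHERE id = 1042",
    "EXEC sp_legacy_import('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')",
    "exec  SP_Legacy_Import /* hidden */ ( 'AAAA' )",
    "SELECT 1; DROP TABLE audit_log",
    "SELECT 1 -- harmless trailing comment",
]


def run_demo(mode="block"):
    """Run the sample traffic through the enforcement point."""
    return [(sql, inspect_statement(sql, mode)["action"]) for sql in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for sql, action in run_demo():
        print("%-6s %s" % (action, sql))
```

Note what this does and does not achieve: the flawed procedure is still present in the database, and any exploit encoding the normalizer does not understand (for instance an encoding the DBMS decodes itself) will pass the rule. That is the caveat to keep in mind when a virtual patch is used to cover a DBMS version the vendor no longer supports.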

A Virtual Patching Solution

McAfee Virtual Patching for Databases shields databases from the risk presented by unpatched vulnerabilities by detecting and preventing attempted attacks and intrusions in real time without requiring database downtime or application testing. This virtual patching solution also helps you continue to protect databases running old database management system (DBMS) versions that are no longer supported by the vendor, adding to the useful life of legacy databases and saving your organization time and money.

McAfee Virtual Patching Advantages

  • Gain protection from threats even before installing vendor released patch updates
  • Eliminate the need for IT and security teams to have deep DBMS knowledge
  • Keep production databases online, thanks to non-intrusive software design
  • Protect databases seamlessly with automatic distribution of ongoing updates
  • Facilitate compliance with standards such as PCI DSS, HIPAA, and others

Next Steps

Learn more about how McAfee Database Security can help you solve your traditional patch management challenges, and download our Aberdeen Group white paper, "Beyond the Patch: Reducing the Risk of Database and Application Vulnerabilities", for more detail on traditional patch management issues and virtual patching strategies.


Posted in database, Security Connected, virtual patching, Vulnerability | Comments (0)

It starts with architecture – DXL enhances the approach

November 16th, 2016

Today's digital world is drastically different from what it was 10 years ago, and arguably from what it was one year ago. The migration from on-premises to cloud solutions, mobility, IoT and client computing have all evolved, to name a few, and the innovations keep coming. Those innovations plague security professionals who are constantly trying to "keep up". The notion of doing more with less is exhausting. As a security professional, it's only a matter of time until the threats become too frequent, too malicious and overwhelming.

Many of the organizations we work with, both private and public, approach security tactically rather than strategically. Typically, organizations don't budget enough for quality talent to help ensure good security outcomes; instead of paying for "rock-star" talent, they settle for an individual with a security certification. As the late Steve Jobs put it, "A small team of A+ players can run circles around B or C players." Top-tier players are scarce and in more demand than ever before. Another option is to apply a different architectural model to the enterprise, one that enables the security teams rather than disables them.

Historically, the philosophy for protection has been to throw layer on layer and hope that one of the layers catches the bad guy. This is understandable because, frequently, we don't have enough people to address every potential security event. But the complexity becomes a chasm of consoles that makes it difficult to derive context quickly and accurately, and it is invariably more costly. For decades the approach has been to throw another technology on top of the last one while expecting a different outcome. Is that the definition of insanity? Perhaps. Now more than ever, we must think differently and approach the problem with an architecture rather than a sum of dysfunctional parts that work well on their own but not as a combined group of functions.

Consider an analogy from aviation, where safety is paramount. The industry defines a "Critical Area": the part of the airport that all aircraft, vehicles, persons and physical obstructions must keep clear of while an aircraft's instrumentation is in use, to prevent signal interference. This helps ensure the aircraft can land safely, without obstructions to the overall landing procedure. In other words, the Critical Area is a clear line of sight that reduces risk and ensures success in a critical window of time.

Figure 1: Critical Area for aviation – a defined architecture*

Can you apply the analogy of the Critical Area to security? Without a doubt. The Critical Area is a sum of parts and procedures. Similarly, a defined architecture allows different elements to be plugged in, so that the sum of the parts becomes better than the parts on their own. For example, the aircraft depends on the tower and on the runway, and each works better with the others within that architecture.

There is hope: such a security architecture exists, and it exists so that current security investments, which would otherwise be disparate in their approach, can be inserted into an adaptable security architecture. Its guiding principles are Protect, Detect and Correct, meaning that all security technologies can collaborate with one another, whether they come from one vendor or from a third party. The technologies can enhance each other's abilities, allowing for better protection, faster detection and much faster correction. The layered model, by contrast, is loaded with proprietary detection capabilities that generally cannot collaborate with other detection technologies unless an expensive connector has been built against each API. That layered model is slow and permeable; the rat in the maze finding the cheese is just a matter of time.

It DOES start with architecture.

McAfee Data Exchange Layer, DXL for short, is the enabling security messaging architecture that changes how we approach the fundamental problem of security tools and how they are implemented. DXL breaks down the silos between security technologies and allows them to collaborate seamlessly. Rather than individual integrations between individual applications and vendors, each app integrates with an abstraction layer: simple, fast, and agnostic to the proprietary architecture of the individual vendor. Through a publish/subscribe model, an app can be notified when data changes, or ask a question and get a quick answer, such as the answer to "is this safe or is this bad?" The DXL architecture matures the security approach and turns the various security tools into "plug-ins", which enhances their overall value to the business. And DXL is now open as OpenDXL, with a GitHub project for industry developers.
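To make the two interaction patterns in that paragraph concrete, here is a small in-process model of a messaging fabric, added as an example and written from scratch: it is not the OpenDXL client library or any McAfee code. A reputation service registers on a request topic and answers "is this safe or is this bad?" for a file hash; an endpoint asks it and then publishes a threat event; a SIEM collector and an enforcement tool receive that event through subscriptions without either of them having been integrated with the endpoint directly. The topic names, the hash values and the verdicts are constructed, and the trailing "#" wildcard convention is an assumption of this toy broker.

```python
from collections import defaultdict

# Constructed topic names and reputation data for illustration only; they are
# not OpenDXL's real topics or data. "#" as a trailing wildcard is an
# assumption of this toy broker.
TOPIC_REPUTATION = "/example/service/reputation/file"
TOPIC_THREAT_EVENT = "/example/event/threat/detected"
REPUTATION_DB = {
    "3f786850e387550fdab836ed7e6dc881de23001b": "known_good",
    "1e6d5d7bcf5e4ad6c3a9b04a6a2f8c3d2e1f0a9b": "malicious",
}


def topic_matches(pattern, topic):
    """Exact match, or prefix match when the pattern ends in '/#'."""
    if pattern.endswith("/#"):
        return topic.startswith(pattern[:-1])
    return pattern == topic


class Broker:
    """Minimal in-process model of a pub/sub fabric with request/response."""

    def __init__(self):
        self._subs = defaultdict(list)   # topic pattern -> subscriber callbacks
        self._services = {}              # request topic -> handler

    def subscribe(self, pattern, callback):
        self._subs[pattern].append(callback)

    def publish(self, topic, payload):
        """Fan an event out to every subscriber whose pattern matches; the
        publisher never learns who, or how many, received it."""
        delivered = 0
        for pattern, callbacks in self._subs.items():
            if topic_matches(pattern, topic):
                for cb in callbacks:
                    cb(topic, dict(payload))
                    delivered += 1
        return delivered

    def register_service(self, topic, handler):
        self._services[topic] = handler

    def request(self, topic, payload):
        """Point-to-point question with a synchronous answer."""
        handler = self._services.get(topic)
        if handler is None:
            return {"error": "no service registered for %s" % topic}
        return handler(dict(payload))


def reputation_service(payload):
    """Answers 'is this file safe or bad?' for a SHA-1 (constructed data)."""
    sha1 = payload.get("sha1")
    return {"sha1": sha1, "verdict": REPUTATION_DB.get(sha1, "unknown")}


def run_demo():
    broker = Broker()
    broker.register_service(TOPIC_REPUTATION, reputation_service)

    siem_log = []   # a SIEM collector records every event on the fabric
    blocked = []    # an enforcement tool acts only on malicious verdicts

    def enforce(topic, payload):
        if payload["verdict"] == "malicious":
            blocked.append(payload["sha1"])

    broker.subscribe("/example/event/#", lambda t, p: siem_log.append((t, p)))
    broker.subscribe(TOPIC_THREAT_EVENT, enforce)

    # An endpoint sees three files, asks the reputation service about each,
    # and publishes an event for anything not known good so other tools react.
    verdicts = {}
    for sha1 in list(REPUTATION_DB) + ["deadbeef" * 5]:
        answer = broker.request(TOPIC_REPUTATION, {"sha1": sha1})
        verdicts[sha1] = answer["verdict"]
        if answer["verdict"] != "known_good":
            broker.publish(TOPIC_THREAT_EVENT,
                           {"sha1": sha1, "verdict": answer["verdict"], "host": "ws-017"})

    unanswered = broker.request("/example/service/does-not-exist", {})
    return {"verdicts": verdicts, "siem_events": len(siem_log),
            "blocked": blocked, "unanswered": unanswered}


if __name__ == "__main__":
    print(run_demo())
```

The thing to notice is the shape of the integration: the endpoint knows one request topic and one event topic, the SIEM knows one wildcard pattern, and the enforcement tool knows one event topic. Adding a fourth tool means one more subscription, not one more pairwise connector.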

To conclude ask yourself some questions –

  • “Are we approaching the problem the same way?”
  • “Is our security staff tired of street fighting?”
  • “Is our security spending too high with little notable results?”

Changing the approach to security with architecture is the right path to generate better results, which will allow us all to keep our sanity. 

 *Critical Area – https://en.wikipedia.org/wiki/Critical_area_(aeronautics)


Posted in DXL, Neutralize Threats, openDXL, Optimize Operations, Security Connected | Comments (0)