Rapid Micro-segmentation using Application Rule Manager Recommendation Engine
Customers understand the need for micro-segmentation and benefits it provides to enhance the security posture within their datacenter. However, one of the challenges for a Security admin is how to define micro-segmentation policies for applications owned and managed by application teams. This is even more challenging especially when you have tens or hundreds of unique applications in your data center, all of which use different port and protocols and resources across the cluster. The traditional manual perimeter firewall policy modeling may not be ideal and may not be able to scale for the micro-segmentation of your applications as it would be error-prone, complex and time consuming.
NSX addresses the how & where to start micro-segmentation challenge by providing the built-in tool called Application Rule Manager (ARM), to automate the application profiling and the onboarding of applications with micro-segmentation policies. NSX ARM has been part of NSX, since the NSX 6.3.0 release but here we will talk about Application Rule Manager (ARM) enhancement, Recommendation Engine, introduced as part of NSX 6.4.0 release. This enhancement allows you to do Rapid Micro-segmentation to your data center application by recommending “ready to consume” workload grouping & firewall policy rules.
Recorded Future Gives Companies Single View, Analysis of Security Threats
The SaaS pushes as much of the work as possible to computing and the human on top of it "rides into victory."
Nuage Networks Q&A: The 5 Key Success Factors on your Digital Transformation Journey for the WAN and Beyond
Thanks to all who joined us for the Nuage Networks webinar: The 5 Key Success Factors on your Digital Transformation Journey for the WAN and Beyond. With over 20 SD-WAN solutions in the market it is increasingly difficult to select the right one. Nuage Networks provided an evaluation framework that can be used to not... Read more →
ExtraHop Makes its Security Status Official with Reveal(x)
Security has been ExtraHop customers’ top use case for its real-time analytics software.
Giving the Monkey a Smaller Club
Over at the ACM blog, there is a terrific article about software design that has direct application to network design and architecture.
What do monkeys and clubs have to do with software or network design? The primary point of interaction is security. The club you intend to make your network operator’s life easier is also a club an attacker can use to break into your network, or damage its operation. Clubs are just that way. If you think of the collection of tools as not just tools, but also as an attack surface, you can immediately see the correlation between the available tools and the attack surface. One way to increase security is to reduce the attack surface, and one way to reduce the attack surface is tools, reduce the number of tools—or the club.
The best way to reduce the attack surface of a piece of software is to remove any unnecessary code.
Consider this: the components of any network are actually made up of code. So to translate this to Continue reading
Trump Administration Considers a Nationalized 5G Network, Report Says
FCC Chairman Ajit Pai compared the proposal to a lead balloon made out of a Ford Pinto.
The problematic Wannacry North Korea attribution
Last month, the US government officially "attributed" the Wannacry ransomware worm to North Korea. This attribution has three flaws, which are a good lesson for attribution in general.It was an accident
The most important fact about Wannacry is that it was an accident. We've had 30 years of experience with Internet worms teaching us that worms are always accidents. While launching worms may be intentional, their effects cannot be predicted. While they appear to have targets, like Slammer against South Korea, or Witty against the Pentagon, further analysis shows this was just a random effect that was impossible to predict ahead of time. Only in hindsight are these effects explainable.
We should hold those causing accidents accountable, too, but it's a different accountability. The U.S. has caused more civilian deaths in its War on Terror than the terrorists caused triggering that war. But we hold these to be morally different: the terrorists targeted the innocent, whereas the U.S. takes great pains to avoid civilian casualties.
Since we are talking about blaming those responsible for accidents, we also must include the NSA in that mix. The NSA created, then allowed the release of, weaponized exploits. That's Continue reading
Apstra Adds Intent-Based Analytics to Its Operating System
It uses the same device agents for its intent-based networking.
Limited Time Only: Read our Springer/Nature Paper on Healthcare, Security, and Privacy
Last year, I was invited to contribute a paper to a special edition of the Health and Technology Journal published by Springer/Nature. The special issue addressed privacy and security, with a particular focus on healthcare and medical data. I’m happy to announce that now, for four weeks only, the publishers have made the whole issue available free.
From our accompanying blog post last July:
“The paper, “Trust and ethical data handling in the healthcare context” examines the issues associated with healthcare data in terms of ethics, privacy, and trust, and makes recommendations about what we, as individuals, should ask for and expect from the organisations we entrust with our most sensitive personal data.”
Although we can find several comprehensive and mature data protection frameworks around the world, current legal safeguards to not seem to prevent data controllers from indulging in:
- over collection
- insufficient care of personal data
- unexpected or unwelcome use
- excessive sharing
In my paper, I argue that a narrow focus on regulatory compliance can lead to a “checklist” mentality, obscure the real reasons why organisations should treat data with care and respect, and lead to poor outcomes for both the organisation and the individual. I Continue reading
Alphabet Unveils Cybersecurity Business Called Chronicle
Chronicle will use machine learning to help enterprises manage their data.
Palo Alto Networks Finds Attackers Who Dwell in Networks
A new application tracks a number of user and device behaviors to identify attackers.
Cisco Acquires HCI Company Skyport Systems
It sounds as if Cisco won't be using Skyport's hardware.
CenturyLink Secures Public WiFi Through Security Gateways
The company has 31 security gateways around the globe.
Amazon Web Services Scoops Up Security Startup Sqrrl
The startup spun out of the U.S. National Security Agency.
“Skyfall attack” was attention seeking
After the Meltdown/Spectre attacks, somebody created a website promising related "Skyfall/Solace" attacks. They revealed today that it was a "hoax".It was a bad hoax. It wasn't a clever troll, parody, or commentary. It was childish behavior seeking attention.
For all you hate naming of security vulnerabilities, Meltdown/Spectre was important enough to deserve a name. Sure, from an infosec perspective, it was minor, we just patch and move on. But from an operating-system and CPU design perspective, these things where huge.
Page table isolation to fix Meltdown is a fundamental redesign of the operating system. What you learned in college about how Solaris, Windows, Linux, and BSD were designed is now out-of-date. It's on the same scale of change as address space randomization.
The same is true of Spectre. It changes what capabilities are given to JavaScript (buffers and high resolution timers). It dramatically increases the paranoia we have of running untrusted code from the Internet. We've been cleansing JavaScript of things like buffer-overflows and type confusion errors, now we have to cleanse it of branch prediction issues.
Moreover, not only do we need to change software, we need to change the CPU. No, we won't get rid of branch-prediction Continue reading
Moreover, not only do we need to change software, we need to change the CPU. No, we won't get rid of branch-prediction Continue reading
5 Danger Points for Container Security
Because containers often exist for only a brief period of time, this reduces the “attack vector.”
Palo Alto Networks: IoT, 5G, & NFV Are Vulnerable to Security Threats
Check out the new Palo Alto Networks channel on SDxCentral for the latest in next-gen security for IoT, 5G, Cloud, and NFV.
IBM Finally Grows Revenue, Celebrates by ‘Marrying’ Salesforce
IBM’s cloud business brought in $17 billion in annual revenue in 2017.
Web Cache Deception Attack revisited
In April, we wrote about Web Cache Deception attacks, and how our customers can avoid them using origin configuration.
Read that blog post to learn about how to configure your website, and for those who are not able to do that, how to disable caching for certain URIs to prevent this type of attacks. Since our previous blog post, we have looked for but have not seen any large scale attacks like this in the wild.
Today, we have released a tool to help our customers make sure only assets that should be cached are being cached.
A brief re-introduction to Web Cache Deception attack
Recall that the Web Cache Deception attack happens when an attacker tricks a user into clicking a link in the format of http://www.example.com/newsfeed/foo.jpg, when http://www.example.com/newsfeed is the location of a dynamic script that returns different content for different users. For some website configurations (default in Apache but not in nginx), this would invoke /newsfeed with PATH_INFO set to /foo.jpg. If http://www.example.com/newsfeed/foo.jpg does not return the proper Cache-Control headers to tell a web cache not to cache the content, web caches may decide to cache Continue reading
SDxCentral’s Weekly Roundup — January 19, 2018
Comcast chooses AWS; Qualcomm puts up a fight against Broadcom; Maersk and IBM work with blockchain.