Symtrex Inc.

Cyber Security Specialist


In Cybersecurity, the Network Doesn’t Lie

2015/03/27 by admin

Network World - Networking Nuggets and Security Snippets

By Jon Oltsik

In a recent ESG research report, enterprise security professionals were asked to identify the primary objectives associated with their organization’s network security strategy (note: I am an ESG employee). It turns out that 40% of organizations plan to move toward continuous monitoring of all assets on the network, while 30% plan to capture more network traffic for security analytics.

This data supports a general trend – many organizations are rapidly increasing their activities around network security data collection, processing, and analysis. Of course, this isn’t exactly news. Many enterprises have used security analytics tools based upon NetFlow for many years. Security analysts also have a history of including full-packet capture (PCAP) tools for their investigations. Many use open source software like TCPdump or Wireshark. NetWitness astutely recognized this use case a few years ago, built a successful business around PCAP collection analysis, and ultimately cashed in when RSA Security came calling.

Why all the security focus on the network? As the old network security adage states, “the network doesn’t lie.” Yes, networks may hold secrets within encrypted traffic, but network traffic analysis can inevitably expose the Tactics, Techniques, and Procedures (TTPs) used in cyberattacks. If you look at network traffic from Layer 2 through Layer 7 and understand the connections, protocols, metadata, and content contained in the packets, you have almost everything you need to detect and respond to cyberthreats.

Yup, organizations are already bolstering their network data collection, processing, and analysis, but in my humble opinion, we are just scratching the surface of this trend. I truly believe that network traffic analysis will increase precipitously over the next few years, driven by:

  • The use of packet-broker technology. Packet-broker technology from companies like Gigamon, Ixia, Netscout, and VSS Monitoring has become a staple within large enterprise and service provider networks. Security teams will likely take full advantage of packet brokers, as this type of overlay network can capture and route network data to centralized security analytics engines – a much more efficient method than installing probes, tapping into SPAN ports, or analyzing network data on a segment-by-segment basis.
  • SDN. As SDN proliferates, networks will come with basic packet broker technology built in. This too will encourage greater collection, centralization, and analysis of network traffic. SDN may also accelerate the integration of security analytics and network security infrastructure to automate remediation actions.
  • Cloud visibility. Aside from internal network security data, large organizations need similar visibility as they move more and more workloads to the cloud. Startups like Evident IO, Netskope, Threat Stack, and vArmour are intent on monitoring cloud activity while IBM, McAfee and Trend Micro are extending current products to place security eyes and ears in the cloud.
  • NIC innovation. Vendors like Emulex and Solarflare can capture and process data at the NIC level based upon rules and triggers. This capability can help security analysts filter through the noise at lightning speed and focus their investigations, so it’s likely that this NIC technology will gain traction – especially with cloud service providers.
  • Bundled offerings. IBM, Lancope and LogRhythm are already adding network forensics to their existing security analytics offerings while vendors like FireEye, Hexis Cyber Solutions, and RSA Security offer analytics solutions that dig into security data across endpoint forensics, network forensics, and external threat intelligence. Splunk is also more than willing to gather and examine network traffic for security and IT operations purposes.

It’s not likely that enterprises will copy and store every packet that ever crosses their network, but I have no doubt that they will collect, process, and analyze more and more network traffic each year. This should help improve security analytics as it ignites new market opportunities for security analytics, network hardware/software, storage devices/services, network management vendors, and MSSPs.

Filed Under: Advanced Persistent Threat, compliance, CyberThreats, Hexis, Log Management, Security News

HawkEye G Selected As Part of an Active Cyber Defense System to Protect Federal Networks from Advanced Cyber Attacks

2015/03/12 by admin

HANOVER, Md., March 12, 2015 – Hexis Cyber Solutions (Hexis), a wholly-owned subsidiary of The KEYW Holding Corporation (NASDAQ: KEYW) and a provider of advanced cybersecurity solutions for commercial companies and government agencies, today announced that HawkEye G has been selected by key members of the United States Intelligence Community as part of an integrated Active Cyber Defense (ACD) solution, protecting federal agencies’ networks against nation-state adversaries. As a core component, HawkEye G provides the only automated advanced threat removal capability available today. The ACD solution, referred to by the name SHORTSTOP, is provided as a turn-key system or as a reference design to federal agencies seeking best-in-class cyber defense. SHORTSTOP facilitates a convergence of commercial security technologies including HawkEye G and products from Palo Alto Networks, FireEye, and Splunk.

“The Intelligence customers that built this system understand the capabilities of today’s best cyber security products, and how to combine them to find previously undetectable attacks and remove them at machine speed. They are taking advantage of HawkEye G to sense at the endpoints, provide threat detection, pinpoint attacks, reduce false positives, and use automation to remove the threats,” said Chris Fedde, President of Hexis Cyber Solutions. “The SHORTSTOP architecture is consistent with the capabilities developed over the last three years by our engineers. As a result, government and commercial organizations can execute policy-driven threat mitigation in real-time to combat against advanced cyberattacks.”

HawkEye G is a next-generation cyber security platform that provides advanced threat detection, investigation and automated response capabilities. Security teams can continuously detect, investigate and remove advanced threats from within the network before adversaries can steal sensitive data, compromise intellectual property or cause critical process disruption. HawkEye G provides endpoint and network sensing, threat detection analytics, automated countermeasures that remove network threats, and a flexible policy engine that enables users to govern actions using both micro and macro policy controls.

According to research published by leading industry analysts, current forms of advanced persistent threat (APT) malware can live on a network host undetected for months. During this time, organizations are losing billions of dollars and in the case of many government entities, exposing highly sensitive intellectual property and data. With it becoming increasingly clear that perimeter and traditional endpoint solutions are failing to keep up with threats and that manual responses allow threats to compromise networks, government and commercial organizations are recognizing the need to automate decision-making and response.

For more information on HawkEye G, contact us.

Filed Under: Advanced Persistent Threat, compliance, Hexis, Log Management, Products, Security News

Hexis Cyber Solutions Launches Latest Version of HawkEye AP for Insider Threat Detection and Advanced Big Data Analytics

2015/03/10 by admin

New User Interface and Data Modeling Module Among Features to Enable Proactive Approach to Cybersecurity

HANOVER, Md., March 10, 2015 (GLOBE NEWSWIRE) — Hexis Cyber Solutions, Inc. (Hexis), a wholly-owned subsidiary of The KEYW Holding Corporation (Nasdaq:KEYW), and a provider of advanced cybersecurity solutions for commercial companies and government agencies, today announced the latest version of HawkEye AP, its highly scalable, log management solution that provides sophisticated analytics on high volumes of event data. With a new intuitive graphical user interface and an advanced analytics toolbox, HawkEye AP gives users a wide range of new capabilities to model and analyze data according to their specific needs. Included with this release is a new out-of-the-box model covering Insider Threat Detection.

Corporate and government IT security and incident response teams face a trifecta of challenges: cyber-attacks are becoming increasingly sophisticated, data sets are growing exponentially and compliance requirements are becoming more complex. Additionally, existing security technologies and approaches aren’t working, thereby leaving intellectual property at risk of damage or theft. While many organizations deploy a Security Information and Event Management (SIEM) solution for basic data protection, today’s threat landscape demands a more proactive approach to security investigation and discovery, compliance reporting and predictive analysis.

Pairing an open, flexible event data collection process with a high performance, clustered, columnar-based event data warehouse, HawkEye AP streamlines collection, storage and search functions. HawkEye AP’s next generation analytics tools, applied to Big Data, ensure security and corporate compliance, relevant across various industries especially those subject to federal regulations including healthcare and finance.

Enhancements include:

  • Insider Threat Detection: Perform advanced heuristics on user activity to spot deviations that are linked to destruction and/or theft of intellectual property.
  • Advanced Analytics Module: A new graphical-based analytics toolbox facilitates complex data modeling with a deep reporting capability. This enables thorough diagnostics, predictive and prescriptive analytics.
  • New User Interface: Built from the ground-up using HTML 5 and CSS 3, to deliver an intuitive user experience, HawkEye AP now makes it easy for a wide range of individuals, beyond Windows IT professionals and architects, to interact with data. New users could include security teams, mathematicians and analytics professionals.
  • Updated Installer: Extending the value of HawkEye AP for channel partners, the solution’s new installer streamlines the implementation and deployment processes while also offering monitoring capabilities for offsite deployments.

“Considering the prevalence of threats, unless companies and government organizations are using data to continuously improve and refine their cybersecurity strategies, they will find themselves at risk of being attacked,” said Chris Fedde, president of Hexis Cyber Solutions. “Data is often considered an organization’s greatest asset. HawkEye AP enables organizations to leverage that data and apply deep analytics to spot trends and anomalies while the forensics aid in the discovery and reporting on incidences, and enabling swift and thorough responses.”

For more information, click here or contact us.

Filed Under: Advanced Persistent Threat, compliance, Hexis, industry, Log Management, Security News

The Internet of Things may be getting ahead of itself when it comes to security

2015/02/24 by admin

By Hexis Cyber Solutions

The Internet of Things has been touted as the centerpiece of many innovative devices as it grows to encompass nearly every type of product imaginable. Already, appliances, cars and even buildings are being equipped with the capability to access Wi-Fi and wired networks. This has led to new efficiencies and data-driven opportunities for enterprises across the board.

Even as the benefits of connectivity grow more apparent, enterprises mustn’t lose sight of their security objectives. Before IoT devices and equipment make their way into routine business operations, decision makers should ensure that they are adding the layers of security necessary to incorporate these products in a safe way.

Individual devices’ security not yet up to par
According to Network World, Earl Perkins, research vice president at Gartner, believes that manufacturers of IoT-connected devices have put their own business goals ahead of ensuring that their products are secure from cyberattacks.

Perkins stated that this will change for the better moving forward, citing the trend of IoT device manufacturers acquiring software security firms to help shore up their products’ defenses, the news source reported. He noted that because businesses are increasingly concerned about their own cybersecurity, they will prefer solutions that come equipped with pre-loaded software-defined security measures. Essentially, it’s in the manufacturers’ best business interests to meet these needs.

Until a time arises where IoT products’ security features come standard, however, enterprises will need to be very careful about what they let connect to their networks.

IoT breeds complexity, which makes security difficult
Beyond the individual devices’ shortcomings, the IoT introduces a lot of moving parts into the network, as each individual device becomes an endpoint unto itself. These devices will be generating, receiving and transmitting data in large quantities, and while that level of interconnectivity can be a boon for business efficiency, it can also be an opportunity for hackers to break in.

Unsecured devices that have network access are easy targets for hackers who can penetrate into enterprise networks through a device. As ZDNet explained, each device that gets added to the network makes the overall structure more complex, as an individual product has its own vulnerabilities that must be accounted for by another part of the structure.

In light of this, enterprises will come to depend on cybersecurity solutions that scale and offer automated, machine-speed detection and response tools to keep up with the deluge of data and increasingly complex structure of their networks.

Filed Under: Advanced Persistent Threat, compliance, Hexis, industry, Products, Security News

Older Vulnerabilities Top Enabler of Breaches

2015/02/24 by admin

SC Magazine - Adam Greenberg, Reporter

Organizations are not properly patching their systems and networks, according to the HP Cyber Risk Report 2015, which took a look back at the threat landscape in 2014 and noted that 44 percent of known breaches were possible due to vulnerabilities identified years ago.

Accounting for 33 percent of identified exploit samples in 2014 is CVE-2010-2568, a popular Microsoft Windows vulnerability that was used as one of the infection vectors for Stuxnet, Jewel Timpe, senior manager of threat research at HP Security Research, told SCMagazine.com on Monday.

The report shows that CVE-2010-0188, a vulnerability in Adobe Reader and Acrobat, accounted for 11 percent of exploit samples in 2014. Six Oracle Java bugs identified in 2012 and 2013 also made the top ten list, as well as two Microsoft Office flaws – one identified in 2009 and the other in 2012.

“Our biggest message here is that we have got to start learning from our past,” Timpe said, going on to add, “We know software has vulnerabilities and vendors patch them, and when those patches are made available, they need to be applied. The best patch in the world won’t help your software if you don’t apply it.”

Timpe admitted that patching everything is not easy.

Patch management is a challenge for organizations because it is expensive and resource intensive, she said, adding that launching new applications may negatively affect existing infrastructure and could even result in regression in other software – meaning previously patched vulnerabilities are possibly reintroduced.

Timpe suggested taking the stance of the “assumed breach,” and explained that organizations – big or small – should implement technologies that identify breaches quickly and shut incidents down. She added that companies should identify which assets are most valuable and assess how to protect them.

Another significant issue noted in the report is server misconfigurations.

“This year we saw the bulk of them are really misconfigurations that are allowing unnecessary access to files and directories that they should not be allowing access to,” Timpe said, going on to add, “These configurations are giving adversaries a new way to get in.”

According to the report, penetration testing coupled with internal and external analyses of configurations can help in identifying issues.

In 2015, Timpe said she expected to see more open source vulnerabilities, more SCADA attacks, and more of a focus on infrastructure. Additionally, she said that attackers will continue to have success by exploiting older bugs.

Timpe – who urged organizations to update if they are running older systems that have reached or are nearing end of support – said that cooperation and working together will help reduce the threat posed by attackers.

“If we talk more, share more, and gain a thorough understanding of imminent threats, it will continue to increase the cost the attacker has to spend to be successful,” Timpe said.

Filed Under: Advanced Persistent Threat, antivirus, compliance, Hexis, Network Access Control, Products, Security News, SolarWinds

© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement