Monthly Archives: June 2016

Extending AutoFocus Threat Intelligence With New Tag Types

Category : Palo Alto

This visibility into the threat landscape enables teams to move away from chasing alerts, instead prioritizing response activities for the most critical threats, and proactively implementing new defensive measures. The real power of AutoFocus is its ability to not only consolidate billions of indicators from WildFire customers around the globe, but more importantly to provide a platform for deriving intelligence and context around those indicators through crowd-sourced tags. AutoFocus customers can develop their own private tags for internal company use, or they can choose to share them publicly for the benefit of all AutoFocus users. And of course, all AutoFocus customers benefit from the expertise of Unit 42, our threat intelligence team, which is constantly monitoring the front lines and dark recesses of the web to identify new malware families and attack campaigns, publish research, and develop new tags.

Previously, AutoFocus tags were targeted in two areas:

  • Malware Family tags, based on any combination of behavioral and atomic characteristics of a malware family. These are highly durable, and allow security teams to detect and gain context on new variants and other tweaks the malware authors make to avoid detection.
  • Campaign tags, which provide a way to “bucketize” atomic indicators such as hashes and domains related to a threat campaign or Unit 42 report, providing responders with the additional context to know that an alert is not just bad but related to a known adversary or campaign. These Campaign tags can also be used proactively to implement defenses in advance of an actual attack on your company or industry.

AutoFocus is constantly evolving, and with the release of the 1.0.7 version of AutoFocus today, we have further enhanced our ability to provide context into events and facilitate a speedy, educated response. AutoFocus tags can now differentiate between tag classes, such as Malware Family and Campaign (see Figure 1), which helps responders know immediately whether a tagged event is based on internal intelligence or on Unit 42 research.

In this release of AutoFocus, Unit 42 researchers have also added an additional class of tag, Malicious Behavior, to provide additional insight into the capabilities or intent of a piece of malware. Even if a malware sample is unique enough that an existing Malware Family tag has not been developed, it very likely will match an existing Malicious Behavior tag that provides the responder immediate insight into what a piece of malware is trying to do. Additionally, because the Malicious Behavior tags are behavior-based, they can even apply to benign samples that may exhibit some questionable behavior, thus warranting further research.

Figure 1: Malicious Behavior and Malware Family tags represented in AutoFocus.

To showcase the power and flexibility of the Malicious Behavior tags, we have selected a range of new Malicious Behavior tags to help you visualize the wide range of capabilities this new tag class provides.

[Tag image: mal behav modify]

Since malware normally has to communicate to an external server for command and control or to download additional malware, it frequently takes steps to lower the security posture of the affected system by modifying the Windows Firewall settings or even disabling it altogether. This tag detects a wide variety of mechanisms malware can utilize to modify the firewall, including the legitimate command line utilities and changes to the system registry.

[Tag image: mal behav access sms]

A common goal of Android malware is to intercept, read, or delete SMS messages from an infected device. Not only are there privacy and data theft implications, but also this tactic can be used to prevent detection or hide ongoing activity. (Note that this behavior does not include sending SMS messages, which is a different tag.)

[Tag image: mal behav access digital]

There are a wide variety of malware families that attempt to steal digital currency such as Bitcoin, and often this capability is bundled with other common malware families that may normally lack that “feature”. This tag highlights the common approaches taken to access or steal the most prevalent digital currencies.

[Tag image: mal behav powershell]

PowerShell is a powerful command-line shell with an associated scripting language, commonly used for administrative activities and automation. Of course our adversaries also leverage this tool to perform a wide range of nefarious activities. One capability that PowerShell provides is the ability to query the system to identify installed Antivirus software, which obviously is useful information for avoiding detection, taking steps to disable AV, or otherwise gaining insight into the system or environment for reconnaissance purposes.

[Tag image: mal behav processinject]

Malicious software is often injected into legitimate running processes on affected systems to make identification and recovery of the malware more difficult. There are a wide variety of mechanisms for injecting code, and more often than not this is indicative of malicious activity that warrants further investigation.

[Tag image: mal behav addbho]

Browser Helper Objects (BHOs) were designed by Microsoft to provide a way to add third-party extensions to Internet Explorer to enhance functionality, but BHOs have also been leveraged for malicious intent. The addition of a BHO to a system could be a legitimate activity, or it could be more nefarious, such as an adware toolbar or even malware designed to hijack or intercept internet browsing.

[Tag image: mal behav accesslocal]

One of the primary goals of advanced threat actors is credential theft, and normally this starts with the local system credentials, which are then used to attempt to spread laterally across the network. Legitimate software should rarely, if ever, attempt to access the local SAM database.

[Tag image: mal behav disablefile]

Microsoft Windows has security measures to prompt the user before executing files downloaded from the internet, and malware often tries to avoid this prompt, which would alert the user that something malicious was potentially happening and help prevent it. Unfortunately there are system changes that malware can implement to prevent the “Open File – Security Warning” dialog box from appearing.

[Tag image: mal behav deletevolume]

The Volume Snapshot Service, also known as Shadow Copy, is a backup and recovery technology in Windows that can be used to restore a system to a previously “known good” state after a system crash or faulty software installation. Shadow copies can also be used to restore from malware infections, so malware, especially ransomware, will often attempt to delete these backups to prevent the user from being able to restore his or her system.

[Tag image: mal behav initalsystem]

Attackers and malware authors often want to get a quick snapshot of a compromised system, or even a more complete local network recon, which is then uploaded to the command and control server. Usually this reconnaissance is performed with a variety of common built-in Windows commands, which, while commonly used by administrators, are rarely executed by benign software.
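The three tag classes described above, as an added example that is not Palo Alto Networks code: atomic (hash/domain) matches yield Malware Family and Campaign tags, while behavior rules over sandbox events yield Malicious Behavior tags that also fire on unknown samples and on benign software doing something questionable. Tag names, rules, indicator placeholders and the sample reports are all constructed for this illustration.

```python
"""Added example (not Palo Alto Networks code): a small tag matcher modelled on the
AutoFocus tag classes. Rules, tag names and sample reports are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tag:
    name: str
    tag_class: str   # "Malware Family", "Campaign" or "Malicious Behavior"
    source: str      # who authored the tag: "Unit 42" or "Private" (internal)


# Atomic tags key off indicators. Values are constructed placeholders, not real IoCs.
ATOMIC_TAGS = {
    "hashes": {"PLACEHOLDER_SHA256_OF_KNOWN_SAMPLE": Tag("ExampleFamily", "Malware Family", "Unit 42")},
    "domains": {"c2.example.invalid": Tag("ExampleCampaign", "Campaign", "Private")},
}

# Behavior tags key off what the sample did in the sandbox, so they fire on samples
# no family tag exists for yet. Each rule: (event type, pattern over the detail, tag).
BEHAVIOR_RULES = [
    ("process", re.compile(r"\bnetsh\b.*\bfirewall\b", re.I),
     Tag("ModifyWindowsFirewall", "Malicious Behavior", "Unit 42")),
    ("registry", re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I),
     Tag("ModifyWindowsFirewall", "Malicious Behavior", "Unit 42")),
    ("process", re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I),
     Tag("DeleteVolumeShadowCopies", "Malicious Behavior", "Unit 42")),
    ("file", re.compile(r"\\config\\SAM$", re.I),
     Tag("AccessLocalSAM", "Malicious Behavior", "Unit 42")),
    ("process", re.compile(r"^(systeminfo|ipconfig|tasklist|net view)\b", re.I),
     Tag("InitialSystemRecon", "Malicious Behavior", "Unit 42")),
]


def tag_sample(report: dict) -> list[Tag]:
    """Return the de-duplicated tags a sandbox report matches, atomic tags first."""
    tags: list[Tag] = []
    for kind, table in ATOMIC_TAGS.items():
        for value in report.get(kind, []):
            if value in table and table[value] not in tags:
                tags.append(table[value])
    for event_type, detail in report.get("events", []):
        for rule_type, pattern, tag in BEHAVIOR_RULES:
            if event_type == rule_type and pattern.search(detail) and tag not in tags:
                tags.append(tag)
    return tags


def verdict(tags: list[Tag]) -> str:
    """What a responder learns from the tag classes present on a sample."""
    classes = {t.tag_class for t in tags}
    if "Malware Family" in classes or "Campaign" in classes:
        return "known threat"                               # family/campaign context available
    if "Malicious Behavior" in classes:
        return "unknown sample with suspicious behavior"    # warrants further research
    return "no tags"


# Constructed sandbox reports: (event type, detail) pairs as a sandbox might record them.
UNKNOWN_RANSOMWARE = {
    "hashes": ["PLACEHOLDER_SHA256_UNSEEN"],
    "domains": [],
    "events": [
        ("process", "vssadmin delete shadows"),
        ("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\EnableFirewall"),
    ],
}
BACKUP_TOOL = {   # benign software that still exhibits one tagged behavior
    "hashes": [],
    "domains": [],
    "events": [("process", "vssadmin delete shadows")],
}
KNOWN_SAMPLE = {
    "hashes": ["PLACEHOLDER_SHA256_OF_KNOWN_SAMPLE"],
    "domains": ["c2.example.invalid"],
    "events": [("process", "systeminfo")],
}

if __name__ == "__main__":
    for name, report in [("unknown", UNKNOWN_RANSOMWARE), ("backup", BACKUP_TOOL), ("known", KNOWN_SAMPLE)]:
        tags = tag_sample(report)
        print(name, [(t.name, t.tag_class, t.source) for t in tags], "->", verdict(tags))
```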

Hopefully this introduction into Malicious Behavior tags gave you some insight into the power of this capability and its ability to provide as much context as possible to responders immediately. The goal of AutoFocus is to empower security teams to protect their organizations from unique and targeted attacks, and the use of real-time, full-context insight into the events happening not only on their network but across the Palo Alto Networks customer base is the first step in that process.

Pulse Secure Aids PCI Compliance With Granular Cipher Enhancement

Category : Pulse Secure

Updated Pulse Connect Secure Offers Flexibility Over Specific Protocols and Cipher Suites as Organizations Transition Away From SSL

Pulse Secure, the leader in secure access solutions, has announced an update to its Pulse Connect Secure product that helps customers meet the Payment Card Industry Security Standards Council (PCI SSC) mandated transition from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher) through a flexible cipher selection feature.

After the discovery of the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability and the Heartbleed exploit, PCI downgraded the SSL protocol, stating that it can no longer be used as a security control after 30 June 2016. Instead, organizations needing to stay compliant must switch to the newer TLS 1.1 and TLS 1.2 standards.

“The latest upgrade to Pulse Connect Secure provides a deeper level of control over the encryption ciphers and deployment parameters allowing administrators to create the most secure environments that meet industry best practice and stringent PCI compliance requirements,” explains Kevin Sapp, VP, Strategy for Pulse Secure. “The update has been built based on extensive feedback and guidance from a number of clients, particularly within financial services to ensure that the new features allow for a seamless and zero downtime transition as organizations aim to meet the end of June deadline.”

Pulse Connect Secure is an industry-leading mobile VPN that enables secure access from any device to enterprise apps and services in the data center or cloud. The platform is used by 80% of the Fortune 50 and secures over 18 million endpoints.

“Building flexibility and ensuring that product updates are delivered in a timely fashion is vital in a world where even trusted standards such as SSL may need to be replaced due to unforeseen issues,” says Sapp. “The latest granular cipher update is part of a continual development roadmap that has recently added Secure Single Sign-On to Cloud Applications (SAML), proxy authentication for Java and support for RSA Authentication Manager Risk Based Authentication.”

RIG Exploit Kit Makes A Sprash In Russia

Category : Forcepoint

The very popular Russian site Sprashivai[.]ru has been compromised and is silently redirecting users to the RIG Exploit Kit (EK). During our analysis we saw RIG EK drop the SmokeLoader (aka Dofoil) malware.

[Image taken from the Sprashivai homepage]

Compromised Site

Sprashivai[.]ru is a popular Russian Q&A and social networking site, receiving an estimated 20 million visitors per month according to SimilarWeb. The Russian word “sprashivai” means “ask” in English.

The site has been compromised by an actor attempting to redirect users to RIG EK via an injected iFrame:

[Screenshot: the injected iFrame]

The iFrame loads up the RIG EK landing page which then attempts to exploit the machine if it is using outdated browser components, such as an old Adobe Flash Player. If successfully exploited, RIG EK will drop and execute malware on the machine. All of this is done silently in the background without any user interaction necessary.

During our analysis RIG EK sent a CVE-2015-8651 Adobe Flash Player exploit. The SWF exploit contains debug strings suggesting a user named Владимир (“Vladimir”) compiled the exploit, although the ActionScript filenames appear to be somewhat randomized:

[Screenshot: debug strings in the SWF exploit]

Sprashivai has been compromised since at least June 23 and was still compromised when we checked again on June 29. We notified Sprashivai of the compromise on June 27 but have not heard anything back.

June 23

hxxp://sprashivai[.]ru/ (Compromised Site)

–> hxxp://jy.raleighculturalresources[.]org/?xH**redacted** (RIG EK)

June 27

hxxp://sprashivai[.]ru/ (Compromised Site)

–> hxxp://sd.studio-aceti[.]com/?x3**redacted** (RIG EK)

June 29

hxxp://sprashivai[.]ru/ (Compromised Site)

–> hxxp://ht.navisage[.]com/?xX**redacted** (RIG EK)

SmokeLoader

During our analysis RIG EK dropped and executed the SmokeLoader (aka Dofoil) malware. The original executable that was dropped was a Nullsoft Installer System (NSIS) executable that decrypted and executed the SmokeLoader payload. This technique makes it difficult for anti-virus solutions to detect because NSIS files themselves are legitimate and the scripting ability makes them extremely versatile.

The NSIS installer dropped two important files, Aero.dll and Votary.C. The Aero.dll module is invoked from the NSIS script and is responsible for decrypting and loading the Votary.C SmokeLoader payload.

The SmokeLoader payload is then injected into explorer.exe and execution continues from there. The malware attempts to reach its C&C (reamstat[.]link) amid a sea of decoy requests that it also generates to legitimate sites. The decoy requests are sent to URLs taken from the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall registry sub-keys.

SmokeLoader’s primary purpose is to download plug-ins which contain malicious functionality such as credential stealers, click fraud components, and more trojan downloaders like Win32/Recslurp.

According to a superb analysis by Stopmalvertising, SmokeLoader began to be sold only to Russian-speaking individuals in March 2014. So it is interesting that we see SmokeLoader being dropped via a compromised Russian site, and therefore affecting Russian-speaking individuals.

Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

  • Stage 2 (Lure) – The injected code on the compromised site is detected and the site is blocked.
  • Stage 4 (Exploit Kit) – The RIG EK landing page is detected and blocked.
  • Stage 5 (Dropper File) – The malicious NSIS executable is detected by File Sandboxing.

Indicators of Compromise (IOCs)

Compromised Site

hxxp://sprashivai[.]ru

RIG Exploit Kit

hxxp://jy.raleighculturalresources[.]org

hxxp://sd.studio-aceti[.]com

hxxp://ht.navisage[.]com

SmokeLoader C&C

hxxp://reamstat[.]link

SmokeLoader Samples (SHA1)

9680e89c4a11aaee448b27d25a2342ebf9b5d367

fc8756b848262c237e1e7a6028ee97a70c7f0e1f
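A way to put the defanged indicators above to work, as an added example that is not Forcepoint code: refang the hxxp / [.] notation, index each hostname by the stage of the chain it belongs to, and walk a proxy log to see how far along the compromised-site, RIG EK, C&C chain each client got. The proxy log lines are constructed; the requests to example.com / example.org stand in for the decoy traffic to legitimate sites the post describes.

```python
"""Added example (not Forcepoint code): refang the post's IOCs and triage a
constructed proxy log against them, per client and per stage of the chain."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# IOCs exactly as the post lists them, keyed by the attack stage they belong to.
IOCS = {
    "Compromised Site": ["hxxp://sprashivai[.]ru"],
    "RIG Exploit Kit": [
        "hxxp://jy.raleighculturalresources[.]org",
        "hxxp://sd.studio-aceti[.]com",
        "hxxp://ht.navisage[.]com",
    ],
    "SmokeLoader C&C": ["hxxp://reamstat[.]link"],
}
STAGE_ORDER = ["Compromised Site", "RIG Exploit Kit", "SmokeLoader C&C"]


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] defanging used in the IOC list."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def ioc_host(ioc: str) -> str:
    return (urlsplit(refang(ioc)).hostname or "").lower()


def build_index() -> dict[str, str]:
    """Map each indicator hostname to the stage it represents."""
    return {ioc_host(item): stage for stage, items in IOCS.items() for item in items}


# Constructed proxy log (not from the post): "timestamp client method url status".
# The query string placeholder stands in for the redacted RIG EK parameter.
PROXY_LOG = """\
2016-06-27T10:02:11Z 10.0.0.5 GET http://sprashivai.ru/ 200
2016-06-27T10:02:12Z 10.0.0.5 GET http://sd.studio-aceti.com/?x3PLACEHOLDER 200
2016-06-27T10:02:15Z 10.0.0.5 GET http://www.example.com/ 200
2016-06-27T10:02:40Z 10.0.0.5 POST http://reamstat.link/ 200
2016-06-27T10:05:03Z 10.0.0.9 GET http://sprashivai.ru/ 200
2016-06-27T10:05:04Z 10.0.0.9 GET http://www.example.org/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def triage(log_text: str) -> dict[str, list[tuple[str, str, str]]]:
    """Return {client: [(timestamp, host, stage), ...]} for every IOC hit in the log."""
    index = build_index()
    hits: dict[str, list[tuple[str, str, str]]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than fail the run
        ts, client, _method, url, _status = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        if host in index:
            hits.setdefault(client, []).append((ts, host, index[host]))
    return hits


def chain_depth(client_hits: list[tuple[str, str, str]]) -> int:
    """How far along the chain a client got: 1 = lure only, 3 = reached the C&C."""
    stages = {stage for _, _, stage in client_hits}
    return max((STAGE_ORDER.index(s) + 1 for s in stages), default=0)


if __name__ == "__main__":
    for client, client_hits in triage(PROXY_LOG).items():
        print(client, "depth", chain_depth(client_hits))
        for ts, host, stage in client_hits:
            print("   ", ts, host, "->", stage)
```

A client at depth 3 contacted the C&C and should be treated as infected, while depth 1 only means the lure page was visited.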

Summary

Actors continue to compromise popular sites and develop new and unique ways to try and stay undetected. These criminals do not always need to resort to malvertising to tap into a pool of millions of potential victims. And while crypto-ransomware remains one of the most popular weapons of choice, malware developers and distributors also continue to use backdoors like SmokeLoader.

Vormetric and FireEye Strengthen Protection Against Data Breaches for Customers

Category : FireEye

Vormetric Adds Sensitive Data Access Monitoring information to the FireEye Threat Analytics Platform – Joins the FireEye Cyber Security Coalition

Vormetric, a Thales company and a leader in enterprise data protection for physical, virtual, big data, and cloud environments, today announced that it has joined the FireEye Cyber Security Coalition and integrated detailed security intelligence information on file-level access to sensitive data with the FireEye Threat Analytics Platform (TAP). When combined, Vormetric’s encryption, access control and security intelligence capabilities, plus the analytic capabilities of FireEye TAP, create a strong line of defense and threat detection when perimeter defenses have failed to stop external cyberattacks or malicious insiders.

The Vormetric Data Security Platform produces detailed security intelligence logs of file level access to sensitive data it protects. These logs produce an auditable trail of permitted and denied access attempts from users and processes, as well as privileged user escalation information, delivering unprecedented insight into file access activities. Logging occurs at the file system level, removing the opportunity of stealthy access to sensitive data. When integrated with FireEye TAP, it can inform of unusual or improper data access and accelerate the detection of insider threats, hackers, and the presence of advanced persistent threats (APT) that are past the perimeter security.

“The increasingly dangerous nature of cyber threats has made the work of security professionals even more difficult,” said Ed Barry, VP, Cyber Security Coalition, FireEye. “By teaming with Vormetric, our FireEye TAP customers gain access to the detailed data access information and pattern data that the Vormetric platform generates. The result is critical threat intelligence that allows organizations to detect, respond to and resolve threats, even when the attackers are inside enterprise and application perimeters.”

“FireEye TAP applies threat intelligence, expert rules and advanced security data analytics against the problems of revealing suspicious behavior and generating alerts that matter, so that organizations can shut down threats before they cause damage,” said Vice President of Business Development for Vormetric, Arun Gowda. “With Vormetric now partnering to add data threat intelligence to FireEye’s already powerful capabilities, customers gain even better protection for their critical information and environments.”

Security Questions You Should Be Asking Your Cloud Service Provider

Category : McAfee

Delivering proactive and proven security solutions and services that help secure systems and networks around the world, Intel Security protects consumers and businesses of all sizes from the latest malware and emerging online threats.

Our solutions are designed to work together, integrating anti-malware, antispyware, and antivirus software with security management features that deliver unsurpassed real-time visibility and analytics, reduce risk, ensure compliance, improve Internet security, and help businesses achieve operational efficiencies.

XenServer Health Check: From Enrollment to Diagnostic Results

Category : Citrix

XenServer 7 has been launched, and following on from the recent blog post announcing the XenServer Health Check feature, I want to go into more detail about the main aspects of this feature: how a XenServer pool is enrolled into Health Check, how the Health Check upload is performed, and how the Health Check analysis results are made available to XenServer users.

Enrollment

This is an opt-in feature, with enrollment done from XenCenter. There are a few settings required for the enrollment:

  • Health Check upload schedule: the frequency, in weeks (defaulted to 2 weeks), day of the week and time when you prefer the Health Check report to be automatically uploaded to Citrix Insight Services (defaulted to a random day of the week and to a random time between 1AM and 5AM). This allows admins to schedule the Health Check uploads for different pools on different days of the week and at a time convenient to them.

[Screenshot: UploadSchedule]

  • XenServer credentials: these are the credentials that the XenServer Health Check Service will use to connect to the XenServer pool in order to collect the Health Check report.

[Screenshot: XenServerCredentials]

  • Authentication with Citrix Insight Services (CIS): on enrollment into Health Check, XenCenter requires the user’s Citrix credentials in order to obtain an authentication token from CIS. This token is then used to obtain a series of other tokens used by the Health Check Service in order to upload the Health Check reports (the upload token) and by XenCenter to obtain the results of the CIS analysis on these reports (the diagnostic token).

[Screenshot: AuthenticationCIS]

The Citrix credentials are not saved by XenCenter or XenServer; only the upload and diagnostic tokens are saved in XenServer.

By using this token system, the Citrix credentials are only required once, and users can also enrol multiple servers / pools into Health Check using an existing token, because XenCenter can detect a previous authentication and offer to reuse it.

Upload

The Health Check Service is installed by default with each installation of XenCenter 7.0, and is responsible for collecting the XenServer Health Check reports and uploading them to Citrix Insight Services (CIS).

Once installed, it runs as a background service on the XenCenter machine, under the name Citrix XenServer Health Check Service.

Tip: In this model, with XenCenter facilitating the enrollment and the Health Check Service performing the upload, XenCenter does not need to stay open for the Health Check to function.

The Health Check Service periodically (every 30 minutes) connects to the pools enrolled in Health Check and checks if an upload is due. If that’s the case, then it collects the Health Check report and uploads it to the CIS (also including the XenCenter logs). This report is a pre-defined server status report – in the same format as the one that XenCenter is generating in the Server Status Report wizard – containing XenServer logs and configuration files that are used by the CIS to identify problems in the XenServer system. A list describing the content of this report can be found here.

If an upload fails, it will be retried weekly until it succeeds or until another scheduled upload succeeds.

XenCenter displays the status of the scheduled Health Check uploads as the date and time of the last successful upload (or the last failed upload if that is most recent).

[Screenshots: ASuccessfulUpload, AFailedUpload]

Admins also have the option to do “on-demand” health checks, by requesting additional uploads for a pool already enrolled in Health Check. This upload is also performed by the Health Check service.

[Screenshots: RequestAdditionalUpload, AdditionalUploadRequested]

Tip: XenCenter and the Health Check Service can be installed on multiple machines that the IT admin uses to manage their XenServer pools. In this configuration any of these services can collect and upload the Health Check report for any of the pools managed on the respective machine. The Health Check Service uses a locking mechanism to ensure that only one service will process an upload for a given pool.
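The scheduling rules described in this section, as an added example that is not Citrix code: the 2-week default with a random weekday and a random time between 1AM and 5AM, the 30-minute polling of the Health Check Service, the weekly retry after a failed upload until it succeeds or a later scheduled upload succeeds, and on-demand uploads. The exact decision logic the real service uses is an assumption of this model, and all dates are constructed.

```python
"""Added example (not Citrix code): a model of the XenServer Health Check upload
schedule, polling and retry behaviour. Decision rules are assumed from the post."""
from __future__ import annotations

import random
from dataclasses import dataclass
from datetime import datetime, time, timedelta

POLL_INTERVAL = timedelta(minutes=30)   # the service checks every 30 minutes whether an upload is due
RETRY_INTERVAL = timedelta(weeks=1)     # a failed upload is retried weekly


@dataclass(frozen=True)
class UploadSchedule:
    frequency_weeks: int = 2
    weekday: int = 0          # Monday = 0 ... Sunday = 6
    at: time = time(3, 0)

    @classmethod
    def random_default(cls, rng: random.Random) -> "UploadSchedule":
        """XenCenter's default: every 2 weeks, on a random weekday, between 1AM and 5AM."""
        minute_of_day = 60 + rng.randrange(4 * 60 + 1)   # 01:00 .. 05:00 inclusive
        return cls(2, rng.randrange(7), time(minute_of_day // 60, minute_of_day % 60))


def first_slot(schedule: UploadSchedule, enrolled: datetime) -> datetime:
    """First scheduled upload time on or after the moment the pool was enrolled."""
    days_ahead = (schedule.weekday - enrolled.weekday()) % 7
    slot = datetime.combine(enrolled.date() + timedelta(days=days_ahead), schedule.at)
    return slot if slot >= enrolled else slot + timedelta(weeks=1)


def latest_slot(schedule: UploadSchedule, enrolled: datetime, now: datetime) -> datetime | None:
    """Most recent scheduled slot at or before `now`, or None before the first slot."""
    first = first_slot(schedule, enrolled)
    if now < first:
        return None
    period = timedelta(weeks=schedule.frequency_weeks)
    return first + ((now - first) // period) * period


def upload_due(schedule: UploadSchedule, enrolled: datetime, now: datetime,
               last_success: datetime | None = None, last_failure: datetime | None = None,
               requested: bool = False) -> bool:
    """Decide at one poll whether the service should upload now (assumed rules)."""
    if requested:                                   # on-demand upload requested from XenCenter
        return True
    slot = latest_slot(schedule, enrolled, now)
    if slot is None:
        return False
    if last_success is not None and last_success >= slot:
        return False                                # this slot has already been uploaded
    if last_failure is not None and last_failure >= slot and now - last_failure < RETRY_INTERVAL:
        return False                                # failed for this slot; retry only after a week
    return True


def simulate(schedule: UploadSchedule, enrolled: datetime, start: datetime, end: datetime,
             attempt) -> list[tuple[datetime, bool]]:
    """Walk the 30-minute polls in [start, end]; `attempt(ts)` performs an upload and returns success."""
    last_success = last_failure = None
    log: list[tuple[datetime, bool]] = []
    now = start
    while now <= end:
        if upload_due(schedule, enrolled, now, last_success, last_failure):
            ok = attempt(now)
            log.append((now, ok))
            if ok:
                last_success = now
            else:
                last_failure = now
        now += POLL_INTERVAL
    return log


if __name__ == "__main__":
    sched = UploadSchedule(frequency_weeks=2, weekday=0, at=time(3, 0))   # every other Monday, 03:00
    enrolled = datetime(2016, 6, 1)                                       # constructed enrollment time
    # The first upload fails (e.g. CIS unreachable); everything after midday that day succeeds.
    for ts, ok in simulate(sched, enrolled, datetime(2016, 6, 6), datetime(2016, 6, 21),
                           lambda ts: ts > datetime(2016, 6, 6, 12)):
        print(ts, "succeeded" if ok else "failed")
```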

Analysis results

On the CIS side, there are more than one hundred plugins that analyse this report for Networking, Storage or Runtime errors, Security vulnerabilities, missing critical Hotfixes, etc. Each issue found by the CIS diagnostic plugins is given a severity ranging from low to severe.

Once a report is analysed by the CIS, XenCenter displays the number of issues found, their severity (highest severity among the issues found) as a Red-Amber-Green status and a link to the full analysis on the CIS website.

[Screenshot: AnalysisResult]

Following the link to the CIS analysis result, users can see more details for each issue, including a recommendation on how to fix the problem. This recommendation may also include a link to a KB article.

Diagnostic report

With the analysis results available in XenCenter and on the CIS website, the loop is closed: you can quickly check the state of your system in XenCenter, the same place where it all started when you enrolled your XenServer pools into Health Check.

Try XenServer Health Check for yourself and see the added value it brings to supporting and maintaining your infrastructure!

The most effective security architecture on the planet

Category : Cisco

We know what keeps you up at night. That’s why we created the most effective #security architecture on the planet.

How Our Carrier Failover Kept Data Moving Last Week

Category : Imperva

Last Monday, web users in Europe saw their internet connections slow—some to a crawl. There were reports of connection lags with many popular sites. The connectivity issues were initially attributed to cable faults with Telia Carrier, one of the top two global IP transit providers carrying over 1 Exabyte of data per month.

The issues were big enough to lead some to speculate that a cable had been cut. Along with other service providers, we reported connectivity and packet loss issues as well. We identified the issue with our transit provider and took action to mitigate the effect on our clients.

The internet is amazing in its complexity. To make it work, it has to change—constantly. The heart of the internet is its routing system. While routers and cables move the data, it takes people to set it all up and make it all work. As a service provider, we can empathize that Telia had “one of those days”. Turns out the problem was caused by a human that had misconfigured a router causing Europe’s data to be sent to the Far East.

We understand that our clients expect the highest levels of response time and availability. So we built the Incapsula network with no single point of failure—not only within our data centers but among our upstream service providers. Consistent with this goal is our multi-carrier architecture that’s designed to insulate our clients from glitches among our carriers.

We choose our data center locations carefully. We’ve previously written about the importance of deploying our network points of presence (PoPs) at strategic internet hubs, such as Frankfurt and London, to take advantage of peering agreements with Tier 1 providers, other internet service providers (ISPs), leading hosting providers and large major network entities. We’ve also written about important nuts-and-bolts considerations for deciding when, where, and with whom to peer.

Incapsula works with regional peering providers such as AMS-IX, DE-CIX, HKIX, and others to minimize latency. These providers sit on the network backbone and enable our PoPs to benefit from direct connections to other CDNs and Tier 1 carriers. Our customers, as a result, enjoy the highest levels of network performance and provide their end users with the best possible experience.

The key to insulating the inevitable transit provider disruption from affecting our clients is carrier monitoring, redundancy and failover. Before understanding how our monitoring works, here’s an overview of how a connection to a provider works: When establishing a connection, our provider assigns one IP address to a port on their router and another IP address to a port on our router—these are known as the “endpoints”. A BGP peer is then established between these connections and the local endpoint on our side is defined as the next hop in the BGP announcement. When establishing a transit agreement, we also order multiple ports and use them as separate “pipes”, each with a separate /30 subnet. We can also bind them together using LACP or LAG in order to get larger pipes. With this architecture, we have a set of pipes in each PoP from different providers each with its own set of endpoints (/30).

Now for the monitoring part: We use a combination of Pingdom, ThousandEyes and also some internally developed monitoring services to monitor both endpoints described above. Our monitoring scheme also gives us a clear view of how traffic is flowing to different locations from multiple vendors and internal systems. From the inside, we use the monitoring services on our core routers (RPM in Junos or IP SLA in Cisco) to test the availability of internet resources—like Google’s 8.8.8.8 public DNS servers. Using multiple monitoring services allows us to direct the traffic through different interfaces and endpoints in order to test routing via different pipes and vendors. We then export the monitoring results using SNMP to our monitoring system.

The frequency of our network tests depends on the capabilities of the systems we use, but it can be every 30 seconds, every minute or more. All of these aggregate tests are running in parallel on a continuous basis allowing us to identify and start the investigation of issues within a few seconds after they start to occur. When we identify network issues, we use the information our monitoring systems have gathered to tell our Behemoth device in the PoP which pipes to use. We also can take the additional step of stopping the BGP publications through vendors that are suspected to have a major issue.
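The per-pipe monitoring and failover decision described above, as an added example that is not Incapsula/Imperva code: each transit pipe is a /30 with one endpoint on the provider's router and one on ours (the BGP next hop), probes through each pipe to a public target are judged against loss and latency thresholds, healthy pipes are kept, and a provider whose pipes are all failing is marked for BGP withdrawal. Provider names, subnets, thresholds, which /30 address each side takes, and the probe values are all constructed assumptions.

```python
"""Added example (not Incapsula/Imperva code): model of per-pipe monitoring and the
'which pipes to use / which vendor to stop announcing through' decision."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

LOSS_MAX_PCT = 5.0    # assumed threshold: more loss than this marks a probe as failing
RTT_MAX_MS = 150.0    # assumed threshold: a Europe-to-Far-East detour shows up as a latency jump


@dataclass(frozen=True)
class Pipe:
    provider: str
    subnet: str          # the /30 ordered for this pipe, e.g. "203.0.113.0/30"

    def endpoints(self) -> tuple[str, str]:
        """(provider-side address, our-side address); ours is the BGP next hop.
        Assumption: the provider takes the first usable address, we take the second."""
        net = ipaddress.ip_network(self.subnet, strict=True)
        if net.prefixlen != 30:
            raise ValueError(f"expected a /30, got {self.subnet}")
        theirs, ours = net.hosts()
        return str(theirs), str(ours)


@dataclass(frozen=True)
class Probe:
    pipe: Pipe
    target: str          # e.g. "8.8.8.8", the public resolver used as a reachability target
    loss_pct: float
    rtt_ms: float

    def healthy(self) -> bool:
        return self.loss_pct <= LOSS_MAX_PCT and self.rtt_ms <= RTT_MAX_MS


def evaluate(pipes: list[Pipe], probes: list[Probe]) -> dict:
    """Which pipes the PoP should keep using, and which providers to stop announcing through."""
    status = {pipe: True for pipe in pipes}          # a pipe with no probe data is assumed usable
    for p in probes:
        status[p.pipe] = status.get(p.pipe, True) and p.healthy()
    use = [pipe for pipe, ok in status.items() if ok]
    providers = {pipe.provider for pipe in pipes}
    withdraw = sorted(prov for prov in providers
                      if not any(pipe.provider == prov and ok for pipe, ok in status.items()))
    return {"use": use, "withdraw_bgp": withdraw}


# Constructed topology: ProviderA stands in for a carrier whose misconfigured router is
# sending European traffic the long way round; the other providers are fine.
PIPES = [
    Pipe("ProviderA", "203.0.113.0/30"),
    Pipe("ProviderA", "203.0.113.4/30"),
    Pipe("ProviderB", "198.51.100.0/30"),
    Pipe("ProviderB", "198.51.100.4/30"),
    Pipe("ProviderC", "192.0.2.0/30"),
]
PROBES = [   # constructed measurements, not data from the incident
    Probe(PIPES[0], "8.8.8.8", loss_pct=38.0, rtt_ms=290.0),
    Probe(PIPES[1], "8.8.8.8", loss_pct=41.0, rtt_ms=305.0),
    Probe(PIPES[2], "8.8.8.8", loss_pct=0.0, rtt_ms=12.0),
    Probe(PIPES[3], "8.8.8.8", loss_pct=0.5, rtt_ms=14.0),
    Probe(PIPES[4], "8.8.8.8", loss_pct=1.0, rtt_ms=18.0),
]

if __name__ == "__main__":
    for pipe in PIPES:
        print(pipe.provider, pipe.subnet, "endpoints", pipe.endpoints())
    decision = evaluate(PIPES, PROBES)
    print("use:", [(p.provider, p.subnet) for p in decision["use"]])
    print("withdraw BGP through:", decision["withdraw_bgp"])
```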

The human element

In some cases, the rerouting is done automatically. In all cases, the situation is being reported in real time to our NOC team. The Incapsula NOC engineer is being fed a lot of data including direct monitoring of every PoP, monitoring pseudo sites on the network, exercising CDN processes, monitoring the various providers and connections described above as well as monitoring bandwidth and potential attacks. An Incapsula NOC engineer, using the information provided by the monitoring system can change how BGP publication is done, divert traffic away from problematic pipes and keep traffic flowing. There is no substitute for the human eyes and brain when it comes to dealing with the unexpected.

In the stacked graphs below, you can see the traffic switchover from Telia to other carriers in our Zurich and Paris data centers, and then back to Telia when the incident was resolved.

[Graphs: traffic switchover in the Zurich and Paris data centers]

We understand the nature of the internet will lend itself to occasional hiccups—no service provider is immune. We’ll continue to build and manage our network to help keep our clients insulated from the inevitable glitch.

SteelFusion: Release VDI from the DC

Category : Riverbed

Looking up virtual desktop infrastructure (VDI) and its roots, there’s one thing that stuck out each time: “…all components are essentially saved in the data center…”, which is exactly what you want to improve disaster recovery (DR) capability, management, data security, and backup. But what about the remote office / branch offices (ROBOs) that are on a bit of string that’s lucky to be available for any of the working business day? With over 50% of users and 50% of data outside of the data center (DC), how does VDI scale to the ROBO? How do you secure the data and the desktop while still having a usable system?

Typical remote site VDI implementations

Roughly speaking there are two solutions to VDI at the ROBO:

  • A WAN based solution with the infrastructure in the DC
  • A ROBO based solution with the infrastructure on site

The WAN based solution works on having the DC supply all the resources over the WAN to the ROBO, keeping centralized control and data secure in the DC. Lower ROBO infrastructure costs, lower remote management costs, and everything secure all under one roof makes for a compact deployment. However, the obvious weakness is the WAN and its ability to sustain boot storms and outages. Any irregular traffic movement over the WAN and an exponential data backlog starts to build on the WAN link with data competing to get over the line. User experience dips and support phone lines start to light up.

In a ROBO based solution the WAN limitation is all but negated by having the VDI infrastructure on site and always available to the users. This allows for a fully resilient deployment where users get the benefit of local resources, LAN speed access, and minimum dependency on the WAN and the DC. But the tradeoff is increased hardware management away from central management, disparate silos of hardware to support and maintain, and potentially no two sites alike.

SteelFusion and VDI

The VDI solution from Riverbed utilizes the SteelFusion technology and its ability to host a stateless VDI infrastructure at the ROBO. The SteelFusion hardware in the ROBO caches the VDI VMs, allowing a space-efficient desktop to be available over the WAN, all controlled from the DC. And if the WAN becomes unavailable, the cached VMs are still available to the users, so production continues to run with no impact to users.


By having a stateless infrastructure onsite at the ROBO, SteelFusion delivers:

  • LAN speed user experience on applications
  • Negation of boot storms over the WAN
  • Centralized VDI management from the DC
  • Secure and encrypted data from DC to user
  • A high availability 4U hardware footprint on site
  • Data access during WAN outages

Safe and secure data

One of the big draws for VDI is to have the desktop and the data secure in the DC, so that if anything happens to affect access or availability, the data is safe and secure and the desktop can be spun up somewhere else. So how does SteelFusion deal with this?

SteelFusion projects the data from the DC out to the ROBO and by using this method the source data is safe and secure in the DC, while the authoritative working copy is being used in the ROBO. If the SteelFusion environment is made inaccessible for any reason then the data and desktops are still in the DC and can be made available.

The data that is cached by SteelFusion is also secure. Using 256-AES encryption for the data at rest and using data encryption over the WAN for data in transit, the SteelFusion VDI solution offers true end-to-end data security.

SteelFusion offers the best of both worlds by having the data available in the ROBO at LAN speeds for the users, but safe and secure back in the DC. SteelFusion truly extends the DC VDI environment out to the ROBO while maintaining the VDI principles.

Remove the ROBO uncertainty

With either a heavy dependency on the WAN for a DC based deployment or silos of infrastructure in a ROBO centric deployment, uncertainty around data access availability or the security of remote data and backups will be something that sits constantly with traditional ROBO VDI deployments.

SteelFusion removes the over dependency of the WAN by making VM’s and data available locally even during a WAN outage, and with a maximum 4U footprint for the hardware in a fully redundant High Availability installation, even the smallest site and IT cabinet can house SteelFusion.

A consistent hardware deployment model, industry standard management tools, fully secure data from DC to user, and still holding true to the VDI technology, SteelFusion can remove the level of uncertainty that plague ROBO VDI’s and extend usability outside of the DC.

Looking up virtual desktop infrastructure (VDI) and its roots, one phrase stood out every time: “…all components are essentially saved in the data center…” That is exactly what you want for disaster recovery (DR), management, data security, and backup. But what about the remote office / branch offices (ROBOs) that hang off a WAN link that is lucky to stay up for the whole working day? With over 50% of users and 50% of data outside the data center (DC), how does VDI scale to the ROBO? How do you secure the data and the desktop while still giving users a system they can work on?

Typical remote site VDI implementations

Roughly speaking there are two solutions to VDI at the ROBO:

  • A WAN based solution with the infrastructure in the DC
  • A ROBO based solution with the infrastructure on site

The WAN based solution has the DC supply all the resources over the WAN to the ROBO, keeping control centralized and the data secure in the DC. Lower ROBO infrastructure costs, lower remote management costs, and everything under one roof make for a compact deployment. The obvious weakness is the WAN itself and its ability to absorb boot storms and survive outages. Any surge of traffic over the link, such as many desktops booting at once, builds a backlog of data competing to get across the line: user experience drops and the support phone lines light up.

In a ROBO based solution the WAN limitation is all but removed by having the VDI infrastructure on site and always available to users. This gives a resilient deployment where users get local resources, LAN speed access, and minimal dependency on the WAN and the DC. The tradeoff is hardware management away from the central team, disparate silos of hardware to support and maintain, and potentially no two sites alike.

SteelFusion and VDI

The VDI solution from Riverbed uses SteelFusion technology and its ability to host a stateless VDI infrastructure at the ROBO. The SteelFusion hardware in the ROBO caches the VDI VMs, so a space efficient desktop is available over the WAN while remaining controlled from the DC. If the WAN becomes unavailable, the cached VMs are still available to users and production continues with no impact on users.

By having a stateless infrastructure onsite at the ROBO, SteelFusion delivers:

  • LAN speed user experience on applications
  • Negation of boot storms over the WAN
  • Centralized VDI management from the DC
  • Secure and encrypted data from DC to user
  • A high availability 4U hardware footprint on site
  • Data access during WAN outages

Safe and secure data

One of the big draws for VDI is to have the desktop and the data secure in the DC, so that if anything happens to affect access or availability, the data is safe and secure and the desktop can be spun up somewhere else. So how does SteelFusion deal with this?

SteelFusion projects the data from the DC out to the ROBO. The persistent source copy stays in the DC, while the working copy that users actually read and write lives in the ROBO. If the SteelFusion environment at the branch becomes inaccessible for any reason, the data and desktops are still in the DC and can be brought up there.

The data cached by SteelFusion is also protected: AES-256 encryption for data at rest on the appliance and encryption over the WAN for data in transit give the SteelFusion VDI solution data security from the DC to the user. As with any at-rest encryption, this protects the cached data if the branch hardware is stolen or removed; it does not by itself protect against someone holding valid credentials on the appliance, so access control and key handling at the ROBO still matter.

SteelFusion offers the best of both worlds by having the data available in the ROBO at LAN speeds for the users, but safe and secure back in the DC. SteelFusion truly extends the DC VDI environment out to the ROBO while maintaining the VDI principles.
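
To make the projection model concrete, here is an added example that is not Riverbed code: a small Python model of a DC origin store and a ROBO cache that serves reads locally, journals writes, and replays them to the DC when the link returns. The class names, the `wan_up` flag and the block contents are hypothetical simplifications of the design described above. The model also makes visible the one window any write-back design has: writes made while the WAN is down exist only at the branch until they are replayed.

```python
"""Model of a DC-backed branch (ROBO) block cache with write-back during WAN outages.

Added illustration, not Riverbed code. The block store, journal and 'wan_up' flag
are hypothetical simplifications of the projection model described in the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class WanDown(Exception):
    """Raised when an operation needs the WAN and the link is unavailable."""


@dataclass
class DataCenterStore:
    """Persistent source copy of every block, kept in the DC."""
    blocks: Dict[int, bytes] = field(default_factory=dict)

    def read(self, lba: int) -> bytes:
        return self.blocks.get(lba, b"\x00" * 8)

    def write(self, lba: int, data: bytes) -> None:
        self.blocks[lba] = data


@dataclass
class RoboCache:
    """Branch-side cache: serves reads locally, journals writes, replays them to the DC."""
    dc: DataCenterStore
    wan_up: bool = True
    cache: Dict[int, bytes] = field(default_factory=dict)
    journal: List[Tuple[int, bytes]] = field(default_factory=list)  # writes not yet in the DC

    def read(self, lba: int) -> bytes:
        if lba in self.cache:
            return self.cache[lba]          # LAN-speed hit; works with the WAN down
        if not self.wan_up:
            raise WanDown(f"block {lba} not cached and WAN is down")
        data = self.dc.read(lba)            # cache miss: fetch (project) from the DC
        self.cache[lba] = data
        return data

    def write(self, lba: int, data: bytes) -> None:
        self.cache[lba] = data              # working copy is updated immediately...
        self.journal.append((lba, data))    # ...and queued for the DC
        if self.wan_up:
            self.flush()

    def flush(self) -> int:
        """Replay journaled writes to the DC. Returns the number of blocks synced."""
        if not self.wan_up:
            return 0
        n = 0
        while self.journal:
            lba, data = self.journal.pop(0)
            self.dc.write(lba, data)
            n += 1
        return n

    def unsynced_blocks(self) -> List[int]:
        """Blocks whose latest content exists only at the branch: the exposure window
        if the ROBO hardware were lost before the WAN returns."""
        return sorted({lba for lba, _ in self.journal})


def simulate_outage() -> dict:
    """Walk through: prefetch, WAN outage, local work, reconnect, replay."""
    dc = DataCenterStore({0: b"boot-img", 1: b"profile1", 2: b"docs-v1"})  # constructed data
    robo = RoboCache(dc)
    for lba in (0, 1, 2):                   # pin the desktop blocks into the branch cache
        robo.read(lba)

    robo.wan_up = False                     # WAN outage begins
    served = robo.read(0)                   # boot continues from cache
    robo.write(2, b"docs-v2")               # user keeps working; the write is journaled
    try:
        robo.read(99)                       # an uncached block is the one thing that fails
        miss_failed = False
    except WanDown:
        miss_failed = True
    at_risk = robo.unsynced_blocks()
    dc_during_outage = dc.read(2)           # the DC still holds the pre-outage version

    robo.wan_up = True                      # link restored
    replayed = robo.flush()
    return {
        "served_from_cache": served,
        "uncached_read_failed": miss_failed,
        "at_risk_during_outage": at_risk,
        "dc_during_outage": dc_during_outage,
        "replayed": replayed,
        "dc_after_reconnect": dc.read(2),
        "journal_after_reconnect": len(robo.journal),
    }


if __name__ == "__main__":
    for key, value in simulate_outage().items():
        print(f"{key}: {value!r}")
```

Running the module prints the scenario. The detail a practitioner should look at is `unsynced_blocks`: during the outage the DC still holds docs-v1 while the branch holds docs-v2, so branch-side redundancy (the high availability pair the text mentions) is what protects that window, not the DC copy.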

Remove the ROBO uncertainty

Whether it is heavy dependence on the WAN in a DC based deployment or silos of infrastructure in a ROBO centric one, traditional ROBO VDI deployments carry constant uncertainty about data availability and about the security of remote data and backups.

SteelFusion removes the over-dependence on the WAN by making VMs and data available locally even during a WAN outage, and with a maximum 4U footprint for a fully redundant high availability installation, even the smallest site and IT cabinet can house it.

With a consistent hardware deployment model, industry standard management tools, data protected from DC to user, and the VDI model left intact, SteelFusion removes the uncertainty that plagues ROBO VDI and extends its usability beyond the DC.

SteelFusion makes ROBO VDI work

SteelFusion finally brings the dream of DC based VDI to the ROBO: LAN speed access to data secured in the DC, removal of the WAN link dependency, and a user experience the business can actually use.

While the DC keeps its reduced IT management, better resiliency, centralized backup, and secured data models, SteelFusion makes that extension truly feasible at the ROBO, resulting in increased productivity, location agnostic deployments, faster access to services, and most importantly of all, an excellent user experience.


Mitigate Cyber Threats in Industrial Control Systems with Application Whitelisting

Category : Cyber-Ark

The number of security incidents reported by organizations that operate Industrial Control Systems (ICS) has increased in recent years, and some of them have affected the operation of critical infrastructure. In a recent survey about cybersecurity and critical infrastructure, 76% of respondents reported that attacks had grown more sophisticated than in previous years.

The use of malware and malware-driven campaigns (Dragonfly, BlackEnergy, IronGate, etc.) to infiltrate organizations and compromise ICS assets is a driving force behind the increasing number of attacks. There are many security practices industrial organizations should consider to limit the spread of malware; one of them is application whitelisting. It has been recommended by industry organizations, ICS security experts and government agencies, and it suits ICS particularly well because the set of software that legitimately runs on an HMI or engineering workstation changes rarely, so a deny-by-default policy is practical there in a way it is not on a general purpose desktop. Application whitelisting enables organizations to:

  • Lock down specific ICS nodes allowing only approved files to run
  • Mitigate/contain the spread of malware to industrial control system assets
  • Enable users to seamlessly run whitelisted applications in critical systems
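
As an added example, not code from CyberArk or any ICS vendor, the following Python shows the two halves of the practice: a baseline pass that records the SHA-256 of every file on a known-good node, and an enforcement check that allows execution only when the file's current hash matches the baseline. The directory layout, file names and contents are constructed for the example. Matching on content hash rather than file name is what lets the check catch a legitimate binary that has been replaced in place, the third event in the scenario.

```python
"""Hash-based application allowlist check for a static ICS node.

Added illustration, not CyberArk's or any ICS vendor's product code. The baseline
directory, file names and contents are constructed here for the example.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Baseline phase: record relative path -> SHA-256 of every file on a known-good node.
    On a real HMI or engineering workstation this is done together with the ICS
    vendor, after installation and before the node goes into production."""
    baseline: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            baseline[os.path.relpath(p, root)] = sha256_of(p)
    return baseline


def check_execution(root: str, rel_path: str, baseline: Dict[str, str]) -> Tuple[bool, str]:
    """Enforcement phase: allow a file to run only if its content hash is in the baseline.
    Returns (allowed, reason). Trusting the hash rather than the path is what catches a
    binary that has been overwritten in place with something else."""
    full = os.path.join(root, rel_path)
    if not os.path.isfile(full):
        return False, "missing"
    expected = baseline.get(rel_path)
    if expected is None:
        return False, "not in allowlist"
    if sha256_of(full) != expected:
        return False, "hash mismatch (modified or replaced)"
    return True, "allowed"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: baseline a node, then simulate three execution attempts."""
    root = tempfile.mkdtemp(prefix="icsnode-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "hmi.exe"), "wb") as f:
        f.write(b"legit hmi binary v1.0")
    with open(os.path.join(root, "bin", "historian.exe"), "wb") as f:
        f.write(b"legit historian binary")
    baseline = build_baseline(root)

    results: Dict[str, Tuple[bool, str]] = {}
    # 1. Approved binary, unchanged: runs.
    results["hmi_unchanged"] = check_execution(root, os.path.join("bin", "hmi.exe"), baseline)
    # 2. New file dropped after baselining (not in the allowlist): blocked although it is on disk.
    with open(os.path.join(root, "bin", "update.exe"), "wb") as f:
        f.write(b"unknown dropper")
    results["dropped_file"] = check_execution(root, os.path.join("bin", "update.exe"), baseline)
    # 3. Approved path whose content was replaced: blocked, because the hash, not the name, is trusted.
    with open(os.path.join(root, "bin", "historian.exe"), "wb") as f:
        f.write(b"trojanised historian")
    results["replaced_in_place"] = check_execution(root, os.path.join("bin", "historian.exe"), baseline)
    return results


if __name__ == "__main__":
    for event, (allowed, reason) in demo().items():
        print(f"{event}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Real enforcement lives in the operating system or a vendor agent (Windows AppLocker, Linux IMA, or the whitelisting product itself) rather than in a script, but the decision logic is the same. The baseline step is where the vendor collaboration recommended later in this post matters: every legitimate patch changes hashes and has to be re-baselined, otherwise the update itself is what gets blocked.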

Another factor contributing to the increasing number of attacks is the interconnection between IT systems and the OT environment. Risk is increasing because ICS networks that were once isolated are now reachable from corporate IT and, through it, the Internet. The stakes are high for industrial organizations because a breach can go well beyond data exfiltration: a security incident could disrupt operations and cause damage to personnel, property and the environment.

Organizations seek new ways to effectively and efficiently operate their industrial control systems in order to lower costs and mitigate potential security risks. Here are some practices to keep in mind when sourcing application whitelisting solutions for ICS:

  • Collaborate with solution providers and ICS vendors to baseline and calibrate application whitelisting solutions to mitigate technology interoperability issues and deploy the most reliable solution possible.
  • Consider a solution provider with a strong support organization and training program. This can help industrial organizations to mitigate a talent gap by helping them transfer and strengthen knowledge of ICS operations and security.
  • Investigate the ability to adopt a whitelisting “solution as a service”. This approach could help organizations to acquire the technology and expertise to support the cyber security requirements without forcing the undertaking of this project internally.

The infographic below illustrates the increase in frequency and sophistication of attacks, the connection to privileged accounts as a common denominator and important mitigation steps to help industrial organizations in the path to increase their security posture.

Read more about CyberArk’s new cyber security capabilities for Industrial Control Systems.

[Infographic: Cyber threats to ICS]

