Monthly Archives: June 2017


Best Practice Security Policy Concepts and Methods for Your Data Center

Category : Palo Alto

A data center houses an enterprise’s most critical data, such as source code, financial and personal information, or designs for pharmaceutical drugs – the enterprise’s digital crown jewels.


Designing and deploying a best practice security policy to protect your valuable data means protecting not only the perimeter of your enterprise network; it means protecting the connections into and out of the data center perimeter, as well as the connections between servers and VMs inside the data center.

But how do you transition to a data center best practice security policy?

In “Data Center Best Practice Security Policy Part 1: Concepts,” you’ll be presented with ways to think about a best practice security policy strategy and how to design it for your particular business, with the goal of achieving positive security enforcement that allows only the users, applications and content that you explicitly permit on the network, and denies all other traffic. It addresses questions such as:

  • How do you create a transition strategy that aligns with your business goals?
  • How do you decide which assets to protect first?
  • What methods should you use to make the transition?
  • How will you protect your data center during the transition?

Coming Soon!

If you enjoyed part 1, look for “Data Center Best Practice Security Policy Part 2: Implementation” to learn the specific best practices to apply to traffic at the perimeter and inside the data center.



The Cloud: A Growing Driver for SD-WAN

Category : Riverbed

Software-defined wide area networking (SD-WAN) has become one of the buzziest sectors in enterprise networking these days, promising agility and cost-savings. But a key driver of SD-WAN is that it can be used to intelligently optimize and secure connections to the cloud—including connecting users directly to cloud data centers—while offering centralized management across locations. Plus, it allows an application-aware approach to WAN, which IT managers see as an increasing imperative in an era where cloud services are becoming pervasive in the enterprise.

SD-WAN helps organizations overcome the complexity and rigidity of managing dynamic workloads, by providing automation and simplified management for cloud networking.

Overall, the SD-WAN sector is poised for mainstream adoption this year, with one in five U.S. respondents in a survey from 451 Research saying their companies are planning to deploy the technology in the next 12 months. An additional 30 percent of respondents reported that their companies are considering SD-WAN, pointing to additional future growth. One in 10 already have a solution deployed today.

Enterprise migration to the cloud meanwhile is happening independently of SD-WAN adoption, but it’s pulling along the SD-WAN market. Respondents in the 451 Research survey ranked improved cloud or internet performance as a top-three impetus for rolling out SD-WAN, right behind reducing deployment and reconfiguration times and MPLS replacement.

“Enterprise customers are using multiple cloud services and have multiple branches, and they need to make sure the performance for those services is acceptable,” said Mike Sapien, vice president and chief analyst US, Enterprise Services, Ovum, which also sees cloud enablement as a top-three use case. “They also need reliable connections to the main cloud resources, be it Amazon Web Services, Microsoft Azure, etc. That means implementing QoS, but also the ability to make changes in a network on the fly to improve performance or address increased usage, and using automatic traffic routing to create redundancy and diversity. SD-WAN fits that bill.”

SD-WAN: An Enterprise Game-Changer

In a traditional WAN configuration, satellite or branch locations are generally connected to a headquarters via MPLS or other dedicated circuits, which are all from the same service provider (thus limiting connectivity options). Each branch router acts independently, and traffic is switched based on static routing. Visibility into each connection is possible on a link-by-link basis, but taking a holistic view of the entire WAN has been the purview of very specialized software.

SD-WAN on the other hand abstracts the control plane from the physical devices at each location, allowing centralized visibility and management across everything in the WAN that’s forwarding traffic. Enterprises can “mix and match” the types of connectivity being used and the carriers that are delivering it, allowing for much greater flexibility and the capability for dynamic, automatic failover with no need to reprogram routers or call a provider to have one’s MPLS switched over to a new circuit.

And, because the WAN becomes programmable, IT admins can add analytics and app-aware policy engine control across the entire footprint, along with the ability to dynamically (and automatically) balance traffic across all of the links to enforce QoS thresholds for specific cloud applications.

“SD-WAN is a way to do away with the hub-and-spoke enterprise WAN architecture to instead allow branches to connect directly to the cloud or elsewhere, with QoS and the ability to centrally enforce policy,” said Cliff Grossner, senior research director and advisor for the Cloud & Data Center Research Practice at IHS Markit. “People first picked up on its ability to drive cost-savings through WAN optimization and the ability to reduce MPLS reliance with broadband links; but the cloud QoS story is now being spurred along by newer start-ups that have jumped into the market, and it’s an important use case for SDN in general.”

This is only going to get bigger as a market: Enterprises this year expect growth in their hosting and cloud services spending to outpace growth in overall IT spending by 25.8 percent to 12 percent, according to 451 Research. Among large businesses (1,000-9,999 employees), an average of 33.3 percent growth is expected in hosting and cloud services spending.

A full 88 percent of all respondents said they expect to increase their hosting and cloud services budgets in 2017 versus 2016, compared to 70 percent that expect to increase total IT budgets year over year.

Future Development

There are some lingering challenges to the SD-WAN market, despite the stars aligning for triple-digit growth this year. The top three barriers to deployment, according to 451 Research, are the cost of new equipment services (63 percent); worries about the maturity of existing SD-WAN offerings (53 percent); internet performance (52 percent); and security gaps created in the network (50 percent). To the latter point, half of respondents who have already deployed SD-WAN (53 percent) have increased their investment in security following the rollout.

“The SD-WAN market is poised for major growth over the coming years, which will be accompanied by growing pains,” said Jim Duffy, senior networking analyst at 451 Research, which is projecting a 200 percent year-over-year increase in the adoption rate for 2017. “IT practitioners are still ironing out the wrinkles when it comes to SD-WAN. The technology offers streamlined management and increased network agility, but its cost reduction impact is constrained by the need for increased security and the continued reliance on MPLS. The scope of SD-WAN is likely to expand to address these constraints and enhance customers’ return on investment.”

Sapien predicts that cloud providers will soon begin integrating SD-WAN service directly. In fact, cloud service brokers are already starting to offer a set of third-party resources from their own platforms to stitch solutions together with a range of network offers (including SD-WAN), cloud connections and a variety of cloud services.

“Down the line, I can see, say, Microsoft bundling SD-WAN with Office 365 service. It’s a good marriage,” he said. “These are early days for SD-WAN implementation, and there will be changes and new versions coming along,” said Sapien. “We’re seeing a new iteration of these services every six months, because the technology, service providers offering it and adoption interest are all new things. It’s so rare to have this amount of dynamic growth for any technology.”




Don’t Let Hackers Hold Your Enterprise Ransom

Category : Pulse Secure

While most enterprises are still recovering from WannaCry, the world has now been hit yet again with a large-scale ransomware attack. On June 27, many businesses and end-users woke up to Petya taking control of their devices.

With the Digital Age comes a new weapon, cyberattacks!

Critical Questions Every Enterprise Should Ask

  1. How should enterprises prepare against cyberattacks?
  2. What can we learn from previous cyberattacks to implement a strategy to better protect ourselves, our interests, and take control of our fate?
  3. How does ransomware take hold of enterprises so quickly and easily?
  4. How can businesses protect data if users won’t upgrade their machines?

Petya is an example that we can learn from and prevent by first understanding its anatomy. How does this attack work? It might sound like a broken record, but these types of attacks exploit vulnerabilities in software systems, in this case a vulnerability within an older release of Windows, known as “EternalBlue.” You might be asking yourself: If this is a known vulnerability, why hasn’t it been addressed by Microsoft? Guess what – it has been, and for quite some time.

It turns out that making security patches and updates available does not necessarily translate into those patches getting installed on machines.

If You Avoid Change, You Invite Cyberattacks

Specifically in the enterprise world, where every change is best avoided, patch uptake is slow and patches are not always implemented. Even when businesses decide to deploy a security patch, it does not translate into users actually accepting and installing those patches. In the case of Petya, it’s not just about patching alone. It’s about a strategic combination of security practices and solutions that seamlessly deliver accessibility of resources. This remains a challenge within the growing landscape of other technologies like BYOD and IoT, which add to the layers of challenges IT teams are presented with each year.

Meet the Secure Access Suite, from Pulse Secure.

Pulse Secure solutions are built with the notion of ‘WHO’ gets access, from ‘WHAT’ device, to ‘WHICH’ resources. In our world, we don’t rely on the ‘authenticated’ user but we go a step further and define our authentication as a mix of User Identity + Device Compliance. A valid user coming from a ‘Compliant’ device gets access to resources. A valid user coming from a ‘Non-Compliant’ device can get limited or no access while a valid user coming from a ‘Partially compliant’ device gets access to limited resources.

Pulse Secure solutions are built with a component called ‘Host Checker’. Host Checker scans a connecting endpoint, assesses its security posture, and uses that to define the level of access to enterprise resources.

So how could this have protected you against Petya? Admins can set up a policy requiring minimum security patch versions to be installed on connecting devices. If they are not found, there is limited to no access. This would encourage users to apply the needed patches to their machines, without which they wouldn’t get access to anything.

Ransomware is here to stay, evolve, and attack again. Let’s stand up to ransomware together and strategize on the right solution for your enterprise.


Author: Prashant Batra


Petya/NotPetya Ransomware: What you need to know

Category : Sentinel One

Our SentinelOne research team is actively monitoring the Petya/NotPetya ransomware outbreak and we will update this blog post as more technical information about this attack is discovered. SentinelOne is proactively protecting customers against this latest strain. All SentinelOne customers using SentinelOne Enterprise Protection Platform are proactively protected against this outbreak.* Customers should also ensure that all machines have installed the latest Windows updates.

As with all cyber attacks that spread as quickly as what we have seen today, there is always much speculation in the initial phases of the attack as researchers quickly come up to speed on the technical nuance of what the attack is and how it is spreading.

What we know right now:

  • We have found that the outbreak is using the EternalBlue exploit to spread laterally.
  • We have also confirmed that it spreads through SMB using the psexec tool.
  • This attack does appear to be using a method of collecting Bitcoin ransom similar to the one WannaCry used, with only a small number of wallet addresses. The ransom demand is ~$300 USD.
  • The email address used in the ransom request has since been shut down. This means that anyone who chooses to pay the ransom may have difficulty retrieving their decryption key.
  • Unlike WannaCry, we have yet to see if this outbreak has a kill switch, though we have found that once executed, it overwrites the Master Boot Record and is then allowed to spread for an hour before forcing the machine to reboot.
  • In addition, this outbreak has characteristics similar to Petya's, such as infecting the MBR and encrypting files on the drive;** however, it is not clear yet that this is a Petya variant. Some reports are indicating that this is an entirely new form of ransomware, hence NotPetya.

Please stay tuned for more information as it becomes available.

*UPDATE: 6/28/17 – 07:05 PDT: Removed “version .8.2.2570 and later are protected” from an earlier draft; all customers are proactively protected.

**UPDATE: 6/27/17 – 15:20 PDT: An earlier draft indicated that Petya could infect the MBR and encrypt the entire drive; in fact, it encrypts files on the drive.



Cryptography for Mere Mortals #15

Category : HP Security

An occasional feature, Cryptography for Mere Mortals attempts to provide clear, accessible answers to questions about cryptography for those who are not cryptographers or mathematicians.

Phil Smith III, Senior Architect & Product Manager, Mainframe & Enterprise Distinguished Technologist and Dave Mulligan, Chief Services Strategist, HPE Security – Data Security

Q: I heard that National Institute of Standards and Technology (NIST) just repudiated the format-preserving encryption (FPE) standard—should we be concerned about that?

A: Maybe. Let’s talk some more about standards. In installment 14, we talked about why standards are important.

Since that post, NIST released Special Publication 800-38G, “Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption”. This included two new modes of AES, FF1 and FF3; FF1 is the Format-Preserving Encryption included in HPE SecureData, proven through almost a decade of real-world use. (For those who are wondering: FF2 was another approach, which was discarded partway through the standards process due to weaknesses found by the standards body’s analysis.)

Great! A new standard, with two choices that achieve similar results! Vendors leapt on the FPE bandwagon and started implementing these new modes in their products. Many of them chose to implement the FF3 mode, and have products available now.

Now comes the bad news: as discussed in April, a problem was found with FF3 that makes it vulnerable to attack. O noes! Standards fail! Maybe standards aren’t so wonderful after all?!

Not so fast. Yes, FF3 has a weakness, and yes, vendors and customers who chose that route have a problem. But it falls in the category of “an honest mistake”, and is one that can be rectified without embarrassment or arguing. Contrast that with having chosen an encryption algorithm not blessed by any standards body: if a weakness is discovered, there’s no good excuse for having chosen it. Worse, without a neutral third party saying “Hey, there’s a problem”, a sleazy vendor could just say “We don’t think this matters, move along, nothing to see here.”

Besides, this weakness was discovered because it was a standard: the cryptographic community tends to focus its analysis efforts on standard-based algorithms. There is a positive feedback loop here: the focus is on standards-blessed algorithms, which encourages customers to use those, which encourages more analysis… The alternative is security by obscurity: a non-standard, untested algorithm might be secure, but nobody knows. Which is hardly a solid basis for a security posture.

Bottom line is, the exception does not invalidate the value of standards, and enterprises examining their choices for data protection would be foolish to select approaches that are not at least on a standards track.

HPE SecureData, of course, has offered FF1 for almost a decade, on a variety of platforms, and is not subject to the weakness that FF3 suffers from. We take a conservative approach in designing our solutions, and FF1 includes extra internal “rounds” (iterations) that increase its security, helping to guard against new attacks such as the one that makes FF3 vulnerable. This is just one reason enterprises that have done the analysis consistently choose HPE SecureData to protect their information.

Meanwhile, companies using an FF3-based approach must act, as discussed in the April post here. If data protected using FF3 is breached, the data will of course still be less vulnerable than if it were not protected at all, but the organization will not be able to claim exemption from data breach disclosure rules. This means they must take the same steps as if the data were not protected at all: suffer disclosure, fines, etc. Considering the full costs of this remediation, it is clear that taking security shortcuts carries significant risk; the 2016 Ponemon Cost of Cyber Crime Study reported that the total average cost for a breach is now $7 million!





How to Protect Against Petya Ransomware in a McAfee Environment

Category : McAfee

A new variant of the ransomware Petya (also called Petrwrap) began spreading around the world on June 27. Petya is ransomware that exploits the vulnerability CVE-2017-0144 in Microsoft’s implementation of the Server Message Block protocol. This ransomware encrypts the master boot records of infected Windows computers, making the machines unusable.

The initial attack vector is unclear, but aggressive worm-like behavior helps spread the ransomware. (Read McAfee’s detailed technical analysis of the Petya ransomware.)

Microsoft released a set of critical patches on March 14 to remove the underlying vulnerability in supported versions of Windows, but many organizations may not yet have applied these patches.

How McAfee products can protect against Petya ransomware

As with WannaCry and other similar attacks, a layered, integrated cyber defense system that combines advanced analytics, threat intelligence, signatures, and human expertise is the best way to protect your business against emerging threats. McAfee’s collaborative cyber defense system leads the way for enterprises to protect against emerging threats such as Petya ransomware, remediate complex security issues, and enable business resilience. By empowering integrated security platforms with advanced malware analytics and threat intelligence, our system provides adaptable and continuous protection as a part of the threat defense life cycle.

Attacks like Petya and its future variants cannot win against a collaborative cybersecurity ecosystem that works as a team and empowers protective tools to make better decisions at the point of attack.

McAfee offers early protection for components of the initial Petya attack in the form of advanced malware behavior analysis with Real Protect Cloud and the brand-new Dynamic Neural Network (DNN) analysis techniques available in McAfee Advanced Threat Defense (ATD). ATD 4.0 introduced a new detection capability using a multilayered, back-propagation neural network (DNN) leveraging semisupervised learning. DNN looks at certain features exercised by a malware to come up with a positive or negative verdict to determine whether the code is malicious.

Whether in standalone mode or connected to McAfee endpoint or network sensors, ATD combines threat intelligence with sandbox behavior analysis and advanced machine learning to provide zero-day, adaptable protection. Real Protect, part of the Dynamic Endpoint solution, also uses machine learning and link analysis to protect against malware without signatures and provide rich intelligence to the Dynamic Endpoint and the rest of the McAfee ecosystem. Real Protect combined with Dynamic Application Containment provided early protection against Petya.

Multiple McAfee products provide additional protection to either contain the attack or prevent further execution. This post provides an overview of those protections with the following products:

McAfee Endpoint Security

Threat Prevention

Thus systems using McAfee ENS 10 are protected from known samples and variants with both signatures and Threat Intelligence.

Adaptive Threat Protection

  • Adaptive Threat Protection (ATP), with rule assignment configured in “Balanced mode” (Default in ATP\Options\Rule Assignment setting), will protect against both known and unknown variants of the Petya ransomware.
  • The ATP module protects against this unknown threat with several layers of advanced protection and containment:
    • ATP Real Protect Static uses client-side pre-execution behavioral analysis to monitor unknown malicious threats before they launch.
    • ATP Real Protect Cloud uses cloud-assisted machine learning to identify and clean the threat, as shown below:

  • ATP Dynamic Application Containment (DAC) successfully contains the threat and prevents any potential damage from occurring (DAC events noted below):

Advanced Threat Defense

  • McAfee Advanced Threat Defense (ATD) 4.0 with Deep Neural Network and Dynamic Sandbox identified the threat and proactively updated the cyber defense ecosystem:

McAfee Enterprise Security Manager 

McAfee Enterprise Security Manager (ESM) is a security information and event management solution that delivers actionable intelligence and integrations to prioritize, investigate, and respond to threats. The Suspicious Activity Content Pack and Exploit Content Pack for McAfee ESM have been updated with WannaCry-specific rules, alarms, and watchlists so you can find and identify possible infections. These updates will also help protect against Petya. Both packs are available for download in the McAfee ESM console at no cost. Default correlation rules in McAfee ESM can also alert users of increased levels of horizontal SMB scans.

Similar to WannaCry, the Petya attack presents a learning opportunity for security operations center analysts. Understanding and automating these best practices will help you handle the next fast-moving attack.

McAfee Web Gateway

McAfee Web Gateway (MWG) is a product family (appliance, cloud, and hybrid) of web proxies that provides another potential layer of protection against Petya variants delivered through the web (HTTP/HTTPS) using multiple real-time scanning engines. Known variants will be blocked by GTI reputation and antimalware scanning as web traffic is processed through the proxy.

The Gateway Anti-Malware (GAM) engine within MWG provides effective prevention of “zero-day” variants that have not yet been identified with a signature through GAM’s process of behavior emulation, conducted on files, HTML, and JavaScript. Emulators are regularly fed intelligence by machine learning models. GAM runs alongside GTI reputation and antimalware scanning as traffic is processed.

Coupling MWG with ATD allows for further inspection and an effective prevention and detection approach.

McAfee products using DAT files

McAfee released an Extra.DAT to include coverage for Petya. McAfee also released an emergency DAT to include coverage for this threat. Subsequent DATs will include coverage. The latest DAT files are available via Knowledge Center article KB89540.




Detect Suspicious File Access with Dynamic Peer Groups

Category : Imperva

In a previous post, we shared three primary reasons why the traditional, static approach to file security no longer works for today’s modern enterprises. Working groups are formed organically and are cross-functional by nature, making a black and white approach to file access control outdated—it can’t keep pace with a constantly changing environment and creates security gaps. Files can be lost, stolen or misused by malicious, careless, or compromised users.

We also introduced a new file security approach—one that leverages machine learning to build dynamic peer groups within an organization based on how users actually access files. By automatically identifying groups based on behavior, file access permissions can be accurately defined for each user and dynamically removed based on changes in user interaction with enterprise files over time.

In this post, we’ll review the algorithms used to create dynamic peer groups that identify suspicious file access activity and help solve the traditional access control problem.

Building Dynamic Peer Groups to Detect Suspicious File Access

Several steps are required to dynamically place users in virtual peer groups according to how they access data (see Figure 1).

First, granular file access data is collected and processed. Next, a behavioral baseline is established that accounts for every file and folder accessed by each user. Based on how they access enterprise files, the dynamic peer group algorithm assigns users who may belong to different Active Directory (AD) groups into virtual peer groups. If the algorithm does not have enough information to associate a user with a specific peer group, the user is placed in a new peer group in which they are the sole member. Once virtual peer groups are established, access to resources by unrelated users can be flagged; this enables IT personnel to immediately follow up on such incidents.


Figure 1 – Overview of suspicious file access detection process

Granular data inputs

Algorithm input comes from Imperva SecureSphere audit logs. These contain access activity that provides full visibility regarding which files users access over time. Each event contains the following fields:

  • Date and Time – Date and time of file request
  • User Name – Username used to identify requesting user
  • User Department – Department to which user belongs (as registered in Active Directory)
  • User Domain – Domain in which the user is a member
  • Source IP – IP that initiated the file request
  • Destination IP – IP to which the file request was sent
  • File Path – Path of requested file
  • File Name – Requested file name
  • File Extension – Requested file extension
  • Operation – Requested file operation (e.g., create, delete)


The behavioral models are created daily and simulate a sliding window on the audit data. This lets the profile dynamically learn new behavioral patterns and ignore old and irrelevant ones. Additionally, the audit files are periodically transferred to a behavior analytics engine. This improves existing behavioral models and reports suspicious incidents.

The behavior analytics engine is divided into two components:

  • Learning process (profilers) – Initially run over a baseline period, profilers are algorithms that profile the objects and activity in the file ecosystem and relate it to normal user behavior. These include users, peer groups, and folders, as well as the correlation between the objects. Profilers are activated daily afterward, both to enhance the profile as more data becomes available, and to keep pace with environmental changes (e.g., when new users are introduced).
  • Detection (detectors) – Audit data is usually aggregated over a short period (less than one day) before being processed by the detector. Activated when new data is received, detectors pass file access data from the profiler through predefined rules to identify anomalies. They then classify suspicious requests, reporting each as an incident.

Create peer groups using machine learning algorithms

To build peer groups, data must first be cleansed of irrelevant information—including files accessed by automatic processes, those that are accessed by a single user, and popular files frequently opened by many users in the organization.

Now with clean data, Imperva builds a matrix of the different users (rows) and folders accessed over time (columns). Each entry contains the number of times a user has accessed a given folder in the input data time frame.

The matrix is very sparse because the majority of users do not access most folders; therefore, dimensionality reduction is performed on that matrix to reduce both the sparsity and noise in the data. This leaves meaningful data access patterns which become the clustering algorithm input.

A density-based clustering algorithm is used to divide the different peer groups within the organization into homogeneous groups called clusters. Members of a given cluster have all accessed similar folders, with a typical cluster containing about four to nine users. The process also makes certain that users in different clusters are unique.

Define virtual permissions to enterprise files

The notion of “close” and “far” clusters is used to define the virtual permissions model of each user. For every cluster, the algorithm determines which peer groups are close and far based on the similarity between it and the other clusters. Distances are partitioned into two groups using a k-means algorithm; a smaller distance designates a closer cluster.

Each user is permitted access to folders accessed by others within their own cluster, or by users belonging to close clusters.

Detect suspicious file access

The detector aspect of the algorithm identifies suspicious folder access. Within a profiling period, for example, user John’s access to a given folder is considered suspicious if the folder is only accessed by users belonging to clusters far from his.

Imperva CounterBreach automatically determines the “true” peer groups in the organization and then detects unauthorized access from unauthorized users.

Incident severity (e.g., high, medium or low) is a function of the number of users and clusters having accessed the folder during the learning period. The ratio between the first and second quantities implies severity; higher values indicate higher severity (many users grouped in a small number of clusters). Lower values (close to 1) indicate reduced confidence, as the number of users equals or approaches the number of clusters. Personal folders and files are given careful consideration when ranking severity.
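The pipeline described above (user-by-folder matrix, density-based clustering, close/far split with k-means, detection and the users-to-clusters severity ratio), as an added sketch that is not Imperva's code. Assumptions: cosine distance, a minimal DBSCAN with `eps=0.3`, centroid distance between clusters, no dimensionality reduction or data cleansing, and constructed sample events.

```python
from collections import Counter, defaultdict
from math import sqrt

# Constructed baseline (user -> folder -> access count); not real audit data.
COUNTS = {
    "alice": {"/fin/ledger": 5, "/fin/payroll": 3},
    "bob":   {"/fin/ledger": 4, "/fin/payroll": 4},
    "carol": {"/fin/ledger": 3, "/fin/payroll": 5},
    "dave":  {"/fin/ledger": 1, "/acct/invoices": 5},
    "erin":  {"/fin/ledger": 1, "/acct/invoices": 4},
    "frank": {"/eng/src": 5, "/eng/builds": 2},
    "grace": {"/eng/src": 4, "/eng/builds": 3},
    "heidi": {"/eng/src": 6, "/eng/builds": 2},
    "ivan":  {"/eng/builds": 1, "/qa/reports": 5},
    "judy":  {"/eng/builds": 1, "/qa/reports": 4},
}
BASELINE = [(u, f) for u, row in COUNTS.items() for f, n in row.items() for _ in range(n)]
NEW_EVENTS = [("alice", "/acct/invoices"), ("ivan", "/eng/src"),
              ("dave", "/eng/src"), ("frank", "/fin/ledger")]

def cos_dist(a, b):
    """Cosine distance between two sparse folder-count vectors."""
    dot = sum(n * b.get(f, 0) for f, n in a.items())
    norms = sqrt(sum(n * n for n in a.values())) * sqrt(sum(n * n for n in b.values()))
    return 1.0 - dot / norms

def cluster_users(vecs, eps=0.3, min_pts=2):
    """Minimal DBSCAN; users it cannot place become single-member groups."""
    users = sorted(vecs)
    near = {u: [v for v in users if cos_dist(vecs[u], vecs[v]) <= eps] for u in users}
    label, clusters = {}, []
    for u in users:
        if u in label or len(near[u]) < min_pts:
            continue
        queue = [u]
        clusters.append([])
        while queue:
            v = queue.pop()
            if v in label:
                continue
            label[v] = len(clusters) - 1
            clusters[-1].append(v)
            if len(near[v]) >= min_pts:  # only core points grow the cluster
                queue.extend(near[v])
    for u in users:  # noise points: sole member of a new peer group
        if u not in label:
            label[u] = len(clusters)
            clusters.append([u])
    return [sorted(c) for c in clusters], label

def split_close_far(dists):
    """1-D k-means (k=2) over cluster distances; returns the 'close' keys."""
    lo, hi = min(dists.values()), max(dists.values())
    if lo == hi:  # nothing to split; assumption: treat every cluster as far
        return set()
    while True:
        close = {k for k, d in dists.items() if abs(d - lo) <= abs(d - hi)}
        far = set(dists) - close
        new = (sum(dists[k] for k in close) / len(close),
               sum(dists[k] for k in far) / len(far))
        if new == (lo, hi):
            return close
        lo, hi = new

def build_profile(events, eps=0.3):
    """Learning step: peer groups, close clusters and per-folder accessors."""
    vecs, accessors = defaultdict(Counter), defaultdict(set)
    for user, folder in events:
        vecs[user][folder] += 1
        accessors[folder].add(user)
    clusters, label = cluster_users(vecs, eps)
    cents = [sum((vecs[u] for u in c), Counter()) for c in clusters]
    close = {}
    for i, ci in enumerate(cents):
        dists = {j: cos_dist(ci, cj) for j, cj in enumerate(cents) if j != i}
        close[i] = split_close_far(dists) if dists else set()
    return {"clusters": clusters, "label": label, "close": close,
            "accessors": dict(accessors)}

def detect(profile, new_events):
    """Flag accesses to folders used only by far clusters, with severity ratio."""
    label, close, incidents = profile["label"], profile["close"], []
    for user, folder in new_events:
        seen_by = profile["accessors"].get(folder)
        if user not in label or not seen_by:
            continue  # no baseline for this user or folder (assumption: skip)
        owners = {label[u] for u in seen_by}
        if owners & ({label[user]} | close[label[user]]):
            continue  # used by the user's own or a close cluster: permitted
        # Severity input from the page: users / clusters that used the folder.
        incidents.append((user, folder, len(seen_by) / len(owners)))
    return incidents

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print(profile["clusters"], profile["close"])
    print(detect(profile, NEW_EVENTS))
```

The ratio is returned as a number because the page gives no thresholds for mapping it to high, medium or low.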

Adding context to accessed files with dynamic labels

With the goal of providing sufficient context to security teams so they can understand and validate each incident, Imperva presents typical behavior of the user who performed the suspicious file access activity. In addition, a label is applied to each folder accessed during the incident; this helps SOC teams evaluate the content or relevance of the files in question.

In assigning a label to a folder, the algorithm assesses the users who accessed it during the profiling period, as well as those from their peer groups. It then looks for the group (or groups) in Active Directory (AD) that best fits this set of users. This has two relevance aspects: the first, called precision, is how many users in the set are also in the AD group; the second is recall, the number of users in the AD group also contained in the user set. The best AD group (or groups) becomes the folder label—for example, Finance-Users, EnterpriseManagementTeam, or G&A-Administration. The label provides security teams with more context about the nature of the files pertaining to an incident.

Up Next: Examples from Customer Data

To validate the algorithms explained above, several Imperva customers allowed us to leverage production data from their SecureSphere audit logs. Containing highly granular data access activity, the log data provided full visibility into which files users accessed over a given duration—we saw the algorithms identify some very interesting real-life file access examples.

In our next post in this series we’ll review those examples and demonstrate the effectiveness of this automated approach to file access security.

For additional information on detecting suspicious file access with dynamic peer groups read the full Imperva Hacker Intelligence Initiative (HII) report: Today’s File Security is So ‘80s.

Learn more about dynamic peer group functionality available in Imperva CounterBreach.

Other Posts in the Series

Today’s File Security is So ’80s, Part 1: Why the Traditional Approach to File Security is Broken

Today’s File Security is So ’80s, Part 3: Dynamic Peer Groups – 3 Examples from Customer Data


Author: Larissa Gaston, Shiri Margel, Guy Shtar


Doddle Increases Speed of Rollout with Appurity and MobileIron Cloud

Category : Mobile Iron


Doddle are the click & collect experts and offer consumers the easiest way to collect and return online shopping. Since its launch in 2014, the company has formed partnerships with more than 100 retail partners such as Amazon, ASOS, Missguided, River Island, and New Look. Doddle has a growing network of 80 stores around the United Kingdom and to date, has handled over two million parcel pickups and returns.

Doddle is an extremely fast-growing company that puts customer service at the core of all its business operations. Central to being able to offer a consistently high level of customer service is mobility. This mobile-first company runs the majority of its front-of-house business on mobile devices and apps. To stay competitive and manage rapid growth, the company needed an enterprise mobility management (EMM) solution to help them quickly deploy secure mobile devices and apps.

Since Doddle bases all of its core operations and apps in the cloud, managing its mobile fleet required a cloud-based EMM solution. As a result, the company selected MobileIron and its technology partner, Appurity, to help them deploy and manage employee devices and develop key line-of-business (LOB) apps. The company currently manages a mix of mobile devices, including Samsung Galaxy Xcover 3 for delivery drivers and rugged Zebra devices in their stores. Doddle also supports a small BYOD deployment for business operations and office workers.

Great Service Delivery Relies on Speed and Convenience

Doddle’s focus on providing fast and convenient customer service has been a big factor in the company’s success and rapid store expansion. Most recently, Doddle launched a new service, ‘Powered by Doddle’, whereby it licenses its technology to other retailers to deploy seamless click and collect services in their own stores.

For retail partners, ‘Powered by Doddle’ means better customer satisfaction, greater foot traffic and ultimately, more revenue. Retailers using the service have reported an average of 32 percent reduction in daily staff hours required and a 30 percent increase in stockroom parcel capacity.

With a Net Promoter Score of 82, Doddle’s highly efficient customer service and parcel services are made possible with a mix of mobile devices managed and secured by MobileIron and critical logistics apps developed by Appurity. In addition to logistics, Doddle deploys and regularly updates other apps, such as mapping and in-store apps, to all the devices in their fleet, including its new retail partners. This is made possible with MobileIron Cloud, which enables Doddle to seamlessly install new apps and app versions, update policies, and ensure only approved apps are installed on corporate devices.

“MobileIron and Appurity have been important partners in supporting our expansion,” said Gary O’Connor, CTO at Doddle. “MobileIron enables us to easily deploy apps and weekly updates to all our mobile devices. Appurity has developed and supports our core logistics app as well as ensuring our MobileIron deployment is configured and optimized using best practices,” he said.

Designing for Scalability, Efficiency, and Ease-of-Use

To support its expansion into other retailers’ stores, Doddle redesigned its system to have a lighter footprint so it can run efficiently on handheld Android devices. This allows employees to securely access core business apps and process transactions on their devices — even in environments with intermittent connectivity.

Doddle allows consumers to choose Doddle as their delivery address at the checkout of major retailers including Amazon and ASOS, to avoid the inconvenience of a missed delivery. When the parcel arrives at the selected Doddle store, a Doddle employee uses the Appurity logistics app to scan the receiving information and shelf location, and the customer is automatically notified via email and text message. If the customer decides to return the item, the same process is used to ship the item back to the retailer.

“MobileIron and Appurity make it easy to improve the efficiency of our customer service across our entire network,” said O’Connor. “We have confidence knowing that we have a 360 degree view of all our mobile devices, where they are and what data they hold, so that we can redeploy them quickly and without any hassle.”

A Partnership for Improving Scalability and Productivity

Doddle is planning to grow from 80 stores to several hundred in 2017. Key to that goal is the ability to scale device and app deployment and keep their mobile fleet updated and secure with MobileIron Cloud.

“We have ambitious growth plans for 2017 and will be increasing the reach of our services throughout the UK,” said O’Connor. “Ensuring we have efficient processes for updating our technology while keeping an inventory of all our mobile devices across a growing store estate is operationally imperative and MobileIron and Appurity are key partners in helping us manage this.”



AWS Public Sector Summit Attendees Want Better Visibility into Cloud Traffic

Category : Gigamon

From June 12-14, Gigamon exhibited at the AWS Public Sector Summit in Washington, D.C., where more than 10,000 government, education and nonprofit technology leaders gathered to discuss the latest in cloud innovations for public sector. The demand for AWS GovCloud—Amazon’s public cloud solution built specifically for government organizations and their unique requirements—continues to skyrocket. Its current customer base includes 2,300 government agencies, 7,000 education institutions and 22,000 nonprofit agencies.

Over the course of the three-day event, we had numerous conversations with IT heads at these organizations about the top challenges they face as they shift workloads towards the cloud. The number one concern we heard from them was the blind spots in their network infrastructure (physical, virtual or cloud) and lack of insight into cloud traffic.

We explained how Gigamon solves this challenge with our first-to-market solution, which provides pervasive, secure and compliant network visibility into AWS GovCloud for the U.S. region. With it, public sector organizations gain deeper and more pervasive visibility to manage, secure and understand sensitive data and regulated workloads running in AWS, as well as to facilitate compliance with stringent federal operational requirements.

The other big challenge these IT leaders currently face centers around meeting the requirements laid out in the recent Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The new mandate requires them to put together a plan, mapped to the NIST Framework, that addresses cyber gaps and risks and, again, the related ability to secure the cloud was their primary concern. Read the AWS-authored blog and paper on aligning to the NIST Framework in the AWS Cloud to learn more about protecting data across AWS.

In our conversations, we shared with them the Gartner Adaptive Security Architecture, how continuous visibility is the core of the NIST Framework and how Gigamon fulfills this need. To learn more, read our point of view on the Executive Order: “Aligning Agency Cybersecurity Practices with the Cybersecurity Framework.”

After many good meetings, we walked away all smiles, knowing we’re able to help address the key concerns these IT leaders have around network visibility for GovCloud. To date, Gigamon is the market leader in network visibility, with 59 percent market share in the government vertical.[1]


Author:  Jennifer Ciavattone


Petya Ransomware Spreading Via EternalBlue Exploit

Category : FireEye

On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to Petya ransomware. Based on initial information, this variant of the Petya ransomware may be spreading via the EternalBlue exploit used in the WannaCry attack from last month.

Trusted sources and open-source reporting have suggested that the initial infection vector for this campaign was a poisoned update for the MeDoc software suite, a software package used by many Ukrainian organizations. The timing of a MeDoc software update, which occurred on June 27, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC. Additionally, the MeDoc website currently displays a warning message in Russian stating: “On our servers is occurring a virus attack. Our apologies for the temporary inconvenience!”

Our initial analysis of the artifacts and network traffic at victim networks indicates that a modified version of the EternalBlue SMB exploit was used, at least in part, to spread laterally, along with WMI commands, MimiKatz, and PSExec to propagate to other systems. Analysis of the artifacts associated with this campaign is still ongoing and we will update this blog as new information becomes available.

FireEye has confirmed the following two samples related to this attack:

  • 71b6a493388e7d0b40c83ce903bc6b04
  • e285b6ce047015943e685e6638bd837e

FireEye has mobilized a Community Protection Event and is continuing to investigate these reports and the threat activity involved in these disruptive incidents. FireEye as a Service (FaaS) is actively engaged in monitoring customer environments.

While FireEye detection leverages behavioral analysis of malicious techniques, our team has created a YARA rule to assist organizations in retroactively searching their environments for this malware, as well as detecting future activity. Our team has focused on the malicious attacker techniques that are core to the operation of the malware: SMB drive usage, ransom demand language, the underlying functions and APIs, and the system utilities used for lateral movement. The thresholds can be modified in the condition section that follows.

// The rule name below is a placeholder; the original "rule ... {" line is missing from this copy.
rule PETYA_ETERNALBLUE_WMIC_PSEXEC
{
    meta:
        author = " @TekDefense,"
        description = "Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"

    strings:
        // -- Drive usage
        $dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide
        $dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide
        $dmap03 = "\\\\.\\C:" nocase ascii wide
        $dmap04 = "TERMSRV" nocase ascii wide
        $dmap05 = "\\admin$" nocase ascii wide
        $dmap06 = "GetLogicalDrives" nocase ascii wide
        $dmap07 = "GetDriveTypeW" nocase ascii wide

        // -- Ransom demand language
        $msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" nocase ascii wide
        $msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide
        $msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide
        $msg05 = "your important files are encrypted" ascii wide
        $msg06 = "Your personal installation key" nocase ascii wide
        $msg07 = "worth of Bitcoin to following address" nocase ascii wide
        $msg08 = "CHKDSK is repairing sector" nocase ascii wide
        $msg09 = "Repairing file system on " nocase ascii wide
        $msg10 = "Bitcoin wallet ID" nocase ascii wide
        // $msg11: the value is missing from this copy of the rule; an empty string does not compile
        $msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii wide
        $msg_pcre = /(en|de)crypt(ion|ed\.)/

        // -- Functions and APIs
        $functions01 = "need dictionary" nocase ascii wide
        $functions02 = "comspec" nocase ascii wide
        $functions03 = "OpenProcessToken" nocase ascii wide
        $functions04 = "CloseHandle" nocase ascii wide
        $functions05 = "EnterCriticalSection" nocase ascii wide
        $functions06 = "ExitProcess" nocase ascii wide
        $functions07 = "GetCurrentProcess" nocase ascii wide
        $functions08 = "GetProcAddress" nocase ascii wide
        $functions09 = "LeaveCriticalSection" nocase ascii wide
        $functions10 = "MultiByteToWideChar" nocase ascii wide
        $functions11 = "WideCharToMultiByte" nocase ascii wide
        $functions12 = "WriteFile" nocase ascii wide
        $functions13 = "CoTaskMemFree" nocase ascii wide
        $functions14 = "NamedPipe" nocase ascii wide
        $functions15 = "Sleep" nocase ascii wide // imported, not in strings

        // -- Clearing event logs & USNJrnl
        $cmd01 = "wevtutil cl Setup" ascii wide nocase
        $cmd02 = "wevtutil cl System" ascii wide nocase
        $cmd03 = "wevtutil cl Security" ascii wide nocase
        $cmd04 = "wevtutil cl Application" ascii wide nocase
        $cmd05 = "fsutil usn deletejournal" ascii wide nocase
        // -- Scheduled task
        $cmd06 = "schtasks " nocase ascii wide
        $cmd07 = "/Create /SC " nocase ascii wide
        $cmd08 = " /TN " nocase ascii wide
        $cmd09 = "at %02d:%02d %ws" nocase ascii wide
        $cmd10 = "shutdown.exe /r /f" nocase ascii wide
        // -- Sysinternals/PsExec and WMIC
        $cmd11 = "-accepteula -s" nocase ascii wide
        $cmd12 = "wmic"
        $cmd13 = "/node:" nocase ascii wide
        $cmd14 = "process call create" nocase ascii wide

    condition:
        // (uint16(0) == 0x5A4D)
        3 of ($dmap*)
        and 2 of ($msg*)
        and 9 of ($functions*)
        and 7 of ($cmd*)
}
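The YARA rule matches files; the same system utilities can also be hunted in process-creation logs. The sketch below is an added example, not FireEye code: the regular expressions are built from the rule's $cmd strings, while the category names, host names, sample command lines and the two-category threshold are constructed assumptions.

```python
# Added illustration: hunts process-creation command lines for the utilities named in the
# rule's $cmd strings. Hosts, events and category names are constructed.
import re
from collections import defaultdict

PATTERNS = {
    "log_clearing": re.compile(
        r"wevtutil\s+cl\s+(setup|system|security|application)"
        r"|fsutil\s+usn\s+deletejournal", re.I),
    "scheduled_reboot": re.compile(
        r"schtasks\b.*/create\b.*/sc\b.*shutdown\.exe\s+/r\s+/f", re.I),
    "psexec_as_system": re.compile(r"-accepteula\s+-s\b", re.I),
    "wmic_remote_exec": re.compile(
        r"wmic\b.*/node:.*process\s+call\s+create", re.I),
}

SAMPLE_EVENTS = [  # (host, command line) pairs, all constructed
    ("WS-014", r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & fsutil usn deletejournal /D C:"),
    ("WS-014", r'schtasks /Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST 11:12'),
    ("WS-014", r"psexec.exe \\FS-02 -accepteula -s -d cmd.exe"),
    ("FS-02", r'wmic /node:"FS-03" process call create "cmd.exe /c ver"'),
    ("HR-07", r"wevtutil el"),               # benign: lists log names
    ("IT-01", r"schtasks /Query /FO LIST"),  # benign: lists tasks
    ("IT-01", r"wmic os get caption"),       # benign: local query
]

def classify(cmdline):
    """Return the set of technique categories a single command line matches."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmdline)}

def hunt(events, min_categories=2):
    """Group hits by host and keep hosts that show at least min_categories techniques."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host] |= classify(cmdline)
    return {h: sorted(c) for h, c in seen.items() if len(c) >= min_categories}

if __name__ == "__main__":
    for host, categories in hunt(SAMPLE_EVENTS).items():
        print(host, categories)
```

Requiring several categories on one host mirrors the rule's "N of" thresholds and keeps routine single uses of wmic or schtasks from raising an alert.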

FireEye has read reports that the malware is spread by an email lure containing a malicious Office document attachment or links to infected documents exploiting CVE-2017-0199. We are confident that this document is unrelated to the current outbreak of activity, and we have seen no other indicators that CVE-2017-0199 is related. While FireEye detects these campaigns, we have not observed any correlation with known victims of the Petya attacks.


This activity highlights the importance of organizations securing their systems against the EternalBlue exploit and ransomware infections. Microsoft has provided a guide for securing Windows systems against the EternalBlue exploit in the context of the WannaCry ransomware. A robust back-up strategy, network segmentation and air gapping where appropriate, and other defenses against ransomware can help organizations defend against ransomware distribution operations and quickly remediate infections.


Author:  John Miller, Matt Allen, Christopher Glyer, Ian Ahl, Nick Carr