Monthly Archives: June 2021

Getting SASE? Four Guidelines for Success

If you’re not considering a Secure Access Service Edge (SASE) strategy, you’re missing an opportunity to improve both IT and business agility as well as the security of your entire network. SASE provides secure connectivity for all the remote devices accessing your network and applications. Gartner wrote simply, “Security and risk management leaders should build a migration plan from legacy perimeter and hardware-based offerings to a SASE model.”

However, to ensure security and agility and reap the full benefits of SASE, you need to follow four key guidelines for success.

Guideline #1: When it comes to security, think beyond SASE  

While the scope of SASE is large and getting bigger, it is not comprehensive security. By design, it is limited to network-related security. For example, SASE does not include Endpoint Detection and Response (EDR), a key approach to battling ransomware, because EDR inspection for malicious activity happens within the operating system — not the network.

Similarly, SASE does not include Cloud Workload Protection (CWP), which keeps workloads in Infrastructure-as-a-Service secure. It’s excluded because it implements security controls outside the scope of the network. But counterintuitively, Cloud Access Security Broker (CASB), a technology solution that secures cloud applications and related data, is indeed a part of SASE. That’s because CASB is considered inside the scope of the network. It enforces security controls using the enabling network.

Remember that SASE is a technology strategy, not a complete security program with mature processes and much-needed expertise. It does not include 24/7 monitoring by an expert security team. Today, no matter how sophisticated the technology is, securing your cloud as well as your on-premises infrastructure requires security analysts who can understand what the technology is detecting and quickly respond with an effective defense, as illustrated by the widely adopted NIST Cyber Security Framework.

Guideline #2: Let use cases drive your technology selections (not the other way around)

While SASE’s cloud-centric architecture is increasingly the best choice for provisioning smaller offices that need to be up and running quickly, the cloud is not necessarily the best choice for large offices. This is particularly the case with firewalls. On-premises next-generation firewalls coupled with secure web gateway appliances often remain the best choice for situations where performance and cost of ownership are most important, as cloud firewalls have limitations in these areas. Therefore, don’t force a cloud-only strategy across the board. Instead, pick the best technologies for the use cases at hand.

For those who need to rely on on-premises firewalls, the good news is these appliances can still be part of your SASE strategy. Since they can be managed from the cloud, you can achieve the ease of management without a firewall-as-a-service performance hit or the higher cost. However, you must give up the agility advantages, which are typically not a problem for large offices. The real advantage here is the flexibility to use both cloud and on-premises firewalls and have both environments consistently managed for policy. In the end, look for a provider that offers both firewalls, but most importantly, one that can consistently manage policies across all. You want a solution at the intersection of flexibility and simplicity.

Guideline #3: Maintain a degree of vendor diversity despite SASE market consolidation

Gartner’s 2019 Hype Cycle for Enterprise Networking warns of this, saying, “Software architecture matters. . . Be wary of vendors that propose to deliver services by linking a large number of features via VM service chaining, especially when the products come from a number of acquisitions or partnerships.”

Gartner’s warning is valid. Daisy-chaining SASE capabilities can result in clunky, hard-to-manage, and underperforming services. But there is more to unpack. A SASE offering that has ZERO daisy chains creates security challenges. Taking Gartner’s advice too far will almost certainly result in replacing a myriad of best-of-breed security solutions with a tech stack of homegrown or acquired tools from a single technology provider. The drawback here is potentially less robust security when compared to a variety of market leaders. Plus, the components cannot be interchanged — solutions present all-or-nothing propositions.

A more advisable strategy is to have an optimal balance of minimal daisy chains and some degree of vendor flexibility. This allows SASE solutions to include industry-leading security technologies. This is best done via a service provider that can manage any extra complexity on your behalf but still deliver the benefits of such an approach. Furthermore, no single technology provider, especially a SASE startup, can deliver mature, best-of-breed solutions in the vast areas covered by SASE. Any smart provider will minimize daisy chains, partnering with no more than one or two external tech vendors and consolidating everything into a unified service with one dashboard. This is how customers are best protected from any additional complexity arising from a mix of tools and services while maintaining a more competitive SASE vendor ecosystem.

Guideline #4: Don’t ignore the importance of SD-WAN

The excitement of SASE is the ability to more effectively manage cyber risk. So, all too often, IT decision-makers overlook SD-WAN and the reliability and performance requirements that are at the heart of SASE solutions. It’s essential to ensure the network component of SASE can deliver on the demands of today’s increasingly distributed organizations. This includes evaluating performance, scalability, access flexibility, visibility, and control, as well as the ability to separate, prioritize, and secure bandwidth for remote employees. Without a successful SD-WAN rollout, the security layer won’t work. They go hand in hand.

If you’re just getting started with SASE, don’t fall prey to rigid thinking that can limit solution effectiveness and agility. The key is to be realistic about the power and limitations of SASE and then develop a pragmatic approach that works for your environment. Keep in mind that the larger and more diverse your infrastructure – or the more aggressive your growth plans – the more your SASE approach will need to deliver all the security you require now without limiting your options for the future.

Jay Barbour is Director of Security Product Management at Masergy.


CentOS Hyperscale Workstation Sees Experimental OS Builds, More Changes Coming

One of the exciting initiatives taking place recently within the CentOS camp has been the CentOS Hyperscale special interest group (SIG), which is backed by engineers from Twitter and Facebook along with other organizations. They have been making more progress on offering their hyperscaler-focused packages and updates and have even moved on to publishing a CentOS Hyperscale Workstation operating system image for testing.

The CentOS Hyperscale effort has been working on better fitting CentOS Stream to modern enterprise needs. Via their repository they are backporting newer systemd versions and other key packages, either as upgrades or as packages not currently found in CentOS/EPEL.

The CentOS Hyperscale SIG today published their Q2’2021 progress report. They noted their most recent backport of systemd 248, a non-modular build of LLVM 12 that will be available until a modular version is offered in CentOS Stream, and a DNF/RPM setup with Btrfs copy-on-write support. On the kernel front, the Hyperscale SIG is currently tracking the Linux 5.12 kernel for use on CentOS. The group has also added a modified version of KPatch for live kernel patching.

Perhaps most exciting this quarter is the CentOS Hyperscale group now publishing experimental OS images / Live DVDs of their CentOS Hyperscale wares pre-installed. That OS image is still rather primitive but they are making progress.

Looking ahead, the SIG is looking at making their live media image ready for broader consumption, integrating Btrfs transactional updates as an optional feature, providing Hyperscale-enabled cloud images, and enabling fs-verity support within RPM.

Find out more about this interesting CentOS effort via the project’s blog.

What Is OpenIDL, the Open Insurance Data Link platform?

OpenIDL is an open-source project created by the American Association of Insurance Services (AAIS) to reduce the cost of regulatory reporting for insurance carriers, provide a standardized data repository for analytics, and offer a connection point for third parties to deliver new applications to members. To learn more about the project, we sat down with Brian Behlendorf, General Manager for Blockchain, Healthcare and Identity at the Linux Foundation; Joan Zerkovich, Senior Vice President, Operations at the American Association of Insurance Services (AAIS); and Truman Esmond, Vice President, Membership & Solutions at AAIS.

System76 Releases Pop!_OS 21.04 With New COSMIC Desktop

Linux PC hardware manufacturer System76 has released Pop!_OS 21.04 as the newest version of their Ubuntu downstream that also features their new GNOME-based COSMIC desktop.

Pop!_OS 21.04 is based on Ubuntu 21.04 but headlined by their new COSMIC desktop, with various customizations such as different docking options, improved keyboard shortcut handling, a plug-in system for the launcher, and other configurable items.

More details on the COSMIC desktop are available via the System76 blog. The Denver-based company also published a separate blog post outlining how they worked on the COSMIC design.

COSMIC appears to have been the primary focus for System76 this development cycle, besides re-basing against the Ubuntu 21.04 packages. Pop!_OS is available for both System76 and non-System76 hardware, and this Linux distribution can be downloaded from

Introduction Into Insider Threat and Mitigation Best Practices

Let us assume you do your best to protect your business from security risks. But do you know that insiders account for a good deal of the danger? Dealing with insider threats has been an awfully bad experience for too many businesses so far.

Let us define what the insider threat is

This is the risk that originates from current staff members, former staff members, corporate partners, and contracted parties. These people have access to lots of data associated with your business. Any non-compliance or intentional misdeed on their part exposes your company to severe security threats.

Spying, privacy violations, disabling security tools, waste, and unauthorized spending are the top offenses that people acting from within your company can commit.

These occurrences are quite common. FBI security experts break them down like this:

Personal motivations

  • Seeking monetary benefits based on the belief that money is the ultimate power, or an urgent need to cover borrowed funds or excessive spending.
  • Being angry with the company and seeking vengeance: dissatisfaction strong enough to spawn a desire for revenge against the company concerned.
  • Unhappy experience: conflicts with colleagues or leadership, tedious work, the threat of dismissal.
  • Self-esteem issues. This extends to breaking the rules to prove exceptional status and to improve self-image, or falling for adulation or the promise of promotion to a higher position.
  • Various addictions, such as compulsive consumption of substances like alcohol, drugs, etc.
  • Social issues, such as problems with a spouse or inadequate interaction with other family members.

Corporate motivations

  • Confidential business data is available without strictly defined handling conditions, and such materials are made available to persons who do not need to use them.
  • Inappropriate marking of restricted-access data, or a lack of such marking.
  • Persons leaving corporate areas (both online and offline) can easily retain restricted-access data and materials without authorization.
  • Remote processing of restricted-access data without specifying exact limitations on its use and disclosure.
  • Lack of instructions and training on how to handle restricted-access data properly.

Types of dangerous insiders

Most observers distinguish two major types of insider threats: risks posed by malicious intent and risks posed by negligence or non-compliance. This classification is very general and straightforward, and reality often calls for more detail. A more advanced classification splits the threats into four categories by the type of actors involved.

1) Ordinary users: Ordinary users, or pawns, do not realize they are doing anything harmful when they fall victim to phishing and the different types of computer viruses sent via email. Staff members downloading malware, or handing over their sign-in info to strangers on the first request without verifying their legitimacy, are typical scenarios in this category. Unwitting workers are common targets of hackers attacking a company.

2) Non-ordinary, goofy users: Freedom is slavery, war is peace… No, their real motto is ‘Ignorance is Strength.’ These users believe they may go beyond any requirements. Non-ordinary users may break the rules for the sake of convenience or out of incompetence. They may also do it just for fun.

3) Secret agents: These are collaborators who use their insider status to capture secret data and affect the performance of the organization they work within. They do it as an agent of the third party they work for. Examples of such third parties include intelligence-gathering operations run by foreign governments and competitors attempting to undermine your operations.

4) Sole attackers: Sole attackers do not necessarily have any third-party support; they do not collaborate explicitly and definitely do not work as agents of any third party. These insiders pose an extra threat to your business if they have high levels of access to company resources. Working as database or computer system admins, they can do the utmost damage.

Common indicators of insider threats

  • An employee copies material without a specific need, especially if it is proprietary or classified.
  • An employee without specific need remotely accesses the computer network while on vacation, sick leave, or at other odd times.
  • An employee disregards company computer policies, installs personal software or hardware, accesses restricted websites, conducts unauthorized searches, or downloads confidential information.
  • Unreported foreign contacts (particularly with foreign government officials or intelligence officials) or unreported overseas travel.
  • Unexplained affluence: an employee is buying things that he cannot afford.
  • An employee is interested in things that lie outside the scope of his business duties.

Insider threat cases

Microsoft database goes public

This case exposed a vast list of Microsoft support records at the end of 2019. The scale was huge as the database contained approximately 250 million entries collected over 14 years. Attackers got a copy of IPs, locations, and remarks made by Microsoft support workers. The leakage lasted for one month.

The problem occurred because the Microsoft workers modified the privacy settings of the Azure system, failing to protect it with passwords or MFA.

Microsoft did not pay any penalties in this case as they proved the database contained no personal information and the problem was fixed once detected.

Marriott data breach

2020 started for Marriott with an attack on their records that began with the theft of the credentials of two of their staff members. The attackers used the stolen credentials to access the third-party app used by the company to manage the records of their guests. The information contained reservation info, guests’ contact details, and account data.

The company’s security failed to detect the intrusion until the early spring. The consequences are far worse for Marriott than for Microsoft, as the data stolen included personal details disclosing the guests’ identities.

Marriott’s fines seem to be pending, and it is not the first time the company is facing penalties for security negligence.

Twitter got hacked

Quantity sometimes breeds quality, but this works both ways as compromising just 130 accounts of famous Twitter users cost the company million-dollar losses. These accounts, compromised in July 2020, included both private and corporate users. Apple, Uber, Bill Gates, and Barack Obama were among those notable victims. Malefactors used 45 of the hacked accounts in Bitcoin-based scams.

Twitter got compromised as a result of highly targeted phishing campaigns. The crooks did not target the account owners directly. Instead, the primary attack hit Twitter employees working remotely. The attackers contacted those persons as though they were Twitter IT staff and requested their corporate passwords and logins. They further made use of the accounts of Twitter employees to reset accounts of notable Twitter users.

During the Bitcoin scam that involved 45 Twitter accounts, fooled users sent over 180,000 USD to the crooks. Meanwhile, Twitter lost 4% of its market value. That is a major loss out of all proportion to the hackers’ gain.

There are plenty of other insider threat cases faced by businesses and organizations with great actual or potential damages.

How to be safe from insider threats?

Malicious insiders are inherent in any business. Harm can be severe. However, there are plenty of methods to mitigate insider threats. Let us take a look.

Secure essential corporate assets

There are tangible and intangible assets. Simply put, tangible assets are physical things like human resources and buildings, while intangible assets are non-physical, for example, data of your clients, technology data, software, etc. In order to achieve the goal of securing resources in both of these categories, you would want to implement a reliable DiD (defense in depth) strategy and have an incident response plan.

IT assets require advanced tech solutions to be protected. These include:

  • DNS, URL filters blocking malicious access attempts.
  • Detecting and fixing security flaws with vulnerability management tools.
  • Identifying and disabling malware with an advanced antivirus.
  • Correct management of user privileges and access rights.
  • Software control, scam prevention, email protection.

Ensure SOP implementation and compliance

Standard operating procedures (SOPs) enable your staff to understand what they need to do. Security procedures are an essential part of them. Employees must clearly understand your corporate security policies and how to comply with their requirements, in particular concerning intellectual property. Enforce SOP compliance through adequate training.

Track and examine any unusual or suspicious events

Monitoring any suspicious or abnormal events is critical, even if they look totally safe. The indicators listed above provide essential clues, such as logins to the IT systems from an unrecognized location, unusual data transfers, etc.
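The indicators listed above and the monitoring advice here can be turned into straightforward detection rules. The following is an added example, not code from the article: it runs four of the listed indicators (access during leave, access from an unrecognized location, off-hours activity, and bulk data transfer) over constructed sample access-log lines. The roster, the thresholds, the log format "timestamp user source-IP action bytes", and the log lines themselves are all assumptions made for illustration.

```python
"""Flag insider-threat indicators in access-log lines.

Added example, not from the article. Roster, thresholds and log lines are all
constructed for illustration; the log format is assumed to be
"<ISO timestamp> <user> <source IP> <action> <bytes>".
"""
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Constructed roster: networks each user is expected to connect from, and leave periods.
ROSTER = {
    "alice": {"networks": ["10.10.0.0/16"], "leave": []},
    "bob":   {"networks": ["10.10.0.0/16", "10.20.5.0/24"],
              "leave": [(date(2021, 6, 7), date(2021, 6, 11))]},
    "carol": {"networks": ["10.10.0.0/16"], "leave": []},
}

BULK_BYTES = 500_000_000     # assumed threshold for an "unusual data transfer"
WORK_HOURS = range(7, 20)    # assumed normal working window, 07:00 to 19:59

# Constructed sample log lines.
SAMPLE_LOG = """\
2021-06-08T14:05:12 bob 203.0.113.7 download 1200000
2021-06-09T10:22:41 alice 10.10.3.14 download 45000
2021-06-09T23:48:03 carol 10.10.7.2 download 750000000
2021-06-10T09:15:00 alice 10.10.3.14 login 0
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    action: str
    nbytes: int


def parse_line(line: str) -> Event:
    """Split one log line into an Event; raises ValueError on a malformed line."""
    ts, user, src, action, nbytes = line.split()
    return Event(datetime.fromisoformat(ts), user, src, action, int(nbytes))


def analyse(log_text: str, roster=ROSTER):
    """Return (user, indicator, line) tuples for every indicator each line trips.

    One line can trip several indicators at once, which is itself a signal
    worth weighting higher than a single hit.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        profile = roster.get(ev.user)
        if profile is None:
            # An account not on the roster at all (for example a leaver) is the loudest signal.
            alerts.append((ev.user, "unknown_user", line))
            continue
        # Indicator: remote access while on vacation or sick leave.
        if any(start <= ev.ts.date() <= end for start, end in profile["leave"]):
            alerts.append((ev.user, "access_during_leave", line))
        # Indicator: connection from a location the user is not known to use.
        src = ip_address(ev.src)
        if not any(src in ip_network(net) for net in profile["networks"]):
            alerts.append((ev.user, "unrecognized_location", line))
        # Indicator: activity at odd times.
        if ev.ts.hour not in WORK_HOURS:
            alerts.append((ev.user, "off_hours", line))
        # Indicator: copying material in bulk without an evident need.
        if ev.nbytes >= BULK_BYTES:
            alerts.append((ev.user, "bulk_transfer", line))
    return alerts


if __name__ == "__main__":
    for user, indicator, line in analyse(SAMPLE_LOG):
        print(f"{indicator:22} {user:6} {line}")
```

On the constructed sample, bob trips two indicators at once (on leave and connecting from outside his known networks) and carol trips two (late-night activity and a 750 MB download), while alice's ordinary daytime logins from the office network produce nothing. The per-user profile is the important design choice: the same source IP or hour is normal for one account and abnormal for another, so the rules compare each event to the account's own baseline rather than to a global one.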

Let your people go

Once your employee becomes your former employee, that person’s further actions might be of no interest to you. However, they may affect you badly unless you complete a proper post-employment routine. First off, ensure that your staff firing process is well-recorded. Terminate access of your former employees to company resources, including facilities and software. It is highly recommended to terminate access to various systems no later than on the day of dismissal.
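The post-employment routine described here is easy to audit once you have a termination list from HR and an account export from each system. The following is an added example, not code from the article: it joins a constructed termination list against a constructed account inventory and reports every still-enabled account of a leaver, ranking accounts that were used after the last day of employment (the case that needs incident handling, not just cleanup) above the merely overdue ones. The system names, users, dates and the audit date are all constructed for illustration.

```python
"""Post-employment access audit: find accounts still enabled for people who have left.

Added example, not from the article. The HR termination list, the account
inventory and the audit date are constructed; real data would come from the
HR system and from each system's account export.
"""
from datetime import date

# Constructed HR record: user -> last day of employment.
TERMINATIONS = {
    "dave": date(2021, 6, 4),
    "erin": date(2021, 6, 18),
    "gina": date(2021, 6, 21),
}

# Constructed account inventory: (system, user, enabled, last_login or None).
ACCOUNTS = [
    ("vpn",   "dave",  True,  date(2021, 6, 9)),   # still on, and used after last day
    ("crm",   "dave",  False, date(2021, 6, 3)),   # correctly disabled
    ("badge", "dave",  True,  None),               # building access never revoked
    ("vpn",   "erin",  True,  date(2021, 6, 17)),  # overdue, not yet abused
    ("vpn",   "frank", True,  date(2021, 6, 20)),  # current employee, ignore
    ("mail",  "gina",  True,  date(2021, 6, 21)),  # last day is today: revoke today
]

AUDIT_DATE = date(2021, 6, 21)   # constructed "today" for the sample run


def offboarding_findings(terminations, accounts, today):
    """Return one finding per enabled account that belongs to a leaver.

    status is "revoke_today" when the last day is today and "overdue" when it
    has passed; used_after_exit marks an account that logged in after the
    last day, which is an incident rather than a cleanup item.
    """
    findings = []
    for system, user, enabled, last_login in accounts:
        last_day = terminations.get(user)
        if last_day is None or not enabled or today < last_day:
            continue  # current employee, already disabled, or not yet due
        used_after_exit = last_login is not None and last_login > last_day
        findings.append({
            "system": system,
            "user": user,
            "status": "revoke_today" if today == last_day else "overdue",
            "days_overdue": (today - last_day).days,
            "used_after_exit": used_after_exit,
        })
    # Abused accounts first, then the longest-overdue ones.
    findings.sort(key=lambda f: (not f["used_after_exit"], -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for finding in offboarding_findings(TERMINATIONS, ACCOUNTS, AUDIT_DATE):
        print(finding)
```

Running this on the constructed data lists dave's VPN account first (enabled 17 days after his last day and logged into five days after it), then his badge, erin's VPN account, and finally gina's mailbox, which is due for revocation today. Accounts that were disabled on time, and accounts of current staff, do not appear. Running the same join daily, with "today" as the audit date, is what turns the "no later than the day of dismissal" rule into something you can actually verify.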

The human factor poses the highest security risk for the network environment. Employees may severely affect your company’s image, performance, and assets, both intentionally and unintentionally. Stay alert and be aware that reducing insider threats is a must to ensure the IT security of your business.

Implementing security measures might be too tedious and resource-consuming for many businesses. That is why companies choose to subscribe to trusted third-party security providers, including personnel security training services.

David Balaban is a computer security researcher. He runs and
