STE WILLIAMS

Dell EMC squashes pair of VMAX virtual appliance bugs

Dell EMC has patched two serious flaws in the management interface for its VMAX enterprise storage systems, one of which could potentially allow a remote attacker to gain unauthorised access to systems.

The vendor announced that the VMAX vApp Manager had “Multiple Vulnerabilities” in a security advisory earlier this week.

The message said the vApp Manager, embedded in four Dell EMC products, contains two security vulnerabilities. It has reserved a spot on Mitre’s Common Vulnerabilities and Exposures list (CVE-2018-1215) for an “Arbitrary file upload vulnerability”, and another at CVE-2018-1216 for a “Hard-coded password vulnerability”.

The second, as you might imagine, is the more serious one, as “a remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system”.

Dell EMC said it had “removed the undocumented default account – “smc” – for all fresh installations of versions of the products that contain the fixes. The account cannot be removed from the user database for upgrade situations, however all servlets that use this account have been removed from the application making the account obsolete.”

The first flaw allows “an authenticated, remote attacker to upload arbitrary files on a targeted system”, but the attacker must first authenticate to the targeted system. Potentially, miscreants could chain the vuln with CVE-2018-1216 – the “default account” vuln – to obtain that authentication, Dell EMC warned.

Admins are advised to install updates and, of course, keep strangers out of the network.

Four Dell EMC products are listed together with seven fixes:

  • Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18
    • Fix – Unisphere for VMAX Virtual Appliance 8.4.0.18 OVA hotfix 1090, service alert 1059
    • Fix – Unisphere for VMAX Virtual Appliance 8.4.0.18 ISO upgrade hotfix 1089, service alert 1058
  • Solutions Enabler Virtual Appliance versions prior to 8.4.0.21
    • Fix – Solutions Enabler Virtual Appliance 8.4.0.21 OVA hotfix 2058, service alert 1891
    • Fix – Solutions Enabler Virtual Appliance 8.4.0.21 ISO upgrade hotfix 2057, service alert 1890
  • VASA Virtual Appliance versions prior to 8.4.0.514
    • Fix – VASA Virtual Appliance 8.4.0.516 OVA
    • Fix – VASA Virtual Appliance 8.4.0.516 ISO upgrade
  • VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier)
    • Fix – eMGMT 1.4.0.355 (Service Pack 6848)

Dell EMC recommends all customers upgrade at the earliest opportunity. Customers can download software for Dell EMC VASA Virtual Appliance 8.4.0.516 OVA and ISO from Dell EMC Online Support at https://support.emc.com/downloads/40557_VASA-Provider. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/15/sell_emc_patches_vmax_virtual_appliance_vulnerabilities/

That terrifying ‘unfixable’ Microsoft Skype security flaw: THE TRUTH

Microsoft has poured a bucket of cold water on people freaking out over a supposedly unfixable security flaw in Skype.

The infosec world was atwitter this week over fears and headlines of a nasty bug in Redmond’s video chat app that cannot be addressed without a massive code rewrite. The story went that the programming blunder was so major it could not simply be patched, and Microsoft would have no option but to reengineer Skype for Windows and issue a new release sometime in the future.

Well, it was fixed in October.

Far be it from us to run to Microsoft’s rescue, but the vulnerability is present in Skype for Windows versions 7.40 and lower. In October 2017, Microsoft released version 8 without the flaw, so if you kept up to date, you’re fine. If you’re running version 7 for some reason, get version 8.

The security cockup allows malware running on a Windows PC to exploit Skype’s update mechanism to gain full control over the computer via DLL hijacking. Exploiting the design oversight will grant malicious software, or anyone logged into the box, full system-level privileges. The update tool uses temporary files stored in the %SYSTEMROOT% directory, and it’s possible to drop custom DLLs into that folder and inject them into a process that runs with system-level privileges.

So, yeah, install version 8 if you haven’t already.

“There was an issue with an older version of the Skype for Windows desktop installer – version 7.40 and lower. The issue was in the program that installs the Skype software – the issue was not in the Skype software itself,” Skype program manager Ellen Kilbourne said in a support forum post on Wednesday.

“Customers who have already installed this version of Skype for Windows desktop are not affected. We have removed this older version of Skype for Windows desktop from our website skype.com.”

The issue was discovered by German researcher Stefan Kanthak, who said he alerted Redmond in September. Kanthak said he was told in October that patching the bug in the software would require a “large code revision,” and disclosed details of the flaw this month.


This revelation sparked a lot of handwringing and speculation the bug would be a “major” security issue that would prove highly difficult and expensive for Microsoft to address, leaving punters vulnerable for months to escalation-of-privilege attacks via local users and applications.

Microsoft, however, confirmed this week it has already addressed the coding cockup, and the issue can be fixed simply by updating Skype. Those running the latest version have been protected for the past few months. We’re also not aware of any malware exploiting this security hole.

This will provide a bit of relief to IT administrators who just two days ago were served a massive Patch Tuesday update that addressed 50 CVE-listed vulnerabilities in Redmond’s products, and faced the possibility of having to test and deploy an out-of-band patch for Skype, too. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/15/microsoft_skype_fixed/

From DevOps to DevSecOps: Structuring Communication for Better Security

A solid approach to change management can help prevent problems downstream.

Security has long been considered an afterthought in the software development process, with ad hoc measures typically tacked on just before release. This approach is no longer adequate in sustaining today’s expectations for rapid and reliable service.

DevSecOps is emerging as a superior way to integrate security throughout the DevOps cycles, using better intelligence, situational awareness, and enhanced collaboration. It entails a solid approach to change management, or standardizing specific processes that can help prevent problems downstream. Poor (or no) change management is the biggest culprit in preventing organizations from pinpointing the root cause of critical issues, thereby slowing down the entire business.

Security Incident and Event Management (SIEM)
The key to optimizing your business for DevSecOps is to build the necessary infrastructure to interact with your SIEM system, and enable rapid data collection, data analysis, and incident response. Your SIEM platform should act as the hub, around which you can customize the full workflow for managing incidents.

Having one absolute source of data is crucial; when you rely on spreadsheets that sit on people’s local computers or manual communication mechanisms such as email, information quickly gets old and out of sync. Plus, it’s too difficult to draw meaningful correlations across data sitting in silos. The best incident management solutions can automate moving data between tools, from incident ticketing systems to collaboration tools, system updates, chatbots, and more. Not only do these automation measures save time, they preserve the accuracy of information for all parties involved.

Through descriptive and predictive data mining, machine learning, and simulation, the advanced analytics of SIEM make it easy to visualize and correlate data by mapping previous or pre-categorized events against a cyber kill chain framework or past events to better support incident investigations.

Of course, not all incidents are equal; you’ll want an analytics-driven platform that gives you the flexibility to categorize the severity of potential threats, as well as provide your entire organization with a “single source of truth” and contextual insight to determine the appropriate response to any event. This includes integrating threat intelligence data, watch lists, correlation rules and queries, and the like.

Let’s take a look at three use cases that highlight the importance of DevSecOps.

1. Internal Communications
The security team for a multinational financial corporation takes down the company’s firewall as part of routine maintenance. In the middle of the night, the application team can see that changes have been made, but because there is no documented, standardized procedure for changing the firewall, they flag it as an anomaly and a possible threat. As they follow protocol to investigate the change, they’re unable to figure out the root cause of the issue, and end up gathering other groups and scrambling to diagnose and fix. By the time they figure out that it’s just a firewall change, the service has been down for more than 12 hours. The teams agree to create a new rule: no firewall changes should be made after hours.

2. Alert Fatigue
The service desk for a large retailer receives alerts of a data breach. Without filters or rules in place, these alerts get lost among the many thousands of notifications the group receives every hour. The major incident alerts go unnoticed, buried under false alarms, automated alerts, and other notifications, preventing teams from acting proactively. Instead, the unsuspecting teams discover the problem days later, and only through the reports of confused customers and partners — not to mention angry executives. The company then has to notify its customers that their personal information may have been compromised, and a protracted public scandal causes its teams to change its major incident processes.

3. Poor Fundamentals
A global credit monitoring agency suffers a data breach but does not realize it for months, and must awkwardly alert its customers long after the fact that their personal information may have been compromised. In the aftermath, the company promotes websites intended to allow users to see whether they are affected by the breach. The agency’s lack of preparation becomes obvious when the websites prove totally ineffective and affected by viruses, making matters worse and causing further embarrassment. The company resolves to completely revamp its approach to security and incident management.

What Should You Do?
The key to achieving a successful DevSecOps implementation is to tackle communication as a core tenet of operations and bring structure to collaboration so that your organization can remain proactive and keep the right people informed of truly relevant information. IT teams tend to be paralyzed with too many alerts and notifications that prevent them from identifying and quickly fixing the important issues. Artificial intelligence-driven event analytics can help turn this data into immediate action and help your business to prioritize the restoration of business-critical services based on real data and not a wild guess. This is the structure and standardization necessary to prevent outages, manage major incidents, and rapidly engage resolution when necessary.


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.


Robert Hawk is Privacy Security Lead at xMatters. He has extensive experience in information systems security, computer security, cybersecurity, information assurance, as well as governance, risk, and compliance (GRC) management. He specializes in frameworks and standards …

Article source: https://www.darkreading.com/application-security/from-devops-to-devsecops-structuring-communication-for-better-security/a/d-id/1331046?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Oracle Buys Zenedge for Cloud Security

Oracle announces its acquisition of Zenedge, which focuses on cloud-based network and infrastructure security.

Oracle has agreed to buy Zenedge to ramp up security for its subscription-based cloud infrastructure services, the company announced today. Terms of the deal were not disclosed.

Zenedge builds technology that aims to secure IT systems deployed in cloud, on-premise, or hybrid environments, and the company offers Web Application Firewall (WAF) and distributed denial-of-service (DDoS) protection products.

Oracle plans to leverage Zenedge’s technology to integrate WAF and DDoS protection into its Oracle Cloud infrastructure-as-a-service offering and Domain Name System capabilities. The company reports Zenedge will add both application and network protection as more businesses adopt cloud services.

Read more details here.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/oracle-buys-zenedge-for-cloud-security/d/d-id/1331069?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Air Force Awards $12,500 for One Bug

The highest single bounty of any federal bug bounty program yet is awarded through Hack the Air Force 2.0.

A code execution vulnerability on an Air Force Portal host system that would allow attackers to manipulate data on the system earned one bug bounty hunter $12,500 during the second Hack the Air Force bug bounty program, HackerOne announced today.

Hack the Air Force 2.0 was the latest installment of the US Department of Defense’s (DoD) “Hack the Pentagon” security initiative.

The 20-day project kicked off with a launch event Dec. 9 in New York City attended not only by vulnerability researchers hunting for bugs, but by DoD and US Air Force personnel conducting live remediation. At the launch, 55 vulns were discovered in nine hours; another 51 were found in the remaining weeks.

A total of $103,883 was paid out to participating hackers during the 20-day period. The $12,500 payment is the largest single bounty issued from any federal program to date.    

Over 3,000 total vulnerabilities have been resolved in government systems since the first federal vulnerability disclosure program was opened in 2016, according to HackerOne. Twenty-seven trusted researchers from the US, United Kingdom, Canada, Sweden, Netherlands, Belgium, and Latvia participated in Hack the Air Force 2.0.

For more info, view the video recap of the launch event 




Article source: https://www.darkreading.com/vulnerabilities---threats/air-force-awards-$12500-for-one-bug/d/d-id/1331068?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Democracy & DevOps: What Is the Proper Role for Security?

Security experts need a front-row seat in the application development process but not at the expense of the business.

With the advent of the cloud and DevOps, the job of implementing security has been dispersed more widely across IT. This has led to significant gains in speed and agility, but it has also created unacceptable risk for the business. For security, the pendulum has swung too far toward democracy. We need to pull it back.

It’s easy to forget that as recently as a decade ago, IT in a pre-virtualization/pre-cloud world looked very different from today. Software projects were measured in months if not years, and security teams had control and visibility over all that went out the door. This ensured less risk, but as dev teams tried to move faster, security quickly became the infamous “department of no.” If CSOs weren’t banning projects outright, they were certainly holding them up to ensure every possible door to a vulnerability was closed.

DevOps is a great frontier by comparison. These days, software and infrastructure teams are implementing new features and services at a remarkable pace, aided by higher-level tools and a myriad of third-party services in the cloud. Just this past year alone, swift advances in areas like containers and serverless computing have allowed dev teams to do far more with less.

It would be unfair to say developers aren’t attuned to the needs of security — the constant drumbeat of major breaches means that everyone is now aware of the need to lock down applications and data. And the major cloud providers have invested heavily to secure their infrastructure and provide built-in tools and protocols for securing data and connections.

But this is precisely the challenge. As DevOps turns to these off-the-shelf mechanisms to secure applications, they fall prey to an illusion of security. That’s not a criticism of cloud providers; it merely reflects the reality that security in the enterprise is highly complex. Organizations develop security policies for a reason. Not all data is equal, and highly sensitive information, such as customer or financial data, must be afforded higher levels of protection. 

Networks and systems are also complex, and potential attack vectors aren’t always apparent when applications are built quickly and modified frequently over time. Security experts need a front-row seat in the DevOps process, because they are the individuals uniquely trained to identify these vulnerabilities. But in the democratic model of security, their role is too often reduced.

Clearly, we do not want to roll back the advances of recent years and inhibit the ability of dev teams to innovate quickly. But developers, ops, and security teams must each acknowledge their respective areas of expertise and work together to ensure that the risks inherent to moving quickly without sufficient care are mitigated.

Security must not be a bottleneck, but the democratization of security through DevOps has been an overcorrection to the time when security had absolute control. If the right model for security is not a pure democracy, where everyone has an equal say in policy and no one is ultimately responsible, then we should think of it more as a representative democracy — where power resides in the people, but that power is exercised through elected representatives.

What does this imply for application development, IT operations, and security governance? That the elected security representative — the CSO — is accountable to the organization and therefore carries out its will (no more “department of no”). But the CSO also has authority to decide how that will should be implemented, because ultimately, it’s the CSO who is accountable for keeping the business secure. 

Getting to the model of a representative democracy requires a change in how security, dev, and ops teams work together today. Here are three best practices to help make this happen.

  • Each team must recognize the knowledge the other teams bring to the table. While there needs to be a baseline understanding, no single constituent can be specialized in all aspects of application development, deployment, and security. Without respecting each other’s expertise, there’s no way to move fast and be secure at the same time.
  • Consider new training to ensure teams know the limits of their knowledge and the needs of the other teams. For security professionals, this means keeping up to date with the latest development methodologies and services in the cloud. For developers, it means learning the limits of their security knowledge, and knowing when to ask a specialist for help.
  • Teams need to meet regularly to review their shared understanding and raise needs for specialists on the projects they are working on. Cooperation happens only through proactive dialogue. Put a monthly meeting on the books today.

Automation, virtualization and the cloud have brought sweeping changes to how applications are developed and delivered. IT is a far more exciting and dynamic place to be than it was just a decade ago, and technologists have far more impact on the success or failure of business. But that also brings new levels of responsibility. A single security incident can affect the valuation of an entire company. Dev teams and security staff must work together to ensure this does not happen.



As chief technology officer and founder, PJ is responsible for Illumio’s technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also …

Article source: https://www.darkreading.com/application-security/democracy-and-devops-what-is-the-proper-role-for-security--/a/d-id/1331060?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Coin-mining frenzy is making it hard for us to find aliens

Forget Iceland’s energy getting sucked up by cryptocoin miners. We can’t find the aliens!

You need a few things to mine cryptocurrency, or to do a bunch of other things, including build a gaming PC from scratch, run radio-astronomy operations, or search the skies for incoming messages from extraterrestrials.

The things you need include a whole lot of preferably renewable energy (thanks, Iceland!). It’s also helpful to have access to data centers and a nice, chilly environment to help with cooling them (thanks again, Iceland!).

You also need a pile of graphics processing units (GPUs): the high-end computer chips from manufacturers like AMD or Nvidia that miners use to build their mining machines.

Unfortunately for gamers, radio astronomers and Search for Extraterrestrial Intelligence (Seti) researchers, the prices on GPUs have been going nuts for a few months. At the end of January, when cryptocurrency values had soared, they dragged GPU costs right on up with them.

Gaming news site Polygon last month reported these then-current examples of GPU prices:

The cheapest price for MSI’s GeForce GTX 1070 Gaming X (MSRP $459.99) is $945.99 on Amazon and $988.99 on Newegg; it’s not much lower at Micro Center, which has it listed at $919.99.

And that’s when you can get the GPUs at all.

At least one retailer, Micro Center, is keeping the supply lines open for its core customers (gamers), reducing prices for those building gaming rigs, and limiting GPU quantities to others, including both cryptocurrency miners and, apparently, Seti and other researchers. Here’s a letter Micro Center posted to its “Valued Build Customers” about the policies.

Likewise, Nvidia has advised retailers to make sure that they’re prioritizing gamers over miners.

Where does that leave the search for intelligent extraterrestrial life? Sadly GPU-starved.

Dan Werthimer, chief scientist at the Berkeley Seti Research Center, told the BBC that the center would like to use the latest GPUs. It has the money, but it just can’t get them.

This is a new problem. It’s only happened on orders we’ve been trying to make in the last couple of months… That’s limiting our search for extraterrestrials, to try to answer the question, ‘Are we alone? Is there anybody out there?’

At some telescopes, Berkeley Seti has around 100 GPUs crunching data from large listening arrays, he told the BBC. The arrays can pick up the faintest whispers of radio frequencies coming into the solar system from elsewhere in the universe, including from natural phenomena such as collapsing stars.

If Seti could get the GPUs, they could use them to improve their ability to analyze data at two observatories: Green Bank in West Virginia and Parkes in Australia.

It’s looking like the only thing that could possibly make that goal achievable is for cryptocoin values to crash, and to drag down the cost of GPUs with them.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mLYZSNvqkmc/

Joke dating site matches people based on their passwords

Let us ask you this, Ms. “123456” and Mr. “Password”: are you tired of making excuses when your password winds up on the yearly worst-passwords lists?

Wouldn’t you like to meet somebody who shares your confusion over how to use a password manager?

Despair no longer! As Motherboard reports, there’s now a dating site that matches people based on their passwords.

It’s called Words of the Heart. It’s billed as a way to help find and date people who have the same password.

Because why? Because…

We believe that something as intimate as your password best describes your inner self.

Fortunately for all of us, it’s a joke site, and unfortunately for all of us, the site’s makers (reasonably enough) felt the need to spell that out loud and clear on the front page to prevent anybody from entering an actual password:

DO NOT USE your real password here, especially a password for something important (banks, e-mail, Facebook)!

Actually, that disclaimer was added after infosec Twitterers laughed and poked at the site last week:

I tested the site, using “password” as a password. What joy: I found many potential dates!

The site’s creator, Krzysztof Zając, confirmed to Motherboard that the site is indeed not meant to be taken seriously:

I came up with this idea as a joke and decided it would be funny to implement it.

Are you such an elite user that you can’t figure out a terrible password to input into Words of the Heart? We’re here to help! Check out our foolproof guide to choosing terrible passwords. Don’t be frightened: it has a flowchart to guide you through (what’s hopefully) the unfamiliar task of coming up with an easily hacked password!

If you don’t get the joke and honestly don’t understand how people come up with unique, hard-to-guess passwords for each and every one of the online spots where they’re required, please do check out our video on how to pick a proper password.

Feel like trying a password manager? Check out the writings on these tools from Naked Security’s Maria Varmazis, who recently explained a few of them that aren’t crazy tough to figure out.

And what about if you’re already an elite password picker, and if you just can’t find anybody who shares your unique, highly entropic, PRNG-generated passwords? Well then, congratulations! You are NOT fresh meat waiting for password-snarfing buzzards!

But also, you have our sympathy. Maybe you’re in for a bleak love life, as Ross Neumann noted:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zrrNJCzN0ew/

UK names and shames Russia as source of NotPetya

The United Kingdom’s Foreign and Commonwealth Office has formally “attributed the NotPetya cyber-attack to the Russian Government”, specifically the nation’s military.

“The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity,” said a February-15th-dated statement from Foreign Office Minister for Cyber Security Lord (Tariq) Ahmad of Wimbledon.

The statement was issued after the UK’s National Cyber Security Centre concluded “the Russian military was almost certainly responsible for the destructive NotPetya cyber-attack of June 2017.” The centre has no higher rating than “almost certain”, so “the UK government has made the judgement that the Russian government was responsible for this cyber-attack.”

Another of the quotes the Office put into Lord Ahmad’s mouth said “The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm.” Which sounds rather like cyber-ops are in full swing.

Any such operations may well be seen as proportionate response, as another of the quotes from Lord Ahmad mentions the “hundreds of millions of pounds” in costs wrought by NotPetya.

NotPetya first hit Ukraine, which quickly claimed Russia was the malware’s source and that its deployment was part of ongoing destabilisation attempts.

The United States Central Intelligence Agency has also reportedly concluded that NotPetya was made in Moscow, but the UK’s very public name-and-shame takes matters a step further and by mentioning allies all-but-implies the UK speaks for other nations too.


Lord Ahmad also said “The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way” and called on Russia “… to be the responsible member of the international community it claims to be rather than secretly trying to undermine it.”

NotPetya emerged in June 2017 masquerading as the ransomware “Petya”, but was rather more potent, as it borrowed from the EternalBlue exploit that leaked from the US National Security Agency. Like Petya, NotPetya scrambled files, but it did not offer decryption-for-cash. The malware instead hopped across networks, trashing filesystems as it went.

The UK’s statement said NotPetya was targeted at Ukrainian “financial, energy and government sector” targets, an opinion shared by many other analyses. However the malware was indiscriminate, so quickly infected many other organisations.

The code was so effective that shipping company Maersk was forced to rebuild “4,000 servers, 45,000 PCs, and 2,500 applications” in order to restore its operations. Many other organisations experienced considerable disruptions, with FedEx bemoaning a $300m repair bill.

A later variant of the malware, “BadRabbit”, hopped into view in October 2017 but was thankfully less virulent than its predecessor. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/15/uk_names_russian_military_as_source_of_notpetya/

The Mirai Botnet Is Attacking Again…

And the spinoff bots – and all their command and control hostnames buried in the morass of digital data – are hilarious.

The Mirai botnet is kind of like Madonna. They both were huge once. Then the adoring public shifted their attention to younger, newer acts, but they keep on performing anyway. We wrote about Mirai extensively after we predicted its construction in our first IoT report, DDoS’s Newest Minions: IoT Devices in 2016.

Mirai has been in the news again recently. In December, Brian Krebs reported that two men pleaded guilty as the co-authors of the IoT botnet. A new botnet, Satori (Japanese for “the awakening”) is a possible successor to Mirai. The source code for Satori was recently posted to Pastebin as a Christmas gift to the IoT hacker community. Like Reaper, Satori weaponizes exploits beyond simple brute-force default password guessing.

F5 Labs and our data partner, Loryka, still monitor Mirai (but not Madonna!). Even though Satori and Reaper might be the interesting new acts, Mirai and its children are still actively attacking from the Internet of Things. Our honeypots grab configurations from each botnet and we compile the list of command and control (CC, aka C2 or CNC) hostnames that are used to control each bot. Attacks from the CC hosts themselves are rare, but they make good indicators of compromise (IOC) because any requests for those hosts from inside a protected network can be traced back to the infected devices themselves.

So, we were looking through last quarter’s list of Mirai spinoff bots and all of their command and control hostnames and had a bit of a laugh. Of course, we take this botnet stuff seriously, but we couldn’t help snickering a little at some of the domain names.

Of the 203 CC hostnames we sampled in the last quarter of 2017, about 70 are still active in DNS. And of that original 203, 71% were registered (and almost certainly hosted) by Freenom, Namecheap (an Enom reseller), or Cloudflare. If you were a cybercriminal, why not use “free” domain registration services like Freenom for your CC hosts? A simple Google search will tell you they care little about what you do with the domain as long as you use it (or they will eagerly park your domain and start collecting ad revenue).

When it comes to domain registrars like Enom that offer reseller services to companies like Namecheap, the layers of domain management and orchestration from the registrant to the controller can make it harder to track down and process abuse complaints. Because cybercriminals know this, they often favor resellers instead of direct registrars. A simple Google search for Namecheap will turn up a history of complaints alleging they do little about abuse complaints, so it’s not surprising cybercriminals would choose to use them. Cloudflare, on the other hand, has drawn fire from Brian Krebs for its continued hosting of obvious DDoS-for-hire services.

Image Source: F5

Sure, the CC list is a small sample size, and CC hosts come and go quickly. This list is in no way exhaustive — it’s just a snapshot in time from last quarter. But for a breakdown of the domain hosting services, see the end of this article.

Yes, I really am a CC server
A disturbing number of the CC servers brazenly scream out that they are, indeed, nefarious “cnc” servers. Check out this subset:

cnc.bigbandsinmyvault.tk
cnc.bigbotpein.ru
cncbot.cnbot.space
cncbot.ddns.net
cnc.changeme.com
cnc.linux.lol
cnc.nutsz.club
cnc.skidsec.org
cnc.spamtech.win
 
There’s a whole other category of hosts that identify not just as CC servers, but as Mirai CC servers. Thanks for the specificity, dudes! How much more obvious do you need to be?

cmdmirai.tk
cnc.mirai.com
iotmirai.tk
lolzsecsshittymirai.tk
miraibotnet.ml
miraibotnet.online
miraihoneypot.tk
mirainet.ml
mirainet.tk
 
For those of you security engineers out there, it’s probably not a terrible idea to flag any computer in your network that is looking up hosts that begin with “cnc” or “mirai”.
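As an added example (not F5’s tooling), here is one way to apply that advice to a DNS resolver’s query log: parse each query, flag names whose labels start with “cnc” or contain “mirai” (the list above includes names like iotmirai.tk and cncbot.ddns.net, so the match goes slightly beyond a strict prefix test), and group the hits by the internal client that asked. The log lines are constructed in the shape of a BIND9 query log; the addresses and hostnames are sample values, not indicators from the article.

```python
import re
from collections import defaultdict

# Constructed sample lines resembling BIND9 query logging (not real traffic).
SAMPLE_QUERY_LOG = """\
15-Feb-2018 10:01:02.101 client 10.0.0.5#51234 (cnc.changeme.com): query: cnc.changeme.com IN A +E (10.0.0.53)
15-Feb-2018 10:01:02.220 client 10.0.0.5#51235 (www.example.com): query: www.example.com IN A +E (10.0.0.53)
15-Feb-2018 10:01:03.004 client 10.0.0.17#40001 (iotmirai.tk): query: iotmirai.tk IN A +E (10.0.0.53)
15-Feb-2018 10:01:03.910 client 10.0.0.17#40002 (cncbot.ddns.net): query: CNCBOT.ddns.net IN A +E (10.0.0.53)
15-Feb-2018 10:01:04.333 client 10.0.0.9#33000 (concierge.example.org): query: concierge.example.org IN A +E (10.0.0.53)
15-Feb-2018 10:01:05.500 client 10.0.0.9#33001 (cnc-machining.example.com): query: cnc-machining.example.com IN A +E (10.0.0.53)
"""

# Pull the source address, queried name and record type out of one log line.
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def suspicious_labels(qname):
    """Return the labels of qname matching the heuristic: starts with 'cnc' or contains 'mirai'.

    Matching is case-insensitive (DNS names are), and a trailing dot is ignored.
    """
    hits = []
    for label in qname.lower().rstrip(".").split("."):
        if label.startswith("cnc") or "mirai" in label:
            hits.append(label)
    return hits


def flag_queries(log_text):
    """Yield (client, qname, matched_labels) for every query that trips the heuristic."""
    flagged = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        labels = suspicious_labels(m.group("qname"))
        if labels:
            flagged.append((m.group("client"), m.group("qname").lower(), labels))
    return flagged


def clients_to_investigate(log_text):
    """Group flagged lookups by source address: the asking host is the device to examine."""
    by_client = defaultdict(set)
    for client, qname, _ in flag_queries(log_text):
        by_client[client].add(qname)
    return {client: sorted(names) for client, names in by_client.items()}


if __name__ == "__main__":
    for client, names in sorted(clients_to_investigate(SAMPLE_QUERY_LOG).items()):
        print(client, "->", ", ".join(names))
```

The cnc-machining.example.com hit shows the heuristic's weakness: a prefix match on “cnc” will also catch legitimate names, so treat the output as a triage list for an analyst rather than an automatic block list.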

And somebody really likes boats. (We like boats, too.)

bigboats.club
bigboatz.us
boatnet.xyz
boat.racoon.ml
gammaboat.us
ssh.gammaboat.us
www.trapboat.club
 
We’ve been saying that the Internet of Things is the attacker platform of the future. The world of IoT botnets is highly automated. And, of course, our defenses are getting more automated as well. It’s computers attacking and computers defending. But every now and then you get a glimpse of the humanity buried in the morass of digital data. Take these cnc hostnames for example:

cnc.tonguepunchfartbox.life
cnc.smokemethallday.tk
cnc.urgay.cf

Sure, they’re completely juvenile, but that’s how you know they’re human. And humans make mistakes. Sometimes those mistakes are other humans, and those humans end up building IoT botnets controlled by CC hosts whose names offend the senses or offer dubious advice.

What’s Up with all the .tk Domains?
In theory, the .tk top level domain (TLD) represents the Tokelau island chain of New Zealand, a place so small it doesn’t even have a regional airport. In reality, .tk domains are free and are used by the poor, as well as a huge number of spammers, phishers, and stressors. The .tk TLD is now, incredibly, the third most popular after .com and .net. That’s right, more popular than .uk, .org, and .sex. The massive popularity of .tk domains has increased the GDP of Tokelau by 10% and some of the increased revenue goes to provide the local poor their own Internet access. Such a strange, circular world we live in.

A complete list of these hosts is available on the F5 Labs site.


David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA …

Article source: https://www.darkreading.com/partner-perspectives/f5/the-mirai-botnet-is-attacking-again/a/d-id/1331031?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple