With greater visibility comes increased response

As our manager tests an advanced firewall, several events that would have gone undetected come to light.

I mentioned in a previous article that we are using a "loaner" Palo Alto Networks firewall, with all the bells and whistles. Our testing led to all sorts of interesting discoveries, and I certainly hope that the executive staff will agree that the increased visibility makes this sort of new-generation firewall well worth the investment.

Not wanting to disrupt business operations, I tested the device on a SPAN port that monitors traffic in and out of our network and between the corporate network and our data center. That placement gave us visibility into attacks originating internally against our data center resources. Because it sits off a SPAN port rather than in-line, the firewall can only observe and alert; it can't block anything. (If we decide to purchase the PAN firewall or something similar, we'll move it in-line and replace our current firewall.)

Lacking a 24/7 security operations center (someday, maybe?), I set up the firewall to forward email alerts for events that I think are indicative of compromise. One thing I was very interested in was detecting threats against our source code repository, which I consider one of the five most critical assets in our organization. Sure enough, earlier this week I received an alert that an SSH brute-force attack against the server holding our source code had been detected. This alert triggers when more than 20 login attempts from a single source are made within 60 seconds.

We tracked down the source of the attack and learned that it wasn't really an attack at all. One of our software engineers had recently changed his Windows domain password, which is also used to log into our source code repository, but never updated some scripts he had in PhpStorm, his PHP IDE. One script kept trying to log into the repository with his old password, which of course failed, and the stream of failed attempts looked exactly like a brute-force attack from his PC. Although this was a false positive, I'd still prefer to know when this sort of thing is happening. And it seems clear that if we do get hit with a real brute-force attack, the firewall will let us know about it.
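The threshold rule described above, as an added example that is not from the article or from Palo Alto Networks: a Python sliding-window detector over sshd auth-log lines that fires when more than 20 failed logins from one source fall inside 60 seconds, and records which accounts were targeted so that the stale-credential case (one account, one workstation) can be told apart from a real brute force or password spray. Host names, addresses, user names and every log line are constructed for the example.

```python
"""Threshold rule for SSH brute force, run over sshd auth-log lines.

Rule as stated in the article: more than 20 login attempts from one source
within 60 seconds raises an alert.  Hosts, addresses, user names and every
log line below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog timestamps carry no year; one is assumed because the window logic
# only needs differences between timestamps.
ASSUMED_YEAR = 2015

# OpenSSH failed-password line, e.g.
# "Mar 13 02:14:00 repo sshd[4120]: Failed password for jdoe from 10.20.30.40 port 51000 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_login(line):
    """Return {'ts', 'user', 'ip'} for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=20, window_seconds=60):
    """Sliding-window count of failed logins per source address.

    One alert is emitted each time a source's count inside the window first
    exceeds `threshold`.  The alert lists the accounts targeted, which is
    what an analyst needs to tell a spray across many accounts from one
    stale credential hammering a single account.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> (timestamp, user) pairs inside the window
    alerts = []
    for ev in filter(None, map(parse_failed_login, lines)):
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while ev["ts"] - q[0][0] > window:  # q is never empty here
            q.popleft()
        if len(q) == threshold + 1:
            alerts.append({
                "source": ev["ip"],
                "first_seen": q[0][0],
                "last_seen": ev["ts"],
                "attempts": len(q),
                "accounts": sorted({u for _, u in q}),
            })
    return alerts


def triage(alert):
    """Hint for the analyst: many accounts from one source is a real brute
    force or password spray; one account from one source is more often a
    script or saved session retrying a changed password."""
    if len(alert["accounts"]) == 1:
        return "single account: check for a stale credential in a script"
    return "multiple accounts: treat as brute force"


def _line(ts, user, ip, port):
    return (f"{ts:%b %d %H:%M:%S} repo sshd[4120]: Failed password for "
            f"{user} from {ip} port {port} ssh2")


def build_sample_log():
    """Constructed auth-log excerpt with three sources:
    - 10.20.30.40: a workstation script retrying an old password 24 times
      in 46 s against one account (the article's false positive);
    - 203.0.113.9: six accounts over ten minutes, below threshold;
    - 203.0.113.77: 25 accounts in 25 s, a genuine spray."""
    t0 = datetime(ASSUMED_YEAR, 3, 13, 2, 14, 0)
    lines = [_line(t0 + timedelta(seconds=2 * i), "jdoe", "10.20.30.40", 51000 + i)
             for i in range(24)]
    for i, user in enumerate(["root", "admin", "invalid user test", "oracle", "git", "ubuntu"]):
        lines.append(_line(t0 + timedelta(seconds=100 * i), user, "203.0.113.9", 40000 + i))
    t1 = t0 + timedelta(minutes=5)
    lines += [_line(t1 + timedelta(seconds=i), f"user{i:02d}", "203.0.113.77", 42000 + i)
              for i in range(25)]
    # An unrelated successful login that the parser must ignore.
    lines.append(f"{t1:%b %d %H:%M:%S} repo sshd[4131]: Accepted publickey for "
                 "deploy from 10.20.30.41 port 52000 ssh2: RSA SHA256:c0nstructed")
    return sorted(lines)  # fixed-width timestamps, so string order is time order


if __name__ == "__main__":
    for a in detect_bruteforce(build_sample_log()):
        print(f"{a['source']}: {a['attempts']} failures in "
              f"{(a['last_seen'] - a['first_seen']).seconds}s "
              f"against {len(a['accounts'])} account(s) -> {triage(a)}")
```

The per-source window is what the firewall rule counts; the account list is the extra field worth carrying into the alert email, because a single internal host failing against a single account is almost always a script or saved session with a changed password, while one source cycling through many account names is the case worth paging someone for.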

I also like that the firewall can easily detect BitTorrent traffic, which carries all sorts of security and legal problems and is also a prodigious consumer of bandwidth. We got a ping about this as well, and once again we traced the problem to a software engineer's PC. He swore he wasn't using BitTorrent, but a review of his PC turned up an installation of Popcorn Time, an open-source client that streams movies over BitTorrent as a cost-free alternative to services such as Netflix. The engineer likes to stream movies during late-night product releases. He just hadn't thought of it as BitTorrent. After I recited our objections to such software, he promised to stop using Popcorn Time. Then I figured that if a software engineer could make that mistake, I should do a little companywide education. I will include a warning in my next quarterly security awareness email reminding employees of the policy against torrent apps, remote-control software such as LogMeIn, and hacking tools. I've received alerts about that last category too, when someone downloaded Nessus and decided to scan our data center.

Next up was something more serious: a critical alert for Rig Exploit Kit detection. Rig has been around for a little over a year and is a highly configurable exploit kit that compromises a PC through the browser and its plug-ins and can deliver a variety of payloads, including CryptoLocker, which encrypts the data on a PC so that it can't be recovered without the attacker's key or a good backup. We ran our antivirus client and an independent malware detection tool on the PC in question, but neither came up with anything. Still, the firewall was flagging the PC's traffic as matching Rig. A network-level match means the PC at least reached the kit's server, and a clean scan from two products doesn't rule out a payload they don't recognize. We couldn't risk it, and we didn't have the time to conduct a deep forensic analysis of the PC, so I had our IT department wipe the PC and reimage it. Naturally, the user was upset about the inconvenience, but after I explained the potential for harm, she understood. Was this another false positive? I don't know, but all in all I'd rather play it safe. And I'm glad we had a tool that could warn us about the problem.

Other events amounted to little more than noise, since they were all things that we really can't do anything about: SQL injection attempts, cross-site scripting, attempts to retrieve the /etc/passwd file, port scans, and repeated authentication attempts against applications that we expose to the Internet. Those are things that I consider the cost of doing business on the Internet, where the entire world could be an adversary. We don't really need a new-generation firewall to tell us about them, but I don't object to having the reminders.

But the other alerts, even the false positives, affirm my defense-in-depth strategy and my focus on hardening our outer shell and inner core. I think a new firewall is in my future.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
