Net-Ctrl Blog

The Cost of a Data Breach

May 2nd, 2018

How much does a data breach cost? So far, $242.7 million and counting if your company happens to be Equifax. That is how much the company has spent since its data breach that exposed sensitive personal and financial information for nearly 148 million consumers, according to its latest SEC filing. All because it left consumer information unencrypted and in the clear, which was highlighted in testimony before the U.S. Senate Commerce Committee last year.

To put the size and scope of Equifax’s remediation efforts in comparison, in just seven months Equifax has spent nearly what Target spent ($252 million) in two years after its 2013 data breach. Equifax will likely continue to spend millions for the next several quarters on the cleanup.

For many years analysts and security professionals have tried to estimate what a data breach can cost a company. From the expense of having to upgrade IT infrastructure and security to paying legal fees and government fines – there are a lot of costs that are both tangible and intangible. In addition, there are the impacts to a company’s stock price and the erosion of customer trust (“Will they come back?”). For management teams, it can also have a very real impact professionally. For example, the chairman and CEO of Target resigned months after the data breach, and the CEO of Equifax resigned within weeks of its data breach.

Many studies have been done to calculate the cost of a data breach, including the annual Ponemon Institute’s Cost of a Data Breach report which calculates the cost down to the data record. According to the latest Ponemon annual report, the average cost of a data breach is currently $3.62 million globally, which comes to $141 a record. In the U.S., the cost is almost double that at $7.35 million. But do these research reports actually gauge what a data breach will cost a company? At the end of the day, equating data breach damages to a “per record” cost makes data breaches just an actuarial exercise of acceptable risk.

And this kind of goes with the prevailing sentiment that data breaches don’t cost companies that much. The thinking goes like this. For the breached company, the stock price will take a hit, customers will be enraged and money will be spent notifying customers and upgrading security. But, eventually the company recovers and it’s back to normal. After all, so the thinking goes, what is a couple million dollars in IT upgrades and fines to a company that is worth $50 billion?

This type of thinking must change because we are at a tipping point on the implications of data breaches. The costs have become more real to companies and the boards who run them. CEOs and other members of the management team are now losing their jobs because data breaches now have more potential to be more life-threatening, if not killers, for companies. Take for example the TalkTalk data breach, which caused the company to lose more than 100,000 customers, and the fact that Yahoo! had to lower its purchase price by $350 million in its acquisition by Verizon. The last and most important factor is that governments are now taking notice and doing something about it. The European Union’s General Data Protection Regulation (GDPR) is a prime example of this, and countries around the world are looking at it as the model for their own regulations.

If costs and risks of data breaches are increasing (and they are), companies need a radical shift in their approach to data security if they are going to be more successful in defending the sensitive data they collect and store. With organizations extending their business to being cloud- and mobile-first, their attack surface and the likelihood of accidental data exposure continue to grow. These trends all point to a consistent theme – security needs to be attached to the data itself and the users accessing the data. Only then can companies maintain control of their data in the cloud, manage user access to cloud apps, and keep it secure when it falls into the hands of adversaries. By implementing a three-step approach – encrypting all sensitive data at rest and in motion, securely managing and storing all of your encryption keys, and managing and controlling user access – companies can effectively prepare for a breach. It’s being done by many companies today and is also a requirement for transitioning from a strategy optimized for breach prevention to a “Secure the Breach” strategy.

Download Gemalto’s Secure the Breach Manifesto to get your company prepared.

Also, download Gemalto’s 2017 Breach Level Index Report and get insights into data breach incidents by industry, source, type and region.

View the original article by Gemalto.

More than 2.5 billion records stolen or compromised in 2017

April 11th, 2018

Gemalto, the world leader in digital security, today released the latest findings of the Breach Level Index, revealing that 2.6 billion records were stolen, lost or exposed worldwide in 2017, an 88% increase from 2016. While data breach incidents decreased by 11%, 2017 was the first year publicly disclosed breaches surpassed more than two billion compromised data records since the Breach Level Index began tracking data breaches in 2013.

To learn more about the 2017 statistics and trends, register for the upcoming webinar “New Data Breach Findings: The Year of Internal Threats and Misplaced data”

Over the past five years, nearly 10 billion records have been lost, stolen or exposed, with an average of five million records compromised every day. Of the 1,765 data breach incidents in 2017, identity theft represented the leading type of data breach, accounting for 69% of all data breaches. Malicious outsiders remained the number one cybersecurity threat last year at 72% of all breach incidents. Companies in the healthcare, financial services and retail sectors were the primary targets for breaches last year. However, government and educational institutions were not immune to cyber risks in 2017, making up 22% of all breaches.

The Breach Level Index* serves as a global database that tracks and analyzes data breaches, the type of data compromised and how it was accessed, lost or stolen. Based on data breach reports collected in the Breach Level Index, the major 2017 highlights include:

  • Human error a major risk management and security issue: Accidental loss, consisting of improper disposal of records, misconfigured databases and other unintended security issues, caused 1.9 billion records to be exposed, a dramatic 580% increase in the number of compromised records from 2016.
  • Identity theft is still the number one type of data breach: Identity theft was 69% of all data breach incidents. Over 600 million records were impacted resulting in a 73% increase from 2016.
  • Internal threats are increasing: The number of malicious insider incidents decreased slightly. However, the amount of records stolen increased to 30 million, a 117% increase from 2016.
  • What a nuisance: The number of records breached in nuisance type attacks increased by 560% from 2016. The Breach Level Index defines a data breach as a nuisance when the compromised data includes basic information such as name, address and/or phone number. The larger ramification of this type of breach is often unknown, as hackers use this data to orchestrate other attacks.

“The manipulation of data or data integrity attacks pose an arguably more unknown threat for organizations to combat than simple data theft, as it can allow hackers to alter anything from sales numbers to intellectual property. By nature, data integrity breaches are often difficult to identify and in many cases, where this type of attack has occurred, we have yet to see the real impact,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “In the event that the confidentiality, or privacy, of the data is breached, an organization must have controls, such as encryption, key management and user access management, in place to ensure that integrity of the data isn’t tampered with and it can still be trusted. Regardless of any concerns around manipulation, these controls would protect the data in situ and render it useless the moment it’s stolen.”

Data Breaches by Type

Identity theft was the leading type of data breach, accounting for 69% of all incidents constituting 26% of breached data in 2017. The second most prevalent type of breach was access to financial data (16%). The number of lost, stolen or compromised records increased the most for nuisance type of data breaches (560%) which constituted 61% of all compromised data. Account access and existential type breaches decreased both in incidents and records from 2016.

Data Breaches by Industry

In 2017, the industries that experienced the largest number of data breach incidents were healthcare (27%), financial services (12%), education (11%) and government (11%). In terms of the amount of records lost, stolen or compromised, the most targeted sectors were government (18%), financial services (9.1%) and technology (16%).

Data Breaches by Source

Malicious outsiders were the leading source of data breaches, accounting for 72% of breaches, however making up only 23% of all compromised data. While accidental loss was the cause of 18% of data breaches, it accounted for 76% of all compromised records, an increase of 580% from 2016. Malicious insider breaches were 9% of the total number of incidents, however this breach source experienced a dramatic increase (117%) in the number of compromised or stolen records from 2016.

“Companies can mitigate the risks surrounding a breach through a ‘security by design’ approach, building in security protocols and architecture at the beginning,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “This will be especially important, considering in 2018 new government regulations like Europe’s General Data Protection Regulation (GDPR) and the Australian Privacy Act (APA) go into effect. These regulations require companies to adapt a new mindset towards security, protecting not only their sensitive data but the privacy of the customer data they store or manage.”

*The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious versus those that are truly impactful (scores run 1-10).

View the original post published by Gemalto.

Intelligent Security Considerations for Smarter Buildings

April 10th, 2018

In 2017 we saw a growing interest in ‘intelligent security systems’ and applications which add value beyond access control and video surveillance. As the industry continues to move towards preventative security measures (as opposed to just capturing an event after it has happened), the role of intelligent security systems and the gathering of data and analytics from multiple building systems is becoming increasingly profound.

These trends will continue in 2018 with building security deployments not only needing to pay for themselves but deliver much more than just physical security by adding measurable and strategic value to businesses. Many businesses will continue to ask, ‘How can we use our access control system to reduce operational costs and improve business efficiencies?’

One Albert Quay, Johnson Controls’ global headquarters in Cork, is a key example of how critical building systems including lighting, heating, power, access control, video, fire detection and fire suppression are utilized and connected to create one of Ireland’s smartest buildings.

One Albert Quay, one of Ireland’s smartest buildings deploys CEM Systems emerald intelligent access terminals in the reception area

Johnson Controls’ CEM Systems AC2000 security management solution supported by CEM Systems emerald intelligent access terminals provides One Albert Quay a solution that goes beyond access control to help improve operational efficiency. emerald provides a reader and controller in a single device to control access to doors and car parks with the added benefit of a built-in Voice over IP (VoIP) intercom and remote applications that enable additional functionality such as time and attendance, room booking, displaying company/site information, personalised messaging, entry checklists and more.

The smart lift system at One Albert Quay is centrally controlled with AC2000 access control and emerald terminals, and integrated with Schindler Lifts. When an employee or visitor swipes their access control card on the emerald terminal, this buttonless lift system uses automatic location choice depending on the users’ access control privileges. The smart lift system then automatically brings the card holder to the floor where they are working. This is a fast and efficient system, with zero latency between systems and enables energy harvesting for added efficiency.

For other organizations seeking to undertake a smart building development with an intelligent security system that goes beyond access control to reduce costs and enhance operations, the following should be considered:

1) Combine the use of several devices into one multi-functional unit
When deploying your security think about how you can take the functionality of typically numerous security devices and combine them into one powerful terminal for operational and cost savings. Choose intelligent card readers with reader and controller functionality combined into one device. Intelligent readers, such as the CEM Systems emerald intelligent access terminal, also have the added benefit of an internal database which ensures 24/7 access control and prevents throughput congestion and queues. Intelligent access terminals and combined solutions such as combining intercom functionality into the access control solution also take this multi-functional concept to a new level. CEM Systems emerald intelligent access terminals offer combined card reader and controller functionality, fully integrated Voice over IP intercom for bi-directional communication, on-board Power over Ethernet (PoE) technology and a range of remote server-based smart applications all in one single, powerful terminal.


CEM Systems emerald intelligent access terminal with in-built intercom

2) Intelligent smart applications
‘Smart applications’ that allow users to perform tasks such as accessing visitor information, card holder messages or integrated staff time and attendance, without the need for a dedicated client PC, bring intelligence which previously resided on the access control database closer to the door. Using a range of smart applications directly on the CEM Systems emerald terminal, users can perform what was historically client PC application functionality without the need to install dedicated PC software and licenses.

3) Smart room booking
An intelligent access terminal with a room booking interface that allows users to book a room, edit a booking and check room availability all at the door removes the need for a separate room booking interface. Using CEM Systems emerald intelligent access terminals you can conveniently book company meeting rooms at the door with a valid card swipe or through Microsoft Outlook® exchange calendar.


CEM Systems emerald room booking

4) Smart access administration
Applications that provide administrators the autonomy to locally change cardholder privileges at a door terminal, rather than at a workstation or central ID unit, can save time and costs. CEM Systems emerald provides a smart ‘Local Access’ application to solve the operational problem of last minute staff rescheduling and the need to urgently provide out-of-facility, temporary workers with access to restricted areas.

5) Smart operational modes
Intelligent access terminals that provide enhanced security checks such as displaying an image of the card holder on swipe allow for visual verification by security staff to limit card sharing. Terminals that also provide a checklist upon entry or exit can help ensure health and safety policies are adhered to. CEM Systems emerald intelligent terminals feature a range of sophisticated door modes such as an ‘image on swipe’ mode and a building ‘entry/exit checklist’ mode that is particularly beneficial within the construction sector as it enables workers to answer a list of pre-defined questions (such as do you have the correct permits, clothing and training, etc.) before access is granted on site.


CEM Systems emerald intelligent terminal ‘entry/exit checklist’ door mode

6) Centralized gathering of building data and analytics
Intelligent security shouldn’t be about capturing the event after it has happened. Using collaborative building data and analytics you can pre-empt vulnerabilities before they happen and optimize total building performance. To enable the centralized gathering of building data and to manage the alarms of various building systems and multiple sites, use one unified security platform. For example the CEM Systems AC2000 Security Hub enables the centralised command and control of integrated building systems and wireless/offline locks via the AC2000 access control system. Using this platform systems can accurately share information and data, which can then be used to optimize total building performance.


CEM Systems AC2000 Security Hub – centralized security management for the real-time monitoring and control of alarms and events

7) Smart portable security
Portable card readers are a great example of a smart solution which continues to solve the customer problem of securing areas with no fixed wall barriers or gates. Harland & Wolff’s engineering facilities in Northern Ireland deployed CEM Systems S3040 portable hand-held card readers at dry dock areas which created measurable efficiency gains by successfully bringing their evacuation drill mustering time from 45 minutes down to 9 minutes.


CEM Systems S3040 portable handheld reader

8) Smart cards and mobile credentials
When choosing a card reader in 2018 opt for readers that offer the highest level of built-in smart card technology. For user convenience also check with your security supplier if they offer pre-personalised smart cards with encrypted algorithms. Another growing trend in the industry, and an example of how the access control system is getting smarter for users, is the use of mobile phone credentials. Smartphones as a form of credential are now a perfectly viable option. The benefit of the mobile credential is that it saves the operational time and cost of physically sending out an ID card, making it ideal for businesses with remote workers and numerous remote sites.

9) Integrated biometrics
Quite often the option to use biometrics with access control can mean two pieces of software being used in parallel, as well as two separate networks and two separate security devices at the door. When choosing biometrics opt for a fully integrated access control and biometric solution. The CEM Systems emerald intelligent fingerprint access terminal, together with AC2000 access control software, removes the need for two separate pieces of software. Using one software, one network and one device creates a quicker biometric read time, fewer errors at the door and ultimately fewer lines of throughput traffic at access control points.


CEM Systems emerald intelligent fingerprint terminal

Conclusion

When deploying your security system in 2018, think about your operational pain points and ask the question: “Can my security system be utilized beyond access control to either reduce costs, enhance site operations or to aid the gathering of smart building data and analytics?”

View the original blog at CEM Systems.

You Don’t Know What You’re Missing on Your Network

March 27th, 2018

Today’s cyber threats hide in plain sight amidst your network traffic, making them nearly impossible to defend against. These advanced threats use applications as their infiltration vector, exhibit application-like evasion tactics and they leverage commonly used network applications for exfiltration.

Legacy point products are blind to much of what goes on in the network. Hackers exploit this.

Net-Ctrl and Palo Alto Networks are offering an assessment that reveals the Unknown in your network.

Here is some of what you will see:

  • Malware and spyware on your network
  • Unauthorised applications
  • Violations of your security policies
  • Malicious websites employees are accessing
  • Non-work-related applications and activity
  • Shadow IT

How it works: We put the Palo Alto Networks® Next-Generation Security Platform on your network to passively monitor traffic for just one week.

We deliver to you the Security Lifecycle Review (SLR). The SLR reveals under-the-radar activity on your network and the risks to your business. We meet with you to explain the findings, answer your questions, and offer practical recommendations. The SLR is cost-free, risk-free and obligation-free.

To schedule or learn more about the SLR, please complete our Contact Form and we will schedule a call with one of our engineers.

Secure Wi-Fi Access Using Dynamic Pre-Shared Keys

March 7th, 2018

You’ve heard us talk a lot about digital certificates as a way to deliver secure onboarding and network authentication in support of Bring Your Own Device (BYOD) initiatives. Digital certificates provide a much higher level of security than conventional pre-shared keys, which are typically the default method of providing Wi-Fi network access for internal BYOD users. You may remember Ruckus’ previous blog about the security problems associated with conventional PSKs and MAC authentication.

Certificates ensure that every session is secure because data in transit is encrypted using WPA2-Enterprise, as well as providing a variety of other security measures. Certificate-based authentication also improves end-user and IT experience because as long as the certificate remains valid, users don’t have to enter login credentials again after initial onboarding.

Digital certs are often not appropriate for guest users though—in which case a technology called a dynamic pre-shared key (DPSK) can help optimise both security and usability.

Why Not Just Use Digital Certificates for Guest Wi-Fi Access?

Certificates work great for internal BYOD users, who need network access on an ongoing basis. However, they require the user to download and install the certificate on their device as part of the onboarding process. You could take this approach for guest users too—the up-front investment of time for the user is not onerous. But it probably does not make sense from a usability perspective for someone who will only be in your environment for an hour or a day. And yet you don’t want to revert to default measures such as conventional PSKs and MAC authentication due to the security issues mentioned previously. Ideally, you want to employ an alternative method that provides similar security benefits while not asking the guest user to download a certificate.

Why Dynamic Pre-Shared Keys Are the Answer for Guest Wi-Fi Access

Dynamic pre-shared keys are a Ruckus-patented technology found in Cloudpath Enrollment System, our software/SaaS platform for delivering secure network access for BYOD, guest users, and IT-owned devices (including IoT devices). DPSKs fit the guest access use case perfectly. With DPSKs, each user gets a unique access code for Wi-Fi access, which the Cloudpath system provides by SMS, email, or even printed voucher.

Organisations usually let guest users access only the internet—not internal network servers—over the wired/wireless connection. You still want to associate every device with a user, perform an up-front posture check during onboarding, and apply relevant policies. It’s also important to be able to revoke access at any time for specific users and devices. (Imagine if you became aware that a visitor was using that network connection to do something malicious such as sending spam emails linking to a phishing site. You’d want to revoke their access in a hurry. Now, we’re sure your guests would not do that, but better safe than sorry.) Encryption for data in transit may not be as critical for guest users, but it’s not a bad idea either.

The DPSK method for network authentication, in the context of Cloudpath Enrollment System, lets you do all of these things. Since it does not require the user to install a certificate, you increase security while also optimising usability for your visitors.

The “D” in DPSK Makes All the Difference for Secure Wi-Fi

DPSK and PSK can’t be that different, right, since only a “D” separates them? Quite the opposite! Most of the security measures referenced above simply don’t exist with a conventional PSK. That’s why we are so careful to use the term “conventional” or “traditional” when we refer to the garden-variety PSK. Sure, it encrypts data between the device and the access point. But that’s where the similarity ends. Using conventional PSKs, you could potentially direct guests to a separate SSID with only internet access, supplying them with the relevant PSK. But they could share that PSK with anyone or use it past the time of their visit.

Remember, with traditional PSKs everyone accessing a given SSID uses the same key. With DPSKs, each guest user gets his or her own access key. That “D” in front of PSK makes all the difference because it provides much greater security for users, devices, and the network. Think of the DPSK as a precision surgical scalpel in comparison to the blunt instrument that is the PSK. Organisations often also use MAC authentication via captive portal for providing guest access—which also fails to provide adequate levels of protection. (Once more, refer to our previous blog to understand the shortcomings of the default methods, which the patented DPSK technology in Cloudpath software addresses.)
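To make the per-guest key idea concrete, the following is an added example, not code from the original post and not Ruckus or Cloudpath code. It models an access point checking a WPA2-Personal handshake against a registry of per-guest keys, using the standard passphrase-to-PMK and PTK derivations; the SSID, MAC addresses, class names, the stand-in handshake frame and the expiry, revocation and first-use device-binding policies are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SSID = "Example-Guest"  # constructed SSID, not from the post


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """First 16 bytes of the PTK: the key that authenticates handshake frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for i in range(3):  # 3 x 20-byte SHA-1 blocks cover the 48-byte CCMP PTK
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return ptk[:16]


def handshake_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1 truncated to 128 bits, as used for the WPA2 handshake MIC."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


@dataclass
class GuestKey:
    user: str
    pmk: bytes
    expires_at: float
    revoked: bool = False
    bound_mac: Optional[bytes] = None  # set on first successful use


class DpskRegistry:
    """Hypothetical per-guest key store; with a conventional PSK this would be one key."""

    def __init__(self, ssid: str):
        self.ssid = ssid
        self.keys = []

    def issue(self, user: str, valid_for_s: float, now: float) -> str:
        passphrase = secrets.token_urlsafe(12)  # 16 characters, unique per guest
        self.keys.append(GuestKey(user, derive_pmk(passphrase, self.ssid),
                                  now + valid_for_s))
        return passphrase  # delivered out of band (SMS, email, voucher)

    def revoke(self, user: str) -> None:
        for key in self.keys:
            if key.user == user:
                key.revoked = True

    def authenticate(self, ap_mac, sta_mac, anonce, snonce, frame, mic, now):
        """Return the guest whose key produced this MIC, or None."""
        for key in self.keys:
            if key.revoked or now >= key.expires_at:
                continue
            if key.bound_mac not in (None, sta_mac):
                continue  # assumed policy: a key stays with its first device
            kck = derive_kck(key.pmk, ap_mac, sta_mac, anonce, snonce)
            if hmac.compare_digest(handshake_mic(kck, frame), mic):
                key.bound_mac = sta_mac
                return key.user
        return None


def client_message2(passphrase, ssid, ap_mac, sta_mac, anonce):
    """Client side: prove knowledge of the passphrase without sending it."""
    snonce = secrets.token_bytes(32)
    frame = b"constructed stand-in for EAPOL-Key message 2" + snonce
    kck = derive_kck(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return snonce, frame, handshake_mic(kck, frame)


def demo() -> dict:
    reg = DpskRegistry(SSID)
    ap = bytes.fromhex("020000000001")  # constructed, locally administered MACs
    alice_dev, bob_dev, other_dev = (bytes.fromhex(m) for m in
                                     ("0200000000a1", "0200000000b1", "0200000000c1"))
    now = 1000.0
    alice_key = reg.issue("alice", 3600, now)
    bob_key = reg.issue("bob", 3600, now)

    def attempt(passphrase, sta, t):
        anonce = secrets.token_bytes(32)
        snonce, frame, mic = client_message2(passphrase, SSID, ap, sta, anonce)
        return reg.authenticate(ap, sta, anonce, snonce, frame, mic, t)

    results = {"alice_first": attempt(alice_key, alice_dev, now + 10),
               "alice_key_on_other_device": attempt(alice_key, other_dev, now + 20)}
    reg.revoke("alice")  # only Alice loses access; Bob's key is untouched
    results["alice_after_revoke"] = attempt(alice_key, alice_dev, now + 30)
    results["bob_after_alice_revoked"] = attempt(bob_key, bob_dev, now + 40)
    results["bob_after_expiry"] = attempt(bob_key, bob_dev, now + 3601)
    return results


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name}: {who}")
```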

Digital Certificates and DPSKs—Secure Network Access for BYOD, Guest and Even IoT Devices

In summary, digital certificates and DPSKs are a great tandem. Cloudpath Enrollment System uses both technologies for streamlined secure onboarding and network authentication. It supports both internal users (with digital certificates) and guest users (typically with DPSKs). Cloudpath software also supports IT-owned devices. As IoT devices become more common in enterprise environments, schools, and institutions of higher education, certificates and DPSKs are also a great way to securely support those devices. DPSKs will be especially important for consumer IoT devices that make their way into enterprise environments because many of those devices are not equipped to accept certificates. But that’s a topic for another blog.

View the original post at The Ruckus Room.

Ruckus: Get Wired for Success!

March 5th, 2018

You’ve just bought a brand new sports car, one that can do zero to 60 in under four seconds and you are excited to try it out. But all you have to drive it on is a gnarly, rutted, steep and rocky dirt road. Good luck taking advantage of all that horsepower.

That’s the analogy Department of Health and Services CIO Beth Killoran used to describe the current challenge facing federal IT modernization initiatives. New technologies, from cloud computing and mobility to big data and the Internet of Things, are promising increases in efficiency and the ability to increase mission success, but some organisations are still lacking the basic infrastructure investment to make full use of them. The old infrastructure put in place just wasn’t designed to handle today’s IT environment.

Wired Isn’t Dead

Increasingly, users are connected to networks via exclusively wireless means, whether from mobile phones, tablets or laptops. Yet, while fewer devices will be relying on a direct wired connection to the network, they are still out there: desktops, VoIP devices, even many IoT devices and network-connected operational technology. All of these devices remain central to agency missions and crucial to end-user satisfaction.

Wireless affords increased mobility, which enables increased efficiency and worker satisfaction. But behind every strong wireless deployment, there must exist an equally strong, wired network as well. It is the part that connects your wireless end-points to your datacenter and the outside world and many devices will continue to connect directly to it for some time. This means that as part of your network modernisation strategy, wired has to remain an important part of the mix.

The Benefits of Ruckus ICX Switches

In buildings with potentially thousands of active users and high density, networks must be able to scale to the increasing per capita bandwidth demand. Often that means squeezing more throughput into smaller spaces.

The Ruckus ICX line of campus switches gives networking capabilities that can grow to agency scale without hassle with their small form factors and high throughput. They are small, low profile and easily stack as network demands increase.

Most importantly, ICX switches allow organisations to manage their wired and wireless infrastructure using the same management tools, minimising software complexity and spending overhead.

Wireless Networks Are the Future. But So Are Wired.

Wireless is undoubtedly the future of IT, but the very convenience and ease with which wireless devices connect to the network is a threat if the wired infrastructure that supports it does not also keep pace.

With new waves of IT modernisation, organisations need to ensure their wireless and wired infrastructure are keeping pace. Otherwise, what’s the point of that nice car?

For more information on Ruckus ICX Switches and how they can allow you to scale your networks, please visit https://www.ruckuswireless.com/products/campus-network-switches/ruckus-icx-family-switches

Announcing PAN-OS 8.1: Streamline SSL Decryption, Accelerate Adoption of Security Best Practices

February 23rd, 2018

Palo Alto Networks are pleased to announce PAN-OS 8.1, the latest version of the software that powers our next-generation firewalls. This release enables you to easily adopt application-based security, removes barriers to securing encrypted traffic, simplifies management of large networks and helps you quickly identify advanced threats in conjunction with Magnifier for behavioral analytics.

Let’s look at some of these enhancements in detail.

Simplified App-Based Security

App-ID classifies all traffic, including SaaS, traversing your network so you can safely enable desired applications and block unwanted ones. PAN-OS 8.1 makes it easier to adopt and maintain an application-based security policy.

  • Eliminate security risk: The new rule usage tracking tools empower organizations to review and confidently remove obsolete application-based policy rules as well as retire legacy rules – based on when a rule was last hit – to eliminate holes that create security risks.
  • Easily adopt new apps: Adopting new App-IDs, which used to be released weekly, usually requires a policy review. Now, new App-IDs are released on the third Tuesday of every month, giving you time to review the effect of the new App-ID and change policy if needed. New capabilities enable you to easily understand the impact of new and modified App-IDs on your traffic and policy.
  • Safely enable SaaS usage: SaaS applications host sensitive data, and you need to ensure data is stored in secure, compliant SaaS services. To add to existing capabilities, such as application filters, application characteristics and visibility, you can now use new SaaS application characteristics, such as lack of certifications, poor terms of service, history of data breaches and so on, to view and control their usage. In addition, the next-generation firewall can now add HTTP headers to SaaS app requests to granularly allow access to enterprise accounts while preventing access to free and consumer accounts.

Streamlined SSL Decryption

Most enterprise web traffic is now encrypted, and attackers exploit this to hide threats from security devices. The new Decryption Broker feature removes all barriers to securing encrypted traffic. Our next-generation firewall now decrypts the traffic, applies security and load balances decrypted flows across multiple stacks of security devices for additional enforcement. This eliminates dedicated SSL off-loaders, reducing network complexity and making decryption simple to operate.

Performance Boost for Internet-Edge Security

  • Secure the high-speed internet edge: The Palo Alto Networks PA-3200 Series of next-generation firewalls comprises the PA-3260, PA-3250 and PA-3220. These appliances deliver up to five times the performance, up to seven times the decryption performance and up to 20 times greater decryption session capacity of existing hardware, making them ideal for securing all internet-bound traffic, including encrypted traffic.
  • Secure large data centers and high-performance mobile networks: The Palo Alto Networks PA-5280 is the latest addition to the PA-5200 Series appliances. It prevents threats, safely enables applications, and is suitable for mobile network environments as well as large enterprise datacenters. The PA-5280 offers security at throughput speed of 68 Gbps and session capacity of 64 million.
  • Secure industrial deployments: Palo Alto Networks PA-220R ruggedized appliance brings next-generation capabilities to industrial applications in harsh environments. Read the blog post for more information.

Improved Efficiency and Performance for Management

Panorama 8.1 provides greater efficiency for teams that manage physical and virtual appliances running PAN-OS. Using variables in templates, you can now leverage common configuration across many devices while substituting device-specific values in place of IP addresses, IP ranges, FQDNs and more. With device health monitoring, Panorama provides a deployment-wide view into the health and status of your next-generation firewalls. Trending of critical system resources up to 90 days helps you identify gradual changes in your environment. Proactive monitoring automatically creates alerts when substantial changes occur in the utilization of critical device resources, ensuring you’re the first to know.

In addition, new M-600 and M-200 appliances deliver high-performance management.

Advanced Threat Detection and Prevention

  • Advanced threat detection. Updates to WildFire include dynamic unpacking, which defeats packing techniques attackers use to evade detection.
  • Prevention everywhere. This update has improved detection of malware targeting Linux servers and IoT devices. Plus, you can detect and prevent malware moving freely inside the network with new SMB protocol support and find malware hiding in less common file archive formats, including RAR and 7z (from 7-Zip).
  • Rich data for analytics. Enhanced application logs evolve next-generation firewalls into advanced network sensors for analytics, including Application Framework apps. Magnifier uses this data to allow customers to identify advanced attacks, insider threats and malware with precision.

Palo Alto Networks Next-Generation Firewall provides effective protections you can use, automates tasks so you can focus on what matters and enables you to consume innovations quickly. The new capabilities in PAN-OS 8.1 allow you to accelerate the adoption of next-generation security best practices so you can prevent the most advanced threats and safely enable your business.

To learn more, visit the PAN-OS 8.1 security page.

View the original post by Palo Alto Networks.

Striking a Balance Between Education Technology and IT Control

February 22nd, 2018


K-12 education has a culture of teacher independence in the classroom, meaning that as long as teachers are covering their curriculum, they have the freedom to use the materials and methods they choose to augment the textbook and curriculum. In today’s technology-focused classrooms, this freedom comes with more risk than ever before. That is why it’s critical that school districts balance the need for educational freedom with their responsibility to keep students and teachers safe while accessing online educational services.

Early Adopters in the Classroom

Sometimes, when teachers deem a website important they will intentionally circumvent IT restrictions or become very vocal about having the right to use digital assets that improve instruction. Going beyond the merits of educational value, many teachers are paid based on performance and will view restrictions on educational content as a threat to their salary.

Technology-minded teachers are typically early adopters of new education technology. These are the people most critical to district-level IT teams: they provide valuable feedback and recommendations for district-wide technology deployments. However, they are also the most likely people to circumvent IT and deploy rogue software if they are unhappy with the approved (and supported) solutions.

Early adopters were the first people who started using freeware and classroom management software such as Dojo, Edmodo, and Google Works, many times without IT knowing. In an ideal world, IT would meet with these teachers ahead of time, deploy test solutions in a controlled environment, work through the kinks and then deploy the software at an enterprise level so every teacher could access the solution safely and efficiently.

While it is with good intentions, when teachers circumvent IT and choose their own software management tools, they tend to overlook many potential issues. Typically, when they deploy their own software, they don’t have the benefit of single sign-on and class rosters. This means that teachers must manage access themselves as students enter and leave throughout the year. Oftentimes, teachers overlook security concerns, potential issues with device operating systems, or even the origins of the software if they see a benefit for the students. While their heart is in the right place, this is why teachers are not given administrative access.

How to Strike a Balance

This is where a balance needs to be found between IT and teachers. Should school districts only allow teachers to use district prescribed software? Or should they allow them to continue testing and using these new solutions?

It is important to recognize the incredibly fast pace of classroom technology adoption over the past 30 years. Think about how fast education technology can become outdated. Just a few years ago, classrooms with one shared computer were considered advanced, but today many districts have devices for every student.

This pace puts tremendous pressure on school districts to stay current and adopt new solutions quickly. When I was the CIO of Miami-Dade County Schools, I wanted to know what teachers were using outside of IT’s management in order to stay ahead of the trends. Grassroots adoption and word-of-mouth promotion can happen very quickly. Once a teacher promotes curriculum or classroom management software, other teachers will most likely follow. It’s critical that IT administrators do everything they can to work with teachers at a reasonable pace.

Like many large school districts around the country, our IT teams and teachers at Miami-Dade County Schools were constantly challenged by high mobility and turnover of staff and students. This could often lead to professional development and security concerns if we changed software solutions quickly. Situations like this are where allowing teachers to select their own solutions can become important.

One way for school districts to strike a balance is to get teachers more involved in technology decisions. Many successful districts have created committees made up of teachers, information technology, instructional technology, and curriculum experts who are tasked with quickly vetting a solution and deciding if it should be allowed or denied based on pre-established criteria.

The district requirements can be updated regularly and should be formatted into simple yes-or-no questions so all committee members can easily evaluate them. Keeping the number of evaluation criteria to 10 or fewer would make the process quick and easy. Once the software is vetted and approved, technicians would be able to download it to teacher and student devices, or network security would open the software to teachers and/or students.

To learn more about cybersecurity in K-12 schools read our latest whitepaper: K-12 Cybersecurity Involves More Than Just CIPA Compliance

View the original press release by iboss.

Ruckus Introduces IOT Suite to Enable Secure IOT Access Networks

February 22nd, 2018

Suite Consolidates Disparate IoT Networks to Deliver Secure IoT Deployments to Enterprises and Organisations, Speeding Time-to-ROI and Reducing Deployment Costs

Ruckus Networks, an ARRIS company, today announced the Ruckus IoT Suite, which enables organisations to readily construct a secure IoT access network that consolidates multiple physical-layer IoT networks into a single network. The Ruckus IoT Suite further speeds time-to-return-on-investment (ROI) and reduces deployment cost by allowing for the use of common infrastructure between the wireless local area network (WLAN) and the IoT access network.

According to market research firm IDC, IoT edge infrastructure is emerging as a key growth domain and an enterprise priority to support the burgeoning IoT applications space. Within the IoT edge infrastructure market— expected to reach nearly $3.4B by 2021— network equipment is the fastest-growing segment, with compound annual growth (CAGR) in excess of 30%, driven by the need for application continuity and high performance coupled with reliable and secure connectivity.

“Secure IoT network deployments in the enterprise have not yet taken off due to a fragmented market with point solutions serving one-off applications or use cases,” said Rohit Mehra, vice president, network infrastructure, IDC. “A multi-standard IoT access network that leverages existing hardware, software and security capabilities at the edge is a must for most organisations to deploy IoT. The Ruckus IoT Suite addresses these specifics and is a good first step to enabling broader multi-mode IoT network rollouts.”

“Organisations are looking to the IoT to help improve operational efficiencies, increase revenue and enhance the customer experience, but their ability to do so is constrained by today’s siloed IoT networks,” said Dan Rabinovitsj, president, Ruckus Networks. “Ruckus is addressing the market by providing the critical ‘glue’ between the world of sensors, cameras and things with the world of big data and analytics. Not only have we addressed the fragmentation at the PHY layer, we have created an open API to both public and private clouds which permits easy and secure integration with a variety of partners.”

Building a Consolidated IoT Access Network

An IoT access network must consolidate multiple access technologies while delivering the provisioning, management and security capabilities found in modern IP-based networks. Such a network must facilitate inter-endpoint communication and provide integration with analytics software and services. The Ruckus IoT Suite consists of:

  • Ruckus IoT-ready access points (APs)—APs that accommodate Ruckus IoT modules to establish multi-standards wireless access for Wi-Fi and non-Wi-Fi IoT endpoints; and translate non-Internet protocol (IP) endpoint communications into IP.
  • Ruckus IoT Modules—Radio or radio-and-sensor devices that connect to a Ruckus IoT-ready AP to enable endpoint connectivity based on standards such as Bluetooth Low Energy (BLE), Zigbee and LoRa protocols.
  • Ruckus SmartZone™ Controller—A WLAN controller that provides a single management interface for both the WLAN and the IoT access network.
  • Ruckus IoT Controller—A virtual controller, deployed in tandem with a Ruckus SmartZone OS-based controller, that performs connectivity, device and security management functions for non-Wi-Fi devices; facilitates endpoint co-ordination, and provides APIs for northbound integration with analytics software and IoT cloud services.

Securing the IoT Access Network and IoT Endpoints

Security concerns top the list of factors that contribute to IoT solution deployment delays. The Ruckus IoT Suite addresses such concerns through a multi-layered approach, including digital certificates, traffic isolation, physical security and encryption.

Enabling the IoT Solution Ecosystem

Enterprises and organisations implementing IoT must reduce the payback period and increase ROI in order to justify deployments. By establishing inter-IoT solution policies with industry-leading operational technology and customer technology, solution providers’ organisations can more quickly realise IoT investment gains. Using a Ruckus IoT access network and solutions from Ruckus IoT ecosystem partners offers benefits to hotels, schools and universities, and smart cities by improving end user experiences.

The Ruckus IoT Suite will be generally available in the second quarter of 2018. To learn more, visit Ruckus Networks.

Ecosystem Partner Quotes

“As the world’s leading lock manufacturer for enabling smart, connected locks for hoteliers, which seamlessly allow guests to unlock a room with a quick swipe of a keycard or mobile device, we deliver network-based locks with online capabilities that maximise operations, guest services and security,” said Cris Davidson, vice president of key accounts, ASSA ABLOY Hospitality. “The company is able to continue its mission of providing enhanced security solutions to the hospitality industry by partnering with like-minded businesses that strive to continuously enhance and streamline the technologies for increasing hotel security. We are excited to team with Ruckus Networks to enable this secure, online connectivity for our door locks over the new Ruckus IoT Suite.”

“The IoT enables cities and businesses to operate more efficiently, deliver innovative services and enable new business models,” said Von Cameron, vice president, Americas, Actility. “Our collaboration with Ruckus Networks, bringing together our ThingPark IoT connectivity platform and their new IoT Suite, provides an easy-to-use platform that allows organisations of all sizes to connect smart, cost-effective devices with a LoRaWAN network. We are excited to collaborate with Ruckus and enable an innovative and cost-effective new deployment model, which will accelerate deployments for the large and fast-growing customer ecosystem developing around Actility LoRaWAN solutions.”

“Our collaboration allows IoT users to experience a seamless integration between IBM’s IoT and analytics platform and edge devices supported by Ruckus’ IoT suite,” said Bernard Kufluk, Watson IoT platform product manager, IBM. “Users can now capture data from various edge devices, running on the Ruckus IoT network. Data can then be analysed at the edge using IBM Watson’s IoT Edge Analytics, which is integrated with the Ruckus IoT Suite and in the cloud. We look forward to continuing this strong collaboration.”

“Our collaboration with Ruckus Networks enables our users to locate their items more rapidly, regardless of their location,” said Ravi Adusumilli, vice president of business development, Tile. “Our portfolio of Tile devices works flawlessly with the Ruckus IoT Suite to deliver a unique experience for our customers around the globe. Customers will now be able to track their things anywhere.”

“We are collaborating with Ruckus Networks to develop new innovative applications in key vertical markets for the Internet of Things,” said Philipp von Gilsa, CEO, Kontakt.io. “Our next-generation (sensor enriched) products promise to reduce the overall costs for asset tracking and location-based services without the need for costly radio networks and power-hungry GPS tracking solutions. We look forward to bringing these new innovations to market with Ruckus.”

“TrackR helps businesses locate assets tagged with TrackR devices anywhere in a building by leveraging the Ruckus IoT Suite,” said Christian Johan Smith, president & co-founder, TrackR. “Ruckus ecosystem partners can leverage TrackR in the Ruckus IoT environment to improve operational efficiency and engage customers like never before. Partnering with Ruckus Networks will provide our customers with a stronger, more robust Crowd Locate network, so finding things outside the home will be even faster and easier.”

View the original press release by Ruckus Wireless.

Palo Alto Networks Adds to Its Next-Generation Firewall Lineup With New Hardware That Speeds Decryption and Improves Performance

February 22nd, 2018

New PAN-OS Release Simplifies Decryption and Helps Organizations Use Best Practices to Improve Security Posture

Palo Alto Networks®, the next-generation security company, today announced new hardware and updates to its PAN-OS® operating system that further enable organizations to easily implement and automate best practices for application-based controls that strengthen security. With today’s announcement, Palo Alto Networks introduces PAN-OS version 8.1, the PA-3200 Series, the PA-5280, the ruggedized PA-220R and two new models in the M-Series management appliances.

Every organization requires visibility into network traffic in order to prevent successful cyberattacks, but the proliferation of encryption has obstructed the view security teams once had into the data traversing their networks. Gartner predicts that “Through 2019, more than 80 percent of enterprises’ web traffic will be encrypted.”1 Gartner also predicts that “During 2019, more than fifty percent of new malware campaigns will use various forms of encryption and obfuscation to conceal delivery, and to conceal ongoing communications, including data exfiltration.”1

According to Palo Alto Networks, many organizations have not yet addressed the lack of visibility associated with encrypted traffic due to the complexity and performance impact of decryption, leaving those that do not decrypt network traffic without the ability to find and prevent over half of malware campaigns.

The new Palo Alto Networks PAN-OS operating system, version 8.1, reduces the complexity surrounding the implementation of cybersecurity best practices, including those associated with SSL-decryption within multi-vendor environments. New next-generation firewall models improve overall performance and enable customers to decrypt traffic at high speeds. Enhanced application logging adds additional richness to log data to improve the precision of Magnifier’s behavioural analytics with which customers rapidly hunt down and stop advanced threats.

Key benefits of the capabilities announced today include:

  • Easier adoption of SSL-decryption in multi-vendor environments: Streamlined SSL decryption provides high-throughput decryption on the next-generation firewall and enables sharing of cleartext traffic with chains of devices for additional enforcement, such as DLP. This further eliminates the need for dedicated SSL offloaders, simplifying deployment, network architecture and operations.
  • 20X decryption sessions capacity boost at internet edge: With 20 times more SSL-decryption sessions capacity compared to its predecessor, the new PA-3200 Series appliances deliver high-performance decryption at the internet edge. The new PA-5280 appliance brings higher performance and doubles the session capacity for securing large data centers and mobile network operators, or MNO, infrastructures.
  • Efficient adoption of best practices: App-ID™ technology-based security can now be achieved with even simpler workflows and policy review tools, allowing administrators to more effectively and confidently enforce best practices for application controls. Further, administrators can maintain a tight and effective app-based security policy with enhanced rule usage tracking.
  • Management at scale: New capabilities simplify the management and operational complexities of large, distributed deployments. The proactive device monitoring feature in Panorama™ management alerts the administrator if device behaviour is deviating from the norm. With little manual effort, the feature can be integrated into an automated workflow to enable operations teams to quickly perform remediation actions. New M-600 and M-200 management appliances deliver high performance, with log ingestion rates up to two times those of their predecessors and double the log storage capacity.
  • Advanced threat detection and prevention: Updates to the WildFire® cloud-based threat analysis service enable customers to detect zero-day malware using evasive packing techniques, spot malware targeting Linux servers and IoT devices, and find malicious files hiding in less common file archive formats, such as 7-Zip and RAR.
  • Quick detection of targeted attacks: The next-generation firewall evolves to become an advanced network sensor that collects rich data for analytics, which can be easily expanded with content-based updates. As part of the Application Framework, Magnifier uses this data to enable customers to identify advanced attacks, insider threats and malware, with precision.

QUOTES
“The increasing volume of encrypted traffic means that visibility is now more important than ever. Buyers are rolling out tightly integrated security solutions, and are looking for network traffic decryption that’s built into existing cybersecurity infrastructure because it removes complexity, allowing security to function as a business enabler, rather than an inhibitor.”
– Jeff Wilson, senior research director, Cybersecurity Technology, IHS Markit

“PAN-OS version 8.1 introduces many new features to help organizations improve their security and manageability in easy-to-implement ways. The new next-generation firewall and management appliances allow for significantly greater throughput, especially for encrypted traffic, and greater scale. The combined capabilities of our next-generation firewalls and PAN-OS version 8.1 are a major step forward in our mission to help organizations prevent successful cyberattacks.”
– Lee Klarich, chief product officer, Palo Alto Networks

PRICING AND AVAILABILITY

PAN-OS 8.1 will be available to all current customers of Palo Alto Networks with valid support contracts in March. The PA-220R, PA-3200 Series, PA-5280, M-200 and M-600 are orderable on February 26, starting from $2,900 up to $200,000.

1 Gartner, “Predicts 2017: Network and Gateway Security,” Lawrence Orans et al, 13 December 2016

View the original press release by Palo Alto Networks.

More than 2.5 billion records stolen or compromised in 2017

April 11th, 2018

Gemalto, the world leader in digital security, today released the latest findings of the Breach Level Index, revealing that 2.6 billion records were stolen, lost or exposed worldwide in 2017, an 88% increase from 2016. While data breach incidents decreased by 11%, 2017 was the first year publicly disclosed breaches surpassed more than two billion compromised data records since the Breach Level Index began tracking data breaches in 2013.

To learn more about the 2017 statistics and trends, register for the upcoming webinar “New Data Breach Findings: The Year of Internal Threats and Misplaced data”

Over the past five years, nearly 10 billion records have been lost, stolen or exposed, with an average of five million records compromised every day. Of the 1,765 data breach incidents in 2017, identity theft represented the leading type of data breach, accounting for 69% of all data breaches. Malicious outsiders remained the number one cybersecurity threat last year at 72% of all breach incidents. Companies in the healthcare, financial services and retail sectors were the primary targets for breaches last year. However, government and educational institutions were not immune to cyber risks in 2017, making up 22% of all breaches.

The Breach Level Index* serves as a global database that tracks and analyzes data breaches, the type of data compromised and how it was accessed, lost or stolen. Based on data breach reports collected in the Breach Level Index, the major 2017 highlights include:

  • Human error a major risk management and security issue: Accidental loss, consisting of improper disposal of records, misconfigured databases and other unintended security issues, caused 1.9 billion records to be exposed, a dramatic 580% increase in the number of compromised records from 2016.
  • Identity theft is still the number one type of data breach: Identity theft was 69% of all data breach incidents. Over 600 million records were impacted resulting in a 73% increase from 2016.
  • Internal threats are increasing: The number of malicious insider incidents decreased slightly. However, the amount of records stolen increased to 30 million, a 117% increase from 2016.
  • What a nuisance: The number of records breached in nuisance type attacks increased by 560% from 2016. The Breach Level Index defines a data breach as a nuisance when the compromised data includes basic information such as name, address and/or phone number. The larger ramification of this type of breach is often unknown, as hackers use this data to orchestrate other attacks.

“The manipulation of data or data integrity attacks pose an arguably more unknown threat for organizations to combat than simple data theft, as it can allow hackers to alter anything from sales numbers to intellectual property. By nature, data integrity breaches are often difficult to identify and in many cases, where this type of attack has occurred, we have yet to see the real impact,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “In the event that the confidentiality, or privacy, of the data is breached, an organization must have controls, such as encryption, key management and user access management, in place to ensure that integrity of the data isn’t tampered with and it can still be trusted. Regardless of any concerns around manipulation, these controls would protect the data in situ and render it useless the moment it’s stolen.”

Data Breaches by Type

Identity theft was the leading type of data breach, accounting for 69% of all incidents constituting 26% of breached data in 2017. The second most prevalent type of breach was access to financial data (16%). The number of lost, stolen or compromised records increased the most for nuisance type of data breaches (560%) which constituted 61% of all compromised data. Account access and existential type breaches decreased both in incidents and records from 2016.

Data Breaches by Industry

In 2017, the industries that experienced the largest number of data breach incidents were healthcare (27%), financial services (12%), education (11%) and government (11%). In terms of the amount of records lost, stolen or compromised, the most targeted sectors were government (18%), financial services (9.1%) and technology (16%).

Data Breaches by Source

Malicious outsiders were the leading source of data breaches, accounting for 72% of breaches, however making up only 23% of all compromised data. While accidental loss was the cause of 18% of data breaches, it accounted for 76% of all compromised records, an increase of 580% from 2016. Malicious insider breaches were 9% of the total number of incidents, however this breach source experienced a dramatic increase (117%) in the number of compromised or stolen records from 2016.

“Companies can mitigate the risks surrounding a breach through a ‘security by design’ approach, building in security protocols and architecture at the beginning,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “This will be especially important, considering in 2018 new government regulations like Europe’s General Data Protection Regulation (GDPR) and the Australian Privacy Act (APA) go into effect. These regulations require companies to adapt a new mindset towards security, protecting not only their sensitive data but the privacy of the customer data they store or manage.”

*The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious from those that are truly impactful (scores run 1-10).


View the original post published by Gemalto.

Intelligent Security Considerations for Smarter Buildings

April 10th, 2018

In 2017 we saw a growing interest in ‘intelligent security systems’ and applications which add value beyond access control and video surveillance. As the industry continues to move towards preventative security measures (as opposed to just capturing an event after it has happened), the role of intelligent security systems and the gathering of data and analytics from multiple building systems is becoming increasingly profound.

These trends will continue in 2018, with building security deployments needing not only to pay for themselves but also to deliver much more than just physical security by adding measurable and strategic value to businesses. Many businesses will continue to ask, ‘How can we use our access control system to reduce operational costs and improve business efficiencies?’

One Albert Quay, Johnson Controls’ global headquarters in Cork, is a key example of how critical building systems including lighting, heating, power, access control, video, fire detection and fire suppression are utilized and connected to create one of Ireland’s smartest buildings.

One Albert Quay, one of Ireland’s smartest buildings deploys CEM Systems emerald intelligent access terminals in the reception area

Johnson Controls’ CEM Systems AC2000 security management solution supported by CEM Systems emerald intelligent access terminals provides One Albert Quay a solution that goes beyond access control to help improve operational efficiency. emerald provides a reader and controller in a single device to control access to doors and car parks with the added benefit of a built-in Voice over IP (VoIP) intercom and remote applications that enable additional functionality such as time and attendance, room booking, displaying company/site information, personalised messaging, entry checklists and more.

The smart lift system at One Albert Quay is centrally controlled with AC2000 access control and emerald terminals, and integrated with Schindler Lifts. When an employee or visitor swipes their access control card on the emerald terminal, this buttonless lift system uses automatic location choice depending on the user’s access control privileges. The smart lift system then automatically brings the card holder to the floor where they are working. This is a fast and efficient system, with zero latency between systems, and it enables energy harvesting for added efficiency.

For other organizations seeking to undertake a smart building development with an intelligent security system that goes beyond access control to reduce costs and enhance operations, the following should be considered:

1) Combine the use of several devices into one multi-functional unit
When deploying your security, think about how you can take the functionality of what are typically numerous security devices and combine them into one powerful terminal for operational and cost savings. Choose intelligent card readers with reader and controller functionality combined into one device. Intelligent readers, such as the CEM Systems emerald intelligent access terminal, also have the added benefit of an internal database which ensures 24/7 access control and prevents throughput congestion and queues. Intelligent access terminals and combined solutions, such as combining intercom functionality into the access control solution, also take this multi-functional concept to a new level. CEM Systems emerald intelligent access terminals offer combined card reader and controller functionality, fully integrated Voice over IP intercom for bi-directional communication, on-board Power over Ethernet (PoE) technology and a range of remote server-based smart applications, all in one single, powerful terminal.


CEM Systems emerald intelligent access terminal with in-built intercom

2) Intelligent smart applications
‘Smart applications’ that allow users to perform tasks such as accessing visitor information, card holder messages or integrated staff time and attendance, without the need for a dedicated client PC, bring intelligence which previously resided on the access control database closer to the door. Using a range of smart applications directly on the CEM Systems emerald terminal, users can perform what was historically client PC application functionality without the need to install dedicated PC software and licenses.

3) Smart room booking
An intelligent access terminal with a room booking interface that allows users to book a room, edit a booking and check room availability all at the door removes the need for a separate room booking interface. Using CEM Systems emerald intelligent access terminals you can conveniently book company meeting rooms at the door with a valid card swipe or through Microsoft Outlook® exchange calendar.


CEM Systems emerald room booking

4) Smart access administration
Applications that provide administrators the autonomy to locally change cardholder privileges at a door terminal, rather than at a workstation or central ID unit, can save time and costs. CEM Systems emerald provides a smart ‘Local Access’ application to solve the operational problem of last minute staff rescheduling and the need to urgently provide out-of-facility, temporary workers with access to restricted areas.

5) Smart operational modes
Intelligent access terminals that provide enhanced security checks, such as displaying an image of the card holder on swipe, allow for visual verification by security staff to limit card sharing. Terminals that also provide a checklist upon entry or exit can help ensure health and safety policies are adhered to. CEM Systems emerald intelligent terminals feature a range of sophisticated door modes, such as an ‘image on swipe’ mode and a building ‘entry/exit checklist’ mode that is particularly beneficial within the construction sector, as it enables workers to answer a list of pre-defined questions (such as do you have the correct permits, clothing and training, etc.) before access is granted on site.


CEM Systems emerald intelligent terminal ‘entry/exit checklist’ door mode

6) Centralized gathering of building data and analytics
Intelligent security shouldn’t be about capturing the event after it has happened. Using collaborative building data and analytics you can pre-empt vulnerabilities before they happen and optimize total building performance. To enable the centralized gathering of building data and to manage the alarms of various building systems and multiple sites, use one unified security platform. For example, the CEM Systems AC2000 Security Hub enables the centralised command and control of integrated building systems and wireless/offline locks via the AC2000 access control system. Using this platform, systems can accurately share information and data, which can then be used to optimize total building performance.


CEM Systems AC2000 Security Hub – centralized security management for the real-time monitoring and control of alarms and events

7) Smart portable security
Portable card readers are a great example of a smart solution which continues to solve the customer problem of securing areas with no fixed wall barriers or gates. Harland & Wolff’s engineering facilities in Northern Ireland deployed CEM Systems S3040 portable hand-held card readers at dry dock areas which created measurable efficiency gains by successfully bringing their evacuation drill mustering time from 45 minutes down to 9 minutes.


CEM Systems S3040 portable handheld reader

8) Smart cards and mobile credentials
When choosing a card reader in 2018, opt for readers that offer the highest level of built-in smart card technology. For user convenience, also check with your security supplier whether they offer pre-personalised smart cards with encrypted algorithms. Another growing trend in the industry, and an example of how the access control system is getting smarter for users, is the use of mobile phone credentials. Smartphones as a form of credential are now a perfectly viable option. The benefit of the mobile credential is that it saves the operational time and cost of physically sending out an ID card, making it ideal for businesses with remote workers and numerous remote sites.

9) Integrated biometrics
Quite often the option to use biometrics with access control can mean two pieces of software being used in parallel, as well as two separate networks and two separate security devices at the door. When choosing biometrics, opt for a fully integrated access control and biometric solution. The CEM Systems emerald intelligent fingerprint access terminal with AC2000 access control software removes the need for two separate pieces of software. Using one software, one network and one device creates a quicker biometric read time, fewer errors at the door and ultimately fewer lines of throughput traffic at access control points.


CEM Systems emerald intelligent fingerprint terminal

Conclusion

When deploying your security system in 2018, think about your operational pain points and ask the question: “Can my security system be utilized beyond access control to either reduce costs, enhance site operations or to aid the gathering of smart building data and analytics?”

View the original blog at CEM Systems.

You Don’t Know What You’re Missing on Your Network

March 27th, 2018

Today’s cyber threats hide in plain sight amidst your network traffic, making them nearly impossible to defend against. These advanced threats use applications as their infiltration vector, exhibit application-like evasion tactics and they leverage commonly used network applications for exfiltration.

Legacy point products are blind to much of what goes on in the network. Hackers exploit this.

Net-Ctrl and Palo Alto Networks are offering an assessment that reveals the Unknown in your network.

Here is some of what you will see:

  • Malware and spyware on your network
  • Unauthorised applications
  • Violations of your security policies
  • Malicious websites employees are accessing
  • Non-work-related applications and activity
  • Shadow IT

How it works: We put the Palo Alto Networks® Next-Generation Security Platform on your network to passively monitor traffic for just one week.

We deliver to you the Security Lifecycle Review (SLR). The SLR reveals under-the-radar activity on your network and the risks to your business. We meet with you to explain the findings, answer your questions, and offer practical recommendations. The SLR is cost-free, risk-free and obligation-free.

To schedule or learn more about the SLR, please complete our Contact Form and we will schedule a call with one of our engineers.

Secure Wi-Fi Access Using Dynamic Pre-Shared Keys

March 7th, 2018

You’ve heard us talk a lot about digital certificates as a way to deliver secure onboarding and network authentication in support of Bring Your Own Device (BYOD) initiatives. Digital certificates provide a much higher level of security than conventional pre-shared keys, which are typically the default method of providing Wi-Fi network access for internal BYOD users. You may remember Ruckus’ previous blog about the security problems associated with conventional PSKs and MAC authentication.

Certificates ensure that every session is secure because data in transit is encrypted using WPA2-Enterprise, as well as providing a variety of other security measures. Certificate-based authentication also improves end-user and IT experience because as long as the certificate remains valid, users don’t have to enter login credentials again after initial onboarding.

Digital certs are often not appropriate for guest users though—in which case a technology called a dynamic pre-shared key (DPSK) can help optimise both security and usability.

Why Not Just Use Digital Certificates for Guest Wi-Fi Access?

Certificates work great for internal BYOD users, who need network access on an ongoing basis. However, they require the user to download and install the certificate on their device as part of the onboarding process. You could take this approach for guest users too—the up-front investment of time for the user is not onerous. But it probably does not make sense from a usability perspective for someone who will only be in your environment for an hour or a day. And yet you don’t want to revert to default measures such as conventional PSKs and MAC authentication due to the security issues mentioned previously. Ideally, you want to employ an alternative method that provides similar security benefits while not asking the guest user to download a certificate.

Why Dynamic Pre-Shared Keys Are the Answer for Guest Wi-Fi Access

Dynamic pre-shared keys are a Ruckus-patented technology found in Cloudpath Enrollment System, our software/SaaS platform for delivering secure network access for BYOD, guest users, and IT-owned devices (including IoT devices). DPSKs fit the guest access use case perfectly. With DPSKs, each user gets a unique access code for Wi-Fi access, which the Cloudpath system provides by SMS, email, or even printed voucher.

Organisations usually let guest users access only the internet—not internal network servers—over the wired/wireless connection. You still want to associate every device with a user, perform an up-front posture check during onboarding, and apply relevant policies. It’s also important to be able to revoke access at any time for specific users and devices. (Imagine if you became aware that a visitor was using that network connection to do something malicious such as sending spam emails linking to a phishing site. You’d want to revoke their access in a hurry. Now, we’re sure your guests would not do that, but better safe than sorry.) Encryption for data in transit may not be as critical for guest users, but it’s not a bad idea either.

The DPSK method for network authentication, in the context of Cloudpath Enrollment System, lets you do all of these things. Since it does not require the user to install a certificate, you increase security while also optimising usability for your visitors.

The “D” in DPSK Makes All the Difference for Secure Wi-Fi

DPSK and PSK can’t be that different, right, since only a “D” separates them? Quite the opposite! Most of the security measures referenced above simply don’t exist with a conventional PSK. That’s why we are so careful to use the term “conventional” or “traditional” when we refer to the garden-variety PSK. Sure, it encrypts data between the device and the access point. But that’s where the similarity ends. Using conventional PSKs, you could potentially direct guests to a separate SSID with only internet access, supplying them with the relevant PSK. But they could share that PSK with anyone or use it past the time of their visit.

Remember, with traditional PSKs everyone accessing a given SSID uses the same key. With DPSKs, each guest user gets his or her own access key. That “D” in front of PSK makes all the difference because it provides much greater security for users, devices, and the network. Think of the DPSK as a precision surgical scalpel in comparison to the blunt instrument that is the PSK. Organisations often also use MAC authentication via captive portal for providing guest access—which also fails to provide adequate levels of protection. (Once more, refer to our previous blog to understand the shortcomings of the default methods, which the patented DPSK technology in Cloudpath software addresses.)
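A minimal model of the per-guest key idea described above, added here as an example; it is not Ruckus or Cloudpath code and does not reproduce the patented DPSK mechanism. The class and function names, the SSID and the HMAC challenge (a simplified stand-in for the WPA2 handshake check) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA2-Personal derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def client_proof(passphrase: str, ssid: str, challenge: bytes) -> bytes:
    """Client side (simplified): prove knowledge of the key without sending it."""
    return hmac.new(wpa2_pmk(passphrase, ssid), challenge, hashlib.sha256).digest()


@dataclass
class GuestKey:
    pmk: bytes            # derived key only; the passphrase itself is not stored
    expires_at: float     # end of the visit, in seconds on the caller's clock
    revoked: bool = False


class PerUserKeyRegistry:
    """Hypothetical registry: one key per guest on a single SSID."""

    def __init__(self, ssid: str) -> None:
        self.ssid = ssid
        self._keys: Dict[str, GuestKey] = {}

    def issue(self, user: str, ttl_seconds: float, now: float) -> str:
        # 12 random bytes -> 16 URL-safe characters, inside WPA2's 8-63 limit.
        passphrase = secrets.token_urlsafe(12)
        self._keys[user] = GuestKey(wpa2_pmk(passphrase, self.ssid), now + ttl_seconds)
        return passphrase  # delivered to the guest by SMS, email or voucher

    def revoke(self, user: str) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        key.revoked = True
        return True

    def authenticate(self, challenge: bytes, proof: bytes, now: float) -> Optional[str]:
        # The client never says who it is: the key that verifies the proof
        # identifies the guest, so policy can be applied per user.
        for user, key in self._keys.items():
            expected = hmac.new(key.pmk, challenge, hashlib.sha256).digest()
            if hmac.compare_digest(expected, proof):
                if key.revoked or now >= key.expires_at:
                    return None  # right key, but access withdrawn or visit over
                return user
        return None  # no issued key matches


def demo() -> dict:
    """Constructed scenario: two guests, one revoked mid-visit."""
    ssid = "Guest-WiFi"  # constructed SSID
    reg = PerUserKeyRegistry(ssid)
    alice = reg.issue("alice", ttl_seconds=3600, now=0)
    bob = reg.issue("bob", ttl_seconds=3600, now=0)
    challenge = secrets.token_bytes(32)  # fresh per attempt to prevent replay
    before = reg.authenticate(challenge, client_proof(alice, ssid, challenge), now=60)
    reg.revoke("alice")
    return {
        "alice_before_revoke": before,
        "alice_after_revoke": reg.authenticate(
            challenge, client_proof(alice, ssid, challenge), now=120),
        "bob_after_alice_revoked": reg.authenticate(
            challenge, client_proof(bob, ssid, challenge), now=120),
        "bob_after_expiry": reg.authenticate(
            challenge, client_proof(bob, ssid, challenge), now=3601),
    }


if __name__ == "__main__":
    print(demo())
```

With a single shared PSK the same revocation would mean changing the key for every guest on the SSID; here only the one entry is affected.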

Digital Certificates and DPSKs—Secure Network Access for BYOD, Guest and Even IoT Devices

In summary, digital certificates and DPSKs are a great tandem. Cloudpath Enrollment System uses both technologies for streamlined secure onboarding and network authentication. It supports both internal users (with digital certificates) and guest users (typically with DPSKs). Cloudpath software also supports IT-owned devices. As IoT devices become more common in enterprise environments, schools, and institutions of higher education, certificates and DPSKs are also a great way to securely support those devices. DPSKs will be especially important for consumer IoT devices that make their way into enterprise environments because many of those devices are not equipped to accept certificates. But that’s a topic for another blog.

View the original post at The Ruckus Room.

Ruckus: Get Wired for Success!

March 5th, 2018

You’ve just bought a brand new sports car, one that can do zero to 60 in under four seconds and you are excited to try it out. But all you have to drive it on is a gnarly, rutted, steep and rocky dirt road. Good luck taking advantage of all that horsepower.

That’s the analogy Department of Health and Services CIO Beth Killoran used to describe the current challenge facing federal IT modernization initiatives. New technologies, from cloud computing and mobility to big data and the Internet of Things, are promising increases in efficiency and the ability to increase mission success, but some organisations are still lacking the basic infrastructure investment to make full use of them. The old infrastructure put in place just wasn’t designed to handle today’s IT environment.

Wired Isn’t Dead

Increasingly, users are connected to networks via exclusively wireless means, whether from mobile phones, tablets or laptops. Yet, while fewer devices will be relying on a direct wired connection to the network, they are still out there: desktops, VoIP devices, even many IoT devices and network-connected operational technology. All of these devices remain central to agency missions and crucial to end-user satisfaction.

Wireless affords increased mobility, which enables increased efficiency and worker satisfaction. But behind every strong wireless deployment, there must exist an equally strong, wired network as well. It is the part that connects your wireless end-points to your datacenter and the outside world and many devices will continue to connect directly to it for some time. This means that as part of your network modernisation strategy, wired has to remain an important part of the mix.

The Benefits of Ruckus ICX Switches

In buildings with potentially thousands of active users and high density, networks must be able to scale to the increasing per capita bandwidth demand. Often that means squeezing more throughput into smaller spaces.

The Ruckus ICX line of campus switches provides networking capabilities that can grow to agency scale without hassle, thanks to their small form factors and high throughput. They are small and low profile, and they stack easily as network demands increase.

Most importantly, ICX switches allow organisations to manage their wired and wireless infrastructure using the same management tools, minimising software complexity and spending overhead.

Wireless Networks Are the Future. But So Are Wired.

Wireless is undoubtedly the future of IT, but the very convenience and ease with which wireless devices connect to the network is a threat if the wired infrastructure that supports it does not also keep pace.

With new waves of IT modernisation, organisations need to ensure their wireless and wired infrastructure are keeping pace. Otherwise, what’s the point of that nice car?

For more information on Ruckus ICX Switches and how they can allow you to scale your networks, please visit https://www.ruckuswireless.com/products/campus-network-switches/ruckus-icx-family-switches

Announcing PAN-OS 8.1: Streamline SSL Decryption, Accelerate Adoption of Security Best Practices

February 23rd, 2018

Palo Alto Networks are pleased to announce PAN-OS 8.1, the latest version of the software that powers our next-generation firewalls. This release enables you to easily adopt application-based security, removes barriers to securing encrypted traffic, simplifies management of large networks and helps you quickly identify advanced threats in conjunction with Magnifier for behavioral analytics.

Let’s look at some of these enhancements in detail.

Simplified App-Based Security

App-ID classifies all traffic, including SaaS, traversing your network so you can safely enable desired applications and block unwanted ones. PAN-OS 8.1 makes it easier to adopt and maintain an application-based security policy.

  • Eliminate security risk: The new rule usage tracking tools empower organizations to review and confidently remove obsolete application-based policy rules as well as retire legacy rules – based on when a rule was last hit – to eliminate holes that create security risks.
  • Easily adopt new apps: Adopting new App-IDs, which used to be released weekly, usually requires a policy review. Now, new App-IDs are released on the third Tuesday of every month, giving you time to review the effect of the new App-ID and change policy if needed. New capabilities enable you to easily understand the impact of new and modified App-IDs on your traffic and policy.
  • Safely enable SaaS usage: SaaS applications host sensitive data, and you need to ensure data is stored in secure, compliant SaaS services. To add to existing capabilities, such as application filters, application characteristics and visibility, you can now use new SaaS application characteristics, such as lack of certifications, poor terms of service, history of data breaches and so on, to view and control their usage. In addition, the next-generation firewall can now add HTTP headers to SaaS app requests to granularly allow access to enterprise accounts while preventing access to free and consumer accounts.

Streamlined SSL Decryption

Most enterprise web traffic is now encrypted, and attackers exploit this to hide threats from security devices. The new Decryption Broker feature removes all barriers to securing encrypted traffic. Our next-generation firewall now decrypts the traffic, applies security and load balances decrypted flows across multiple stacks of security devices for additional enforcement. This eliminates dedicated SSL off-loaders, reducing network complexity and making decryption simple to operate.

Performance Boost for Internet-Edge Security

  • Secure the high-speed internet edge: The Palo Alto Networks PA-3200 Series of next-generation firewalls comprises the PA-3260, PA-3250 and PA-3220. These appliances deliver up to five times the performance, up to seven times the decryption performance and up to 20 times greater decryption session capacity of existing hardware, making them ideal for securing all internet-bound traffic, including encrypted traffic.
  • Secure large data centers and high-performance mobile networks: The Palo Alto Networks PA-5280 is the latest addition to the PA-5200 Series appliances. It prevents threats, safely enables applications, and is suitable for mobile network environments as well as large enterprise datacenters. The PA-5280 offers security at throughput speed of 68 Gbps and session capacity of 64 million.
  • Secure industrial deployments: Palo Alto Networks PA-220R ruggedized appliance brings next-generation capabilities to industrial applications in harsh environments. Read the blog post for more information.

Improved Efficiency and Performance for Management

Panorama 8.1 provides greater efficiency for teams that manage physical and virtual appliances running PAN-OS. Using variables in templates, you can now leverage common configuration across many devices while substituting device-specific values in place of IP addresses, IP ranges, FQDNs and more. With device health monitoring, Panorama provides a deployment-wide view into the health and status of your next-generation firewalls. Trending of critical system resources up to 90 days helps you identify gradual changes in your environment. Proactive monitoring automatically creates alerts when substantial changes occur in the utilization of critical device resources, ensuring you’re the first to know.

In addition, new M-600 and M-200 appliances deliver high-performance management.

Advanced Threat Detection and Prevention

  • Advanced threat detection. Updates to WildFire include dynamic unpacking, which defeats packing techniques attackers use to evade detection.
  • Prevention everywhere. This update has improved detection of malware targeting Linux servers and IoT devices. Plus, you can detect and prevent malware moving freely inside the network with new SMB protocol support and find malware hiding in less common file archive formats, including RAR and 7z (from 7-Zip).
  • Rich data for analytics. Enhanced application logs evolve next-generation firewalls into advanced network sensors for analytics, including Application Framework apps. Magnifier uses this data to allow customers to identify advanced attacks, insider threats and malware with precision.

Palo Alto Networks Next-Generation Firewall provides effective protections you can use, automates tasks so you can focus on what matters and enables you to consume innovations quickly. The new capabilities in PAN-OS 8.1 allow you to accelerate the adoption of next-generation security best practices so you can prevent the most advanced threats and safely enable your business.

To learn more, visit the PAN-OS 8.1 security page.

View the original post by Palo Alto Networks.

Striking a Balance Between Education Technology and IT Control

February 22nd, 2018


K-12 education has a culture of teacher independence in the classroom, meaning that as long as the teachers are covering their curriculum, they have the freedom to use the materials and methods they choose to augment the textbook and curriculum. In today’s technology-focused classrooms, this freedom comes with more risk than ever before. That is why it’s critical that school districts balance the need for educational freedom with their responsibility of keeping students and teachers safe while accessing online educational services.

Early Adopters in the Classroom

Sometimes, when teachers deem a website important they will intentionally circumvent IT restrictions or become very vocal about having the right to use digital assets that improve instruction. Going beyond the merits of educational value, many teachers are paid based on performance and will view restrictions on educational content as a threat to their salary.

Technology-minded teachers are typically early adopters of new education technology. These are the people most critical to district-level IT teams; they provide valuable feedback and recommendations for district-wide technology deployments. However, they are also the most likely people to circumvent IT and deploy rogue software if they are unhappy with the approved (and supported) solutions.

Early adopters were the first people who started using freeware and classroom management software such as Dojo, Edmodo, and Google Works, many times without IT knowing. In an ideal world, IT would meet with these teachers ahead of time, deploy test solutions in a controlled environment, work through the kinks and then deploy the software at an enterprise level so every teacher could access the solution safely and efficiently.

While it is with good intentions, when teachers circumvent IT and choose their own software management tools, they tend to overlook many potential issues. Typically, when they deploy their own software, they don’t have the benefit of single sign-on and class rosters. This means that teachers must manage access themselves as students enter and leave throughout the year. Oftentimes, teachers overlook security concerns, potential issues with device operating systems, or even the origins of the software if they see a benefit for the students. While their heart is in the right place, this is why teachers are not given administrative access.

How to Strike a Balance

This is where a balance needs to be found between IT and teachers. Should school districts only allow teachers to use district prescribed software? Or should they allow them to continue testing and using these new solutions?

It is important to recognize the incredibly fast pace of classroom technology adoption over the past 30 years. Think about how fast education technology can become outdated. Just a few years ago, classrooms with one shared computer were considered advanced, but today many districts have devices for every student.

This pace puts tremendous pressure on school districts to stay current and adopt new solutions quickly. When I was the CIO of Miami Dade County Schools, I wanted to know what teachers were using outside of IT’s management in order to stay ahead of the trends. Grassroots adoption and word of mouth promotion can happen very quickly. Once a teacher promotes curriculum or classroom management software, other teachers will most likely follow. It’s critical that IT administrators do everything they can to work with teachers at a reasonable pace.

Like many large school districts around the country, our IT teams and teachers at Miami-Dade County Schools were constantly challenged by high mobility and turnover of staff and students. This could often lead to professional development and security concerns if we changed software solutions quickly. Situations like this are where allowing teachers to select their own solutions can become important.

One way for school districts to strike a balance is to get teachers more involved in technology decisions. Many successful districts have created committees made up of teachers, information technology, instructional technology, and curriculum experts who are tasked with quickly vetting a solution and deciding if it should be allowed or denied based on pre-established criteria.

The district requirements can be updated regularly and should be formatted into simple yes or no questions, so all committee members can easily evaluate them. Keeping the number of evaluation criteria to 10 or fewer would make the process quick and easy. Once a solution is vetted and approved, technicians would be able to download the software to teacher and student devices, or network security would open the software to the teachers and/or students.

To learn more about cybersecurity in K-12 schools read our latest whitepaper: K-12 Cybersecurity Involves More Than Just CIPA Compliance

View the original press release by iboss.

Ruckus Introduces IOT Suite to Enable Secure IOT Access Networks

February 22nd, 2018

Suite Consolidates Disparate IoT Networks to Deliver Secure IoT Deployments to Enterprises and Organisations, Speeding Time-to-ROI and Reducing Deployment Costs

Ruckus Networks, an ARRIS company, today announced the Ruckus IoT Suite, which enables organisations to readily construct a secure IoT access network that consolidates multiple physical-layer IoT networks into a single network. The Ruckus IoT Suite further speeds time-to-return-on-investment (ROI) and reduces deployment cost by allowing for the use of common infrastructure between the wireless local area network (WLAN) and the IoT access network.

According to market research firm IDC, IoT edge infrastructure is emerging as a key growth domain and an enterprise priority to support the burgeoning IoT applications space. Within the IoT edge infrastructure market (expected to reach nearly $3.4B by 2021), network equipment is the fastest-growing segment, with a compound annual growth rate (CAGR) in excess of 30%, driven by the need for application continuity and high performance coupled with reliable and secure connectivity.

“Secure IoT network deployments in the enterprise have not yet taken off due to a fragmented market with point solutions serving one-off applications or use cases,” said Rohit Mehra, vice president, network infrastructure, IDC. “A multi-standard IoT access network that leverages existing hardware, software and security capabilities at the edge is a must for most organisations to deploy IoT. The Ruckus IoT Suite addresses these specifics and is a good first step to enabling broader multi-mode IoT network rollouts.”

“Organisations are looking to the IoT to help improve operational efficiencies, increase revenue and enhance the customer experience, but their ability to do so is constrained by today’s siloed IoT networks,” said Dan Rabinovitsj, president, Ruckus Networks. “Ruckus is addressing the market by providing the critical ‘glue’ between the world of sensors, cameras and things with the world of big data and analytics. Not only have we addressed the fragmentation at the PHY layer, we have created an open API to both public and private clouds which permits easy and secure integration with a variety of partners.”

Building a Consolidated IoT Access Network

An IoT access network must consolidate multiple access technologies while delivering the provisioning, management and security capabilities found in modern IP-based networks. Such a network must facilitate inter-endpoint communication and provide integration with analytics software and services. The Ruckus IoT Suite consists of:

  • Ruckus IoT-ready access points (APs)—APs that accommodate Ruckus IoT modules to establish multi-standards wireless access for Wi-Fi and non-Wi-Fi IoT endpoints; and translate non-Internet protocol (IP) endpoint communications into IP.
  • Ruckus IoT Modules—Radio or radio-and-sensor devices that connect to a Ruckus IoT-ready AP to enable endpoint connectivity based on standards such as Bluetooth Low Energy (BLE), Zigbee and LoRa protocols.
  • Ruckus SmartZone™ Controller—A WLAN controller that provides a single management interface for both the WLAN and the IoT access network.
  • Ruckus IoT Controller—A virtual controller, deployed in tandem with a Ruckus SmartZone OS-based controller, that performs connectivity, device and security management functions for non-Wi-Fi devices; facilitates endpoint co-ordination, and provides APIs for northbound integration with analytics software and IoT cloud services.

Securing the IoT Access Network and IoT Endpoints

Security concerns top the list of factors that contribute to IoT solution deployment delays. The Ruckus IoT Suite addresses such concerns through a multi-layered approach, including digital certificates, traffic isolation, physical security and encryption.

Enabling the IoT Solution Ecosystem

Enterprises and organisations implementing IoT must reduce the payback period and increase ROI in order to justify deployments. By establishing inter-IoT solution policies with industry-leading operational technology and customer technology, solution providers’ organisations can more quickly realise IoT investment gains. Using a Ruckus IoT access network and solutions from Ruckus IoT ecosystem partners offers benefits to hotels, schools and universities, and smart cities by improving end user experiences.

The Ruckus IoT Suite will be generally available in the second quarter of 2018. To learn more, visit Ruckus Networks.

Ecosystem Partner Quotes

“As the world’s leading lock manufacturer for enabling smart, connected locks for hoteliers, which seamlessly allow guests to unlock a room with a quick swipe of a keycard or mobile device, we deliver network-based locks with online capabilities that maximise operations, guest services and security,” said Cris Davidson, vice president of key accounts, ASSA ABLOY Hospitality. “The company is able to continue its mission of providing enhanced security solutions to the hospitality industry by partnering with like-minded businesses that strive to continuously enhance and streamline the technologies for increasing hotel security. We are excited to team with Ruckus Networks to enable this secure, online connectivity for our door locks over the new Ruckus IoT Suite.”

“The IoT enables cities and businesses to operate more efficiently, deliver innovative services and enable new business models,” said Von Cameron, vice president, Americas, Actility. “Our collaboration with Ruckus Networks, bringing together our ThingPark IoT connectivity platform and their new IoT Suite, provides an easy-to-use platform that allows organisations of all sizes to connect smart, cost-effective devices with a LoRaWAN network. We are excited to collaborate with Ruckus and enable an innovative and cost-effective new deployment model, which will accelerate deployments for the large and fast-growing customer ecosystem developing around Actility LoRaWAN solutions.”

“Our collaboration allows IoT users to experience a seamless integration between IBM’s IoT and analytics platform and edge devices supported by Ruckus’ IoT suite,” said Bernard Kufluk, Watson IoT platform product manager, IBM. “Users can now capture data from various edge devices, running on the Ruckus IoT network. Data can then be analysed at the edge using IBM Watson’s IoT Edge Analytics, which is integrated with the Ruckus IoT Suite and in the cloud. We look forward to continuing this strong collaboration.”

“Our collaboration with Ruckus Networks enables our users to locate their items more rapidly, regardless of their location,” said Ravi Adusumilli, vice president of business development, Tile. “Our portfolio of Tile devices works flawlessly with the Ruckus IoT Suite to deliver a unique experience for our customers around the globe. Customers will now be able to track their things anywhere.”

“We are collaborating with Ruckus Networks to develop new innovative applications in key vertical markets for the Internet of Things,” said Philipp von Gilsa, CEO, Kontakt.io. “Our next-generation (sensor enriched) products promise to reduce the overall costs for asset tracking and location-based services without the need for costly radio networks and power-hungry GPS tracking solutions. We look forward to bringing these new innovations to market with Ruckus.”

“TrackR helps businesses locate assets tagged with TrackR devices anywhere in a building by leveraging the Ruckus IoT Suite,” said Christian Johan Smith, president & co-founder, TrackR. “Ruckus ecosystem partners can leverage TrackR in the Ruckus IoT environment to improve operational efficiency and engage customers like never before. Partnering with Ruckus Networks will provide our customers with a stronger, more robust Crowd Locate network, so finding things outside the home will be even faster and easier.”

View the original press release by Ruckus Wireless.

Palo Alto Networks Adds to Its Next-Generation Firewall Lineup With New Hardware That Speeds Decryption and Improves Performance

February 22nd, 2018

New PAN-OS Release Simplifies Decryption and Helps Organizations Use Best Practices to Improve Security Posture

Palo Alto Networks®, the next-generation security company, today announced new hardware and updates to its PAN-OS® operating system that further enable organizations to easily implement and automate best practices for application-based controls that strengthen security. With today’s announcement, Palo Alto Networks introduces PAN-OS version 8.1, the PA-3200 Series, the PA-5280, the ruggedized PA-220R and two new models in the M-Series management appliances.

Every organization requires visibility into network traffic in order to prevent successful cyberattacks, but the proliferation of encryption has obstructed the view security teams once had into the data traversing their networks. Gartner predicts that “Through 2019, more than 80 percent of enterprises’ web traffic will be encrypted.”1 Gartner also predicts that “During 2019, more than fifty percent of new malware campaigns will use various forms of encryption and obfuscation to conceal delivery, and to conceal ongoing communications, including data exfiltration.”1

According to Palo Alto Networks, many organizations have not yet addressed the lack of visibility associated with encrypted traffic due to the complexity and performance impact of decryption, leaving those that do not decrypt network traffic without the ability to find and prevent over half of malware campaigns.

The new Palo Alto Networks PAN-OS operating system, version 8.1, reduces the complexity surrounding the implementation of cybersecurity best practices, including those associated with SSL-decryption within multi-vendor environments. New next-generation firewall models improve overall performance and enable customers to decrypt traffic at high speeds. Enhanced application logging adds additional richness to log data to improve the precision of Magnifier’s behavioural analytics with which customers rapidly hunt down and stop advanced threats.

Key benefits of the capabilities announced today include:

  • Easier adoption of SSL-decryption in multi-vendor environments: Streamlined SSL decryption provides high-throughput decryption on the next-generation firewall and enables sharing of cleartext traffic with chains of devices for additional enforcement, such as DLP. This further eliminates the need for dedicated SSL offloaders, simplifying deployment, network architecture and operations.
  • 20X decryption sessions capacity boost at internet edge: With 20 times more SSL-decryption sessions capacity compared to its predecessor, the new PA-3200 Series appliances deliver high-performance decryption at the internet edge. The new PA-5280 appliance brings higher performance and doubles the session capacity for securing large data centers and mobile network operators, or MNO, infrastructures.
  • Efficient adoption of best practices: App-ID™ technology-based security can now be achieved with even simpler workflows and policy review tools, allowing administrators to more effectively and confidently enforce best practices for application controls. Further, administrators can maintain a tight and effective app-based security policy with enhanced rule usage tracking.
  • Management at scale: New capabilities simplify the management and operational complexities of large, distributed deployments. The proactive device monitoring feature in Panorama™ management alerts the administrator if device behaviour is deviating from the norm. With little manual effort, the feature can be integrated into an automated workflow to enable operations teams to quickly perform remediation actions. New M-600 and M-200 management appliances deliver high performance, with log ingestion rates up to two times those of their predecessors, and double the log storage capacities.
  • Advanced threat detection and prevention: Updates to the WildFire® cloud-based threat analysis service enable customers to detect zero-day malware using evasive packing techniques, spot malware targeting Linux servers and IoT devices, and find malicious files hiding in less common file archive formats, such as 7-Zip and RAR.
  • Quick detection of targeted attacks: The next-generation firewall evolves to become an advanced network sensor that collects rich data for analytics, which can be easily expanded with content-based updates. As part of the Application Framework, Magnifier uses this data to enable customers to identify advanced attacks, insider threats and malware, with precision.

QUOTES
“The increasing volume of encrypted traffic means that visibility is now more important than ever. Buyers are rolling out tightly integrated security solutions, and are looking for network traffic decryption that’s built into existing cybersecurity infrastructure because it removes complexity, allowing security to function as a business enabler, rather than an inhibitor.”
– Jeff Wilson, senior research director, Cybersecurity Technology, IHS Markit

“PAN-OS version 8.1 introduces many new features to help organizations improve their security and manageability in easy-to-implement ways. The new next-generation firewall and management appliances allow for significantly greater throughput, especially for encrypted traffic, and greater scale. The combined capabilities of our next-generation firewalls and PAN-OS version 8.1 are a major step forward in our mission to help organizations prevent successful cyberattacks.”
– Lee Klarich, chief product officer, Palo Alto Networks

PRICING AND AVAILABILITY

PAN-OS 8.1 will be available to all current customers of Palo Alto Networks with valid support contracts in March. The PA-220R, PA-3200 Series, PA-5280, M-200 and M-600 are orderable on February 26, starting from $2,900 up to $200,000.

1 Gartner, “Predicts 2017: Network and Gateway Security,” Lawrence Orans et al, 13 December 2016

View the original press release by Palo Alto Networks.

The Cost of a Data Breach

May 2nd, 2018

How much does a data breach cost? So far, $242.7 million and counting if your company happens to be Equifax. That is how much the company has spent since its data breach that exposed sensitive personal and financial information for nearly 148 million consumers, according to its latest SEC filing. All because it left consumer information unencrypted and in the clear, which was highlighted in testimony before the U.S. Senate Commerce Committee last year (watch the video below).

To put the size and scope of Equifax’s remediation efforts in comparison, in just seven months Equifax has spent nearly what Target spent ($252 million) in two years after its 2013 data breach. Equifax will likely continue to spend millions for the next several quarters on the cleanup.

For many years analysts and security professionals have tried to estimate what a data breach can cost a company. From the expense of having to upgrade IT infrastructure and security to paying legal fees and government fines – there are a lot of costs that are both tangible and intangible. In addition, there are the impacts to a company’s stock price and the erosion of customer trust (“Will they come back?”). For management teams, it can also have a very real impact professionally. For example, the chairman and CEO of Target resigned months after the data breach, and the CEO of Equifax resigned within weeks of its data breach.

Many studies have been done to calculate the cost of a data breach, including the annual Ponemon Institute’s Cost of a Data Breach report which calculates the cost down to the data record. According to the latest Ponemon annual report, the average cost of a data breach is currently $3.62 million globally, which comes to $141 a record. In the U.S., the cost is almost double that at $7.35 million. But do these research reports actually gauge what a data breach will cost a company? At the end of the day, equating data breach damages to a “per record” cost makes data breaches just an actuarial exercise of acceptable risk.

And this kind of goes with the prevailing sentiment that data breaches don’t cost companies that much. The thinking goes like this. For the breached company, the stock price will take a hit, customers will be enraged and money will be spent notifying customers and upgrading security. But eventually the company recovers and it’s back to normal. After all, so the thinking goes, what is a couple million dollars in IT upgrades and fines to a company that is worth $50 billion?

This type of thinking must change because we are at a tipping point on the implications of data breaches. The costs have become more real to companies and the boards who run them. CEOs and other members of the management team are now losing their jobs because data breaches now have more potential to be more life-threatening, if not killers, for companies. Take for example the TalkTalk data breach, which caused the company to lose more than 100,000 customers, and the fact that Yahoo! had to lower its purchase price by $350 million in its acquisition by Verizon. The last and most important factor is that governments are now taking notice and doing something about it. The European Union’s General Data Protection Regulation (GDPR) is a prime example of this, and countries around the world are looking at it as the model for their own regulations.

If costs and risks of data breaches are increasing (and they are), companies need a radical shift in their approach to data security if they are going to be more successful in defending the sensitive data they collect and store. With organizations extending their business to being cloud- and mobile-first, their attack surface and the likelihood of accidental data exposure continue to grow. These trends all point to a consistent theme – security needs to be attached to the data itself and the users accessing the data. Only then can companies maintain control of their data in the cloud, manage user access to cloud apps, and keep it secure when it falls into the hands of adversaries. By implementing a three-step approach – encrypting all sensitive data at rest and in motion, securely managing and storing all of your encryption keys, and managing and controlling user access – companies can effectively prepare for a breach. It’s being done by many companies today and is also a requirement for transitioning from a strategy optimized for breach prevention to one optimized for a “Secure the Breach” approach.

Download Gemalto’s Secure the Breach Manifesto to get your company prepared.

Also, download Gemalto’s 2017 Breach Level Index Report and get insights into data breach incidents by industry, source, type and region.

View the original article by Gemalto.

More than 2.5 billion records stolen or compromised in 2017

April 11th, 2018

Gemalto, the world leader in digital security, today released the latest findings of the Breach Level Index, revealing that 2.6 billion records were stolen, lost or exposed worldwide in 2017, an 88% increase from 2016. While data breach incidents decreased by 11%, 2017 was the first year publicly disclosed breaches surpassed more than two billion compromised data records since the Breach Level Index began tracking data breaches in 2013.

To learn more about the 2017 statistics and trends, register for the upcoming webinar “New Data Breach Findings: The Year of Internal Threats and Misplaced data”

Over the past five years, nearly 10 billion records have been lost, stolen or exposed, with an average of five million records compromised every day. Of the 1,765 data breach incidents in 2017, identity theft represented the leading type of data breach, accounting for 69% of all data breaches. Malicious outsiders remained the number one cybersecurity threat last year at 72% of all breach incidents. Companies in the healthcare, financial services and retail sectors were the primary targets for breaches last year. However, government and educational institutions were not immune to cyber risks in 2017, making up 22% of all breaches.

The Breach Level Index* serves as a global database that tracks and analyzes data breaches, the type of data compromised and how it was accessed, lost or stolen. Based on data breach reports collected in the Breach Level Index, the major 2017 highlights include:

  • Human error a major risk management and security issue: Accidental loss, consisting of improper disposal of records, misconfigured databases and other unintended security issues, caused 1.9 billion records to be exposed, a dramatic 580% increase in the number of compromised records from 2016.
  • Identity theft is still the number one type of data breach: Identity theft was 69% of all data breach incidents. Over 600 million records were impacted resulting in a 73% increase from 2016.
  • Internal threats are increasing: The number of malicious insider incidents decreased slightly. However, the number of records stolen increased to 30 million, a 117% increase from 2016.
  • What a nuisance: The number of records breached in nuisance type attacks increased by 560% from 2016. The Breach Level Index defines a data breach as a nuisance when the compromised data includes basic information such as name, address and/or phone number. The larger ramification of this type of breach is often unknown, as hackers use this data to orchestrate other attacks.

“The manipulation of data or data integrity attacks pose an arguably more unknown threat for organizations to combat than simple data theft, as it can allow hackers to alter anything from sales numbers to intellectual property. By nature, data integrity breaches are often difficult to identify and in many cases, where this type of attack has occurred, we have yet to see the real impact,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “In the event that the confidentiality, or privacy, of the data is breached, an organization must have controls, such as encryption, key management and user access management, in place to ensure that integrity of the data isn’t tampered with and it can still be trusted. Regardless of any concerns around manipulation, these controls would protect the data in situ and render it useless the moment it’s stolen.”

Data Breaches by Type

Identity theft was the leading type of data breach, accounting for 69% of all incidents and constituting 26% of breached data in 2017. The second most prevalent type of breach was access to financial data (16%). The number of lost, stolen or compromised records increased the most for nuisance-type data breaches (560%), which constituted 61% of all compromised data. Account access and existential type breaches decreased both in incidents and records from 2016.

Data Breaches by Industry

In 2017, the industries that experienced the largest number of data breach incidents were healthcare (27%), financial services (12%), education (11%) and government (11%). In terms of the number of records lost, stolen or compromised, the most targeted sectors were government (18%), financial services (9.1%) and technology (16%).

Data Breaches by Source

Malicious outsiders were the leading source of data breaches, accounting for 72% of breaches, however making up only 23% of all compromised data. While accidental loss was the cause of 18% of data breaches, it accounted for 76% of all compromised records, an increase of 580% from 2016. Malicious insider breaches were 9% of the total number of incidents, however this breach source experienced a dramatic increase (117%) in the number of compromised or stolen records from 2016.

“Companies can mitigate the risks surrounding a breach through a ‘security by design’ approach, building in security protocols and architecture at the beginning,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “This will be especially important, considering in 2018 new government regulations like Europe’s General Data Protection Regulation (GDPR) and the Australian Privacy Act (APA) go into effect. These regulations require companies to adapt a new mindset towards security, protecting not only their sensitive data but the privacy of the customer data they store or manage.”

*The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious from those that are truly impactful (scores run 1-10).

View the original post published by Gemalto.

Intelligent Security Considerations for Smarter Buildings

April 10th, 2018

In 2017 we saw a growing interest in ‘intelligent security systems’ and applications which add value beyond access control and video surveillance. As the industry continues to move towards preventative security measures (as opposed to just capturing an event after it has happened), the role of intelligent security systems and the gathering of data and analytics from multiple building systems is becoming increasingly profound.

These trends will continue in 2018, with building security deployments needing not only to pay for themselves but also to deliver much more than just physical security by adding measurable and strategic value to businesses. Many businesses will continue to ask, ‘How can we use our access control system to reduce operational costs and improve business efficiencies?’

One Albert Quay, Johnson Controls’ global headquarters in Cork, is a key example of how critical building systems including lighting, heating, power, access control, video, fire detection and fire suppression are utilized and connected to create one of Ireland’s smartest buildings.

One Albert Quay, one of Ireland’s smartest buildings deploys CEM Systems emerald intelligent access terminals in the reception area

Johnson Controls’ CEM Systems AC2000 security management solution supported by CEM Systems emerald intelligent access terminals provides One Albert Quay a solution that goes beyond access control to help improve operational efficiency. emerald provides a reader and controller in a single device to control access to doors and car parks with the added benefit of a built-in Voice over IP (VoIP) intercom and remote applications that enable additional functionality such as time and attendance, room booking, displaying company/site information, personalised messaging, entry checklists and more.

The smart lift system at One Albert Quay is centrally controlled with AC2000 access control and emerald terminals, and integrated with Schindler Lifts. When an employee or visitor swipes their access control card on the emerald terminal, this buttonless lift system uses automatic location choice depending on the users’ access control privileges. The smart lift system then automatically brings the card holder to the floor where they are working. This is a fast and efficient system, with zero latency between systems and enables energy harvesting for added efficiency.

For other organizations seeking to undertake a smart building development with an intelligent security system that goes beyond access control to reduce costs and enhance operations, the following should be considered:

1) Combine the use of several devices into one multi-functional unit
When deploying your security, think about how you can take the functionality of what are typically numerous security devices and combine them into one powerful terminal for operational and cost savings. Choose intelligent card readers with reader and controller functionality combined into one device. Intelligent readers, such as the CEM Systems emerald intelligent access terminal, also have the added benefit of an internal database which ensures 24/7 access control and prevents throughput congestion and queues. Intelligent access terminals and combined solutions, such as combining intercom functionality into the access control solution, also take this multi-functional concept to a new level. CEM Systems emerald intelligent access terminals offer combined card reader and controller functionality, fully integrated Voice over IP intercom for bi-directional communication, on-board Power over Ethernet (PoE) technology and a range of remote server-based smart applications all in one single, powerful terminal.


CEM Systems emerald intelligent access terminal with in-built intercom

2) Intelligent smart applications
‘Smart applications’ that allow users to perform tasks such as accessing visitor information, card holder messages or integrated staff time and attendance, without the need for a dedicated client PC, bring intelligence which previously resided on the access control database closer to the door. Using a range of smart applications directly on the CEM Systems emerald terminal, users can perform what was historically client PC application functionality without the need to install dedicated PC software and licenses.

3) Smart room booking
An intelligent access terminal with a room booking interface that allows users to book a room, edit a booking and check room availability all at the door removes the need for a separate room booking interface. Using CEM Systems emerald intelligent access terminals you can conveniently book company meeting rooms at the door with a valid card swipe or through Microsoft Outlook® exchange calendar.


CEM Systems emerald room booking

4) Smart access administration
Applications that provide administrators the autonomy to locally change cardholder privileges at a door terminal, rather than at a workstation or central ID unit, can save time and costs. CEM Systems emerald provides a smart ‘Local Access’ application to solve the operational problem of last minute staff rescheduling and the need to urgently provide out-of-facility, temporary workers with access to restricted areas.

5) Smart operational modes
Intelligent access terminals that provide enhanced security checks, such as displaying an image of the card holder on swipe, allow for visual verification by security staff to limit card sharing. Terminals that also provide a checklist upon entry or exit can help ensure health and safety policies are adhered to. CEM Systems emerald intelligent terminals feature a range of sophisticated door modes, such as an ‘image on swipe’ mode and a building ‘entry/exit checklist’ mode that is particularly beneficial within the construction sector, as it enables workers to answer a list of pre-defined questions (such as do you have the correct permits, clothing and training, etc.) before access is granted on site.


CEM Systems emerald intelligent terminal ‘entry/exit checklist’ door mode

6) Centralized gathering of building data and analytics
Intelligent security shouldn’t be about capturing the event after it has happened. Using collaborative building data and analytics, you can pre-empt vulnerabilities before they happen and optimize total building performance. To enable the centralized gathering of building data and to manage the alarms of various building systems and multiple sites, use one unified security platform. For example, the CEM Systems AC2000 Security Hub enables the centralised command and control of integrated building systems and wireless/offline locks via the AC2000 access control system. Using this platform, systems can accurately share information and data, which can then be used to optimize total building performance.


CEM Systems AC2000 Security Hub – centralized security management for the real-time monitoring and control of alarms and events

7) Smart portable security
Portable card readers are a great example of a smart solution which continues to solve the customer problem of securing areas with no fixed wall barriers or gates. Harland & Wolff’s engineering facilities in Northern Ireland deployed CEM Systems S3040 portable hand-held card readers at dry dock areas which created measurable efficiency gains by successfully bringing their evacuation drill mustering time from 45 minutes down to 9 minutes.


CEM Systems S3040 portable handheld reader

8) Smart cards and mobile credentials
When choosing a card reader in 2018, opt for readers that offer the highest level of built-in smart card technology. For user convenience, also check with your security supplier whether they offer pre-personalised smart cards with encrypted algorithms. Another growing trend in the industry, and an example of how the access control system is getting smarter for users, is the use of mobile phone credentials. Smartphones as a form of credential are now a perfectly viable option. The benefit of the mobile credential is that it saves the operational time and cost of physically sending out an ID card, making it ideal for businesses with remote workers and numerous remote sites.

9) Integrated biometrics
Quite often the option to use biometrics with access control can mean two pieces of software being used in parallel, as well as two separate networks and two separate security devices at the door. When choosing biometrics, opt for a fully integrated access control and biometric solution. The CEM Systems emerald intelligent fingerprint access terminal, together with AC2000 access control software, removes the need for two separate pieces of software. Using one piece of software, one network and one device creates a quicker biometric read time, fewer errors at the door and ultimately fewer lines of throughput traffic at access control points.


CEM Systems emerald intelligent fingerprint terminal

Conclusion

When deploying your security system in 2018, think about your operational pain points and ask the question: “Can my security system be utilized beyond access control to either reduce costs, enhance site operations or to aid the gathering of smart building data and analytics?”

View the original blog at CEM Systems.

You Don’t Know What You’re Missing on Your Network

March 27th, 2018

Today’s cyber threats hide in plain sight amidst your network traffic, making them nearly impossible to defend against. These advanced threats use applications as their infiltration vector, exhibit application-like evasion tactics and they leverage commonly used network applications for exfiltration.

Legacy point products are blind to much of what goes on in the network. Hackers exploit this.

Net-Ctrl and Palo Alto Networks are offering an assessment that reveals the Unknown in your network.

Here is some of what you will see:

  • Malware and spyware on your network
  • Unauthorised applications
  • Violations of your security policies
  • Malicious websites employees are accessing
  • Non-work-related applications and activity
  • Shadow IT

How it works: We put the Palo Alto Networks® Next-Generation Security Platform on your network to passively monitor traffic for just one week.

We deliver to you the Security Lifecycle Review (SLR). The SLR reveals under-the-radar activity on your network and the risks to your business. We meet with you to explain the findings, answer your questions, and offer practical recommendations. The SLR is cost-free, risk-free and obligation-free.

To schedule or learn more about the SLR, please complete our Contact Form and we will schedule a call with one of our engineers.

Secure Wi-Fi Access Using Dynamic Pre-Shared Keys

March 7th, 2018

You’ve heard us talk a lot about digital certificates as a way to deliver secure onboarding and network authentication in support of Bring Your Own Device (BYOD) initiatives. Digital certificates provide a much higher level of security than conventional pre-shared keys, which are typically the default method of providing Wi-Fi network access for internal BYOD users. You may remember Ruckus’ previous blog about the security problems associated with conventional PSKs and MAC authentication.

Certificates ensure that every session is secure because data in transit is encrypted using WPA2-Enterprise, as well as providing a variety of other security measures. Certificate-based authentication also improves end-user and IT experience because as long as the certificate remains valid, users don’t have to enter login credentials again after initial onboarding.

Digital certs are often not appropriate for guest users though—in which case a technology called a dynamic pre-shared key (DPSK) can help optimise both security and usability.

Why Not Just Use Digital Certificates for Guest Wi-Fi Access?

Certificates work great for internal BYOD users, who need network access on an ongoing basis. However, they require the user to download and install the certificate on their device as part of the onboarding process. You could take this approach for guest users too—the up-front investment of time for the user is not onerous. But it probably does not make sense from a usability perspective for someone who will only be in your environment for an hour or a day. And yet you don’t want to revert to default measures such as conventional PSKs and MAC authentication due to the security issues mentioned previously. Ideally, you want to employ an alternative method that provides similar security benefits while not asking the guest user to download a certificate.

Why Dynamic Pre-Shared Keys Are the Answer for Guest Wi-Fi Access

Dynamic pre-shared keys are a Ruckus-patented technology found in Cloudpath Enrollment System, our software/SaaS platform for delivering secure network access for BYOD, guest users, and IT-owned devices (including IoT devices). DPSKs fit the guest access use case perfectly. With DPSKs, each user gets a unique access code for Wi-Fi access, which the Cloudpath system provides by SMS, email, or even printed voucher.

Organisations usually let guest users access only the internet—not internal network servers—over the wired/wireless connection. You still want to associate every device with a user, perform an up-front posture check during onboarding, and apply relevant policies. It’s also important to be able to revoke access at any time for specific users and devices. (Imagine if you became aware that a visitor was using that network connection to do something malicious such as sending spam emails linking to a phishing site. You’d want to revoke their access in a hurry. Now, we’re sure your guests would not do that, but better safe than sorry.) Encryption for data in transit may not be as critical for guest users, but it’s not a bad idea either.

The DPSK method for network authentication, in the context of Cloudpath Enrollment System, lets you do all of these things. Since it does not require the user to install a certificate, you increase security while also optimising usability for your visitors.

The “D” in DPSK Makes All the Difference for Secure Wi-Fi

DPSK and PSK can’t be that different, right, since only a “D” separates them? Quite the opposite! Most of the security measures referenced above simply don’t exist with a conventional PSK. That’s why we are so careful to use the term “conventional” or “traditional” when we refer to the garden-variety PSK. Sure, it encrypts data between the device and the access point. But that’s where the similarity ends. Using conventional PSKs, you could potentially direct guests to a separate SSID with only internet access, supplying them with the relevant PSK. But they could share that PSK with anyone or use it past the time of their visit.

Remember, with traditional PSKs everyone accessing a given SSID uses the same key. With DPSKs, each guest user gets his or her own access key. That “D” in front of PSK makes all the difference because it provides much greater security for users, devices, and the network. Think of the DPSK as a precision surgical scalpel in comparison to the blunt instrument that is the PSK. Organisations often also use MAC authentication via captive portal for providing guest access—which also fails to provide adequate levels of protection. (Once more, refer to our previous blog to understand the shortcomings of the default methods, which the patented DPSK technology in Cloudpath software addresses.)
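The contrast described above can be modelled in a few lines. This is an added illustration, not part of the original post and not Ruckus's or Cloudpath's implementation: the passphrase-to-key step is the standard WPA2-Personal PBKDF2 mapping, while the `PerUserKeyStore` class, the SSID, the user names and the challenge/proof check (a simplified stand-in for the handshake integrity check) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SSID = "Guest-WiFi"  # constructed sample SSID


def wpa2_pmk(passphrase, ssid):
    """Standard WPA2-Personal mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def client_proof(pmk, challenge):
    """Simplified stand-in for the handshake check: prove knowledge of the key
    without sending it (assumption; the real handshake derives session keys first)."""
    return hmac.new(pmk, challenge, hashlib.sha1).digest()


class PerUserKeyStore:
    """Hypothetical per-user key registry: one key per guest, with expiry and revocation."""

    def __init__(self, ssid):
        self.ssid = ssid
        self.records = {}  # user -> {"pmk", "expires", "revoked"}

    def issue(self, user, now, lifetime_s):
        # A fresh random passphrase per guest, delivered out of band (SMS, email, voucher).
        passphrase = secrets.token_urlsafe(12)
        self.records[user] = {
            "pmk": wpa2_pmk(passphrase, self.ssid),
            "expires": now + lifetime_s,
            "revoked": False,
        }
        return passphrase

    def revoke(self, user):
        # Only this guest is cut off; nobody else needs a new key.
        self.records[user]["revoked"] = True

    def identify(self, challenge, proof, now):
        """Return the user whose active key produced the proof, else None."""
        for user, rec in self.records.items():
            if rec["revoked"] or now >= rec["expires"]:
                continue
            if hmac.compare_digest(client_proof(rec["pmk"], challenge), proof):
                return user
        return None


def demo():
    store = PerUserKeyStore(SSID)
    t0 = 1_000_000  # constructed clock value, in seconds
    alice_key = store.issue("alice", t0, 3600)      # one-hour visitor
    bob_key = store.issue("bob", t0, 8 * 3600)      # all-day visitor
    challenge = secrets.token_bytes(32)

    def join(passphrase, now):
        proof = client_proof(wpa2_pmk(passphrase, SSID), challenge)
        return store.identify(challenge, proof, now)

    results = {
        # Every session maps back to a named guest, unlike a shared key.
        "alice_before": join(alice_key, t0 + 60),
        "bob_before": join(bob_key, t0 + 60),
        "stranger": join("not-an-issued-key", t0 + 60),
        "distinct_pmks": store.records["alice"]["pmk"] != store.records["bob"]["pmk"],
    }
    store.revoke("alice")
    results["alice_after_revoke"] = join(alice_key, t0 + 120)
    results["bob_after_revoke"] = join(bob_key, t0 + 120)
    # A key handed on or kept after the visit stops working at expiry.
    results["bob_after_expiry"] = join(bob_key, t0 + 9 * 3600)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a single conventional PSK every device derives the same key from the same passphrase, so the registry would hold one record and revoking it would lock out every guest at once.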

Digital Certificates and DPSKs—Secure Network Access for BYOD, Guest and Even IoT Devices

In summary, digital certificates and DPSKs are a great tandem. Cloudpath Enrollment System uses both technologies for streamlined secure onboarding and network authentication. It supports both internal users (with digital certificates) and guest users (typically with DPSKs). Cloudpath software also supports IT-owned devices. As IoT devices become more common in enterprise environments, schools, and institutions of higher education, certificates and DPSKs are also a great way to securely support those devices. DPSKs will be especially important for consumer IoT devices that make their way into enterprise environments because many of those devices are not equipped to accept certificates. But that’s a topic for another blog.

View the original post at The Ruckus Room.

Ruckus: Get Wired for Success!

March 5th, 2018

You’ve just bought a brand new sports car, one that can do zero to 60 in under four seconds and you are excited to try it out. But all you have to drive it on is a gnarly, rutted, steep and rocky dirt road. Good luck taking advantage of all that horsepower.

That’s the analogy Department of Health and Services CIO Beth Killoran used to describe the current challenge facing federal IT modernization initiatives. New technologies, from cloud computing and mobility to big data and the Internet of Things, are promising increases in efficiency and the ability to increase mission success, but some organisations are still lacking the basic infrastructure investment to make full use of them. The old infrastructure put in place just wasn’t designed to handle today’s IT environment.

Wired Isn’t Dead

Increasingly, users are connected to networks via exclusively wireless means, whether from mobile phones, tablets or laptops. Yet, while fewer devices will be relying on a direct wired connection to the network, they are still out there: desktops, VoIP devices, even many IoT devices and network-connected operational technology. All of these devices remain central to agency missions and crucial to end-user satisfaction.

Wireless affords increased mobility, which enables increased efficiency and worker satisfaction. But behind every strong wireless deployment, there must exist an equally strong, wired network as well. It is the part that connects your wireless end-points to your datacenter and the outside world and many devices will continue to connect directly to it for some time. This means that as part of your network modernisation strategy, wired has to remain an important part of the mix.

The Benefits of Ruckus ICX Switches

In buildings with potentially thousands of active users and high density, networks must be able to scale to the increasing per capita bandwidth demand. Often that means squeezing more throughput into smaller spaces.

The Ruckus ICX line of campus switches gives networking capabilities that can grow to agency scale without hassle with their small form factors and high throughput. They are small, low profile and easily stack as network demands increase.

Most importantly, ICX switches allow organisations to manage their wired and wireless infrastructure using the same management tools, minimising software complexity and spending overhead.

Wireless Networks Are the Future. But So Are Wired.

Wireless is undoubtedly the future of IT, but the very convenience and ease with which wireless devices connect to the network is a threat if the wired infrastructure that supports it does not also keep pace.

With new waves of IT modernisation, organisations need to ensure their wireless and wired infrastructure are keeping pace. Otherwise, what’s the point of that nice car?

For more information on Ruckus ICX Switches and how they can allow you to scale your networks, please visit https://www.ruckuswireless.com/products/campus-network-switches/ruckus-icx-family-switches

Announcing PAN-OS 8.1: Streamline SSL Decryption, Accelerate Adoption of Security Best Practices

February 23rd, 2018

Palo Alto Networks are pleased to announce PAN-OS 8.1, the latest version of the software that powers our next-generation firewalls. This release enables you to easily adopt application-based security, removes barriers to securing encrypted traffic, simplifies management of large networks and helps you quickly identify advanced threats in conjunction with Magnifier for behavioral analytics.

Let’s look at some of these enhancements in detail.

Simplified App-Based Security

App-ID classifies all traffic, including SaaS, traversing your network so you can safely enable desired applications and block unwanted ones. PAN-OS 8.1 makes it easier to adopt and maintain an application-based security policy.

  • Eliminate security risk: The new rule usage tracking tools empower organizations to review and confidently remove obsolete application-based policy rules as well as retire legacy rules – based on when a rule was last hit – to eliminate holes that create security risks.
  • Easily adopt new apps: Adopting new App-IDs, which used to be released weekly, usually requires a policy review. Now, new App-IDs are released on the third Tuesday of every month, giving you time to review the effect of the new App-ID and change policy if needed. New capabilities enable you to easily understand the impact of new and modified App-IDs on your traffic and policy.
  • Safely enable SaaS usage: SaaS applications host sensitive data, and you need to ensure data is stored in secure, compliant SaaS services. To add to existing capabilities, such as application filters, application characteristics and visibility, you can now use new SaaS application characteristics, such as lack of certifications, poor terms of service, history of data breaches and so on, to view and control their usage. In addition, the next-generation firewall can now add HTTP headers to SaaS app requests to granularly allow access to enterprise accounts while preventing access to free and consumer accounts.

Streamlined SSL Decryption

Most enterprise web traffic is now encrypted, and attackers exploit this to hide threats from security devices. The new Decryption Broker feature removes all barriers to securing encrypted traffic. Our next-generation firewall now decrypts the traffic, applies security and load balances decrypted flows across multiple stacks of security devices for additional enforcement. This eliminates dedicated SSL off-loaders, reducing network complexity and making decryption simple to operate.

Performance Boost for Internet-Edge Security

  • Secure the high-speed internet edge: The Palo Alto Networks PA-3200 Series of next-generation firewalls comprises the PA-3260, PA-3250 and PA-3220. These appliances deliver up to five times the performance, up to seven times the decryption performance and up to 20 times greater decryption session capacity of existing hardware, making them ideal for securing all internet-bound traffic, including encrypted traffic.
  • Secure large data centers and high-performance mobile networks: The Palo Alto Networks PA-5280 is the latest addition to the PA-5200 Series appliances. It prevents threats, safely enables applications, and is suitable for mobile network environments as well as large enterprise datacenters. The PA-5280 offers security at throughput speed of 68 Gbps and session capacity of 64 million.
  • Secure industrial deployments: Palo Alto Networks PA-220R ruggedized appliance brings next-generation capabilities to industrial applications in harsh environments. Read the blog post for more information.

Improved Efficiency and Performance for Management

Panorama 8.1 provides greater efficiency for teams that manage physical and virtual appliances running PAN-OS. Using variables in templates, you can now leverage common configuration across many devices while substituting device-specific values in place of IP addresses, IP ranges, FQDNs and more. With device health monitoring, Panorama provides a deployment-wide view into the health and status of your next-generation firewalls. Trending of critical system resources up to 90 days helps you identify gradual changes in your environment. Proactive monitoring automatically creates alerts when substantial changes occur in the utilization of critical device resources, ensuring you’re the first to know.

In addition, new M-600 and M-200 appliances deliver high-performance management.

Advanced Threat Detection and Prevention

  • Advanced threat detection. Updates to WildFire include dynamic unpacking, which defeats packing techniques attackers use to evade detection.
  • Prevention everywhere. This update has improved detection of malware targeting Linux servers and IoT devices. Plus, you can detect and prevent malware moving freely inside the network with new SMB protocol support and find malware hiding in less common file archive formats, including RAR and 7z (from 7-Zip).
  • Rich data for analytics. Enhanced application logs evolve next-generation firewalls into advanced network sensors for analytics, including Application Framework apps. Magnifier uses this data to allow customers to identify advanced attacks, insider threats and malware with precision.

Palo Alto Networks Next-Generation Firewall provides effective protections you can use, automates tasks so you can focus on what matters and enables you to consume innovations quickly. The new capabilities in PAN-OS 8.1 allow you to accelerate the adoption of next-generation security best practices so you can prevent the most advanced threats and safely enable your business.

To learn more, visit the PAN-OS 8.1 security page.

View the original post by Palo Alto Networks.

Striking a Balance Between Education Technology and IT Control

February 22nd, 2018


K-12 education has a culture of teacher independence in the classroom, meaning that as long as the teachers are covering their curriculum, they have the freedom to use the materials and methods they choose to augment the textbook and curriculum. In today’s technology-focused classrooms, this freedom comes with more risk than ever before. That is why it’s critical that school districts balance the need for educational freedom with their responsibility of keeping students and teachers safe while accessing online educational services.

Early Adopters in the Classroom

Sometimes, when teachers deem a website important they will intentionally circumvent IT restrictions or become very vocal about having the right to use digital assets that improve instruction. Going beyond the merits of educational value, many teachers are paid based on performance and will view restrictions on educational content as a threat to their salary.

Technology-minded teachers are typically early adopters of new education technology. These are the people most critical to district-level IT teams; they provide valuable feedback and recommendations for district-wide technology deployments. However, they are also the most likely people to circumvent IT and deploy rogue software if they are unhappy with the approved (and supported) solutions.

Early adopters were the first people who started using freeware and classroom management software such as Dojo, Edmodo, and Google Works, many times without IT knowing. In an ideal world, IT would meet with these teachers ahead of time, deploy test solutions in a controlled environment, work through the kinks and then deploy the software at an enterprise level so every teacher could access the solution safely and efficiently.

While it is with good intentions, when teachers circumvent IT and choose their own software management tools, they tend to overlook many potential issues. Typically, when they deploy their own software, they don’t have the benefit of single sign-on and class rosters. This means that teachers must manage access themselves as students enter and leave throughout the year. Oftentimes, teachers overlook security concerns, potential issues with device operating systems, or even the origins of the software if they see a benefit for the students. While their heart is in the right place, this is why teachers are not given administrative access.

How to Strike a Balance

This is where a balance needs to be found between IT and teachers. Should school districts only allow teachers to use district prescribed software? Or should they allow them to continue testing and using these new solutions?

It is important to recognize the incredibly fast pace of classroom technology adoption over the past 30 years. Think about how fast education technology can become outdated. Just a few years ago, classrooms with one shared computer were considered advanced, but today many districts have devices for every student.

This pace puts tremendous pressure on school districts to stay current and adopt new solutions quickly. When I was the CIO of Miami Dade County Schools, I wanted to know what teachers were using outside of IT’s management in order to stay ahead of the trends. Grassroots adoption and word of mouth promotion can happen very quickly. Once a teacher promotes curriculum or classroom management software, other teachers will most likely follow. It’s critical that IT administrators do everything they can to work with teachers at a reasonable pace.

Like many large school districts around the country, our IT teams and teachers at Miami-Dade County Schools were constantly challenged by high mobility and turnover of staff and students. This could often lead to professional development and security concerns if we changed software solutions quickly. Situations like this are where allowing teachers to select their own solutions can become important.

One way for school districts to strike a balance is to get teachers more involved in technology decisions. Many successful districts have created committees made up of teachers, information technology, instructional technology, and curriculum experts who are tasked with quickly vetting a solution and deciding if it should be allowed or denied based on pre-established criteria.

The district requirements can be updated regularly and should be formatted into simple yes or no questions, so all committee members can easily evaluate them. Keeping the number of evaluation criteria to 10 or less would make the process quick and easy. Once a solution is vetted and approved, technicians would be able to download the software to teacher and student devices, or network security would open the software to the teachers and/or students.

To learn more about cybersecurity in K-12 schools read our latest whitepaper: K-12 Cybersecurity Involves More Than Just CIPA Compliance

View the original press release by iboss.

Ruckus Introduces IOT Suite to Enable Secure IOT Access Networks

February 22nd, 2018

Suite Consolidates Disparate IoT Networks to Deliver Secure IoT Deployments to Enterprises and Organisations, Speeding Time-to-ROI and Reducing Deployment Costs

Ruckus Networks, an ARRIS company, today announced the Ruckus IoT Suite, which enables organisations to readily construct a secure IoT access network that consolidates multiple physical-layer IoT networks into a single network. The Ruckus IoT Suite further speeds time-to-return-on-investment (ROI) and reduces deployment cost by allowing for the use of common infrastructure between the wireless local area network (WLAN) and the IoT access network.

According to market research firm IDC, IoT edge infrastructure is emerging as a key growth domain and an enterprise priority to support the burgeoning IoT applications space. Within the IoT edge infrastructure market— expected to reach nearly $3.4B by 2021— network equipment is the fastest-growing segment, with compound annual growth (CAGR) in excess of 30%, driven by the need for application continuity and high performance coupled with reliable and secure connectivity.

“Secure IoT network deployments in the enterprise have not yet taken off due to a fragmented market with point solutions serving one-off applications or use cases,” said Rohit Mehra, vice president, network infrastructure, IDC. “A multi-standard IoT access network that leverages existing hardware, software and security capabilities at the edge is a must for most organisations to deploy IoT. The Ruckus IoT Suite addresses these specifics and is a good first step to enabling broader multi-mode IoT network rollouts.”

“Organisations are looking to the IoT to help improve operational efficiencies, increase revenue and enhance the customer experience, but their ability to do so is constrained by today’s siloed IoT networks,” said Dan Rabinovitsj, president, Ruckus Networks. “Ruckus is addressing the market by providing the critical ‘glue’ between the world of sensors, cameras and things with the world of big data and analytics. Not only have we addressed the fragmentation at the PHY layer, we have created an open API to both public and private clouds which permits easy and secure integration with a variety of partners.”

Building a Consolidated IoT Access Network

An IoT access network must consolidate multiple access technologies while delivering the provisioning, management and security capabilities found in modern IP-based networks. Such a network must facilitate inter-endpoint communication and provide integration with analytics software and services. The Ruckus IoT Suite consists of:

  • Ruckus IoT-ready access points (APs)—APs that accommodate Ruckus IoT modules to establish multi-standards wireless access for Wi-Fi and non-Wi-Fi IoT endpoints; and translate non-Internet protocol (IP) endpoint communications into IP.
  • Ruckus IoT Modules—Radio or radio-and-sensor devices that connect to a Ruckus IoT-ready AP to enable endpoint connectivity based on standards such as Bluetooth Low Energy (BLE), Zigbee and LoRa protocols.
  • Ruckus SmartZone™ Controller—A WLAN controller that provides a single management interface for both the WLAN and the IoT access network.
  • Ruckus IoT Controller—A virtual controller, deployed in tandem with a Ruckus SmartZone OS-based controller, that performs connectivity, device and security management functions for non-Wi-Fi devices; facilitates endpoint co-ordination, and provides APIs for northbound integration with analytics software and IoT cloud services.

Securing the IoT Access Network and IoT Endpoints

Security concerns top the list of factors that contribute to IoT solution deployment delays. The Ruckus IoT Suite addresses such concerns through a multi-layered approach, including digital certificates, traffic isolation, physical security and encryption.

Enabling the IoT Solution Ecosystem

Enterprises and organisations implementing IoT must reduce payback period and increase ROI in order to justify deployments. By establishing inter-IoT solution policies with industry-leading operational technology and customer technology, solution providers’ organisations can more quickly realise IoT investment gains. Using a Ruckus IoT access network and solutions from Ruckus IoT ecosystem partners offers benefits to hotels, schools and universities, and smart cities by improving end user experiences.

The Ruckus IoT Suite will be generally available in the second quarter of 2018. To learn more, visit Ruckus Networks.

Ecosystem Partner Quotes

“As the world’s leading lock manufacturer for enabling smart, connected locks for hoteliers, which seamlessly allow guests to unlock a room with a quick swipe of a keycard or mobile device, we deliver network-based locks with online capabilities that maximise operations, guest services and security,” said Cris Davidson, vice president of key accounts, ASSA ABLOY Hospitality. “The company is able to continue its mission of providing enhanced security solutions to the hospitality industry by partnering with like-minded businesses that strive to continuously enhance and streamline the technologies for increasing hotel security. We are excited to team with Ruckus Networks to enable this secure, online connectivity for our door locks over the new Ruckus IoT Suite.”

“The IoT enables cities and businesses to operate more efficiently, deliver innovative services and enable new business models,” said Von Cameron, vice president, Americas, Actility. “Our collaboration with Ruckus Networks, bringing together our ThingPark IoT connectivity platform and their new IoT Suite, provides an easy-to-use platform that allows organisations of all sizes to connect smart, cost-effective devices with a LoRaWAN network. We are excited to collaborate with Ruckus and enable an innovative and cost-effective new deployment model, which will accelerate deployments for the large and fast-growing customer ecosystem developing around Actility LoRaWAN solutions.”

“Our collaboration allows IoT users to experience a seamless integration between IBM’s IoT and analytics platform and edge devices supported by Ruckus’ IoT suite,” said Bernard Kufluk, Watson IoT platform product manager, IBM. “Users can now capture data from various edge devices, running on the Ruckus IoT network. Data can then be analysed at the edge using IBM Watson’s IoT Edge Analytics, which is integrated with the Ruckus IoT Suite and in the cloud. We look forward to continuing this strong collaboration.”

“Our collaboration with Ruckus Networks enables our users to locate their items more rapidly, regardless of their location,” said Ravi Adusumilli, vice president of business development, Tile. “Our portfolio of Tile devices works flawlessly with the Ruckus IoT Suite to deliver a unique experience for our customers around the globe. Customers will now be able to track their things anywhere.”

“We are collaborating with Ruckus Networks to develop new innovative applications in key vertical markets for the Internet of Things,” said Philipp von Gilsa, CEO, Kontakt.io. “Our next-generation (sensor enriched) products promise to reduce the overall costs for asset tracking and location-based services without the need for costly radio networks and power-hungry GPS tracking solutions. We look forward to bringing these new innovations to market with Ruckus.”

“TrackR helps businesses locate assets tagged with TrackR devices anywhere in a building by leveraging the Ruckus IoT Suite,” said Christian Johan Smith, president & co-founder, TrackR. “Ruckus ecosystem partners can leverage TrackR in the Ruckus IoT environment to improve operational efficiency and engage customers like never before. Partnering with Ruckus Networks will provide our customers with a stronger, more robust Crowd Locate network, so finding things outside the home will be even faster and easier.”

View the original press release by Ruckus Wireless.

Palo Alto Networks Adds to Its Next-Generation Firewall Lineup With New Hardware That Speeds Decryption and Improves Performance

February 22nd, 2018

New PAN-OS Release Simplifies Decryption and Helps Organizations Use Best Practices to Improve Security Posture

Palo Alto Networks®, the next-generation security company, today announced new hardware and updates to its PAN-OS® operating system that further enable organizations to easily implement and automate best practices for application-based controls that strengthen security. With today’s announcement, Palo Alto Networks introduces PAN-OS version 8.1, the PA-3200 Series, the PA-5280, the ruggedized PA-220R and two new models in the M-Series management appliances.

Every organization requires visibility into network traffic in order to prevent successful cyberattacks, but the proliferation of encryption has obstructed the view security teams once had into the data traversing their networks. Gartner predicts that “Through 2019, more than 80 percent of enterprises’ web traffic will be encrypted.”1 Gartner also predicts that “During 2019, more than fifty percent of new malware campaigns will use various forms of encryption and obfuscation to conceal delivery, and to conceal ongoing communications, including data exfiltration.”1

According to Palo Alto Networks, many organizations have not yet addressed the lack of visibility associated with encrypted traffic due to the complexity and performance impact of decryption, leaving those that do not decrypt network traffic without the ability to find and prevent over half of malware campaigns.

The new Palo Alto Networks PAN-OS operating system, version 8.1, reduces the complexity surrounding the implementation of cybersecurity best practices, including those associated with SSL-decryption within multi-vendor environments. New next-generation firewall models improve overall performance and enable customers to decrypt traffic at high speeds. Enhanced application logging adds additional richness to log data to improve the precision of Magnifier’s behavioural analytics with which customers rapidly hunt down and stop advanced threats.

Key benefits of the capabilities announced today include:

  • Easier adoption of SSL-decryption in multi-vendor environments: Streamlined SSL decryption provides high-throughput decryption on the next-generation firewall and enables sharing of cleartext traffic with chains of devices for additional enforcement, such as DLP. This further eliminates the need for dedicated SSL offloaders, simplifying deployment, network architecture and operations.
  • 20X decryption sessions capacity boost at internet edge: With 20 times more SSL-decryption sessions capacity compared to its predecessor, the new PA-3200 Series appliances deliver high-performance decryption at the internet edge. The new PA-5280 appliance brings higher performance and doubles the session capacity for securing large data centers and mobile network operator (MNO) infrastructures.
  • Efficient adoption of best practices: App-ID™ technology-based security can now be achieved with even simpler workflows and policy review tools, allowing administrators to more effectively and confidently enforce best practices for application controls. Further, administrators can maintain a tight and effective app-based security policy with enhanced rule usage tracking.
  • Management at scale: New capabilities simplify the management and operational complexities of large, distributed deployments. The proactive device monitoring feature in Panorama™ management alerts the administrator if device behaviour is deviating from the norm. With little manual effort, the feature can be integrated into an automated workflow to enable operations teams to quickly perform remediation actions. New M-600 and M-200 management appliances deliver high performance, with log ingestion rates up to two times those of their predecessors, and double the log storage capacity.
  • Advanced threat detection and prevention: Updates to the WildFire® cloud-based threat analysis service enable customers to detect zero-day malware using evasive packing techniques, spot malware targeting Linux servers and IoT devices, and find malicious files hiding in less common file archive formats, such as 7-Zip and RAR.
  • Quick detection of targeted attacks: The next-generation firewall evolves to become an advanced network sensor that collects rich data for analytics, which can be easily expanded with content-based updates. As part of the Application Framework, Magnifier uses this data to enable customers to identify advanced attacks, insider threats and malware, with precision.

QUOTES
“The increasing volume of encrypted traffic means that visibility is now more important than ever. Buyers are rolling out tightly integrated security solutions, and are looking for network traffic decryption that’s built into existing cybersecurity infrastructure because it removes complexity, allowing security to function as a business enabler, rather than an inhibitor.”
– Jeff Wilson, senior research director, Cybersecurity Technology, IHS Markit

“PAN-OS version 8.1 introduces many new features to help organizations improve their security and manageability in easy-to-implement ways. The new next-generation firewall and management appliances allow for significantly greater throughput, especially for encrypted traffic, and greater scale. The combined capabilities of our next-generation firewalls and PAN-OS version 8.1 are a major step forward in our mission to help organizations prevent successful cyberattacks.”
– Lee Klarich, chief product officer, Palo Alto Networks

PRICING AND AVAILABILITY

PAN-OS 8.1 will be available to all current customers of Palo Alto Networks with valid support contracts in March. The PA-220R, PA-3200 Series, PA-5280, M-200 and M-600 are orderable on February 26, starting from $2,900 up to $200,000.

[1] Gartner, “Predicts 2017: Network and Gateway Security,” Lawrence Orans et al, 13 December 2016

View the original press release by Palo Alto Networks.
