This week’s news of a major attack against networking’s premier vendor illustrates the critical importance of controlling user access appropriately, and reinforces CA Technologies’ recent acquisition of Xceedium. At least that’s the story according to Mordecai (Mo) Rosen, CA Technologies VP, Product Management and Strategy for Privileged Access Management, who joined the company a month ago when the Xceedium deal closed.
This all started on Tuesday when network security vendor FireEye announced it had discovered at least 14 Cisco router implants spread across four countries: Ukraine, the Philippines, Mexico and India. Called SYNful Knock, it is ‘a stealthy modification of the router’s firmware image that can be used to maintain persistence within a victim’s network. It is customizable and modular in nature and thus can be updated once implanted.’
“If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router,” FireEye Chief Executive Dave DeWalt told Reuters of his company’s discovery. “This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool.” The attacks have hit multiple industries and government agencies, he said.
Cisco acknowledged the news the same day, saying it had recently alerted customers ‘around the evolution of attacks against Cisco IOS Software platforms.’ Cisco worked with Mandiant/FireEye and ‘confirmed that the attack did not leverage any product vulnerabilities and that it was shown to require valid administrative credentials or physical access to the victim’s device’, blogged Omar Santos, Incident Manager, Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations.
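Because the implant lives in a modified firmware image rather than in an exploited bug, the practical check is whether the image on a device still matches what the vendor shipped. The following is an added example, not code from Cisco, FireEye or CA: it hashes an image copied off the device and compares it against a manifest of vendor-published digests. The manifest, the image file name and the image bytes are all constructed for the example; the hashing should be done off-box, because a `verify` command run on an already-implanted router cannot be trusted to report honestly.

```python
import hashlib
import tempfile
from pathlib import Path


def digests_of_bytes(data: bytes) -> dict:
    """MD5 (what many vendors publish) and SHA-256 of an image blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def image_digests(path) -> dict:
    """Hash a file in chunks so multi-hundred-MB images do not need to fit in RAM."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def check_image(path, manifest: dict) -> str:
    """Return 'ok', 'hash_mismatch' or 'unknown_image'.

    manifest maps an image file name to the vendor-published digests for it.
    A file whose name is not in the manifest is reported separately from a
    file whose name is known but whose contents differ, because the two call
    for different follow-up (verify the source vs. treat the device as
    compromised). Every algorithm listed in the manifest must match.
    """
    expected = manifest.get(Path(path).name)
    if expected is None:
        return "unknown_image"
    actual = image_digests(path)
    for algo, digest in expected.items():
        if actual.get(algo) != digest:
            return "hash_mismatch"
    return "ok"


def demo() -> dict:
    """Constructed scenario: one pristine copy, one single-byte implant, one
    image the manifest has never heard of. File names and bytes are made up."""
    golden = b"ROUTER-IMAGE\x00" + bytes(range(256)) * 4
    # Hypothetical manifest, standing in for digests the vendor publishes
    # separately from the device (never derived from the device itself).
    manifest = {"router-image-15.x.bin": digests_of_bytes(golden)}

    with tempfile.TemporaryDirectory() as d:
        pristine = Path(d) / "router-image-15.x.bin"
        pristine.write_bytes(golden)

        # Same name, same size, one byte changed: a size check alone would
        # miss this, which is why the full content is hashed.
        implanted_dir = Path(d) / "implanted"
        implanted_dir.mkdir()
        tampered = implanted_dir / "router-image-15.x.bin"
        tampered.write_bytes(golden[:100] + b"\xff" + golden[101:])

        unknown = Path(d) / "unknown-image.bin"
        unknown.write_bytes(golden)

        return {
            "pristine": check_image(pristine, manifest),
            "tampered": check_image(tampered, manifest),
            "unknown": check_image(unknown, manifest),
        }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The check deliberately requires every digest in the manifest to match rather than any one of them, so a manifest that carries only MD5 can later be tightened by adding SHA-256 without changing the code. It says nothing about the boot loader (ROMMON) or the running memory image; a persistent implant can also be confirmed by comparing the image as loaded, which is beyond a file hash.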
On Wednesday Cisco released a security advisory about multiple vulnerabilities in Cisco Prime Collaboration Assurance. It has released software updates that address these vulnerabilities, but noted that workarounds that mitigate these vulnerabilities are not available.
This attack reinforces CA’s identity-centric approach to breach prevention and detection, said Rosen. “The Cisco SYNful breach is a very common pattern familiar to all of us.” The breach is the norm, not the exception, and the linchpin was privileged account management, he said.
Rosen referred to the FireEye report that found breaches can go undetected for years. “The average gestation period from breach to discovery was 9 months.”
He used the military term adopted by infosec, the kill chain, to describe the three-step process in cyber attacks: obtain access; elevate privilege; and wreak havoc. The industry’s traditional perimeter approach is largely to blame, he added.
“A tech refresh has to happen in security.” For most of the last 30 years, it’s been a case of building a perimeter and then letting everybody in. “Identity management… has to become an enormous priority”.
Protecting against attacks on privileged user credentials can be the difference between staying in business and going out of business. “I perceive a transition going on here… that there needs to be a security refresh… from perimeter… to identity… I see it going on now, and going on aggressively.”
According to Gartner’s Market Guide for Privileged Access Management, released in May and revised a month later:
- prevention of both breaches and insider attacks has become a major driver for the adoption of privileged access management (PAM) solutions, in addition to compliance and operational efficiency;
- the PAM market continues to see strong growth across the board, with new players entering the market; and,
- adoption of PAM products by organizations is often partial, leaving gaps that translate to risk.
The research company estimates the PAM market was worth just over $500 million last year, up a respectable 32%. A more recent study predicts that the Privileged Identity Management market will grow at a CAGR of 26.82% over the period 2014-2019. Along with CA, other key vendors identified were BeyondTrust Software, CyberArk Software, IBM and Lieberman Software.
Just throwing more money at security isn’t the answer: it’s still too easy for the bad guys to get in, according to last month’s survey at Black Hat 2015. It found that most hackers (75%) have not seen a fundamental change in the level of difficulty in compromising privileged account credentials, despite an overall increase in IT security spending over the past two years.
Rosen said CA will be making a number of exciting announcements at November’s CA World that will be “impressive and effective.” Today the industry separates identity from security, he said, but he sees them “merging together, crashing together, by necessity, because there is no security without identity.”
He thinks the transition is going on everywhere. “Identity and security cannot be separated.”