Archive | February, 2016

Network Security: Mining the Alphabet Soup for What Matters

The security industry likes to create acronyms – IAM, UTM, NGFW, MFA, EDR, etc. Perhaps it comes from the general human tendency of wanting to simply define complex topics. In an ever-changing industry, like information security, these acronyms and groupings create major challenges over time. Each year there are new threats, and with that comes more innovation and different approaches to security – all of which we try to initially force into predefined groupings – often diluting the value of the evolving technologies and confusing end-users. One such example is the ongoing attempt to force network security platforms into two distinct groups: Next-Generation Firewall (NGFW) and Unified Threat Management (UTM) appliances. The confusion between the two has become so apparent that analysts at last year’s Gartner’s Security and Risk Management Summit held a roundtable discussion on the very topic. The fact is that most end customers just want good security that solves their network security threats – they care less about NGFW and UTM. Today, I hope to both clear up some of that confusion, and share some data that quantitatively illustrates why UTM protections measurably increase your security efficacy.

UTM vs. NGFW; What’s the Difference?

At one point in time, when analysts first defined these two product segments, they had clear feature delineations in mind. At the highest level, NGFW appliances were firewalls with intrusion prevention systems (IPS) and application control, whereas UTM appliances were firewalls with IPS, antivirus (AV), URL filtering, and anti-spam capabilities. However, over time both markets have organically evolved and changed. Now both solutions share a similar core set of capabilities. For instance, some NGFW solutions have added new security controls (like malware detection), which used to fall into the UTM camp. Meanwhile, UTMs have adopted all of the security features that helped define the NGFW market—such as application control—and have even added additional new security services to the mix.

This melding of feature sets between NGFW and UTM has made it a bit more difficult to differentiate products, but I think one high level description holds true. UTM solutions focus on unifying as many security controls as possible in one place, making them easier and more cost effective to manage, whereas NGFW solutions focus on only consolidating a limited subset of controls; specifically, ones that make the most sense in certain use cases, such as in a big data center environment. In plain English, UTM solutions tend to include more types of security controls than NGFWs.

How Layered UTM Security Improves Overall Defense

In essence, UTM’s core value proposition is that it combines many security controls in one place, increasing your overall security efficacy, and making layered security attainable for some organizations that couldn’t implement it otherwise. To really appreciate this, you need to understand why layered security improves your overall defense efficacy.

Ultimately, there are two reasons UTM layered security offers the best defense:

  1. No single security control is infallible – History has proven that information security is a constant arms race. The good guys invent a new security control that blocks an attack at first, but the bad guys react and find new ways to evade those defenses. Antivirus (AV) is a great example of this. The industry started with signature-based solutions that originally did a good job, but eventually the bad guys evolved, and reacted with new evasion techniques that bypassed reactive signature-based solutions. Today, we have more advanced, behavioral-based AV solutions, but already attackers are exploring ways to trick these new solutions. The point is, no matter how great a security control might seem, attackers will find ways around it, which is why it’s important to have the additional layers of security a UTM appliance provides to pick up the slack.
  2. There are different stages to a modern, blended attack – You can break down modern network attacks into multiple stages. For example, the initial attack delivery, the exploit portion of the attack, the payload or malware delivery, the call home to the attacker, and so on. Security experts often refer to these stages as the Kill Chain. The importance of these stages is twofold. First, each stage is an additional opportunity for you to catch the attack. If you miss the first stage, you might still stop the second. Second, each of these stages requires a different type of defense. For instance, IPS isn’t intended to catch malware, but rather to block software exploits. WatchGuard’s UTM appliances break the Kill Chain by incorporating all the different types of defenses necessary for each stage of an attack, and by layering them together so that a miss at one stage doesn’t rule out a block at another stage. Simply put, the more stages of an attack you protect against, the more effective your overall defense is, even when new threats bypass one defense.

At WatchGuard we care less about what you call what we do – UTM, multi-layered security, NGFW – we care more for the fact that we have created a mechanism to catch all the various stages of a modern network attack, and by layering these protections together, we give you multiple opportunities to block the threat even when one defense fails.


Don’t Just Take My Word for It!

On a theoretical level, it’s pretty easy to understand the value that WatchGuard’s layered UTM solutions provide, but analytical, scientific-minded people require quantifiable proof before they believe in any theory. Fortunately, NSS Labs, one of the world’s leading independent security product testing laboratories, has recently released a new threat warning service and testing methodology that proves the value of layered UTM security.

NSS Labs’ Cyber Advanced Warning System (CAWS) enables vendors and end-users alike to view how effectively a variety of network security solutions block real-time security threats. Subscribers can view the efficacy of each solution operating under different profiles: a base profile that enables only the NGFW-type features defined earlier in this blog, and an advanced profile in which a vendor can also enable value-added UTM services like the ones I described above, which we provide at WatchGuard.

WatchGuard has actively participated in the CAWS service for the past few months. It has not only helped us increase our security efficacy, but has also provided a very quantifiable measure of why UTM defenses work. Here’s a chart showing WatchGuard’s “block rate” results for about a month of new CAWS attacks:

Figure 1: Image courtesy of NSS Labs CAWS system

In the chart above, the lower, orange line represents a traditional NGFW, which primarily uses only IPS to catch threats. The upper, muddy-yellow line represents our product using the full UTM feature set, which includes antimalware services like GAV and APT Blocker, as well as all of our URL filtering services.

What’s important to note is the drop in our IPS-only block rate on January 31st. While there could be a few reasons for this, it’s typically indicative of a new attack that our IPS didn’t catch. So why would I highlight this IPS miss? Well, look at the yellow, UTM line: its block rate stays relatively high, despite the fact that IPS might have temporarily missed something new. Whether our daily IPS efficacy goes up or down, our full UTM defenses still catch well over 90% of the new threats each day. This further reinforces the importance of a layered approach to security, as dips in IPS efficacy are not unique to WatchGuard.
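As an added illustration (not code from WatchGuard or NSS Labs), here is how the two lines in a chart like the one above relate: an attack counts as blocked under a profile if any enabled layer catches it, so the layered profile’s daily block rate is a union over layers, and a day on which IPS misses a new exploit need not dent it. The per-attack verdicts, the dates and the layer labels ips, gav, apt and url are all constructed for the example.

```python
from collections import defaultdict

# Constructed verdicts: day -> attack id -> {layer: True if that layer blocked it}.
# Layer names (ips, gav, apt, url) are this example's labels, not product fields.
SAMPLE_VERDICTS = {
    "2016-01-30": {
        "a1": {"ips": True,  "gav": True,  "apt": False, "url": False},
        "a2": {"ips": True,  "gav": False, "apt": True,  "url": False},
        "a3": {"ips": False, "gav": True,  "apt": False, "url": False},
        "a4": {"ips": True,  "gav": False, "apt": False, "url": True},
        "a5": {"ips": False, "gav": False, "apt": False, "url": False},  # missed by all
    },
    "2016-01-31": {  # constructed "IPS miss" day: a new exploit with no IPS signature yet
        "b1": {"ips": False, "gav": True,  "apt": True,  "url": False},
        "b2": {"ips": False, "gav": False, "apt": True,  "url": True},
        "b3": {"ips": True,  "gav": True,  "apt": False, "url": False},
        "b4": {"ips": False, "gav": False, "apt": True,  "url": False},
        "b5": {"ips": False, "gav": True,  "apt": False, "url": True},
    },
}

PROFILES = {
    "ngfw_ips_only": ["ips"],                     # the lower, IPS-only line
    "utm_layered": ["ips", "gav", "apt", "url"],  # the upper, full UTM line
}

def block_rate(day_verdicts, enabled_layers):
    """Percent of the day's attacks blocked by at least one enabled layer."""
    if not day_verdicts:
        return 0.0
    blocked = sum(1 for layers in day_verdicts.values()
                  if any(layers.get(l, False) for l in enabled_layers))
    return round(100.0 * blocked / len(day_verdicts), 1)

def daily_rates(verdicts, profiles):
    """profile name -> {day: block rate}, one series per chart line."""
    out = defaultdict(dict)
    for day, day_verdicts in sorted(verdicts.items()):
        for name, layers in profiles.items():
            out[name][day] = block_rate(day_verdicts, layers)
    return dict(out)

def unique_catches(day_verdicts, enabled_layers):
    """layer -> attacks that only this layer blocked: the marginal value of each layer."""
    counts = defaultdict(int)
    for layers in day_verdicts.values():
        hits = [l for l in enabled_layers if layers.get(l, False)]
        if len(hits) == 1:
            counts[hits[0]] += 1
    return dict(counts)

if __name__ == "__main__":
    for name, series in daily_rates(SAMPLE_VERDICTS, PROFILES).items():
        print(name, series)
    print(unique_catches(SAMPLE_VERDICTS["2016-01-31"], PROFILES["utm_layered"]))
```

The unique_catches view is the number a practitioner wants when deciding whether a given service earns its place: on the constructed miss day only the sandbox layer stops one of the attacks.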

Some have claimed that defense-in-depth, or layered security, is dead. They make this declaration out of frustration, because lately we’ve seen so many organizations get compromised despite some defenses. However, I believe layered security is still the most effective way to prevent the majority of attacks. Breaches will still happen because no defense is infallible, but WatchGuard’s NSS Labs’ CAWS testing proves that having the layered security of a UTM appliance increases your overall security efficacy, and can even successfully block an attack when one layer of security misses. — Corey Nachreiner, CISSP (@SecAdept)

Play-Doh Hacks iPhone – Daily Security Byte EP. 224

Some say passwords are dead, and offer solutions like biometrics to solve our authentication problems. However, if children’s Play-Doh can defeat fingerprint readers, are biometrics really that much better? Watch Friday’s episode to learn more about a new iPhone fingerprint reader hack, and why I think multi-factor authentication is the real solution.

(Episode Runtime: 2:18)

— Corey Nachreiner, CISSP (@SecAdept)

MouseJack – Daily Security Byte EP. 223

Besides being 2016’s first set of vulnerabilities with a marketing name, MouseJack is a group of security flaws that might allow attackers to hijack your computer via a wireless mouse or keyboard. Watch today’s Byte to learn more about this flaw, and what you might do about it.

(Episode Runtime: 2:28)

— Corey Nachreiner, CISSP (@SecAdept)

Locky Ransomware- Daily Security Byte EP. 222

If you only watch the Daily Security Bytes, but don’t read the blog, you may have missed our recent written post on the Locky ransomware. Today’s episode quickly summarizes this post and why you should read it to make sure you’ve configured the WatchGuard defenses that can keep this kind of threat off your network.

(Episode Runtime: 2:24)

— Corey Nachreiner, CISSP (@SecAdept)

Kid Tracking Company Leaks Data – Daily Security Byte EP. 221

If you collect data to track children for parents, it’s probably a good idea to put a password on the database holding all that tracking data. In today’s episode I share a security industry drama around a researcher reporting just such a flaw, but not getting the best response. More importantly, I share resources you could leverage to make sure you don’t make the same mistakes this company did.

(Episode Runtime: 3:55)

— Corey Nachreiner, CISSP (@SecAdept)

Firebox M4600 & M5600

Today WatchGuard is pleased to announce the new Firebox M4600 and M5600 models, completing the replacement of all of our older XTM appliances with a new generation of hardware. Now, from the smallest Firebox T10 to the top of the line Firebox M5600, there is a new Firebox appliance that provides critical network and security functions in a single, centrally managed UTM platform that is easy to set up, deploy and manage.

Figure: Firebox M4600 with expansion modules installed

The WatchGuard Firebox M4600 and Firebox M5600 appliances both provide two empty bays that can be used to add expandable network modules to meet the needs of a wide range of network configurations. Both models support three modular interface options that each add either four or eight interfaces to the Firebox:

  1. 8 x 1 Gb Fiber
  2. 4 x 10 Gb Fiber
  3. 8 x 1 Gb Copper

The picture above shows an M4600 with options 1 and 2 in the two expansion bays. Expandable network modules offer room to grow for the future. If the need for more network ports into the firewall grows, the business doesn’t have to do a costly rip out and replace. The network admin can simply add a new module to the existing appliance to add extra ports.

These exciting new products are Generally Available (GA) now. Learn more through some of the new resources that are available with today’s public launch:

The M4600 provides 8 Gbps UTM throughput, and the M5600 is the fastest Firebox ever with 11 Gbps UTM. Download the datasheet with the full technical specifications for the two new appliances.

Use our new interactive module selector on the web to explore the different network module options available for each model, and see how the firewall throughput can depend on module configuration.

We also have a new technical brief that explains in detail how the new network modularity concept works in WatchGuard appliances.


Linux Distro Backdoored – Daily Security Byte EP. 220

It would suck to have your website hacked, and your user database stolen by malicious attackers. However, can you imagine those attackers also creating a backdoored version of your software, and distributing it among your customers from your very own site? Unfortunately, that’s exactly what happened to Linux Mint, the makers of a popular Linux distribution. Watch today’s episode to learn more, including what you should do if you downloaded Linux Mint recently.

(Episode Runtime: 2:19)

— Corey Nachreiner, CISSP (@SecAdept)

Locky – New Crypto Ransomware in the Wild

Last week, a new ransomware variant called Locky began spreading in the wild.

Locky encrypts data on an infected system using AES encryption, and then leaves a blackmail letter (which is localized in several languages) asking for half a bitcoin to get your data back. More disturbingly, it also searches for any network share (not just mapped shares), and encrypts data on those remote shares as well. If you leverage cloud storage solutions, your backup may get infected as well when it synchronizes the encrypted files. Currently, researchers have not found a way to decrypt files Locky has locked.


Figure 1: Example of Locky’s ransom warning.

Kevin Beaumont, one of the security researchers studying this ransomware, managed to intercept some of the domains Locky uses for its Command & Control (C&C) channel. This allowed him to estimate infection rates, and he found Locky seems to infect over 100,000 victims per day. Infection rates varied by country, led by Germany with around 5000 new infections per hour at its peak.

In most cases, Locky arrives in an email that includes an Office document with a malicious macro. If you open the document, it tries to infect you with the ransomware. Other variants sometimes arrive as a .zip file, which contains some malicious JavaScript. The emails are mainly fake invoices.
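As an added example, not WatchGuard’s code, here is a mail-gateway style pre-filter for the two delivery vectors just described: a .zip carrying script files, and an Office document carrying a macro. Attachments it cannot judge on its own (legacy binary .xls/.doc files, which need an OLE parser to inspect for macros) are handed to the AV and sandbox layers rather than passed through; the attachment contents are constructed, and the file name from this post is reused only as a label.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
OFFICE_EXTS = (".doc", ".xls", ".docm", ".xlsm", ".dotm", ".docx", ".xlsx")

def triage_attachment(filename, data):
    """Return ('block' | 'sandbox' | 'pass', reason) for one mail attachment."""
    name = filename.lower()
    if name.endswith(".zip") and data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                scripts = [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
        except zipfile.BadZipFile:
            return "sandbox", "unreadable zip archive"
        if scripts:
            return "block", "zip contains script file(s): " + ", ".join(scripts)
        return "pass", "zip without script payload"
    if name.endswith(OFFICE_EXTS):
        if data.startswith(OLE_MAGIC):
            # Legacy format: macro presence cannot be read without an OLE parser,
            # so defer to the signature AV / behavioural sandbox layers.
            return "sandbox", "legacy OLE Office document (possible macro)"
        if data.startswith(b"PK"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    has_vba = any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
            except zipfile.BadZipFile:
                return "sandbox", "unreadable OOXML document"
            if has_vba:
                return "block", "OOXML document embeds a VBA project"
            return "pass", "OOXML document without macro"
        return "sandbox", "Office extension with unexpected content"
    return "pass", "no Locky delivery indicator"

def _zip_bytes(members):
    """Constructed fixture: an in-memory zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in members.items():
            zf.writestr(n, b)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: fake invoice zip with JS, a legacy .xls header, a macro .xlsm
    print(triage_attachment("invoice.zip", _zip_bytes({"invoice.js": b"// constructed"})))
    print(triage_attachment("Rechnung-263-0779.xls", OLE_MAGIC + b"\x00" * 16))
    print(triage_attachment("invoice.xlsm", _zip_bytes({"xl/vbaProject.bin": b"\x00"})))
```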

Last Thursday, I personally received a variant of Locky in an attachment called “Rechnung-263-0779.xls” (which is German for “invoice”) in a Spam inbox. I decided to use this file to analyze all the ways WatchGuard’s unified threat management (UTM) appliances could stop this brand new ransomware.

To start, I uploaded the infected file to VirusTotal to see which antivirus (AV) vendors had a signature available. As the email had already been in my inbox for over 24 hours, 26 out of 55 AV scanners were able to detect it. AVG—the AV engine WatchGuard uses for Gateway AntiVirus (GAV)—was on that list. So right away, WatchGuard’s GAV service can block this particular variant from reaching our customers.

Figure 2: VirusTotal results for my Locky variant

Nowadays, malware changes and evolves quickly, which is why signature-based AV often can’t keep up with the latest threats. To combat this problem, WatchGuard offers another layer of protection to detect brand new, never before seen malware files. We call this solution APT Blocker. I also ran this ransomware variant through our next-gen sandbox to see whether or not APT Blocker detected the file’s bad behavior. It did! The malicious “invoice” file received a score of 99/100, which represents a high risk. It’s particularly important to understand the added benefit of the APT Blocker solution. Even if the file used to deliver Locky changes, its behaviors won’t. That’s why this solution can catch new things signatures might miss.

Figure 3: APT Blocker sandbox detects Locky


Another question came to my mind: What happens if the ransomware is already in place, or reaches the system from another source (e.g. USB drive)?

As I mentioned earlier, Kevin Beaumont managed to identify some of the domains Locky uses for its C&C connections. WebBlocker, the URL categorization service in WatchGuard Fireware, treats them as subcategories of “Security” or “Extended Protection”. If you block these categories with WebBlocker, it prevents Locky from calling home, and also helps you identify systems that have gotten infected. To verify this, I entered one of Locky’s known C&C domains into our online tool to confirm that we indeed list it as a known bot network channel.


Figure 4: WatchGuard WebBlocker recognizes Locky domain as malicious

Once I verified that many of our UTM’s security services could detect Locky, I ran through one last test… I personally tried to download the malicious file “Rechnung-263-0779.xls” from my webmail.

I’ve configured my WatchGuard Firebox with HTTPS Deep Inspection. This feature allows WatchGuard’s security services, such as GAV and Intrusion Prevention Service (IPS), to run security scans even on encrypted web traffic, like the webmail I was using to download this ransomware. Despite the encrypted webmail connection, our Firebox detected and blocked the Locky invoice file with the GAV service. It was unable to reach my workstation.

As you can see, WatchGuard XTM and Firebox appliances have several features that can help prevent ransomware like Locky. However, these protections only work if you turn them on and configure them properly. If you want to keep Locky off your network, I highly recommend you read the Knowledgebase Article “How to prevent ransomware and other malicious malware with your Firebox”. — Jonas Spieckermann


Hospital Held Ransom – Daily Security Byte EP. 219

Crypto ransomware has plagued consumers and small businesses for a few years now, but when it affects hospitals things get dangerous. Watch Friday’s Byte to learn how ransomware forced a hospital in LA back to the paper age, and what you can do to prepare your organization for a digital disaster.

(Episode Runtime: 2:46)

— Corey Nachreiner, CISSP (@SecAdept)

Apple vs.The FBI – Daily Security Byte EP. 218

This week, Apple’s CEO, Tim Cook, posted a public letter to his customers explaining why Apple intends to fight a court order demanding that they help crack the security of a dead terrorist’s iPhone. Hearing this, you might think, “I don’t use Apple stuff, so I don’t care,” or “this doesn’t affect me and I want them to catch terrorists.” The problem is, this issue could set a precedent that will affect all of us. Watch today’s Byte to learn more about this issue and why it could affect you, and check out the references below, especially Cook’s Letter, for more details.

Show Note: Unfortunately, this episode is posting a few days late, and I missed a day of the Daily Byte. Technical issues forced me to re-shoot the content.

(Episode Runtime: 8:01)

— Corey Nachreiner, CISSP (@SecAdept)