Here at WatchGuard, we use best-in-class too in defining our UTM solution, but we do it based on its design. It’s actually how we built our UTM appliances. While the other UTM providers struggle to develop the many diverse security technologies in-house, we partner with the category leaders in each specialized technology sphere. This means that our customers get mature, highly vetted, best-in-class network security solutions from AVG, Websense, BroadWeb, MailShell, Kaspersky, and other leading technology specialists.

If you are going to consolidate a security feature typically provided by a point solution into a UTM appliance—we believe that the UTM security feature should be of comparable efficacy to truly deliver best-in-class network security solutions. We understand and accept that no single company will ever be able to adequately research and develop the best technology for each discrete security problem. A shortcoming of the homegrown approach to multilayered network security, is that these UTM vendors end up producing a watered down security solution at each layer. We believe this practice contributes to the reluctance of some organizations to choose UTM appliances for their security.

No other network security vendor incorporates the best-in-class mantra to the extent that WatchGuard does, nor does any other company match our effectiveness at seamlessly integrating the partner security service into the user interface (UI).

Our best-in-class approach means our customers do not have to make security tradeoffs in order to benefit from consolidating security services and management and reduced cost. Layer-by-layer, our XTM multi-function network security firewall provides superior security over what competitors’ combination of in-house technologies can possibly muster.

Does our best-in-class approach work? Well many vendors who freely tout their raw throughput numbers are not so quick to publicize their UTM throughput numbers— the performance of the firewall once all the UTM security services are turned on. Our UTM performance is up to 3 times faster than UTM appliance performance of corresponding models from the other guys. If you are using a network security firewall for security (as we expect most organizations are), UTM performance is the only firewall performance metric that matters.

This is why we use best-in-class to describe how our UTM appliance is built, and why we use The Smart Firewall to describe the actual UTM appliance itself.

Shadow IT has been around for quite some time, but BYOX adoption is exploding fast and permeating organizations to the point of no return.  In fact, PricewaterCoopers (PwC) estimates 15% – 30% of IT spending now occurs outside the IT department budget. Today’s workforce is imbued with the mindset that, for any task–“there is an app for that.” Illustrating this, Netflix recently found that its employees were using 496 smartphone apps, generally for data storage, communications, and collaboration; while Cisco Systems found that its employees were leveraging hundreds of apps, as well as services for shopping and personal scheduling.

It’s been argued that BYOD can increase employee productivity, and an iPass survey of 1,100 mobile workers suggested that employees who use mobile devices for both work and personal needs put in 240 more hours per year than those who do not. BYOD and BYOX can also result in higher employee satisfaction and greater worker collaboration. All these benefits aside, there still needs to be tools and processes in place for network security management and data security… and there are.

Embrace the benefits of BYOD and BYOX and consider these FIVE network security management protocols:

1. Establish full network visibility – Take a benchmark snapshot via firewall logs and reports for insight into what devices are actually connected to the network and what applications are being used. Continuously monitor for vulnerabilities, exploit attempts, misuse, and devices that have gone off-line.
2. Application Access Control is an essential technology – Application Access Control plays a pivotal role in making a BYOX policy secure and efficient. Get visibility and control over shadow IT apps running across your network by identifying specific applications and functions that are acceptable, as well as others that are not. With application access control in place, the network becomes agnostic to the device, and can enforce policies based on specific, acceptable applications.
3. Apply policy to a segmented network – Sensitive data should always reside on a different network than that which is open to guests, contractors, or other non-employees. With a segmented network, IT can apply one set of policies for employees and another set for guests.
4. Enforce strong access control passcodes – Far too often, businesses resort to user-generated passwords, which are more susceptible to compromise. Password policies for BYOD devices should be as robust as they are for traditional IT assets, such as laptops or desktop computers.
5. Establish a policy – We harp a lot about setting IT policy, but that’s because while simple in nature it’s often missing or lax. IT should focus on policy to “keep BYOD/BYOX simple.” Consider making a broad list (a meta-table) of acceptable devices that can access the corporate network and state which devices/operating systems that IT will and will not support. With device sprawl becoming a more palpable concern for IT departments, it makes sense to centrally manage policy per user, rather than having a separate policy per device each user may use. A device-agnostic policy approach makes the platform less important than the needs of the user—and makes network security management easier for IT. When employees access the corporate network on their own device, they should agree to adherence of company acceptable use policies, as well as IT monitoring and risk management tools. Make sure you have tools in place to measure compliance. Finally, your BYOD/BYOX policy should be regularly communicated to all employees.

BYOD, BYOX, shadow IT… these aren’t going away, and will likely only continue to proliferate your organization as more apps, devices, and cloud tools become available. These five network security management protocols can help get you started. For more information and five more tips, download the whitepaper – Illuminate Shadow IT and Securely Manage BYOX.

Today’s virtualization security solution needs to defend against botnets, Advanced Persistent Threats (APTs), and other attacks, while keeping your organization in control when using Web 2.0 applications. The architecture should consist of different security layers that work cooperatively with one another to dynamically detect, block, and report on malicious traffic while passing benign traffic through as efficiently as possible. It should be able to protect your organization from new, unknown threats – often called zero day threats.

1. As you explore your virtualization security options, here are six capabilities you’ll need to consider:A cloud-based URL reputation enabled defense that protects web users from malicious web pages, while dramatically improving web throughput
2. Ability to block unwanted email with 100% accuracy along with the viral payloads that spam often carries. Recognize spam regardless of the language, format, or content of the message – even image-based spam that anti-spam products often miss
3. A URL filtering service that blocks access to dangerous and inappropriate web sites in the workplace. Able to filter URLs on both HTTP and HTTPS to close the HTTPS loophole many web filters leave wide open
4. A powerful signature-based protection at the gateway against known viruses, trojans, worms, spyware, and rogueware
5. Ability to scan all ports and protocols to block attacks that comply with standard protocols but carry malicious content, including buffer overflows, SQL injections, and remote file inclusions
6. Ability to stay on top of the applications running on your network for tight security and high productivity and establish which applications can be used within your organization

If you’re attending Interop in Las Vegas this May, be sure to swing by booth 751 where we’ll be speaking on everything you need to know about virtualization security. Hope to see you there!

So now you’re in the market for a smart UTM system that can deliver broad protection, but what to look for… A UTM appliance can vary significantly from vendor-to-vendor, which can only make an accurate evaluation somewhat cloudy. While UTM security vendors may seem to offer a similar checklist of core technologies and features (firewalling, IPS, etc.), when evaluating vendors, recognize that there is enormous disparity between UTM solutions in the following five critical areas:

1. Quality of the features/capabilities. The most prevalent approach among UTM vendors is to rely primarily on homegrown technologies for their gateway AV, URL filtering, application control (if they have any), anti-spam, and other security services. However, we believe that no single company will ever be able to adequately research and develop the best technology for each discrete security problem. A shortcoming of the homegrown approach to multi-layered security, is that these UTM vendors end up producing a watered down security solution at each layer. We believe this practice contributes to the reluctance of some organizations to even choose a UTM solution for their security. It’s also why we here at WatchGuard use a best-in-class approach to delivering the smartest UTM appliances available; integrating the leading technology provider for each security layer – Websense for URL filtering, Mailshell for anti-spam, and so on.

You’ll also want to be sure that your account for security needs if you’re working in a virtualized environment. As Neil McDonald of Gartner said, “…Unless you put virtualized security controls—virtual sniffers, virtual firewalls, all the same controls you’d use on a physical server, inside that network, you don’t see what’s going on.”

2. Security performance or UTM performance. A high performance packet throughput device, even one with custom ASIC processors, can fail over when a full suite of unified threat management tools are enabled. Many security vendors who freely tout their raw throughput numbers are not so quick to publicize their UTM throughput numbers— the performance of the firewall once all the UTM security services are turned on. Once you activate the UTM security functions—such as those necessary for PCI DSS compliance (AV, IPS, etc.)— the performance evaporates in many competitor firewalls. By the way, our UTM performance is up to 3 times faster than UTM performance from most of the other vendors.

3. Manageability and ease of use. We see it all too often with competitor solutions–poorly integrated management processes needlessly introduce complexity to administration. Improperly configured gear undermines security. Why not just make a security solution that’s as easy as possible for administrators of all skill sets to manage. One that provides state-of-the-art centralized management capabilities and innovative ease-of-use technologies, features that help administrators:

• dramatically cut down on errors
• quickly hone in on problem areas
• save hours of time
• rapidly enact policy changes and firmware updates across hundreds of XTM appliances

Something to also consider when evaluating the manageability of your UTM is whether there are premium charges for certain functionality that should be provided as standard options. Look for simple, easy-to-use management in your UTM appliance.

4. Flexibility. Security vendors differ conspicuously in the flexibility of the solution they market to customers. For instance, some UTM products can only add security services by physically bolting on software cartridges, or blades. Such an architecture only provides a limited number of slots for which to add in security services, forcing you to tradeoff one security function for another when enabling UTM capabilities. We believe lack of flexibility is a serious shortcoming of many of the competitor firewall solutions on the market. Many UTM/NGFW vendors have taken a short-sighted route of designing a security appliances to tackle only the threats of the current day.

Flexibility should also extend to ownership. Through firmware updates and software upgrades, UTM customers should be able to boost security services, subscriptions, and capabilities on the fly, without ever having to swap out hardware—further extending the life of the appliance. UTM appliances should also have a high degree of network systems interoperability. This way, regardless of the network topology mix (Cisco, Juniper or other), your UTM appliances will provide maximum interoperability.

5. Reporting and Visibility. Network visibility and security go hand-in-hand—and when it comes to achieving regulatory compliance (PCI DSS, HIPAA, CIPA, etc.), auditability is required. So, why would a security vendor not include visibility and reporting tools? Yet, many vendors charge extra for these capabilities, often requiring purchase of a separate product just for reporting.

Network security poses one of the most preponderant challenges confronting organizations today. Spyware, spam, viruses, Trojans, web exploits, and blended threats evolve and spread with alarming speed and regularity. Moreover, the emergence of new business enablement technologies exposes new attack surfaces. We see it with the growth in IP networks and proliferation of web 2.0 applications, devices (BYOD), and web technologies in the workplace. We see it with increasing reliance on cloud-based infrastructures (SAAS, PAAS, IAAS). Along with the exciting potential to cultivate work efficiencies and business opportunities, these technologies also generate more potential headaches for IT administrators.

Boosting your network security solutions with a UTM appliance is smart! Ensuring these five UTM appliance traits are part of your UTM appliance selection is even smarter. Also be sure to check out our whitepaper – Defining, Evaluating, and Designing Best-In-Class Network Security.

The distributed retail environment presents a multitude of unique IT challenges that stand apart from a more pedestrian single-store infrastructure; business pressures are forcing retailers to be more agile, more aggressive, and more efficient. To remain competitive, retailers have to invest in IT systems that help retain and nurture customer and brand loyalty, as well as increase sales and, simultaneously, reduce operating costs. No easy task to be sure!

So what does it take to meet the PCI DSS protocol? Simple… you meet these 12 requirements:

Build and maintain a secure network:

• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data:

• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program:

• Use and regularly update antivirus software or programs
• Develop and maintain secure systems and applications

Implement strong access and control measures:

• Restrict access to cardholder data by business need to know
• Assign unique IDs to each person with computer access
• Restrict physical access to cardholder data

Regularly monitor and test networks:

• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

Maintain and information security policy:

• Maintain a policy that addresses information security protocol for all personnel

Any retailer found to be non-compliant may face substantive financial penalties, regardless of whether or not a breach has occurred. Typically, fines for non-compliance are levied based on the size of the retailer, but in some cases, a credit card provider reserves the right to expel a retailer from its program, thus effectively cutting off acceptance of that vendor’s credit card. Therefore, it is critical that a retailer maintain PCI DSS compliance.

One way to protect yourself and your distributed retail environment is with a UTM system (preferably from WatchGuard). UTM systems provide unparalleled firewall protection to control data traffic in and out of a distributed network. Additionally, UTM systems protect against unauthorized access from the Internet and include integrated IPS to prevent hackers from gaining access to internal resources.

Specifically designed for distributed retail environments, our RapidDeploy solution is a unique cloud-based configuration utility that enables uniform, rapid deployment of UTM security appliances across a distributed environment. This eliminates the need for IT professionals to pre-configure devices or travel to deployment sites for installation, which significantly reduces total cost of ownership, while also reducing the risk of UTM misconfiguration.

UTMs also offer gateway antivirus protection, and with a security subscription it’s updated automatically and seamlessly. And at WatchGuard, our UTM security supports extensive policy controls. This way, distributed retailers can maintain and enforce uniform policies across a variety of geographic locations. With our LiveSecurity service, your UTM security solution provides best practices and related security updates for retailers to ensure they are up to speed on the latest security developments.

Today’s distributed retail environment architecture is one of the most challenging IT environments, rivaling that of banks and financial institutions. While the distributed retail environment offers substantive business advantages, such as increased sales, improved customer loyalty, and operational efficiencies, it also poses significant challenges. With a smart UTM in place, you can spend more time generating sales, and less time worrying about PCI DSS compliance.

Here are 5 BYOD device management strategies you can use to secure your corporate network and prevent data loss:

1. Create a policy. In an effort to make BYOD as simple as possible to manage, create a broad list of acceptable devices that can access your corporate network. The policy should also clearly outline which devices and operating systems the company will and will not support. In this way, your employees know what they will ultimately be responsible for.
2. Get insights before making decisions. One of the biggest mistakes we see in creating a BYOD strategy is the failure to know what employees are doing on the network. Take a benchmark snapshot via firewall logs and reports, so you can gain insight as to what devices are actually connected to the network, and perhaps more importantly, what applications are being used.
3. Manage passwords more effectively. Password management is something that most organizations do not do a good job with (read one of our previous blogs – We May Know Your Password). User generated passwords are traditionally weak, compromising network security. Make sure that any passwords used on mobile devices in the office environment follow the same rigor as required for office-owned technology.
4. Understand your own compliance needs. Is your organization subject to regulatory controls, such as HIPAA or PCI DSS? If so, be sure that damage controls are in place so that if an employee loses a smartphone or tablet, it can be wiped to avoid data loss.
5. Limit access via VPN technologies. For businesses that require higher degrees of protection, you may want to limit access controls to devices that support some level of VPN connectivity. This way a secure connection is required to access corporate data, regardless of where a consumer device is used.

With the future of computing swaying more and more toward mobile, you’ll face an uphill battle against BYOD adoption, so embrace it. But remember that communicating your BYOD policy, and updating it as needed, is critical.

For more information on BYOD device management and mobile device security solutions, check out our recent whitepaper – BYOD: Bring Your Own Device – or Bring Your Own Danger? You’ll also find 5 more strategies for managing BYOD effectively in your organization.

In many ways, BYOD started at the top. Senior executives who wanted to work from home and abroad were among the first to demand that IT enable access to corporate resources from their personal devices. Because these C-level exceptions were relatively infrequent, IT could manage risks associated with the requests.

The trickle down from this exception quickly escalated, and many organizations have been caught off guard without a BYOD policy in place. And, because consumer devices are so diverse in capability, form factor and function, IT departments can be frustrated with efforts to develop a scalable and manageable plan on how to allow or deny specific consumer devices into the organization.

Unquestionably, BYOD challenges long-standing IT controls to minimize and mitigate risk. And, as businesses explore how to adopt BYOD, the risks associated with it must be examined. Here are 4 risks and challenges inherent in BYOD device management.

1. Data loss. Data loss can vary, and the consequences can be extreme. For example, a recent study by the  onemon Institute estimated that a data breach could cost a company about $200 per compromised record, based upon a variety of factors including the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses, such as new security technology and training. Additional costs can also hamper the bottom line… as an example, a retailer that experiences a data breach may have to pay for credit monitoring services for customers, payment of legal settlements, and PCI DSS information controls for up to 5 years.

2. Viruses entering the corporate network via consumer devices as well as intrusion attacks. Granted, the industry is at a nascent stage of targeted intrusion attacks via mobile devices, but the expectation is that hackers will be able to break out of device browser “sandboxes” and get access to other device functions. This could easily lead to directory harvest attacks or new types of BYOD-driven botnets.

We think Man-in-the-Browser (MitB) attacks will escalate. Traditional malware tends to infect the OS – typically, as an executable program that modifies various boot parameters so it runs every time a computing device is turned on. In contrast, MitB or browser zombies, arrive as malicious browser extensions, plugins, helper objects, or pieces of JavaScript. They do not infect the whole system; instead they take complete control of a device browser and run whenever the user surfs the web.

3. Policy enforcement. With so many devices available to the consumer, IT departments are simply ill equipped to create device-by-device BYOD device management policies. Due to the wide range of devices, it is critical for IT to be able to identify each device connecting to the corporate network, and be able to authenticate both the device and person using it.

4. Insufficient insight into what’s happening in their network. Without being able to see what is going on in the corporate network, IT is hindered in its ability to protect business and information assets. That lack of insight (both in terms of logging and reporting) supports the adage that “you can’t protect what you don’t know.”

There are a myriad of challenges that IT faces in order to deal with BYOD device management. Some of these are risk-management challenges; others are empowerment and usage challenges. Nonetheless, IT must expect to adopt and enforce a BYOD strategy as part of its services to the organization.

Endpoint Security

Endpoint protection and robust encryption are generally mandated on company-owned devices, but personal devices often lack these safeguards.  Moreover, devices used for personal computing and messaging, when off the company grid, lack the protections of the network firewall, leaving the entire organization exposed to hacker exploits, or malware infection, when the device re-connects to the network.

More than a quarter of companies reportedly lack security requirements for smartphones.¹ However, companies that do implement security policies for mobile devices still face the threat of employees trying to bypass these requirements. A Ponemon and Websense joint survey highlighted just that—59% of respondents claimed that employees circumvent or disengage security features such as passwords and key locks.²

Lost Personal Devices: A Data Minefield

In the case of a lost or stolen personal device that stores company-owned data, an employee may be unwilling to have their device data wiped remotely.  In fact, only 55% of mobile workers report having remote wipe enabled on their smartphones, and just 30% on their tablets.”² The inability to rapidly dispose of sensitive data, particularly unencrypted data, exposes organizations to considerable risk.

What You Can’t See, Can Byte You!

A Mobilisafe study encompassing 130 million device connection events reported that over a third of the devices with network access and/or corporate data went inactive for more than a month.³   The presence of so many personal devices used for work that are unaccounted for, and that may retain sensitive data and user credentials, poses a latent threat to organizations.

Outdated Firmware and Version Control

The sheer number and variety of personal devices and operating systems that may be in use across an enterprise poses daunting challenges for IT.  Mobilisafe found that 71% of mobile devices contained high severity operating system and application vulnerabilities. Mobilisafe theorizes that severe vulnerabilities could be reduced 4-fold simply by updating firmware.³

Malware Breeding Grounds

Smartphone users routinely download music and games, access applications, and execute files with minimal regard to file source or authenticity.  Ponemon and Websense reported that, in a one year period, 51% of surveyed organizations experienced data loss resulting from employee use of insecure mobile devices.²

With all the potential pitfalls, it’s easy to understand why some people more cynically refer to BYOD as “Bring Your Own Danger/Disaster.”

Taking BYOD Head-On

Organizations that try to ban personal devices outright, may repel productive and creative workers, or induce employees to work outside the rules.

A successful BYOD security policy should strive to:

• Establish full visibility of all devices connected to the network
• Enforce strong access control passcodes on all devices
• Mandate minimum system and device requirements
• Continuously monitor for vulnerabilities, exploit attempts, misuse, and devices that have gone off-line
• Encrypt all company data on personal devices
• Enforce use of antivirus, data loss prevention, and application control
• Allow company access to the device for forensics, or to wipe company data
• Measure compliance

As a leader in network security, WatchGuard Technologies develops solutions to make your BYOD environment a safe and productive ecosystem.  By enforcing a practical policy, we believe that organizations can enable workforce productivity, foster goodwill and trust across the organization, achieve compliance demands, and maintain strong security–without sacrificing flexibility.

Check out WatchGuard’s white paper on how to create a secure BYOD policy for your network.

Sources:

1. iPass. “The iPass Global Mobile Workforce Report: Q3 2012: Understanding Global Mobility Trends and Mobile Device Usage Among Business Users”.  August 2012.
2. Ponemon Research Institute (sponsored by Websense). “Global Study on Mobility Risks: Survey of IT & IT Security Practitioners”. February, 2012.
3. Mobilisafe. “Four Steps To Mitigate Mobile Security Risks”. White Paper.

So with the NRF just around the corner, here are three network security roadblocks that threaten the success of online retail organizations of all types:

1. Giving all employees access to the same websites and applications. While it might seem like the fair, and certainly easy, thing to do is to allow all employees at all levels access to the Internet carte blanche, it can expose your company network to unnecessary risk. Part of IT security’s job is to balance the threat management with risk management, and this means determining which employees need access to what in order to effectively and efficiently do their job. Interview employees and departments and set up policies that allow you to manage Internet and application access control.
2. Only focusing on ingress and not egress. Monitoring inbound Internet traffic is certainly critical for data security protection, but with drive-by downloads and increased redirection capabilities hackers can easily manipulate your outbound traffic to gain network access. We recommend road blocking your business to all outbound traffic as a starting point. Then add back in ports 443 and 80 so you have some web based capabilities and then add back DNS traffic so you have some name resolution. While not an easy thing to do, tools like our ReputationAuthority – part of our XTM network security solution – can make this task easier to manage.
3. Not updating security to account for server virtualization. Virtualizing your IT infrastructure can be a great thing; it saves time in provisioning, saves money in hardware requirements and cooling, and provides IT scalability. But as Neil MacDonald at Gartner says, “Unless you put virtualized security controls – virtual sniffers, virtual firewalls, all the same controls you’d use on a physical server – inside that network, you don’t see what’s going on.” In fact, 84 percent of our customers are proceeding slower than they’d like into virtualization simply because of the security concern. Make sure you consider virtualization security solutions as part of your overall network security plan.

There are many other roadblocks that can hinder growth and expose data, and we’ll certainly be blogging about them in the days and weeks ahead, but these three are certainly important and worth consideration. For online retailers, customer data security is the foundation for success.

If you’re at the NRF Show in New York, swing by booth # 1681 and say hello. We’d love to see you!

At the tail-end of a busy year for network security workers, Corey had this to say about 2013…

This is a year (2013) where the security stakes reach new heights, attacks become more frequent and unfortunately more damaging as many organizations suffer attacks before taking measures to protect themselves from the bad guys.

 Read the release for more detail, but here’s what he thinks might be in store for 2013:

• A cyber-attack results in a human death
• Malware enters the matrix through a virtual door
• It’s the browser – not your system – that malware is targeting
• The idea of ‘striking back’ gets a lot of lip-service, but does little good
• We’ll pay for our lack of IPv6 expertise
• Android pick-pockets try to empty mobile wallets
• An exploit sold on the ‘vulnerability market’ becomes the next APT
• Important cyber security-related legislation finally becomes law

If attacks such as these happen in 2013 as Corey predicts, then losses stemming from them will ultimately continue to rise and take their toll on not only small businesses, but enterprises as well.  Organizations that are serious about network security – protecting data, intellectual property (IP), and their reputation – are increasingly demanding best-in-class, multilayered solutions. These solutions centralize security controls in a single device, improving the IT organization’s control and simplifying management of network security.

Be sure to have the latest network security solutions in place as you head into 2013. These predictions are scary!