Blog posts by Warwick Ashford

Palo Alto Networks Continues to Bet on Security-as-a-Service

The market shift to cloud-based security services was highlighted at the Ignite Europe 2019 held by Palo Alto Networks in Barcelona, where the company announced a few product enhancements in an effort to round out its offerings to meet what it expects will be growing market demand.

A key element of its go-to market strategy is in response to market demand to reduce the complexity of security and to reduce the number of suppliers by adding cloud-delivered so Software-Defined Wide Area Network SD-WAN and DLP (data loss prevention) capabilities to its Prisma Access product.

The move not only removes the need for separate SD-WAN suppliers but also rounds out Prisma Access to deliver converged networking and security capabilities in the cloud to address the limitations of traditional architectures.

Palo Alto Networks is not alone in going after this market, but it is the latest player in the so-called Secure Access Service Edge (SASE) market to add SD-WAN capabilities to combine edge computing, security and wide-area networking (WAN) into a single cloud-managed platform.

The move builds on core company strengths and is therefore logical. Failure to have done so would have missed a market opportunity and would have been surprising.

Data drives better threat detection

In line with the company’s belief that threat intelligence should be shared, that security operations centers (SOCs) need to be more data-driven to support current and future threats, and the company’s drive to enable greater interoperability between security products, the second key announcement at Ignite Europe 2019 is the extension of its Cortex XDR detection and response application to third-party data sources.

In addition to data from Palo Alto Networks and other recognized industry sources, Cortex XDR 2.0 (which automates threat hunting and investigations, and consolidates alerts) is designed to consume logs from third-party security products for analytics and investigations, starting with logs from Check Point, soon to be followed by Cisco, Fortinet and Forcepoint.

SD-WAN market shakeup

The expansion by Palo Alto Networks into the SD-WAN market makes commercial sense to round out its Prisma Access offering to meet market demands for simpler, easier, consistent security with fewer suppliers and support the growing number of Managed Security Service providers.

However, it also signals a change in the relationship between Palo Alto Networks and its SD-WAN integration partners and in the market overall, although executives are downplaying the negative impact on SD-WAN partners, saying relationships are continually evolving and will inevitably change as market needs change.

The big takeaway from Ignite Europe 2019 is that Palo Alto Networks is broadening its brands and capabilities as a cloud-based security services company and that in future, selling through partners such as Managed Service Providers will be a critical part of its go-to market strategy.

It will be interesting to see whether the bet by Palo Alto Networks pays off to steal a march on competitors also rushing to the market with similar offerings such as SD-WAN firm Open Systems, networking firm Cato Networks, IT automation and security firm Infoblox, and virtualization firm VMware.

Authentication and Education High on CISO Agenda

Multifactor authentication and end-user education emerged as the most common themes at a CISO forum with analysts held under Chatham House Rules in London.

Chief information security officers across a wide range of industry sectors agree on the importance of multifactor authentication (MFA) to extending desktop-level security controls to an increasingly mobile workforce, with several indicating that MFA is among their key projects for 2020 to protect against credential stuffing attacks.

In highly-targeted industry sectors, CISOs said two-factor authentication (2FA) was mandated at the very least for mobile access to corporate resources, with special focus on privileged account access, especially to key databases.

Asked what IT suppliers could do to make life easier for security leaders, CISOs said providing MFA with everything was top of the list, along with full single sign on (SSO) capability, with some security leaders implementing or considering MFA for customer/consumer access to accounts and services.

The pursuit of improved user experience along with more secure access, appears to have led some security leaders to standardise on Microsoft products and services that enable collaboration, MFA and SSO, reducing the reliance on username/password combinations alone for access control.

Training end users

End user security education and training is another key area of attention for security leaders to increase the likelihood that any gaps in security controls will be bridged by well-informed users.

However, there also a clear understanding that end users cannot be held responsible as a front line of defense, that there needs to be a zero-blame policy to encourage engagement and participation of end users in security, that end users need to be supported by appropriate security controls and effective incident detection and response processes, and that communication is essential to ensure end users understand the cyber threats to them at home and at work as well as the importance of each security control.

Supporting end users

CISOs are helping to protect end users by implementing browser protections and URL filtering to prevent access to malicious sites, and improving email defenses to protect users from spoofing, phishing and spam, and by introducing tools that make it easy to report suspected phishing and conducting regular phishing simulation exercises to keep end users vigilant.

The implementation of the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol designed to help ensure the authenticity of the sender’s identity is also being used by some CISOs to drive user awareness by highlighting emails from an external source.

Some security leaders believe there should be a special focus on board member and other senior executives in terms of anti-phishing training and awareness because while this group is likely to be most-often targeted by phishing and spear phishing attacks, they are less likely to be attuned to the dangers and the warning signs.

Some CISOs have also provided password managers to help end users choose and maintain strong, unique passwords, reducing the number of passwords that each person is required to remember.

Encouraging trends

It is encouraging that security leaders are focusing on better authentication by moving to MFA and that they understand the need to support end users, not only with security awareness and education, but the necessary security controls, processes and capabilities, including effective email and web filtering, network monitoring, incident detection and response, and patch management.

If you want to deep dive into this topic, be sure to read our Leadership Compass Consumer Authentication. For unlimited access to all our research, buy your KC PLUS susbscription here.

Nok Nok Labs Extends FIDO-Based Authentication

Nok Nok Labs has made FIDO certified multi-factor authentication – which seeks to eliminate dependence on password-based security - available across all digital channels by adding a software development kit (SDK) for smart watches to the latest version of its digital authentication platform, the Nok Nok S3 Authentication Suite.

In truth, the SDK is only for the Apple watchOS, but it is the first - and currently only - SDK available to do all the heavy lifting for developers seeking to enable FIDO-certified authentication via smart watches that do not natively support FIDO, and is a logical starting point due to Apple’s strong position in the smart watch market (just over 50%), with SDKs for other smart watch operating systems expected to follow.

This means that business to consumer organizations can now use the Nok Nok S3 Authentication Suite to enable strong, FIDO-based authentication and access policy controls for Apple Watch apps as well as mobile apps, mobile web and desktop web applications.

The new SDK, like its companion SDKs from Nok Nok, provides a comprehensive set of libraries and application program interfaces (APIs) for software developers to enable FIDO certified multi-factor authentication that uses public and private key pairs, making it resistant to man-in-the-middle attacks because the private key never leaves the authenticator, or in this case, the smart watch.

As global smart watch sales continue to grow, the devices are becoming an increasingly important channel for digital engagement, particularly with 24 to 35-year-olds. At the same time, smart watch usage has grown beyond fitness applications to include banking, productivity apps such as Slack, ecommerce such as Apple Pay, and home security such as NEST.

A further driver for the use of smart watch applications is the fact that consumers often find it easier to access information on a watch without the need for passwords or one-time passcodes, especially smart watches like the Apple Watch that does not rely on having a smartphone nearby.

The move is a strategic one for Nok Nok because it not only satisfies customer requirements, but also fulfils one of the key goals for Nok Nok as a company and the FIDO Alliance as a whole.

From the point of view of S3 Authentication Suite end-user organizations, the new SDK will make it easier to make applications available to consumers on smart watches as a new client platform in its own right and meet the security and privacy requirements of both smart watch users and global, regional and industry-specific regulations, especially in highly-regulated industries such as telecommunications and financial services.

In addition, the SDK for smart watches enables end-user organisations an opportunity to simplify their backend infrastructure by having a single authentication method for all digital channels enabled by a unified backend authentication infrastructure, thereby reducing cost by reducing complexity and operational overhead.

From a Nok Nok point of view, the SDK delivers greater value to existing customers and is likely to win new customers as organisations, particularly in the financial services sector, seek to engage consumers across all available digital channels.

Enabling the same strong FIDO-backed authentication across all digital channels is also a key goal of Nok Nok, both as a company and as a founder member of the FIDO (Fast IDentity Online) Alliance.

The FIDO Alliance is a non-profit consortium of technology industry partners – including Amazon, Facebook, Google, Microsoft and Intel – working to establish standards for strong authentication to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords.

The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services via FIDO-enabled devices.

The new S3 SDK from Nok Nok for Apple watchOS offers a stronger authentication alternative to solutions that typically store OAuth tokens or other bearer tokens in their smart watch applications. These tokens provide relatively weak authentication and need to be renewed frequently because they can be stolen.

In contrast, FIDO-based authenticators provide strong device binding for credentials, providing greater ease of use as well as additional assurance that applications are being accessed only by the smart watch owner (authorized user).

While commercially a strategic move for Nok Nok to be the first mover in enabling strong FIDO-based authentication via its S3 Authentication Suite, the real significance of the new SDK for Apple Watches is that it moves forward the IT industry’s goal of achieving stronger authentication and reducing reliance on password-based security.

Akamai to Block Magecart-Style Attacks

Credit card data thieves, commonly known as Magecart groups, typically use JavaScript code injected into compromised third-party components of e-commerce websites to harvest data from shoppers to commit fraud.

A classic example was a Magecart group’s compromise of Inbenta Technologies’ natural language processing software used to answer user questions by UK-based ticketing website, Ticketmaster.

The Magecart group inserted malicious JavaScript into the Inbenta JavaScript code, enabling the cyber criminals to harvest all the customer credit card data submitted to the Ticketmaster website.  

As a result, Ticketmaster is facing a £5m lawsuit on behalf of Ticketmaster customers targeted by fraud as well as a potential GDPR fine by the Information Commissioner’s Office, which is yet to publish the findings of its investigation.

A data breach at British Airways linked to similar tactics potentially by a Magecart group resulted in the Information Commissioner’s Office announcing in July 2019 that they are considering a fine for the company of more than €200m.

According to security researchers, the breach of Ticketmaster customer data was part of a larger campaign that targeted at least 800 websites.

This is a major problem for retailers, with an Akamai tool called Request Map showing that more than 90% of content on most websites comes from third-party sources, over which website owners have little or no control.

These scripts effectively give attackers direct access to website users, and once they are loaded in the browser, they can link to other malicious content without the knowledge of website operators.

Current web security offerings are unable to address and manage this problem, and a Content Security Policy (CSP) alone is inadequate to deal with potentially thousands of scripts running on a website.  Akamai is therefore developing and bringing a new product to market that is dedicated to helping retailers reduce the risk posed by third-party links and elements of their websites for things like advertising, customer support and performance management.

The new service dubbed Page Integrity Manager has completed initial testing and is now entering the beta testing phase with up to 25 volunteer customers with a range of different data types.

The aim of Akamai Page Integrity Manager is to enable website operators to detect and stop third-party breaches before their users are impacted. The service is designed to discover and assess the risk of new or modified JavaScript, control third-party access to sensitive forms or data fields using machine learning to identify relevant information, enable automated mitigation using policy-based controls, and block bad actors using Akamai threat intelligence to improve accuracy.

The service works by inserting a JavaScript into customer web pages to analyze all content received by the browser from the host organization and third parties. This will identify and block any scripts trying to access and exfiltrate financial or other personal data (form-jacking) as well as notify the website operator.

Third-party JavaScripts massively increase the attack surface and ramp up the risk for website operators and visitors alike with no practical and effective way for website operators to detect the threat and mitigate the risk, but that is set to change with the commercial availability of Akamai’s Page Integrity Manager expected in early 2020.

Microsoft Partnership Enables Security at Firmware Level

Microsoft has partnered with Windows PC makers to add another level of cyber attack protection for users of Windows 10 to defend against threats targeting firmware and the operating system.

The move is in response to attackers developing threats that specifically target firmware as the IT industry has built more protections into operating systems and connected devices. A trend that appears to have been gaining popularity since Russian espionage group APT28 – also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and Strontium – was found to be exploiting firmware vulnerabilities in firmware to distribute the LoJax malware by security researchers at ESET.

The LoJax malware targeting European government organizations exploited a firmware vulnerability to effectively hide inside the computer's flash memory. As a result, malware was difficult to detect and able to persist even after an operating system reinstall because whenever the infected PC booted up, the malware would re-execute.

In a bid to gain more control over the hardware on which its Windows operating system runs like Apple, Microsoft has worked with PC and chip makers on an initiative dubbed “Secured-core PCs” to apply the security best practices of isolation and minimal trust to the firmware layer to protect Windows devices from attacks that exploit the fact that firmware has a higher level of access and higher privileges than the Windows kernel. This means attackers can undermine protections such as secure boot and other defenses implemented by the hypervisor or operating system.

The initiative appears to be aimed at industries that handle highly-sensitive data, including personal, financial and intellectual property data, such as financial services, government and healthcare rather than the consumer market. However, consumers using new high-end hardware like the Surface Pro X and HP's Dragonfly laptops will benefit from an extra layer of security that isolates encryption keys and identity material from Windows 10.

According to Microsoft, Secured-core PCs combine identity, virtualization, operating system, hardware and firmware protection to add another layer of security underneath the operating system to prevent firmware attacks by using new hardware Dynamic Root of Trust for Measurement (DRTM) capabilities from AMD, Intel and Qualcomm to implement Microsoft’s System Guard Secure Launch as part of Windows Defender in Windows 10.

This effectively removes trust from the firmware because although Microsoft introduced Secure Boot in Windows 8 to mitigate the risk posed by malicious bootloaders and rootkits that relied on Unified Extensible Firmware Interface (UEFI) firmware, the firmware is already trusted to verify the bootloaders, which means that Secure Boot on its own does not protect from threats that exploit vulnerabilities in the trusted firmware.

The DRTM capability also helps to protect the integrity of the virtualization-based security (VBS) functionality implemented by the hypervisor from firmware compromise. VBS then relies on the hypervisor to isolate sensitive functionality from the rest of the OS which helps to protect the VBS functionality from malware that may have infected the normal OS even with elevated privileges, according to Microsoft, which adds that protecting VBS is critical because it is used as a building block for important operating system security capabilities like Windows Defender Credential Guard which protects against malware maliciously using OS credentials and Hypervisor-protected Code Integrity (HVCI) which ensures that a strict code integrity policy is enforced and that all kernel code is signed and verified.

It is worth noting that the Trusted Platform Module 2.0 (TPM) has been implemented as one of the device requirements for Secured-core PCs to measure the components that are used during the secure launch process, which Microsoft claims can help organisations enable zero-trust networks using System Guard runtime attestation.

Although ESET has responded to its researchers’ UEFI rootkit discovery by introducing a UEFI Scanner to detect malicious components in the firmware, and some chip manufacturers are aiming to do something similar with specific security chips, Microsoft’s Secured-core PC initiative is aimed at blocking firmware attacks rather than just detecting them and is cross-industry, involving a wide range of CPU architectures and Original Equipment Manufacturers (OEMs), which means that the firmware defence will be available to all Windows 10 users regardless of the PC maker and form factor they choose.

It will be interesting to see what effect this initiative has in reducing the number of successful ransomware and other BIOS/UEFI or firmware-based cyber attacks on critical industries. A high success rate is likely to see commoditization of the technology and result in availability for all PC users in all industries.

Leading IDaaS Supplier OneLogin Aiming for the Top

OneLogin is among the leading vendors in the overall, product, innovation and market leadership ratings in KuppingerCole’s latest Leadership Compass Report on IDaaS Access Management, but is aiming to move even further up the ranks.

In a media and analyst briefing, OneLogin representatives talked through key and recent product features and capabilities in an ongoing effort improve the completeness of products.

Innovation is a key capability in IT market segments, and unsurprisingly this is an important area for OneLogin.

The most recent innovations include Vigilance AI, the new artificial intelligence and machine learning (AI/ML) risk engine, and SmartFactor Authentication, a context-aware authentication methodology to help organizations move beyond text-based passwords.

Both these capabilities are in line with the trend towards using AI in the context of Identity and Access Management (IAM)  and are aimed at supporting OneLogin’s mission to enable enterprises to move beyond password-based authentication and improve their overall cyber defense capabilities in the light of the massive uptick in cyber attacks targeting credentials, including brute force and breach replay attacks.

OneLogin’s Vigilance AI is designed to use AI and ML to ingests and analyze data from a multiple of third-party sources to identify anomalies and communicate risk across OneLogin services.

Vigilance AI also applies User and Entity Behavior Analytics (UEBA) capabilities to build a profile of typical user behavior to identify anomalies in real-time to improve threat defense.

Other recent product innovations include:

  • Adaptive login flows functionality that uses Vigilance AI to restructure authentication flow automatically based on risk to include Multifactor Authentication (MFA) where appropriate;
  • Compromised credential check functionality to prevents users from using credentials that have been breached and posted on the dark web; and
  • Risk-aware access and adaptive deny functionality to block access to systems and applications when extreme risk is detected.

In these ways, OneLogin is striving to address its leadership challenges by increasing the range of authentication factors, increasing collaboration with third-party threat intelligence services, working towards providing support for IoT, and planning to enable more complex reporting capabilities.

The use of AI in the identity solutions market is likely to increase, with a growing number of vendors incorporating AI-driven capabilities such as OneLogin, SailPoint with its AI-driven Predictive Identity cloud identity platform, and others.

If you liked this text, feel free to browse our IAM focus area for more related content.

Discover KuppingerCole

KuppingerCole PLUS

Get access to the whole body of KC PLUS research including Leadership Compass documents for only €800 a year

KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected



AI for the Future of your Business Learn more

AI for the Future of your Business

AI for the Future of your Business: Effective, Safe, Secure & Ethical Everything we admire, love, need to survive, and that brings us further in creating a better future with a human face is and will be a result of intelligence. Synthesizing and amplifying our human intelligence have therefore the potential of leading us into a new era of prosperity like we have not seen before, if we succeed keeping AI Safe, Secure and Ethical. Since the very beginning of industrialization, and even before, we have been striving at structuring our work in a way that it becomes accessible for [...]

Latest Insights

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00