BYOD – Risks and Mitigations

Bring Your Own Device (BYOD) is a policy that allows employees to bring their own devices to the workplace and use them there. This attracts and helps keep employees happy. At the same time, it saves a few bucks to the company as they may not need to procure new hardware. But BYOD implies that an employee can use his own device to access and use corporate resources.

This brings security risks to an organisation:

  • People outside the company can get access.  Access by company outsiders can happen due to devices being stolen or by people leaving the company.
  • Devices leave the company environment.  Devices brought outside the company offices are still carrying important information and may be used to access insecure networks elsewhere.
  • Devices might not be updated with the latest security patches.  BYOD devices might not be protected as extensively as the devices that are under direct control by the companies IT department.

 To limit the downside and keep possible damage to a minimum, it helps to:

  • Have a clear policy and rules to enforce it.  A well thought out policy about BYOD allows an organisation to set rules that everyone understands including the reasoning behind them, that is why they are needed.
  • Have an active mobile device management solution.  Even if there are no mobile devices owned by the company itself, there needs to be mobile device management to keep the company-controlled data and applications separated from the private ones.
  • Use strong authentication and encryption methods.  Strong authentication enables an organisation to identify and hold accountable the owners of stolen devices. Encryption can also keep communications and data safe from prying eyes.

BYOD allows a more fluid and flexible working environment. At the same time, it pokes the perimeter of a company with new security risks. In mitigating these, a strong cybersecurity policy and clear security controls must be implemented as we touched on in this article.


IT Practices That Put Enterprises at Risk

Many IT organizations are leaving their enterprises vulnerable to cybersecurity attacks because they overlook a number of simple tasks. Although no single solution or approach will keep organizations completely protected, there are some things to avoid so that IT teams can shore up their security posture and ensure continual improvement to match the advancing threat.

1. Using Old Printers: Surprisingly, office printers present three threat vectors. First, printers store images of documents. In addition, IT staffers often miss updates or news of exploitable office vulnerabilities. Tracking firmware updates and doing routine update checks is a great idea. If you can’t keep up with multiple vendor patches, make sure that you at least isolate printers on a separate VLAN with access limited to core protocols for printing. Finally, third-party vendor access can cause issues. Managed providers often have VPN credentials for enterprises to allow them access to perform maintenance and inventory. This is another gateway into your environment and is a third-party exposure that must be monitored. Limit their access as much as possible and require that access be handled via least privileged means.

2. Disregarding Alerts: The average enterprise generates nearly 2.7 billion actions from its security tools per month, according to a recent study from the Cloud Security Alliance (CSA). A tiny fraction of these are actual threats — less than 1 in a 100. Too many incoming alerts are creating a general sense of overload for anyone in IT. Cybersecurity practitioners must implement a better means of filtering, prioritizing, and correlating incidents. Executives should have a single platform for collecting data, identifying cyber attacks and tracking the resolution. This is the concept of active response — not only identifying threats, but being able to immediately respond to them as well.

3. Giving Away Admin Rights: Administrative rights arm malware and other unwanted applications with the authority needed to inflict damage to an enterprise. Forcing users to provide administrator credentials to deploy new applications tremendously cuts down threat exposure. This also creates an audit trail that lets security analysts rapidly identify issues, especially those that present signs of intrusion. Any form of administrator rights must come with a degree of risk analysis on behalf of the IT department. IT executives should consider what damage is possible if a user account is compromised, and what ripple effect would administrative rights have on secondary systems. Administrator access should be the exception, not the norm.

4. Ignoring Employee Apps: Do you really know what cloud services are being actively used in your network? Many organizations look the other direction when employees use social media and cloud services on their own. But the potential for an IT crisis can be quietly brewing as internal business users create their own IT infrastructure without any adherence to corporate policy. Monitoring cloud application connections can create increased visibility into unapproved software-as-a-service use, and limit the potential for a loss of intellectual property or sensitive information. Cloud access security broker solutions proxy outbound traffic to cloud applications and offer a detailed view into user behaviors.

5. Being Unprepared for Device Loss: Road warriors often fall victim to theft or accidentally leave a laptop or smartphone in a taxi, never to be seen again. This can be a non-event if the device is remotely managed and encrypted, but a major threat if the device contains unsecured sensitive data. IT administrators need to understand what data is being stored where. If it is anything sensitive, they should ensure that devices are properly encrypted and that remote access tools such as VPNs are in use and disabled in the event of a loss. Documenting that devices are encrypted and properly locked down will go a long way in the event of a data leak as well.

As cyberthreats have evolved, so has incident management. What hasn’t changed, unfortunately, is the need to address the simple and often tedious IT practices that, when ignored, can threaten enterprise security. From forgetting to revoke administrative privileges to providing third-party access to printers, the common cybersecurity challenges that enterprises face can be fixed, putting enterprises in the best position to address the current and evolving cyberthreat.

Protecting your online privacy

In recent years, products intended to deliver conveniences directly to our doorsteps have begun to present tacit privacy intrusions into the modern home. Always-on smart speakers, e.g. Amazon Echo, from online retailers make it easier than ever to order products, but they also enable those companies to listen to our every word. Those same companies are monitoring our behaviours across the  Internet.

“Google knows quite a lot about all of us,” said cybersecurity expert Bruce Schneier in a recent interview with the Harvard Gazette. “No one ever lies to a search engine. I used to say that Google knows more about me than my wife does, but that doesn’t go far enough. Google knows me even better, because Google has perfect memory in a way that people don’t.”

Giant corporations like Google aren’t the only ones intruding into our daily lives to collect our personal data for financial gain—cybercriminals are intent on doing the same. Crimes such as identity theft and extortion can be carried out with stealthy malware, such as remote access tools (RATs) used to spy on users via laptop webcams.

Until there’s a major shift in our society’s attitudes (and public policies) toward Internet privacy, the duty falls on individual users to safeguard their own private data, identities, and other sensitive information. Here are some tips to take back control over your privacy:

Configure your web browser to delete cookies after closing. You can also take control of other advanced privacy features in your web browser to have greater control of what you’re sharing with websites you visit.

Cover your webcam with tape, a sticker, or something else that can block the camera lens and also be easily removed when you need to use it.

Don’t share sensitive information on social media. Check your privacy settings on sites like Facebook and Twitter and make sure only your trusted followers can see your complete profile. For instance, do your Facebook friends really need to know your real birthday? Deliberately sharing a fake birthday on social media can be a crafty way to enhance your privacy.

Lock your screens. All of them. Losing a device like your laptop or smartphone could spell disaster if they were to end up in the wrong hands. Strong, uncommon PINs and passwords can lock down your devices from would-be thieves.

Use fake answers for password security questions. Honest answers to security questions can often be found with just a little online digging. Why can’t your mother’s maiden name be “7O7F1@!3kgBj”? This brings us to our next tip…

Use a password manager app to generate and store strong, unique passwords for all of your accounts. (A password manager can also safely store those fake security answers mentioned above.)

Use security software to monitor and protect your digital devices from threats like malware, spyware, and phishing attacks, which can steal your private data.

Cloud Recon

These days many organizations have migrated at least some of their IT services to a cloud environment. Cloud adaptation could be as basic as the use of Microsoft Office 365 on some workstations, or it could be much more comprehensive, such as the use of a fully integrated Azure or Amazon AWS infrastructure. With this increased importance comes an increased level of risk as well, which needs to be taken into account when allocating resources to security tasks. This is especially when it comes to regular penetration testing and vulnerability scanning of cloud services.

Reconnaissance and enumeration: When it comes to penetration testing and vulnerability scanning, knowledge is everything. The more information an attacker has about a targeted organization, the easier and further the system can be compromised. From a defensive perspective, the more information an entity has  about the network; the better an organization can protect and monitor it. There are many ways to gather this required information, both passively (reconnaissance) and actively (enumeration).

DNS Records: The first step in (public) cloud reconnaissance is to identify whether the target is using any cloud services and if so, which services they are. The best way to do this is to query specific DNS records. DNS MX Records are used to direct email to a company’s e-mail servers for processing, which means they hold important information. If the records point to for instance, the target is likely using Office 365 for e-mail services. Many other service providers require the same type of authentication. If there is a DNS TXT record named amazonses for instance, the target is likely to use Amazon Simple Email Service. More information is available as well via CNAME, SPF and DFS records. There are a lot of tools available that can easily extract the required DNS information. Nmap, DNSEnum, and DIG are some of the tools that come pre-installed with Kali Linux .

Network and Application Scanning:  Traditional tools such as Nmap and Kismet scan the cloud perimeter without any issues. What is new, however, is that a cloud target is located within a shared network, owned by the Cloud Service Provider (CSP). To avoid any impact on other customers and any defensive or legal action from the CSP, always ask (you should always do this!) for written approval before starting scans, both to and from a cloud instance.

Cloud Specialized Tools: Development of new and adapted reconnaissance, enumeration and exploitation tools, specialized in targeting public cloud providers has been limited. However, there are a few useful cloud specific reconnaissance tools though. For instance, Azurite is a reconnaissance and visualization tool that gives a good understanding of which Azure services are in use and how they are connected. An interesting development from the offensive side is the use of bots that search sites like GitHub for uploaded code, accidentally containing cloud account access (API) keys.

Vulnerability scanning:  Finally, the most comprehensive, but the noisiest method or network reconnaissance is the use of a vulnerability scanner. Such a scanner simply runs through a standard or customized profile of passive and active scans and lists the detected vulnerabilities, sometimes alongside remediation actions. Such a scanner could be placed inside the cloud instance, such as the Qualys Virtual Scanner Appliance for Amazon AWS. Another option is to use the security services of the Cloud Service Provider, for instance in the form of Amazon Inspector. As with network scanning, prior written authorization from the Cloud Service Provider is required.

It is increasingly important for any company to know what network and security information is publicly accessible via the Internet. After proactively gathering this information, actions can be taken to limit the exposure and with that, the security risks. Regular scans of the perimeter, analysis, and clean-up of DNS records, taking obsolete services and cloud instances offline; there is much an organization could do to be proactive from a security perspective. In the end, it is critical to know what company data is out there so it can be best protected from malicious entities.


Protect Your Customers and Prevent Against CNP Fraud


Research conducted by AXA in 2016 found that in the previous year, 7 in 8 purchases in Europe were made online, and with phone payments and ecommerce on the up, the threat of Card-not-present (CNP) fraud will continue to rise. According to the Nilson Report , in 2015, fraud losses to merchants occurred overwhelmingly from CNP transactions, and the problem is only getting worse. Worldwide losses from card fraud are predicted to reach and eye watering $31 billion by 2020.

With this in mind, there are some key practices that businesses should be relying on, to protect their customers from CNP fraud. Here are our top six pieces of advice:

1. Use fraud detection software: There are a number of fraud prevention tools that merchants can use to pick up on fraudulent activity, including 3D secure payments and Web Application Firewalls. These can supplement your payment systems and help keep your customers’ data safe by detecting if any illicit activity is taking place.

2. Hide your data:  Holding some customer data, however, is sometimes unavoidable. To protect customer information from being hacked when it’s not in use, make sure it is obscured and encrypted. This means that any hacker trying to access personally identifiable information (PII) won’t be able to read it or use it for fraudulent activity.

3. Keep your employees informed: One common way that fraudsters can do a lot of damage is through the use of phishing emails. These emails may ask your employees to move money into a different account, enter their password, or send a customers’ personal details. It’s important to keep your employees informed about these sorts of risks, so they can always be on the lookout for fraudulent activity – and know when they need to report suspicious emails.

4. Be on guard against insider threats: While a hacker can do serious damage, the threats that sit inside your company can’t be ignored. Pause and Resume call recording, also known as stop/start, is a common data security solution used by contact centres. The technology works by pausing the call recording when your customer is reading payment card details out loud. The recording is then resumed once the sensitive information has been taken. But this practice means that employees could easily write down your customer data to use for their own fraudulent purposes, or even sell it to the highest bidder.

5. Stay on top of regulations: The Payment Card Industry Data Security Standard (PCI DSS) was created to offer increased protection to customers against card fraud. Compliance with this standard is not only compulsory for all organisations that take card payments, but many of its requirements are designed to help safeguard your customers’ card details. With the ever-changing regulatory landscape – the EU GDPR and UK Data Protection Bill are just around the corner – it’s important to stay on top of these regulations to keep customer data safe, and ensure your company doesn’t find itself facing a hefty fine.

6. Protect your contact centre: With more customers turning to the phone when it comes to making a purchase, your contact centre remains an integral part of your business. Therefore, making sure it has adopts a stringent approach to data security is extremely important. Companies can invest in technologies like Semafone Cardprotect, which reduces the risk of fraud by allowing customers to type their card details directly into their telephone keypad while staying on the line with the agent instead of reading them out loud.

To ensure your company is fully protected against the potential damage of CNP fraud – whether that’s reputational or financial – you need to have the right data security in place. Implementing these steps will help reduce the risk to your organisation.


Three Criteria for Evaluating Public Cloud Storage Providers

Prior to selecting a public cloud service provider, it is essential that you understand what each vendor offers and how their services can best meet your organization’s needs. A move to the public cloud is a major shift in an organization’s architecture, and it provides many computing and performance benefits that are not available from a locally installed storage network. But before selecting a public cloud storage provider, you must ensure its offerings are a good fit for your organization. Some factors to consider:

Cost.  In many cases, monthly billing may be the least expensive option. However, understanding how much public cloud storage your company needs upfront will make cost guidance with vendors easier.  Especially, knowing the types of applications that will be hosted in the cloud will also affect the total cost. Knowing how these applications work will enable you to determine if storage will go up slightly based on transactions and the amount of bandwidth (upload/download) used.

Architecture services. Providers offer different storage replication options. For example, some services replicate your data to multiple data centers that are geographically distributed. You should review these in detail to determine how each one could potentially affect your architecture and compliance, especially for storage of sensitive financial and personal data. Another consideration is how public cloud storage providers will back up data or have storage moved from less redundant disks to more redundant storage . Be sure to ask what type of hardware the provider uses, as well as the speed and IOPS of the storage.  Lastly, each cloud storage service provider offers certain unique services. Examples include cloud storage gateways, API management and long-term data storage. Review these to see which ones could help you manage your storage more efficiently.

Sovereignty and security. There are two major considerations when dealing with public cloud storage providers. Questions to ask include the following:

  • How does the provider handle ownership of your data?
  • How is data segmented in a public tenant space?
  • How is the data encrypted, and who has access to it?
  • In which region will your data be stored?
  • How is the data terminated if your organization decides to leave the public cloud service provider?

Failure to ask these questions could leave your organization feeling trapped by a provider.

When vetting public cloud storage providers, the security of its systems should be reviewed to see where it matches and, in many cases, possibly exceeds the security of your company’s internal storage network. Organizations in industries such as finance and healthcare must meet compliance standards for data that’s stored in the cloud. A cloud provider should have the appropriate documentation for meeting these standards. When making the move to public cloud storage, remember to include the security team and auditors in the decision-making process especially to help determine which compliance considerations are most important for your industry.

Are You Ready for Your Pen Test?

It is day three of a five-day penetration test engagement and we still don’t have all the information we need to proceed with the test. This particular test was scoped to focus on internal applications and we were to gain access to those applications through the client’s VPN solution. But instead we find ourselves waiting on the process to get VPN credentials. This probably means we have some late nights ahead so we can catch up.

This and many similar scenarios are unfortunately all too familiar to third-party penetration testing teams. Below are a few things companies should consider when engaging a third party for penetration testing or other security testing. All of these tips assume gray-box testing, where the security testers are provided with some information in order to expedite the test and make better use of time and money:

User Accounts. For applications, the rule of thumb is a minimum of two accounts per major role. In the simplest of applications this usually means two user accounts and two administrative accounts. In more complex applications six or eight or even ten accounts may be needed. Without these tests for vertical and horizontal escalation of privileges cannot be implemented.

Code Stability. Ensure that by the time your security testers are looking at it, the code is more than half-baked. Much of the security testing you do too early will become invalid if your developers are still in the middle of building out features. If the code can’t pass your QA team, then it isn’t ready for third-party security testing.

Whitelist. Beware of what is your primary goal of the test. It is often a waste of your time and money to spend half the penetration test circumventing a WAF or firewall rules. If the emphasis is to specifically focus on the host or application security on your network, then it will be much more efficient to whitelist these controls. Additional tests, towards the end of the testing window can be performed with the WAF in place.

Testing Assets. For mobile applications, security testers may need access to the binaries, so if the test is on a pre-production build they will need access accordingly. If you have implemented certificate pinning in your mobile application, it is most efficient to provide security testers with a version of the app minus the certificate pinning. For web services, most likely your goal is to determine if your developers are implementing their code in a secure fashion. This can be done by running sample HTTP requests for valid web service calls, or valid requests saved in tool projects (such as SoapUI or Postman).

Other Administrative Headaches. A number of additional things can go wrong when preparing for security testing. Perhaps you need your third party to connect in through a VPN. Perhaps you have to open a change window to start the test. Perhaps your dev team runs an automatic deployment in the environment being tested at 10am every day, taking the server offline for an hour and creating a moving target for the testing team.

It is ultimately in the client’s best interest to start on schedule. If a client’s delay at the beginning of the week results in testers having to work extra hours late into the night or over a weekend, their fatigue could impact the quality of the test and report. And that is assuming the testers will work the necessary hours to complete the test. In many cases the SoW includes a clause that places the responsibility for these types of delays into the hands of the client and does not require the testing team to work past the end of the scheduled test, even if testing tasks are incomplete.

Seven Cyberactions for States

Nuclear site hackings, ransomware, and wiper attacks, along with other cyberstories from 2017 like ongoing attacks against the power grid, there are definitely some wider messages for all of organizations regarding needed protective actions.  What lessons can the public and private sector learn from recent events and to prepare for the future? Most experts believe that the worst is yet to come in cyberspace, so after providing a brief recap of top stories, I want to focus on seven actions that state and local governments need to be addressing right now.

1) Back to Basics  The government reports on recent cyberattacks described hackers writing targeted email messages containing fake resumes for control engineering jobs and sent them to the senior industrial control engineers. The fake resumes were Microsoft Word documents that were laced with malicious code to steal credentials and access. Also, the hackers compromised legitimate websites that they knew their victims frequented with malware — called a watering hole attack. In other cases, they deployed what are known as man-in-the-middle attacks in which they redirected their victims’ Internet traffic through their own machines. Security needs to be back to basics of “security blocking and tackling” for many, and consider even traditional cyberthreats, attacks that have been occurring for many years.

2) Do Your Homework — After understanding what threats are happening in these high-profile online attacks like WannaCry and NotPetya, we should ask ourselves what network alert tools we have to tell us about ongoing attacks? What cybermetrics are we compiling ? Do we have a dashboard? Also, do we have contacts with law enforcement and the Information Sharing & Analysis Centers (ISACs) in your industry?

3) Re-examine Critical Infrastructure Is Protected — Many of the recent attacks are specifically going after critical infrastructure. Do we know what data is most critical? Are you working with private-sector partners in these areas? Many industrial control systems are vulnerable to targeted cyber attacks and cyber espionage campaigns. However, because the systems were not designed with security in mind, they are largely unequipped to deal with these attacks. The first step we need to take is to review one of the available ICS Cyber Security Frameworks, e.g. the, ‘NIST Guide to Industrial Control Systems (ICS) Security’ or ‘CPNI — Security for Industrial Control Systems Framework.’ to assist in better understanding the challenges, requirements and responsibilities with regards to Governance, Risk, Managing ICS Life Cycle, Education and Skills, etc.

4) Cyber Assessments and Audits — One good place to start is with current audit findings and known security vulnerabilities, especially in areas such as patching known cybervulnerabilities for critical systems. Instead of fighting the auditors to win points, it is suggested to focus on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to make your case. The framework includes five core functions: identify, protect, detect , respond and recover.

5) Partnerships — The theme of partnerships, especially in gaining actionable threat intelligence, is a constant theme but has never been more important than now with foreign nation-state attacks and the need for help rising globally. One of the new priorities in 2017 is addressing vulnerabilities in voting machines and registration databases. We should ask who are our partners in the public and private sector? Have we practiced responding to incidents together in cybertabletops? Who can you rely on in federal, state and local governments — including law enforcement? What vendors do you rely on?

6) Prepare for Ransomware or Not? — Addressing ransomware needs to be a priority, and the same cyberdefense tactics that are general best practices can help with ransomware. These actions include ensuring backups are performed and tested and other good cyberhygiene is applied enterprisewide. You should ask: What is your incident management plan? Are you ready for ongoing attacks, with clear levels of response? Also, examine your current plans for cyberpriorities and potential federal funding .

7) Cybertraining — Health IT News highlighted the importance of end-user training again this week . New attacks keep popping up using legacy apps. One of these is exploiting Powershell, or .LNK files to run malicious code and serve up ransomware including Locky. Then there’s the newfound threat inherent to PowerPoint that may run malicious code merely by hovering over a malicious URL with one’s mouse pointer. End users may not be thinking about background checks for detecting insider threats during the hiring process or even checking for resumes that are infected with malware. However, updated training can help in these related areas. Keep in mind that phishing and other social media attacks are evolving, so improved end user awareness training is a quick win — like in Missouri.

Amid all of these ongoing cyberheadaches, I never cease to be amazed by companies and governments that still say, “It won’t happen to us.” Or “We’re all set, we have a cyberprogram.” Yes, there have been many calls to government action on cybersecurity over the past decade, but the first half of 2017 shows that those calls were definitely needed. We need to walk away saying that it is time to act now on cyber, whatever their role.

Information Assets: An Essential Ingredient of Threat Modelling

Threat models are a way of looking at risks in order to identify the most likely threats to your organisation’s security. The first step in the threat modelling process is concerned with gaining an understanding of the application and how it interacts with external entities. This involves creating use-cases to understand how the application is used, identifying entry points to see where a potential attacker could interact with the application, identifying assets, and more. In this post, we focus on identifying information assets.

Assets are essentially threat targets, i.e. they are the reason threats will exist. Assets can be both physical assets and abstract assets. For example, an asset of an application might be a list of clients and their personal information; this is a physical asset. An abstract asset might be the reputation of an organisation. Hereunder, we identify some key informational assets that your organisation or information system might have or process:

  • Credit card data: yours, or (if you sell stuff) a customer’s.
  • Banking data: account numbers, routing numbers, e-banking usernames and passwords.
  • Personally identifying information: Social Security number, date of birth, income data, W-2s, passport numbers, drivers’ license or national ID numbers.
  • Intellectual property: like source code or software documentation.
  • Sensitive personal or business information and communications: e-mails and texts that could be used to embarrass, blackmail, or imprison you.
  • Politically sensitive information or activities that could get you in trouble with your employer, the government, law enforcement, or other interested parties.
  • Travel plans that could be used to target you or others for fraud or other forms of attack.
  • Other business or personal data that are financially or emotionally essential (family digital photos, for example).
  • Your identity itself, if you are trying to stay anonymous online for your protection.

When it comes to protecting the assets pieces of information that could be used to expose your assets are just as essential. Personal biographical and background data might be used for social engineering against you, your friends, or a service provider. Keys, passwords, and PIN codes should also be considered as valuable as the things that they provide access to.

Other operational information about your activities that could be exploited should also be considered, including the name of your bank or other financial services provider. For instance, a spear-phishing attack on the Pentagon used a fake e-mail from USAA, a bank and insurance company that serves many members of the military and their families.

Firewall as a Service

For more than 20 years, companies either managed their edge firewall appliances or had service providers rack-and-stack appliances in their data centers and did it for them. This was called a managed firewall — an appliance wrapped with a managed service, often from a carrier or managed security service provider. The provider assumed the management of the firewall box, its software, and even its policy. But customers ended up paying for the inefficiency of dealing with appliances (i.e. “grunt work”).

A new architecture was thus needed – a transformation that shifted the focus from an appliance form factor towards a true cloud service. This is the Firewall as a Service (FWaaS). The promise of FWaaS is to provide simpler and more flexible architecture by leveraging centralized policy management, multiple enterprise firewall features and traffic tunneling to partially or fully move security inspections to a cloud infrastructure. Some of its elements are discussed in more detail below:

Single, global firewall instance. With FWaaS every organizational resource (data center, branch, cloud infrastructure or a mobile user) plugs into the FWaaS global service and leverages all of its security capabilities (application control, URL filtering, IPS, etc).

Seamlessly scales to address inspection workload. FWaaS provides the necessary compute resources to perform all security processing on all traffic. It can scale to accommodate increasing needs (e.g. growing SSL traffic volume) without disrupting the customer’s business operations.

Enforcing a unified policy. In heterogenous firewall environments security policy is hard to configure and enforce increasing exposure to hackers and web-borne threats. Contrast that with a single cloud-based firewall that uniformly applies the security policy on all traffic, for all locations and users.

Self-maintained.  Because the cloud-based firewall software is maintained by the FWaaS provider, the firewall is kept up to date by quickly fixing vulnerabilities and bugs, and rapidly evolving with new features and capabilities that the customers can immediately access.

FWaaS is a viable alternative for IT teams that waste time and money to sustain their distributed edge firewall environments — the so-called appliance sprawl. With FWaaS, they can now reduce the operational and capital expense of upgrading and refreshing appliances as well as the attack surface resulting from delayed patches and unmitigated vulnerabilities. By simplifying the network security architecture, FWaaS makes IT more productive and the business secure.