Cybersecurity – Defend Your Network (6 part series)

A firewall and antivirus alone cannot defend your network from attackers; breaches are inevitable (e.g. malware, unnoticed theft of information, denial of service). A “fence” based on rules and a signature-based threat catcher can be defeated by a savvy attacker or a zero-day attack: attackers engineer workarounds, exploit vulnerabilities that are not yet known or fixed by a publicly published patch (a zero-day attack), or use social engineering to gain access to your accounts.

For SMBs, network security is not as simple as a firewall, an email spam blocker and antivirus; a layered approach matched to your budget gives you more effective control over your network managerially, operationally and technically.

Layers ought to include:
a) a NAT IP to shield your LAN IPs from the Internet,
b) a next-generation firewall to keep unwanted traffic out and stop unwanted websites from connecting to your endpoints,
c) cybersecurity monitoring and blocking appliances (IDS/IPS/behavior) feeding a graphical SIEM dashboard,
d) a DMZ (and proxy server) to separate public-facing servers from the internal LAN,
e) a NAC to keep unprotected devices from entering your network,
f) managed switches to block compromised endpoints from talking to the network and to create VLANs,
g) DLP,
h) a UTM appliance,
i) SFW and antivirus agents on all endpoints, monitored and controlled from a central console,
j) user education to teach and foster safe computing across the devices used, and
k) scheduled reporting of device results.

This layered approach enables network administrators and cybersecurity program managers to maintain a small threat surface. It also supports the best practice of spending your time on threat prevention and remediation, leaving the who and what of threats to the cyber-crime specialists who publish their findings.

RiSe Solutions offers consulting services to assess your network status and user experience for gaps in defense-in-depth layers, then realigns your cybersecurity program (and tools) using ITILv3 concepts and processes to realize and maintain a small threat surface across your WAN. The line cards we rep may help to facilitate this goal.

= = = = =

NAT IP (Network Address Translation) is a one-to-many mapping: a single public-facing IP address leased from your telco carrier that all your servers and computers talk through, masking your LAN IPs from the Internet. Your traffic volume will dictate how much bandwidth should be leased and whether you need more than one NAT IP to balance the traffic load. The NAT IP communicates with your proxy server and LAN endpoints to exchange data with the Internet.

NGFW (Next Generation Firewall) should reside before and after your DMZ to control who and what enters and exits your network. They can use a traditional whitelisting policy, yet are migrating toward a blacklisting policy. Security controls common to NGFWs are a) controlling user access wherever staff connect to the network, and b) controlling which applications are allowed to exchange data through the network.

DMZ (Demilitarized Zone) and Proxy Servers. Public-facing servers (for websites, email, databases, extranet) are placed in a DMZ so external visitors cannot reach your LAN. Proxy servers let many LAN clients share one public-facing IP address to reach outside the LAN, shielding each endpoint from direct exposure to outside threats. A best practice is to run monthly vulnerability scans of your public-facing web pages, IP addresses and servers to identify vulnerabilities that may attract attackers or let threats enter your LAN without authorization.

SIEM (Security Information and Event Management). Cybersecurity monitoring and blocking appliances should feed the graphical dashboard of a SIEM. The devices feeding the SIEM monitor and/or defend email, e-commerce, extranet, network and database servers and user endpoints against attacks identified by signature, behavior or anomaly IoCs (Indicators of Compromise). A NIPS (Network Intrusion Prevention System) is configured “inline” to block malware entering or leaving the network. Blocking triggers are controlled by policies and rule sets integrated with an on-board blacklist that the provider updates remotely at scheduled intervals. The SIEM monitors traffic flow and, from its dashboard, tells your SOC (Security Operations Center) analysts which threats to focus on. Leading-edge appliances have an add-on module that forwards unknown threats to your AV vendor, which creates a new signature and pushes it to endpoint agents via a .dat file.

Managed Switches. This essential staple device lets the network administrator control the flow of information through the network; switches are installed and configured by a network engineer. They let the admin block the MAC addresses of compromised clients from talking to the network until it is safe for them to re-enter. They also let the admin create VLANs (virtual LANs) to group endpoints in separate virtual networking environments.

NAC (Network Access Control). Used for VPN and with LAN clients to limit access to your network to healthy clients. The NAC scans each client requesting access for its health. Unhealthy clients are blocked from entering the network and shown suggestions in a screen banner for bringing them to health before they re-attempt access. Unhealthy status includes vulnerable software (unpatched or outdated versions), unpatched operating systems and outdated antivirus signatures.
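The health check described above, as an added Python example (not code from the post or from any NAC product); the thresholds, minimum versions, posture fields and client reports are constructed assumptions:

```python
from datetime import date

# Assumed policy thresholds for this example (not from the post).
MAX_SIGNATURE_AGE_DAYS = 3
MIN_VERSIONS = {"browser": (120, 0), "pdf_reader": (23, 1)}
TODAY = date(2024, 5, 6)

# Constructed posture reports, as a NAC agent might collect them from a client.
UNHEALTHY_CLIENT = {
    "av_signature_date": date(2024, 4, 28),
    "missing_patches": ["KB-EXAMPLE-1", "KB-EXAMPLE-2"],  # placeholder patch ids
    "software": {"browser": "119.0.2", "pdf_reader": "23.1.0"},
}
HEALTHY_CLIENT = {
    "av_signature_date": date(2024, 5, 6),
    "missing_patches": [],
    "software": {"browser": "124.0.1", "pdf_reader": "24.0.0"},
}

def parse_version(text):
    """'120.0.6' -> (120, 0, 6): tuples compare numerically, strings do not ('9' > '10')."""
    return tuple(int(p) for p in text.split("."))

def assess_client(posture, today):
    """Return (healthy, reasons); the reasons become the banner when access is refused."""
    reasons = []
    sig_age = (today - posture["av_signature_date"]).days
    if sig_age > MAX_SIGNATURE_AGE_DAYS:
        reasons.append(f"antivirus signatures are {sig_age} days old; update the AV .dat file")
    if posture["missing_patches"]:
        reasons.append("missing patches: " + ", ".join(posture["missing_patches"]))
    for name, minimum in MIN_VERSIONS.items():
        installed = posture["software"].get(name)
        if installed is not None and parse_version(installed) < minimum:
            want = ".".join(map(str, minimum))
            reasons.append(f"{name} {installed} is below required {want}; upgrade it")
    return (not reasons, reasons)

def banner(reasons):
    """Screen banner shown to a blocked user, listing what to fix before retrying."""
    return "Access denied. To reconnect:\n" + "\n".join(f" - {r}" for r in reasons)
```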

Vulnerability Management and PCI Compliance. Vulnerability and PCI compliance scanning programs are critical for proactively identifying vulnerabilities within your DMZ and internal network. Scans are typically run by your SOC team lead/manager at scheduled intervals (e.g. monthly or bi-monthly). The SOC team lead/manager reviews the report to select the most threatening results for prompt remediation; server administrators (SAs) coordinate the remediation (e.g. patch software, close unused ports and stop unnecessary running processes).

DLP (Data Loss Prevention). For mid-size and large networks, this is a staple device that controls which content may flow through the network based on data classification (sensitivity); data is monitored at rest, in motion and in transit. The SOC team lead/manager of a mid-tier enterprise can manage this device; large enterprises hire an SME to manage it daily. Small enterprises can achieve DLP with BetterCloud of NYC.

UTM (Unified Threat Management). A UTM combines the features of multiple security solutions into a single appliance that filters unwanted websites, content and malware before they affect your network. It may include a software firewall for web filtering, antivirus protection and anti-spam protection. Some UTMs have a VM feature to sandbox malware for inspection before it reaches endpoints. Many UTMs detect rootkits embedded in endpoints and remove them. (CompTIA SY0-401 book.)

HIDS/HIPS (Host-Based Intrusion Detection or Prevention System). This appliance offers centralized control to monitor or defend high-value endpoints (mostly servers, but also PCs and laptops) via a host-based agent. It detects or blocks potential attacks beyond antivirus capabilities, protects server applications and defends critical operating system files via a blacklist that the vendor updates regularly. Logs can be fed into the SIEM. (Note: the agent tends to noticeably slow each endpoint.) (CompTIA SY0-401 book.)

SFW and AV (Software Firewall and Antivirus agents). SFW and AV agents on all endpoints (servers, PCs, laptops, tablets, smartphones) are controlled and monitored from a central console; scan results can be integrated with some SIEMs. Configure all agents to update signatures automatically via a .dat file as soon as one is issued. Some leading-edge AV products include an SFW to filter unwanted content; it integrates with the AV scan engine to identify malware and cleanse it from the endpoint (e.g. ESET). This essential staple is the last layer of defense and lives on the endpoints. Naturally, servers holding data (e.g. email, databases, shared storage drives) must be scanned as vigorously as endpoints. AV scans for adware, spyware, malware and rootkits. Configure it to notify the SIEM via logs, and the AV admin and response team via email, of any rogue URLs or malware it finds but cannot identify. Your AV admin and the SOC team lead/manager should review a daily report of scan activity to select the responses to be made. Review and response activities should follow a written procedure document. A weekly (7-day) report should be assembled to track activity that was unblocked, blocked and responded to, thereby monitoring SFW and AV performance.

MDM (Mobile Device Management). Current MDM tools manage all mobile devices (convertibles, tablets and handsets) authorized to connect to your network. Typical features include remote find, lock and wipe, encryption, SFW and AV.

User Education. Cyber events and incidents often stem from end users, whether through targeted attacks or honest mistakes. An essential and critical component of any cybersecurity program’s success is how users are educated to compute safely and respond to threats. A small threat surface is facilitated when “all users” are educated to compute safely across all the devices they use.

HelpDesk Ticketing for Cybersecurity. Vulnerabilities are exploited and attacks are made, often silently, to achieve an attacker’s goals. Trends of consecutive events on an endpoint can indicate exposed vulnerabilities or compromise. Logging these events in support tickets tagged for cybersecurity helps the cybersecurity administrator identify endpoints needing attention, remediation or replacement. Your SOC team should have “least privilege” access to create and manage cybersecurity support tickets; the team lead/manager generates reports. Trends of tickets for particular users or departments, found in scheduled digital reports, can point to threat targeting to block and remediate. Support ticketing is typically a lagging indicator of threats, yet used with savvy it can be a proactive tool to stop threat targeting.
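One way to do the trend analysis described above, as an added Python example rather than anything from the post; the ticket export, the 30-day window and the threshold of three tickets per endpoint or department are constructed assumptions:

```python
from collections import Counter
from datetime import date, timedelta

# Constructed ticket export: (ticket id, opened, endpoint, user, department, tag).
SAMPLE_TICKETS = [
    ("T-1001", date(2024, 4, 2), "WS-023", "jdoe", "Finance", "cybersecurity"),
    ("T-1002", date(2024, 4, 3), "WS-023", "jdoe", "Finance", "cybersecurity"),
    ("T-1003", date(2024, 4, 5), "WS-041", "asmith", "Sales", "printer"),
    ("T-1004", date(2024, 4, 9), "WS-023", "jdoe", "Finance", "cybersecurity"),
    ("T-1005", date(2024, 4, 12), "WS-017", "mlee", "Finance", "cybersecurity"),
    ("T-1006", date(2024, 4, 20), "WS-088", "rkim", "Sales", "cybersecurity"),
    ("T-1007", date(2024, 2, 1), "WS-023", "jdoe", "Finance", "cybersecurity"),
]
TODAY = date(2024, 4, 30)

def recent_security_tickets(tickets, today, window_days=30):
    """Keep only cybersecurity-tagged tickets opened inside the reporting window."""
    cutoff = today - timedelta(days=window_days)
    return [t for t in tickets if t[5] == "cybersecurity" and cutoff <= t[1] <= today]

def trend_report(tickets, today, endpoint_threshold=3, dept_threshold=3):
    """Count recent security tickets per endpoint and per department and flag the
    repeat cases: endpoints needing remediation, departments possibly being targeted."""
    recent = recent_security_tickets(tickets, today)
    by_endpoint = Counter(t[2] for t in recent)
    by_dept = Counter(t[4] for t in recent)
    return {
        "window_tickets": len(recent),
        "by_endpoint": dict(by_endpoint),
        "by_department": dict(by_dept),
        "endpoints": sorted(e for e, n in by_endpoint.items() if n >= endpoint_threshold),
        "departments": sorted(d for d, n in by_dept.items() if n >= dept_threshold),
    }

def format_report(report):
    """Plain-text digest for the scheduled report the team lead/manager reviews."""
    lines = [f"Security tickets in window: {report['window_tickets']}"]
    lines += [f"Endpoint needing attention: {e} ({report['by_endpoint'][e]} tickets)"
              for e in report["endpoints"]]
    lines += [f"Department possibly targeted: {d} ({report['by_department'][d]} tickets)"
              for d in report["departments"]]
    return "\n".join(lines)
```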

Reporting. The on-board reports of individual defense-in-depth tools only offer a slice of how those tools are defending your WAN. RiSe Solutions recommends a consolidated view across all tools to assess their performance, their posture against threats and the status of the threat surface.
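An added Python example (not the post’s or any vendor’s code) of the consolidation that the SIEM paragraph and this Reporting paragraph describe: events from the NIPS, the AV console and a HIDS agent are normalised into one record format, grouped per endpoint and scored so the SOC sees which endpoint to look at first; the log lines, their formats and the weights are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events from three layers (inline NIPS, AV console, HIDS agent), each in its native format.
SAMPLE_LOGS = """\
2024-05-06T09:12:01 nips action=BLOCK src=10.0.5.23 dst=203.0.113.9 sig=ET-TROJAN-C2 sev=high
2024-05-06T09:12:44 av host=WS-023 ip=10.0.5.23 threat=Trojan.Agent status=quarantined
2024-05-06T09:13:10 hids host=FS-01 ip=10.0.1.10 event=critical_file_modified path=/etc/shadow
2024-05-06T09:15:02 nips action=ALERT src=10.0.5.23 dst=198.51.100.4 sig=ET-SCAN-PORTSWEEP sev=medium
2024-05-06T09:20:30 av host=WS-041 ip=10.0.5.41 threat=PUA.Adware status=cleaned
2024-05-06T09:21:00 av host=WS-023 ip=10.0.5.23 threat=Generic.Unknown status=unidentified
"""
SEVERITY_WEIGHT = {"high": 5, "medium": 3, "low": 1}
KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Normalise one native log line into a common record, or None if it is not recognised."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts, tool, rest = parts
    f = dict(KV.findall(rest))
    if tool == "nips":
        return {"ts": ts, "tool": tool, "ip": f["src"], "host": None,
                "weight": SEVERITY_WEIGHT[f["sev"]], "what": f"{f['action']} {f['sig']}"}
    if tool == "av":
        # malware the engine cannot identify is exactly what the post says to escalate
        weight = 5 if f["status"] == "unidentified" else 2
        return {"ts": ts, "tool": tool, "ip": f["ip"], "host": f["host"],
                "weight": weight, "what": f"{f['threat']} {f['status']}"}
    if tool == "hids":
        return {"ts": ts, "tool": tool, "ip": f["ip"], "host": f["host"], "weight": 5, "what": f["event"]}
    return None

def consolidate(text):
    """Group events by endpoint IP and score them; independent layers agreeing earn a bonus."""
    per_ip = defaultdict(lambda: {"hosts": set(), "tools": set(), "score": 0, "events": []})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        e = per_ip[ev["ip"]]
        e["score"] += ev["weight"]
        e["tools"].add(ev["tool"])
        if ev["host"]:
            e["hosts"].add(ev["host"])
        e["events"].append(f"{ev['ts']} {ev['tool']}: {ev['what']}")
    for e in per_ip.values():
        e["score"] += 4 * (len(e["tools"]) - 1)  # corroboration bonus across layers
    return sorted(per_ip.items(), key=lambda kv: kv[1]["score"], reverse=True)
```

The ranked list is the consolidated view: the endpoint that both the NIPS and the AV agent flagged, including malware the AV could not identify, comes out on top.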

Continual Service Improvement. RiSe Solutions uses the CSI process of ITILv3 concepts and processes to assess the performance of your cybersecurity program. KPIs (key performance indicators) enable us to measure strategic plans and design against results to identify gaps in performance; gaps may originate from external or internal factors.

Thank you for giving this topic your time, attention and consideration; I trust there are takeaways for you to use. Look for post 2 in the future about Compliance and Operational Security. If you’re interested in implementing a cybersecurity program as outlined above, please click Request a Consultation at the upper right of the screen, fill out “Cybersecurity Program” in the subject line, and include your email signature in the message body; I reply within 24 hours to arrange a conference call.
