Situational Awareness with Network Visibility
Illustration by Kekai Kotaki
Cisco Systems in their Cyber Security Threat Defense white papers outlines how the network security threat landscape is evolving. They describe how modern attacks are stealthy and evade traditional security perimeter defenses.
Traditional monitoring and reporting tools are no longer sufficient in detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS, and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be really implemented to fulfill some sort of checkmark for an auditor on a compliance form. Security professional know these tools, although very important, alone don’t provide a full security defense architecture.
Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember you can’t fight what you don’t understand.
“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)
Image Source: Cisco Identity Services Engine
Cisco Identity Services Engine provides true network identification, profiling, and access controls.
FEDERAL CYBER INITIATIVES
New mandates are making cyber security front and center of the news. President Obama recently challenged the nation and the Federal government in the United States to increase its cyber defense capabilities. As Federal IT budgets are getting slashed back in 2013; however, spending for cyber security appears to be increasing in the eyes of the casual on-looker.
Cisco Systems, in their Cyber Threat Defense White Paper discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”
Being constantly bombarded with continuous threats, how can security professionals even guadge they are being attacked or a threat is posing a clear and present danger (yes that was a Harrison Ford shout out).
RSA NetWitness Logo
Image Source: RSA
HOW TO SOLVE THE PROBLEM
I recommend creating a conceptional framework for Threat Defense Visibility and Awareness program. The goal of program should be to (1) provide a framework that can be built by using products, technologies, and methodologies that are available today, (2) provide network visibility on network health and status in real-time, (3) provide real-time network posture and attack risk baselines, (4) provide a training facility for attack analysis and defense.
WHAT IS NETWORK VISIBILITY?
According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on their website, security analysts gain visibility into advanced cyber threats such as:
- Network reconnaissance
- Network interior malware proliferation
- Command and control traffic
- Data ex-filtration
Lancope Stealwatch provides network visibility
Understanding trends, anomalies, and threats of the network
Image Source: Lancope
Network visibility gives security administrators the ability to detect problems because they highlight changes in baseline behavior. Did traffic spike a 100%, did outbound traffic suddenly increase, are more requests being transmitted to new domain on the Internet? All these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns than what is normally looks like.
SECURITY LOGGING EVENTS AND ANALYTICS FRAMEWORK COMPONENT
McAfee states when discussing their Enterprise Security Manager, “true network monitoring and high performance security information and event management (SIEM) bring event, threat, and risk data together to provide strong security intelligence, rapid incident response, seamless log management, and extensible compliance reporting for a variety of multi-vendor connected solutions.”
McAfee ESM provides next-generation security monitoring threat analysis
McAfee states “advanced risk and threat detection monitoring connects evolving threat data with a real-time understanding of the risk, asset importance, and security posture throughout the enterprise. This dynamic context, combined with highly intelligent correlation engine, provides risk scoring and threat prioritization that continually adapt to the enterprise environment.” Detecting and stopping attacks is not about having the best logging solution, but how quickly and efficiently those logging solutions can get you analytical information on security events.
ENTERPRISE GRC SOLUTIONS
According to Thompson Reuters Accelus (source: http://accelus.thomsonreuters.com/), “Organizations on the leading edge of connected governance, risk, and compliance rely on comprehensive technology to meet the needs of all GRC stakeholders. Purpose-built to handle the diverse requirements of internal audit, internal controls management, risk management, policy management, legal, and compliance professionals, recommend solutions for documentation and workflow, regulatory news and information, global compliance screening, board management, and regulatory disclosure.”
Thompson Reuters Accelus eGRC solutions
Image Source: Thompson Reuters Accelus
I believe eGRC solutions help organizations break down the walls between audit, risk, and compliance groups – enabling them to concentrate on high-priority risk areas efficiently and effectively, with the goal of increasing business value while decreasing operating costs.
I recommend solutions and products that empower you to take a pragmatic approach to balancing risk exposure by eliminating overlaps, gaps, and redundant efforts, helping you create true business value.
As summarized on WikiPedia and clarified on Thompson Reuters Accelus website, enterprise (eGRC) provides a common point of entry for audit, risk management, and compliance process owners, enabling all assurance groups to leverage a common, shared data model. Through the sharing of common definitions and terms, organizational reporting structures, taxonomies and frameworks, organizations realize improved data accuracy, consistent collaboration, and a streamlined approach to GRC. When combining IT with business intelligence and really figuring out how IT systems effect the bottom line not only does an organization increase their business efficiency, they gain unprecedented understandings of their own risks.
Thompson Reuters Accelus (source: http://accelus.thomsonreuters.com/) continues to add, “enterprise GRC helps organizations gain a greater understanding of their risk position and control environment, enhancing (an organizations) ability to respond to unforeseen events and ultimately empowering you to take advantage of emerging opportunities.” Simply put: if you don’t know what your organization is worth how valuable your data is, how can possibly protect it?
Threat Defense Visibility and Awareness meets need to increase overall security posture of a business or defense ecosystem. It also allows administrators of a system to quickly and easily view attack and health information on systems and respond to them in a very timely and efficient manner.
Do not get hung up on making products fit and concentrate on building solutions. The framework did not purposely recommend products (although their were products and screen shots implied for the solution).
Although I do have bias towards some products and lean towards solutions I believe work work well (I personally believe solutions from vendors outlined here are one of the best solutions on the market for these types of problems), remember you need to pick the right tool for the right job. If you think other products are better suited in your environment, go for it – and I would also love to hear why.
This should be considered as a starting point for discussions around cyber defense and cyber awareness and be the foundation for building a highly adaptive and scalable secure infrastructure. It’s up to you to build a solution that works in your environment to address the threat and business concerns of your organization.
Cisco Cyber Threat Defense Solution White Paper:http://www.cisco.com/web/strategy/docs/gov/cyber_threat_defense_solution_ds.pdf
Cisco Cyber Threat Defense Overview:http://www.cisco.com/web/strategy/docs/gov/cyber_threat_defense_solution_aag.pdf
Lancope: What is Network Visibility: http://www.lancope.com/solutions/security-operations/network-visibility/
RSA NetWitness: http://www.emc.com/security/rsa-netwitness.htm
RSA Security Analytics: http://www.emc.com/security/security-analytics/security-analytics.htm
Thompson Reuters Accelus: http://accelus.thomsonreuters.com/
WikiQuotes (Sun Tzu): http://en.wikiquote.org/wiki/Sun_Tzu