Written by Srikant (Sri) Ramachandran
In the last article titled Who are you communicating with?, I talked about the importance of gaining visibility into traffic patterns across the enterprise to detect suspicious patterns. In this article, I present the argument for the vital importance of cybersecurity products deployed across the enterprise to exchange telemetry and threat intelligence among themselves. This is essential if they are to be effective in presenting a distributed, coordinated defense against the most sophisticated attacks. This is akin to teamwork in sports, where all the players have a common mission and strategy that they’ve practiced intensely for. We have all observed that any set of individually talented players cannot just come together as a group and automatically make a winning team. Why so? It is not because of lack of skill but because the players in a great team practice together so much that they intuitively know their teammate's next move and are prepared for it.
“Power comes not from knowledge kept but from knowledge shared” ― Bill Gates
Defense in cybersecurity isn’t much different. Products need to be developed and engineered to not only be the best at their game but also share relevant telemetry and threat intelligence with other products and leverage information from them. If they had been stitched together in a rush to the market in the current fast-paced environment, they cannot and will not be effective enough as a team.
There are at least three benefits in a team-based approach
1. You get a view of the end-to-end network topology and status of network devices, with the ability to drill down further
2. Products share threat intelligence across the attack surface regardless of the entry point thereby constantly defending and protecting the entire enterprise against the latest threat vectors
3. Customers gain the ability to drive automation leveraging visibility from one product to drive analytics in the next followed through with business policy enforcement in the third stage
In an architecture where products share telemetry among themselves, you get a view of the end-to-end topology including network switches, access points, web application firewalls, load balancers, endpoints and other devices across the network for a further drill down for status and statistics. Such a view such as the one shown below helps both the network and security operations team.
Tight Integration across products for effective Automation and Defense
Detection of an attack without the ability to quickly and automatically enforce protection will defeat most of the purpose of detection. The enforcement need not be as extreme as isolation from the network, but it could be a rate limit of packet flow or limiting communication with only a specific set of devices to reduce the blast radius. The dwell time of an attack between its beginnings to detection to enforcement is a major factor driving the extent of impact and damage. There have been several high-profile incidents that can be attributed to delayed detection and/or delayed enforcement resulting in extensive financial penalties and brand damage.
Here are some use cases that are made possible through an architectural thought process with tight integrations across products.
Use Case 1: End-point telemetry of web access history correlated for Indicators of Compromise (IOC) from threat intelligence feeds resulting in an enforcement action on the Firewall or Network infrastructure or even directly on the endpoint.
Use Case 2: Day-0 threat intelligence discovered on any part of the infrastructure shared across the enterprise for protection against the latest attack vectors. As an example, threat intelligence gleaned by the Web Application Firewall is shared with perimeter firewalls, internal segmentation firewalls, SIEM systems, endpoints and so on.
Use Case 3: Identity information seen on the Firewall and Endpoint Management System (EMS) shared with Network Admissions Control (NAC) responsible for endpoint posture assessments to enforce effective admission control of devices connecting to the network.
Use Case 4: Tagging of endpoints grouped by attributes such as Operating System type by the EMS or NAC for a policy enforcement on a Firewall that match a tag value removing the necessity to enforce policies by IP subnets.
Use Case 5: Connectors to third-party Software Defined Networking (SDN) solutions, private and public cloud providers to enforce business policy compliance throughout the enterprise.
Engineering the products and solutions that effectively inter-communicate with each other is not a trivial exercise. It starts with focus and prioritization from the executive levels of management followed through by the engineering teams for execution from design through to implementation. In the age of meeting aggressive Wall Street expectations on a quarterly basis, companies are forced to grow at speed. While tactical moves may give short-term results, the engineering robustness of a tight integration will simply not be possible. It will lack the effectiveness, as retrofitting the integration for inter-communication as an after-thought can only serve to a point.
Fortinet’s approach with a breadth of solution offers for protection across endpoints, networks, applications and third-party products across both on-prem and cloud with strong focus on inter-product communication helps achieve defense as teamwork, rather than as a group of products. We call it the Security Fabric.
What is your preference in your pick of products and solutions for cybersecurity defense? Teamwork or Group work?
Srikant Ramachandran is a Senior Systems Engineer at Fortinet who works with major enterprise customers to architect security solutions. Sri has been a technologist for over three decades and is an industry expert with extensive experience across multiple technology domains of Cybersecurity, Cloud, Collaboration, Machine Learning and Enterprise Networking spanning pre-sales, solutions architecture and implementation. Sri holds several vendor certifications including Fortinet NSE, Cisco CCIE, AWS Solutions Architect as well as industry-recognized certifications such as CISSP with a Master of Engineering degree in Computer Science from the Asian Institute of Technology.