Calling in the security experts – your network engineers

I’ve talked about the need to consider your network as the key to improving cyber defenses.  Here’s why.

Today’s attacks are “system-level”, supplanting specific server or host exploitations.  Cybercriminals today develop sophisticated attack strategies by:

  1. Finding PATHWAYS INTO the network through phishing emails, third parties, or other creative ways.
  2. MOVING MALWARE AROUND the network while masquerading as legitimate traffic.
  3. Identifying legitimate PATHWAYS OUT.
  4. Exfiltrating company assets through these pathways.

Notice this is all about TRAFFIC and PATHWAYS, and who knows the most about these?   Your network team.

They know your network and why it is built the way it is.   What is their priority?    Performance and uptime.   They have a wealth of tools that already help them manage to these priorities.  So if a security solution gave them additional knowledge about their network that helped manage performance and uptime, they would likely embrace and use it.  Although they are now working with firewalls and other security devices by necessity, they still focus on performance.  They’ve segmented the network for management and performance reasons, but are now expected to further segment for security.

And they care about one other thing:  Access.   Access to data and applications by their end users.

Access?  Pathways?  This is EXACTLY what attackers are exploiting.

So your best bet to combat cybercrime?  Bring in the experts who know about access in your network, and leverage their knowledge and experience.

Securing Your Network, or Networking for Security?

Every day we hear about another breach, and most of the time the information we get is fairly consistent – the breach started and finished long before it was discovered.    It’s not always clear exactly how or where the attackers were able to get access because they’ve had ample time to cover their tracks.   Whatever log or history data we have is massive, and sifting through it to figure out anything about the attack is very difficult and time consuming.  We don’t quite know what we’re looking for and much of the evidence has come and gone.

As I survey the cybersecurity market and media coverage, I notice that:

  1.   We’ve thrown in the towel, it’s “not if, but when” you’ll be breached.
  2.   Many security vendors are now talking about analytics, dashboards, and big data instead of prevention.

person-thinking-networkNotably absent is the acknowledgement that the attack did not happen at a single point or computer, and that the actual theft of data was allowed because the data looked like legitimate network traffic using allowed routes through and out of the network.

We hear a lot about not having enough “security expertise”.  Is that really the problem?  Or is the problem that the security experts don’t really understand the full complexity of their networks?  The network experts understand.  These attacks are happening via network traffic – not on a device, nor with a known signature.   And what do networking professionals care about?  Traffic, and how it’s flowing.   I maintain that there’s a lot more expertise that could help in this breach analysis and prevention than we think – we’re just not asking the right people.

In subsequent posts I’ll talk about why the networking team is becoming vital to security efforts, and why understanding how a network is constructed and performs is the best chance we have of improving our defenses.

One Billion Dollars

Do I have your attention?

I was sitting in a hotel restaurant having breakfast overlooking the Sydney harbor the morning I read the story a couple weeks ago. While it’s half a world away and it may not have crossed your radar, the cost of the breach of the South Korean national identification database is expected to exceed a billion dollars.

I wonder if it’s enough.

As I have spoken with many who are responsible for the day-to-day activities involved in maintaining enterprise technology, I often hear that there isn’t enough impetus to invest in infrastructure security beyond the now-traditional firewalls and IPS/IDS technologies. They all recognize that such reactive tools are essential, but that they only enter the equation after the bad guys are already in the network.

What if they could actually keep them out?

Doing so requires more. It requires proactive cyber attack prevention. It requires getting your arms around everything that is possible on your network and not just what is currently happening or has happened in the past. The distinction is critical, and often missed because it is so difficult to understand the millions of potential paths, the implications of the compounding effects of routers, firewalls, and load balancers quickly become overwhelming. Many organizations punt on the overall picture and focus in on individual devices and cleaning up their configurations, and while such work is good and important, it ignores the bigger picture: if there are circumstances, however unlikely, that would allow packets to circumvent the controls or the intrusion systems, all the defenses in the world will fail to protect the organization.

Many of the breaches we are seeing these days are the result of these kinds of situations.

So, will a billion dollar bill be a sufficient wake up call for those responsible for investing in cyber security?

Top 5 Network Security Best Practices

As I sat in one of RedSeal’s headquarters conference rooms last week discussing with two customers their approach to securing their networks, I was reminded how, even in the midst of our diversity, there are some fundamental truths about security and best practices. eWe’ve come up with five of the top network security best practices.

topfiveFirst and ultimately, it’s about people. There is only so much that automation can do, and often we put it in place to discover, determine, or deconstruct the errors people make. One of the primary options we have in this area is to continuously educate and communicate wise choices to limit the potential security incidents. The ultimate best practice is prevention. Creating a security-sensitive business culture is therefore a prime best practice.

Second, identify your critical assets and rank all of your assets based on their importance to your business. This is part of knowing what you are protecting. Once you know what assets are important, you can determine whether or not you are appropriately defending them. If you don’t have them clearly identified, critical assets may remain unprotected and open for attack.

Third, create a zoned network security architecture to delineate between ranks of assets and communication between them, providing for buffer zones that can deflect attacks. The common DMZ network was the first of the general-purpose zones to come into widespread use, and recommendations like those in the PCI DSS add additional zones like Cardholder Data and Wireless to the mix. Having your own clear definitions is critical.

Fourth, being clear about the access that is generally allowed between those zones, that is forbidden, and that is approved for certain business reasons is the next step. Know what access you want to have available and what access you want to make sure isn’t possible. For example, it’s likely you’ll want to prohibit login protocols from any outside link into your network. Some access limitations are also created for you by external standards. For example, PCI DSS makes clear that access into Cardholder from the Internet is prohibited, and access from Cardholder outbound to the Internet is also forbidden.

And fifth, once you’ve defined all of these aspects of your network security, it is criticcal to use automation to make sure that your network correctly implements this design. I have seen many instances where networks are not doing what the design intended. Almost without fail, there are errors in configurations that cause unexpected access, or at least consequences that were not intended. The massive interconnectivity of the network often allows potential paths that can circumvent controls under circumstances that are uncommon but possible. All of these possibilities require the use of automation to continuously review and check the devices and the network for any potential consequence, to provide as much protection as possible.

While this isn’t easy to do by human analysis, RedSeal can model and analyze this kind of information for you every day. You can know what you don’t know. It’s worth it!

Anticipating attack: top 10 ways to prevent a breach

Last week, I spent most of my time in a conference room at RedSeal headquarters presenting our RedSeal Certification training to a mix of our customers and recent additions to the RedSeal team. Showing those in attendance the broad set of capabilities of the system reminded me how important it is to be very clear about the steps for anticipating attack and putting together automation and operations to protect your enterprise and its assets.

telescope-smaller_0Here is my top 10 list:

  1. Scan your hosts for vulnerabilities
  2. Prioritize and schedule patching
  3. Place modern security controls at all ingress and egress points
  4. Monitor all ingress and egress traffic, triggering alerts and interception of inappropriate traffic
  5. Standardize your device configurations
  6. Create a set of network security zones
  7. Review your network’s access paths
  8. Compare access to network security policy
  9. Track approvals of access between critical zones
  10. Monitor and report on access found each day

How does your approach compare to this list? What do you think I’m missing? Is there anything I included that you think shouldn’t be here?

How Does the Cloud and Mobility Change Things?

I remember sitting in a data center deep in an IBM facility in the early 1990s typing access control into a Proteon router that we had installed for our first commercial Internet link at that site. The controls were rudimentary, and severely limited access from outside. No one but I could access most of the connected systems, and very few people even knew that they existed. Few cared. Who wanted access from the Internet, anyway?

Fast forward to today when many people carry the Internet in their pocket. Computational and storage resources are available for pennies from many different cloud providers, and virtually everyone walking into an enterprise facility is carrying a powerful computer capable of connecting to both the Internet and any wireless network within the facility.

How does this change the game?

factoring-in-the-cloudFor one thing, it makes the overall attack surface much larger. That surface now includes all of the wireless networks within your network plus all of the various avenues into any of your public or hybrid cloud infrastructures. This means that knowing the attack surface is critical.

For another, the access controls created must take into account this new set of potential attacks, including source addresses–whether spoofed or not–that may include addresses that are legal within the organization.

Taking that entire set into account and following potential resulting access from outside the organization through all potential paths in the network (including any potential access that would result from legal changes to routing based on either load or lost interfaces) is challenging.

Making sure that necessary, business-critical access is open, while also making sure any unnecessary, potentially dangerous access is blocked, is just as challenging.

On top of this work, being sure that you’ve done all of this in the way you intend, that you maintain it over time with clean, current configurations and documentation, and that you are able to report and determine any changes, is one of the core aspects of managing this ever-more-complex situation going forward.

Testing the Policy

The day was already hot with the humidity rising as I entered the data center for our third day of consulting. The NOC was state-of-the-art, dimly lit, with displays showing network status, weather, and news. This was the day we would see the results of testing the network policy for the first time. I knew what to expect, and I knew the engineers would be surprised. It happens every time.

testingNetworks today are incredibly complex: from the more traditional routers with ACL s, and firewalls with their rules, to ever-more-sophisticated load balancers, application-layer firewalls, and virtual environments that comprise more functions than the entire enterprise had just a few years ago. The expansive organic and revolutionary growth of network functions has created an elaborate, interconnected, dynamic maze that is practically impossible for human beings to grasp, much less to determine every possible outcome of communication across it.

That is where automation steps in.

As I mentioned in previous posts, first, you identify zones and then you map them to your network. These two steps are essential to any reasonable security policy. However, that’s not enough. You have to know every day that your network enforces those zones and the inter-zone policies you worked so hard to create. The only way to do that is with automation.

As a guy who has built networks for a very long time, one of my primary reasons for using RedSeal on those networks is to abstract the complexity of all those network elements and show me the current state of the security policy: are there any violations to that policy on the network today?

Just like that hot day I spent in the cool confines of a modern data center, every network I have helped customers and prospects analyze — without exception — has had violations of their policy. Many were approved exceptions. Some were emergency changes. It’s also very common to discover completely unexpected violations. Frankly, you should expect that. The complexity and unexpected interactions are far too great to be able to anticipate all of them without automation like RedSeal.

How do you test your policy?

Mapping Policy to Your Network

A few years ago, I sat in an otherwise empty classroom inside the administration building of a children’s hospital with two members of their security team. We stared at a spreadsheet and a document that described the server and client zones of their network, displayed from a projector like a classroom project. For each zone, we dug into the details of allowed, forbidden, and approved access. This work was precise and detailed, requiring us to step through subnet addressing, host addresses, and the policy documentation over and over again.

mappingEventually, we had mapped the network security architecture policy to their network, though, and this was a critical next step in protecting kids and their families from the potential evil done by those who would attack the network of a children’s hospital.

The work to dig in and map every network to an appropriate zone is significant, but it’s critical. Regardless of your specific requirements, knowing the purpose of every subnet, each type of host collection you have, and mapping them to a reasonable network security architecture is a critical requirement allowing you to draw lines between parts of your network to avoid the situations that Target and Supervalu have found themselves facing.

As attackers and their attacks become ever more sophisticated and patient, your security zones and the implementation of security controls between them is your only real defense. Of course, using automation to monitor those controls and ensure that they are implemented correctly, consistently, and completely is equally vital. More on that in an upcoming post.

Staying on Top of Security

Wall Street values companies based on their performance over time.  That performance is measured in revenue growth and profit, but it is also measured by the reliability with which results can be predicted. Predictable results makes everyone happy.  Wall Street doesn’t like surprises, and neither does a CEO.  At some level, I suppose, the CEO’s job is to grow the business with as few moving parts as possible, eliminating potential surprises that could upset predictable results.

ray-staying-on-topThis becomes difficult when you realize that the very foundation of every modern business, the network, is full of moving parts and is anything but stable. Technology continues to evolve, new products are introduced, and companies are constantly changing their electronic infrastructure in hopes of improving operations and lowering costs.  This double whammy of new products and the desire to lower costs by changing the network brings complexity, potential vulnerabilities and unpredictability to the business. At the end of it all, one should always ask the question – are things getting better, or not?  Is my network improving or not?  And am I more secure or not? How can I know?

I recently met with the chief executive of a Fortune 20 company.  In our discussion I learned that this CEO gets a cyber report every Monday morning.  Not only does it include what attacks or threats his company witnessed, but it includes information on what is happening in the world as it applies to his business.  This sounds a lot like what the President of the United States gets in his daily briefings from the NSC!  I was totally surprised and delighted that he was taking security so seriously.

What does this mean for you, the CEO?  A cyber event is coming, whether you like it or not.  It doesn’t have to be scary or deadly.  Being prepared with a secure network is now the cost of doing business.  The sooner you start, the less impact it’ll have on your company when it happens to you.

Was It Something I Said?

I was in one of those small, interior conference rooms when it first happened. It was very hot outside, with an obvious threat of another day over 100°F and extreme humidity, as well. But, it felt even hotter in the room. I was there to provide insights to members of the network and security teams for a regional retailer, and only a few minutes into the training, it seemed like everything I said resulted in angry rebuttals. As a pretty easy-going guy, I couldn’t figure out how it was that I had offended the senior network engineer so completely. So, I asked her, “What has you so upset about this information?”

“Simple!” she hissed through clenched teeth pointing across the table, “They are going to just use this to beat me up!”

There, in a nutshell, is a fundamental problem with many IT organizations: different teams have different fundamental objectives and instead of working together and understanding the goals in a more holistic way, they end up in an adversarial relationship, something-i-saidfighting for resources and the favor of the CIO, CFO, and CEO.

It starts with the clear distinction between the role of network operations and security. The network team is responsible for making sure that packets get through. Their phone doesn’t ring as long as everyone gets access to what they need and there are no slowdowns. On the other hand, security is responsible for making sure that some packets do not arrive, protecting network assets from unauthorized access and from potential attacks of various kinds. As a result, the two teams often find themselves diametrically opposed to one another.

The solution to this rests with the CIO as typically the executive responsible for all aspects of the network infrastructure. As a result, the CIO is the place where these divergent objectives join to create a single strategy, and she is the one who can provide the context and vocabulary for unification.

How is this done in your organization? How have you seen it done, perhaps in organizations where it doesn’t work so well (since I’m sure your organization doesn’t have this issue!)? What do you need in order to make sure that the entire IT organization is aligned to the same goals?