The Path to Integrated Network Security (Part II of II)
By Mitchell Ashley, CTO and VP Customer Experience, StillSecure
As we outlined in Part I of this article, protecting the IT business infrastructure requires a defense-in-depth, or layered, strategy. 98 percent of organizations today have anti-virus and firewalls; however, these alone are not enough against today’s sophisticated threats. By integrating additional technologies such as vulnerability management, endpoint policy compliance, and intrusion prevention/detection, organizations achieve comprehensive protection from attack. In addition, data from these systems is correlated to better protect the network and simplify security management. The result is a highly protective, highly automated security environment.
Integration in action: The anatomy of an attack
Tracking the lifecycle of a well-known attack in a network protected by integrated, layered security demonstrates the efficacy of this approach. In the example that follows, we’ll examine how integrated security defends against a recent peer-to-peer (P2P) attack. The network in this example includes the following integrated technologies: firewall, AV, intrusion prevention system (IPS), an endpoint policy compliance solution, a vulnerability management system, and a patch manager.
In this scenario, a corporation’s Chief Operations Officer (COO) takes her company-owned laptop home on Friday evening. Over the weekend a family member uses the machine to share music files with others on the Internet using the latest music sharing program.
2. Policy compliance check, device quarantine
Upon returning to work Monday morning, the COO connects to the corporate network, at which point the company’s endpoint compliance solution tests the device for compliance against the organization’s established security access policies. The access policy dictates that:
• Devices must have the latest IT-approved operating system patches
• The corporate-standard anti-virus protection is running and up to date
• Corporate patch management client software is operational on the device
Although the endpoint security system could check for other policy requirements, such as restricted programs or other security configurations, these were not part of the applied access policy tests. The COO’s laptop meets all the defined requirements and is allowed access into the network.
Within the integrated security environment, the endpoint compliance solution is able to inform the vulnerability management system (VMS) that this laptop, which is a corporate asset, has returned to the network after being disconnected for a few days. The VMS launches a full vulnerability scan of the device to ensure no new vulnerabilities are present.
The vulnerability scan detects that unauthorized TCP ports on the device are open and active. Because the laptop is assigned to an officer of the company, it is considered a high-importance device. As such, it is given a high repair priority within the vulnerability management system’s repair workflow. In this integrated security environment, the VMS coordinates this repair information with the IT trouble-ticketing system, where a high-priority ticket is opened and assigned to the system administrator responsible for desktop maintenance. In parallel, the VMS informs the network intrusion prevention system (IPS) that this laptop has potential vulnerabilities on the unauthorized ports identified during the vulnerability scan.
4. Shield the at-risk device from further impact
After connecting her laptop to the network, the COO heads off to a staff meeting. While she is away, the network perimeter intrusion prevention system (IPS) begins to detect a large number of inbound and outbound connections emanating from the IP address of the COO’s laptop. These connections are oriented outside the corporate network, using file-sharing protocols and network ports typically used by peer-to-peer file-sharing programs. The IPS is configured to block any suspicious peer-to-peer traffic and drops all offending data packets to and from the laptop.
As part of the attack identification process, the IPS correlates the suspicious traffic with known device vulnerabilities, informs the VMS that attacks of this type are occurring on the device, and flags these attacks for special attention by the security staff. Because there is potential information loss, the IPS also informs the endpoint compliance system, which immediately places the laptop in quarantine.
5. Remediation and verification
The security staff has now been alerted to the situation and determines the best course of action. Through the VMS they instruct the patch management system to deliver a script to the laptop that will uninstall the offending P2P program. To prevent similar problems on this device in the future, the security team installs a personal firewall on the laptop. As part of the closed-loop vulnerability management process, the VMS then (1) rescans the laptop to verify the identified vulnerabilities have been removed and (2) instructs the endpoint security system to release the device from quarantine and place it back onto the full network.
6. Policy Implementation
Because of this incident, the security team decides to accelerate the rollout of the personal firewall security program for all traveling laptop users and update the endpoint security policy to restrict the use of unauthorized P2P music and file-sharing programs.
The team begins the process by ‘pre-rolling’ policies in the endpoint security system to test, but not yet quarantine, devices for the required personal firewall program and any restricted P2P applications. The results from the policy pre-roll testing show that most laptops have the corporate-standard personal firewall installed, but a surprisingly large number of internal desktops and traveling laptops are running unauthorized P2P and instant messaging applications. The team immediately adds a new policy to the endpoint compliance system to require the use of the personal firewall on all corporate laptops.
Additionally, the security team immediately sends out a communiqué to all staff members reinforcing restrictions on unauthorized applications, and then rolls out a script to remove them. Once the unauthorized applications have been removed, the security team adds checks to the endpoint security system to quarantine any non-compliant devices.
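The access policy from step 2 and the “pre-roll” test described above, modelled as a small policy engine. This is an added illustration, not StillSecure code; the rule names, patch baseline, application names and sample fleet are hypothetical.

```python
from dataclasses import dataclass, field
# Constructed baseline: the article's three access checks plus the two rules
# the team adds later. The patch level and app names are hypothetical.
REQUIRED_PATCH_LEVEL = 42
RESTRICTED_APPS = {"musicshare-p2p", "filegrab"}

@dataclass
class Device:
    name: str
    owner_role: str              # "officer" devices get high repair priority
    patch_level: int
    av_running: bool
    av_current: bool
    patch_client_running: bool
    personal_firewall: bool
    running_apps: set = field(default_factory=set)

RULES = {  # each rule returns True when the device complies
    "os-patches": lambda d: d.patch_level >= REQUIRED_PATCH_LEVEL,
    "anti-virus": lambda d: d.av_running and d.av_current,
    "patch-client": lambda d: d.patch_client_running,
    "personal-firewall": lambda d: d.personal_firewall,
    "restricted-p2p": lambda d: not (d.running_apps & RESTRICTED_APPS),
}
ENFORCED = {"os-patches", "anti-virus", "patch-client"}   # fail -> quarantine
PRE_ROLL = {"personal-firewall", "restricted-p2p"}        # fail -> report only

def evaluate(device):
    """Return the names of the policy rules the device fails."""
    return [name for name, ok in RULES.items() if not ok(device)]

def decide(device, enforced=ENFORCED, pre_roll=PRE_ROLL):
    """Enforced failures quarantine the device; pre-roll failures are reported only."""
    failures = set(evaluate(device))
    blocking = sorted(failures & enforced)
    return {"device": device.name,
            "action": "quarantine" if blocking else "allow",
            "priority": "high" if device.owner_role == "officer" else "normal",
            "blocking": blocking, "pre_roll": sorted(failures & pre_roll)}

def pre_roll_summary(devices, pre_roll=PRE_ROLL):
    """Count report-only failures per rule across a fleet (the pre-roll test)."""
    counts = {rule: 0 for rule in sorted(pre_roll)}
    for d in devices:
        for rule in decide(d, pre_roll=pre_roll)["pre_roll"]:
            counts[rule] += 1
    return counts

FLEET = [  # constructed sample fleet: COO laptop, internal desktop, stale lab box
    Device("coo-laptop", "officer", 42, True, True, True, False, {"musicshare-p2p"}),
    Device("desk-01", "staff", 42, True, True, True, True, {"filegrab"}),
    Device("lab-03", "staff", 40, True, False, True, True)]
```

Moving a rule from PRE_ROLL to ENFORCED is the step the team takes once the pre-roll counts are understood and the unauthorized applications have been removed.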
Beyond security applications: Integration within the IT environment
Integration is not only occurring among security applications; it is also occurring between security applications and other systems in the IT environment. The integration between the vulnerability management system and the trouble-ticketing system is one example of this wider integration. Other potentially integratable systems are shown in Table 1 (below). Wider integration further enhances the key benefits of improved security, improved reporting and control, and improved administrative efficiency.
Advantages of integration within the IT environment include:
• Centralized management of security data
• Security management across disparate systems
• Leveraged IT investments – increases the value of existing IT systems and processes, streamlines security administration, and reduces training and management costs
• Proactive risk mitigation – integrated security requires less overhead and provides a repeatable means to continually mitigate the risk of an attack on the network
Table 1. Integratable security-related IT systems:
Asset inventory systems:
• Vulnerability scanners
• Passive scanners
• Data from external security audits
• LDAP/AD directories
• Data from third-party security products (IDS/IPS, anti-virus etc.)
Remediation-related systems and processes:
• Automated repair/patch management systems
• Trouble ticketing systems
• Intrusion detection/prevention for attack correlation
• Change management systems
• Security portals
• Security information managers (SIMs)
• Third-party monitors of monitors (MOMs)
Sophisticated threats bombard your network continuously. Protecting your organization from attack, preventing your proprietary data from being compromised and achieving compliance with applicable data security regulations require more than a firewall and antivirus. Today, security-conscious organizations are adopting a layered approach to network security to mitigate their risk.
The current trend is building on the layered approach by integrating security technologies. The integrated approach enhances security, streamlines workflow and reporting, and dramatically improves the efficiency with which security is managed.
About the Author
Mitchell Ashley serves as Chief Technology Officer (CTO) and VP of Customer Experience at StillSecure. As CTO, Mr. Ashley is responsible for the product strategy and development of the StillSecure suite of network security products. As VP of Customer Experience, Mr. Ashley leads StillSecure in providing a 'best-in-class' experience throughout all customer interactions. The creator of StillSecure's endpoint security and vulnerability management products, Mr. Ashley has more than 20 years of industry experience.
StillSecure was founded in June of 2000 by an experienced management team that saw the need for affordable, scalable, and high-performance security solutions. The team recognized the market was saturated with complex products that were difficult to use and expensive to implement. They saw an opportunity to make effective security accessible and affordable for enterprises of all sizes.