A Case for Host-based Information Security

Transcription

1 Technology Concepts and Business Considerations Abstract This white paper considers the information security mindset from protecting the perimeter to redefining the IT ecosystem with the goal of attaining more granular control over more assets, which leads to more effective and efficient IT operations and compliance auditing. August 2009

2 Copyright 2009 EMC Corporation. All rights reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com All other trademarks used herein are the property of their respective owners. Part Number h6501 Technology Concepts and Business Considerations 2

3 Table of Contents Executive summary...4 Introduction...4 Audience... 4 Defining perimeters and IT ecosystems...4 Examining computer attacks...7 Controlling and monitoring hosts...7 Conclusion...9 Technology Concepts and Business Considerations 3

4 Executive summary Most of today s IT environments contain a vast array of different technologies: server and workstation platforms (Microsoft Windows, UNIX, Linux), network devices such as routers and switches, securityspecific network devices like firewalls and intrusion-detection systems, and numerous applications and databases. From an information security perspective, what do we focus on protecting given that we have limited time and resources? The obvious answer is everything but that s not practical. The next-best answer is the most critical and sensitive resources. This is likely to be the right answer, but it only answers the what question. What about the how of getting this accomplished? There are a number of ways to approach the problem, but a shift in paradigm can help us to see things differently. First, consider computer-related attack scenarios. Except for denial-of-service (DoS) attacks that affect availability and passive attacks that include sniffing, passive scanning, or OS/application analysis and man-in-the-middle (MiTM) scenarios, every single computer-based attack targets something on a host platform. Whether the attack focuses on application vulnerabilities, database pilfering, flaws in a service or OS/add-on component that grants access, or any other chink in the armor, the ultimate goal is to gain access to a host and/or its data stores. Next, consider that the more control you have over the object of an attack, the higher the likelihood that you can directly prevent and detect the attacks by decreasing the attack surface through hardening, patching, and monitoring. Introduction This white paper considers the information security mindset from protecting the perimeter to redefining the IT ecosystem with the goal of attaining more granular control over more assets, which leads to more effective and efficient IT operations and compliance auditing. Audience This white paper addresses IT operations managers, IT security managers, and those with server configuration management responsibilities in large-scale IT environments. Defining perimeters and IT ecosystems Traditional security best practices specify that security teams should detect threats as far out as possible, toward the network perimeter. When the threat is detected closer to the host, the options for prevention and remediation are fewer since the enemy is at the gate. This is certainly a good approach by detecting and responding to threats as soon as possible, the likelihood of a successful compromise is reduced. However, there is another way to think about our IT environments: as ecosystems with varying degrees of control. The first type of ecosystem is the macro environment, or the IT infrastructure as a whole. This includes all components within IT desktops, servers, applications, network devices, and so on. Often, IT security tends to focus on protecting this by placing security monitoring and controls at strategic locations throughout the environment. Examples include firewalls at the perimeter and network segmentation points; intrusion-detection sensors at ingress points, DMZs, and other sensitive areas; and vulnerability scanning engines placed where they can assess major subnets. Technology Concepts and Business Considerations 4

5 Figure 1. Macro IT ecosystem with controls This macro level of IT infrastructure is characterized by several major considerations for IT security professionals: Hosts: Each server and network device represents a system that must be configured, managed, and protected. Each of these systems may behave somewhat independently of the others. Networks: Networks need to be planned and designed to support the traffic volume within the infrastructure, and should be segregated to allow maximum control over major points of connectivity. Services and Applications: The services and applications that reside on the hosts will interact with other systems and applications in a variety of ways. Behavior: The sum total of all systems interacting within a network environment leads to behavioral patterns and trends that can and should be monitored. Although this is a simplified view of the environmental aspects to consider, it underscores the point that viewing information security at the macro level is difficult, with many different moving parts to protect. For this reason, it s beneficial to plan a security strategy at the micro level, where each host system is a miniature ecosystem unto itself and security professionals can exert a greater degree of control. In fact, although the response time may be reduced as attacks get closer to the host, the degree of control for protecting the system and its data actually goes up, as shown in Figure 2. Technology Concepts and Business Considerations 5

6 Figure 2. Security control increases closer to the host Most platforms and systems have a number of common attributes: Network connection(s) ingress/egress points File systems Users, groups, and roles/rights Services and/or applications that run on or within the system Platform components such as registry keys and kernel parameters and files Figure 3. Micro IT ecosystem (hosts) In addition, most large IT environments have some degree of homogeneity, or similarity across numbers of systems. There may be six different standard Windows desktop builds, but these six builds account for the Technology Concepts and Business Considerations 6

7 configuration of 30,000 workstations globally. There are likely some similar standards in place for Web servers, file servers, routers and switches, and so on. Examining computer attacks There are several major categories of attacks against computers and networks: Exploits of services and applications: Vulnerabilities in the code of platform services or applications that reside on the platforms are exploited locally or remotely. This grants attackers access to data and provides a pivot point from which to launch further attacks within the network. Denial-of-service (DoS): These can be localized or network-based. In the case of local DoS attacks, an attacker attempts to consume all available resources on a system, rendering it unavailable. In a network-based DoS attack, network capacity is reduced by large quantities of traffic. A related case is local or remote attacks specifically against network devices, causing the flow of traffic through them to be impeded. Passive attacks: Passive attacks are primarily focused on information gathering. Sniffing network traffic and routing communications through a man-in-the-middle (MiTM) are examples of passive attacks. These are then leveraged to execute additional attacks except in the case of purposeful data theft and interception in this case, a passive attack could satisfy the entire goal. Although there are certainly other types of attacks, most of them derive from one of the three listed here. In reviewing these attack types, most of them (not network-based DoS) have one thing in common: They focus on the host. The host is where data is stored, applications and services are running, and vulnerabilities are likely to occur. Manipulation of network traffic in transit is possible, but that simply implies that an attacker has too much access to network conduits, perhaps by gaining access to a switch or some other means. An attacker who has bypassed network access controls to gain entrance to a network ecosystem cannot hide on the network this simply isn t possible. There must be an endpoint that is compromised to provide shelter to an attacker. In addition, unless DoS is the intent, an attacker s goal will always be related to a host in some way: data in a database or stored in a file system, user accounts that provide access to hosts, application access, and so on. Controlling and monitoring hosts Given the types of perimeters defined earlier, as well as the proclivity for host-focused attacks, information security professionals should first attend to the micro ecosystems in their environments. By effectively securing and monitoring each host, security teams can be assured that systems, applications, and data are protected as close to the source as possible. This seems to fly in the face of tried-and-true security best practices, though shouldn t we focus on security measures as far away as possible, to provide maximum detection and reaction time? Although traditional network security measures are a vital component of any organization s overall security strategy, the answer is no. We should focus first and foremost on securing and monitoring hosts. As far back as 2004, Gartner s John Pescatore wrote that [b]usiness-critical platforms require host-based security to protect the expanding enterprise perimeter. 1 The perimeter is still expanding so why hasn t this become gospel? The main reason why effective host-based configuration, security, and monitoring practices aren t commonplace is simple: We think it s hard. It s much easier to place several firewalls and intrusiondetection sensors at points in our networks, make sure they can see traffic, tune their rulesets a bit, and then monitor a console. Securing tens of thousands of hosts? Much more difficult, we think. Additionally, the number of configuration items (CIs, in ITIL parlance) for a modern OS or application can be staggering. A single Windows server might have upward of 80,000 knobs that could be turned. How can we manage this many options? 1 It s Time for Host-Based Security Platforms, Technology Concepts and Business Considerations 7

8 The answer is configuration management. There are several key components to a sound configuration management strategy: A low-overhead agent on each system: Although no one likes agents, having unfettered local access to all resources within the host ecosystem is critical to visibility and control of each configuration item on the host. Standards: Trying to decide exactly how to configure each host and application can be daunting. For this reason, it s important to leverage existing best-practices standards such as those from the Center for Internet Security 2 and the Defense Information Systems Agency (DISA) 3, and vendor-specific guides from Microsoft, VMware, and others. Patching: A simple and automated patching mechanism is one of the cornerstones of vulnerability and configuration management disciplines. There are simply too many vulnerabilities in most modern software packages to leave this to chance. Discovery: The macro ecosystem is dynamic, constantly changing. To maintain a reasonable inventory of hosts, some sort of discovery/scanning mechanism is needed to ensure hosts are quickly identified and brought under centralized management as soon as possible. Change Management: The No. 1 cause of downtime and incidents within organizations is unplanned change. This could be due to malware infections, equipment failure, a deliberate malicious action, or simply someone in a hurry who circumvents approved change management processes. Whatever the case may be, integrating configuration management into a well-defined change management workflow will allow systems and security administrators to keep up with changes that are supposed to happen, while quickly disallowing and rolling back those that aren t supposed to happen. Centralized monitoring and control: Without the ability to centrally manage all the host configuration details, the question of how we ll effectively manage the micro ecosystems becomes problematic. Therefore, all local system agents should report to a central system where administrators can monitor host status, identify configuration items that are out of standard or don t match policies, and make those changes from within the console. This console should integrate with change management systems to ensure continuity of actions within the macro environment. There are many more aspects of configuration management that could be listed, but these are the primary ones that pertain to information security. For example, if a new exploit is released that compromises systems missing a certain Microsoft Windows patch, security teams are much better served by determining which systems aren t patched and configured properly in a console than waiting for exploit attempts to be detected on the network. With one query, all hosts could report whether a specific configuration item was properly instituted, allowing security professionals to implement those changes and defend all the hosts. By focusing further out at the network perimeter, you can detect and/or block these attack attempts, but what happens if the exploit keeps changing? Keeping up with network intrusion signatures is a much less effective approach than simply finding and fixing the problem at the host level. Again, this isn t intended to dissuade anyone from implementing network security measures however, focusing on these at the expense of the host is a losing battle Technology Concepts and Business Considerations 8

9 Conclusion As part of a complete infrastructure security strategy, it s important to realize that the ultimate goal of any security program is to protect sensitive data. This data, although possible to intercept or modify in transit, is largely maintained and accessed on host systems; thus, the need for a strong host-based configuration management and security program is paramount. The number of controls that can be implemented and modified on each host is steadily increasing as platforms grow in complexity. This flexibility also comes with a downside: Administrators and security professionals need to keep up with best practices on configuring and maintaining the myriad options available on each system. Once a strategy is in place for securing and configuring hosts, however, this focus on the micro IT ecosystems within the environment will pay dividends by allowing much more granular security controls to be implemented. Although response times to traditional attacks may decrease (assuming perimeter and network security tools fail), in most cases this won t matter if the systems are properly patched and configured. Technology Concepts and Business Considerations 9