A Case for Host-based Information Security


Technology Concepts and Business Considerations

Abstract

This white paper considers shifting the information security mindset from protecting the perimeter to redefining the IT ecosystem, with the goal of attaining more granular control over more assets, which in turn leads to more effective and efficient IT operations and compliance auditing.

August 2009

Copyright 2009 EMC Corporation. All rights reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com All other trademarks used herein are the property of their respective owners. Part Number h6501 Technology Concepts and Business Considerations 2

Table of Contents

Executive summary ... 4
Introduction ... 4
Audience ... 4
Defining perimeters and IT ecosystems ... 4
Examining computer attacks ... 7
Controlling and monitoring hosts ... 7
Conclusion ... 9

Executive summary

Most of today's IT environments contain a vast array of different technologies: server and workstation platforms (Microsoft Windows, UNIX, Linux), network devices such as routers and switches, security-specific network devices like firewalls and intrusion-detection systems, and numerous applications and databases. From an information security perspective, what do we focus on protecting, given that we have limited time and resources? The obvious answer is everything, but that's not practical. The next-best answer is the most critical and sensitive resources. This is likely to be the right answer, but it only answers the "what" question. What about the "how" of getting this accomplished?

There are a number of ways to approach the problem, but a shift in paradigm can help us to see things differently. First, consider computer-related attack scenarios. Except for denial-of-service (DoS) attacks, which affect availability, and network-path attacks such as sniffing, passive scanning, OS/application analysis and man-in-the-middle (MiTM) scenarios, every computer-based attack targets something on a host platform. Whether the attack focuses on application vulnerabilities, database pilfering, flaws in a service or OS/add-on component that grant access, or any other chink in the armor, the ultimate goal is to gain access to a host and/or its data stores. Next, consider that the more control you have over the object of an attack, the higher the likelihood that you can directly prevent and detect the attack, by decreasing the attack surface through hardening, patching, and monitoring.

Introduction

This white paper considers shifting the information security mindset from protecting the perimeter to redefining the IT ecosystem, with the goal of attaining more granular control over more assets, which in turn leads to more effective and efficient IT operations and compliance auditing.
Audience

This white paper addresses IT operations managers, IT security managers, and those with server configuration management responsibilities in large-scale IT environments.

Defining perimeters and IT ecosystems

Traditional security best practices specify that security teams should detect threats as far out as possible, toward the network perimeter. When the threat is detected closer to the host, the options for prevention and remediation are fewer, since the enemy is already at the gate. This is certainly a good approach: by detecting and responding to threats as soon as possible, the likelihood of a successful compromise is reduced. However, there is another way to think about our IT environments: as ecosystems with varying degrees of control.

The first type of ecosystem is the macro environment, or the IT infrastructure as a whole. This includes all components within IT: desktops, servers, applications, network devices, and so on. Often, IT security tends to focus on protecting this by placing security monitoring and controls at strategic locations throughout the environment. Examples include firewalls at the perimeter and at network segmentation points; intrusion-detection sensors at ingress points, DMZs, and other sensitive areas; and vulnerability scanning engines placed where they can assess major subnets.

Figure 1. Macro IT ecosystem with controls

This macro level of IT infrastructure is characterized by several major considerations for IT security professionals:

Hosts: Each server and network device represents a system that must be configured, managed, and protected. Each of these systems may behave somewhat independently of the others.

Networks: Networks need to be planned and designed to support the traffic volume within the infrastructure, and should be segregated to allow maximum control over major points of connectivity.

Services and Applications: The services and applications that reside on the hosts interact with other systems and applications in a variety of ways.

Behavior: The sum total of all systems interacting within a network environment leads to behavioral patterns and trends that can and should be monitored.

Although this is a simplified view of the environmental aspects to consider, it underscores the point that viewing information security at the macro level is difficult, with many different moving parts to protect. For this reason, it's beneficial to plan a security strategy at the micro level, where each host system is a miniature ecosystem unto itself and security professionals can exert a greater degree of control. In fact, although the time available to react shrinks as attacks get closer to the host, the degree of control for protecting the system and its data actually goes up, as shown in Figure 2.

Figure 2. Security control increases closer to the host

Most platforms and systems have a number of common attributes:

Network connection(s), the host's ingress/egress points
File systems
Users, groups, and roles/rights
Services and/or applications that run on or within the system
Platform components such as registry keys, kernel parameters, and files

Figure 3. Micro IT ecosystem (hosts)

In addition, most large IT environments have some degree of homogeneity, or similarity across numbers of systems. There may be six different standard Windows desktop builds, but those six builds account for the configuration of 30,000 workstations globally. There are likely similar standards in place for Web servers, file servers, routers and switches, and so on.

Examining computer attacks

There are several major categories of attacks against computers and networks:

Exploits of services and applications: Vulnerabilities in the code of platform services, or of applications that reside on the platforms, are exploited locally or remotely. This grants attackers access to data and provides a pivot point from which to launch further attacks within the network.

Denial-of-service (DoS): These can be localized or network-based. In a local DoS attack, an attacker attempts to consume all available resources on a system, rendering it unavailable. In a network-based DoS attack, network capacity is reduced by large quantities of traffic. A related case is local or remote attacks specifically against network devices, impeding the flow of traffic through them.

Passive attacks: Passive attacks are primarily focused on information gathering. Sniffing network traffic and routing communications through a man-in-the-middle (MiTM) are the examples usually grouped here (strictly speaking, MiTM interception is an active attack, since the attacker alters the traffic path, but it shares the passive attacks' focus on the network rather than the host). These are then leveraged to execute additional attacks, except in the case of purposeful data theft and interception, where the passive attack alone can satisfy the entire goal.

Although there are certainly other types of attacks, most of them derive from one of the three listed here. In reviewing these attack types, most of them (network-based DoS excepted) have one thing in common: they focus on the host. The host is where data is stored, applications and services are running, and vulnerabilities are likely to occur. Manipulation of network traffic in transit is possible, but that simply implies that an attacker has too much access to network conduits, perhaps by gaining access to a switch or some other means.
An attacker who has bypassed network access controls to gain entrance to a network ecosystem cannot hide on the network itself; this simply isn't possible. There must be a compromised endpoint to provide shelter to the attacker, and a compromised switch or router counts as such an endpoint, since network devices are hosts in this model too. In addition, unless DoS is the intent, an attacker's goal will always be related to a host in some way: data in a database or stored in a file system, user accounts that provide access to hosts, application access, and so on.

Controlling and monitoring hosts

Given the types of perimeters defined earlier, as well as the proclivity for host-focused attacks, information security professionals should first attend to the micro ecosystems in their environments. By effectively securing and monitoring each host, security teams can be assured that systems, applications, and data are protected as close to the source as possible. This seems to fly in the face of tried-and-true security best practices, though: shouldn't we focus on security measures as far away as possible, to provide maximum detection and reaction time? Although traditional network security measures are a vital component of any organization's overall security strategy, the answer is no. We should focus first and foremost on securing and monitoring hosts. As far back as 2004, Gartner's John Pescatore wrote that "[b]usiness-critical platforms require host-based security to protect the expanding enterprise perimeter." [1] The perimeter is still expanding, so why hasn't this become gospel?

The main reason why effective host-based configuration, security, and monitoring practices aren't commonplace is simple: we think it's hard. It's much easier to place several firewalls and intrusion-detection sensors at points in our networks, make sure they can see traffic, tune their rulesets a bit, and then monitor a console. Securing tens of thousands of hosts? Much more difficult, we think.
Additionally, the number of configuration items (CIs, in ITIL parlance) for a modern OS or application can be staggering. A single Windows server might have upward of 80,000 knobs that could be turned. How can we manage this many options?

[1] It's Time for Host-Based Security Platforms, http://www.gartner.com/displaydocument?doc_cd=119940

The answer is configuration management. There are several key components to a sound configuration management strategy:

A low-overhead agent on each system: Although no one likes agents, having unfettered local access to all resources within the host ecosystem is critical to visibility and control of each configuration item on the host.

Standards: Trying to decide exactly how to configure each host and application can be daunting. For this reason, it's important to leverage existing best-practice standards such as those from the Center for Internet Security [2] and the Defense Information Systems Agency (DISA) [3], and vendor-specific guides from Microsoft, VMware, and others.

Patching: A simple and automated patching mechanism is one of the cornerstones of the vulnerability and configuration management disciplines. There are simply too many vulnerabilities in most modern software packages to leave this to chance.

Discovery: The macro ecosystem is dynamic and constantly changing. To maintain a reasonable inventory of hosts, some sort of discovery/scanning mechanism is needed to ensure that new hosts are quickly identified and brought under centralized management as soon as possible.

Change Management: The No. 1 cause of downtime and incidents within organizations is unplanned change. This could be due to malware infections, equipment failure, a deliberate malicious action, or simply someone in a hurry who circumvents the approved change management process. Whatever the case may be, integrating configuration management into a well-defined change management workflow allows systems and security administrators to keep up with changes that are supposed to happen, while quickly disallowing and rolling back those that aren't.

Centralized monitoring and control: Without the ability to centrally manage all the host configuration details, the question of how we'll effectively manage the micro ecosystems becomes problematic.
Therefore, all local system agents should report to a central system where administrators can monitor host status, identify configuration items that are out of standard or don't match policy, and make the corrective changes from within the console. This console should integrate with change management systems to ensure continuity of actions within the macro environment.

There are many more aspects of configuration management that could be listed, but these are the primary ones that pertain to information security. For example, if a new exploit is released that compromises systems missing a certain Microsoft Windows patch, security teams are much better served by determining in the console which systems aren't patched and configured properly than by waiting for exploit attempts to be detected on the network. With one query, all hosts can report whether a specific configuration item is properly instituted, allowing security professionals to push the fix out and defend all the hosts. By focusing further out at the network perimeter, you can detect and/or block these attack attempts, but what happens if the exploit keeps changing? Keeping up with network intrusion signatures is a much less effective approach than simply finding and fixing the problem at the host level. Again, this isn't intended to dissuade anyone from implementing network security measures; however, focusing on these at the expense of the host is a losing battle.

[2] http://www.cisecurity.org
[3] http://www.disa.mil/
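As an added example (not code from this white paper or from any EMC product), the following Python sketch shows the console-side logic behind the components listed above and the "one query" in the preceding paragraph: each agent's report is compared against a build baseline, a single query lists every host missing a given patch, and a snapshot diff separates changes authorised through the change-management workflow from unplanned ones that should be rolled back. The baseline CI names, the PATCH-nnn identifiers and the three host reports are constructed for illustration and correspond to no real benchmark, host or vendor patch; a real deployment would load the baseline from a CIS or DISA benchmark and the reports from the local agents. Note the edge case the check handles: a CI the agent did not report at all is treated as drift rather than silently passed.

```python
"""Host configuration compliance, patch query and change classification.

Added example, not code from the white paper. Baseline, patch identifiers
and host reports below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Constructed baseline for one standard server build (CI name -> required value).
BASELINE = {
    "service.telnet.startup": "disabled",
    "registry.restrictanonymous": "1",
    "policy.password.min_length": "14",
    "fs.webroot.everyone_write": "false",
}
# Hypothetical patch identifiers the build must carry (not real vendor IDs).
REQUIRED_PATCHES = {"PATCH-001", "PATCH-002"}


@dataclass
class HostReport:
    """One agent report: the host's configuration items and installed patches."""
    name: str
    config: dict
    patches: set = field(default_factory=set)


def check_host(report, baseline=BASELINE, required=REQUIRED_PATCHES):
    """Return (drift, missing_patches) for one host.

    drift maps each out-of-standard CI to (actual, expected). A CI the agent
    did not report is recorded with actual=None so it is flagged, not ignored.
    """
    drift = {}
    for ci, expected in baseline.items():
        actual = report.config.get(ci)
        if actual != expected:
            drift[ci] = (actual, expected)
    missing = required - report.patches
    return drift, missing


def hosts_missing_patch(reports, patch_id):
    """The 'one query' from the console: which hosts lack a given patch?"""
    return sorted(r.name for r in reports if patch_id not in r.patches)


def classify_changes(previous, current, approved):
    """Compare two snapshots of one host's CIs against approved change records.

    approved maps CI -> value authorised by the change workflow. Any other
    change is unplanned and is returned together with the value to roll back to.
    """
    planned, unplanned = {}, {}
    for ci in set(previous) | set(current):
        old, new = previous.get(ci), current.get(ci)
        if old == new:
            continue
        if approved.get(ci) == new:
            planned[ci] = (old, new)
        else:
            unplanned[ci] = {"current": new, "rollback_to": old}
    return planned, unplanned


# Constructed agent reports for three hosts of the same build.
REPORTS = [
    HostReport("web01", dict(BASELINE), {"PATCH-001", "PATCH-002"}),
    HostReport("web02", {**BASELINE, "service.telnet.startup": "automatic"},
               {"PATCH-001"}),
    HostReport("web03", {k: v for k, v in BASELINE.items()
                         if k != "policy.password.min_length"},
               {"PATCH-001", "PATCH-002"}),
]

if __name__ == "__main__":
    for r in REPORTS:
        drift, missing = check_host(r)
        print(r.name, "drift:", drift, "missing:", sorted(missing))
    print("hosts without PATCH-002:", hosts_missing_patch(REPORTS, "PATCH-002"))
    before = {"service.telnet.startup": "disabled", "policy.password.min_length": "14"}
    after = {"service.telnet.startup": "automatic", "policy.password.min_length": "16"}
    print(classify_changes(before, after, {"policy.password.min_length": "16"}))
```

Running the block reports web02 as drifted (telnet enabled) and missing PATCH-002, web03 as drifted because it never reported the password-length CI, and classifies the telnet change as unplanned with "disabled" as the rollback value; the password-length change matches the approved record and is accepted.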

Conclusion

As part of a complete infrastructure security strategy, it's important to realize that the ultimate goal of any security program is to protect sensitive data. This data, although possible to intercept or modify in transit, is largely maintained and accessed on host systems; thus, the need for a strong host-based configuration management and security program is paramount. The number of controls that can be implemented and modified on each host is steadily increasing as platforms grow in complexity. This flexibility also comes with a downside: administrators and security professionals need to keep up with best practices for configuring and maintaining the myriad options available on each system. Once a strategy is in place for securing and configuring hosts, however, this focus on the micro IT ecosystems within the environment will pay dividends by allowing much more granular security controls to be implemented. Although the time available to respond to traditional attacks may shrink (assuming perimeter and network security tools fail), in most cases this won't matter if the systems are properly patched and configured.