Architecting a More Effective Enterprise Security Program
WWW.NWNIT.COM

As the threat matrix grows, securing IT infrastructures and digital assets has to be a top priority. In this paper, we'll take a look at the types of threats companies are facing and what it takes to protect today's infrastructures and the digital assets they support.

Contents
The Growing Threat Matrix
  Rising Costs
  Increasing Ransomware Attacks Aimed at Enterprises
  Phishing and Social Engineering Goes Corporate
  Growing DDoS Threats
  Expanding Insider Security Breaches: Malicious and Benign
  Preparing for More Sophisticated Attacks
Enterprise Protection Demands an Effective Security Strategy
  End-to-end visibility
  Analytics and modeling
  Global control
  Automation
  Open APIs
Network Security
  Fortifying Defenses
  Unifying Access Control
  Ensuring Uptime
Data Center Security
  Mitigating Insider Threats
  Optimizing Protection and Performance
  Protecting Distributed Data Centers and Hybrid Environments
Endpoint Security
  Managing BYOD
  Meeting the IoT Challenge
Conclusion: Protection Starts with Assessment
The Growing Threat Matrix

Cybercrime has become so lucrative and common that IT security professionals in companies of every size, in every industry, need to understand what they are up against if they want to protect their customer information, intellectual property, financial processes and private communications.

Rising Costs

While bad actors are profiting tremendously from their exploits, the companies they attack are paying the price. The average cost of a security breach has reached $3.8 million, a 23% increase since 2013. Last year, 68% of companies were hacked so successfully that they were forced either to publicly report the incident or saw a negative impact on corporate finances. The average time between a system being compromised and a breach being detected is 146 days, giving hackers ample time to exploit corporate assets.

Increasing Ransomware Attacks Aimed at Enterprises

Cyber criminals aren't relying solely on data theft to make their money. Now they can simply lock up a company's IT systems, shutting them down in order to hold them for ransom. The FBI reports that companies and individuals in the U.S. lost more than $24 million to ransomware attacks in 2015. Hollywood Presbyterian Medical Center was completely disabled, with no access to electronic records, until they agreed to pay off their attackers. SMBs are particularly vulnerable due to their lack of infrastructure and willingness to pay, costing these companies an average of $10,000 per incident.
Phishing and Social Engineering Goes Corporate

These attack vectors have become extremely successful. Authors of phishing schemes are now using them to steal money, sensitive data and end-user credentials. CEO fraud, which uses spoofed messages to trick employees into wiring funds to fraudulent accounts, has cost companies $2.3 billion in losses over the past three years. In Q1 of 2016, phishing attacks successfully stole W-2 data from 41 organizations. Regardless of the ultimate intent, 30% of phishing messages are opened by the target across all campaigns.

Preparing for More Sophisticated Attacks

In its midyear security report, Cisco identified a set of highly sophisticated attack vectors designed to obfuscate hacker intentions and exploit specific weaknesses:

Angler: Exploits flaws within Java, Flash, Silverlight and IE to throw out hooks that hijack online users by generating fake landing pages that mimic typical websites.
Rombertik: Created specifically to steal banking credentials, the Rombertik malware hooks into a user's browser and sends sensitive information to an external server.
Dridex: Exploits Microsoft Office to infect computers in order to steal credentials and deliver banking Trojans.

Growing DDoS Threats

DDoS attacks are also on the rise. While some activists use this attack vector to disable companies on principle, others use it as a smoke screen to launch more nefarious, sophisticated attacks. In 2015, DDoS attacks were up 148.85% over 2014, with a 168.82% increase in infrastructure layer (3 & 4) attacks. In Q1 of 2016, 34% of DDoS attacks were multi-vector. No company is immune: even Staminus Communications Inc., a specialist in protecting customers from massive DDoS attacks, was targeted and taken down by a DDoS attack for more than 20 hours.

Expanding Insider Security Breaches: Malicious and Benign

Internal threats are far more costly to companies because these users already have credentials that bypass perimeter-based defenses. Internal actors were responsible for 43% of data loss, one half of which was intentional while the other half was accidental. Insider attacks were the most costly of all breach types in 2015. Employees at AT&T sold personal data associated with almost 280,000 U.S. customers, costing the company $25 million in civil penalties.
Enterprise Protection Demands an Effective Security Strategy

Now that cyber criminals have become so sophisticated, they're not relying on data theft as their only path to profit. With so many cyber scams on the horizon (social engineering, ransoming, corporate espionage, etc.), no company should consider itself safe from attack. Today, it's not enough to simply drop in a firewall or deploy malware protection on endpoints; companies need an enterprise-wide security strategy to effectively reduce risk. Being able to see the entire spectrum of threats aimed at your organization is the best way to protect your enterprise. When defenses are breached, you need to respond and move to remediation as quickly as possible. While the underlying technologies deployed will be unique for each organization, an effective enterprise security program requires the following capabilities.
End-to-end visibility

Bad actors have learned that careful, step-wise maneuvering through your infrastructure is the best way to avoid detection. These cunning criminals are patient, remaining hidden and slowly infiltrating a company for months at a time as they move toward their end goal. These advanced, persistent threats are extremely costly because they target your most valuable assets: sensitive data, intellectual property, private communications and more. To limit the risk of a high-profile breach, you need complete visibility across your networks, data center, cloud applications and all connected devices. Only by collecting data at all these points in your extended infrastructure can you effectively detect, analyze and interpret indicators of compromise (IOCs) wherever they exist.

Analytics and modeling

With access to global threat intelligence, next-gen security solutions can shut down known attack vectors even if your company has never seen them before. However, the real value of security analytics lies in its ability to identify new types of malicious activity before, during and after an attack. By evaluating historical and current data on user behavior, network traffic flow, server behavior, application usage, attack telemetry, malware signatures and more, next-gen security solutions are better able to flag anomalies, characterize zero-day threats and predict problems before they lead to a full-blown breach. When systems are compromised, analytics can provide key forensic insights to determine exactly who did what.

Global control

Bringing all your security appliances and analytics tools under a centralized management system is critical for enacting and enforcing global policies. More importantly, it significantly cuts down on day-to-day administrative and change management work.

Automation

Automation ensures instant response and keeps administrators focused on the big picture. Without automated response, you cannot effectively mitigate risk. For example, if an employee laptop is infected by malware, you need to make sure it is blocked from compromising other devices on your network. If you have to manually react to specific alerts every time a potential threat is detected, you'll quickly fall prey to advanced, multi-vector attacks.

Open APIs

Threats are evolving so quickly that it's hard to predict exactly where your vulnerabilities exist. By choosing security solutions that adhere to industry-established standards such as ISO 17799 and the Common Criteria for Information Technology Security Evaluation (CC), you'll be able to snap in next-gen solutions from any vendor when needed. This is particularly important for ensuring the efficacy of global policy enforcement, analytics models and simplified management of the security program as a whole.
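The Automation section above describes the core loop of automated response: an endpoint alert arrives, and the infected device's network access policy is changed before an administrator has to look at it. The following is an added example, not NWN's or Cisco's code, of what that decision logic needs beyond "alert in, quarantine out": a severity floor so low-confidence detections do not isolate machines, a suppression window so a repeating alert does not re-push the same policy change every few seconds, and an exemption list of hosts whose isolation would itself be an outage and therefore needs a human sign-off. The alert fields, the host names and the policy "backend" (which only records the change it would push) are assumptions made for the example.

```python
"""Alert-driven containment: turn endpoint malware alerts into network
access-policy changes without a human in the loop for routine cases.

Added example, not NWN's or Cisco's code. Alert fields, host names and the
policy backend are assumptions; the backend only records what it would push
so the logic runs offline.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    host: str          # hostname of the endpoint that raised the alert
    ip: str            # its current address
    severity: str      # "low" | "medium" | "high" | "critical"
    detection: str     # what the endpoint agent observed
    seen_at: datetime


@dataclass
class Containment:
    """Decides and records quarantine actions for alerted endpoints."""
    min_severity: str = "high"
    suppress_for: timedelta = timedelta(minutes=30)
    # Hosts whose isolation needs sign-off (constructed: e.g. a domain controller)
    protected_hosts: set = field(default_factory=set)
    quarantined: dict = field(default_factory=dict)   # host -> last quarantine time
    actions: list = field(default_factory=list)       # audit trail of every decision

    SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

    def handle(self, alert):
        """Return the decision for this alert:
        'ignored', 'suppressed', 'escalated' or 'quarantined'."""
        if self.SEVERITY_RANK[alert.severity] < self.SEVERITY_RANK[self.min_severity]:
            return self._record(alert, "ignored")
        last = self.quarantined.get(alert.host)
        if last is not None and alert.seen_at - last < self.suppress_for:
            # Already isolated recently: do not re-push the same policy change
            return self._record(alert, "suppressed")
        if alert.host in self.protected_hosts:
            # Isolating this host could take the business down: page a human
            return self._record(alert, "escalated")
        self._push_quarantine_policy(alert)
        self.quarantined[alert.host] = alert.seen_at
        return self._record(alert, "quarantined")

    def _push_quarantine_policy(self, alert):
        # Stand-in for the real access-control API call. The quarantine policy
        # is assumed to permit only remediation servers and deny everything else.
        self.actions.append(
            f"policy-change host={alert.host} ip={alert.ip} "
            f"access=quarantine reason={alert.detection!r}")

    def _record(self, alert, decision):
        self.actions.append(
            f"{alert.seen_at:%H:%M} {alert.host} {alert.severity} -> {decision}")
        return decision


def run_demo():
    """Run a constructed alert stream through the containment logic and
    return (decisions, audit trail)."""
    t0 = datetime(2016, 6, 1, 9, 0)
    c = Containment(protected_hosts={"dc01"})
    alerts = [
        Alert("laptop-42", "10.1.5.23", "medium", "suspicious macro", t0),
        Alert("laptop-42", "10.1.5.23", "critical", "ransomware behaviour",
              t0 + timedelta(minutes=2)),
        Alert("laptop-42", "10.1.5.23", "critical", "ransomware behaviour",
              t0 + timedelta(minutes=5)),
        Alert("dc01", "10.1.0.5", "high", "credential dumping tool",
              t0 + timedelta(minutes=7)),
        Alert("laptop-42", "10.1.5.23", "high", "beacon to known C2",
              t0 + timedelta(minutes=40)),
    ]
    decisions = [c.handle(a) for a in alerts]
    return decisions, c.actions


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The fifth alert, arriving after the suppression window has expired, re-pushes the quarantine policy rather than assuming the earlier change is still in force; that is deliberate, since an idempotent re-apply is cheaper than discovering that a policy was rolled back during remediation. The audit trail records the ignored and escalated decisions as well, because a containment system that only logs what it blocked cannot be tuned.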
Network Security

As the gateway to corporate assets, networks have long been the target of extremely sophisticated, highly disruptive and quickly mutating attack vectors. Not only do security solutions have to block a growing set of malware and malicious inputs, they also have to ensure network uptime and enforce policies while being bombarded with DDoS attack traffic. All this has to be done as networks become more complex, virtualized, distributed and wireless.

Fortifying Defenses

To create a strong perimeter, you need visibility, analytics and vigilance. Simply installing a next-gen firewall where your private network meets the public Internet isn't enough. To gain visibility into the data needed to enhance analytics models, you need to place security appliances at key access points to collect, analyze and control the traffic flowing in and out of web servers, data centers, cloud applications, LAN/WAN connections, email servers, storage resources (arrays and switches) and more. Continuous analysis of these traffic flows will help you spot the anomalies and patterns indicative of a network compromise. This approach will significantly reduce risk before, during and after an attack and better protect your assets as your infrastructure evolves.

Unifying Access Control

Clearly, being able to tightly control how much access users have to the network is an important element of any security strategy. When implementing such a security system, choose one that can seamlessly manage settings for both wired and wireless networks. This will simplify the process and increase governance over a growing mobile workforce.

Ensuring Uptime

Today it is all too easy for bad actors to launch large-scale, automated DDoS attacks. They can incapacitate companies and cost them dearly in lost productivity and customer revenue. The most effective way to avoid disruption is to clean packet traffic before it is allowed to enter the network. Next-gen firewall and intrusion prevention systems (IPS) can help; however, choosing a fabric built from the ground up to repel these attacks will add another layer of protection.

NWN for Network Security

Cisco FirePOWER NGFW: Next-gen appliances that combine firewall, IPS and advanced malware capabilities to deliver integrated threat defense across the entire attack continuum.
Cisco Application Centric Infrastructure: A comprehensive SDN architecture with policy-based automation capabilities.
Cisco AMP for Networks: Offers continuous visibility and control to protect against the largest set of sophisticated and targeted advanced malware attacks.
Lancope StealthWATCH: Analyzes network flow records and application data to detect the stages of advanced attacks.
Cisco Security Manager: Centralized management and policy control over the entire spectrum of security appliances deployed.
Data Center Security

Whether you're being targeted for espionage or for your store of personal information, the end goal of most advanced persistent threats lies in your data center. Protecting data center assets requires a specialized set of policies, technologies and implementation considerations. Taking the time to review the security features of planned infrastructure upgrades will ensure that protections are built into the fabric of the data center as it evolves.

Mitigating Insider Threats

It may seem counterintuitive, but credentialed accounts actually pose a larger risk to companies because they are often overlooked as a possible vulnerability. Whether stolen or held by a disgruntled employee, they offer a chance to bypass standard security controls and compromise files and data of interest. Clearly, establishing strong password policies and restricting global access will help reduce this risk. To effectively minimize risk, however, you need to continuously analyze usage patterns for anomalies, including when specific users are online, where they're working from, what files they are accessing and what application features they are using. Monitoring data ingress/egress patterns as a whole will speed the detection of malicious insider activity.

Optimizing Protection and Performance

Companies need speed in the data center to maximize customer satisfaction, revenue creation and workforce productivity. Therefore, it's extremely important to use security appliances optimized for these environments to ensure that performance doesn't degrade. Customizing security policies for the data center will also help eliminate latency as you strengthen protection in these environments.

Protecting Distributed Data Centers and Hybrid Environments

Data centers, workload management and application access strategies are evolving quickly. Companies today are embracing virtualization to optimize resource allocation and cut costs. They're distributing data centers across the globe to improve performance regionally and to ensure disaster recovery protection. They're using cloud solutions to scale operations and to simplify access to critical business applications and storage resources. Each of these moves has security implications. Protecting the connections between public and private networks, users and applications, web servers and customers, cloud and storage, LANs and WANs, and wired and wireless networks requires highly specialized technology and controls. Without a proper mapping of security solutions to infrastructure vulnerabilities, companies leave themselves open to attack.

NWN for Data Center Security

Cisco FirePOWER: Firewall appliances that deliver integrated threat defense across the entire attack continuum.
Cisco Application Centric Infrastructure: A comprehensive SDN architecture with policy-based automation capabilities.
Cisco InterCloud: A fabric for cloud solutions that uses cryptographically isolated and encrypted tunnels to securely communicate between private and public clouds.
Cisco Adaptive Security Appliances: High-performance solutions designed specifically for mission-critical data center environments.
Lancope StealthWATCH: Analyzes network flow records and application data to detect the stages of advanced attacks.
Cisco Web Security Application: Combines advanced threat protection (AMP), application visibility and control (AVC), policy control and secure mobility in a single platform.
Cisco Email Security Application: Defends email systems from spam, malware and other threats while providing contextual analysis to protect against phishing attacks.
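The Mitigating Insider Threats section above lists the signals worth baselining per user: when they are online, where they work from, how many files they touch and how much data leaves. The following added example (not NWN's or Cisco's code, and not tied to any of the products listed) shows the shape of that analysis on a constructed access log: a per-user profile is learned from history, each new day's record is scored against it, and only records with two or more independent deviations are raised for investigation, because a single new location or a late login on its own is routine noise. The log format, field names, the 3-sigma thresholds and the two-reason rule are assumptions made for the example.

```python
"""Per-user behavioural baselines for insider-threat triage.

Added example, not NWN's or Cisco's code. The log format, thresholds and
the triage rule are assumptions; all log lines below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history, one record per user per working day:
# date,user,login_hour,location,files_accessed,egress_mb
BASELINE = """\
2016-05-02,alice,08,boston,31,12
2016-05-03,alice,09,boston,28,9
2016-05-04,alice,08,boston,35,14
2016-05-05,alice,09,boston,30,10
2016-05-06,alice,08,boston,26,8
2016-05-02,bob,10,nyc,15,3
2016-05-03,bob,09,nyc,12,4
2016-05-04,bob,10,nyc,18,2
2016-05-05,bob,11,home,14,5
2016-05-06,bob,10,nyc,16,3
"""

# Constructed observations to score against the baseline
OBSERVATIONS = """\
2016-05-09,alice,08,boston,29,11
2016-05-10,alice,02,singapore,412,2300
2016-05-10,bob,10,nyc,14,4
2016-05-10,carol,09,boston,20,5
"""


def parse(line):
    date, user, hour, loc, files, mb = line.split(",")
    return date, user, int(hour), loc, int(files), int(mb)


def build_profiles(history):
    """Learn, per user, the usual login-hour window, the set of locations
    seen, and mean/stdev for file-access count and egress volume."""
    by_user = defaultdict(list)
    for line in history.strip().splitlines():
        _, user, hour, loc, files, mb = parse(line)
        by_user[user].append((hour, loc, files, mb))
    profiles = {}
    for user, rows in by_user.items():
        hours = [r[0] for r in rows]
        files = [r[2] for r in rows]
        egress = [r[3] for r in rows]
        profiles[user] = {
            "hours": (min(hours), max(hours)),
            "locations": {r[1] for r in rows},
            # Floor the stdev at 1 so a perfectly regular user still gets a band
            "files": (mean(files), max(pstdev(files), 1.0)),
            "egress": (mean(egress), max(pstdev(egress), 1.0)),
        }
    return profiles


def score(line, profiles):
    """Return the list of deviations for one record (empty if normal)."""
    _, user, hour, loc, files, mb = parse(line)
    p = profiles.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    lo, hi = p["hours"]
    if not (lo - 1 <= hour <= hi + 1):
        reasons.append(f"login at {hour:02d}:00 outside usual {lo:02d}-{hi:02d}")
    if loc not in p["locations"]:
        reasons.append(f"new location {loc}")
    m, s = p["files"]
    if files > m + 3 * s:
        reasons.append(f"{files} files accessed vs usual ~{m:.0f}")
    m, s = p["egress"]
    if mb > m + 3 * s:
        reasons.append(f"{mb} MB egress vs usual ~{m:.0f} MB")
    return reasons


def triage(observations, profiles, min_reasons=2):
    """Return (date, user, reasons) for records with at least min_reasons
    independent deviations; single deviations are left as low-priority noise."""
    flagged = []
    for line in observations.strip().splitlines():
        reasons = score(line, profiles)
        if len(reasons) >= min_reasons:
            date, user = line.split(",")[:2]
            flagged.append((date, user, reasons))
    return flagged


if __name__ == "__main__":
    for date, user, reasons in triage(OBSERVATIONS, build_profiles(BASELINE)):
        print(date, user, "; ".join(reasons))
```

The unknown user carol is reported as a single deviation rather than silently skipped: an account with no history is itself worth a look, but it should not outrank alice's record, which fails on hour, location, file count and egress at once. In production the baseline would come from an identity or flow-analytics source rather than a string constant, and the per-user windows would be recomputed as the history grows.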
Endpoint Security

The expanding attack surface created by the proliferation of personal and mobile devices connected to wired and wireless networks presents unique challenges for enterprise security teams.

Managing BYOD

Workforce mobility has changed traditional employee-network access patterns. More and more employees are using their favorite smartphones, tablets and laptops to access corporate networks, applications and files to be productive from the office, home, road or nearest coffee house. Bad actors are increasingly targeting these devices to steal credentials or directly infiltrate corporate systems. Securing these endpoints means protecting against man-in-the-middle and other hijacking attacks. At the same time, security teams need to guard against malware and attacks created to introduce exploitable vulnerabilities directly into the infrastructure. Strong authentication, VPNs, advanced malware protection and mobility management solutions will help reduce the risk that these attack vectors will succeed. The key is to quickly detect devices with files exhibiting malicious behavior and quarantine them by changing their access policies until they are remediated.

Meeting the IoT Challenge

Today more companies are looking to deploy smart appliances, such as printers or sensors, and to transform operational networks used in robotics, utilities and manufacturing by bringing them online. This move from closed, serial communications to the Internet of Things has created a completely new set of vulnerabilities as these networks and the applications running on them become exposed via public Internet connections. Because these systems are mission critical, they must be secured. Ransoming or tampering with electrical grids or pharmaceutical manufacturing systems, for example, could be disastrous. The key is first ensuring that these networks remain inaccessible from the outside, and then addressing the vulnerabilities in programmable logic controllers (PLCs) and sensor operating systems, software that was designed before companies had to worry about hardening it against hackers.

NWN for Endpoint Security

Cisco FirePOWER: Firewall appliances that deliver integrated threat defense across the entire attack continuum.
Cisco AMP for Endpoints: Protects devices against the largest set of sophisticated and targeted advanced malware attacks.
Cisco Application Centric Infrastructure: A comprehensive SDN architecture with policy-based automation capabilities.
Cisco AnyConnect: More than a VPN, it increases visibility and control across extended networks and prevents compromised endpoints from gaining access to critical resources.
Lancope StealthWATCH: Analyzes network flow records and application data to detect the stages of advanced attacks.
Cisco Web Security Application: Combines advanced malware protection (AMP), application visibility and control (AVC), policy control and secure mobility into a single platform.
Cisco Email Security Application: Defends email systems from spam, malware and other threats while providing contextual analysis to protect against phishing attacks.
Protection Starts with Assessment

While little can be done by enterprise companies to stop cyber criminals from attempting an attack, there is much that can be done to safeguard enterprise assets. Taking a proactive approach to enterprise security isn't just a good idea; it's a mandated requirement and part of the due diligence of doing business in today's digital age. Designing a more effective security program starts with an assessment of your current security posture: you need to know where your strengths and weaknesses lie before you can mount your defense. With a complete understanding of your current and desired states, you can create a strategic map for bridging the gap and prioritize the work based on your current risk profile. As part of the process, you will need:

Perimeter Assessment
Wireless Assessment
Device Security Assessment
Data Center Assessment
Penetration Tests & Vulnerability Assessments

About NWN

NWN is an IT solutions provider that helps customers solve business problems through technology. We design and deliver security solutions that protect your critical infrastructure, IT, communications and corporate assets. Our team of credentialed engineers has the expertise you need to decrypt the complexities of today's threat landscape so you can reduce risk across your organization and end-user ecosystem. As a Cisco Gold Partner, we can show you exactly which technologies will best protect your organization and its key assets. Our NPro Professional Services provide remote managed IT security expertise and IT staffing to fill in any gaps you may have in your enterprise security skill sets. Contact us for a free evaluation and start building a more effective security program today at 866.343.7668.