Next-Generation Security Architecture | datanets.ro

Next-Generation Security Architecture

CYBER SECURITY LANDSCAPE

Cyber attacks have become more and more sophisticated , leading towards APT (Advanced Persistent Threats). APT is a set of stealthy and continuous computer attacks processes , targeting a specific entity. Its purpose is to inject unknown malicious code on multiple computers and remain undetected for the longest possible period in order to steal data and exfiltrate it from victim’s network. The malicious codes are unique and thus developed in order to attack a well-defined target by exploiting specific vulnerabilities. Organizations face tens of thousands of new malware samples per hour.

For the attack to be successful, malware development requires highly skilled professionals. This is confirmed as malware and exploit development is rewarded on the black market with scores between $2500 and $300.000, leading to a total market estimated around $450B - $1T. Given the offer, clearly there is high demand for it.

In order to defend against today’s and tomorrow’s cyber-attacks, a security architecture needs to be build with integrated intelligence, by using security analytics and big data processing to gain deep insights into the organization’s security posture and the current state of the Internet insecurity.

 

 

SECURITY ARCHITECTURE APPROACH

Most security solutions today focus on visibility and blocking at the point of entry in order to protect systems. Security methods can’t just focus on detection but must also include the ability to mitigate the impact once an attacker gets in. Organizations need to look at their security model holistically and gain visibility and control across the extended network and the full attack continuum: before an attack happens, during the time it is in progress, and even after it begins to damage systems or steal information:

BEFORE

We need comprehensive awareness and visibility of what’s on the extended network in order to implement policies and controls to defend it. As a “standard”, Gartner describes these types of capabilities as “Predictive” and “Preventive".

Before an attack:
• You need to know what’s on your network in order to be able to defend it (devices, users, services, applications), and implement access controls, enforce policy and block applications and overall access to assets);
• However, policy and controls is just the starting point, just a small but important piece of what needs to happen. It will reduce the surface of the attack, but there will still be holes that the bad guys will find. Attackers will try to find any gap in defenses and exploit it to achieve their objective.
 
 

DURING

The ability to continuously detect malware and block it is critical. As a “standard” ,  Gartner describes these types of capabilities as “Preventive” and “Detective".

During the attack:
• Must have the best detection of unknown threats you can get;
• Once attack is detected, block it to protect your business.
 

AFTER

We need retrospective security in order to marginalize the impact of an attack by identifying point of entry, determining the scope, containing the threat, eliminating the risk of re-infection, and remediating. As a “standard”, Gartner describes these types of capabilities as “Detective” and “Response".

After the attack:
• Invariably some attacks will be successful, and you need to be able to determine the scope of damage, contain the event, remediate and bring operations back to normal. This needs to be performed as fast as possible, ideally automatically, as after the data has been stolen, it’s just a matter of minutes/hours before being leaked;
• Also need to address broad range of attack vectors, with solutions that operate everywhere the threat can manifest itself: on the network, endpoints, mobile devices, virtual environments.

With today’s threat landscape full of advanced malware and zero-day attacks, point in time technologies alone do not work. It only adds to the complexity problem, creates security gaps, not to mention making it much harder to scale in line with today’s new and changing business models.

Security Architecture requires a comprehensive advanced threat protection covering the entire attack continuum, and a broad set of enforcement and remediation options. All components of the architecture need to integrate with the access control solution, in order to dynamically and automatically change the authorization of a device or user based on its current, real-time security posture.

Datanet Systems is Cisco Gold and VMware Enterprise partner and its team of security experts is capable of designing, delivering, implementing and optimizing a comprehensive security architecture for medium and large companies and public sector organizations. In the following diagrams we will present the main components of a state of the art security architecture composed of Cisco and AirWatch products.

If you are interested to implement such a security architecture in your organization, you are kindly invited to send us an email at cybersecurity@datanets.ro or to fill-in and submit the contact form within this page. Our security experts  will contact you rapidly for answering to your requests.

 

 

CENTRALIZED NETWORK ACCESS CONTROL AND VISIBILITY

In traditional security, protection was aimed towards devices where data was located, like desktop/laptop and server operating systems. However, there are many more devices connected to the network, like Mobile Devices, IP Phones, Video Surveillance Cameras, Printers and none of them have an operating system designed with security in mind, but with usability.  Also, in the context of IoT (Internet of Things) and IoE (Internet of Everything), more and more such devices are connected to the network: smart watches, smart cars, smart lighting poles. All of these become attack vectors, being targeted because of their inherent insecurity, and used by attackers just to get inside access. Once they get access to the “trusted” side of the network, they will get their hands on the data.

Given this reality, it becomes critical to authenticate and authorize all access to the network, for all users and devices, regardless of their type or connection method: wired, wireless, VPN. This needs to be done at the network level, as the network is the enforcer, and only Cisco ISE (Identity Services Engine) can provide these capabilities:

•Scalable, flexible, and easy to deploy “Guest Access Management” with limited network access;
•Seamlessly and securely onboard BYOD devices with the right level of network access;
•Unified network access control policy for any device, from any point of access, with contextual and restricted network access;
•Centralized identity aware network-based segmentation, with security policies build upon applications and services in order to scale and secure.
 

 

 

SECURE THE MOBILE FLEET

All businesses are using mobile device platforms, mainly smartphones and tablets to be more productive and efficient. While this is no longer an option but a necessity, it also introduces a new attack vector, mobile malware increasing exponentially on a month-by-month basis. Two of the most widely deployed mobile platforms are the main malware targets, namely iOS and Android, where most free and paid applications are known to either contain malware or be vulnerable to exploits.

To remain secured, a leading Enterprise Mobility Management solution, like AirWatch, needs to be deployed, which covers all critical capabilities to stay protected:

• Basic device security, such as protection against jail breaking, PIN code policy, photo camera availability, remote wipe;
• Whitelist and Blacklisting of allowed applications to be installed on devices, reducing the footprint of malware;
• Integrate a secure container where all sensitive/corporate data is stored, encrypted and protected against unauthorized access from other applications or operating system components;
• Integrate a secure and containerized e-mail client to provide complete separation between enterprise and personal data;
• Per-application VPN in order to control which applications on the mobile device can send data through a VPN tunnel, thus allowing only clean applications to access the network.

 

 

SECURE THE GATES

Attackers need access to the network in order to inject their malicious exploits and steal data, but also in order to leak it out of the network. There are only three such gateways, which allow bidirectional access to and from the network, and where intelligent security needs to be integrated: firewall, web and e-mail.

A NG firewall needs to provide both classic firewall capabilities such as high-availability and clustering, routing/switching and VPN capabilities, but mostly importantly it needs to cover all three phases of the attack:

• Integrate NG Intrusion Prevention System which can correlate in real-time extensive amounts of events, protect against latest discovered threats and provide automated event impact assessment through network behavior analysis;
• Integrate URL Filtering to limit Internet access and reduce the attack range;
• Perform application visibility and control, as data is usually leaked through tunneling on TCP ports 80 and 443; firewall rules need to be created based on identity of users and applications being used;
• Discover endpoints, operating systems and running applications in order to eliminate false positives, block and eliminate threats, provide alerting and IoC (Indicators of Compromise);
• Integrate VPN access with Cisco ISE for centralized and unified network access control policy and real-time device security posture;
• Integrate Advanced Malware Protection with big data security analytics and sandboxing in order to discover and protect against unknown threats;
• Provide centralized management for all components and integrate with ISE for automatic remediation once endpoints have been discovered as being compromised.

 

Internet access needs to be centrally controlled and secured, regardless of the endpoint type (fixed or mobile) or its physical location (inside or outside the network). A next-generation web security platform it provides not only proxy services, but is able to transparently integrate at the same time a security model to cover all three phases of the attack:

• In the before phase, web access is controlled through user identity signaled from Cisco ISE and secured by using application based policies with restrictive access based on static URL filtering and dynamic reputation-based filtering;
• In the during phase, content is dynamically analyzed for suspicious behavior, inspected in parallel by multiple anti-malware engines for known attacks, while at the same time being given an initial verdict of clean or malicious through AMP (Advanced Malware Protection) which detects yet unknown attacks;
• In the after phase, AMP integrated with CTA (Cognitive Threat Analytics) in order to provide sandboxing, continuous file retrospection analysis and identify if actually the initial verdict of clean needs to be changed to malicious.

 

Email still remains a very efficient attack vector, as it’s easier to just deliver malware to the user this way, or launch targeted attacks by directing the user to a web resource which seems to contain interesting information which actually hides malware. A next-generation email gateway provides not only SMTP functionality and basic spam protection, but is able to cover all three attack phases successfully:

• In the before phase, email access is restricted based on user identity, dynamic SMTP gateway reputation and static filters;
• In the during phase, content is inspected in parallel by multiple anti-malware engines for known attacks, scanned through AMP for unknown attacks; email is quarantined if identified as malware or being suspect of malware, through dynamic outbreak filters;
• In the after phase, user click activity is monitored for phishing attacks, while AMP provides sandboxing and continuous file retrospection analysis to identify dormant malware.

 

SECURITY EVERYWHERE WITH ADVANCED MALWARE PROTECTION

Most security tools today focus on visibility and blocking at the point of entry in order to protect systems. They scan files once at an initial point in time to determine if they are malicious. But advanced attacks do not occur at a single point in time; they are ongoing and require continuous scrutiny. Adversaries now employ tactics such as port hopping, encapsulation, zero-day attacks, command and control (C&C) detection evasion, sleep techniques, lateral movement, encrypted traffic, blended threats and sandbox evasion to elude initial detection. If the file isn’t caught or if it evolves and becomes malicious after entering the environment, point-in-time detection technologies cease to be useful in identifying the unfolding follow-on activities of the attacker. Cisco’s Advanced Malware Protection offers this continuous monitoring and analysis and is able to detect malware when it becomes active, as initially it’s just deployed but looks clean.

AMP is required in several places in the network, based on the overall design:

• At the NGFW level, as all traffic from/to the Internet flows through;
• At the web gateway level, as it is the only device that can actively and transparently decrypt HTTPS traffic for inspection;
• At the email gateway level, as traffic between SMTP gateways may use TLS which means that only the SMTP gateway has access to clear-text email for inspection.

 

However, it is most important to deploy AMP at the endpoint level, for several reasons:

• While the objective of an attack is to steal and leak data, the endpoints/users are the attack target as it’s the only bridging point between the Internet and sensitive data;
• VPN traffic like IPsec or SSL, and some applications like Skype or other video telephony, is encrypted and can only be inspected at the endpoint, where it becomes clear-text;
• Being present on the endpoint, you can provide retrospective detection and continuous analysis to detect dormant and composite malware.

 

 

CENTRALIZED FIREWALL POLICY

Given the increasing number of per user devices connected to the network (desktop, laptop, smartphone, tablet) and the possibility of connecting from several places (inside or outside the network) via several methods (wired, wireless, VPN), it becomes challenging and very expensive o build and maintain an accurate security policy based on IP addresses. Likewise, in order to better and faster contain and isolate a compromised endpoint, lateral movement needs to be controlled, where a user/device is not implicitly allowed to access resources within the same trusted domain (like VLAN or network block).

As Cisco ISE controls all network access, it can also be used to centrally define network wide firewall and security policies which will be dynamically downloaded and enforced on specific checkpoints:

• A label named SGT (Security Group Tag) is assigned by ISE to each device given access to the network, once identified and profiled;
• Firewall policies and rules are thus build on user identity in ISE, regardless of the IP address being assigned, but considering device being used to access the network and access method;
• Access is being given to users based on applications being accessed, not based on IP addresses or port numbers;
• A user/device may get differentiated access based on its current security posture, which ISE identifies by itself or by integrating with security architecture components.

 

NETWORK SEES EVERYTHING

Given the complex and unique behavior of APT’s, it becomes mandatory to integrate in your security architecture a solution that provides network behavior analytics, threat visibility and security intelligence to protect against today’s top threats. Collecting netflow data from the network allows you to establish a baseline of the network functionality and dynamically build policies of sane network behavior, which is used to detect attacks through behavioral profiles and statistical modeling, including slow attacks that do not violate any policies.

Cisco’s Lancope solution provides all of these and manages to cover all three attack phases as well. Most importantly, once an endpoint has been detected as being compromised, Lancope provides immediate and automated response:

• Allows tracking the attack across the organization in order to have instant visibility into compromised areas;
• Creates a forensics trail of the network activity in order to identify how the attack happened and learn from it to better defend in future;
• It integrates with Cisco ISE to signal which endpoints have been compromised for immediate action and isolation.

 

ISE IS THE BRAIN

Within the security architecture, all components need to integrate with Cisco ISE, the centralized network access policy platform. As ISE identifies all devices and controls all network access, it shares contextual information with other security products in order to provide better visibility into who is doing what on the network. Also it collects the security state of connected devices in real-time from other architecture components and automatically changes the authorization of non-compliant or compromised devices in order to contain and eliminate the risk of data leaking. For example:

• It integrates with leading Enterprise Mobility Management platforms, in order to control mobile devices network access based on their current security state and security policy compliance;
• It integrates with Cisco’s Next Generation Firewall Management Platform, FireSIGHT, in order to change the network access of compromised endpoints as detected by AMP;
• It integrates with Cisco’s Lancope platform in order to change network authorization of compromised endpoints as detected by advanced security analytics;
• It integrates with classic SIEM (Security Information and Event Management) in order to to change network authorization of compromised endpoints as detected by SIEM and its data sources.

 

Datanet Systems is Cisco Gold and VMware Enterprise partner and its team of security experts is capable of designing, delivering, implementing and optimizing a comprehensive security architecture for medium and large companies and public sector organizations. In this page we presented the main components of a state of the art security architecture composed of Cisco and AirWatch products.

If you are interested to implement such a security architecture in your organization, you are kindly invited to send us an email at cybersecurity@datanets.ro or to fill-in and submit the contact form within this page.

Our security experts will contact you rapidly for answering to your requests.

Thank you for visiting www.datanets.ro !