Virtual Private Networks (VPNs) allow secure connections through the open internet. With VPN authentication, encryption, availability, and speed, end-users can work from anywhere as if they were sitting within a millisecond’s ping from the server room. Remote branch offices are connected, cloud resources are securely available, and all is well. That is, if the VPN tunnel works as it should.

 

Colleagues not talking to each other? Could be a grudge, could be trouble joining the call because “that VPN tunneling thingy keeps timing out.” No traffic from the remote office? Could be just lunch break, could be that the site-to-site VPN tunnel is down. What if it really is the network this time?

 

Setting up a trusted tunnel between two endpoints is a multi-step process—this also means that troubleshooting requires knowledge of its complexity. See these handy VPN tunnel troubleshooting flowcharts for LAN-to-LAN and Remote Access VPNs for examples of a systematic approach to figuring out why the remote connection is flunking out.

 

In short, the tunnel has to get through these stages, and each one fails in its own way:

  • Interesting traffic (a packet matching the crypto ACL, or a remote-access client connecting) triggers the ASA to start negotiating with the peer on UDP/500, or UDP/4500 once NAT is detected between the peers.
  • “Phase 1” (IKE) authenticates the two peers and establishes the IKE security association: a Diffie-Hellman exchange produces the shared secret that protects all further negotiation. Failures here usually come down to peer addressing or reachability, mismatched IKE policies (encryption, hash, DH group, lifetime), or a pre-shared key that does not match on both sides.
  • “Phase 2” (IKE quick mode) runs inside that protected channel and negotiates the IPsec security associations: the transform set, the proxy identities taken from each side’s crypto ACL, and optionally PFS. On the ASA, the crypto map is the configuration that ties the peer, transform set, and crypto ACL together; if the two crypto ACLs are not mirror images of each other or the transform sets differ, Phase 1 completes and Phase 2 fails.
  • Data transfer then flows through the IPsec SAs: encrypted, authenticated, and counted, so the encaps/decaps counters tell you whether traffic is actually moving in both directions.
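To make the phase-by-phase triage above concrete, here is an added Python example (not from the original post, and not SolarWinds code) that decides which phase a site-to-site tunnel got stuck in from the output of the ASA’s show crypto ikev1 sa (show crypto isakmp sa on older releases) and show crypto ipsec sa commands. The two sample outputs are constructed to approximate the ASA format; the exact field labels matched by the regular expressions are an assumption to check against your own release.

```python
import re

# Constructed sample, approximating "show crypto ikev1 sa" on a Cisco ASA.
# The field layout is an assumption for this example.
SAMPLE_IKE = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.5
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample, approximating "show crypto ipsec sa peer 203.0.113.5".
SAMPLE_IPSEC = """\
peer address: 203.0.113.5
    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.2

      access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.5

      #pkts encaps: 1842, #pkts encrypt: 1842, #pkts digest: 1842
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# States that mean Phase 1 finished: main/aggressive mode on the ASA, QM_IDLE on IOS.
PHASE1_COMPLETE = {"MM_ACTIVE", "AM_ACTIVE", "QM_IDLE"}


def ike_peers(text):
    """Map peer address -> IKE state from 'show crypto ikev1 sa' output."""
    peers, current = {}, None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and current:
            peers[current] = m.group(1)
    return peers


def ipsec_counters(text):
    """Map peer address -> (encaps, decaps), summed over that peer's IPsec SAs."""
    stats, current = {}, None
    for line in text.splitlines():
        m = re.search(r"peer address:\s*(\S+)", line)
        if m:
            current = m.group(1)
            stats.setdefault(current, [0, 0])
            continue
        if current is None:
            continue
        for idx, name in ((0, "encaps"), (1, "decaps")):
            m = re.search(rf"#pkts {name}:\s*(\d+)", line)
            if m:
                stats[current][idx] += int(m.group(1))
    return {peer: tuple(v) for peer, v in stats.items()}


def triage(peer, ike_text, ipsec_text):
    """Return (phase, advice): the first phase that is not working and what to check."""
    state = ike_peers(ike_text).get(peer)
    if state is None:
        return ("phase1", "no IKE SA: check peer address, reachability on UDP/500 and 4500, "
                          "the pre-shared key, and the IKE policy (encryption, hash, DH group)")
    if state not in PHASE1_COMPLETE:
        return ("phase1", f"IKE SA stuck in {state}: Phase 1 never completed, usually a PSK or policy mismatch")
    counters = ipsec_counters(ipsec_text).get(peer)
    if counters is None:
        return ("phase2", "IKE up but no IPsec SA: check that the crypto ACLs mirror each other "
                          "and that the transform set and PFS group match")
    encaps, decaps = counters
    if encaps == 0 and decaps == 0:
        return ("phase2", "IPsec SA present but idle: no traffic is matching the crypto ACL")
    if decaps == 0:
        return ("data", "one-way traffic: we encrypt but receive nothing; check remote routing, NAT exemption and crypto ACL")
    if encaps == 0:
        return ("data", "one-way traffic: remote sends but we never encrypt; check local routing and NAT exemption")
    return ("up", "tunnel is passing traffic in both directions")


if __name__ == "__main__":
    print(triage("203.0.113.5", SAMPLE_IKE, SAMPLE_IPSEC))  # phase 'data': one-way traffic
```

The decision order mirrors the troubleshooting flowcharts: no IKE SA or an SA stuck in an MM_WAIT state is a Phase 1 problem, an active IKE SA with no IPsec SA is Phase 2, and an IPsec SA whose counters only move in one direction is a routing or NAT problem rather than a crypto one.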

 

When the VPN connection fails and it’s troubleshooting time, you want visibility into your VPN environment. We’ve come up with Network Insight for Cisco® ASA to help you with just that. One of the most popular security devices on the market meets the worldwide leader in network management software. Sounds promising, right?

In SolarWinds® Network Performance Monitor 12.2, your monitored ASA devices now show additional information beyond SNMP statistics.

 

Site-to-Site VPN shows you whether the tunnel is up, down, or inactive. See traffic ingress and egress, duration of the VPN tunnel uptime, encryption, and hashing info. If the tunnel is down, information about the last phase completed successfully is available. Search, filter, and favorite tunnels to quickly access them in the Node Details view. You can also select specific errors from Phase 1 or Phase 2 to be ignored.

 

Site-to-site VPN

 

 

The Remote Access VPN subview presents a list of remote access tunnels, with the username and tunnel duration details, as well as the amount of data downloaded and uploaded. For failed connections, you’ll see the time and reason why the connection was ended, IP address, and client used. As always, you can use tools to search and filter the sessions.

 

Remote access VPN tunnels

 

 

Several predefined reports and alerts are available to keep your finger on the VPN’s pulse. Tunnel down? You’ll know first. Reaching a threshold? Won’t catch you by surprise. And of course, you can customize your own advanced reports and alerts.

 

You can learn more about Network Insight for Cisco ASA or try it for yourself in the fully featured 30-day trial.

Like traditional kung fu, in Security Kung Fu, there are two schools of thought. On one side, there are those guided by the industry’s best practices for IT security. On the other side, there are those who use regulatory frameworks like PCI DSS, HIPAA, SOX, and more as the guiding principles for their IT security strategy.

 

In the fourth and final chapter of the Security Kung Fu Series, we discussed these opposing strategies and explained why our Security Kung Fu Masters view them as complementary but not interchangeable.

 

If this subject is of interest, I strongly suggest you watch the on-demand recording of this session for a much deeper dive. Continue onward for a brief recap along with some highlights from the discussion.

 

Watch the On-Demand Recording | Check out the SlideShare®

 

Meet Your Security Kung Fu Masters

For the fourth and final chapter of the Security Kung Fu series, we decided to mix things up a bit. In addition to welcoming Jamie Hynds, Senior Product Manager for SolarWinds Security Portfolio—a featured speaker in some of our previous sessions—we were joined by Destiny Bertucci, Head Geek at SolarWinds.

 

With over 15 years of network management experience spanning healthcare and application engineering (nine of which she served as SolarWinds Senior Application Engineer), @Dez boasts an ever-growing ensemble of degrees and certifications with a slant towards IT security. If it’s not apparent now, you’ll see from this session that she really knows her stuff.

 

Beyond this,  Destiny is a frequent presence on THWACK®, most recently launching a blog/social commentary series on Geek Speak titled “Shields Down.” I strongly encourage you to follow along in her series and get involved in the discussion. Whether you’re an experienced IT security professional or on the lighter side of these skillsets, there is something for everyone. But don’t sit on the sidelines—share your stories and insights for the collective good of us all.

 

Regulatory Compliance

 

Compliance, as it relates to IT, involves adhering to rules and regulations that are meant to protect various types of sensitive data. It can govern everything from IT decision-making and purchasing, to configurations, and the policies and procedures a company must create and enforce to uphold this important task.

 

Rightfully so, many businesses are taking the obligation of compliance very seriously. After all, there is a lot at stake when fines and penalties can be levied against you (among other legal repercussions) for noncompliance.

 

Security vs. Compliance

Though, yes, compliance for many businesses is absolutely critical, it is not the end-all, be-all. We contended throughout this session that a compliance-dominated approach to securing your IT operations is not the way to go. In fact, as many of the examples we provided in this session showed, it can sometimes be a detriment to IT security.

 

On that note, we provided three really solid points to shape your mindset.

 

Compliance is more than a checkbox. Many view compliance as a “must have” to avoid the wrath of auditors. But, like I mentioned before, they let it dominate their IT strategy. Our tip is to not lose sight of the bigger picture. IT compliance should be seen as an opportunity to ensure the right controls are in place to actually keep your network and sensitive data secure.

As an example, consider encrypting data in transit. One organization applies it because it is a security best practice; another skips it because the regulations it faces do not mandate it. If the end goal is the confidentiality, integrity, and availability of sensitive data, the second choice does the business a disservice and leaves it needlessly exposed to attack.

 

“Compliant” does NOT equate to “secure.” Meeting regulatory compliance alone does not guarantee IT security. In some cases, it can lead you away from this objective. There are countless real-world examples of this, but it should be well-understood that in several cases, following compliance schemes strictly “by the book” can undercut your security responsibility. Why not go beyond what they dictate? For this, think of my earlier example involving encryption.

 

No one solution can make you compliant. The same too can be said for security in general, but simply applying one or more security solutions to your IT arsenal will not inherently make you compliant with any framework. Compliance involves many aspects outside of your software-purchasing decisions down to the very core of how your business operates.

 

In this session, we urged that, for the sake of both objectives, Defense in Depth strategies be applied. If you haven’t caught on yet, this was preached continually throughout the Security Kung Fu webinar series.

 

According to the SANS Institute, Defense in Depth is “the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.”

 

This approach has for a long time been a mainstay in the security realm, but it too should play into your approach to compliance.

 

Five Tips for Continuous Compliance (and Security)

 

As we called an end to the Security Kung Fu series, we left our viewers with some concluding thoughts on this subject. In no way does this cover all your needs, but they are all worth considering.

 

  1. Define policies and establish your network security baseline.
  2. Collect, correlate, and securely store all relevant and required log data.
  3. Actively monitor and analyze what’s going on within the IT infrastructure at all times.
  4. Run regularly scheduled compliance reports.
  5. Leverage regulatory requirements and audits as an opportunity to truly assess network risks and help ensure the security of your entire IT infrastructure—from perimeter to endpoint!

 

A final takeaway, however: no matter your objectives, there are a multitude of software offerings from SolarWinds that can assist your business and support a defense-in-depth strategy. Visit the IT Security Software page to learn more.

 

Well, I hope you enjoyed not only the webinars that made up this series, but each recap I’ve provided as well. As always, I welcome your feedback or thoughts on any of this subject matter.

DO YOUR FIREWALLS HAVE ACCESS CONTROL LISTS OR OUT-OF-CONTROL LISTS?

 

Do you badge in and out of your office each day? That electronic lock should be doing two things: making sure you can get in (and get to work), and keeping people who shouldn’t be there out. If the permissions aren’t right, you could be blocked from entering. Or, worse, people who aren’t authorized could walk right in. This is what happens if the Access Control Lists (ACLs) on your firewall aren’t properly configured. Valid traffic could be blocked, or unauthorized traffic could slip through. This can impact productivity and even be a security risk.

 

ACLs can be hundreds or even thousands of lines long. They may have been set up years ago and been modified too many times to count. Are you confident that they are controlling the traffic the way you want? Do you need deeper network insights to see what is really going on?

 

Reviewing your Access Control Lists can be a tedious task, but the latest release of SolarWinds® Network Configuration Manager (NCM) makes it easy. This release introduces a new feature, Network Insight™ for Cisco® ASA, so you can easily review and audit ACLs for your Cisco ASA firewall.

 

  1. Review what ACLs are configured
    You can’t control it if you don’t know you have it. First, take a look to see what Access Control Lists are set up. The network insights you get with NCM will allow you to view all ACLs configured on the ASA. See if you have an ACL that was configured but never applied. Do you have ACLs that were set up so long ago that none of the original creators are still around?

  2. Audit where and how they are applied
    An ACL may be correct in itself but applied to the wrong interface, in the wrong direction, or not at all, which reduces or removes its effect. On the ASA an ACL does nothing until an access-group statement binds it inbound or outbound on an interface (or globally). Are your ACLs applied where you expect? Which interfaces belong to those zones? Review where your Cisco ASA ACLs are assigned to make sure each one actually sees the traffic it is meant to control.

  3. See what rules are being used
    Do you have rules in place that are never used, or rules that are getting hit all the time? Use NCM’s ACL Rule Browser to browse to object group definitions, search and filter within your ACLs, and view the hit count for individual rules to debug your access rules. Rules that are never hit may have been superseded by other policy changes. Rules that are getting hit all the time may indicate a need to refine the rule. With increased network insight you can optimize the ACL rules on your Cisco ASA.

  4. Detect shadow or redundant rules
    Access Control List rules are evaluated top down, and the first match wins. A rule whose traffic is entirely matched by an earlier rule with a different action is a shadow rule: it can never fire. A rule entirely matched by an earlier rule with the same action is a redundant rule: harmless, but noise that hides what the policy is meant to do. For example, your office wants to let in anyone who is an employee, but not on the weekends. If the badge reader checks “let in all employees” first and then checks the day of the week, the weekend rule is a shadow rule; the door has already unlocked by the time it would be evaluated. Note that a rule can also be shadowed by several earlier rules that together cover its traffic, which a simple pairwise comparison will not catch. You can reduce security risks and help ensure your ACLs are working as intended by identifying shadow or redundant rules.

  5. Compare ACLs for changes
    It can be difficult to troubleshoot ACL config issues. Network Configuration Manager helps make this process easier with side-by-side ACL config comparisons on your Cisco ASAs. You can compare an ACL to a previous version on the same node, or compare it to other nodes, interfaces, or a different ACL. Identify errors and verify consistency with Network Insight for Cisco ASA.
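The shadow and redundant rule check in step 4 of that checklist is simple enough to show in code. The Python script below is an added example (not from the original post, and not how NCM implements the feature) that parses a constructed ACL written in the ASA’s extended syntax and reports every rule that an earlier rule already fully covers. It handles IPv4 networks, host and any, and destination ports only; object-groups, time-ranges, and source-port matches are out of scope, and the port-name table is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ACL in ASA "extended" syntax (IPv4, plain networks, destination ports only).
SAMPLE_ACL = [
    "access-list outside_in extended permit tcp any host 203.0.113.10 eq 443",
    "access-list outside_in extended permit tcp any host 203.0.113.10 eq https",
    "access-list outside_in extended permit ip 198.51.100.0 255.255.255.0 10.0.0.0 255.0.0.0",
    "access-list outside_in extended deny tcp host 198.51.100.7 10.1.2.0 255.255.255.0 eq 22",
    "access-list outside_in extended deny ip any any",
    "access-list outside_in extended permit udp any host 203.0.113.53 eq domain",
]

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53, "smtp": 25}
ANY_PORT = (0, 65535)


@dataclass
class Rule:
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple  # inclusive (low, high) destination port range


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: any | host A.B.C.D | network netmask."""
    if tokens[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_rule(line):
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = tokens[3], tokens[4]
    src, i = _addr(tokens, 5)
    dst, i = _addr(tokens, i)
    ports = ANY_PORT
    if i < len(tokens) and tokens[i] == "eq":
        ports = (_port(tokens[i + 1]),) * 2
    elif i < len(tokens) and tokens[i] == "range":
        ports = (_port(tokens[i + 1]), _port(tokens[i + 2]))
    return Rule(line, action, proto, src, dst, ports)


def covers(a, b):
    """True when every packet rule b would match is already matched by rule a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    return (proto_ok
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] <= b.ports[1] <= a.ports[1])


def analyze(lines):
    """Return (rule_no, 'shadowed'|'redundant', covering_rule_no) for each dead rule.

    Pairwise only: a rule hidden by the *union* of several earlier rules is not
    reported, which is the usual limitation of a simple first-match check.
    """
    rules = [parse_rule(line) for line in lines]
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((j + 1, kind, i + 1))
                break  # first match wins, so the first covering rule is the one that fires
    return findings


if __name__ == "__main__":
    for rule_no, kind, by in analyze(SAMPLE_ACL):
        print(f"rule {rule_no} is {kind} by rule {by}: {SAMPLE_ACL[rule_no - 1]}")
```

On the sample, rule 2 is redundant with rule 1 (443 and https are the same port), rule 4 is shadowed by the broad permit ip in rule 3, and rule 6 is shadowed by the deny ip any any above it; that last one is the same mistake as the weekend badge rule, a specific rule placed after the catch-all that was meant to come last.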

 

By working through this simple checklist, you can restore confidence that your firewalls are effectively managing the traffic flow in and out of your network. You can try Network Insight for Cisco ASA in the latest release of Network Configuration Manager. With a free, 30-day trial of NCM, you can see for yourself how easily you can bring your ACLs back under control. Look like a firewall expert without having to be a firewall expert!

While countless companies rely on Active Directory® (AD) to ensure only the right individuals have the right access, hackers still can penetrate, lie in wait, and jump at the next opportunity to elevate their permissions. Each move is calculated, and if undetected, earns them greater and greater access to data and systems to begin the slow siphoning of intelligence or suddenly launch IT security attacks.

 

How the bad guys get in can vary, but the who in this equation matters just as much. Not only do external parties pose a threat, there are also those coming from within your own ranks who can be just as dangerous, whether intentionally or not.

 

It can also be said that AD changes and events, such as unauthorized account provisioning, escalating of privileges, and changing user accounts may not only be indicators of malicious activity on the network, but the very acts themselves can create security holes that may lead to compromises in the future.

 

When threats can manifest from both outside and inside the four walls of your businesses, any practitioner of IT security would agree that sometimes the best offense is a strong defense. In Part Three of the Security Kung Fu Webinar Series, we discuss how monitoring for Active Directory changes using security information and event management solutions (or SIEM) can help you do just that, all while helping you meet certain regulatory compliance requirements in the process.

 

Building on each of the subjects covered in our previous two Security Kung Fu events, we turned our focus inward to cover the IT security threats coming from within. Dive right into this subject using the resources below, or read along for a quick recap of this session to further whet your appetite for some security goodness.

 

Watch the On-Demand Recording | Check out the SlideShare®

 

Meet Your Security Kung Fu Masters

Returning for this session are both Jamie Hynds and Ian Trump, featured speakers from Security Kung Fu: Playing with Fire(wall) Logs. If you missed the recap on this or any of the previous Security Kung Fu webinar sessions, be sure to check them out! And if you want to get deep in the weeds on certain IT security or compliance topics, I strongly encourage you to follow Jamie (@jhynds) on THWACK®. He’s published quite a few articles that are worth a read.

 

The Threats From Within

Though the lion’s share of media attention is placed on external hackers finding an “in,” numerous roads lead to IT security compromise. Insiders remain a very real and substantial threat. Whether by purposefully acting out of malice or enabling external threats through their own negligent actions (or simple inaction), there’s much to consider when turning your IT security focus inward. Here are some examples we highlighted as part of this session that you should definitely consider:

 

  • Malicious intent – Though touched on above, this speaks to the purposeful action on the part of trusted insiders to act in opposition to the interests of an organization. Common IT threats include fraud, sabotage, and theft or loss of confidential information.
  • Not following policies or procedures – Sometimes purposeful, sometimes not, this IT security threat involves acting out of accordance with internal guidelines regarding the use of technology or the handling, disposing, and disclosing of sensitive information to unauthorized parties.
  • Negligent behavior – Whether these actions violate clearly written and enforced policies or procedures, or plainly defy basic logic, this involves your own employees or individuals from the businesses you represent unknowingly putting your IT operations in harm’s way. As simple as falling prey to phishing attacks or some other mode of social engineering, their actions may not have been explicitly forbidden, but they still result in compromise.
  • Integrity of the AD Domain – Though Active Directory is in place to ensure many of the above forms of threats do not either take a foothold or spread, simple actions on the AD Domain can give rise to security issues as well. Despite being a fundamental practice for an IT organization, potential Active Directory security vulnerabilities can be cause for concern when hackers are looking for the keys to the kingdom. If you give them an inch, they’ll take a mile.

 

I should temper this in saying that in no way is this any exhaustive list. In fact, we go into greater detail about other possible internally-caused IT security issues on the webinar itself. The point here is that there are numerous ways a trusted insider can become your weakest link or gravest threat.

 

The Necessity of Monitoring Active Directory

We cover each of these modes of insider threats and signs of abuse with purpose. It highlights the very important need for monitoring and auditing Active Directory changes to at least identify the signs that something has gone awry.

 

A SIEM tool is perfect for that. Not only can you use one to keep close watch of things, but it can also issue alerts when an anomaly is spotted. Further, this software can help enable real-time active responses, such as logging off users, blocking IP addresses, killing processes, and adjusting Active Directory settings at the first sign of threat. SIEM solutions can not only contribute to improving IT security, but also compliance.

 

So, what are among the most pertinent items to look out for when monitoring Active Directory changes? Here are some of the standouts:

 

  • User events
  • Authentication events
  • Group changes
  • Policy changes
  • Password resets

 

Though seemingly harmless, these actions should be reviewed for authenticity. There’s simply too much at stake.
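The items in that list only earn their keep once they are correlated with each other and with who performed them. The Python script below is an added example, not part of the original post or of any SolarWinds product, that runs a few such correlations over a constructed set of Windows Security events: a privileged group add, an account that becomes privileged minutes after being created, a membership that is added and removed inside one window (which a point-in-time group report would never show), a password reset by an account outside the helpdesk, and an audit policy change. The event IDs are the standard Windows ones (4720, 4724, 4719, 4728/4732/4756 and their removal counterparts 4729/4733/4757); the privileged-group set, the helpdesk allowlist, and the sample timeline are assumptions.

```python
from datetime import datetime, timedelta

# Standard Windows Security log event IDs (Windows Server 2008 and later).
USER_CREATED = 4720
PASSWORD_RESET = 4724          # "An attempt was made to reset an account's password"
AUDIT_POLICY_CHANGED = 4719
GROUP_ADD = {4728, 4732, 4756}     # member added to security-enabled global / local / universal group
GROUP_REMOVE = {4729, 4733, 4757}

# Assumptions for this example: which groups count as privileged, and which accounts
# are allowed to reset other people's passwords.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
HELPDESK_ACCOUNTS = {"svc_helpdesk"}


def _ev(ts, eid, subject, target=None, group=None):
    return {"ts": datetime(2017, 9, 13, *ts), "id": eid, "subject": subject, "target": target, "group": group}


# Constructed sample: an admin creates a service account, makes it a Domain Admin for
# twenty minutes, and that account then resets an executive's password and edits audit policy.
SAMPLE_EVENTS = [
    _ev((9, 0), USER_CREATED, "admin.jane", "svc_backup2"),
    _ev((9, 4), 4728, "admin.jane", "svc_backup2", "Domain Admins"),
    _ev((9, 25), 4729, "admin.jane", "svc_backup2", "Domain Admins"),
    _ev((10, 10), PASSWORD_RESET, "svc_helpdesk", "bob"),
    _ev((10, 15), PASSWORD_RESET, "svc_backup2", "ceo.alice"),
    _ev((11, 0), 4732, "admin.jane", "bob", "Remote Desktop Users"),
    _ev((11, 30), AUDIT_POLICY_CHANGED, "svc_backup2"),
]


def analyze(events, window=timedelta(minutes=30)):
    """Return (alert, subject, target) tuples in time order."""
    alerts = []
    created = {}   # target account -> when its 4720 was seen
    added = {}     # (target, group) -> when the membership add was seen
    for e in sorted(events, key=lambda ev: ev["ts"]):
        eid, subj, tgt = e["id"], e["subject"], e["target"]
        if eid == AUDIT_POLICY_CHANGED:
            # Turning auditing down is a classic step before doing something you do not want logged.
            alerts.append(("audit-policy-change", subj, tgt))
        elif eid == USER_CREATED:
            created[tgt] = e["ts"]
        elif eid == PASSWORD_RESET and subj not in HELPDESK_ACCOUNTS:
            alerts.append(("password-reset-outside-helpdesk", subj, tgt))
        elif eid in GROUP_ADD:
            added[(tgt, e["group"])] = e["ts"]
            if e["group"] in PRIVILEGED_GROUPS:
                alerts.append(("privileged-group-add", subj, tgt))
                if tgt in created and e["ts"] - created[tgt] <= window:
                    alerts.append(("new-account-privileged-fast", subj, tgt))
        elif eid in GROUP_REMOVE:
            when = added.get((tgt, e["group"]))
            if when is not None and e["ts"] - when <= window:
                # Added and removed again inside the window: a snapshot of group
                # membership taken afterwards would never show this account as privileged.
                alerts.append(("transient-membership", subj, tgt))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

In production the events come from the domain controllers’ Security logs (forwarded to the SIEM, or pulled with wevtutil or Get-WinEvent), and the subject and target fields map to the SubjectUserName and TargetUserName (or MemberName) fields of those events. The point of the transient-membership rule is that a scheduled “who is in Domain Admins” report is not a substitute for watching the change events themselves.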

 

Pro Tip: Users of Log & Event Manager (LEM), SolarWinds’ own SIEM solution, should check out this video in the SolarWinds Success Center for guidance on how to leverage LEM to detect privilege changes in Active Directory.

 

A Nod to Compliance

The ability to monitor and respond to threats is so critical to a business’s IT security, and to the ultimate goal of maintaining the confidentiality, integrity, and availability of sensitive data, that it’s no wonder many of the top compliance frameworks include provisions that cite the need for monitoring such Active Directory changes. We spoke about this in depth during an Ultimate Windows Security event we participated in, titled “Monitoring Active Directory Changes for Compliance: Top 32 Security Events IDs to Watch and What They Mean.” SOX, HIPAA, PCI DSS, FISMA, NIST, GLBA—you name any compliance law or standard—all cover, in some way, the need for tracking such actions. There are even certain AD events that can be mapped directly to these frameworks to assist in meeting certain objectives and demonstrate potential IT security vulnerabilities to auditors.

 

Though we only touched on the subject briefly as part of this and our other Security Kung Fu webinars, the fourth and final event in the series covers the topic of compliance in-depth. There, we discussed the two prevailing “schools of thought,” or drivers of IT decision-making and practice: security vs. compliance.

 

I hope you’re finding these session recaps helpful. Stay tuned for my recap of the final session from the Security Kung Fu series.

 

Firewalls are an important first line of defense against a range of security threats. But outside of brute-force attacks, countless firewalls have fallen to more sophisticated modes of attack, if not been circumvented altogether. The consequence is that hackers gain access to the network and trouble ensues.

 

Part Two of the Security Kung Fu Webinar Series built upon our previous discussions (check out the Security Kung Fu: SIEM Solutions blog for a recap) to highlight the important role firewalls play in network security and how log messages generated from these devices can provide meaningful insights to either thwart a security incident altogether, or assist in stopping one in its tracks. That is, assuming you’re armed with the right tools.

 

As important as it is to collect logs from these (and other) network devices, just as important is what you do with the data you collect. That’s where SIEM solutions come in. Beyond this, we discussed how NCCM solutions contribute to deeper security and what for many companies is an end-all, be-all: helping them handle a variety of regulatory compliance objectives.

 

If this piques your interest, I encourage you to dive into the resources below or read along to find out all this event had to offer!

 

Watch the On-Demand Recording | Check out the SlideShare®

 

Meet the Security Kung Fu Masters

In addition to Ian Trump, a featured speaker in the first installment of the Security Kung Fu series, we welcomed Jamie Hynds, Senior Product Manager for SolarWinds® Security Portfolio. Jamie has years of experience in a variety of roles such as Sales Engineer for SolarWinds, IT Auditor and Security Consultant for Deloitte®, among others. In each capacity, he has assisted businesses in adopting technologies to enhance security, meet regulatory IT compliance, and pass audits for a broad array of compliance frameworks.

 

Be sure to check out Jamie’s often security-centric posts on THWACK® as well. He posts under the handle @jhynds.

 

Anatomy of an Attack

Once again referencing the Lockheed Martin Cyber Kill Chain®, we reviewed how firewalls protect against outside threats at the “Delivery” stage of this model, where a firewall ACL is the model’s textbook way to deny delivery of the attacker’s payload. But despite the presence of physical/virtual barriers to a network, perimeter defenses are not enough. They can, however, further aid in the detection of threats. As we say in the series, “the devil is in the details”… details found in your log data.

 

The Detection Deficit

Avid readers of security reports, like myself, may have grown fond of the Verizon® Data Breach Investigations Report (DBIR). Each year, analysts from Verizon publish the results of the anonymized data they gather on actual security incidents (and breaches) from the prior year.

 

What was once a mainstay of this report tracked an important statistic dubbed the “detection deficit.” The detection deficit refers to the gap between an attacker’s “time to compromise” and the defender’s “time to discover.” Pretty important stuff, huh? Well, in an unfortunate turn of events, this measure was dropped from the 2017 Verizon DBIR that published shortly after the Security Kung Fu: Playing with Fire(wall) Logs webcast took place. Given that all the data collected for the DBIR is based on breaches that actually occurred, there wasn’t a logical need to track this measure moving forward, as it was “unlikely to ever show any improvement.”

 

Still, it’s an important subject. The more time it takes to discover threats on your network, the more damage can be done. Lowering your “mean time to detection” for security incidents is absolutely critical. As we contended in this session, with help from SIEM and NCCM solutions, your firewalls can play a big part in doing so.

 

The Role of SIEM and NCCM Solutions

A lot can be said about SIEM and NCCM solutions outright, but working in tandem with your firewalls, they have the potential for some really neat use cases. @Dez sums it up nicely in this post, which served as a reflection of this Security Kung Fu event. On one hand, a SIEM can help you spot malicious behavior on a firewall, including: malformed packets, unusual traffic patterns, unauthorized access, and unauthorized changes. On the back half (so to speak), using an NCCM solution, you can recover even if unauthorized changes disrupt operations or have some sort of greater impact. (Ringing any bells from Part One of the Security Kung Fu Series?)

 

When it’s all said and done, our Security Kung Fu Masters advised that when it comes to firewalls, you must be able to:

  • Monitor for abnormal activity, unexpected access attempts, and potential threats
  • Eliminate downtime due to misconfigurations—know what changed and when, and have the ability to back up to last known good configuration
  • Automate security audits and reports to not only verify security, but also compliance

 

Just a reminder: in no way is this an exhaustive list. Luckily for you, with a couple of products added to your arsenal, you can cover the bulk of these needs.

 

For more tips on how to improve your IT security posture, check out the entire Security Kung Fu webinar series, now available on-demand.

Cover Your ASA

Posted by brad.hale Sep 13, 2017

Monitoring Your Cisco ASA with Network Insight

 

Firewalls have a unique place in the network topology. Found at the perimeter, they control network traffic, connect branch offices, and provide remote access to business services. You don’t want any network component to go down or cause problems, but this is especially true of firewalls.

Some mishaps can cost you hours of troubleshooting time, and others will make you sweat while you’re trying to put out the fire on your firewall. Consider these critical failures as situations you want to avoid at all costs.

 

  • No entry/exit allowed – When the firewall goes down, traffic cannot enter or exit—or worse, if it fails open, any traffic can get into your network.
  • High availability (HA) or no availability – If you’ve set up your firewalls correctly, you’ve designed in high availability. Correct HA configuration requires that your firewalls are synchronized. If they aren’t, then a failover situation may result in no availability.
  • Failure to communicate – Connectivity to your remote locations is dependent on VPN tunnels. Tunnel down = bad, tunnel up = good.
  • No worker is an island – Unless, of course, they cannot connect remotely.
  • The shadow knows – But unless you want to dig through your ACLs, you’ll never know if you have shadowed or redundant rules.
  • Needle in a haystack – Something changed in your ACLs, but finding the changes in hundreds of lines of configurations and rules is like… well, it goes without saying.

 

Given the criticality of your firewalls, it’s obvious that monitoring said firewalls is equally, if not more so, important as any other piece of network equipment. Good old SNMP might not always give you enough information for a complete picture of your appliance's health. Plus, let’s face it: using each vendor’s own toolset for troubleshooting and combining the data into a complete picture gets old, fast.

 

We’ve tackled this and are proud to present the latest of our Network Insight features—this time, for Cisco® ASA. Thanks to CLI polling, you can now get enhanced insight into your Cisco ASA firewalls directly within Network Performance Monitor (NPM) and Network Configuration Manager (NCM).

 

In Network Performance Monitor 12.2 you can get visibility into the health and performance of your Cisco ASA infrastructure in a single pane of glass.

  • See the health and availability of your LAN-to-LAN VPN tunnels. Remote access VPN shows you details about connected users, tunnel duration, and more.
  • Monitor your ASA's High Availability sync status, type, and overall health for reassurance that you are prepared for a failover event.

 

Network Configuration Manager 7.7 automates the monitoring and management of ACLs and configurations.

  • The new ACL Rule Browser enables you to filter, search, snapshot, and compare ACL versions.
  • Identify shadowed and redundant rules, and ACLs that are configured but not applied to any interface.
  • Contexts are a great way to segment your ASA as independent virtual devices. With Network Insight for Cisco ASA, you can dig into each of your contexts. Update firmware using NCM’s firmware update tool, both in multi- and single-context modes.

 

Network Insight for Cisco ASA might just be one of the “can’t go back now” features for monitoring your firewalls. See for yourself with our free, fully featured 30-day trials of Network Performance Monitor and Network Configuration Manager, and cover your ASA!

 

To try Network Insight for Cisco ASA you can download a free 30-day trial of NPM, NCM or download both.

With a 24-hour news cycle, we are constantly bombarded with headlines detailing the latest data breach, malware infection, email phishing scam, or high-profile compliance violation. Although the source of these incidents often varies, the consequences for businesses of all sizes remain relatively the same: hefty fines, brand damage, loss of customer loyalty, and in more severe cases, criminal penalties and lawsuits.


It’s no wonder nowadays we no longer consider IT security a “nice-to-have,” but a matter of your company’s survival.

 

In each of the Security Kung Fu webcasts, we dedicate at least a portion of the session to discussing the “cyber threatscape” and its impact on business. In many cases, this can be profound, especially if breaches of sensitive information are involved. Be sure to check out the Security Kung Fu: The Saga Begins blog, where I summarized the perspectives of my colleagues on this very subject. But, enough with the doom and gloom. With all this in mind, it raises the question, “What are businesses doing to protect themselves?” For starters, as we learned in Part One of the Security Kung Fu Webinar Series, they’re applying several “security stances” (as we’ve dubbed them) to help the situation.

 

As part of this session, we discussed these security stances in full and took a deeper look at the role of Security Information and Event Management (SIEM) solutions in assisting with this approach. I encourage you to dive into the resources below to learn more or read along to find out what all this event had to offer!

 

Watch the On-Demand Recording | Check out the SlideShare

 

Meet the Security Kung Fu Masters

For this inaugural session of the Security Kung Fu Series, I welcomed SolarWinds Sales Engineer, Curtis Ingram. You may recognize him under his THWACK® handle (@curtisi), but in case you don’t, Curtis possesses a deep knowledge of IT security, compliance, and the role of SIEM solutions in meeting these important business objectives, which he often shares on THWACK.

 

Along with Curtis, we were joined by Ian Trump, a cybersecurity strategist with over 20 years of experience that began with a stint in the Canadian Forces, Military Intelligence Branch. Ian’s 2016 in-depth analysis of cybercrime and threats of the future was featured in industry publications such as SC Magazine®, Infosecurity®, IDG Connect®, CBR, The Times, USA Today®, and The Sunday Herald. He remains a sought-after thought leader on the subject of cybersecurity.

 

Three Security Stances

As noted above, our Security Kung Fu Masters set out to describe the various ways businesses are arming themselves to combat cybersecurity threats. These security strategies are classified into three distinct groupings: proactive, detective, and reactive-recovery. Here’s a taste of what we learned.

 

Proactive Security

Proactive security is generally preventative. It involves hardening endpoints, applying tools such as antivirus and patch management software, and conducting user awareness training. These are all methods of preventing bad guys from getting on the network in the first place.

 

Taking preventative measures has been the subject of the security industry for ages, and a strong majority of solutions in the security space align with this stance. However, we contend that taking this approach alone is simply not enough. Furthermore, these proactive measures can sometimes give you a sense of overconfidence, which in many cases is downright dangerous.

 

Detective Security

Due to the growing sophistication of hackers and their ability to identify and bypass common means of defense, detective security is becoming increasingly important. Detective security uses SIEM solutions to help you establish what is “normal” activity and distinguish it from the abnormal. Not all anomalies on the network correspond to security incidents, but having a means of determining the difference is critical. More on the SIEM solutions piece in a bit.

 

Reactive-Recovery Security

The reactive-recovery stance fills an important gap not fully addressed by the previous stances. It involves responding to and recovering from compromise. This often takes the form of a backup service offering, which provides the ability to restore business operations to normal and maintain the availability of data. The most widely understood example involves the threat of ransomware. Rather than paying the ransom for the key that unlocks their data, businesses simply restore from backup to minimize the impact and keep IT operations up and running.

 

The Role of SIEM Solutions

As you might have gathered, businesses must do a lot to fully prepare for and guard against the multitude of threats they face. With limited time, we homed in on one such solution that contributes to this goal and is the sole supporter of the detective stance as we described it: SIEM solutions. Here is what we picked up:

 

SIEM solutions have evolved to play a much more critical part in improving a business’s IT security posture and helping it reach a state of compliance. Looking to the Lockheed Martin Cyber Kill Chain® as a teaching aid, we understand the anatomy of a cyberattack and its various stages. From this, a SIEM solution’s contributions become clear:

 

  • Gives you visibility into an area that is critical to your business: threat hunting
  • The only solution with a forensic feature for going back in time to review incidents
  • Assists with compliance and provides evidence for IT security audits
  • Uncovers unauthorized changes in the environment
  • Detects insider threats such as data exfiltration
  • Provides a record of network-layer activity, correlated with machine data and ultimately user behavior

 

Which Security Stance is Best?

Though much can be said for taking a proactive stance, it alone does not give you the flexibility you need to meet modern IT security threats. If it is not backed by the detective stance in particular, you’re in for a hard ride. But the fact of the matter is that you really need all three for a well-rounded approach. This means that a variety of security solutions, the training of your employees, and much more all need to be present in your security strategy, lest you risk security holes that can lead to compromise.

 

Like what you’re reading so far? Be sure to check out the entire Security Kung Fu webinar series on-demand and stay tuned for my next blog recapping Part Two of this series.

I know what you’re thinking… why “kung fu?” and “What do martial arts have to do with IT security and how I protect my network?” Well, kung fu is a Chinese term referring to any study, learning, or practice that requires patience, energy, hard work, discipline, and time to complete. So, really, it’s not just martial arts. Perhaps, by this definition, you’re starting to see the parallels we’ve identified with IT security.

 

Today’s Cybersecurity Climate

According to Forbes®, the cybersecurity marketplace is predicted to be worth $170 billion by 2020—more than double its reported size in 2015. But perhaps most telling of the threats businesses truly face is the fact that the costs associated with cybercrime are projected to exceed $2 trillion by 2019.

 

What’s fueling this growth? There are certainly a number of factors, but what’s clear is that hacker motives have strongly shifted toward “financial gains,” at least according to SolarWinds Head Geek, Destiny Bertucci. While shock value, notoriety, and entertainment drove hacking in its early rise, money has been a major influence in its more recent uptick. Hackers have a lot to gain, and we all have a lot to lose.

 

Another issue at the root of this rise in cybercrime costs (and the cybersecurity market’s corresponding growth) is the pervasiveness of these crimes. Gone are the days when these modes of attack were reserved for top-notch, tech-savvy, and highly motivated individuals. Today, Crime-as-a-Service underpins cybercrime, and the technical layman is now being armed with the ability to launch an attack.

 

Whether or not you’re explicitly tasked with upholding IT security for your business, given the current outlook, it is now everyone’s responsibility. It is no longer a matter of if you’ll get hacked, but when. IT security solutions today are about limiting the attack surface, applying defense-in-depth strategies, and leveraging a multitude of tools (not just one or a few) to do so.

 

We recently opened our cyber-dojo to allow our very own Security Kung Fu Masters to bestow their wisdom and teachings unto the larger IT community. Black belts in white hat hacking, industry mavens, scholars of security, and even former compliance auditors joined ranks to discuss these very subjects in a four-part webinar series aptly named “Security Kung Fu.” If you missed the live versions of these sessions, no need to worry—we have made them all available on-demand for your viewing pleasure. Read along to see what each stage in this journey had to offer.

 

Watch the Security Kung Fu Series On-Demand

 

SIEM Solutions

In Part 1, we took an in-depth look at the cybersecurity climate businesses are currently facing and educated ourselves on the cybercrime industry as a whole. Using the Lockheed Martin Cyber Kill Chain® as an example, we discussed the role SIEM solutions play in identifying security threats and discussed the unique capabilities of such solutions to allow users to go back in time to conduct forensic analysis of security incidents and verified threats.

 

Playing With Fire(wall) Logs

Part 2 of the series turned our attention to the periphery of a network to focus on how firewalls serve as a first line of defense against security threats. In addition to discussing the patterns of attack that have been demonstrated countless times by hackers, we showed how firewall log data can give notice of network infiltration attempts, data exfiltration, and more. Beyond that, we discussed how Network Configuration and Change Management (NCCM) solutions can contribute to a deeper IT security solution by helping to alert you to config changes on firewalls (and other network devices), in addition to a host of other capabilities.

 

The Security Threats From Within

In Part 3, we took an introspective look at the threats coming from within, or at least identified from within a business’s own network. We looked at how Active Directory® changes such as adding users to privileged groups, escalating privileges, and modifying user accounts may not only be indicators of malicious activity on the network, but the very acts themselves can create security holes that lead to future compromises. We discussed the need to track these changes appropriately in order to gain critical insight into anomalous activity and promote the long-term security health of an IT operation.
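The detective stance described earlier (establish what is “normal,” then distinguish the abnormal) and the Part 3 point about tracking Active Directory group-membership changes can be shown together in one small SIEM-style check. This is an added example, not code from the webinar series or from SolarWinds; the event IDs are assumed to follow Windows Security auditing, the privileged-group list is a hypothetical policy, and the log records are constructed.

```python
# Member-added event IDs, assumed per Windows Security auditing (4728 global, 4732 local, 4756 universal group).
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}

# Groups treated as privileged: a hypothetical policy list for this example.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample events (not real logs): one record per line as key=value pairs; spaces in names written as underscores.
SAMPLE_EVENTS = """\
event_id=4728 actor=idm-svc group=Helpdesk target=alice
event_id=4728 actor=idm-svc group=Helpdesk target=bob
event_id=4724 actor=idm-svc target=carol
event_id=4732 actor=dave group=Administrators target=dave
event_id=4728 actor=idm-svc group=Domain_Admins target=eve
event_id=4756 actor=frank group=Remote_Desktop_Users target=gina
"""

def parse_events(text):
    """Parse key=value records into dicts, keeping only lines that carry an event_id."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "event_id" in fields:
            fields = {k: v.replace("_", " ") for k, v in fields.items()}
            fields["event_id"] = int(fields["event_id"])
            events.append(fields)
    return events

def learn_baseline(events):
    """'Normal' is the set of actors seen changing group membership in a trusted observation window."""
    return {e["actor"] for e in events if e["event_id"] in MEMBER_ADDED_EVENTS}

def detect(events, baseline_actors):
    """Return (target, reasons) for each member-added event that warrants analyst review."""
    findings = []
    for ev in events:
        if ev["event_id"] not in MEMBER_ADDED_EVENTS:
            continue  # not a membership change; nothing to compare against the baseline
        reasons = []
        if ev.get("group") in PRIVILEGED_GROUPS:
            reasons.append("privileged_group")      # change to a high-value group, always review
        if ev["actor"] not in baseline_actors:
            reasons.append("unbaselined_actor")     # someone other than the usual change makers
        if reasons:
            findings.append((ev["target"], tuple(reasons)))
    return findings

def run():
    events = parse_events(SAMPLE_EVENTS)
    baseline = learn_baseline(events[:3])  # trusted window: the first three records
    return detect(events, baseline)
```

Routine Helpdesk changes by the provisioning account produce no findings, while the self-service add to Administrators is flagged on two counts; a real deployment would learn the baseline from a longer window and feed the findings into alerting.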

 

Two Schools of Thought: Security vs. Compliance

In Part 4, the final chapter of the Security Kung Fu Series, we covered a subject that had only served as an undertone in our previous sessions: compliance. We discussed why letting compliance rule a business’s security strategy can ultimately lead to pitfalls that compromise both objectives.
