Geek Speak

6 Posts authored by: chrisgrundemann

We made it! This is the final post in this six-part series mapping the cybersecurity landscape through a new reference model for IT infrastructure security. Thank you for coming along on this journey with me. Now it’s time to take a look at where we’ve been, review the map itself, and discuss how to put it to work in your own environment.

 

We started the series by reviewing some of the most popular and useful models and frameworks currently available. While all of these can serve as maps to help us build a secure infrastructure, they leave us with a couple fundamental questions unanswered:

  • Which tools provide defense in depth, and which are just causing duplication?
  • How do I compare competing products and the protections they provide?

 

To help answer those questions, we needed a clear way to map where individual security tools fit into a comprehensive security infrastructure. That’s where the reference model comes in, and the following four posts each zoomed in on each of the four domains of IT security:

  • Perimeter - Network Security, Email Security, Web Security, DDoS Protection, Data Loss Prevention, and Ecosystem Risk Management
  • Endpoint & Application - EPP / EDR, Patch & Vulnerability Management, Encryption, Secure Application Delivery, Mobile Device Management, and Cloud Governance
  • Identity & Access - SSO (IAM), Privileged Account Management, Multi-Factor Authentication, CASB, Secure Access (VPN), and Network Access Control
  • Visibility & Control - Automation & Orchestration, SIEM, UBA / UEBA, Device Management, Policy Management, and Threat Intelligence

 

Now we can zoom out and take a look at the full picture:

Reference Model for IT Infrastructure Security

 

Think of this like one of the maps you might find in a mall or other public area, telling you confidently: you are here.

 

This particular map aims to give you the ability to answer those two stubborn questions above. By knowing which domain and category within the InfoSec landscape you are dealing with, you can evaluate various tools in an apples to apples comparisons. When the latest hot security company or product comes on the market, you can judge it against your existing infrastructure by placing it on this map.

 

How many network security devices, SSO services, or threat intelligence providers you need is unique to each organization. However, there is a big difference between intentionally adding depth to your security posture and unwittingly adding duplication. Use this model to ensure you only add the tools you really need, filling a gap or replacing a less adequate solution.

 

Speaking of gaps, that's another great way to use this map. There’s a third important question we can answer: Does your current security infrastructure provide the protection you need? Once you understand your organization’s risks and goals, you can use this model to ensure that all the right boxes are filled with a product or service that does the needed job.

 

Not every company needs a tool in each of these categories, of course, and some of you may need multiple protections in one or more of the categories. Also note that there are various ways to provide those protections. Each of these categories can be addressed by technical tools (hardware, software, and services), legal tools (e.g., contracts), organizational tools (policies and procedures), and human “tools” (like training and awareness), or a combination of two or more of these countermeasures. The key is understanding where real gaps exist, and what’s available to fill them.

 

Finally, we must always remember that the map is not the terrain. While I have found this model to be extremely useful in many discussions with CIOs, CISOs, IT management, and security practitioners, it can’t tell the whole picture. Thinking about the NIST Cybersecurity Framework of Identify, Protect, Detect, Respond, and Recover. This model sits mostly in the protect and detect realms. You still need talented staff or third parties to identify your most valuable assets, your compliance requirements, and your risks, goals, and vulnerabilities. Not to mention responding to attacks that do occur and recovering after an incident with policy updates, tool refreshes, or public relations.

 

Now it’s up to you – how will you use this new resource to better protect your organization?

Today, in the fifth post of this six-part series, we’re going to cover the fourth and final domain of our reference model for IT infrastructure security. Not only is this the last domain in the model, it is one of the most exciting.

 

As IT professionals, we are all being asked to do more with less. This is why we need security tools that give us more visibility and control. But what do those tools look like? Let’s take a peek.

 

Domain: Visibility & Control

If we were securing a castle, it might be good enough to go to a high tower to see the battlefield, and we might be able to use horns or smoke signals to coordinate our defense. In a modern organization, we need to do a little better than that. Real-time visibility providing contextual awareness and granular control of all our security tools is required to defend against today’s threats.

 

The categories in the visibility and control domain are: automation and orchestration, security incident and event management (SIEM), user (and entity) behavior analytics (UBA/UEBA), device management, policy management, and threat intelligence.

 

Category: Automation and Orchestration

Automation and orchestration are the tools that make it easier to operate a secure infrastructure. These tools should work across the vendors in your environment and simplify the job of your security practitioners by reducing tedious and error prone manual tasks, reducing incident response times, and increasing operational efficiency and resiliency. This category is still emerging. This means that even more than the other categories, there is an option to build this functionality with open source tools and, more recently, to buy a commercial platform.

 

Category: SIEM

Security information and event management (SIEM) products and services combine security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware. SIEM solutions collect and correlate a wide variety of information, including logs, alerts, and network data-flow characteristics, and present the data in human-readable formats that administrators use for a variety of reasons, such as application tuning or regulatory compliance. More and more, these tools are complemented with some form of automation platform to provide instructions to analysts for how to deal with alerts, or even act on them automatically!

 

Category: UBA / UEBA

User behavior analytics (UBA) solutions look at patterns in user behavior and then use algorithms or machine learning to detect anomalies to prevent insider threats like theft, fraud, or sabotage. User and entity behavior analytics (UEBA) tools expand that to look at the behavior of any entity with an IP address to more broadly encompass "malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP."

 

Category: Device Management

Device management is all about managing your security devices. These tools are often vendor-specific, and most attempt to display data in a single pane of glass using a central management system (CMS).  Recently, many vendors have recognized the need for a single interface and have enabled APIs to accommodate third-party reporting. Going forward, these tools may be replaced or controlled by other, vendor-agnostic automation tools in a more mature security infrastructure.

 

Category: Policy Management

Policy management tools make it easier to maintain homogeneous security policies across a large number of devices. These tools were initially vendor-specific, but vendor-neutral policy managers are becoming more prolific. They give the ability to deploy a common policy across an organization, a group of devices, or to a single device.  Additionally, Policy Management tools often give a user the ability to test/validate configurations before deploying them.  Finally, Policy Management tools provide a mechanism to create configuration templates used for no-touch/zero-touch provisioning.

 

Category: Threat Intelligence

Threat intelligence can take many forms. The unifying purpose of them is to provide you, your security organization, and your other security tools information on external threats. Threat intelligence gathers knowledge of malware, zero-days, advanced persistent threats (APT), and other exploits so that you can block them before they affect your systems or data.

 

One More Thing

In the final post in this series we’ll look at the full model that has been described thus far and consider how you can put it to use to meet your individual security goals. Be sure to stick with me for the conclusion!

Where are you? Halfway through this 6-part series exploring a new reference model for IT infrastructure security!

 

As you learned in earlier posts, this model breaks the security infrastructure landscape into four domains that each contain six categories. While today’s domain may seem simple, it is an area that I constantly see folks getting wrong--both in my clients and in the news. So, let’s carefully review the components that make up a comprehensive identity and access security system:

 

DOMAIN: IDENTITY & ACCESS

Your castle walls are no use if the attacking hoard has keys to the gate. In IT infrastructure, those keys are user credentials. Most of the recent high-profile breaches in the news were simple cases of compromised passwords. We can do better, and the tools in this domain can help.

 

The categories in the identity and access domain are; single sign-on (SSO – also called identity and access management, IAM), privileged account management (PAM), multi-factor authentication (MFA), cloud access security brokers (CASB), secure access (user VPN), and network access control (NAC).

 

CATEGORY: SSO (IAM)

The weakest link in almost every organization’s security posture is its users. One of the hardest things for users to do (apparently) is manage passwords for multiple devices, applications, and services. What if you could make it easier for them by letting them log in once, and get access to everything they need? You can! It’s called single sign-on (SSO) and a good solution comes with additional authentication, authorization, accounting, and auditing (AAAA) features that aren’t possible without such a system – that’s IAM.

 

CATEGORY: PAM

Not all users are created equal. A privileged user is one who has administrative or root access to critical systems. Privileged account management (PAM) solutions provide the tools you need to secure critical assets while allowing needed access and maintaining compliance. Current PAM solutions follow “least access required” guidelines and adhere to separation-of-responsibilities best practices.

 

CATEGORY: MFA

Even strong passwords can be stolen. Multi-factor authentication (MFA) is the answer. MFA solutions combine any of the following: something you know (the password), something you have (a token, smart phone, etc.), something you are (biometrics, enrolled device, etc), and/or somewhere you are (geolocation) for a much higher level of security. Governing security controls, such as PCI-DSS, and industry best practices require MFA to be in place for user access.

 

CATEGORY: CASB

According to Gartner: “Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention, and so on.” If you are using multiple SaaS/PaaS/IaaS offerings, you should probably consider a CASB.

 

CATEGORY: SECURE ACCESS (VPN)

Your employees expect to work from anywhere. You expect your corporate resources to remain secure. How do we do both? With secure access. Common components of a Secure Access solution include a VPN concentrator and a client (or web portal) for each user. Worth noting, the new category of software defined perimeter (SDP) services mentioned in part 2 often look and act a lot like an always-on VPN. In any case, the products in this category ensure that users can securely connect to the resources they need, even when they’re not in the office.

 

CATEGORY: NAC

Let’s say a criminal or a spy is able to get into your office. Can they join the Wi-Fi or plug into an open jack and get access to all of your applications and data? Less nefarious, what if a user computer hasn’t completed a successful security scan in over a week? Network access control (NAC) makes sure the bad guys can’t get onto the network and that the security posture of devices permitted on the network is maintained. Those users or devices that don’t adhere to NAC policies are either blocked or quarantined via rules an administrator configures. Secure access and NAC are converging, but it’s too early for us to collapse the categories just yet.

 

ONE MORE DOMAIN!

While we’ve made a lot of progress, our journey through the domains of IT infrastructure security isn’t over yet. In the next post, we’ll peer into the tools and technologies that provide us with visibility and control. Even that isn’t the end though, as we’ll wrap the series up with a final post covering the model as a whole, including how to apply it and where it may be lacking. I hope you’ll continue to travel along with me!

So far in this series we have reviewed a few popular and emerging models and frameworks. These tools are meant to help you make sense of where you are and how to get where you’re going when it comes to information security or cybersecurity. We’ve also started the process of defining a new, more practical, more technology-focused map of the cybersecurity landscape. At this point you are familiar with the concept of four critical domains, and six key technology categories within each. Today we’ll dive into the second domain: Endpoint and Application.

 

I must admit that not everyone agrees with me about lumping servers and applications in with laptops and mobile phones as a security domain. I admit that the choice was a risk, but I believe it makes the most sense. So many of the tools and techniques are the same for both groups of devices. Especially now, as we move our endpoints out onto networks that we don’t fully control (or control at all in some cases). Let’s explore it together - and then let me know what you think!

 

Domain: Endpoint & Application

If we stick with the castle analogy from part 2, endpoints and applications are the people living inside the walls. Endpoints are the devices your people use to work: desktops, laptops, tablets, phones, etc. Applications are made up of the servers and software your employees, customers, and partners rely upon. These are the things that are affected if an attack penetrates your perimeter, and as such, they need their own defenses.

 

The categories in the endpoint and application domain are endpoint protection, detection, and response (EPP / EDR), patch and vulnerability management, encryption, secure application delivery, mobile device management (MDM), and cloud governance.

 

Category: EPP / EDR

The oldest forms of IT security are firewalls and host antivirus. Both have matured a lot in the past 30+ years. Endpoint protection (EPP) is the evolution of host based anti-malware tools, combining many features into products with great success rates. Nothing is perfect, however, and there are advanced persistent threats (APT) that can get into your devices and do damage over time. Endpoint detection and response (EDR) tools are the answer to APT. We're combining these two concepts into a single category because you need both – and luckily for us, many manufacturers now combine them as features of their endpoint security solution.

 

Category: Patch and Vulnerability Management

While catching and stopping malware and other attacks is great, what if you didn’t have to? Tracking potential vulnerabilities across your systems and automatically applying patches as needed should reduce the exploit capabilities of an attacker and help you sleep better at night. While you can address patch management without vulnerability management, I recommend that you take a comprehensive and automated approach, which is why they are both covered in this category.

 

Category: Encryption

When properly applied, encryption is the most effective way to protect your data from unwanted disclosure. Of course, encrypted data is only useful if you can decrypt it when needed – be sure to have a plan (and the proper tools) for extraction! Encryption/decryption utilities can protect data at rest (stored files), data in use (an open file), and data in motion (sending/receiving a file).

 

Category: Secure Application Delivery

Load balancers used to be all you needed to round-robin requests to your various application servers. Today application delivery controllers (ADC) are much more than that. You always want to put security first, so I recommend an ADC that includes web application firewall (WAF) and other security features for secure application delivery.

 

Category: Mobile Device Management

EPP and EDR may be enough for devices that stay on-prem, under the protection of your perimeter security tools, but what about mobile devices? When people are bringing their own devices into your network, and taking your devices onto other networks, a more comprehensive security-focused solution is needed. These solutions fall under the umbrella of mobile device management (MDM). 

 

Category: Cloud (XaaS) Governance

Cloud Governance is a fairly emergent realm and in many ways is still being defined. What’s more is that to an even higher degree than the other categories here, governance must always include people, processes, and technology. Since this reference model is focused on technology and practical tools, this category includes technologies that enable and enforce governance.  As your organization becomes more and more dependent on more and more cloud platforms, you need visibility and policy control over that emerging multi-cloud environment. A solid cloud governance tool provides that.

What's Next?

We are now three parts into this six-part series. Are you starting to feel like you know where you are? How about where you need to be going? Don’t worry, we still have two more domains to cover, and then a final word on how to make this model practical for you and your organization. Keep an eye out for part 4, where we’ll dive into identity and access - an area that many of you are probably neglecting, despite its extreme importance. Talk to you then!

In part 1 of this series, we covered some of the most prevalent and most promising cybersecurity models and frameworks available today. These are all tools that can help you determine the size and shape of the current information security landscape, and where you and your organization are within it. We also realized that even with all of this, you still can’t answer some fundamental questions about the specific technology you need to protect your digital infrastructure. As promised, I’m going to spend the next four posts covering the four critical domains of IT infrastructure security and the categories they each contain. Let’s start today with the perimeter.

 

Domain: Perimeter

The perimeter domain can be seen as the walls of a castle. These technologies are meant to keep information in and attackers out.  In many cases, a Demilitarized Zone (DMZ) and other public network services are exposed to the routable internet via systems within the perimeter domain. Additionally, an organization may have multiple perimeters, similar to an outer wall and an inner wall protecting a castle.

 

The categories in the perimeter domain are network security, email security, web security, DDoS protection, data loss prevention (DLP), and ecosystem risk management.

 

Category: Network Security

Network security is typically the primary line of defense for traffic entering or leaving an organization’s network, providing a first-look analysis of traffic inbound and a last-look at traffic leaving your network’s span of control. The primary products in this category are firewalls, network intrusion detection/prevention systems (IDS/IPS), deep packet inspection (DPI), and other security gateways. Today, we rely on so-called next generation firewalls (NGFW) to package the functionality of what used to be many devices into a single appliance or virtual machine. More and more we are facing the challenges of deperimeterization as BYOD and cloud services stretch and blur the previously hard lines that defined our networks' boundaries. This is leading to the rise of software defined perimeter (SDP) tools that push security to the very edge of your new multi-cloud network.

 

Category: Email Security

Email has become a nearly universal communication medium for individuals and businesses alike, which also makes it a prime attack vector. Spam (Unsolicited Commercial Email - UCE) has been a nuisance for many years, and now phishing, click-bait, and malware attachments create real organizational threats. These attacks are so prolific that it often makes sense to layer email-specific security measures on top of network and endpoint solutions. Included within this category are email security products that offer antivirus, anti-spam, anti-phishing, and anti-malware features. Additional tie-ins to DLP and encryption are also available.

 

Category: Web Security

Much of our online activity centers around the web. This is increasingly true in our more and more SaaS-focused world. Web security seeks specifically to protect your users from visiting malicious websites. URL filtering (whitelist/blacklist) and other DNS tools fit into this category. Today, known and emerging threats are addressed within this category using Advanced Threat Protection (ATP) capabilities to analyze, diagnose, and dynamically implement rules governing web access in real-time.  This capability is typically provided using a subscription service to a threat database that has an influence on data exchange or name resolution traffic traversing a network.

 

Category: DDoS Protection

Pundits and others spend a lot of time talking about “going digital.” What this likely means to you is that internet access is crucial to your business. Your employees need to reach the information and services they need, and your customers need to reach your website and other applications. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks generate malformed/malicious packets or an excessive amount of inbound traffic to flood systems responsible for responding to valid queries.  Under such an attack, systems are unable to keep up with responses. D/DoS protection services recognize these attack techniques and implement methods to block the attempts or clean the inbound data streams so that only the valid traffic remains.

 

Category: Data Loss Prevention

Data is the new gold. Your intellectual property is now made up of ones and zeros, so you can’t lock it in a file cabinet or a safe. You can still protect it though – probably better than you could when it was on paper. Data loss prevention (DLP) tools classify, analyze, and react to data at rest, in use, or in motion. DLP ensures that your data remains available to those who need it, and out of the hands of would-be attackers.

 

Category: Ecosystem Risk Management

Your cybersecurity is only as strong as the weakest link in your ecosystem. A vulnerability anywhere in the supply chain escalates organizational risk and jeopardizes productivity, profitability, and reputation. Partner, supplier, and vendor security risk is a major area that cannot be ignored as a business issue any longer. You need to be able to continuously identify, monitor, and manage risk to improve the cyberhealth of your vendor ecosystem.

 

Up Next

Obviously, the castle walls are only one part of a well-crafted defense. In the next three posts of this 6-part series, we’ll cover the remaining domains of endpoint & application, identity & access, and visibility & control. In the final post, we’ll look at the full model that these four domains create, how it fits into the broader cybersecurity landscape, and provide some advice on how to put it all into practice. Stay tuned!

Now that we all carry supercomputers complete with real-time GPS mapping in our pockets, a reference to physical maps may feel a bit antiquated. You know the ones I’m talking about; you can still find them at many malls or theme parks, and even some downtown city streets. It’s usually a backlit map on a pillar with a little arrow marking “you are here.” It’s designed to give you a sense of where you are and how to get where you're going. While that physical map may feel a bit dated, at least it’s still effective. That’s more than I can say for many of the InfoSec practices, products, and procedures we find at companies of all shapes and sizes.

 

That security gap is really not surprising though. Organizations and individuals alike are becoming more and more connected, while information and assets are becoming more and more digital. At the same time, the bad guys are becoming more and more organized and sophisticated. It feels like new threats, vulnerabilities, and breaches are announced every day. To keep pace, vendors seem to announce new products every week, not to mention all the new companies that are constantly popping up. As security professionals, we are left trying to sort out the mess. Which tools provide defense in depth, and which are just causing duplication? How do I even compare competing products and the protections they provide?

 

Luckily there are some models, frameworks, and best practices available to help us figure it all out.

 

Three of the most widely known and referenced are ISACA COBIT, ISO 27002, and NIST CSF:

  • COBIT is a "business framework for the governance and management of enterprise IT” published by the Information Systems Audit and Control Association (ISACA). Governance is the key word there; this is a high-level framework to help executives execute policies and procedures. It’s the widest in scope, is best used for aligning business objectives with IT and security goals, and can be thought of as a strategic base for the ISO and NIST frameworks.
  • ISO 27002 is a set of best practice recommendations for implementing an Information Security Management System (ISMS) published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is essentially a list of checklists for operational controls that are used in conjunction with the requirements laid out in ISO 27001 to help ensure that your approach is comprehensive.
  • The Cyber Security Framework (CSF) published by the US National Institute for Science and Technology (NIST) is much more tactical in nature. Its most recognizable aspect is called the “Framework Core,” which includes five functions: Identify, Protect, Detect, Respond, and Recover. It also includes “Implementation Tiers” and “Profiles” to help you define your current risk management abilities and future/target goals within each of the functions.

 

A couple additional frameworks that are less well known but worth reviewing are RMIAS and ATT&CK:

  • RMIAS stands for Reference Model for Information Assurance & Security. This model "endeavors to address the recent trends in the IAS evolution, namely diversification and deperimeterization.” It describes four dimensions (security development lifecycle, information taxonomy, security goals, and security countermeasures) and incorporates them into a methodology that helps to ensure completeness, risk analysis, cost-effectiveness/efficiency, and consistency in your IAS practice.
  • ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge. It "is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.” In other words, it contains deep knowledge about how and where the bad guys are known to attack. Provided by MITRE, a non-profit R&D organization, it is gaining wide acceptance among practitioners and vendors alike as a common language and reference.

 

Of course, there are also a growing list of industry specific frameworks, models, and regulations like HIPAA, HITRUST, FEDRAMP, PCI-DSS, SOC, CIS, and more. While all of this is great, I’m still left with those same questions: Which tools provide defense in depth, and which are just causing duplication? How do I even compare competing products and the protections they provide?

 

What we require is a more practical model of the specific technologies needed to secure our organizations.

 

Through the remainder of this series, I will introduce and describe a reference model of IT infrastructure security that aims to fill this gap. Over the next four posts I will illustrate four technology domains (perimeter, endpoint & application, identity & access, and visibility & control), including the current drivers and the specific categories within each. Then, in the final post, I will describe how this model fits within the broader ecosystem of cybersecurity countermeasures and provide some advice on how to put it all into practice.

Filter Blog

By date: By tag:

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.