Breaking Down The Critical Security Controls: CSC 12 – Boundary Defense
The Critical Security Controls cover the spectrum of Information Security from procedural to technical. The next control covered in my series is, in my opinion, one of the most difficult to master. Boundary defense is more than firewalls and routers. This control is about watching and reacting to the data moving through the network. That is not a simple task, and no one device alone can help you accomplish it.
Here is what the control says –
Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
The solution is not simple or cheap. A firewall alone is no longer sufficient to prevent many types of attacks or provide proper visibility into your environment’s behavior. Your boundary is the first line of defense and one of the first places an external attacker will look, scanning and probing the outer walls to find an entry point into the deeper layers of your network where the data resides. There are many avenues of entry, some more obvious than others, and no one person or team can continually keep an eye on all of them. This is where a collection of various technologies used in unison can help you.
These include, but are not limited to –
- Intrusion Detection Systems (IDS) – A device that monitors the network for attack patterns, viruses, malware, other malicious activity and policy violations. An IDS is passive, meaning it monitors and reports but doesn’t act.
- Intrusion Prevention System (IPS) – Similar to an IDS, but an IPS will actively block and prevent detected activity from advancing. Most current generation firewalls have some IPS capabilities built into them in the form of packet dropping, re-routing or blocking.
- Security Information Event Management System (SIEM) – Pronounced “See-eem” or “Sim”, the SIEM is the central collection point for all application, server, event and incident alerts. This allows for end to end correlation across all systems. When an IP address is detected coming in, a properly tuned SIEM can report on all the hops, systems and resources that subject accessed. A SIEM is a critical and required component of any security program.
- Web Filters – Prevent internal people from accessing unwanted external websites and services.
- Cloud Access Security Brokers (CASB) – Current generation filters specifically designed to monitor and control access and data flow to external cloud services.
- SSL Decryption – A process that decrypts all externally bound traffic so the data can be inspected before it leaves the organization.
Those mechanisms, together with other endpoint security components such as desktop level antivirus and DLP, can help you achieve deeper visibility into and control over the data flow through your environment. Recently most breaches are not caused by breaking the security barriers but rather by using legitimate access to move the data out. Strong access control is vital but not the end game when it comes to securing an environment properly.
How It Could Be Exploited
There are so many ways this could be exploited that I won’t list them here. Unless you have visibility and a structure of alerting in your environment you will never know anything. This could be as simple as an employee transferring a database out to a legitimate and approved cloud service, or an external entity setting up a TCP tunnel to gain access through a web port. This control isn’t about configuration or shutting off services but about watching what is allowed and whether what is being done is allowed.
You will never cover all your bases; one zero day announcement and you’re scrambling to close the hole or block the flow. Your risk assessments are how you identify what and where your biggest risks are and what you need to do to get eyes on that area. Hackers are clever and always changing their approaches. The best defense is to bring in technology that can dynamically monitor the behavior of the network rather than look for specific events. The simplest example comes out of the Anthem breach. The breach was discovered because a legitimate, trusted administrator account was seen in use while its owner was on vacation. Out-of-band patterns like that, defined only by the knowledge of your environment, are what you need to be looking for. Getting visibility end to end is the challenging and expensive part.
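Put together, the SIEM pivot described in the list above and the out-of-band pattern in the Anthem example look like this as a small detection routine. This is an added example, not code from the original post; the event format, the host names, the addresses and the HR leave calendar are all constructed sample data.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample events (timestamp, user, source IP, host, action); not real logs.
RAW_EVENTS = """\
2024-03-04T09:02:11Z,jdoe,10.20.5.14,fileshare01,read
2024-03-05T02:14:05Z,jdoe,203.0.113.7,vpn-gw,login
2024-03-05T02:15:40Z,jdoe,203.0.113.7,db01,query
2024-03-05T02:31:02Z,jdoe,203.0.113.7,db01,export
2024-03-05T02:33:19Z,jdoe,203.0.113.7,proxy01,upload
2024-03-05T08:45:00Z,asmith,10.20.5.22,fileshare01,read
"""
# Constructed HR input: accounts whose owners are on leave (inclusive date ranges).
OUT_OF_OFFICE = {"jdoe": (date(2024, 3, 5), date(2024, 3, 9))}

def parse_events(raw):
    """Parse CSV-style event lines into dicts; blank lines are skipped."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, host, action = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "src_ip": src_ip, "host": host, "action": action})
    return events

def out_of_band_use(events, out_of_office):
    """Flag activity by an account while its owner is recorded as on leave (Anthem-style pattern)."""
    flagged = []
    for e in events:
        window = out_of_office.get(e["user"])
        if window and window[0] <= e["ts"].date() <= window[1]:
            flagged.append(e)
    return flagged

def trace_source(events, src_ip):
    """SIEM-style pivot: every host and action a source IP touched, in time order."""
    trail = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src_ip"] == src_ip:
            trail[e["host"]].append(e["action"])
    return dict(trail)

def investigate(raw=RAW_EVENTS, out_of_office=OUT_OF_OFFICE):
    """Run the out-of-band check, then pivot on each flagged source address."""
    events = parse_events(raw)
    hits = out_of_band_use(events, out_of_office)
    return {ip: trace_source(events, ip) for ip in sorted({h["src_ip"] for h in hits})}

if __name__ == "__main__":
    print(investigate())
```

The out-of-band check alone only says that an account was used when it should not have been; the pivot is what turns that single alert into the full trail of hosts and actions to review.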
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.