Developing an Information Security Strategy: Putting All the Pieces Together
March 1, 2018 • Jason Dell
Previously we discussed our plans in this security blog series for a simplified approach to cybersecurity.
In Part 1 we discussed the importance of identifying and documenting your data assets—the data repositories that you have or the services that you provide that are critical to the success and growth of your business. We encouraged documenting the risks to your data assets, and suggested you consider the impact of compromise to your data assets.
Then in Part 2 we emphasized the importance of creating a written security policy to be included as one of your controls to mitigate risk to your data assets.
In Part 3, we walked you through how to evaluate your current controls.
Finally, in Part 4, the last installment of the series, we discuss effective security technologies that reduce the risk to your data assets, and mention products that provide those technologies.
Examples of security technologies and how they mitigate risk to data assets are:
- Next-Generation Firewall (NGFW)
- Web Security
- Email Security
- Endpoint Anti-Malware
- Access Control
MATCHING TECHNOLOGIES TO RISKS
Let’s state the obvious: If your enterprise is connected to the Internet, you need to have a firewall at the Internet edge. In general, a firewall will provide safe outbound Internet access, but permit just enough inbound Internet access to serve your Internet-facing applications (e.g. web servers or email servers).
First-generation and second-generation firewalls provide some level of control to mitigate the risk of direct access to your internal data resources, but they really only prevent bad actors from entering a front door that was left wide open, and will only mitigate the most basic of attacks. They will not provide the depth of threat mitigation that a next-generation firewall (NGFW) provides.
NGFWs provide Application Visibility and Control (AVC)
- Visibility: You can only protect what is visible to you. An NGFW, through deep-packet inspection, will identify endpoints and applications. Effective NGFWs will identify operating systems, web browsers, and web applications. Through threat intelligence, an NGFW will keep up with new and emerging applications. As well, an NGFW will identify users. An NGFW will build a comprehensive database of your environment.
- Control: With the comprehensive database of your environment, an NGFW will effectively block or allow specific applications depending on parameters that you define, including source, destination, username, or even geolocation. An effective NGFW AVC will be able to identify and control even elusive applications that utilize non-standard or ephemeral ports.
NGFWs provide Next-Generation Intrusion Prevention (NGIPS)
With the comprehensive database of your environment that AVC provides, NGIPS can enable and tune only relevant intrusion prevention rules that pertain to your specific environment. Other rules need not be enabled. If new endpoints and/or applications are added to your environment, AVC will add them to the database, and NGIPS will then enable the appropriate rule(s). NGIPS leverages threat intelligence to stay up-to-date with new vulnerabilities that may provide back-door access to sensitive data resources.
NGFWs provide Anti-Malware
Why let malware go all the way to the endpoint before it is identified? NGFWs have Anti-Malware capabilities to stop malware at the Internet edge rather than letting the malware traverse your internal network. Effective NGFWs will have Anti-Malware that provides continuous file analysis with retrospection. Files that were previously thought to be benign, but later are identified as malicious, can be tracked down and remediated.
NGFWs provide web visibility and control
Having the ability to evaluate URLs by category and risk at the Internet edge helps your NGFW build a more complete picture of your Internet application traffic. It can also help to mitigate URL connectivity to malicious infrastructures.
The Cisco ASA5500X-series, the Cisco Firepower 2100-series, the Cisco Firepower 4100-series, and the Cisco 9300-series Next-Generation Firewalls are effective next-generation firewalls that provide all of the threat mitigation services that I mentioned in this section.
An effective next-generation firewall will protect your data assets by mitigating the risk of direct access to your internal resources, but it will also mitigate the risk of accessing your internal resources through permitted traffic by evaluating application traffic behavior to look for and block malicious behavior. It will also block malware and exploits of application vulnerabilities to prevent theft, corruption, or exfiltration of sensitive data.
The Mr. Obvious Show: If your enterprise is connected to the Internet, you need to have web security. Web and email are the top two threat vectors. Blocking access to websites by category is a function that nearly all web security products can do and likely do fairly well. However, web security for the sake of mitigating risks to data assets requires deeper consideration.
A company website may not fall into a category that you choose to block, but the website may have a reputation for malicious behavior. As well, a given website may belong to a reputable company without any malicious intent. However, if the website is compromised it may, without the company's knowledge, be used for malicious intent, giving it a temporary bad reputation. An effective web security solution should, through threat intelligence, be able to learn very quickly of the reputation of web destinations and be dynamic enough to change the disposition from day to day.
Some web security solutions provide Anti-Malware for files downloaded through the web. Continuous file analysis with retrospection is a plus when it comes to web security.
A limitation of some web security products is that they can only inspect a subset of protocols and application traffic. An effective web security solution can inspect and protect applications regardless of the Internet protocols that they use.
An effective web security solution will leverage threat intelligence to evaluate the disposition of a destination by a number of factors other than just category, such as whether it distributes malware, whether it facilitates command-and-control, phishing attacks, dynamic DNS, DNS tunneling, or is a newly seen domain.
You want your users to have the same web security off-network as they have on-network to mitigate the chances of them bringing in malware (for example).
Cisco Umbrella and Cisco Web Security Appliance both provide effective web security, each appropriate for different use cases.
An effective web security solution will protect your data assets by mitigating the download or access of malicious files that could provide unsanctioned connectivity to the internal data resources. Effective web security will protect your data assets by mitigating the download of malware and ransomware, and command-and-control connections, that could facilitate the destruction, theft, or exfiltration of sensitive data.
People don’t talk about email security enough. As mentioned above, email and web are the top two threat vectors. Email is the #1 method of contracting ransomware. Spam is annoying for sure, but it is not necessarily a threat. An effective email security solution is a must for mitigating phishing attacks or the download of complex malware.
- Reputation: Email sources can have bad reputations (either temporarily or permanently). Effective email security will leverage reputable threat intelligence to evaluate the reputation of each sender.
- Anti-Malware: Point-in-time anti-malware is not sufficient for today’s complex malware threats. Continuous file analysis with retrospection will mitigate malicious attachments to phishing emails intended to obtain credentials or deploy ransomware.
Cisco Cloud Email Security and Cisco Email Security appliance both provide effective email security, each appropriate for different use cases.
Endpoints include servers, workstations and mobile devices. Laptops, tablets and smart phones come and go from your network. While off-network, they are not under the protection of your perimeter security products.
Continuous File Analysis
Point-in-time malware prevention only uses signatures to check a file once. Known bad files are dropped, while unknown files are allowed to pass and are never evaluated again. Modern malware often employs sleep techniques and other malware prevention evasion techniques to hide malicious intent long enough to pass through point-in-time malware prevention. Continuous file analysis keeps track of all files that the endpoint has ever seen and can quarantine a file that was previously allowed through, but is later discovered to be malicious.
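The difference between point-in-time checking and retrospection, as an added toy illustration (not any vendor's implementation): every file an endpoint sees is recorded by hash, and a later threat-intelligence change to "malicious" produces quarantine actions for every endpoint that was allowed to keep that file. The hash, endpoint names and paths are constructed sample values.

```python
"""Continuous file analysis with retrospection (constructed illustration)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class FileTracker:
    # hash -> "clean" | "malicious" | "unknown"  (assumed disposition vocabulary)
    dispositions: dict = field(default_factory=dict)
    # hash -> {(endpoint, path)}: every place the file has ever been observed
    seen: dict = field(default_factory=lambda: defaultdict(set))
    quarantine_log: list = field(default_factory=list)

    def on_file_seen(self, endpoint, path, sha256):
        """Point-in-time check: block known bad; otherwise allow but remember."""
        self.seen[sha256].add((endpoint, path))
        if self.dispositions.get(sha256, "unknown") == "malicious":
            self.quarantine_log.append((endpoint, path, sha256, "blocked-inline"))
            return "block"
        return "allow"  # unknown files pass, but they stay tracked

    def update_disposition(self, sha256, verdict):
        """Threat-intel update. A change to malicious triggers retrospection."""
        previous = self.dispositions.get(sha256, "unknown")
        self.dispositions[sha256] = verdict
        actions = []
        if verdict == "malicious" and previous != "malicious":
            # Every endpoint that was allowed to keep the file is told to quarantine it.
            for endpoint, path in sorted(self.seen.get(sha256, ())):
                actions.append((endpoint, path, sha256, "retrospective-quarantine"))
            self.quarantine_log.extend(actions)
        return actions


def demo():
    """Constructed scenario: an unknown attachment spreads before intel catches up."""
    t = FileTracker()
    h = "deadbeef" * 8  # constructed placeholder hash, not a real indicator
    first = t.on_file_seen("laptop-01", r"C:\Users\a\invoice.docm", h)  # allowed
    t.on_file_seen("server-02", "/srv/share/invoice.docm", h)           # allowed
    acts = t.update_disposition(h, "malicious")                         # retrospection
    later = t.on_file_seen("laptop-03", r"C:\tmp\invoice.docm", h)      # now blocked
    return first, [a[0] for a in acts], later
```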
Centralized reporting and configuration of endpoint security facilitates rapid deployment and policy changes. A centralized database is useful for determining the prevalence of applications, so that you can investigate unknown applications that are only deployed on one or two endpoints.
Effective endpoint anti-malware will protect your data assets by mitigating the download or access of files or resources that could provide unsanctioned connectivity to the internal data resources. As well, effective endpoint anti-malware will protect your data assets by mitigating the download of malware and ransomware, and command-and-control connections, that could facilitate the destruction, theft, or exfiltration of sensitive data.
Products We Recommend
Cisco AMP for Endpoints is an effective endpoint anti-malware solution.
Access to your network infrastructure can be via wired connection, wireless, or via VPN. Server and application authentication is not sufficient to protect your sensitive data. Access control at its core provides AAA: Authentication, Authorization, and Accounting.
- Access control controls WHO can connect to your network. In addition to user authentication, you may also require a certificate to be installed on the client endpoint as a means of secondary authentication verification.
- Access control controls WHAT can connect to your network. It puts you in control of the types of devices that you want to permit to connect to your network. You decide whether you want to permit BYOD, for example. It can also perform device profiling or posture assessment.
- Access control controls WHERE authenticated users/devices are permitted to navigate to based on certain criteria.
- Access control logs what authenticated users/devices have had access to. This is useful for forensics.
- Access control can provide guest provisioning to allow only the guests that you authorize to have access to the Internet.
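The WHO / WHAT / WHERE / logging split above as an added toy decision function (a constructed illustration, not Cisco ISE's policy model). The device classes, segments and session fields are assumed sample data; guests are assumed to authenticate with a sponsored credential only, while corporate devices need the client certificate as the second factor.

```python
"""AAA network access decision: authenticate, authorize, account (constructed)."""
from dataclasses import dataclass

ALLOW_BYOD = False  # policy knob: whether personally owned devices may connect at all

# WHAT: device classes the policy permits (from profiling)
PERMITTED_DEVICES = {"corporate-laptop", "corporate-server", "guest"}
if ALLOW_BYOD:
    PERMITTED_DEVICES.add("byod-phone")

# WHERE: segments each device class may reach; guests get the Internet only
REACHABLE = {
    "corporate-laptop": {"user-vlan", "internet"},
    "corporate-server": {"server-vlan"},
    "byod-phone": {"internet"},
    "guest": {"internet"},
}

ACCOUNTING_LOG = []  # Accounting: every decision, permit or deny, is recorded


@dataclass
class Session:
    user: str
    password_ok: bool   # primary credential check result (assumed)
    cert_ok: bool       # client certificate present and valid (secondary factor)
    device_type: str    # from device profiling
    posture_ok: bool    # e.g. endpoint anti-malware running and current


def _account(s, destination, result):
    ACCOUNTING_LOG.append({"user": s.user, "device": s.device_type,
                           "dest": destination, "result": result})
    return result


def decide(s: Session, destination: str) -> str:
    """Return 'permit' or 'deny:<reason>'; always writes an accounting record."""
    # WHO: guests need the sponsored credential; everyone else needs both factors
    needs_cert = s.device_type != "guest"
    if not s.password_ok or (needs_cert and not s.cert_ok):
        return _account(s, destination, "deny:authentication")
    # WHAT: device class and health
    if s.device_type not in PERMITTED_DEVICES:
        return _account(s, destination, "deny:device-type")
    if not s.posture_ok:
        return _account(s, destination, "deny:posture")
    # WHERE: only the segments this device class is allowed to navigate to
    if destination not in REACHABLE.get(s.device_type, set()):
        return _account(s, destination, "deny:destination")
    return _account(s, destination, "permit")
```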
Effective access control will protect your data assets by mitigating unauthorized connectivity to your network infrastructure, including to sensitive internal data resources.
Cisco Identity Service Engine is an effective access control solution.
Having discordant security products is not as effective as security products that work together as a security system. Having to look at multiple products to investigate a potential breach is frustrating and ineffective. Consider whether your security products pass contextual security information between each other. Reduce the management interfaces, where possible.
- Identify your Data Assets.
- Document the Risks to your Data Assets, and the impact of compromise to your data assets.
- Develop/revise a Written Security Policy as a tool to mitigate risks to your data assets.
- Evaluate how well your Current Controls mitigate risks to your data assets.
- Determine Security Technologies to mitigate the risks to your data assets.
- Select Security Products that provide the security technologies that mitigate the risks to your data assets.
…and repeat at least annually.
Repeatedly we hear that it is not a matter of IF you will be compromised, but WHEN you will be compromised. Keep your data assets in focus. Being transparent with upper management with risk and potential impact of compromise will help to gain support and get your security projects approved. NSI is your trusted partner for helping you assess your overall security posture and to help you develop a roadmap for risk mitigation. Reach out to NSI for more information. We're happy to help!