If you ask any end user, “Are you OK with doing business with a company that has recently had a major security breach?,” the usual response will be NO.
That answer is exactly what organizations should be worried about because it directly impacts their business, and can also weaken their brand and reputation in the market. Your Competitors can thus leverage this weakness of yours to acquire your customers.
The shift to a digital economy has increased the dependency of businesses on IT systems, and the necessity of leveraging technology to reach a potentially large customer base. The exponential growth of customers accessing the Internet with newer devices, and new channels to access required services quickly and economically, has forced enterprises to be more accessible and reliable. One major way customers determine if an organization is “reliable” is when it is a known or desirable brand that also allows them to access services easily and securely. When it comes to establishing reliability, Information Security or IT Security plays a major role.
Today’s cybercriminals run their operations like a business, and to be successful they constantly invest in the latest tools in order to circumvent security and breach the networks of their targeted victims. As a result, today’s security landscape is highly dynamic and constantly evolving. To keep ahead of hackers, IT departments also need to stay at the cutting edge of security technology. The IT department has to add the image of a “protector” to that of “facilitator” for organization’s IT infrastructure. At the same time, enterprises need to move beyond their traditional “Detect and Remediate” approach to security to a “Prevent and Analyze” strategy.
For IT Security department, security starts at the constantly shifting enterprise perimeter and access points. This has always been the first line of defense, and even in increasingly borderless environments protecting the demarcation point between inside and outside still needs to be the effective in order to identify and thwart threats before they enter the enterprise. Traditionally, the enterprise perimeter has been protected by a firewall, as Internet connections from ISPs terminate here and it serves as the primary ingress/egress point for enterprise traffic. Over time, firewalls were gradually replaced by UTMs, which are now being replaced by Next Generation Firewalls. With the advent of cloud services, mobile devices, public networks, and multiple ways to access information, the enterprise boundary has changed from a physical edge to a logical one. However, there still needs to be a starting point where we define the enterprise perimeter, and ingress/egress points are still a good place to start.
When securing the perimeter, a few things need to be considered:
- Define “The Enterprise”: The first step is to define the distributed organization. This includes the datacenter, branch offices, HQ, cloud-based services, mobile users, consultants and clients, and end user devices. This not only includes identifying physical locations, but the business verticals and functions and various business processes running across the organization. Remember, you can only implement protections if you know what needs to be protected.
- Identify all possible entry / exit points: Based on the regular assessment of your network, continually identify all physical and logical entry/ exit points to where organizational data is generated, stored, transmitted, used, archived, or deleted. The complete lifecycle of enterprise data needs to be understood to clearly demarcate the entry/exit points or gateways.
- Analyze the traffic flowing through access points: Once your gateways are defined, the next step is to analyze the data that is traversing through these gateways. This will not only require a set of analysis tools, but input from the business in order to understand the context of that data.
- Calculate possible risk associated with moving data: Once content and context is being analyzed, associate risks with that data. Ask questions like, “Is there any threat if this data leaves the organization without authorization?” Or, “Can the data traversing through the gateway be leveraged to create a channel for the entry of malware?”
- Secure the gateways: The next step would be to implement strict security controls on these gateways. There are lots of solutions available in the market to meet this requirement, e.g. Web Security Gateways for HTTP traffic, Email Security Gateways for SMTP traffic, NGFWs with AV, IPS, URL Filtering, etc. for the traffic at the datacenter gateway. There are equivalent solutions for cloud and virtualized environments. An important point to remember is to have visibility into the traffic that is traversing through the gateway, which includes SSL decryption (since today, 50-60% of all traffic is protected by SSL), or Application Identification that allows administrators to understand the applications being used (or misused) in the organization.
- Segment the network: Once traffic has been identified and analyzed, it needs to be directed to secure network zones or segments. Segmentation protects sensitive data, can isolate less trustworthy data, such as IoT, extends security visibility deeper into the network, and provides controls all along the data path.
- Correlate threat intelligence: Given the speed at which breaches and data theft can occur, it is essential that deployed security devices are able to share and correlate threat intelligence, and where possible, automatically synchronize a response. This may require transitioning from the traditional point-product approach of deploying isolated security devices to developing a security framework approach, such as a security fabric, that ties security together into a holistic whole.
- Enable Alerting: The next step is to enable alerting. Such alerting can be directed to administrators, ISOs, server owners, or business owners to enable them to see problems, initiate remediation, or even better, monitor automated security responses. Alerting can also be enabled on end user interfaces to remind them that their actions are being monitored, and at those points where traffic necessarily crosses between network segments.
- Action Plan for security alerts: Prepare and keep handy the remediation plan / SOP that needs to be triggered in case any alert is received by the respective individuals. These action plans should clearly have a RACI (Responsible, Accountable, Consulted, and Informed) matrix defined with timelines for any action to be initiated.
- Forensic Analysis: Once an identified incident has been controlled, a detailed forensic analysis needs to be done on the incident. This will enable the security team to identify the possible vulnerability in the infrastructure, along with which devices may have been compromised, and take corrective actions to prevent future occurrences of similar nature.
- Ongoing Monitoring and Control: Once a process has been established, security systems need to be continuously monitored, alerts acknowledged, corrective actions taken, and improved prevention strategies implemented. should be part of the IT security operations.
- User Training: An critical component of any security strategy is the regular education of end users to enable them to not only reduce risky behavior, but to enlist them as combatants against hackers by fortifying what is often the weakest link in the entire security chain.
- Management Reporting: Effective reporting enables business leadership to see and acknowledge the IT Security team’s efforts to ensure the business remains up and running, and that any possible losses due to breaches are minimized or averted. Most of the organizations miss this bit, and the result is that business leaders and LOBs will unnecessarily debate the budgets allocated to IT security.
Everyone knows that there is no such thing as 100% security. However, there needs to be a place where we strive to reach as close as possible to that goal. Definitely, the enterprise perimeters and access points, whether physical or logical, are the best places to start because you can only protect what you can see.
About the Author:
Prasanna works with Intertec Systems at Senior Presales Consultant – Security and has more than 13 years of experience in providing security consulting services to industry leaders across the globe. He has keen interest in addressing the challenges that are arise due to the dynamic nature of IT security landscape.