Protecting the Perimeter – A Cyber Defense Strategy
If you have read my past articles, you will know that I am a big fan of proactive defense strategies when it comes to protecting your company network and infrastructure and, at bottom, your “IP”, or intellectual property, whatever form it takes (customer data, medical data, strategic plans, etc.). The strategy, and a smart one, comes down to keeping the attacker as far away from the inside of your network as possible.
Your cyber defense strategy should include solutions of three kinds (process, technology, and third-party vendors) to cover both everyday “events” (routine, observable activity) and the “incidents” (events that actually cause or threaten harm) that occur less often. A good cyber defense strategy will include all three kinds of solution, and may involve more than one of each. I have been protecting and defending company networks for the last 20+ years, and I believe my approach has been quite successful. Of course, solutions differ from one network and topology to the next. Some of the third-party providers would likely differ too: where I was not the original InfoSec leader, solutions were already in place, and I had to work with those existing programs to be successful.
Your company may well have a network operations center (NOC) that offers monitoring of your network; this is likely in larger companies. Do not rely on NOC staff alone. They are focused on whether network appliances are running and have enough memory, CPU and other operational headroom; they are far less interested in the traffic and user behaviors that indicate someone is targeting your company. Your NOC staff will certainly be a partner you work with to implement router changes, firewall blocks and other infrastructure needs, BUT it is vital that your information security team conduct its own perimeter monitoring.
Your monitoring can be accomplished several ways: internally, externally, or both. Most companies and organizations have a SIEM or log aggregator that collects their logs (firewalls, IDS, IPS, VPN, etc.), but in many cases they lack the resources to manage it properly, which is time-consuming and frustrating without adequate staff. Some companies use MSSPs (Managed Security Service Providers) for the first level of log analysis and event monitoring (the SOC, or Security Operations Center) and then escalate to an internal team that handles the next stage of research and investigation. In these scenarios the MSSP may offer its own SIEM solution and manage it completely. I have worked in numerous environments that included both scenarios: an internal team managing the SIEM and monitoring 100%, and a combination of internal and external teams accomplishing the task. There are pros and cons to both. First and foremost, most MSSPs operate 24×7, while your internal team may not; whether that matters depends on your environment and its need for continuous coverage. In some environments the combined scenario works out well.
When choosing an MSSP, there are many to choose from. I will say from my experience that there are two I really enjoy working with, and they have proven to be greatly flexible in their offerings to their clients. What I mean is that many of the large, well-known MSSPs (Dell, Symantec, HP) are all stuck on one solution that fits all, with no room for flexibility. For an enterprise that requires a fully managed, fully outsourced solution, these MSSPs are the way to go. That is not my recommendation, as I believe there needs to be a partnership and collaboration between the MSSP and your internal information security staff, because only you know your business best. The two MSSPs that I really like are CSC and Solutionary. (If you have questions offline, email me and I can provide greater details.)
In addition to the partnership between your MSSP and the internal staff handling escalation of events and incidents, there is the team engaged in a proactive monitoring strategy. I wrote a whole other article on proactive monitoring and investigation; it is a concept that works really well. The core need is to understand your own network traffic: what is normal versus abnormal, and what is authorized versus anomalous, so that your own vulnerability scanner probing many ports is recognized as routine while the same pattern from an unknown source is not. Together, these strategies will keep your perimeter well monitored and watched.
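As an added example (not code from the original article or from any vendor it names), the following Python script shows the kind of first-level triage that the SIEM or MSSP SOC described above performs, and the normal-versus-anomalous distinction this paragraph calls for: it parses firewall deny events, summarizes each source by the distinct ports and hosts it touched, suppresses sources on an authorized-scanner list, and grades the rest for escalation to the internal team. The log format, the `fw1` hostname, the addresses, the authorized range and the thresholds are all constructed for illustration.

```python
"""First-level triage of firewall DENY events (added example; constructed data).

Parses key=value deny lines, summarizes each source by how many distinct
destination ports and hosts it touched, and separates authorized activity
(e.g. your own vulnerability scanner) from anomalous activity that should be
escalated from the SOC to the internal investigation team.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log format; a real firewall's syslog differs, so adapt the regex.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) DENY proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) spt=\d+ dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample: one port scan, one host sweep on 445, one authorized
# scanner, one stray DNS packet, and one line in a format the regex can't read.
SAMPLE_LOGS = """\
2015-03-02T09:00:01Z fw1 DENY proto=tcp src=203.0.113.7 spt=40001 dst=198.51.100.10 dpt=21
2015-03-02T09:00:01Z fw1 DENY proto=tcp src=203.0.113.7 spt=40002 dst=198.51.100.10 dpt=22
2015-03-02T09:00:02Z fw1 DENY proto=tcp src=203.0.113.7 spt=40003 dst=198.51.100.10 dpt=23
2015-03-02T09:00:02Z fw1 DENY proto=tcp src=203.0.113.7 spt=40004 dst=198.51.100.10 dpt=25
2015-03-02T09:00:03Z fw1 DENY proto=tcp src=203.0.113.7 spt=40005 dst=198.51.100.10 dpt=3389
2015-03-02T09:00:03Z fw1 DENY proto=tcp src=203.0.113.7 spt=40006 dst=198.51.100.10 dpt=8080
2015-03-02T09:01:10Z fw1 DENY proto=tcp src=192.0.2.55 spt=51000 dst=198.51.100.10 dpt=445
2015-03-02T09:01:10Z fw1 DENY proto=tcp src=192.0.2.55 spt=51001 dst=198.51.100.11 dpt=445
2015-03-02T09:01:11Z fw1 DENY proto=tcp src=192.0.2.55 spt=51002 dst=198.51.100.12 dpt=445
2015-03-02T09:01:11Z fw1 DENY proto=tcp src=192.0.2.55 spt=51003 dst=198.51.100.13 dpt=445
2015-03-02T09:01:12Z fw1 DENY proto=tcp src=192.0.2.55 spt=51004 dst=198.51.100.14 dpt=445
2015-03-02T09:02:00Z fw1 DENY proto=tcp src=10.10.0.5 spt=33001 dst=198.51.100.20 dpt=22
2015-03-02T09:02:00Z fw1 DENY proto=tcp src=10.10.0.5 spt=33002 dst=198.51.100.20 dpt=80
2015-03-02T09:02:00Z fw1 DENY proto=tcp src=10.10.0.5 spt=33003 dst=198.51.100.20 dpt=443
2015-03-02T09:02:01Z fw1 DENY proto=tcp src=10.10.0.5 spt=33004 dst=198.51.100.20 dpt=3306
2015-03-02T09:02:01Z fw1 DENY proto=tcp src=10.10.0.5 spt=33005 dst=198.51.100.20 dpt=5432
2015-03-02T09:03:30Z fw1 DENY proto=udp src=198.18.0.9 spt=53 dst=198.51.100.10 dpt=53
2015-03-02T09:03:31Z fw1 vendor-native message with no key=value fields
"""

# Hypothetical: the address range your own scanners and monitoring tools use.
AUTHORIZED_SCANNERS = ["10.10.0.0/24"]


def parse_events(text):
    """Return (events, unparsed_count); unparseable lines are counted, not dropped."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            unparsed += 1
    return events, unparsed


def summarize(events):
    """Per-source view: distinct destination ports, distinct hosts, deny count."""
    summary = defaultdict(lambda: {"ports": set(), "hosts": set(), "denies": 0})
    for e in events:
        s = summary[e["src"]]
        s["ports"].add(int(e["dpt"]))
        s["hosts"].add(e["dst"])
        s["denies"] += 1
    return summary


def triage(events, authorized=AUTHORIZED_SCANNERS, port_threshold=5, host_threshold=5):
    """Grade each source; the thresholds are tuning knobs set from your own baseline."""
    allowed = [ipaddress.ip_network(n) for n in authorized]
    alerts = []
    for src, s in sorted(summarize(events).items()):
        if any(ipaddress.ip_address(src) in net for net in allowed):
            sev, why = "INFO", "authorized scanner, suppressed"
        elif len(s["ports"]) >= port_threshold:
            sev, why = "HIGH", f"port scan: {len(s['ports'])} ports on {len(s['hosts'])} host(s)"
        elif len(s["hosts"]) >= host_threshold:
            sev, why = "MEDIUM", f"host sweep: {len(s['hosts'])} hosts on port(s) {sorted(s['ports'])}"
        else:
            sev, why = "LOW", f"{s['denies']} deny(s), within normal noise"
        alerts.append({"src": src, "severity": sev, "reason": why})
    return alerts


if __name__ == "__main__":
    events, unparsed = parse_events(SAMPLE_LOGS)
    for a in triage(events):
        print(f"{a['severity']:6} {a['src']:15} {a['reason']}")
    print(f"{unparsed} line(s) could not be parsed and need a parser rule")
```

The unparsed-line count is the part most often skipped in real deployments: a SIEM that silently drops lines in a format it does not understand is exactly the "improperly managed SIEM" this paragraph warns about, so the script surfaces that count alongside the alerts.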
Obviously, there need to be perimeter devices (firewalls, routers, IDS/IPS), and these are often chosen by your network security or infrastructure teams, or possibly by your information security team. Your part in protecting the perimeter is working with the appropriate teams to ensure those devices are tuned and configured to meet your cyber security and risk needs. Much of this tuning, and the configuration decisions behind it, will come from an assessment, a review of industry trends, and a review of your own network's traffic and activity.
Most network perimeter devices can be configured in various ways to prevent, block, drop and/or notify your teams about different types of network traffic. These “rules” or “signatures” are part of the device offering, but in many cases the current signature feeds or advanced threat-prevention features are subscriptions or add-ons that must be purchased separately. Your team and the network teams also need to agree on how blocks will be applied: at the router, at the firewall, and at the intrusion detection/prevention layer. Investigate which infrastructure changes must go through the change management process, and define a separate “emergency” change path for a DDoS or other active attack, where waiting for the next change window is not an option; even the emergency path should record who made the change, why, and when it is to be reviewed or reversed.
DDoS mitigation is another area of perimeter defense that is forgotten about far too often, until the moment you require a solution and it is too late. This is why careful preparation and planning are important; after all, all of these actions and plans will, or should, be covered in your strategy.
DDoS mitigation can be accomplished in several ways as well. Typically, most companies will use a combination of internal devices (e.g. Arbor) and an external third-party provider that can take over when necessary by diverting your inbound traffic through its own scrubbing infrastructure. Many of the available third-party providers can absorb attack traffic in the 300-500 Gbps range, far more than most networks can handle themselves. I always like to recommend Neustar as a third-party provider, as my experiences have been very successful when engaged in the past. There are some newcomers to the arena as well, and they are always worth looking at and examining. It is always good to ask for references.
Web application and e-commerce security is another area that gets missed by information security teams when thinking about perimeter protection. How much it matters depends on how large a part e-commerce plays in your business; for a retail company it will play a major role. Industry trends tell us that web application attacks are among the top three types of attacks targeting e-commerce, chiefly SQL injection and XSS (cross-site scripting). Attackers constantly look for and exploit vulnerabilities in the system OS and in the applications themselves, and a vulnerable web application is reachable through the perimeter by design, because the web server has to be exposed to customers. Hopefully your team already has a vulnerability management program in place as well.
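The two attack classes named above, shown side by side in vulnerable and hardened form. This is an added example, not code from the article or from any product it mentions; the product table, the SKU lookup, the HTML rendering and the payloads are constructed for illustration, and only Python's standard-library `sqlite3` and `html` modules are used.

```python
"""SQL injection and XSS, vulnerable and hardened side by side (added example).

The product table, the lookup and the payloads are constructed for
illustration; only the standard library is used.
"""
import html
import sqlite3

# Constructed payloads for the two attack classes the text names.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def make_db():
    """Build a tiny in-memory product catalogue (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A100", "Widget", 9.99), ("B200", "Gadget <Pro>", 19.99), ("C300", "Gizmo", 29.99)],
    )
    return conn


def find_by_sku_vulnerable(conn, sku):
    """Deliberately vulnerable: the user-supplied SKU is spliced into the SQL
    text, so a quote in the input closes the literal and the remainder is
    parsed as SQL (here a tautology that returns every row)."""
    query = f"SELECT sku, name, price FROM products WHERE sku = '{sku}'"
    return conn.execute(query).fetchall()


def find_by_sku_safe(conn, sku):
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT sku, name, price FROM products WHERE sku = ?", (sku,)
    ).fetchall()


def render_results_vulnerable(term, rows):
    """Deliberately vulnerable: reflects the search term and DB values unescaped,
    so a script tag in the term runs in every visitor's browser."""
    items = "".join(f"<li>{name} ({sku}) ${price:.2f}</li>" for sku, name, price in rows)
    return f"<p>Results for {term}:</p><ul>{items}</ul>"


def _esc(value):
    """HTML-escape any value, including quotes, before it lands in markup."""
    return html.escape(str(value), quote=True)


def render_results_safe(term, rows):
    """Hardened: every value placed in HTML is escaped, including stored data,
    since a product name may itself have been injected earlier."""
    items = "".join(
        f"<li>{_esc(name)} ({_esc(sku)}) ${price:.2f}</li>" for sku, name, price in rows
    )
    return f"<p>Results for {_esc(term)}:</p><ul>{items}</ul>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup rows:", len(find_by_sku_vulnerable(db, SQLI_PAYLOAD)))
    print("safe lookup rows:      ", len(find_by_sku_safe(db, SQLI_PAYLOAD)))
    print(render_results_vulnerable(XSS_PAYLOAD, []))
    print(render_results_safe(XSS_PAYLOAD, []))
```

Note that the hardened renderer escapes values read back from the database as well as the search term: once an attacker has written markup into a stored field, every page that displays it becomes a stored-XSS vector, so escaping at the point of output is what matters, not trusting where the data came from.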
E-commerce systems and servers may warrant a higher level of perimeter protection than the rest of the network. This can be coupled with a third-party service, typically provided through your outsourced CDN (Content Delivery Network), which sits in front of your web servers and offers varying levels of protection, including countermeasures when necessary.
We must remember that technology and solutions cannot achieve proper levels of perimeter defense alone. Alongside technology and the processes around it, the third aspect is people: not only those required for the “care and feeding” of the technology in use, but also the team responsible for handling escalations and conducting proactive monitoring and investigations.
Harris D. Schwartz, Cyber Security Expert.