Tag Archives: monitoring

Enforcing Network Policy Internally, Remotely And To Mobile Devices

Many corporations fail to establish and enforce a network policy. A network policy is a set of conditions, limitations, and customized settings designed to control how authorized subjects use network resources. Common examples of a network policy are controlling access to adult, gambling, hacking, blacklisted and other website categories that violate human resource (HR) and security standards. Network policy requirements can change based on device type, time of day and user role. It's key that network policy is automatically enforced rather than something end-users choose to abide by, or it will most likely fail when it is most needed.

Users are the weakest link in any network. Hackers know this and target the majority of attacks at this vulnerability. I constantly hear customers complain about phishing attacks (users clicking a link in an email) or users bringing in devices infected with malware, most likely obtained while surfing websites that violate network policy. It's also common to see users violate security controls if they impact their workflow. I had one audit identify internal users VPNing from their workstations to bypass internal network policy due to a lack of controls for remote users. Poorly enforced policies will impact your security, reduce workflow and become very costly as a result of failed audits and compromised systems.

Common solutions for enforcing network policy are layer 7 / application layer firewalls, content filters and bolt-on technology such as cloud applications or agent technology that control network traffic from end-points. I wrote a post about the concepts behind web-gateway solutions HERE. The standard offering provides content categories (Gambling, Social Networks, Hate, Sex, etc.) that can be denied, limited or monitored. The more advanced solutions include security components such as anti-virus / anti-malware, layer-4 monitoring, website reputation scoring and other features.

The problem with these solutions is scalability. Most content filters require either user devices to be configured inline (hardcoding proxy settings) or traffic to be routed to the device (for example with WCCP). These solutions become difficult to enforce outside of the internal network as well as on devices that are not corporate assets, such as mobile devices.
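The policy described above (category-based decisions that vary by user role, device type and time of day, applied by the gateway rather than left to the user) can be written down as an ordered rule set. The following is an added example, not code from the post or from any of the products it names; the category table, rule set, and sample requests are constructed for illustration, and a real web gateway would consult its vendor's URL category database instead.

```python
"""Minimal network-policy decision engine of the kind a web gateway applies.
Added example: category names, rules and sample requests are constructed."""
from dataclasses import dataclass
from datetime import time

# Constructed host-to-category table standing in for a vendor URL database.
CATEGORIES = {
    "casino.example": "gambling",
    "social.example": "social_networks",
    "exploit-forum.example": "hacking",
    "intranet.example": "business",
    "news.example": "news",
}


@dataclass(frozen=True)
class Request:
    user_role: str    # "employee", "contractor" or "guest" (constructed roles)
    device_type: str  # "corporate_laptop", "mobile" or "byod" (constructed types)
    host: str         # destination hostname
    at: time          # time of day the request is made


def category(req: Request) -> str:
    return CATEGORIES.get(req.host, "uncategorized")


def during_work_hours(req: Request) -> bool:
    return time(8, 0) <= req.at < time(18, 0)


# Rules are (predicate, verdict) pairs evaluated top to bottom; first match wins.
# Verdicts: "deny", "monitor" (allow but log for review) and "allow".
RULES = [
    # Categories that violate HR and security standards are denied for everyone.
    (lambda r: category(r) in {"gambling", "hacking"}, "deny"),
    # Guests may only reach resources classified as business.
    (lambda r: r.user_role == "guest" and category(r) != "business", "deny"),
    # Social networking is blocked on corporate laptops during working hours.
    (lambda r: category(r) == "social_networks"
               and r.device_type == "corporate_laptop"
               and during_work_hours(r), "deny"),
    # Unknown destinations are allowed but logged so the category can be reviewed.
    (lambda r: category(r) == "uncategorized", "monitor"),
    # Everything else is allowed.
    (lambda r: True, "allow"),
]


def decide(req: Request) -> str:
    """Return the verdict of the first matching rule; fail closed if none match."""
    for predicate, verdict in RULES:
        if predicate(req):
            return verdict
    return "deny"


if __name__ == "__main__":
    sample = [
        Request("employee", "corporate_laptop", "casino.example", time(12, 0)),
        Request("employee", "corporate_laptop", "social.example", time(12, 0)),
        Request("employee", "corporate_laptop", "social.example", time(20, 0)),
        Request("guest", "byod", "news.example", time(12, 0)),
        Request("employee", "corporate_laptop", "unknown.example", time(12, 0)),
    ]
    for r in sample:
        print(f"{r.user_role:9} {r.device_type:16} {r.host:22} {r.at} -> {decide(r)}")
```

The ordering matters: the blanket denies sit above the role and time-of-day exceptions, and the catch-all allow sits last, so a request that slips past every rule still gets a fail-closed verdict from `decide()` rather than an implicit allow.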

(Screenshot: Cisco's Web-Security Portfolio)

A common solution that addresses external devices is a VPN routing traffic through network policy enforcement solutions (for example Cisco AnyConnect with IronPort or ScanSafe). An alternative is using sandbox-based methods such as remotely controlling internal machines (for example Citrix). Sandboxes work well, however they may encourage the wrong user behavior, such as emailing information to a Gmail account to bypass the sandbox. One solution I like is Cisco's OEAP, which extends the internal network (including corporate SSIDs) to my home office.

Agent and cloud based technology can enforce network policy for laptops and desktops, however it fails for most mobile device types such as Android and Apple devices. The reason is most mobile device manufacturers give power to the end-user, meaning users can opt out of security (more on this HERE). Some MDM vendors such as Zenprise offer the ability to force network traffic through a VPN tunnel, which is great when devices are managed by an MDM provider but fails when the MDM agent is not present. The only protection that can be applied for mobile devices not using MDM is controlling access to sensitive data through data loss prevention, sandbox sessions or encryption technology. I personally like the approach of MDM enforced by access control technology.

Network policy can be enforced many ways but must meet your overall business goals and extend to all devices regardless of location. The technology is available however requires investment from leadership to properly build a policy and purchase the necessary tools to enforce it. Most failures in network policy are caused by a lack of focus from leadership.


Filed under General Security, Host And Mobile Device Security

Identifying Advanced Persistent Threats ATP Using Netflow – Lancope StealthWatch Overview And Lab

Cisco recently announced a partnership with Lancope to address Advanced Persistent Threat, or APT, type attacks. The reason Lancope / StealthWatch was added is that most security solutions are based on signatures or behavior to identify threats. Some newer technologies are leveraging reputation (see my post HERE) or honeypots (for example FireEye), however advanced attacks, aka APTs, are bypassing these traditional security solutions.

APTs are typically customized for a specific target and designed to stay under the radar using techniques such as throttling network usage, communicating through standard ports, encryption and other means that bypass common security solutions. Examples of common security devices are firewalls, IPS/IDS, content filters, anti-virus / anti-malware, and other technologies that operate on a "probe" type design, meaning they can only see traffic in a specific network segment. The APT problem becomes difficult to address with traditional tools due to their inability to detect the methods APTs use on the network, as well as the difficulty of placing detection technology in all network areas and monitoring all layers of the network stack.

Some recent offerings to combat the APT threat are packet level and flow based monitoring solutions (Lancope being flow based). Both approaches look at all network traffic and flag anomalies that would bypass other security technology. Both views have pros and cons, however one clear advantage of using NetFlow is that many network devices are capable of generating flows, which makes it more cost effective than capturing and storing packet level data. I'm not saying packet level monitoring is bad, however storage requirements tend to quickly raise the price tag of this approach.

Lancope StealthWatch works by viewing any host with an IP address that creates TCP/IP traffic on the network. Lancope collects metadata on hosts and builds a profile of behavior. Network devices such as switches, routers and firewalls that hosts connect through generate flows of information, which typically are NetFlow or sFlow. As flows are collected, Lancope aggregates, normalizes and analyzes NetFlow telemetry data to detect threats and suspicious behavior. Lancope can also integrate with Cisco Identity Services Engine, aka ISE, by taking in contextual information such as user identity, endpoint device profiling and posture information. Lancope essentially enables security monitoring on network devices. This dramatically improves the time to identify and react to threats. We had one customer identify malware that apparently had been active for months, throttling its phone-home communication patterns to bypass their IPS and SIEM solution.

My Lancope Lab

When logging into the management interface of Lancope StealthWatch, you first have to launch a Java session.
(Screenshots: launching the StealthWatch Java client)

Once launched, the management interface of Lancope looks like this.

(Screenshot: StealthWatch management interface)

I have specific dashboards that come up, which are customizable. Lancope offers tons of reports that can pop up upon login. NOTE: My Lancope lab is using dummy data. Below is a breakdown of some of that data via the fake hosts, network devices and ISE system.

(Screenshot: StealthWatch dashboard of traffic by host and bandwidth usage)

This Lancope dashboard shows traffic by hosts and bandwidth usage.

(Screenshot: StealthWatch flow table)

This shows a flow table in my Lancope lab. Flows are typically one way communications (Cisco ASAs are the only exception). Lancope stitches flows together so admins can easily see the full communication chain between hosts.
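Two points from this post, that flow records are one-way and have to be stitched into conversations, and that throttled phone-home traffic which slips past an IPS still shows up as a pattern in flow data, can be illustrated with a short script. This is an added example and not Lancope or StealthWatch code; the record layout, the thresholds, the RFC 1918 definition of "internal", and the sample flows (one host checking in with a tiny payload about once an hour, another host browsing normally) are all constructed.

```python
"""Stitch unidirectional NetFlow-style records into conversations and flag
low-and-slow periodic beaconing. Added example with constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed definition of "internal": the RFC 1918 ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Flow:            # one unidirectional record, as an exporter would emit it
    start: int         # seconds since epoch (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    octets: int


@dataclass
class Conversation:    # a stitched client<->server exchange
    start: int
    client: str
    server: str
    dport: int
    bytes_out: int
    bytes_in: int


def stitch(flows, window=60):
    """Pair each flow with its reverse flow seen within `window` seconds.
    Assumption: the earlier of the two records is the initiating (client) side."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.sport, f.dst, f.dport)].append(f)
    used, convs = set(), []
    for f in sorted(flows, key=lambda x: x.start):
        if id(f) in used:
            continue
        used.add(id(f))
        reply_bytes = 0
        for r in by_key.get((f.dst, f.dport, f.src, f.sport), []):
            if id(r) not in used and abs(r.start - f.start) <= window:
                used.add(id(r))
                reply_bytes = r.octets
                break
        convs.append(Conversation(f.start, f.src, f.dst, f.dport, f.octets, reply_bytes))
    return convs


def find_beacons(convs, min_count=6, max_cv=0.2, max_bytes=2000):
    """Group conversations by (internal client, external server, port) and flag
    groups whose start times are evenly spaced (low coefficient of variation of
    the gaps) and carry little data: the throttled phone-home pattern."""
    groups = defaultdict(list)
    for c in convs:
        if is_internal(c.client) and not is_internal(c.server):
            groups[(c.client, c.server, c.dport)].append(c)
    findings = []
    for (client, server, dport), cs in groups.items():
        if len(cs) < min_count:
            continue
        starts = sorted(c.start for c in cs)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        avg_bytes = mean(c.bytes_out + c.bytes_in for c in cs)
        if cv <= max_cv and avg_bytes <= max_bytes:
            findings.append({"client": client, "server": server, "dport": dport,
                             "count": len(cs), "period_s": round(mean(gaps)),
                             "cv": round(cv, 3)})
    return findings


def sample_flows():
    """Constructed records: a beacon (hourly, tiny) and ordinary browsing."""
    base, flows = 1_700_000_000, []
    for i, jitter in enumerate([0, 5, -3, 8, 2, -6, 4, 1]):
        t = base + i * 3600 + jitter
        flows.append(Flow(t, "10.0.0.5", 49000 + i, "203.0.113.7", 443, 310))
        flows.append(Flow(t + 1, "203.0.113.7", 443, "10.0.0.5", 49000 + i, 120))
    for i, t in enumerate([10, 700, 950, 4000, 4100, 9000, 9100]):
        flows.append(Flow(base + t, "10.0.0.9", 51000 + i, "198.51.100.20", 443, 2500))
        flows.append(Flow(base + t + 1, "198.51.100.20", 443, "10.0.0.9", 51000 + i, 48000))
    return flows


if __name__ == "__main__":
    for finding in find_beacons(stitch(sample_flows())):
        print(finding)
```

The browsing host generates more conversations than the beacon but is never flagged, because its gaps are irregular and its transfers are large; the beacon is flagged on timing regularity and size alone, which is exactly the information a flow record still carries after the payload has been encrypted or sent over a standard port.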

(Screenshot: StealthWatch global map of host relationships)

This Lancope diagram shows a global map of host relationship usage.

(Screenshot: StealthWatch user report with Cisco ISE integration)

Here is a Lancope report showcasing user integration with Cisco Identity Services Engine, aka ISE. Notice how inside Lancope you can see who the users are, where they are located and what type of devices they have on the network, utilizing the authorization and profiling capabilities of Cisco ISE.


The integration of the Lancope StealthWatch solution, Cisco NAM and Cisco Identity Services Engine (ISE) is Cisco's new flagship story to address advanced cyber threats, aka APTs. I believe it's critical to monitor flow or packet level data since in many cases it's the only way to identify and defend against advanced threats designed to bypass traditional security products. The scary thing about technology such as Lancope is what you will find when you first set it up in your environment. In many cases, customers find they are already owned and have been for a long time.


Filed under Network Admission Control, Security Management & Analysis

Developing A Continuous Monitoring Solution

There isn't a single "silver bullet" product that addresses continuous monitoring. There are too many factors to consider, which require multiple security elements to function as a single solution. A good approach to continuous monitoring is securing all threat vectors and having those solutions provide data to a central reporting engine. Once data is centralized, things like risk level auditing and policy enforcement can take place. My team has developed a Continuous Monitoring Reference Architecture based on research from customer requirements and testing various security products.

The first step to build a continuous monitoring solution is identifying what should be monitored. A complete continuous monitoring architecture should consider everything from network access alerts to software installed on endpoints. Most networks have gaps in process or technology, which leave holes in desired monitoring reports. For example, administrators may use scanners to audit server vulnerabilities however not monitor configuration changes on routers. Network devices, servers, printers and other network elements offer various forms of risk that need to be detected before a complete continuous monitoring solution can be put into place.

Here are some questions to think about regarding what could be monitored:

1) Do you have a continuous monitoring solution for devices accessing the network?

  • Does that solution cover all access avenues (LAN, VPN, WIRELESS)?
  • Is everything continuously verified or is it a one-time verification?
  • Are policies enforced for different users and devices (guest, contractors and employees)?
  • Do you scan devices for threats / risk before or while on the network?

2) Do you have a continuous monitoring solution for enforcing endpoint policy?

  • Do you have a solution for checking what is installed on devices?
  • Are laptops, desktops, etc. continuously monitored or randomly scanned?
  • Are policies enforced?
  • Are all endpoints considered (mobile phones, laptops, USB drives)?

3) Do you have a continuous monitoring solution for critical data control?

  • Does this include Server, Email and Web data?
  • Are policies for data loss enforced on and off the network?
  • Does security follow the data (IE copy a sensitive file to a USB drive)?
  • Is data limited to users with access credentials or open to all employees?

4) Do you have a policy for physical access to critical areas?

  • Are all access points monitored?
  • Do you monitor all users entering and leaving a controlled environment?
  • Do physical access controls match with logical controls (who walked in and logged into a server)?

5) Do you have a continuous monitoring solution for network devices?

  • Do you monitor who makes configuration changes?
  • Do you have policies for code versions, configuration templates, etc. that are mandated for network devices?
  • Do you collect logs and react to events?

6) Do you adhere to legal or company mandates?

  • How often do you test for compliance?
  • Do you meet all aspects of mandate requirements?
  • Do you know the impact of daily changes to your mandate requirements?

Some examples of solutions for the questions above are Network Admission Control, scanners (Nessus, Retina, etc.), Data Loss Prevention, network management applications (Cisco LMS, EMC Ionix, etc.), desktop management applications (Altiris, BigFix, etc.), physical access controls, authentication solutions, email and web solutions, etc.

Once security toolsets are established to capture security events, the next step for a continuous monitoring solution is centralizing all alerts in a single management system. A common solution is a security information and event management tool (SIEM). The benefits of most SIEMs are correlating events into one threat, aggregating millions of events into readable data, identifying top problems to remediate and quickly searching through millions of logs for specific data. Some SIEMs offer other features such as compliance reports and workflows, however few offer a complete C-level reporting package. An example of a C-level deliverable is alerting on the impact of adding a router to the overall FISMA status, or determining the cost savings of replacing the router with a more efficient model. There are complementary solutions to SIEMs that provide this type of data.
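The correlation step this paragraph describes, together with question 4 from the list above (matching who badged into a controlled area against who logged into a server there), can be shown on a handful of log lines. The following is an added example and not code from the post or from any SIEM product; the log format, the event sources (vulnerability scanner, badge system, server authentication, NAC), the risk weights, and the sample lines are all constructed.

```python
"""Toy SIEM-style correlation pass: parse events from several tools,
collapse duplicates, check physical against logical access, and rank hosts
by aggregated risk. Added example with constructed data."""
from collections import Counter
from datetime import datetime

# Constructed log lines: ISO timestamp followed by key=value fields.
SAMPLE_LOGS = """\
2012-05-21T07:00:00 source=scanner event=vuln host=srv-db01 severity=high
2012-05-21T07:00:05 source=scanner event=vuln host=srv-db01 severity=high
2012-05-21T07:01:00 source=scanner event=vuln host=srv-web01 severity=medium
2012-05-21T08:02:10 source=badge event=badge_in user=jsmith door=datacenter
2012-05-21T08:10:00 source=auth event=login user=jsmith host=srv-db01 via=console
2012-05-21T08:15:00 source=auth event=login user=bjones host=srv-db01 via=console
2012-05-21T08:20:00 source=auth event=login user=bjones host=srv-web01 via=ssh
2012-05-21T09:00:00 source=nac event=posture_fail host=lt-bjones reason=missing_patch
"""

# Constructed risk weights keyed by (source, event, severity).
WEIGHTS = {
    ("scanner", "vuln", "high"): 5,
    ("scanner", "vuln", "medium"): 3,
    ("nac", "posture_fail", None): 4,
}
MISMATCH_WEIGHT = 8  # console login with no matching badge-in


def parse(lines: str):
    """Turn each line into a dict of fields plus a parsed `ts` datetime."""
    events = []
    for line in lines.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def dedupe(events):
    """Collapse events identical apart from timestamp into one record with a count."""
    seen = {}
    for ev in events:
        key = tuple(sorted((k, v) for k, v in ev.items() if k != "ts"))
        if key in seen:
            seen[key]["count"] += 1
        else:
            seen[key] = dict(ev, count=1)
    return list(seen.values())


def physical_logical_mismatches(events):
    """Console logins by a user with no datacenter badge-in earlier that day."""
    badge_ins = [(ev["ts"], ev["user"]) for ev in events
                 if ev["event"] == "badge_in" and ev.get("door") == "datacenter"]

    def badged_before(login):
        return any(user == login["user"] and ts.date() == login["ts"].date()
                   and ts <= login["ts"] for ts, user in badge_ins)

    return [ev for ev in events
            if ev["event"] == "login" and ev.get("via") == "console"
            and not badged_before(ev)]


def rank_hosts(events, mismatches):
    """Aggregate weighted findings per host; deduplicated events score once."""
    score = Counter()
    for ev in events:
        if "host" in ev:
            score[ev["host"]] += WEIGHTS.get(
                (ev["source"], ev["event"], ev.get("severity")), 0)
    for ev in mismatches:
        score[ev["host"]] += MISMATCH_WEIGHT
    return score.most_common()


def correlate(lines: str = SAMPLE_LOGS):
    events = dedupe(parse(lines))
    mismatches = physical_logical_mismatches(events)
    return {"events": events, "mismatches": mismatches,
            "ranking": rank_hosts(events, mismatches)}


if __name__ == "__main__":
    result = correlate()
    for m in result["mismatches"]:
        print(f"MISMATCH: {m['user']} console login on {m['host']} at {m['ts']} without badge-in")
    for host, risk in result["ranking"]:
        print(f"{host:10} risk={risk}")
```

The eight raw lines become seven deduplicated events, the single mismatch is a finding that neither the badge system nor the server log could raise on its own, and the ranking puts the host with both a high-severity vulnerability and the unexplained console login at the top, which is the "identify top problems to remediate" output a SIEM is bought for.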

To summarize a continuous monitoring architecture: first identify all threat vectors on your network. Develop security solutions to address those threat vectors with near real-time reporting capabilities. Build a centralized event management infrastructure that offers various reports that meet business requirements. Most likely it will take time to understand what the desired end result should be, so expect many revisions as you develop your continuous monitoring infrastructure.


Filed under Security Management & Analysis