This article can also be found in the Premium Editorial Download "Information Security magazine: Security Readers' Choice Awards 2012: Your picks for the best security products."
Download it now to read this article plus other related content.
Staying safe on the road involves a number of controls, rules and responses. The car itself is equipped with safety features like anti-lock brakes, blind-spot warnings, seatbelts and airbags. Rules
But what appears ludicrous in the realm of safe driving can be tempting in the hectic world of IT. Can't a company just buy a single unified threat management (UTM) product with the best, most advanced threat detection technology and guarantee the organization is protected? Unfortunately, the answer is “no.” Just like driving a car requires multiple parts working together, "driving" a corporate IT network safely requires a blend of the traditional triumvirate: people, process and technology.
So what goes into creating a successful threat management program? Read on to hear what security professionals have to say about best practices for enterprise threat prevention.
ENTERPRISE THREAT PREVENTION: BUILDING A FOUNDATION
In 2012, threat prevention has evolved into an integral part of the corporate IT risk and security management program. Most companies have moved beyond stand-alone monthly malware updates and quarterly device scans to an integrated set of technologies that are fully incorporated with the security or network operations center.
Security pros have various ways of defining threat management at their organizations. Waqas Akkawi, director of information security at global moving and relocation services provider SIRVA, defines threat management at a high level as the "real-time monitoring and reporting of user activities – and having the ability to effectively query the environment, report on capabilities and send timely alerts" when someone or something accesses protected data. Leo Walsh, IT risk compliance subject matter expert for Memphis, Tenn.-based bank holding company First Horizon National Corporation, notes that a formal definition is less important to threat prevention and management than having an IT risk operations team of people who are entirely focused on IT risk operations and strict change control processes. However, he and other security pros agree on this: The core purpose of threat management is to protect business data and assets from internal and external attacks.
Though the specific answers to what a threat is and how to manage it will vary from organization to organization, there are some high-level definitions that apply to all (or almost all) threat management programs. Taking a moment to review these is worthwhile because it helps a company to level set the business needs for the threat management program and ensure the right systems are selected. Since threats can come from multiple sources and at many points in the IT architecture, understanding where and how the attacks originate will enable a company to create a more robust plan for mitigating and preventing those attacks.
Threat management begins with threat identification. In SP800-30, NIST defines a threat as "the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability." A threat source can be human, such as a hacker or disgruntled internal employee; natural, such as tsunamis or tornadoes; or environmental, such as a power outage or water damage from leaky pipes. So a comprehensive threat management program must take into account all the sources. NIST also recommends defining the threat motivations of each threat source and the potential actions of these sources. For example:
Threat source: Disgruntled employee
Motivation: Damage company reputation
Action: Logic bomb that defaces website in publicly embarrassing manner
But formal threat definitions aren’t for everyone. The First Horizon IT Risk Operations Team focuses on trying to keep the company safe, Walsh says, "There are so many ways unauthorized access can happen – an effective approach is to look at what needs to be protected, assess whether or not it has been protected and then monitor the asset continuously to see whether or not it has been accessed," he adds.
As Philip Keibler, director of information security at athletic shoe and apparel retailer The Finish Line, puts it, successful threat management starts with a "need to understand the infrastructure and data, the ability to be proactive and to leverage protection components before the attacker does." Components of a robust threat management and prevention program are not restricted to technical controls like anti-malware, firewalls and IDSes, he adds. While these technologies play an important and active role in threat management, they need to be part of a traditional process-technology-people triumvirate, and part of the bigger enterprise risk management picture.
THREAT MANAGEMENT PROCESS
How formal the threat prevention and management process is will vary by enterprise. Some companies have adopted formal standards like ISO 27001 and ISO 27005 guidelines that call for certain activities and artifacts to be completed as part of the security management process, and extend this approach into the threat management program. Keep in mind that although there are many excellent guidelines for risk management frameworks and processes, including OCTAVE, NIST Risk Management Framework, the FFIEC Examiner’s Handbook on information security risk assessment, and ISO 27005, none of these are specific to threat management. And for smaller organizations, a process-heavy approach may not be feasible.
However, even in very informal environments, it's important to create and maintain at least high-level written policy and procedure documents because these will be required during most audit cycles. Without proper documentation, even the best threat management program on the planet could fail an audit simply because the written proof of the process wasn’t available. “Any good security program will have policies as a foundation” and the ability to monitor conformance to those policies with proper tools and reporting, The Finish Line's Keibler says.
Keeping the process proactive or "pre-attack" focused keeps a company ahead of the attacker. Keibler doesn’t like playing catch-up and stays prepared using a process that includes scanning so vulnerabilities can be remediated before they're exploited. The Finish Line process also leverages data classification and network segmentation for "before-the-fact" protection and continuous deep-packet inspection monitoring is performed on all traffic going into and out of the segments. Policies and rules are set according to the sensitivity and classification of the asset or data, so data that requires tighter controls is placed in a higher trust zone than data at a lower sensitivity level.
At SIRVA, Akkawi says he's integrated threat management into the company’s risk management program so IT security can "decrease the risk while ensuring the company continues to operate in a profitable manner." Akkawi’s team uses data maps to follow where the data is going; threat and risk management questions are addressed during pre-deployment assessments of new applications. In collaboration with the business, IT answers questions such as, "What kind of data will the application handle?" "How will that data be protected?" and "Who will have access to that data?" IT then uses the answers to put proper controls in place and build alert and remediation procedures in the event of unauthorized access and to train technicians on response plans.
Cloud and managed services
A lot of threat management activity is still happening on-premise for larger companies with a few notable exceptions where they're comfortable using cloud services, such as message hygiene and vulnerability scanning.
“Today, most customers have a combination of on-premise and cloud," says Sadik Al-Abdulla, CDW security practice senior manager, explaining how customers are adopting cloud services for threat management. "Email security, for example, has been a highly effective cloud offering for many years and holds a disproportionate amount of the market compared to on-premise solutions. Web security, on the other hand, is almost exclusively on-premise."
He says the most common managed security service provider (MSSP) offering is usually a combination of firewalling and intrusion prevention, but that still has minimal market penetration, and even where used, there are other unmanaged threat prevention solutions in play. According to Al-Abdulla, the most frequently observed threat management architectures today are, in order of occurrence:
1. Mostly on-premise with cloud email security;
2. Fully on-premise;
3. MSSP firewall, other on-premise, and cloud email security; and
4. MSSP firewall, other on-premise.
Weaving threat prevention management into change management is part of the process at First Horizon. Scans and penetration tests can be conducted before implementing a change in production. If a vulnerability in a particular device is discovered, the IT risk operations team contacts the business owner about it and is able to block the change until the vulnerability is fixed, Walsh says.
Though integration with other processes and systems, including change management, helps to ensure the threat management program runs in concert with the business, there is one area where it makes sense to have separation of duties: audit and compliance. Some change requests may come in as highly time sensitive for the business without giving the operations team enough time to evaluate the threat impacts. Having a separate team review and validate changes can prevent or limit unintended threat exposures because the separate audit or compliance team has more time to spend on threat impact analysis. If the compliance, audit or risk team determines the business need can be met with a more restrictive granular rule, then updates are implemented accordingly.
Remediation is an essential part of a successful threat management process, but one that organizations can neglect, according to Sadik Al-Abdulla, CDW security practice senior manager. "Many organizations have a blind spot, and until a serious breach occurs, the necessity of a response plan is rarely recognized," he says.
Key components of a remediation plan should include executive ownership, a communications plan, an escalation strategy and a law-enforcement contact strategy. "You don’t want people that are under severe stress making decisions about what and how to communicate to customers," he says.The communication plan is often overlooked in IT, but as breaches and exposure scenarios continue to increase, there will be increasing pressure for companies to go on record when attacks occur. Having media-trained technologists who can convey difficult technical concepts in a calm and understandable manner will go a long way towards preventing compounding data breach damage with a major PR gaffe.
A LAYERED APPROACH
Finding the right threat management technology fit is not as simple as buying a high-powered UTM and putting it between the organization’s internal network and the Internet. There are no one-size-fits-all answers, or as SIRVA's Akkawi puts it, “there is no magic solution.”The most effective threat management solutions use layered technology approaches, both architecturally and technically to detect, alert and respond. “Bluntly, it’s ‘defense in depth.’ This is the same drum that the security industry has been banging since inception, but the evolution of more and more sophisticated threats is reproving that it is absolutely essential," says CDW's Al-Abdulla.
Technologies in use at companies as part of their threat management program include (but are not limited to):
- Firewalls/next-generation firewalls;
- Intrusion prevention/detection systems (IPS/IDS);
- UTMs (firewall, IPS, anti-malware, Web filtering, etc.);
- Endpoint protection suites (anti-malware, host firewalling, filtering);
- Message hygiene filters;
- Web hygiene filters;
- Network access control (NAC);
- Data loss prevention;
- Security information and event management (SIEM)/log aggregation;
- Network vulnerability scanners/Web app scanners;
- Policy and configuration management;
- Patching and software delivery;
- Web application firewalls/database monitors;
- Penetration testing tools; and
- Strong authentication.
Every threat management program doesn’t need all of the above listed technologies and some use other technologies. The goal isn’t to check off the most “product” boxes, it is to reduce the threat surface and prevent attacks. So assess each technology for how well it will accomplish the business goal of threat detection and prevention.
For example, at SIRVA Akkawi has found the IPS component of the company's NAC system from ForeScout to be extremely helpful with threat management. The NAC product allows them to see who is connected, what their patch level is, and passes all the information into the LogRhythm SIEM so it can be reviewed and correlated, he says. SIRVA is also using the endpoint protection to detect issues like patch levels that are not up to data and devices that do not have antivirus installed. When the NAC detects non-compliant devices, it triggers alarms and the devices are taken off the network and put into a quarantined network segment until they can be remediated.
Finish Line, meanwhile, is exploring handling Web application threats using a combination of load balancing from F5 Networks and Web application scanning from WhiteHat. If the Web application scanner detects a vulnerability in an application, a virtual patch can be applied to the Web application firewall to mitigate exposure. Finish Line also uses endpoint security from Sophos as part of its threat management program.
Keibler notes the importance of bringing alerting and reporting information from tools like an endpoint suite to a single console like a SIEM (his company uses Envision's) so administrators can have visibility into potential threat activity across the network. Some of the things to look for in the SIEM that may indicate threat activity include number of failed logins, multiple login attempts from the same ID but different IP addresses, and creation of new, privileged accounts on servers or databases.
First Horizon's Walsh says a high noise ratio of “false positive correlations may be as much of a problem as no correlation at all.” To keep focus on activities with a strong signal, the bank runs a variety of reports from its log aggregation tool that show the number of hits on a specific rule (e.g. access of DMZ via HTTPS) and uses a firewall policy management tool in order to find and assess issues. An anomaly like a huge spike in traffic is “relevant and throws an alert that really stands out” and is of high value to the security operations team, he says.
Another threat prevention technique in use at the bank is segmentation with VLANS. Rather than having to re-provision a switch, blades that are attached to the switches are tagged with the VLAN ID and separated from other servers on the VM switch. Inter-policy zone checks are completed by the firewalls when data crosses from one VLAN to another, providing a way to block unauthorized access and to prevent leaks of sensitive data out of protected zones.
THE HUMAN ELEMENT
As is almost always the case, the effectiveness of a technology tool is, in large part, directly related to the capability of the human interacting with that tool. For threat management, people skills come into play in a few main areas: The people running the threat management tools (admins and engineers), the people interacting with the systems that are under attack (users) and the customer service reps interacting with the users. Don’t underestimate the importance of educating each one of these groups. Although it may be tempting to look for a tool that’s so easy a child could use it, or to write off users as too “non techie” to help prevent attacks, resist the urge. People really are a full one third of the overall solution.
“If you are relying on the endpoint to stop all the malware, then it’s too late. If the malware gets in, then something failed along the way," says Finish Line's Keibler. "A more effective approach is to start with employee awareness, partner with employees and help them to be another arm of the security program.”
“Because there are some social engineering components in 70 to 80 percent of attacks, every employee has to be part of the program," he adds. At Finish Line, this extends to the help desk, where reps are trained to identify hallmarks of suspicious activity, like a substantial slowdown in device performance that may indicate presence of a bot, and flag this for investigation by the security team.
At First Horizon, data protection is a key driver for all of the IT risk staff. Walsh says he has a seasoned IT risk operations team that's "internally driven and knows the value to the business of keeping out of the Verizon DBIR.” He adds, “If your employees are not motivated to keep corporate data safe, no framework or formula will do the trick.”
The bank also engages people on the business side through regular communication with executives about risk, especially when there are real-world examples in the news with direct impact to the financial services industry. The bank also has a change advisory board that engages business owners in the threat management discussions when new services are brought on and changes are made, Walsh says. It also provides a corporate-wide information security awareness program that includes an annual test that all users must take.
Good user education can go a long way in helping your threat management program succeed. At SIRVA, employees are educated on data security and threat prevention – work that certainly paid off when an employee received a well-crafted spear phishing email that pretended to be a $1000 reward gift card from corporate HR. Rather than clicking on the gift link to collect the reward, the employee immediately reported the email to IT and Akkawi’s team proceeded to investigate. A review of the log files and interviews with the employee showed that the spear phish had used social network data from outside the company and had not breached internal systems.
Though successful threat management programs have a number of moving parts and layers, they do not need to be overly complex or process-heavy. Advice from the trenches is to focus on what needs to be protected for the business. Know where the data and assets are and who (or what) has approved access to them. Use network segmentation to cordon off sensitive assets and prevent “panic” moments and audit documentation failures by setting down policy and procedures in writing.
Most companies find success using a layered set of solutions to identify and prevent attacks and maintain visibility into reporting from all of those solutions by rolling them up into a central stem console like a SIEM. And most importantly, don’t forget about the people part of the program. Train engineers on data maps and flows and train users to know what’s fishy or suspect and how to report suspicious activity to the correct parties.
About the author:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors. Send comments on this article to firstname.lastname@example.org.
This was first published in September 2012