Dealing with network security technologies can be a challenging job, but it's important to remember that security is often not the end goal, and that the technologies were purchased to meet specific business directives.
In this video, we'll discuss how moving from primary business functions to more detailed business tasks can identify goals that network security can assist in meeting.
About the author:
Jennifer Jabbusch is CISO with Carolina Advanced Digital Inc.
Meeting business goals with network security technologies
Jennifer Jabbusch: Hey, I'm Jennifer Jabbusch with SearchSecurity, and
we're doing a security school. Today we're going to be talking about using
network security technologies to meet an organization's business needs.
The first thing I want to do is segue in and explain some of the foundations
and fundamentals of what I would consider, I think, most people would
consider, the primary business functions of any organization, whether it's in
the financial market, even government agencies.
Anybody that's going to be looking at this, I would say there are five main
primary business functions that we're going to look at, financial, legal,
production - and production could be goods, services, or resources and
data, such as intellectual property, so that all falls under production -
human resources and employees, and then public image and PR. Those
are the five main things that everything we're going to talk about kind of falls
into these five primary business objectives. As we break those five things
down, we can get into a little bit more detailed business goals that fall
under one or more of these categories. As we go through these, you'll see
some of these, specifically within financial and legal, some of these more
specific goals and tasks are going to fall under one or more of the primary
We're going to start off with compliance regulations. I think most
organizations today fall under some type of regulation, whether it's
corporate, government. We have Sarbanes-Oxley, HIPAA, all these different
compliance and regulations that dictate data, how we're moving and storing
data, dealing with the public and the public's data and its financial,
personally identifiable information helps specifically. The next bullet item
here would be protection of assets, and assets in this case would be
anything that an organization owns or is protecting. It could be the actual
network and infrastructure, its employees and resources, or even the data
on the network, that all falls under assets.
The next bullet item of intellectual property protection would be falling
under a sub-set of assets, so intellectual property would be a business
asset in that case and then demonstrating due diligence. This is something
that I think is a common type of thing. It's not really defined clearly
throughout the different businesses, but showing due diligence and just
demonstrating to the public, to your employees and to everybody that you're
doing what you need to do as a business, and you put some thought into your
Moving on, we have reduction of liability, and this falls under legal, and
it could fall under financial because same with compliance, oftentimes your
legal obligations can lead to a financial issue if you're not meeting them.
Protecting employees and protecting the business from employees. We're
going to get into more detail and talk about that, but generally that would
encompass anything from insider attacks to even just protecting the
employees from themselves or malicious users.
Business continuity is a big one, especially in the past couple of years,
as we've seen a lot of natural disasters and things happening where there's
a situation or pandemics where the primary support staff and the business
functions can't make it into the office for one reason or another. Business
continuity is a big issue that they're facing, and network security and
technologies, that we're going to be discussing, really play a big role. I
would say technology plays one of the biggest roles in business
continuity planning. And then, the overall ROI. Meeting your business
needs, making sure that your bottom line is staying in the black, getting a
good ROI, investing in technology that's going to not cost you more than it
should for what you're trying to protect. And we'll talk about that, too.
Continuing on, we have protection of partner, customer, or any third party
data. This could also be employee information because you're going to be
storing your employees' Social Security numbers, possibly their bank
account numbers, if they have direct deposit, their salary information. You
could have a lot of health and financial information that you are
responsible for, but you don't have ownership of, and partners and
customers fall into that same category.
Maintaining positive industrial relations, and this falls into the whole
public image thing, and it falls into the financial category. So, keeping
your business, especially if you're a publicly traded company, keeping
everybody happy there. And then, that falls into my last bullet point here,
maintaining a good corporate image, just making sure that you're not that
headline news where people are going to be questioning whether or not they
should do business with you.
Moving on to the next section. We're going to talk about how we're going to
meet these goals using technology, and some of the technology that we're
really targeting in this discussion would be things like advanced network
security. IDS, IPS and NBAD, so that would be intrusion detection systems,
intrusion prevention systems, and NBAD which is network behavior anomaly
detection. If you're not familiar with these things, we'll link to some
other resources on the search site for you, but generally IDS and IPS are
traditionally deployed at the gateway, making sure that things coming in
should be coming in, things going out should be going out, and stopping
those attacks there. It can also be used on the inside of the network. NBAD
is more traditionally used on the inside of the network, and this is flow
analysis, taking sampling from the internal LAN and just making sure that
the traffic looks good, healthy, and nothing bad is going on.
Let's talk about how we can use those three or four technologies to meet
our business goals. The first big one, and this is a hot three letter thing
for 2010 and 2009 as well, is data leak and protection, so DLP is kind of
a hot topic now. These three technologies put together are a great solution
for making sure that the data that's on your network that should be secured
is not leaving your network, either in a method that shouldn't be leaving
or to a location and a destination that it shouldn't be going to.
Protection from data theft and modification. Obviously, data theft, most
people have a clear understanding of you don't want somebody intruding into
your network and removing data, whether it's private information, PII, or
intellectual property and taking it out. You also don't want them modifying
data and sacrificing the integrity of that data. For example, you don't
want somebody to attack your bank, and suddenly make your bank account look
like it has $2 instead of $2000. So protecting the data from theft and
modification. IDS, IPS and anomaly detection all play a role here.
The next bullet is protection from insider attacks. I think most
organizations are pretty comfortable with the idea of protecting the inside
of the network from the outside of the network, and we have this concept of
the edge, the inside, and the WAN side - them and us. The problem is that
over the past several years that edge has really blurred, so we don't have
the one point of entry and point of exit in the network, we have multiple -
any wireless, any routers, any switches, any end points that have external
connections for all points of entry and exit, and they all have to be
secured. Protection from insider attack. We need to make sure that not only
have we authenticated and authorized these people to be in our network but
that they are not abusing those privileges. Again, IDS, IPS, and NBAD and
any network security technologies used in the right combination will give
you this kind of protection.
Moving on and this is going back to the ROI discussion we had, providing
central points to view and manage the network, so getting that single pane
of glass, that one view into your wired network, your wireless network,
your remote access and users. It's kind of hard to tell what's going on in
protecting against these threats if you can't see everything together
globally. If you have a little bit of data sets over here, a little bit of
data sets over here, and you can't really connect those different events
and see what's going on, you don't have a good picture and you don't have
protection from people attacking your network or people abusing their
Along the same lines, the creation of logging, accounting, and reports for
audit and review. This could go back to protecting against insider attack
and data theft and protection as well as compliance reporting. A lot of the
pieces of compliance now are not only to comply with the regulations but to
prove that you're in compliance, and then the second part of that is if
something happens, you have breach notification. You can't have a breach
notification if you don't know that the breach happened. So, again, IDS,
IPS are great at logging and providing a report to audit from.
The next bullet is a little controversial, maybe, the availability of
evidence to prosecute attackers. This is kind of an interesting dynamic
because I would say most small and maybe even some medium sized
organizations don't really care about this. Larger organizations are those
that are high risk, government, banks, and other financial organizations
frequently will set up something, possibly like a honey pot, with an IDS
system, the intrusion detection system instead of a prevention system. What
that lets them do is if they have somebody that's trying to attack their
network and it really doesn't matter where they are, they set this up, they
have the IDS system in place, and the IDS system will watch, monitor, and
log as the person infiltrates and attacks the network.
Now, hopefully this is set up in a position where it's not actually getting
to real data, but it gives the organization enough information to prove
that the entity or group actually did break in and attempt to violate the
network. So, an IDS system lets you do that whereas some of the other
preventative systems don't because you've locked that door and stopped them
from getting in.
Visibility into events within the network and leaving the network. Really,
again, here same thing. NBAD and the network behavior anomaly detection and
the IDS and IPS, each and then all together provide these functions. Like I
said, more specifically IDS and IPS tend to be at the gateway. That's not
100% but most commonly, and then the anomaly detection stuff that's
happening on the switches and routers inside the network will let you get a
view of what's going on inside which kind of segues into the next bullet,
creating a baseline of activity to spot anomalies or strange traffic or
So, again, the insider attack thing. We have somebody that we've let onto
the network, but then maybe, perhaps, we see that suddenly they're
accessing a resource somewhere on the network or on a remote portion of the
network that they would not normally access or need to access. An NBAD
system would let us see that.
General support of confidentiality, availability, and integrity of the
business, its resources, and data. CIA is the term here, the CIA
triangle or AIC. Confidentiality, integrity, and availability. So,
confidentiality, making sure that data that should be secret is secret and
private is private. Availability is making sure that the data is accessible
and usable. The data really isn't any good if it's secured and we can't get
to it. And then, integrity, again, going back to the bank scenario. Making
sure that the data that we're working with is not tampered with.
To bring that back around for organizations doing my due diligence here, I
have a list of about six bullet items that I would say are considerations
for organizations looking at these technologies, starting with scaling the
technology for the enterprise. Enterprise here could be all types of
organizations, and some are smaller and maybe have a single building or a
few buildings, maybe in a little campus environment. And then we have large
organizations that are international. Maybe, they have dozens or even
hundreds of locations all over the country or the globe.
What we deal with there is a little bit different because if you're
international, you have global rules, you have rules for different
countries and regulations for that, the way that you gather, store, and
aggregate the data is going to be a lot different, depending on your
organization type. So, finding the right fit of product for your type of
enterprise is a scaling issue.
Next, identifying assets and critical or sensitive data. Again, I would say
that most private organizations that are large, especially banks and
financials - I'm picking on them - but they do a good job here as well as
healthcare. Most of these organizations already know where their data is,
but you would be surprised how many small-medium enterprises have a lot of
critical or sensitive data floating around, and they don't really know
exactly where it is. I know that because one of the main things that the
red teams go in and do when they do penetration testing, their first target
within the inside of a building is to find where the organization is
putting their de-provisioned equipment, so where those computers, laptops,
hard drives, anything that's not being used anymore that might have had
data on it at some point. Whether it's been de-provisioned or not or moved,
we have data all over the place, and we might not actually know where it
is. You can't really secure something if you don't know where it is, so
that's one of my top considerations here.
Once you know that, you can do risk and vulnerability assessment and then
quantify the risk. You understand what your data is, where it is. You can
then have somebody come in and help you analyze and determine what the risk
and vulnerabilities are to that data and then the cost associated if
something were to happen to the data. Again, once you know that, we move on
to the fourth item, which is understand and outline the goals. This is
where we have a breakdown a lot of times in a corporate environment. Once
you know all of these first two bullet items, you move on and you need to
clearly identify what the goals are because some things are going to be
written off as a business expense in terms of fees or compliance issues,
and some things need to be addressed.
What you'll need to know is what you're addressing and what you're not
addressing and then be able to find the technology to fill that gap, if you
need to. Once you have that, move on down and create written policies to
reflect those goals and then describe the use of the technology to meet
them. Again, four and five are where I see the breakdown. A lot of network
administrators walk in. The network is their domain, their realm. They do
whatever they want to do. They secure stuff. They lock people out. They
manage the policies, and maybe they don't really have a clear understanding
of those first two bullet items, what is the business trying to accomplish,
and how are we going to use technology to accomplish that? That should be a
business decision, not an IT decision.
Then, more specifically for this technology, IDS, IPS and NBAD, my last
piece of advice here is to invest in the technology and not the product.
What I mean by that is these are not product based solutions even though
they are product based solutions. You don't get to walk in, take this thing
out of the box, throw it in, and have it do what it's supposed to. It's
going to have to be tuned and trained for your environment, or it's just
going to be a lot of noise and not anything meaningful is going to come out
of it. This might mean getting training, services, assistance setting this
up, and then maintaining the system because your network is going to
change, your users are going to change, your traffic is going to change,
your data might be changing. These things have to be tweaked and tuned
along the way to accommodate those changes.
To wrap everything up here, we'll visit the five primary business functions
here: financial, legal, production - and again, that was production, goods,
services, or intellectual property - employees and human resources, and
public image. We see how we can use network security to support and address
all of these business goals in an effective manner.
With that, again, I'm Jennifer Jabbusch with SearchSecurity.
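The transcript above describes two things an NBAD system does for the business goals listed: building a baseline of normal activity so that an insider suddenly reaching a resource they never touch stands out, and producing log records that an auditor can review afterwards. The following is an added example, written for this page and not code from the video, from Jennifer Jabbusch or from any NBAD product. It is a toy baseline detector in Python over constructed flow records: the users (alice, bob, mallory), hosts (fileserver, mail, hr-db) and byte counts are invented, and the rule set (a destination the user has never contacted, a bytes-out volume more than three standard deviations above that user's mean, or a user absent from the baseline entirely) is an assumption chosen to illustrate the idea, not a vendor's algorithm.

```python
# Added example (not from the video or SearchSecurity): a toy NBAD-style
# baseline detector over constructed flow records. It learns, per user, the
# set of destinations normally contacted and the typical bytes-out volume,
# then flags flows that deviate and emits audit-style log lines for them.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: str         # timestamp (constructed)
    user: str       # authenticated user the flow is attributed to
    dst: str        # destination host name or address
    bytes_out: int  # bytes sent from the user's host to dst


@dataclass(frozen=True)
class Alert:
    flow: Flow
    reasons: tuple  # why the flow deviates from the baseline


# Constructed "normal week" flows used to build the baseline. Users and hosts
# are hypothetical.
BASELINE_FLOWS = [
    Flow("2010-03-01T09:00", "alice", "fileserver", 1200),
    Flow("2010-03-01T09:30", "alice", "mail", 1500),
    Flow("2010-03-02T10:00", "alice", "fileserver", 900),
    Flow("2010-03-02T11:00", "alice", "mail", 1300),
    Flow("2010-03-03T09:15", "alice", "fileserver", 1100),
    Flow("2010-03-03T14:00", "alice", "mail", 1400),
    Flow("2010-03-01T09:05", "bob", "hr-db", 2000),
    Flow("2010-03-01T13:00", "bob", "mail", 2200),
    Flow("2010-03-02T09:10", "bob", "hr-db", 1800),
    Flow("2010-03-03T09:20", "bob", "hr-db", 2100),
]

# Constructed flows from a later day, scored against the baseline.
NEW_FLOWS = [
    Flow("2010-03-08T09:00", "bob", "hr-db", 2050),          # normal
    Flow("2010-03-08T09:40", "alice", "hr-db", 1000),        # destination alice never used
    Flow("2010-03-08T10:10", "alice", "fileserver", 80000),  # far above alice's usual volume
    Flow("2010-03-08T10:30", "mallory", "fileserver", 500),  # user absent from baseline
    Flow("2010-03-08T11:00", "bob", "mail", 2100),           # normal
]


def build_baseline(flows):
    """Per-user profile: destinations seen plus mean/stdev of bytes_out."""
    dsts = defaultdict(set)
    volumes = defaultdict(list)
    for f in flows:
        dsts[f.user].add(f.dst)
        volumes[f.user].append(f.bytes_out)
    return {
        user: {"dsts": frozenset(dsts[user]),
               "mean": mean(volumes[user]),
               "stdev": pstdev(volumes[user])}
        for user in dsts
    }


def score_flow(flow, baseline, z_threshold=3.0):
    """Return the list of reasons a flow deviates; an empty list means normal."""
    profile = baseline.get(flow.user)
    if profile is None:
        return ["unknown-user"]
    reasons = []
    if flow.dst not in profile["dsts"]:
        reasons.append("new-destination")
    if profile["stdev"] == 0:
        # Degenerate baseline (all volumes identical): fall back to a 2x rule.
        if flow.bytes_out > 2 * profile["mean"]:
            reasons.append("volume-spike")
    elif (flow.bytes_out - profile["mean"]) / profile["stdev"] > z_threshold:
        reasons.append("volume-spike")
    return reasons


def detect(flows, baseline):
    """Score every flow and collect the ones that deviate."""
    return [Alert(f, tuple(r)) for f in flows if (r := score_flow(f, baseline))]


def audit_record(alert):
    """One line per alert in a key=value form suitable for audit review."""
    f = alert.flow
    return (f"{f.ts} user={f.user} dst={f.dst} bytes={f.bytes_out} "
            f"reasons={','.join(alert.reasons)}")


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    for a in detect(NEW_FLOWS, profile):
        print(audit_record(a))
```

Running the block prints three audit lines (alice reaching hr-db, alice's 80000-byte transfer, and the unknown user mallory) and stays silent for bob's two normal flows. The point the transcript makes carries over directly: the thresholds only mean something once the baseline reflects this environment's traffic, and the baseline has to be rebuilt as users, hosts and traffic change, or the output becomes noise.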