By: Chris Conley, Trace3 ATG Regional Lead
Network security is only as good as your strategy. But how do you know if your strategy is sufficient? The SANS Institute defines Network Security as:
“The process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users, and programs to perform their permitted critical functions within a secure environment”.
The key word here is “process”. If you take these preventative measures once, you’re only secure today. A security strategy is a process that requires constant evaluation, review, and change to continuously keep your business secure.
When implementing a successful security strategy, it’s important to understand a typical security lifecycle. In the image shown below, each piece of the security lifecycle has different requirements that will vary by environment, but all sections are necessary to the cycle. Each phase requires input from its predecessor. For example, you can’t monitor a system that hasn’t been implemented.
Let’s break down the security lifecycle to get a better understanding of all 7 phases.
- Planning – Areas of the Enterprise that need to be secured are identified. This can include identifying and planning for the securing of data on-premises or in the cloud, securing remote access to systems or services, and / or securing devices. Additionally, creation of policies for acceptable use, system access, change management and incident response can fall under the Planning phase.
- Policy Enforcement / Implementation – The security policies that were created as a result of the previous phase are enforced. This task can be performed either via a security appliance, e.g. a firewall enforcing a strict “no Facebook access” policy, or through an Acceptable Use Policy (AUP) that each user must sign.
- Monitor & Manage – Security devices and software are monitored and managed to ensure that the areas identified in the Planning phase are being properly protected. The typical Enterprise will also review published security documents relating to vulnerabilities and / or weaknesses discovered within relevant systems, so that a potential vulnerability can be addressed before it becomes an issue.
- Intrusion Detection – Covering more than just the typical IPS / IDS systems and the results they provide; this phase encompasses multiple systems and services to help identify possible breaches or breach attempts. As an example, your typical IPS will NOT flag a user logging in with stolen credentials. To most systems, this traffic and activity will appear normal but is, in fact, an intrusion and breach of security. Identifying these types of incidents is usually something that is first seen during the Monitor & Manage phase and is mitigated during the next phases. This phase can also include detection of scanning or probing attempts by potential threats.
- Security Assessment – The vast majority of Enterprises assess their security posture only AFTER an incident is observed. An incident can be anything ranging from an observed port scan from a potentially malicious host to a breach of a database containing client information. This approach is completely reactive and brings with it a high level of risk. The most secure networks are designed and managed by those who are proactive in nature. Proactive organizations either perform their own testing of applications and systems and / or outsource those functions to trusted 3rd.
- Threat / Risk Analysis – In this phase, the likelihood that a threat, risk, or vulnerability will be exploited is determined, along with what the result of that exploitation could be. While it’s impossible to completely eliminate risk, there are measures that can be taken to make a compromise more difficult. Patching vulnerable systems, installing an in-line IPS, updating or upgrading a firewall, and adhering to best-practice system hardening guidelines are just a few ways that threats and risks can be minimized and, in some cases, eliminated. This phase can also include analysis of newly released technologies.
- Security Policy Creation – This phase involves mitigation of the threats and risks that were identified in the previous phase. Creation of security policy may involve writing a new AUP or amending an existing one, or it can involve creating security policies on security appliances to mitigate a threat or risk that has been identified during a previous phase. Creating security policies can be a direct result of identifying a known threat such as an increase in port scanning attempts from a group of internet-based hosts. In this case, a security policy could be created on a security appliance to block the offending hosts’ attempts.
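The port-scanning case above, worked through as an added example that is not part of the original post: it counts the distinct ports each source was denied on in a set of constructed firewall log lines (the log format, the threshold of five ports and the deny-rule syntax are all assumptions for illustration, not any particular appliance’s), flags the sources that look like scanners, and renders a block rule per flagged host for review before it is applied.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines for this example (not from the original post).
SAMPLE_LOGS = """\
2024-05-01T10:00:01 DENY src=203.0.113.10 dst=192.0.2.5 dport=21
2024-05-01T10:00:01 DENY src=203.0.113.10 dst=192.0.2.5 dport=22
2024-05-01T10:00:02 DENY src=203.0.113.10 dst=192.0.2.5 dport=23
2024-05-01T10:00:02 DENY src=203.0.113.10 dst=192.0.2.5 dport=25
2024-05-01T10:00:03 DENY src=203.0.113.10 dst=192.0.2.5 dport=110
2024-05-01T10:00:03 DENY src=203.0.113.10 dst=192.0.2.5 dport=143
2024-05-01T10:00:04 ALLOW src=198.51.100.7 dst=192.0.2.5 dport=443
2024-05-01T10:00:05 DENY src=198.51.100.7 dst=192.0.2.5 dport=8080
2024-05-01T10:00:06 DENY src=203.0.113.11 dst=192.0.2.6 dport=135
2024-05-01T10:00:06 DENY src=203.0.113.11 dst=192.0.2.6 dport=139
2024-05-01T10:00:07 DENY src=203.0.113.11 dst=192.0.2.6 dport=445
2024-05-01T10:00:07 DENY src=203.0.113.11 dst=192.0.2.6 dport=3389
2024-05-01T10:00:08 DENY src=203.0.113.11 dst=192.0.2.6 dport=5985
"""

# Assumed log layout: timestamp, action, src=, dst=, dport= (hypothetical format).
LINE_RE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$"
)


def denied_ports_by_source(log_text):
    """Map each source address to the set of distinct ports it was denied on."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("action") == "DENY":
            ports[m.group("src")].add(int(m.group("dport")))
    return ports


def find_port_scanners(log_text, min_distinct_ports=5):
    """Sources whose denied attempts touched at least min_distinct_ports ports."""
    ports = denied_ports_by_source(log_text)
    return sorted(src for src, p in ports.items() if len(p) >= min_distinct_ports)


def build_block_rules(scanners):
    """One deny rule per flagged host, in a hypothetical appliance syntax."""
    return [f"deny ip from {src} to any  # flagged as port scanner" for src in scanners]


if __name__ == "__main__":
    for rule in build_block_rules(find_port_scanners(SAMPLE_LOGS)):
        print(rule)
```

The threshold is the tuning knob a Monitor & Manage review would revisit: set it too low and a single user probing two ports looks like a scanner, too high and a slow scan never trips it.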
A comprehensive security strategy starts with an understanding that it cannot be defined simply as a goal. It is a process that requires constant evaluation and adjustment. As environments, threats, systems, and applications change and evolve, the tools and methods we utilize as part of the process for securing our computing environments must also change.
To learn more visit: https://www.trace3.com/expertise/security