Welcome

Dan Griffin

Welcome to the 26th edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.

The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.

Keep High-Value Assets in a Stronghold

How Can You Protect Your Assets?

De-perimeterization is a recent buzzword. The thinking goes something like this: it is really hard to keep your enterprise network free of unmanaged assets, so don’t even try. Instead, security solutions attempt to protect every server equally, whether it is solely internal or exposed to the internet. Moreover, there is little differentiation in authorization policy or in the level of authentication required. In this way, the security industry is moving in the wrong direction. You can’t treat the network perimeter as completely porous, treat all endpoints as equivalent, and then expect risk to be evenly distributed across assets.

A better solution: high-value assets must be identified and placed within a distinct perimeter. The perimeter must support performant collaboration within and without, as required by the business. We call the servers and networks within that perimeter a Stronghold.

A Stronghold Is an Onion

Medieval castles had a keep for protection of high-value assets from incursions that overwhelmed the castle walls. Similarly, a server Stronghold keeps secrets—such as cryptographic keys, strategic plans, and trade secrets—that have very high value to the enterprise.

The attached figure shows the layers of protection with the data inside the enterprise shown as (1) mid-value, the data in the Stronghold as (2) high-value and the data in the Keep as (3) very high-value. These levels are sometimes labeled as (1) Confidential, (2) Secret and (3) Top Secret.

There are two paths shown in the figure. The first path shows how requests pass into the deepest layers of security. Once a request is generated inside the enterprise, the request is passed through the following layers of the “onion”:

  1. The request must be generated inside the corporation (Layer 1).
  2. The request must pass through a gateway that understands the privilege level of the requestor.
  3. The request goes to a process inside the Stronghold (2) that only talks to the gateway.
  4. The request is processed and passed to a service that only talks to the Keep gateway.
  5. The Keep gateway understands the privilege level of the Stronghold service.
  6. The request is passed to a service inside the Keep (3).

There are several important points to the path taken by the request:

  1. The Kill Chain is a set of independent processes all of which can block (kill) an attack.
  2. The gateways (consisting of firewalls, intrusion detection systems (IDS) and/or intrusion prevention systems (IPS)) can evaluate the source, destination and contents of the request to ensure that all are valid.
  3. Processes only talk to gateways at one level. Processes should never be configured to talk up or down the layer protection chain. That means each process is a distinct link in the kill chain.
  4. The result of processing the request should also pass back through the full Kill Chain to give many opportunities to block exfiltration of high-value data (Data Loss Prevention, DLP).

Independent of the request Kill Chain is a set of nested security and network monitors. The security monitor within each layer of the onion has full knowledge of every server, network device, user, role, application and service permitted to operate at that level. As each component performs its function, it reports the result to the security monitor in the form of audit events. Every event that does not fit the known good pattern triggers a security incident for evaluation.
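As an added example (not from the article, and not JW Secure's own tooling), here is a small Python model of the security monitor just described: a known-good inventory of components with their layer, the permitted hops of the request path from the figure, and a check that flags any audit event that does not fit that pattern. All component names and audit events are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    layer: int            # 1 = enterprise, 2 = Stronghold, 3 = Keep
    gateway: bool = False

# Hypothetical inventory: everything the monitor permits to operate, by layer.
INVENTORY = {c.name: c for c in [
    Component("hr-app", 1),
    Component("stronghold-gw", 2, gateway=True),
    Component("plans-svc", 2),
    Component("keep-gw", 3, gateway=True),
    Component("hsm-signer", 3),
]}

# The known-good request path: each process talks to exactly one gateway.
# Results are allowed to flow back along the same hops in reverse.
PERMITTED_HOPS = {("hr-app", "stronghold-gw"), ("stronghold-gw", "plans-svc"),
                  ("plans-svc", "keep-gw"), ("keep-gw", "hsm-signer")}

def check(event, inventory=INVENTORY, hops=PERMITTED_HOPS):
    """Return None if the hop fits the known-good pattern, else an incident reason."""
    src, dst = event["src"], event["dst"]
    for name in (src, dst):
        if name not in inventory:
            return f"unknown component {name!r}"
    s, d = inventory[src], inventory[dst]
    if abs(s.layer - d.layer) > 1:
        return f"{src} -> {dst} skips a layer"
    if s.layer != d.layer and not (s.gateway or d.gateway):
        return f"{src} -> {dst} crosses a layer without a gateway"
    if (src, dst) not in hops and (dst, src) not in hops:
        return f"{src} -> {dst} is not a permitted hop"
    return None

def triage(events):
    """Return (event id, reason) for every event that should open an incident."""
    incidents = []
    for e in events:
        reason = check(e)
        if reason is not None:
            incidents.append((e["id"], reason))
    return incidents

# Constructed audit events: one full request path, one result hop, then anomalies.
EVENTS = [
    {"id": 1, "src": "hr-app", "dst": "stronghold-gw"},
    {"id": 2, "src": "stronghold-gw", "dst": "plans-svc"},
    {"id": 3, "src": "plans-svc", "dst": "keep-gw"},
    {"id": 4, "src": "keep-gw", "dst": "hsm-signer"},
    {"id": 5, "src": "hsm-signer", "dst": "keep-gw"},      # result flowing back
    {"id": 6, "src": "hr-app", "dst": "keep-gw"},          # bypasses the Stronghold
    {"id": 7, "src": "plans-svc", "dst": "hsm-signer"},    # into the Keep, no gateway
    {"id": 8, "src": "rogue-box", "dst": "stronghold-gw"}, # not in the inventory
    {"id": 9, "src": "hsm-signer", "dst": "hr-app"},       # direct exfiltration path
]
```

Every hop on the known-good path passes silently; the four anomalies each produce an incident with a reason the analyst can act on.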

Some vendors combine intrusion detection with intrusion prevention in a single product. That combination is better than no solution, but it is not best practice. Returning to the Stronghold metaphor, the IDS is like a patrolling night watchman and the IPS is like a gatekeeper.

Mechanisms to Protect Devices in the Stronghold

Devices in the Stronghold must be as secure as feasible. That means that Stronghold devices must:

  1. Be built of secure components, and
  2. Maintain security in the face of daily use and administration.

Our recommendation is to create an image (aka Golden Build) to show how the application should be constructed in the first place. Then deploy a configuration management and reporting support system that allows updates and that verifies that all devices within the Stronghold remain secure.

At the physical device level we recommend the use of trusted platform modules (TPMs) and a remote platform attestation solution in order to enforce high-assurance measurement of security compliance. We also recommend the use of UEFI secure boot, including for virtual machines.

There are a variety of tools for setting and testing aggregate server configuration within the Stronghold datacenter. One new tool is the Desired State Configuration feature of PowerShell 4. Another is System Center Configuration Manager. Whichever mechanism is chosen, be sure that it is attached to a high-quality Security Information and Event Management system.

Call to Action

The major takeaways for this article should be a better understanding of these concepts:

  1. De-emphasis of the protection perimeter at the enterprise level increases the need for perimeters within the enterprise.
  2. Some data is more valuable than other data and needs deeper protections.
  3. Key business processes are dependent upon secure, efficient access to high-value data. Provide that service with a Stronghold.
  4. A Kill Chain between the attacker and the high-value assets should be both long and strong. As with a load-bearing chain, disabling a single link that cannot be bypassed is enough to kill an attack.
  5. Some attacks, both malicious and accidental, can be initiated by insiders. Monitoring is the best defense.

JW Secure has been supporting de-perimeterization with our StrongNet and Four Pillars of Endpoint Security solutions for many industries throughout the years. Contact JW Secure at sales@jwsecure.com to learn more about our extensive experience in Strongholds for internal data-loss prevention or in StrongNet for external data-loss prevention.

Read More

Security Intelligence: Attacking the Cyber Kill Chain – The SANS Institute
Practical Risk Analysis and Threat Modeling Spreadsheet from the SANS institute
Cyber Threat Metrics – A Sandia Report – March 2012