A Case for Multi-tiered Security
WHITE PAPER
Introduction
Perimeter network defense alone is insufficient to combat the full range of enterprise security
threats. A defense-in-depth approach focused on protecting the confidentiality and integrity
of data, while providing authenticated access to computing resources, is necessary to mitigate
today’s risks. Paradigm shifts, such as cloud computing, software-as-a-service, and remote
data warehousing, add significant challenges, as does the proliferation of sophisticated
botnets and small, inexpensive, high-capacity portable storage devices. This paper outlines a
balanced approach to enterprise security—defending the perimeter while protecting interior
services and critical data.
The Advancing Threat Environment
Business or mission impacts result when threats exploit vulnerabilities through an access
vector to affect targets, as shown in Figure 1. The relationship between these attack
components is many-to-many, with a large number of combinations yielding a vast set of
attack threads against which the enterprise must be protected. For the purpose of illustration,
we have used very coarse groupings; however, a further decomposition of threats, vectors,
and targets would reveal even more threads of potential vulnerability. This property, in which
an attacker may exploit multiple targets through multiple vectors in an attempt to produce a
given impact, reinforces the need for defense-in-depth to protect critical assets.
[Figure 1 (graphic not reproduced). Four columns, left to right: Threat (known exploit,
unknown exploit, hybrid/polymorphic exploit, social exploit; of internal or external origin),
Vector (technology, user applications, computing services/processes, infrastructure),
Target (data at rest, data in motion), and Impact (data loss/compromise, compliance
violation/liability, mission/business disruption, loss of confidence/reputation, increased
operating costs).]
Figure 1. Attackers use a range of exploits through multiple access vectors to impact targets
and damage the enterprise.
A Case for Multi-tiered Security White Paper 1
According to Gartner’s 2008 report on IT Security Threats1, cyber threats continue to evolve
and are driven by technology changes, as well as increased user trust and/or complacency.
Motivated by financial gain, attacks are becoming more focused and sophisticated as targets
have shifted from vulnerable PCs to websites and user data. Highly ranked vulnerabilities on
the Common Vulnerability Scoring System (CVSS) continue to soar, more than tripling from
2007 to 2008. Web and social networking sites are compromised with malware payloads,
while spear phishing techniques are used to deploy botnets over email. Data from Microsoft
Corporation’s Malicious Software Removal Tool indicates that, since late 2006, the
fastest-growing category of malware is botnet clients.
Serious incidents involving data compromise and loss, both deliberate and accidental, are also
on the rise. Portable storage, especially universal serial bus (USB) devices, enables uncontrolled
movement and modification of large volumes of data, resulting in information theft and loss.
Additionally, these storage devices provide another convenient means to bypass network-based
security and inject malware into the enterprise that can spread quickly to wired and wireless
technologies.
Figure 2 summarizes these challenges in the context of a typical enterprise. Threats use every
available vector to infiltrate an enterprise: witting and unwitting insiders, poor physical
security, lack of user security awareness, malicious downloads, weak authentication, limited or
no security monitoring, unauthorized access to applications, and even the supply chain. Once
in, threats propagate, multiply, steal, disrupt, and, above all, attempt to avoid detection and
remain persistent in the network.
[Figure 2 (graphic not reproduced). External threats on the public network(s) and threats
already inside the enterprise target its virtual “cloud” computing, business and mission
systems/servers, data repositories, end-user systems, communications infrastructure, mobile
systems, portable assets, and users; at each location data is shown in its three states: at
rest, in motion, and in use.]
Figure 2. The enterprise is threatened from both internal and external sources targeting data, technology, and users.
Countermeasure Analysis
Perimeter defense is a fundamental component of an enterprise defense-in-depth solution.
Designed primarily to mitigate external threats, it includes network-based firewalls, intrusion
detection systems, and intrusion prevention systems. These technologies can be signature-based
or attempt to detect traffic anomalies through statistical traffic and/or log analysis.
Implementations range from basic header filtering to stateful deep packet inspection.
As shown in Figure 3, typical deployments of perimeter defenses first aggregate external
connections through common gateways to limit the number of protection points.
[Figure 3 (graphic not reproduced). Threats on the public/external network(s) pass through a
border gateway into the perimeter defense system(s), which apply real-time inspection driven
by signatures, thresholds, policy/rules, and statistics before traffic reaches the systems and
resources, data, and users of Enterprises A, B, and C behind the gateway.]
Figure 3. Perimeter defense systems focus on keeping external threats from penetrating the enterprise.
Protection is then applied at the aggregate, high-speed demarcation point into the public
or transport network. While this is a prudent approach to reducing risk, its effectiveness is
dependent upon a defined and functioning set of security policies governing the entire network
using the external connection. If the external connection is servicing multiple networks with
differing policies (for example, acceptable user applications), establishing the real-time rules
and statistics needed by the perimeter defense technology will be problematic.
Complicating matters, today’s applications (and malware) use tunnels, masquerading, spoofing,
and encryption to bypass network-based controls and hide in normal traffic. The larger and more
heterogeneous the enterprise becomes, the higher the “noise floor” becomes, making it more
difficult to distinguish normal behavior from threat behavior, and to identify covert channels.
Cloud-computing services, such as those offered via Google and Amazon, store and process
data on virtual machines located beyond the client’s enterprise. This growing trend, promising
increased reliability, availability, and lower cost, has been hailed as the next big step in
computing. However, from a security perspective, it reduces the applicability of perimeter
defense, as it blurs the line defining the “perimeter.” In this paradigm, any assumption of
privacy or confidentiality is naive, and users are advised to adopt technologies such as
encryption, identity management, and controlled access.
The traditional perimeter-centric security philosophy assumes that perimeter defenses “keep
the bad guys out” and ensure that sensitive data is only accessed by trusted users within the
enterprise. While the perimeter provides one layer of protection, as depicted in Figure 4, sensitive
data continues to escape the enterprise at an increasing frequency. As described on the National
Institute of Standards and Technology’s (NIST’s) National Cyber Security Fact Sheet2: “Many
of today’s tools and mechanisms for protecting against cyber attacks were designed with
yesterday’s technology in mind. Information systems have evolved from room-size computer
workstations shut off from the rest of the world to ubiquitous mobile devices interconnected by
a global Internet. In this diverse ecology of communication devices, no cyber security solution
works on all operating systems and can protect every type of computer and network component.”
In fact, today’s enterprise networks include so many teleworkers, branch offices,
network-capable smartphones, and removable media platforms that traditional security solutions
designed to protect network systems are no longer adequately protecting the data. In addition, a
perimeter-based approach does not address insider threats, nor the real-world problem in which a
single breach of the perimeter defense gives unauthorized parties free access to the data behind it.
[Figure 4 (graphic not reproduced). Concentric rings of defense around “Sensitive Data”:
Physical Security (structures, barriers, …), Network Security (firewalls, anti-virus, intrusion
detection), Infrastructure, and Identity and Access Management (tokens, PKI, …).]
Figure 4. Sensitive data is escaping despite state-of-the-art perimeter defenses.
Additional security layers are needed to protect the enterprise from unauthorized connections
within the network. This includes security technologies such as user authentication, device
authentication, network access control, and comprehensive wireless security. It is imperative to
also protect the data itself using strong encryption and key management technologies to prevent
inadvertent loss, intentional theft, or malicious injection of data.
To highlight the benefits of a multi-tier security approach, consider the following scenario.
An attacker, or an unwitting user, introduces self-propagating malware (i.e., a worm) from a
USB portable storage device directly into the enterprise network via a host USB port.
The worm contains a bot client designed to search for data of interest and exfiltrate it
slowly over time using various covert channels. In this scenario, unless this botnet is well known
and has been analyzed, perimeter defenses are highly unlikely to detect its first communications
with the bot-herder or master. The bot will likely operate for some time before detection,
especially if it is polymorphic (changing its signature regularly) or if its communications with
the bot-herder are spaced in an irregular pattern that does not stand out from normal traffic.
Upon suspicion of a compromise, perimeter defenses would be focused and fine-tuned in an attempt
to detect and disrupt the covert channel. However, by the time perimeter defenses succeed,
considerable data will likely have been compromised.
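Perimeter tooling that works from thresholds and statistics (Figure 3) can still catch the bot in this scenario when its check-ins are regular. The block below is an added example, not part of the paper: it runs a simple periodicity test over a constructed proxy-log excerpt (the addresses, timestamps and byte counts are made up for the example) and flags any source/destination pair whose inter-connection gaps have a low coefficient of variation. The same run shows the paper’s point about spacing: a second bot that contacts its master at irregular intervals passes unflagged, which is why the host- and data-level countermeasures that follow are needed. The thresholds (six events, coefficient of variation at most 0.2) are assumptions for the example, not values from the paper.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log excerpt for the example (not real traffic): "<ISO time> <src> <dst> <bytes>".
# 10.0.5.21 -> 203.0.113.9 : bot client checking in every ~5 minutes with a few seconds of jitter
# 10.0.5.22 -> 198.51.100.4: a person browsing, bursts and long idle gaps
# 10.0.5.23 -> 192.0.2.77  : a second bot that deliberately spaces its contacts irregularly
SAMPLE_LOG = """\
2009-03-02T10:00:00 10.0.5.21 203.0.113.9 412
2009-03-02T10:00:12 10.0.5.22 198.51.100.4 18720
2009-03-02T10:00:40 10.0.5.22 198.51.100.4 2210
2009-03-02T10:02:00 10.0.5.23 192.0.2.77 390
2009-03-02T10:03:15 10.0.5.22 198.51.100.4 9340
2009-03-02T10:05:01 10.0.5.21 203.0.113.9 398
2009-03-02T10:09:00 10.0.5.23 192.0.2.77 401
2009-03-02T10:09:59 10.0.5.21 203.0.113.9 405
2009-03-02T10:11:02 10.0.5.22 198.51.100.4 51200
2009-03-02T10:11:05 10.0.5.22 198.51.100.4 700
2009-03-02T10:15:02 10.0.5.21 203.0.113.9 410
2009-03-02T10:20:00 10.0.5.21 203.0.113.9 399
2009-03-02T10:24:58 10.0.5.21 203.0.113.9 402
2009-03-02T10:26:30 10.0.5.22 198.51.100.4 1200
2009-03-02T10:27:10 10.0.5.22 198.51.100.4 3300
2009-03-02T10:30:01 10.0.5.21 203.0.113.9 407
2009-03-02T10:35:00 10.0.5.21 203.0.113.9 411
2009-03-02T10:40:00 10.0.5.23 192.0.2.77 388
2009-03-02T10:42:00 10.0.5.23 192.0.2.77 395
2009-03-02T10:45:00 10.0.5.22 198.51.100.4 27000
2009-03-02T11:37:00 10.0.5.23 192.0.2.77 403
2009-03-02T11:50:00 10.0.5.23 192.0.2.77 392
2009-03-02T12:31:00 10.0.5.23 192.0.2.77 399
2009-03-02T12:33:00 10.0.5.23 192.0.2.77 387
"""

EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Group connection times (seconds since epoch, timezone-free) by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts) - EPOCH).total_seconds())
    return events


def gap_stats(times):
    """Mean inter-connection gap and its coefficient of variation (stdev / mean).
    A periodic beacon has a CV near 0; human traffic and irregular bots have a CV near or above 1."""
    times = sorted(times)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    period = mean(gaps)
    return period, (pstdev(gaps) / period if period else 0.0)


def find_beacons(events, min_events=6, max_cv=0.2):
    """Return the pairs that look like regular check-ins: enough events and a low-variance period."""
    hits = {}
    for pair, times in events.items():
        if len(times) < min_events:
            continue
        period, cv = gap_stats(times)
        if cv <= max_cv:
            hits[pair] = {"period_s": round(period), "cv": round(cv, 3), "events": len(times)}
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for pair, stats in find_beacons(evts).items():
        print("beacon", pair, stats)
    for pair in evts:
        print(pair, "cv=%.2f" % gap_stats(evts[pair])[1])
```

Only the 10.0.5.21 pair is reported (period 300 s, CV under 0.01); the irregular bot at 10.0.5.23 has a CV around 0.9 and looks no different from the browsing user, exactly the evasion the scenario describes.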
Three principal countermeasures should be applied to protect against this scenario.
1. Technical enforcement of policy governing controlled use of all external interfaces on host
computers. Since this scenario involves deliberate misuse, administrative controls and
physical security are not sufficient, and interfaces need to be either disconnected or logically
controlled by software.
2. Data at rest should be encrypted. This would not prevent the exfiltration, but it would prevent
compromise, as the exfiltrated data would be unreadable ciphertext. This holds only when the
decryption keys are not available to the compromised process: whole-disk encryption on a
running, unlocked host is transparent to malware executing as the logged-in user, so file- or
application-level encryption whose keys are held outside the endpoint is what makes this
countermeasure effective against the bot.
3. Critical data and access to resources should be protected using multi-factor authentication.
This would limit the data and resources the worm could reach, even if it is capable of
capturing user names and passwords, because the second factor is derived from a secret the
worm does not hold and a captured one-time code cannot be replayed once its validity window passes.
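Countermeasure 3 rests on a second factor that a captured password does not give away. The following is an added example, not code from the paper, showing the mechanics with a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238): the one-time code is computed from a secret enrolled on the user’s token, so a bot that has harvested the user name and password, or even an old code, still fails the login check. The demo account, its salt, the fixed clock, the ±1-step skew window, and the use of PBKDF2 as the password hash are assumptions made for the example; the RFCs’ published test vectors are used for the token secret so the values can be checked against the standards.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept a code for the current step or `window` steps either side (clock skew).
    Constant-time comparison so a remote caller gets no per-digit timing oracle."""
    current = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, digits), candidate)
               for c in range(current - window, current + window + 1))


# Assumption for the example: PBKDF2-HMAC-SHA256 stands in for the site's password KDF.
SALT = b"constructed-per-user-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def login(user: str, password: str, code: str, now: int, accounts: dict) -> bool:
    """Two-factor check: correct password AND a valid TOTP for that user's enrolled secret."""
    acct = accounts.get(user)
    if acct is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password), acct["pw_hash"])
    return pw_ok and verify_totp(acct["totp_secret"], code, now)


# Constructed demo account. The token secret lives on the user's hardware or phone token;
# a bot that keylogs the password never sees it.
ACCOUNTS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",  # RFC 6238 SHA-1 test-vector secret
    }
}


def demo() -> dict:
    now = 1111111109                      # fixed clock (an RFC 6238 test time) for reproducibility
    good = totp(ACCOUNTS["alice"]["totp_secret"], now)
    return {
        # the legitimate user with password and a fresh code from the token
        "legit_user": login("alice", "correct horse battery staple", good, now, ACCOUNTS),
        # the worm replays the captured password with a guessed second factor
        "password_only": login("alice", "correct horse battery staple", "000000", now, ACCOUNTS),
        # a captured code replayed four time steps (120 s) later is outside the skew window
        "stale_code": login("alice", "correct horse battery staple", good, now + 120, ACCOUNTS),
    }


if __name__ == "__main__":
    print(demo())
```

The skew window is the usual trade-off: wider windows tolerate drifting clocks but lengthen the period in which a stolen code is replayable; one step either side is a common default.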