Understanding Strategies€¦ · Understanding Defense in Depth Strategies David Lespier...

Understanding Defense in Depth Strategies

David LespierCISSP‐ISSEP, ISSMP, PMP, ITIL, CEH, MCITP

[email protected]

AFCEA Tucson ‐ Cybersecurity Collaboration Forum (CSCF)

20 May 2016

What is Defense in Depth?

• Originally a military strategy developed to defend strategic assets by creating layers of defense to delay the attack and force the attacker to expend an unstainable amount of resources. Leaving them vulnerable to counter attacks and ultimately defeat through attrition.

• A “best practices” strategy relying on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the protection capability, cost, performance, along with operational considerations.

• A methodology to ensure the breach or failure of any single security control or layered defense is insufficient to result in the compromise of a host or network.

AFCEA Tucson ‐ Cybersecurity Collaboration Forum (CSCF) – 20 May 2016 2

Finding The Right Balance: Security ‐vs‐Capability

• High security often comes with reduced capability.

• Capability restrictions may impact organizational objectives.

• Security must be tailored to the organization’s requirements.

• Understand organizational objectives and requirements before settling on any security architecture or solution.

SecuritySecurity CapabilityCapability


How Many Layers Do You Need?

• Defense in Depth is NOT a one size fits all solution.

• The number and types of layers are dependent on the organization’s requirements and must be tuned to maximize effectiveness without obstructing business operations.

• A generic example:


1. Physical Security 2. People, Policies, Procedures

3. Network Architecture 4. Network Security / Services

5. Host Level Security6. Application Level Security

7. System or Data Specific Security

Layer 1 ‐ Physical Security:A Datacenter example

• Location:• Away from Corporate office.

• Avoid areas prone to natural disasters.

• Redundant utilities:• Separate power grids and water supplies.

• Dual voice and data circuits.

• Construction:• True floor to ceiling walls.

• Steel reinforced concrete.

• Limited windows if any at all.

• 360˚ perimeter around facility:• Clear line of sight 100 feet around the

facility.

• Dedicated vehicle entry points:• Control parking and commercial deliveries.

• Limit vehicle proximity to facility.

• Limited entry points:• One main entrance for staff and visitors.

• Multiple one‐way emergency exits.

• Internal and external CCTV.• Consider motion detection, PTZ, and

lighting.

• Secure facility HVAC, UPS, and generator equipment.

• Two‐factor access control and authentication.


Layer 2 ‐ People, Policies, Procedures:

People

• Background investigations

• Security Clearance**

• Training & Certification

• Job Experience

• Separation of Duties

** DoD and Government only

Policies

• Mandatory training

• Acceptable Use

• Privileged Access

• COOP and DR

• Information Assurance

• Vulnerability Management

• Incident Response

• Data handling • PII, HIPPA, Classified**


Procedures• Incident Handling

• Detection, Response, Reporting, Cleanup

• COOP Initiation Plan

• Triggers, How, Objectives, Location, Critical Services / Capabilities

• Disaster Recovery Plan

• Recovery Timeframes, Hardware, Software, Data Recovery, Location

• Vulnerability Management

• Scanning, Patching, Continuous Monitoring

Layer 3 ‐Network Architecture:

• Boundary Security:

• Perimeter Firewall w/ DAPE ruleset.

• IPS monitoring:

• Strategic placement of sensors to ensure visibility of all network traffic.

• Dedicated DMZ:

• Isolated enclave for all internet and/or WAN accessible services.

• Encrypted VPN:

• Secure network access for remote sites and road warriors.

• Tunnels terminate at FW for IPS inspection of all remote traffic.



• Data Center FW:

• Strict control of in / out bound traffic to necessary and authorized ports, protocols, and services.

• Traffic Separation.

• Leverage VLANs to segregate network traffic. (i.e. separate wireless and wired traffic).

• IPS Monitoring:

• Strategic placement of sensors to ensure visibility of all LAN traffic to include Data Center access.


• Sandboxed R&D Lab:• 100% isolated lab provides max security for both research initiatives and prevents contamination of the Local LAN.


• Perimeter:• Boundary Security.

• IPS Monitoring.

• Dedicated DMZ.

• Encrypted VPN.

• Local LAN• Data Center FW

• Traffic Separation.

• IPS Monitoring.

• Sandboxed Lab.


Layer 4 ‐Network Security / Services:

• Firewall ACLs:

• In and Outbound rules.

• Deny All Permit by Exception (DAPE).

• Intrusion Detection / Prevention:

• Heuristic or Signature based.

• Tuned to the environment.

• Wireless Monitoring.

• Forward and Reverse Proxies:

• Web content filtering.

• Load balancing.

• IPsec / SSL Encryption:

• Remote access VPN.

• Point‐to‐Point tunneling.

• Traffic Analysis:

• Full packet capture & playback.

• Forensics.

• Logging:

• Remote logging (SYSLOG).

• Event forwarding & correlation.


Layer 5 ‐ Host Level Security:

• Physical Security:

• Secure Data Center with locking racks/cabinets, alarm system, and CCTV.

• Cable locks for mobile system.

• OS Management &Hardening:

• Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG)**.

• NIST 800 Series Special Publications & Security Configuration Checklists .

• Vulnerability Mitigation:

• Repeatable vulnerability scanning processes/procedures.

• Test and implement vendor security updates and bug fixes.

• Common Vulnerabilities and Exposures (CVE) tracking and mitigation.

• Backup & Recovery

• Test and validate recovery processes and media at regular intervals.

• Consider encryption and offsite storage of backup data.



Layer 5 ‐ Host Level Security:

• Host Based Firewall:

• Deny All Permit by Exception (DAPE) ACLs.

• Limited number of “trusted” networks/hosts.

• Host Based IDS/IPS:

• Tune signatures to the operating environment and applications deployed.

• Anti‐Virus

• Leverage current virus definitions from the vendor.

• Utilize Incident Handling procedures to mitigate quarantined and unhandled infections.

• Data Loss Prevention (DLP):

• Secure vital, sensitive, and/or classified** information from unauthorized exposure and duplication.

• Encryption:

• Data at Rest (DAR) encryption for mobile systems.


Layer 6 ‐Application Level Security:

• Application hardening:• Best practices for Web and Database technologies.

• Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG)**.

• NIST 800 Series Special Publications & Security Configuration Checklists .

• Account management:• Use a defined access control methodology (Discretionary, Role based, etc.).

• Leverage Two Factor Authentication or enforce strict password length, expiration, and lock‐out requirements.

• Track inactivity and disable or delete unused accounts.

• Unnecessary components and/or services:• Limit attack vectors by removing or disabling unnecessary ports, protocols, and services.

• Define and document system baselines (i.e. track and maintain system integrity)

• Embedded third party components:• Require special consideration and coordination with vendors for support.

• Often go unpatched and can represent a significant risk.• Examples: Java, Apache / TomCat, Databases, etc.



Layer 7 ‐ System or Data Specific Security:

• Unique security requirements derived from specialized systems and/or data sets.

• Common with systems/data requiring extreme levels of Integrity or Confidentiality:• Examples include: DoD, National Security, Healthcare, and Payment card processing systems.

• Additional requirements may consist of:• Technical:

• Dedicated systems and/or networks for isolation of classified, sensitive, or highly confidential data.

• Air‐gapped systems with no remote or external connections.

• End‐to‐end encryption for data in transit and at rest.

• Administrative:

• Specialized training or certification for users and system administrators.

• Non‐disclosure agreements.

• Comprehensive background checks or security clearances (DoD, DoE, etc.)


Known issues with Defense in Depth:

• Can lead to a false sense of security fueled by a “Too Big to Fail” mentality:

• Unfounded confidence in a large and complex security solutions.

• Blind faith administrators have it covered and never abuse privileges or miss a patch.

• Over confidence in a workforce’s ability to identify and take appropriate measures against social engineering or phishing attempts.

• Cannot be implemented as originally intended:

• Counter attacks to destroy or disrupt the attacking enemy is key to the original intent of Defense of Depth.

• No ROI, ethics, legality and already strained resources make counter attacks all but impossible.

• This leaves organizations with no way to halt a constant barrage of attacks.

• The threats have evolved into a Sustained Cyber‐Siege:

• Today’s corporate, government and military networks are under constant attack by persistent threats with virtually unlimited resources. Defense in Depth was never intended to combat an endless wave of attacks.

• Attackers are ignoring the perimeter and bypassing layered security by focusing on client‐side attacks.

• Advanced Persistent Threats are used to gain a foothold and avoid detection through encryption or masquerading as legitimate traffic.


Known issues with Defense in Depth:

•The Insider Threat:• One of the hardest threats to counteract and defend against:

• Attacks are carried our by trusted individuals, typically operating inside defensive measures or with the ability to circumvent existing security controls.

• Insiders are familiar with organizational policies, procedures, incident response protocols, etc.

• Security controls to reduce or prevent insider threats:• Have a higher impact on workforce flexibility and responsiveness.

• Are commonly viewed by administrators as cumbersome and unnecessary.

• Come with a higher overhead costs realized through expensive security solutions and performance delays caused by the additional security measures.


Gaps In The Wall:Metrics from the Verizon® 2015 Data Breach Investigation Report

• A few notable issues from last year:

• Lack of persistent vulnerability tracking and mitigation:• 99.9% of exploited vulnerabilities were

compromised more than a year after the CVE was initially published.

• You are the weakest link:• On average 23% of recipients will open a

phishing email and 11% will open the attachment.

• In a test comprised of 150,000 phishing emails, nearly 50% of users open e‐mails AND click on phishing links within the first hour of delivery.

• The Insider:• In 55% of the incidents associated with the

Insider Misuse threat landscape were attributable to individuals abusing the access they had been entrusted with.


Filling The Gaps:

• Many of these shortfalls can be categorized as: • Poorly enforced and/or documented policies and procedures.

• Lack of training (both initial and refreshment).

• Insufficient oversight and monitoring.

• Suggestions:• Implement a Continuous Monitoring program to review and improve IA controls and

policies:• NIST SP800‐137, Information Security Continuous Monitoring (ISCM) for Federal Information

Systems and Organizations.

• Make security focused training mandatory, track compliance and refresh training at least annually:• Cover key areas such as : Social Engineering, Credential management, How to detect and

respond to threats.

• Trust but verify:• Monitor and audit administrator actions and leverage separation of duties whenever possible.


Questions?


Understanding Strategies€¦ · Understanding Defense in Depth Strategies David Lespier...

Documents

Transcript of Understanding Strategies€¦ · Understanding Defense in Depth Strategies David Lespier...