Managed Services: Security
Jade Networks helps companies with the design, implementation, deployment, management and outsourcing of enterprise networks. We also help in areas including disaster planning and recovery, policy planning and analysis, network and vulnerability assessment, network automation, backup, and others. Our managed services focus on both the operational and security aspects of enterprise networks. We break these services apart into Security, Monitoring, and Analysis/Response Systems however all are tightly related and are treated separately for descriptive purposes only. This document describes Security Systems.
We are also actively involved in designing and building new security tools. The Jade Unified Security Framework (USF) is a thin extendable security layer providing easy to use hooks for applications and security components to control network security settings. The first version of the USF is complete and in use and includes tools for the manipulation of firewall IP block rules (timed and static) by any machine on the network. Command line tools are also provided to run and maintain the Jade DNSBL spam defense. These tools provide the basic network hooks needed to easily communicate and configure network routers, switches, IPS and other systems. The second version of the USF will have tighter SIEM and IDS integration.
Security, in it’s many forms, is a hot topic today. We’ve all heard about how criminals wreak havoc on companies and individuals many ways, including identity theft, denial of service (DOS) attacks, viruses and worms, and many more. They exploit vulnerabilities anywhere they can find them, from the lower network layers up to the applications and social networking. It is critically important for companies and individuals to take these threats seriously and protect themselves where they can.
Securing network assets and information can be a very complex and time consuming endeavor. Nothing is sacred to the criminals wanting to exploit an organization or its resources. Motives include direct financial gain (theft), abusing resources as an attack base against other organizations, theft of services (DOS), and targeting of corporate information and/or users. All infrastructure elements, including the human ones, need to be addressed to provide true protection. Vulnerabilities anywhere can provide the criminal the opening they need to gain access.
When we discuss managed security we combine traditional security with operational management. Many of the controls necessary to monitor and manage one can be applied to the other. Our focus is being able to provide business directed services for our customers, partners, and staff. Security is clearly critically important however so is maintaining operational integrity. Having adequate security but not being able to keep services running misses the point of building enterprise networks in the first place. Our focus is managing networks which are both secure and perform at or above the levels needed.
The Myth of Absolute Security and Risk Management
Let’s get one thing out of the way first – if you’re looking for absolute or perfect security you won’t find it. It doesn’t exist. No matter what the slick salesman tells you, no product or set of services can deliver on this promise. They never could and never will. Security is an area that is managed. If done well the important holes will be filled and all will be well. This is often referred to as risk management – understanding where the known remaining vulnerabilities remain and isolating them the best you can. By understanding risk tolerance, security activities can be prioritized, allowing organizations to make informed decisions about future expenditures.
If you still don’t believe this, let’s illustrate using a somewhat simple and silly example. Say you have to protect your son’s piggy bank which holds the loose change he’s been collecting for the past six months or so. Not a lot of money but it’s important to him. You could put it in a safe and lock it up. But then a thief could always steal the safe or break into it using other means. If you had infinite resources you could build a fortified structure like Fort Knox to hold the safe. That would get you pretty close as there would be few thieves willing to go to the expense and trouble to steal a piggy bank with that much security in place. There is always the extremely small chance however that a plane or other object could crash down physically destroying the facility (substitute your favorite natural disaster here if you prefer). The point is that you can get close to your goal, but never quite get to 100% security. And you’ve long passed the point of diminishing returns very early on.
So you say this is nonsense and has no bearing on IT security. OK, in that case change the piggy bank to your favorite server and the information stored on it. Unlike the piggy bank example now the thief has real motive to steal as there is the prospect of far more valuable assets to take. Instead of only worrying about physical security, now we have to worry about network security, application security, social engineering attacks and using mobile devices (wifi, web access, thumb drives, etc). If you could not provide absolute protection for the little piggy bank, how are you going to do it with so many more ways an attacker can get in? It simply can’t be done. But by making it more and more difficult (and expensive) for an attacker to get in, we can get close and through proper risk management have enough locked down that everyone should be able to sleep well at night.
Security Classifications
Threats and attacks can come from anywhere and at anytime. It only takes one successful breach to put an organization at risk so all attack surfaces need to be protected. There is no single way to protect an enterprise as most countermeasures target a specific class of attacks. A proper security framework breaks the problem down by type and establishes defense layers which are then managed separately. It’s possible to break security down many different ways however for our purposes we focus on the following aspects:
- Physical
- Network
- Application
- Operating Systems
- Social Engineered Attacks
Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism and terrorism. [1] Three important components of physical security include: access control, surveillance and testing. For a more in-depth review, please see Physical Security and Why It Is Important (SANS Institute InfoSec Reading Room).
Network security describes the policies and procedures used to avoid and keep track of unauthorized access, exploitation, modification, or denial of the network and network resources. The term covers a wide range of technologies and areas including authentication, protocols (network and application layer), information (data), devices (routers, switches), and security components (firewalls, intrusion detection and protection systems, network management systems, SIEM, etc.). Threats in this area often are directed at the lower layer networking protocols such as TCP, IP, UDP and ICMP.
Application security is actually a subset of network security but broken out here to separate application layer threats from the lower layer threats mentioned above. Any threats to applications or end-user services fit into this category. Authentication attacks against standard services (SSH, SIP, SMTP, POP3, IMAP, LDAP, HTTP to name a few) are common. Other application layer issues include backend services such as DNS (amplification DOS attacks for instance). A wide range of threats span web services including cross-site scripting and attacks on specific applications (WordPress or Drupal CMS systems for instance).
Operating systems are often the ultimate target of many attacks. OS security deals with confidentiality, integrity and availability of system resources. Other related areas include patch management (making sure all software is properly updated) and license management. Other areas covered include the protection of the integrity of server and device operating systems, the applications that run on them, and files from unauthorized access or modification.
Social engineered attacks refer to psychological manipulation of people to perform actions or divulge confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme., but at the same time, with proper end-user education are the easiest to protect against. [2] Common social engineered frauds include baiting, phishing, pretexting, quid pro quo, spear phishing and tailgating. These types of attacks are commonly found in spam email and fraudulent websites. Spam provides a simple way for criminals to get viruses, worms, trojans, and other similar malware installed on the local network. For more information on spam, what it is and how to detect, see our What Is Spam page. Additional resources which go into much greater depth on social engineered attacks can be found at:
- What is social engineering? How criminals take advantage of human behavior (IDG)
- What is Social Engineering? Defining and Avoiding Common Social Engineering Threats (Digital Guardian)
- What is Social Engineering? Examples & Prevention Tips (WebRoot)
There are many tools available for defending against web and email social networking attacks which in some situations can be effective. The best defense against this type of threat however is regular end-user education.
Define What You Need To Defend
The first step in establishing a suitable security framework is the evaluation of what needs to protected (sorted by priority) and then the determination how these assets might be compromised (vulnerabilities). Countermeasures can then be established consistent with the corporate security policy. These range from procedural, administrative and physical for people type problems to more technical solutions for direct infrastructure attacks. The choice of tools and solutions is heavily dependent upon what needs to be protected and available tools. Vulnerabilities in the network itself are often addressed with a combination of firewall, intrusion prevention systems, and host based countermeasures. Vulnerabilities at the application layer are often handled by specialized firewalls (HTTP), within the applications themselves, or in combination with other security specific tools (anti-virus, email spam detectors, dns amplification detectors, etc).
Important: All machines should undergo regular audits to compare the actual services that are being run against what is officially designed to run in a given environment. System upgrades or breakdowns in communication between admin groups can result in unnecessary services being launched. Make sure that the only services being run are what you really need and shut everything else down. This way you know precisely what needs to be protected and extra resources are not spent protecting the rest. The worst case is when unnecessary (or unknown) running services provide potential unmonitored holes in your defense which attackers can exploit. If a service is not needed, shut it down.
Some attacks can be detected as they occur. For these either the machine or application detecting the attack can act on their own, or they can log the attack for later detection and formal incident generation by an external monitoring system. Sometimes both approaches may be taken for a detected problem. On our systems, certain types of lower layer network attacks are handled directly by the Linux kernel (IPSET/IPTABLES) while at the same time generating syslog records to be picked up by one of our SIEM servers. The kernel action is immediate based on current traffic whereas the SIEM server is able to correlate these problems by type, IP address and across time to see the bigger picture of a potential attack and take different action. Resource usage and similar metrics are monitored and handled by our Network Management systems.
Threat Detection and Response
Once we know what to look for and where the threats might come from it is important to match these with systems or processes which at a minimum will detect and report anomalies. As attacks can be directed at different resources at different layers and across the infrastructure this requires a coordinated defense with different components watching for different threat types. Network stack attacks are best detected with packet monitoring IPS systems and/or within the host operating systems. Authentication attacks can sometimes be detected the same way but often are best discovered at the application layer (the service being attacked rather than the network infrastructure). Protocol specific attacks need to be detected by the application responsible for the service. All threats should communicate problems back to the appropriate network management and/or SIEM monitoring back-ends for recording, analysis, correlation, and response. In some situations it may be possible that the systems or processes on their own can detect and respond to threats. In such cases it is best if they go ahead and take action in real-time while at the same time also notifying the back-end monitoring systems of what has happened.
All infrastructure elements need to be able to communicate with the back-end monitors. This includes all servers as well as routers, switches, security devices (IPS/IDS systems, firewalls, etc) and the monitoring systems themselves (they also can come under attack). Depending on the threat type, devices involved, and capabilities of the these devices, automated alert and possible corrective action should be immediately taken as well as notification to the monitoring systems. The ability for ALL infrastructure elements to be able to communicate is important.
SIEM systems excel at being able to take data from multiple sources, analyze and correlate across these and then take action. Consider a coordinated attack which is performing authentication attacks against SSH, SMTP, SIP, and also performing TCP/UDP attacks against multiple servers, while at the same time engaging in application layer attacks against the DNS and Web infrastructures. The sensors across the infrastructure may each catch one or two of these but none will have the complete picture of what is going on. An occasional authentication failure targeted against the VoIP systems (SIP) is likely not a big deal. But if the same attacker were also targeting other application protocols and infrastructure elements at the same time you can be pretty sure a coordinated attack is in progress.
Getting all the infrastructure elements properly communicating with the desired back-end systems is the first half of the problem. Many of these communicate using standard protocols such as syslog. Others use their own local logging formats which need to be translated and then fed into the monitoring back-end. Others may need glue scripts or programs written to link everything correctly.
The other side of the problem is what to do once a threat has been identified. For most situations alerts should be sent out to the responsible administrators to let them know. Increasingly we find that the better we can define the threat, the higher the probability we can then formulate an automated response to this threat. For instance when we have multiple application layer attacks across several machines, we can automatically shut down access at the public router for the attacker IP address for a predetermined period of time. To do this requires coordination across protocol layers as well as systems.
For more information on monitoring systems, see our page on Managed Services: Monitoring which goes into detail on Network Management systems and provides an overview to the differences between Network Management and SIEM systems. For more information about responding to threats and SIEM systems, see our Managed Services: Analysis and Response Systems page.
Intrusion Detection / Prevention Systems and Firewalls
Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Firewalls are three similar types of devices designed to detect and protect networks from external threats. Traditionally these three types of systems performed slightly different functions however as time goes by the lines of distinction between them are becoming ever more blurred. What follows are generalized comments on these three types of systems. Not all solutions are the same, and the way they behave can be different as they try to differentiate themselves from the competition.
Firewalls are devices or applications which analyze packet headers and enforce a security policy based on combinations of source address, destination address, source port and destination ports. They tend to be rule based engines designed to only allow packets through to known and approved services. Note that these devices usually only analyze the packet HEADERS and not the payload. They are good for quick filtering of undesired traffic and are positioned at the edge of the network. Most look for what to accept and then deny everything else.
IDS systems, like firewalls, analyze inbound packets looking for problems. Unlike firewalls though IDS systems check the packet headers AND payload data. Some IDS systems also do limited packet reassembly to reconstruct application layer streams. The data is then analyzed for threats. There are two types of detection techniques in use: signature and anomaly. Signature systems compare the inbound data to patterns of known malicious traffic. Once a signature match is detected the system generates an alert. Anomaly based systems are less concerned with the traffic data than the activities that generated it. Network traffic and sometimes behavior baselines are established and the IDS looks for unusual activity that deviates from previously established statistical averages. When this happens alerts are generated. It should be noted that anomaly based systems run the risk of excessive false positives if not very carefully tuned.
IPS systems are very similar to IDS systems except they tend to be more active and can directly respond to detected threats. IDS systems passively watch the data and when detecting a threat send an alert or message to an administrator or SIEM system for processing. IDS systems have the ability to actively respond to the threat by sending an alert, shutting down the connection, or directly performing other administrator specified actions.
IDS/IPS systems are usually placed between the outside firewall and the network to be protected. Unlike firewalls who look for what to accept and then deny everything else, IDS/IPS systems tend to work the other way around. As they are specifically looking for threats they will send alerts or react otherwise to detected threats but otherwise let all other traffic through. While internally IDS and IPS systems are very similar in terms of detection abilities, they tend to have very different use scenarios due to the passive / active nature of the two solutions. As IPS systems tend to provide a superset of the capabilities of an IDS, they are our normal implementation choice. In situations where a fast SIEM back-end is in place, and IDS may however be sufficient. An active IPS combined with proper alerts (logging) to an active SIEM backend provide the best combination of capabilities and response times.
Unified Threat Management (UTM) Systems are relative newcomers to the array of available security options. Generally speaking they are sold as network appliances targeting the SMB market. The intent of these systems is to combine the traditional roles of a edge facing firewall with an IDS/IPS system in one box resulting in a lower overall cost solution which can easily plug into simple networks. While we have yet to field any UTM appliances we have noted that several solutions are being offered by very reputable companies in the network security business. Several industry reports have also suggested that going with a combined solution results in necessary compromises – usually in the instrumentation and capabilities on the IDS/IPS side. With that said, depending on the size of the organization and the nature of their security needs, a UTM appliance can be another viable option to consider.
Intelligence Threat Feeds
IDS, IPS, Firewall, SIEM, and some other security control systems can all be statically configured with rules that change infrequently. These rules can be provided by the solution provider and supplemented by the local administrator. For well known threat types this works fine. Unfortunately in our fast changing world, the threats continue to evolve and change daily. To be able to keep up with all the attack types detected around the world is an impossible task for anyone other than a specialized threat analysis group. To address this gap, many different types of threat analysis feeds are available which provide actionable information on adversaries. These feeds provide system control system updates on a regular basis enabling them to be able to search for and detect the latest known threat types. They help organizations understand the risks and better protect against zero-day threats, advanced persistent threats and exploits, especially those most likely to affect their specific environment.
Threat intelligence feeds are available from many sources. These include free open source data provided by the network security community, vetted and aggregated commercial products, and closed information-sharing communities focused on specific industries. Other than the free open source feeds most feeds are subscription services which can get quite costly. The nature of the feeds should match the specific needs of the organization. In particular organizations should consider the following areas to determine the best match: business alignment (threats addressed in a feed need to be consistent with what is expected in a particular industry), sensor capabilities (what data you able to collect), and intelligence gap analysis (what new threat types a feed add to the detection capability).
When using threat intelligence feeds it is critical that they are tightly integrated with the security control systems and not overload the administrator with a sea of unusable data. The focus must to make it easier to detect problems in huge streams of data and not to increase the analytic overhead to the point where the data is either unusable or to difficult to deal with to be used. A nice introduction to threat intelligence can be found in the article An Introduction to Threat Intelligence Platforms in the Enterprise (SearchSecurity / TechTarget). A good review of some of the top threat intelligence feeds can be found at the site Cyber Threat Intelligence Feeds (The Cyber Threat).
We’ve Been Compromised – Now What?
Being the victim of a computer or network break-in is the worst nightmare for those of us in the security business. The best course of action for any organization is to be as prepared as possible and have the best defenses in place BEFORE an attack can get through. But even then, as no security solution is absolute, there is always the possibility that some bad guys may eventually get through. So what to do then?
There are no checklists that we are aware of that apply to all situations. The systems and information which were compromised will largely drive subsequent actions. With that said however there are usually two phases that apply to most situations. The first thing to do is to try to mitigate any possible damage by isolating affected machines or processes as soon as possible, preferably immediately. In the case of machines (servers, routers, security devices, etc), they should be taken off-line and isolated. This applies to both wired and wireless access. All machines that could possibly be affected should be isolated until it is proven that they pose no risk to the organization. In cases where human decisions and/or actions were involved the people need to be isolated from the problem situation until it is understood how they were involved.
Once actions to ensure the problems are contained and no further information or services are at risk, the second phase can begin. At this point it is important to determine what, why, when, and how the systems were compromised. The extent of the damage needs to be determined and all affected need to be notified. It is common to reset all passwords and keys, and if any information has been lost, to recover from backup media. Systems need to be analyzed to make sure no backdoors, viruses, trojans, or other malware remains (including from backup media). In some situations this may require a complete rebuild of any or all of the machine(s) affected.
Depending upon what security systems were in place when the attack took place there may be additional forensic data and tools at your disposal to help sort out what happened. Network Management and SIEM systems can contain information about the state of the network, servers, and processes at the time which when put together can provide a clearer picture of what happened and where the attack came from. Some intrusion detection and prevention systems have the ability to perform full packet capture of network traffic for later analysis. If you have this in place it may be possible to go back and replay the actual transaction data responsible.
This is just a short generalization of what needs to be done after compromise. After first isolating and taking off-line any affected machines the IT and management staff need to sit down to evaluate what has happened and come up with a coordinated plan for moving forward. This will likely involve much more than the few items listed here.
Where To Go From Here
Jade Networks can assist in any or all the phases including assessment and planning, security deployment, countermeasures and monitoring. This can be done directly with customer assets (Linux kernel network filters, firewall configuration, other network device configuration, and host based controls). We can help in the design and roll out of monitoring solutions, either on-site or off-site. For more information just let us know what you need.