Traditional security is dead; long live traditional security!
- By Joel Dolisy
- Aug 26, 2015
The cybersecurity landscape is changing right before our eyes.
Cyber-attacks are affecting more and more government agencies; we read new headlines almost daily about the latest breach and its impact. And more often than not, the attacks originate from people with inside access, giving attackers plenty of time to do serious damage.
In the past, cyber security methods closely mirrored physical security – focused primarily on the perimeter and preventing access from the outside. As threats advanced, both have added layers, requiring access credentials or permission to access rooms and systems, and additional defensive layers continued to be added for further protection.
Today, however, the assumption is that everything is accessible: no layer is secure and, at some point, an intruder will get in—or is already in. Case in point: According to the Mandiant M-Trends 2015 report, attackers in 2014 who breached environments had access for a median of 205 days before being detected.
What does this mean for the federal IT pro? Does it mean traditional security models are insufficient? On the contrary; it means that as attacks – and attackers – get more sophisticated, traditional security models become one piece of a far greater security strategy made up of processes and tools that IT pros must implement to enhance their agency’s security posture.
A layered approach
There is no need to throw out traditional security methodologies and start over. It’s more a matter of adding layers.
Currently, agencies must satisfy federal compliance requirements. Certainly the days of “accredit and forget it” are long gone, which is why the Risk Management Framework (RMF) was created to provide continuous monitoring. That said, meeting federal compliance does not mean you’re 100 percent secure; it’s simply one—critical—layer.
The next series of layers that federal IT pros should consider are those involved in network operations. Though not often considered part of an agency’s security strategy, tools implemented at each layer of network operations can dramatically enhance security across the enterprise.
A key component of every security plan should be change management. Network reliability is greatly improved through change monitoring, alerting, backups and rollbacks. To complement change management, consider adding configuration management tools, which can play several critical security roles.
First, a network configuration manager tool will help with the aforementioned compliance requirements. A good tool will:
- Actively maintain your network configurations in compliance with internal security policies and external regulatory standards.
- Proactively perform device vulnerability scanning.
- Leverage sources such as the National Vulnerability Database.
- Provide automated compliance assessments and reports; some tools go so far as to automatically correct out-of-compliance issues.
A network configuration management tool will also help you create a standard, compliant configuration and deploy that across the agency. In fact, a good tool will let you create a template that meets all requirements and use that to configure new devices.
The key here is automation – and the time-saving that automation allows. Your environment is not static; it changes all the time. Attacks are constantly changing as well. A configuration management tool will help you keep up with those changes automatically; it will let you change your configuration template based on new National Institute of Standards and Technology recommendations and get those changes out quickly to ensure all devices maintain compliance.
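The kind of automated compliance assessment described above, as an added example that is not from the article or from any SolarWinds product: a baseline template of required lines and forbidden patterns is audited against device configurations. The baseline, the sample configurations and the `audit_config` function are all constructed for this illustration.

```python
import re

# Constructed baseline: lines every device config must contain, and patterns
# that must never appear (each with a short reason for the report).
REQUIRED_LINES = [
    "service password-encryption",
    "no ip http server",
    "logging host 10.0.0.5",
]
FORBIDDEN_PATTERNS = [
    (r"^\s*transport input\b.*\btelnet\b", "cleartext telnet management enabled"),
    (r"^\s*snmp-server community \S+ RW\b", "read-write SNMP community"),
    (r"^\s*enable password ", "legacy reversible enable password"),
]

# Constructed sample configurations (not from any real device).
COMPLIANT_CONFIG = """hostname rtr-hq-1
service password-encryption
no ip http server
logging host 10.0.0.5
line vty 0 4
 transport input ssh
"""

DRIFTED_CONFIG = """hostname rtr-branch-2
enable password cisco123
snmp-server community public RW
line vty 0 4
 transport input telnet ssh
logging host 10.0.0.5
"""


def audit_config(config_text: str) -> list:
    """Return a list of (kind, detail) findings; an empty list means compliant.

    kind is "missing" for a required line that is absent, or "forbidden" for a
    line matching one of the prohibited patterns.
    """
    lines = [line.rstrip() for line in config_text.splitlines()]
    findings = []
    for required in REQUIRED_LINES:          # baseline lines that must be present
        if required not in lines:
            findings.append(("missing", required))
    for pattern, reason in FORBIDDEN_PATTERNS:  # settings that violate policy
        regex = re.compile(pattern)
        for line in lines:
            if regex.search(line):
                findings.append(("forbidden", f"{line.strip()} ({reason})"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("rtr-hq-1", COMPLIANT_CONFIG), ("rtr-branch-2", DRIFTED_CONFIG)):
        print(name, audit_config(cfg) or "compliant")
```

Run against a configuration backup from the change-management system, a non-empty result is the "out of compliance" condition that an automated tool would flag or correct.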
In addition to a network configuration tool, federal IT pros should consider layering in the following tools to enhance security:
Firewall management. Do you know how the different firewall rules within your environment affect one another? Is it possible that you have a higher-level rule negating a lower-level rule? This is a very common scenario, putting an agency at risk. A firewall security manager can help you identify configuration issues or inconsistencies with firewall rules and prevent this situation. In fact, a good firewall management tool will offer ongoing rule and change tracking, which will also help enhance compliance.
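The "higher-level rule negating a lower-level rule" problem above, as an added example that is not from the article or from any firewall product: with first-match rule processing, a later rule is shadowed when an earlier rule already matches every packet it would match, and the dangerous case is when the two rules take different actions. The `Rule` type, the `find_shadowed` function and the sample rule set are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # inclusive (low, high) destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    net = ipaddress.ip_network
    if not net(inner.src, strict=False).subnet_of(net(outer.src, strict=False)):
        return False
    if not net(inner.dst, strict=False).subnet_of(net(outer.dst, strict=False)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def find_shadowed(rules: list) -> list:
    """Return (shadowed_index, shadowing_index, conflicting_action) for each
    rule that can never be reached under first-match evaluation."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                found.append((j, i, rules[i].action != later.action))
                break  # the first covering rule is the one that wins
    return found


# Constructed sample rule set, evaluated top to bottom.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.1.0.0/16", (1, 65535)),       # broad allow
    Rule("deny", "tcp", "0.0.0.0/0", "10.1.5.0/24", (23, 23)),          # never reached
    Rule("deny", "udp", "192.168.0.0/16", "10.2.0.0/16", (53, 53)),
    Rule("allow", "udp", "192.168.1.0/24", "10.2.0.0/16", (53, 53)),    # never reached
    Rule("allow", "tcp", "172.16.0.0/12", "10.3.0.0/16", (443, 443)),   # fine
]

if __name__ == "__main__":
    for later, earlier, conflict in find_shadowed(RULES):
        print(f"rule {later} is shadowed by rule {earlier}; action conflict: {conflict}")
```

The second finding shows the inverse shape: an earlier deny silently blocks the narrower allow an administrator believes is in effect, so both directions need review, not just over-permissive ones.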
Patch management. Software is constantly being updated; patch management is critical to ensuring that all client, desktop and server applications are up to date and that the fixes those patches deliver are actually in place. As I mentioned earlier, your environment is constantly changing and threats are constantly being created and unleashed. Patch management is critical to a strong security posture. In fact, make sure to look for a patch management tool that is automated—for quicker deployment—and supports custom applications, as many agencies have unique needs and unique applications.
Traffic analysis. A traffic analyzer will tell you, at any given time, who is talking to whom, who is using which IP address, and who is sending what to whom. This is vital information. Particularly in the case of a threat, where you need to conduct forensics, a traffic analysis tool is your best weapon.
Security information and event management. A log and event management tool is like the icing on your security cake. It brings all the other pieces together to allow a federal IT pro to see the entire environment—the bigger picture—to correlate information and make connections that may not have been visible before. Visibility across all network operations can point to an intruder or attack that may otherwise have gone undetected.
As I said at the start of this article, the cybersecurity landscape is changing right before our eyes. Are traditional security methods dead? Certainly not. They’re evolving, as threats evolve—as it should be.
The ideal solution is to build on what you already have; use what works and keep adding. Create layers of security within every crevice of your environment. The more you can enhance your visibility, the more you know, the harder it will be for attackers to get through and the greater your chances of dramatically reducing risk will be.
Joel Dolisy is the CIO at SolarWinds.