As information technology continues to advance and evolve, so do the risks associated with cybersecurity threats. Organizations face many challenges in securing their IT systems and infrastructure, especially against new and emerging threats.
The broad range of security products on the market can also increase the challenges with implementing and enforcing security for any business environment. For example, in many of my customer environments, there are numerous security tools deployed. Many of these products do not work together natively, which can result in gaps in visibility and security enforcement, thus increasing risk, and further complicating a consistent approach to securing the business environment.
Considering these variables, what tools fit where to assist us in mitigating risk and protecting our critical information and infrastructure, and how can we use this knowledge to identify gaps in our own security posture and thus reduce potential cybersecurity threats?
I would like to take you on a journey to demystify the security tool landscape. This may help you better understand where security products fit in your environment, and the role they play to help reduce overall risk to the business.
To visualize where we are going, simply imagine that your IT business systems and infrastructure are like a house. As you look at the house from the street, you see the fence around the front yard, or the perimeter of the house. This can be likened to the demilitarized zone (DMZ), or perimeter network, in an IT infrastructure. This is normally the area where public-facing applications such as web servers reside, and it is normally built out using a perimeter network strategy as part of the firewall deployment.
In this scenario, the firewall is deployed at the perimeter, allowing access for the public to the “front yard”, or web application servers. However, the firewall is also securing the path to access the front door of the main house (or access to internal systems). It is also common to see security products such as intrusion prevention systems (IPS) and intrusion detection systems (IDS) deployed at the perimeter, to monitor ingress and egress traffic at the edge between the public and private networks, to identify any unknown or suspicious behavior.
Now as we continue to look past the front yard to the main house, you will notice the house has a front door and windows, and you see a sign out front with the name of a security system in use.
As you can imagine, most homeowners will have locks on the doors and windows, as these represent entry and exit points to the house. Ideally, only authorized individuals with an alarm code and key can gain access. If someone unauthorized tries to gain access, this sets off an alarm, letting appropriate parties know a break-in is occurring.
In the same way, an IT infrastructure would normally have such basic security. Access to applications would require a user account and password, and as we have discussed, technology such as firewalls guard the pathways to the outside world. Logs and alerts should be generated, and ideally sent to a central source for appropriate security staff to investigate and remediate.
However, once an authorized individual gains access into the house, do you allow them to roam freely to every room in the house?
The above example can be likened to how an organization controls user access to systems once they have initial access to the network. From a technology standpoint, this would fall into the realm of Network Access Control (NAC) systems.
A network access control product can leverage role-based access control. What this means is that, based on an individual’s defined role in an organization, they can be granted access to only the business applications and systems they need.
Another facet of Network Access Control technology is called posture assessment. Let's say someone enters the house but has mud (or worse) on their shoes. Posture assessment would allow you to quarantine the person at the entryway until they take some action, such as removing their shoes.
From an IT systems perspective, this could mean quarantining a device until it has updated its operating system to a given patch level or to a current anti-virus definition file, before allowing the device onto the network.
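To make the two NAC ideas above concrete, here is a small policy evaluator written for this article as an added illustration; it is not code from any NAC product. The roles, network segments, minimum patch level, allowed anti-virus definition age and the device records are all constructed sample data, and the segment names are hypothetical. Posture is checked before role, so a non-compliant device is placed in a remediation segment regardless of who is using it, and an unknown role is denied rather than silently allowed.

```python
"""NAC policy evaluator: role-based access plus posture assessment.

Added illustration for the article; not from any vendor product.
Role table, posture baseline and device records are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical role -> allowed network segments (constructed sample policy)
ROLE_SEGMENTS = {
    "finance": {"finance-apps", "email", "intranet"},
    "engineering": {"build-servers", "source-control", "email", "intranet"},
    "guest": {"internet-only"},
}

# Constructed posture baseline
MIN_PATCH_LEVEL = (10, 0, 19045)       # (major, minor, build), compared lexicographically
MAX_AV_DEFINITION_AGE_DAYS = 3
REMEDIATION_SEGMENT = "quarantine"     # hypothetical segment reaching only update servers


@dataclass
class Device:
    hostname: str
    user_role: str
    patch_level: tuple            # (major, minor, build)
    av_definition_date: date
    firewall_enabled: bool


@dataclass
class Decision:
    segments: set
    reasons: list = field(default_factory=list)


def posture_failures(dev: Device, today: date) -> list:
    """Return the posture checks the device fails (empty list = compliant)."""
    failures = []
    if dev.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"patch level {dev.patch_level} below {MIN_PATCH_LEVEL}")
    age = (today - dev.av_definition_date).days
    if age > MAX_AV_DEFINITION_AGE_DAYS:
        failures.append(f"AV definitions {age} days old")
    if not dev.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def authorize(dev: Device, today: date) -> Decision:
    """Posture first, then role: a non-compliant device never reaches role segments."""
    failures = posture_failures(dev, today)
    if failures:
        return Decision({REMEDIATION_SEGMENT}, failures)
    segments = ROLE_SEGMENTS.get(dev.user_role)
    if segments is None:                       # unknown role: deny, do not fail open
        return Decision(set(), [f"unknown role {dev.user_role!r}"])
    return Decision(set(segments), [])


# Constructed sample devices
TODAY = date(2024, 6, 10)
SAMPLE_DEVICES = [
    Device("fin-laptop-01", "finance", (10, 0, 19045), date(2024, 6, 9), True),
    Device("eng-laptop-07", "engineering", (10, 0, 19041), date(2024, 6, 9), True),
    Device("visitor-phone", "guest", (10, 0, 19045), date(2024, 6, 1), True),
    Device("ctr-laptop-02", "contractor", (10, 0, 19045), date(2024, 6, 9), True),
]


def evaluate_all(devices=SAMPLE_DEVICES, today=TODAY) -> dict:
    """Map hostname -> Decision for every device in the inventory."""
    return {d.hostname: authorize(d, today) for d in devices}


if __name__ == "__main__":
    for host, decision in evaluate_all().items():
        print(f"{host:15} -> {sorted(decision.segments)} {decision.reasons}")
```

Running it places the compliant finance laptop on its role segments, sends the engineering laptop (old build) and the visitor phone (stale definitions) to quarantine with the reason recorded for the help desk, and gives the contractor laptop nothing because no role is defined for it. Recording the reasons is what turns quarantine from an outage into a self-service remediation step.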
As the above examples show, with so many different security products available, each covering a different part of the security landscape, it becomes difficult to identify gaps in coverage and to correlate the information from all of them into one holistic view that can be acted on quickly.
Going back to the house analogy, many houses have porch lights, floodlights, and cameras which provide illumination and visibility in and around the house. Considering the broad range of security products and tools, how can we gain clear visibility into the alerts, logs and reports from these diverse security products via a single pane of glass?
Reporting from diverse systems to a central manager is where the use of a security information and event management (SIEM) solution comes into play. These solutions collect the security information and alerts generated by security products, applications, and network hardware and provide real-time analysis. This type of product is also helpful from a compliance standpoint.
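The two things a SIEM does that the individual products cannot are normalizing events from different formats into one schema and correlating across them. The following is an added illustration written for this article, not code from any SIEM; the three log formats (a firewall, an IDS and a web application) and the sample lines are constructed, and the correlation rule and its thresholds are hypothetical. Each product alone sees something benign-looking (one deny, one alert, a couple of failed logins); only the combined view flags the source address.

```python
"""Tiny SIEM-style normalizer and cross-source correlation rule.

Added illustration for the article; not from any SIEM vendor.
Log formats, sample lines, rule window and threshold are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three different products
FIREWALL_LOG = [
    "2024-06-10T08:00:01Z fw01 DENY src=203.0.113.9 dst=192.0.2.10 dport=22",
    "2024-06-10T08:00:05Z fw01 ALLOW src=203.0.113.9 dst=192.0.2.20 dport=443",
]
IDS_LOG = [
    '2024-06-10T08:00:07Z ids01 alert sid=1001 msg="SSH brute force attempt" src=203.0.113.9',
]
WEBAPP_LOG = [
    "2024-06-10 08:00:09 auth FAIL user=alice ip=203.0.113.9",
    "2024-06-10 08:00:12 auth FAIL user=alice ip=203.0.113.9",
    "2024-06-10 08:00:15 auth FAIL user=bob ip=203.0.113.9",
    "2024-06-10 08:00:20 auth OK user=carol ip=198.51.100.4",
]

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r'^(\S+) (\S+) alert sid=(\d+) msg="([^"]*)" src=(\S+)$')
WEB_RE = re.compile(r"^(\S+ \S+) auth (OK|FAIL) user=(\S+) ip=(\S+)$")


def parse_ts(text):
    """Accept both timestamp styles used by the constructed sources."""
    text = text.replace("Z", "")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognized timestamp: {text!r}")


def normalize(fw_lines, ids_lines, web_lines):
    """Map each product's format onto one common event schema, sorted by time."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, dport = m.groups()
            events.append({"ts": parse_ts(ts), "source": "firewall", "host": host,
                           "type": "fw_" + action.lower(), "src_ip": src,
                           "dst_ip": dst, "dst_port": int(dport)})
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m:
            ts, host, sid, msg, src = m.groups()
            events.append({"ts": parse_ts(ts), "source": "ids", "host": host,
                           "type": "ids_alert", "src_ip": src, "signature": msg})
    for line in web_lines:
        m = WEB_RE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            events.append({"ts": parse_ts(ts), "source": "webapp", "host": "webapp",
                           "type": "auth_" + result.lower(), "src_ip": ip, "user": user})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), fail_threshold=3):
    """One finding per source IP that has an IDS alert and at least
    fail_threshold failed logins within the window of that alert."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        alerts = [e for e in evs if e["type"] == "ids_alert"]
        fails = [e for e in evs if e["type"] == "auth_fail"]
        for a in alerts:
            near = [f for f in fails if abs(f["ts"] - a["ts"]) <= window]
            if len(near) >= fail_threshold:
                findings.append({"src_ip": ip, "signature": a["signature"],
                                 "failed_logins": len(near),
                                 "users": sorted({f["user"] for f in near}),
                                 "sources": sorted({e["source"] for e in evs})})
    return findings


def run(fw=FIREWALL_LOG, ids=IDS_LOG, web=WEBAPP_LOG):
    """Normalize the three feeds and return the correlated findings."""
    return correlate(normalize(fw, ids, web))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The common schema (timestamp, source, type, src_ip) is what makes the rule writable at all; the firewall and web application never agree on a timestamp format or field names, so normalization has to happen before correlation. The same normalized events also give the compliance reporting the article mentions, since every product's activity is already in one queryable shape.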
We have only touched the surface of the security tool landscape in this article. Hopefully this will give you some idea of how the tools play together and help you to identify gaps in your environment. But as you can see, with the correct planning and approach, you can significantly reduce the risk to your organization by properly deploying, monitoring and analyzing security data using the correct tools.