Home
Part-2 Design Networks with Cybersecurity Risk in Mind
screen-shot-2017-07-21-at-10-39-11-pm

Part-2 Design Networks with Cybersecurity Risk in Mind

Part-1 of this blog series defined and discussed the concepts of risk management in the context of cybersecurity.

Part-2 takes cybersecurity risk as an input or a baseline in architecting or choosing networking solutions, by using a conceptual and architectural approach “with cybersecurity risk in mind”.

Let’s assume that your organization established one of its primary goals which is to reduce the exposure of the organization to cybersecurity risks. After you completed your cybersecurity risk analysis based on the concepts discussed in Part-1 of this blog series as well as your business objectives, the following three objectives were proposed by the security team:

  • Implement a next generation firewall and next generation intrusion prevention system by the first quarter of next fiscal year
  • Implement a web application firewall at the DMZ where the public webservers located.
  • Ensure to install the latest antivirus security patches on the company owned windows machines within 24 hours of the release time.
  • Conduct a cybersecurity training for employees once a year.

Before we analyze the aforementioned security objectives, let’s think of the following two questions which are applicable to today’s cybersecurity and cyberattacks world:

What would you do differently if someone tells you, that you will be robbed?

What about if you knew that you have been already robbed without noticing?

Keep these two questions in mind, and at the end of this blog we will rethink about them

First of all, from network architecture point of view, an enterprise network architecture typically has limited entry and exit points to external networks, compared to service provider networks that have myriad of entry and exit points.

screen-shot-2017-07-21-at-10-46-39-pm

Nevertheless, if you are designing with cybersecurity risk in mind, this won’t be the case, why?

In the digital age, the number of connected devices is growing exponentially e.g. mobility, IoT devices etc. in which we need to deal with IoT scale.

This means each user, mobile and IoT device connection is a potential entry point of attack into the enterprise network. So should we lockdown these connections, to ensure we are secure? (Security Vs. Usability).

custom_life_balance_13780-1

If security ends up constraining the business and limiting its flexibility and functions, then the value of using technology to enable your business to succeed will be undermined in this case!

We all know, today most of the enterprises (at least the ones that have specialized security, compliance, governance etc. teams) have strong and well-tuned next generation firewalls, intrusion pretension systems, web proxies, etc. to protect the network edge and prevent any undesired access, files, connections, combined with control plane security for both layer 2 and layer 3 protocols.

However, almost monthly or weekly, there are new reports of cyber-driven data breaches and thefts against large enterprises some of which are government entities.

In addition, almost always the breaching events, on those enterprises were targeted directly by the threat actors, and what is more concerning, many organizations discover that they have been hacked weeks or months after the actual hacking or theft event. Not to mention the recent ransomware attacks that hit the cyber walls of companies on a global scale.

The first logical question you may ask is; how cloud this happens while many of these organizations deploy best of breed security systems?

There could be various reasons, based on the organization and threats. Nonetheless, the reasons that are almost always common among most (if not all) of the enterprises today are:

Technical:

  • Using classical security architecture or approach: focusing on securing the network boundary in a preventive manner.
  • Security systems work in isolation of each other
  • Mix of old and new security technologies are used together

Human

  • Operational complexity which leads to the risk of configuration errors which in turn leads to policy violations (according to a Macknzey findings conducted in 2016, companies are spending 60B$ on Opex, one of the reasons is that 70% of companies’ policy volitions are due to human errors)
  • Lack of advanced security expertise
  • Lack of end users training: social engineering etc.

In brief, by focusing on securing the network edge or boundary, its like building a wall to protect your organization.

screen-shot-2017-07-21-at-6-05-54-pm

But, no matter how solid this wall is, someone somehow will ultimately manage to break through.

figure_breaking_through_wall_anim_150_clr_15036

I noticed the most common solution to this architectural or network security design limitation in the digital era, is as simple as adding more security layers at the network edge (back to back firewalls, IPS etc.).

The typical justification to this design approach, is defense in depth, however, this is not a true defense in depth because we are still at the edge, and focusing on prevention only! Later in this blog we will look at what is a true defense in depth should look like.

Apart from the increased complexity and cost of this approach, the reality is, threat actors will find a way to break through and get around. And this what is happening today, all the organizations that have been breached, have best of breed security systems.

ways_around_the_wall_800_clr_11617To keep it simple, let’s look at it from a different perspective, assuming (hypothetically) the network edge is secured enough to prevent any malicious access.

What if someone (a trusted user) from inside facilities the access?

open_door_welcoming_salesman_800_clr_5847

 

 

 

 

 

Or, a threat actor, managed to obtain an authorized access credential (Identity Theft)?

walk_though_security_door_pa_300_clr_5756

 

 

 

 

 

 

How would you know about this an unauthorized person access since it sounds legitimate at the boundary?

How can you track this person (threat actor) activities and behaviors when he is inside your network?

screen-shot-2017-07-21-at-6-21-05-pm

 

Let’s agree that we can’t mitigate the risk of unknown threats if we can’t see them.

In the cyberspace and digital era, It’s not about how good and reliable my edge security is, it’s about how much my security systems are integrated and working in a harmony. In other words, we need an integrated security architecture to address today’s sophisticated cybersecurity threats across the entire attack continuum.

Attack continuum in Cisco terminologies referred to as (Before the attack “prevention”, During “detection and containment” and After “remediation”)

screen-shot-2017-07-21-at-6-23-17-pm

In fact, this approach is a True Defense in Depth, based on the facts: what you couldn’t stop or prevent at the network edge, you need to be able to detect it. If you detect a threat or malicious act, it means you weren’t able to prevent it somewhere at your edge. Therefore, you should take a corrective action (remediation) to stop it and avoid it next time. Therefore, all three phases work together: Before-preventive, during-detective, and after-corrective.

screen-shot-2017-07-21-at-5-34-52-pm

Is there a Recommended Tool to provide detective and corrective functions at IoT scale?

The best tool to do so, is your transport network, Yes the network itself, even though it has been overlooked or underestimated by security professionals, it is your best tool to detect and correct cybersecurity breaches in the digital age. And this is not a new concept, service providers have been using their networks to monitor and mitigate risks such as DDoS attacks and other targeted attacks since long time.

Is this achievable by any network?

Not really, you need a network that is capable enough to transform your enterprise network to act as sensor (Network as a Sensor) and enforcer (Network as an Enforcer). Then, you will be able to see (detect) and then enable you to contain and prevent, based on the meaningful information presented to you using correlation & machine learning from the different sources across the network.

In simple words, what your edge security couldn’t prevent, the “Network as a Sensor and enforcer” can detect it, track it, watch it, report it and then contain it or block it.

Technically, your transport network devices expert the detailed flows info (by Cisco IOS® Flexible NetFlow). This, in turn presented to you as real-time monitoring, alerts with detailed security analytics, which provide you with a network wide visibility that you receive from StealthWatch along with contextual data from the Cisco Identity Services Engine (ISE). In addition, SNMP, Syslog, Netflow and Streaming Telemetry, as well as contextual data related to devices such as DNS, topology, AAA, LDAP, inventory, location etc. they have been around for years. However, it was very challenging for organizations to correlate and extract value from these massive individual data points.

This is where the Cisco Network Data Platform, also referred to as NDP (the analytics engine) comes into play. Now we can use this information that we already have it flowing across the network, presented to us in a meaningful format, as the NDP does the correlation and uses machine learning to provide meaning from this mass of information flowing within the network.

screen-shot-2017-07-21-at-5-35-07-pm

In addition, with the Cisco Software defined access (SDA) solution , you can take it further by providing simplified secure segmentation, role based network access, intelligent system wide policy enforcement and seamless wired and wireless host mobility without compromising depreciated services.

What about encrypted traffic?

According to Gartner, by 2019, 80 percent of web traffic will be encrypted, in addition, Gartner believes that half of malware campaigns in 2019 will use some type of encryption to conceal malware delivery, command and control activity, or data exfiltration.

data_secured_anim_300_clr_9241

In the digital age, the classical threat inspection with bulk decryption, analysis and reencryption is not always practical, scalable or even feasible for performance. It is difficult for organizations to know how much of their digital business and user traffic will be in clear versus encrypted format. Not to mention privacy aspect as well (unless there is a compliance requirement that mandate decryption).

With the typical (unencrypted traffic) intra-flow metadata is used, to obtain information about events that occur inside of a flow, which can be collected, stored and analyzed within a flow monitoring framework.

This data is also important when traffic is encrypted, simply because deep-packet inspection is no longer possible. The intra-flow metadata, called Encrypted Traffic Analytics, is derived by using new types of data elements or telemetry that are independent of protocol details, such as the lengths and arrival times of messages within a flow

What does this mean?

This means, with this approach Encrypted Traffic Analytics can maintain the integrity of the encrypted flow without the need for bulk decryption, at the same time it can identify malware communication in encrypted traffic

In addition, with the integration of Cognitive Analytics, a cloud-based analysis engine, that maintains a global risk map, which is a very broad behavioral profile about servers on the Internet, which is capable of identifying servers that are related to attacks, may be exploited etc.

Stealthwatch in this case will be able to correlate traffic with global threat behaviors to automatically identify infected hosts, command and control communication and suspicious traffic.

As a result, your network will be able to detect and react upon a discovery of a malicious flow (in clear or encrypted) which is then can be blocked or quarantined by Stealthwatch, by employing policy-driven remediation actions via pxGrid using Cisco Identity Services Engine (ISE) with Cisco TrustSec® as part of the Software-Defined Access (SD- Access). Which will simplify and accelerate network security operations and untimely reduce cybersecurity risk across the network.three_intersecting_arrow_circles_standout_11882-1

We know, in order to allow the business to continue, it is not possible to prevent everything or too many things at the network edge. That’s why what we cannot prevent, we must be able to detect it and then take action against, therefore, it is more effective and feasible that preventive and detective measures are always deployed in an integrated manner and not in isolation, and this is how Cisco StealthWatch and ISE work.

 

In summary, by transforming your network as sensor and enforcer using Cisco SDA, you will be able to minimize the impact magnitude of cybersecurity risks as following:

  • Reduce the risk of human errors > Simplicity and Automation to build complex polices
  • Segmentation, to minimize security risk impact magnitude > role-based segmentation e.g. IoT devices, trusted users, guest etc. (based on the “least privilege” security principle)
  • Gain network wide security visibility > by turning your entire network into a security sensor and gain insight into threats in encrypted and unencrypted traffic using network analytics
  • Faster time to response > significantly reduces the identification of root causes for problems to suggest solutions as well as to contain infected devices and users with understanding how, when, where, and why users and devices connect to your network
  • Network as a sensor/enforcer offer built-in security holistically across the network: security features and capabilities (segmentation, group policy tagging, role based access, analytics, ETA etc.) are all designed with security in mind and Not as some afterthought capabilities, as its not optimal and won’t be always scalable to “add-on” security capabilities later.

screen-shot-2017-07-21-at-5-33-53-pm

Last but not least, next time when someone comes to you to talk about his or her powerful NG firewall or IPS, the simple question you should ask: What can you do for me when someone break’s through this edge device? (during and after an attack taking place).

Now we should be able to go back to the very first two questions in this blog, and rethink about them, in terms of; How we should architect and protect our network differently within the cyberspace to reduce cybersecurity risks in the digital age.

What about the Data Center? this is what is going to be discussed in part-3 of this blog series

Marwan Al-shawi – CCDE No. 20130066 – is a Cisco Press author (author of the Top Cisco Certifications’ Design Books “CCDE Study Guide & the upcoming CCDP Arch 4th Edition”). He is Experienced Technical Architect. Marwan has been in the networking industry for more than 12 years and has been involved in architecting, designing, and implementing various large-scale networks, some of which are global service provider-grade networks. Marwan holds a Master of Science degree in internetworking from the University of Technology, Sydney. Marwan enjoys helping and assessing others, Therefore, he was selected as a Cisco Designated VIP by the Cisco Support Community (CSC) (official Cisco Systems forums) in 2012, and by the Solutions and Architectures subcommunity in 2014. In addition, Marwan was selected as a member of the Cisco Champions program in 2015 and 2016.

Leave a Comment

*

*