Intelligence in Depth applies the latest InfoSec techniques to address today’s sophisticated cyber-attacks and offer simplified management.
By Brian Thomas, CTO
Security7 offers a suite of services and products that identify risk and improve an organization's ability to immediately defend against current cyber-threats.
We created a solution, Intelligence in Depth, which at its core expands upon the concept of Defense in Depth. Intelligence in Depth replaces traditional security technologies (end-point anti-virus, premises-based security appliances and managed SIEMs) with a collection of cloud-delivered and cloud-managed technologies that apply the latest techniques to address today’s sophisticated cyber-attacks and offer simplified management.
We crafted this solution because existing techniques and technologies are inhibiting the ability to detect and respond to current threats. Intelligence in Depth applies overlapping layers of continuous automated prevention and rapid machine learning detection to significantly reduce security risks and incident response times, and provides our clients with peace of mind.
We also help organizations make informed decisions regarding security expenditures by providing a report that establishes a baseline of existing risk, quantified in financial terms. Though this step may not be where our security improvement process begins, it is important to understand.
So much so that we offer an initial assessment of a limited number of systems, free of charge. In addition, we provide a gap analysis of existing security countermeasures relative to current cyber-threats so we can accurately assess the effectiveness of current security management technologies.
This approach offers a well-designed and managed security architecture that reduces your organization’s attack surface as much as possible, without inhibiting business operations. A sustainable security architecture needs to be:
Security7 divides the security architecture into four discrete areas and implements a combination of technologies and techniques to address a predetermined set of risks associated with each area.
The primary areas of concern are Inbound, End-point, Lateral and Organizational, which will be expanded upon later.
Security7 has developed a straightforward seven-step process to address those objectives and provide comprehensive security coverage in the context of the risks that need to be managed.
Scan systems for sensitive data, vulnerabilities, and inappropriate access permissions. Place a financial value on the amount of liability stored on each system.
Combine regulatory requirements with the Security Risk Assessment to determine an appropriate security governance framework.
Map current and evolving cyber-threats to identified security gaps and associate risk to determine the magnitude of impact.
Examine methods to reduce given risks. Assign priorities based upon impact, breadth of coverage & ease of implementation.
Improve security and operational visibility with a cohesive, multi-layered security architecture coupled with the use of advanced analytics and visualization.
Evaluate existing countermeasures on a continual basis to improve security and operational efficiencies.
Leverage the benefits of a modular security architecture and stay ahead of threats.
Counter inbound threats by reducing the attack surface. Limit or filter outbound web traffic and only allow required services to communicate (limiting your exposure to Distributed Denial of Service Attacks [DDoS]). Security7 can help you consolidate security controls like:
By making these changes we can prevent access by malicious actors and the execution of unwanted programs, scripts and malware. In addition, we control and monitor access to systems and files and provide low-friction enforcement of security controls early in the DevOps cycle.
Security7 can also apply consistent policy regardless of location (private, hybrid or public cloud). As a result, Security7 can immediately detect and respond to unusual activity.
Internet-facing applications present unique security challenges that require additional technologies and techniques. They must be employed to address the business requirement of making a hosted application both widely available and secure.
| Threat | New Solution | Old Solution |
|---|---|---|
| Distributed Denial of Service (DNS, Layers 3, 4 & 7) | ● | ◇ |
| Injection (Operating Systems, Shell, Application & SQL) | ● | ○ |
| Cross-Site Scripting (XSS) | ● | ○ |
| Insecure Direct Object Reference | ● | ○ |
| Missing Function Level Access Control | ● | ○ |
| Cross-Site Request Forgery (CSRF) | ● | ○ |
| Unvalidated Redirects and Forwards | ● | ○ |

Legend (New Solution and Old Solution columns): ● full coverage, ◇ partial coverage, ○ no coverage.
By making these changes we can prevent malicious actors from accessing our client’s systems and executing unwanted executables, scripts and malware. In addition, Security7 controls and monitors access to the client’s systems and files.
We provide low-friction enforcement of security controls early in the DevOps cycle. We also apply consistent policy regardless of location (private, hybrid or public cloud). As a result, Security7 can immediately detect and respond to unusual activity.
To address the issues mentioned above, an application security stack should:
Perimeter firewalls (host based firewalls for public cloud applications) should be configured to accept traffic from a highly limited set of source addresses.
This ensures that all traffic accessing an origin server has been filtered to eliminate a significant percentage of malicious actors. Web servers should be further restricted in their outbound communications to only those services that are required for a given application to function and receive updates.
This simple design approach virtually eliminates the possibility for command and control traffic to be established with a server.
Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges for organizations large and small. Although DoS attacks are not a recent phenomenon, the methods and resources available to conduct and mask such attacks have dramatically evolved to include distributed (DDoS) and, more recently, distributed reflector (DRDoS) attacks—attacks that simply cannot be addressed by traditional on-premises solutions. Advanced DDoS protection, provisioned as a service at the network edge, matches the sophistication and scale of such threats, and can be used to mitigate attacks of all forms and sizes, including those that target the User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP), as well as SYN/ACK, Domain Name System (DNS) amplification and Layer 7 attacks.
On-premises firewalls quickly become outdated and require professional service hours to regularly update rules to protect against new threats.
Cloud-based Web Application Firewalls (WAF) help you stay ahead of threats by automatically updating rules when new security vulnerabilities are discovered. This is another example of leveraging the crowd effect through the analysis of millions of requests being processed every second.
If you’re using a WAF that doesn’t leverage the collective intelligence of other web properties, you need to supply all your own WAF rules from scratch, which means you need to monitor the entire Internet security landscape on your own.
Traditional server security tools are not built for automated toolchains.
Typically, they require manual configuration before they can be put in production, slowing down the DevOps cycle and increasing the risk of configuration errors.
Legacy security tools also lack the full scale of security controls that enterprises need. Each tool provides only one or two security functions, which forces the customer to purchase and maintain multiple tools.
Lastly, traditional security tools are typically applied late in the development cycle. They don’t provide early feedback to developers at the point when vulnerability issues can most easily be fixed.
A strong application security architecture should employ and continuously monitor the enforcement of the following security controls:
Web application security testing is critical to protecting both your apps and your organization. An organization's web applications are likely to be the attack vector for malicious individuals seeking to breach your security defenses.
Available to users 24/7, web apps are the easiest target for hackers seeking access to confidential back-end data. Developer training: while scanning tools and other security frameworks are widely adopted, they don't provide the language- and code-level guidance developers need, leaving them unequipped to fix security holes.
A comprehensive security training platform coupled with a contextual coding knowledge base will allow developers to understand and remediate application development risks. Additional technologies may also apply to this area of concern, namely Next Generation End-point Protection (NGEP) for Windows-based environments and End-point Detection and Response (EDR).
Both technologies should be applied to servers and workstations alike.
Organizations often fail to apply the most basic tenet of security - the principle of least privilege - in favor of ease of use and access. Traditional technologies and approaches to cyber security have contributed to this problem by being too limited or difficult to manage. Due to rapidly evolving technologies, users are demanding access to the latest online applications, while legacy security technologies and management techniques struggle to keep up, which leads to poor security decisions.
To counter end-point threats, we use a Secure Web Gateway (SWG) with the latest technologies to provide constantly improving security controls. Our next-generation Endpoint Protection leverages artificial intelligence and machine learning to prevent malicious code from ever executing. End-point Detection and Response software comes pre-configured to detect the most common data breach methods by using advanced modeling and analysis techniques.
Far too often organizations fail to apply the most basic tenet of security—the principle of least privilege—in favor of ease of use and access. Traditional technologies and approaches to cybersecurity have contributed to this problem by being too limited or difficult to manage in a rapidly evolving technological world.
|Command & Control Callbacks||●||◇|
|Virus, Worms, Trojans, Root Kit, Spyware||●||◇|
|Unsanctioned Web Application Usage||●||◇|
|Man in the Middle Attacks||●||○|
|Zero Day Exploits||●||○||●||○|
|Mobile Device Protection||●||○||●|
|Unauthorized Removable Media||●||◇|
| New Solution - Full/Partial/No Coverage ● ◇ ○ | Old Solution - Full/Partial/No Coverage ● ◇ ○ |
Users demand access to the latest online applications, while legacy security technologies and management techniques can’t keep pace, so ultimately poor security decisions are permitted to occur.
To address these shortcomings, a strong end-point security design should address the following concerns:
In order to achieve these objectives a multi-layered architecture needs to be implemented. We break this architecture into three fundamental components: Secure Web Gateway (SWG), Next Generation End-point Protection (NGEP) and End-point Detection and Response (EDR).
In today’s mobile and online world we fundamentally believe that controlling access to the cloud needs to be performed in the cloud. A cloud-based secure web gateway ensures that security controls are applied in a consistent fashion regardless of user location.
A good SWG layers multiple technologies to provide constantly improving security controls by leveraging the crowd effect of millions of users, sandboxing at scale, multiple threat intelligence feeds and page ranking to assess the risk of every page visited and object being downloaded. This first line of defense provides a level of assurance that the content being downloaded from the web is free of known malicious content.
Traditional anti-virus (AV) products rely on relatively simple analysis mechanisms to detect malicious software and behavior: pattern matching, pattern recognition, heuristic analysis, behavioral analysis and hash matching. Once an attacker understands each of the techniques an AV vendor applies, evading a given technique or set of techniques becomes a straightforward process.
For example, attackers easily bypass signatures by mutating, obfuscating, or otherwise changing the code in their malware. Adding random data to malware can easily bypass heuristic approaches. Behavioral analysis requires that the malware run first before the AV product can detect it; isn’t that what we’re attempting to avoid in the first place? The problem with hashes is similar to pattern matching: if a single bit changes, the resulting hashes differ dramatically.
A fundamentally different, signature-less approach to traditional anti-virus that leverages artificial intelligence and machine learning to prevent malicious code from ever executing is required to combat today’s sophisticated attacks. Instead of a simple, straightforward, step-based process, algorithmic learning is applied using a deep neural network—a complex branched system that feeds back into itself and learns from the past to infer the future.
Millions of features are identified across billions of file samples and a confidence score is derived to determine whether a file is potentially malicious. Evading this type of defense becomes a nearly insurmountable effort. We’re not saying it is impossible, just highly improbable.
While we believe that the aforementioned technologies will prevent the broadest array of attacks, we also believe in the old adage of trust but verify…enter the need for EDR. An EDR product should be easy to implement and provide near immediate time to value. It should also come pre-configured to detect the most common data breach methods using advanced modeling and analysis techniques.
Malware models—these models look for the tell-tale signs of known and unknown malware, malicious tools, and zero-day exploits that attackers use to get an initial foothold in your environment.
Command and control models—spot network traffic from your environment to command and control servers controlled by your adversaries. Command and control detection models identify behaviors such as domain generation algorithms (DGA).
Lateral movement models—these models identify attackers trying to expand their foothold in your environment by using legitimate tools, a method that traditional security programs cannot detect.
Privilege escalation models—these models examine user and process behavior to identify the attacker's attempt to gain a higher level of access to resources in your environment.
Data exfiltration models—these models identify the attacker's attempt to exfiltrate data or cause other types of damage in your environment.
Ransomware models—these models identify malware that encrypts files in attempt to extort money from users.
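The command and control model above hinges on recognising machine-generated names. As an added illustration, not Security7's EDR model or any vendor's code, the Python below scores the registrable label of each queried name by entropy, vowel ratio and embedded digits, and flags any client that resolves several such names; the resolver log lines, field layout and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (client IP, queried name, response code); not real traffic.
SAMPLE_DNS_LOG = """\
10.0.1.25 www.example.com NOERROR
10.0.1.25 cdn.example.net NOERROR
10.0.1.40 x7k2q9vbn4m1z.com NXDOMAIN
10.0.1.40 qwp3n8zlk0yxd.net NXDOMAIN
10.0.1.40 mz9v2kq7xlpwt.org NXDOMAIN
10.0.1.40 jf4t1bxq8nkzr.com NXDOMAIN
10.0.1.40 update.example.org NOERROR
10.0.1.33 mail.example.com NOERROR
"""

VOWELS = set("aeiou")

def registrable_label(fqdn):
    """Label left of the TLD: 'example' for 'www.example.com'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(text):
    """Bits per character; a label of all-distinct characters scores log2(len)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_dga_like(label, entropy_threshold=3.2):
    """Heuristic (assumed thresholds): high entropy with few vowels, or several digits."""
    digits = sum(ch.isdigit() for ch in label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    high_entropy = shannon_entropy(label) >= entropy_threshold
    return (high_entropy and vowel_ratio <= 0.25) or digits >= 3

def analyze_dns_log(log_text):
    """Per-client list of DGA-looking names and count of NXDOMAIN answers."""
    stats = defaultdict(lambda: {"dga_like": [], "nxdomain": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than abort the run
        client, qname, rcode = fields
        if is_dga_like(registrable_label(qname)):
            stats[client]["dga_like"].append(qname)
        if rcode == "NXDOMAIN":
            stats[client]["nxdomain"] += 1
    return dict(stats)

def suspicious_clients(log_text, min_dga_like=3):
    """Clients with several DGA-looking lookups: candidate C2 beaconing to triage."""
    stats = analyze_dns_log(log_text)
    return sorted(c for c, s in stats.items() if len(s["dga_like"]) >= min_dga_like)

if __name__ == "__main__":
    stats = analyze_dns_log(SAMPLE_DNS_LOG)
    for client in suspicious_clients(SAMPLE_DNS_LOG):
        s = stats[client]
        print(f"ALERT {client}: {len(s['dga_like'])} DGA-like lookups, "
              f"{s['nxdomain']} NXDOMAIN answers")
```

A burst of NXDOMAIN answers alongside the DGA-like names is the usual sign that the malware is cycling through candidate domains until one registered by the operator resolves.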
If the aforementioned prevention technologies are in place then it stands to reason that an alert generated by the EDR system should be treated with the utmost urgency. Therefore a 24x7 Security Operations Center is needed to immediately assess the threat and respond within the shortest time possible—hours vs. days, weeks or months as is often the case with a managed SIEM solution.
Lateral threats can be countered by leveraging existing enterprise switching solutions and complementing them with proper network monitoring and deceptive countermeasures to effectively identify elusive threats. 802.1x authentication, Private VLANs and Internal Segmentation Firewalling can be used to stop malware like WannaCry in its tracks.
A good commercial EDR solution can go a long way to detect lateral threats, but additional technologies can greatly reduce exposure in this area. Most enterprise switching solutions support two key technologies that are instrumental in reducing the risk of lateral threats. We complement those technologies with network monitoring and deceptive countermeasures to effectively identify even the most elusive threats. To stop malware like WannaCry in its tracks, we use 802.1x authentication, Private VLANs and Internal Segmentation Firewalling.
|Managed SIEM||Network Security||Routing|
|Ransomware Proliferation Prevention||●||◇|
|Command & Control Call-Back Detection||●||◇|
|Privilege Escalation Detection||●||◇|
|Data Exfiltration Detection||●||○|
|Information Reconnaissance Detection||●||○|
|Brute Force Authentication Detection||●||●||●||○|
|Lateral Movement Detection/Restriction||●||○||●||○|
|System & User Authentication||●||○|
|Protocol Attack Prevention||●||○|
| New Solution - Full/Partial/No Coverage ● ◇ ○ | Old Solution - Full/Partial/No Coverage ● ◇ ○ |
Most enterprise switching solutions support two key technologies that can be instrumental in reducing the risk of lateral threats. Complementing those technologies with network monitoring and deceptive countermeasures is an effective means of identifying even the most elusive threats.
The first is 802.1x authentication. 802.1X is an IEEE Standard for port-based Network Access Control. It provides an authentication mechanism to devices wishing to attach to a Local Area Network (LAN) or Wireless Local Area Network (WLAN). When configured properly, dot1x authentication ensures that any system connecting to your internal networks is valid and approved to do so.
Devices that do not pass authentication are either placed on a guest segment with Internet access or quarantined altogether. Private VLANing (PVLAN), also known as port isolation, can reduce not only the threat of lateral movement but also that of “wormified” malware such as WannaCry.
Port isolation is a technique that restricts intra-VLAN traffic in such a way that ports can only communicate with a given uplink, or set of uplinks. The uplink will typically be a port that is connected to a router or firewall.
If you employ a firewall that is capable of line-rate IPS scanning, you can also apply network signature analysis to block the outbreak of known attacks across subnets using a technique called Internal Segmentation Firewalling (ISFW). Deception is another technique that should be used to detect lateral and insider threats.
Strategic placement of honeypots throughout your server and DMZ segments coupled with honey-files placed on existing file server resources can be an effective mechanism in identifying insider threats and network reconnaissance activity.
As soon as one of these fictitious resources is accessed an alert should be raised and an immediate investigation should be conducted by the IT security team.
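An added example, not from the original page, of the alerting rule the two paragraphs above call for: any event that touches a honeyfile or a honeypot raises an alert (a backup service account is the one assumed exception), and a source that trips more than one decoy type is escalated. The decoy paths, honeypot addresses, event layout and sample events are all constructed.

```python
# Deployed decoys (constructed): file paths and hosts that nothing legitimate touches.
HONEYFILES = {
    "/srv/share/hr/exec_compensation.docx",
    "/srv/share/finance/2019_payroll_master.xlsx",
}
HONEYPOT_HOSTS = {"10.0.50.7", "10.0.60.9"}
# Accounts that read every file as part of their job (backup) and must not alert.
ALLOWLISTED_ACCOUNTS = {"svc_backup"}

# Constructed file-audit and connection events, in the normalised form a SIEM might emit.
SAMPLE_EVENTS = [
    {"ts": "2019-05-01T02:00:11Z", "type": "file_read", "user": "svc_backup",
     "src": "10.0.1.5", "path": "/srv/share/hr/exec_compensation.docx"},
    {"ts": "2019-05-01T10:47:19Z", "type": "file_read", "user": "jdoe",
     "src": "10.0.1.77", "path": "/srv/share/hr/exec_compensation.docx"},
    {"ts": "2019-05-01T10:49:02Z", "type": "net_connect", "user": "jdoe",
     "src": "10.0.1.77", "dst": "10.0.50.7", "dport": 445},
    {"ts": "2019-05-01T10:49:05Z", "type": "net_connect", "user": "jdoe",
     "src": "10.0.1.77", "dst": "10.0.60.9", "dport": 22},
    {"ts": "2019-05-01T11:02:40Z", "type": "file_read", "user": "asmith",
     "src": "10.0.1.80", "path": "/srv/share/hr/handbook.pdf"},
]

def classify_event(event):
    """Return the decoy category an event tripped, or None for normal activity."""
    if event["type"] == "file_read" and event["path"] in HONEYFILES:
        if event["user"] in ALLOWLISTED_ACCOUNTS:
            return None  # scheduled backup, not reconnaissance
        return "honeyfile"
    if event["type"] == "net_connect" and event["dst"] in HONEYPOT_HOSTS:
        return "honeypot"
    return None

def deception_alerts(events):
    """One alert per event that touched a decoy; decoys have no legitimate users."""
    alerts = []
    for event in events:
        category = classify_event(event)
        if category:
            alerts.append({"ts": event["ts"], "src": event["src"],
                           "user": event.get("user", ""), "category": category})
    return alerts

def rank_sources(alerts):
    """Aggregate by source host; a host that hit both decoy types is escalated."""
    by_src = {}
    for alert in alerts:
        entry = by_src.setdefault(alert["src"], {"hits": 0, "categories": set()})
        entry["hits"] += 1
        entry["categories"].add(alert["category"])
    for entry in by_src.values():
        entry["severity"] = "critical" if len(entry["categories"]) > 1 else "high"
    return by_src

if __name__ == "__main__":
    for src, entry in rank_sources(deception_alerts(SAMPLE_EVENTS)).items():
        print(f"{entry['severity'].upper()} {src}: {entry['hits']} decoy hits "
              f"({', '.join(sorted(entry['categories']))})")
```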
Organizational threats can be just as damaging to brand identity as Inbound, End-Point and Lateral threats can be to security infrastructure. You can counter these organizational threats through Domain Protection techniques like Registry Locking, Registrar Locking, Role Accounts and early Domain Renewal, as well as DNS Security. Email Protection is also applicable here, as it can help stop things like Phishing attacks with traditional tools like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) as well as Domain-based Message Authentication, Reporting & Conformance (DMARC).
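As an added example that is not part of the original page, the Python below assesses the SPF, DKIM and DMARC posture described above from a domain's TXT records and reports the weak settings (a permissive `all` qualifier, a monitor-only `p=none`, no reporting address, a missing DKIM key). The records, domain names and the `assess_email_auth` helper are constructed; a live check would replace `lookup_txt` with a real resolver query.

```python
# Constructed TXT records, keyed by name, standing in for live DNS answers.
SAMPLE_TXT_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net mx -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "weak.example": ["v=spf1 a mx ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "open.example": ["v=spf1 +all"],
}

def lookup_txt(name, records):
    """Stand-in for a DNS TXT query; returns [] when the name has no record."""
    return records.get(name.lower(), [])

def parse_spf(txt_values):
    """Return the SPF terms and the qualifier on 'all', or None if no SPF record."""
    spf = [t for t in txt_values if t.lower().startswith("v=spf1")]
    if not spf:
        return None
    terms = spf[0].split()[1:]
    all_qualifier = None
    for term in terms:
        if term.lstrip("+-~?").lower() == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' means pass
    return {"terms": terms, "all": all_qualifier, "records": len(spf)}

def parse_dmarc(txt_values):
    """Return DMARC tags as a dict, or None if no record."""
    rec = [t for t in txt_values if t.upper().startswith("V=DMARC1")]
    if not rec:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(domain, records, dkim_selectors=()):
    """List the weaknesses in a domain's SPF/DKIM/DMARC posture (empty list is good)."""
    findings = []
    spf = parse_spf(lookup_txt(domain, records))
    if spf is None:
        findings.append("SPF missing: any host can claim to send for this domain")
    else:
        if spf["records"] > 1:
            findings.append("SPF: more than one record is a permanent error")
        if spf["all"] is None:
            findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
        elif spf["all"] in "+?":
            findings.append(f"SPF: '{spf['all']}all' does not fail unlisted senders")
        elif spf["all"] == "~":
            findings.append("SPF: '~all' softfails only; move to '-all' once DMARC is enforced")
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", records))
    if dmarc is None:
        findings.append("DMARC missing: receivers cannot enforce or report spoofing")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none monitors only; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, aggregate reports are not collected")
    for selector in dkim_selectors:  # selectors must be known; DNS cannot enumerate them
        if not lookup_txt(f"{selector}._domainkey.{domain}", records):
            findings.append(f"DKIM: selector '{selector}' publishes no key")
    return findings
```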
We’ve spent a lot of time talking about securing applications, end-points, servers and network infrastructure, but what about the things that matter most to a business, such as its brand and the integrity of its online identity? Few organizations take all of the steps necessary to ensure that their presence on the Internet—their domain and related technologies—is secured properly.
Domain Protection: Insecure domain and registrar practices allow attackers to hijack your site and redirect your visitors to any server they want. To prevent this from happening an organization should ensure that domains are renewed long before their expiration date (6 months minimum), employ the use of role accounts coupled with domain privacy, ensure that registrar locking is enabled at the registrar and, for the most security-conscious organizations, implement registry locking.
Registry Lock is a special flag in the registry (not your registrar) that prevents anybody from making changes to your domain without out-of-band communication with the registry. In other words, to transfer your domain or update your name servers, your registrar needs to pick up the phone, call the global registry, authorize with a verbal passphrase, and tell them to remove the registry lock.
This kind of strong verification protects against compromise of the registrar’s servers and from someone compromising your account. Even if an attacker has access to your email account and your 2-factor authentication codes, it’s still not enough to hijack a registry-locked domain.
Registry Lock is the gold standard of domain security, and it’s only offered through security-conscious registrars. Note that Registry Lock is only available for .com, .net, and a few other top-level domains.
Registry Lock, Registrar Lock, Role Accounts, and Domain Expiration all have to do with securing your domain at the registry/registrar. However, there’s another type of domain hijacking attack that can affect your domain even if it’s completely locked down at the registry level.