Each month, we ask Fuel members to weigh in with their opinions on the Cybersecurity Question of the Month, and we're sharing their answers here.
Phil De Meyer, a senior network administrator, and Paul Carter, an information security engineer, are members of Fuel’s Editorial Subcommittee under the Community Development Council. Paul and Phil shared their thoughts on the most recent Cybersecurity Question of the Month.
In the past, an IT perimeter for network security could be more easily defined and contained. Now, numerous devices break traditional perimeter security, including: applications that traverse firewall policies; mobile devices; IP-enabled devices internal to the network; external devices that are allowed on the internal network 'temporarily'; wireless access points that are deployed without the network team's knowledge; and devices with direct internet access.
What are the limits of a ‘perimeter-oriented’ security posture? What approaches do you take to keep ever-changing networks secure?
Paul: The perimeter-oriented security posture is usually focused on the external networks being bad and the internal network being stable and good.
The networks of today have controlled devices (e.g., servers, storage, etc.) and other wireless devices that may be connected to the network permanently or temporarily. The wireless devices may introduce vulnerabilities and malware that can impact the internal network because they were introduced by an internal user. With only a perimeter-oriented security posture, this insider threat would be ignored until command and control traffic attempted to go outside the internal network.
To maintain an effective security posture, the network must have a perimeter-oriented and a verify-then-trust security posture. The external threats will be addressed with the perimeter-oriented security posture. With the verify-then-trust security posture, the network is continually baselined and monitored to ensure that approved and intended traffic is occurring. If traffic is abnormal, this can be inspected, approved/blocked and added to the baseline. The continual intelligence on the internal network will allow for a more informed defensive approach.
Phil: I will say that the perimeter is harder to define than it was 10 years ago. Now you have varying levels of access and different services that are needed, internally and externally, for business to execute. I know that I have fought hard to get users and the director/C-level crowd to understand that the edge of our network extends to everything it is connected to: your phone, tablet, laptop and those we do business with electronically. It is not always a bold black line that marks the end of our network and the beginning of the Internet.
We have two important jobs: monitoring daily and anomaly tracking.
By monitoring our traffic profile daily, we can see the who, what, where, when and why of traffic on the network. This helps us build a profile of likely points of egress and ingress, for both of which we monitor source and destination (DNS!) and content, so that we are aware of data flow both in and out and can say we know where our data is and where it is going.
Tracking events that fall outside our typical traffic profile looks at incoming traffic (our external customers accessing needed information and getting it in a timely fashion), but also at unwanted traffic that we can inspect on ingress, make a determination that it is not legitimate, and drop.
This is the important investment everyone should be making in security, machine learning and AI, and whatever the next trend is. However, they all have difficulty pattern matching and need the security professional to vet, test, audit and reassure that this process is working appropriately. As security professionals, we are only as good as the information we have, so we have to remain open to new sources and be vigilant to ensure their validity and timely reporting.
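The verify-then-trust loop Paul describes (baseline the internal network, keep monitoring, inspect anything abnormal, then approve or block it and fold the decision back into the baseline) and the daily traffic profile with DNS-aware egress monitoring that Phil describes are the same mechanism seen from two angles. The Python below is an added example, not code from this article, from either contributor, or from Palo Alto Networks. Its log format, the hosts, domains and byte counts in the sample records, and the 5x volume threshold are all constructed assumptions; a real deployment would parse the firewall's own traffic and DNS logs.

```python
# Added example (not from the Fuel article, nor Palo Alto Networks code).
# The log format, hosts, domains, byte counts and VOLUME_FACTOR below are
# constructed for illustration; real deployments parse the firewall's own logs.

VOLUME_FACTOR = 5  # assumed: flag a known flow once bytes_out exceeds 5x its baseline max

# Constructed baseline period: internal hosts talking to their usual destinations.
BASELINE_LOGS = """\
2017-05-01T09:00:00 src=10.1.20.11 dst=10.1.5.2 dport=445 app=smb qname=- bytes_out=120000
2017-05-01T09:05:00 src=10.1.20.11 dst=93.184.216.34 dport=443 app=ssl qname=www.example.com bytes_out=40000
2017-05-01T09:06:00 src=10.1.20.12 dst=93.184.216.34 dport=443 app=ssl qname=www.example.com bytes_out=35000
2017-05-02T09:03:00 src=10.1.20.11 dst=93.184.216.34 dport=443 app=ssl qname=www.example.com bytes_out=42000
2017-05-02T11:10:00 src=10.1.20.12 dst=10.1.5.2 dport=445 app=smb qname=- bytes_out=98000
"""

# Constructed day under review: a device on the Wi-Fi range (10.1.50.0/24) beaconing to a
# host never seen before, and a workstation pushing far more than usual to a known site.
TODAY_LOGS = """\
2017-05-03T09:01:00 src=10.1.20.11 dst=93.184.216.34 dport=443 app=ssl qname=www.example.com bytes_out=41000
2017-05-03T09:02:00 src=10.1.50.77 dst=198.51.100.23 dport=8443 app=unknown-tcp qname=cdn-update.invalid bytes_out=900
2017-05-03T09:07:00 src=10.1.50.77 dst=198.51.100.23 dport=8443 app=unknown-tcp qname=cdn-update.invalid bytes_out=950
2017-05-03T09:30:00 src=10.1.20.12 dst=93.184.216.34 dport=443 app=ssl qname=www.example.com bytes_out=9000000
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts; bytes_out becomes an int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for item in fields:
            key, _, value = item.partition("=")
            rec[key] = value
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def flow_key(rec):
    """Who talks to whom, on which port, with which application."""
    return (rec["src"], rec["dst"], rec["dport"], rec["app"])


def approve(baseline, rec):
    """Analyst inspected this traffic and approved it: fold it into the baseline."""
    key = flow_key(rec)
    baseline["flows"][key] = max(baseline["flows"].get(key, 0), rec["bytes_out"])
    if rec["qname"] != "-":
        baseline["domains"].add(rec["qname"])


def build_baseline(records):
    """Baseline = highest bytes_out seen per flow, plus every domain that was resolved."""
    baseline = {"flows": {}, "domains": set()}
    for rec in records:
        approve(baseline, rec)
    return baseline


def detect(baseline, records):
    """Return (rule, first_timestamp, subject) for traffic outside the baseline.

    Rules: new-flow (tuple never seen), new-domain (name never resolved before),
    volume (known flow sending VOLUME_FACTOR times more than its baseline max).
    Repeats of the same finding within one run are collapsed to the first hit.
    """
    findings, seen = [], set()

    def add(rule, ts, subject):
        if (rule, subject) not in seen:
            seen.add((rule, subject))
            findings.append((rule, ts, subject))

    for rec in records:
        key = flow_key(rec)
        if key not in baseline["flows"]:
            add("new-flow", rec["ts"], key)
        elif rec["bytes_out"] > VOLUME_FACTOR * baseline["flows"][key]:
            add("volume", rec["ts"], key)
        if rec["qname"] != "-" and rec["qname"] not in baseline["domains"]:
            add("new-domain", rec["ts"], rec["qname"])
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOGS))
    today = parse_log(TODAY_LOGS)
    for finding in detect(baseline, today):
        print(finding)
    # The analyst inspects the 10.1.50.77 traffic, decides it is a sanctioned
    # update client and approves it; on the next run only the volume anomaly remains.
    approve(baseline, today[1])
    print(detect(baseline, today))
```

The first run surfaces the Wi-Fi device's never-seen destination and domain and the workstation's outsized upload; after the analyst approves the update-client traffic, only the volume anomaly is still reported, which is the "inspect, approve/block, add to the baseline" step in code. Blocking would simply be the other branch: leave the record out of the baseline and push the tuple to a firewall rule instead.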
About our contributors:
Paul Carter, an information security engineer and Fuel member, has been using Palo Alto products since 2013.
Phil De Meyer, a senior network administrator and Fuel member, has been using Palo Alto products since 2013.
Check Out Our Next Cybersecurity Question of the Month
Weigh in with your opinions and we'll share your answers in a roundtable format on Fuel for Thought. It's an easy, quick way for you to share your expertise and make a contribution to the Fuel community!

Topic:
Cybersecurity professionals expect ransomware to grow more aggressive in the coming years, with higher ransom demands and attempts to go beyond encrypting data, for example by shutting down the computer systems that run utilities or factories. A key concern is that ransomware will start targeting critical infrastructure.
Too many important computer systems are connected to the internet when they should not be, and businesses are failing to properly segment these systems from other processes. When a ransomware infection hits, it has the potential to shut down the entire operation.
How do you think ransomware attacks will evolve further? What steps have you taken within your organization to formulate a recovery plan to avoid downtime?
Share your answer in the May 2017 Cybersecurity Question of the Month thread on the forum.