We can get so focused on the ever-evolving landscape of cybersecurity that we forget about the fundamentals. It’s time to get back to the basics.
With so much going on in the realm of cybersecurity, it is easy to become confused or get lost completely. Things change. Cyber-warfare evolves. Attacks are more frequent and complex. The bad guys are always one step ahead. It is our job as cybersecurity professionals to make sure we keep up with the latest tactics, techniques, and procedures that the bad guys are using so we can adequately protect the information and systems we are entrusted to protect. The fate of the systems and organizations we support depends on it. Although, thinking red and acting blue is a lot easier than it sounds.
Case in Point: Zero Trust or Bust?
In an effort to stay on top, sometimes we get so focused on the ever-evolving landscape of cybersecurity or the latest LinkedIn buzzwords that we forget about the fundamentals. Take zero trust for example: If you are in cybersecurity, you’ve heard it, and you may or may not understand what it ‘actually’ is. Like when everyone started adding “cloud” and “IoT” and “XaaS” and “Kubernetes” to their technological lexicons. You still have folks that repeat what they hear at a seminar or read online without truly understanding what the words mean. Yet, every enterprise in North America has been given directives to begin its journey in pursuit of achieving zero trust cybersecurity architecture. Most IT executives are being asked by their boards, superiors, and colleagues to produce a “Zero Trust Strategy” for their organizations. While zero trust network and infrastructure architectures are great, such frameworks are not realistic for organizations that do not have the fundamental components in place to begin with. Zero trust is NOT achievable if there are gaps in your cybersecurity stack to begin with.
What do I mean?
There are a handful of technological and security components that every organization MUST have in place in order to properly secure their environments. Most modern cybersecurity frameworks (like the cybersecurity framework, or CSF, from NIST) cover each of these fundamental components in-depth, so you don’t have to take my word for it.
BARE-MINIMUM MUST-HAVES:
- Modern/Next-Gen Firewalls (with IDS/IPS)
- Network Segmentation
- Modern Endpoint Protection
- Patch and Vulnerability Management
- Network Monitoring and Alerting (or SIEM)
- Multi-Factor Authentication
- End-User Awareness Training
Now don’t get me wrong, there are certainly many other components of a security stack that I did not mention, but we are sticking with the basics here. We’ll save the rest for another article…
You’ll notice that some of these are point solutions while others are design constructs and even operational components. The point here is that security is a process, not a product. You simply cannot buy security. It requires process, diligence, and regular care and feeding. No matter how much SOAR or AI we throw at it, the human element is necessary and will continue to be, at least until AI develops consciousness and dooms us all. But I digress…
“…Security is a process, not a product. You simply cannot buy security. It requires process, diligence, and regular care and feeding. No matter how much SOAR or AI we throw at it, the human element is necessary and will continue to be…”
There is a lot to unwrap here, and I’ll do my best to cover each one in subsequent articles, but for today we are going to focus on probably the two most important components that I mentioned. I’ve been consulting with customers for years, and I believe these are the most commonly overlooked or misunderstood components and constructs.
Firewall and Segmentation
Your firewall MUST have the ability to perform SSL decryption, deep packet inspection, and signature-based as well as heuristic threat detection. Whether it is deployed at your network edge, at your services layer, or collapsed core, it must have these capabilities. If you don’t have a Next-Gen Firewall, get one and buy the enhanced feature licensing and support. You need it.
Make sure the firewall stays updated with the latest signatures, definitions, and application definitions. It is generally acceptable by most organizations to automate signature and AppID updates regularly. So, make sure you configure your firewall to do so. Obviously, code updates and upgrades should be saved for a change-window, but definition updates have low to no impact on the network.
VLANs don’t cut it…
Your internal network must be segmented in a way that protects critical resources. A common misconception is that employing VLANs creates segmentation, which is completely false. This is especially applicable in collapsed-core environments, where multiple VLAN SVI’s or gateways are placed on the network distribution or core-layers with no Layer-7 inspection being performed between them. I know what you are thinking, but not only are Layer-3/4 ACLs a pain to manage, but they are also ineffective at stopping modern-day heuristic threats. ACLs make good screen doors and can help reduce noise or automated scans, but they will not stop a determined threat actor. In summary, VLANs consolidate broadcast and collision domains, they do not necessarily segment a network.
Segmentation 101:
There are many ways to skin the segmentation cat, but the goal here is to at least separate your operational technology (OT) and information technology (IT) networks. Create boundaries between your user networks and your server networks and place a Next-Gen Firewall between them. If your organization employs a collapsed-core network model, this type of segmentation can be achieved by migrating the VLAN interface/gateway of your server network from the core switching and routing infrastructure to your Next-Gen Firewall. This way, any traffic that wishes to traverse into the protected server environment must first pass inspection by the firewall. This does a fantastic job at containing threats that break out in the user zone or user VLANs.
To take it a step further, you can also place multiple protected networks into a purpose-built VRF at the network layer to effectively put a border around multiple networks and VLANs simultaneously. After that, it’s a simple routed transit connection to the firewall, with a few summary routes to boot, and Bob’s your Uncle. Or go crazy and add an IGP. I could talk about various ways to segment networks (with technology you may already have) for days. The point is these mechanisms force threat-actors to negotiate with one or multiple firewalls AFTER the initial compromise or detonation. Since the majority of attacks target end-users, it behooves every network or security admin out there to heed this advice.
Stay tuned for Part 2!
Written By:
Joel Schafer
Director, Information Security
Infrastructure Solutions Group
Sources:
Office of Management and Budget Releases Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture | The White House
What is a Collapsed Core in a Network Design? | EIRE Systems
NIST Cybersecurity Framework (CSF) | U.S. General Services Administration
If you need any assistance with understanding the details within the advisory, understanding your current cybersecurity posture, your preparedness for a breach, or any other cybersecurity topic, we would love to have a discussion with you. Contact us today, and let’s chat about your environment and ways to lower your chances of becoming a victim of cybercrime.
