CYMBEL’S 12 BEST PRACTICES

Due to the changes we’ve seen during the last several years in Business Needs, Technology, Threats, Compliance Requirements, and the Economy, Cymbel has developed a set of twelve best practices to mitigate the risks of modern malware.

  1. Application-level Positive Enforcement Model Firewall Policy – Implementing an application-level Positive Enforcement Model (default-deny) reduces the organization’s attack surface by limiting the web-based applications users can reach to only those the organization needs. To simplify policy management, the firewall must have access to the organization’s directory service so that rules can be written per user group rather than per IP address. Traditional URL Filtering is still necessary but not sufficient: more sophisticated end users can bypass it by using external proxies, whereas under an application-level default-deny policy an unapproved proxy is itself an application that is not permitted. With group-based rules, an organization can (a) enable its sales and marketing teams to leverage social media while preventing them from playing games and (b) block other groups from using social media at all.
  2. Firewall Management - Firewalls are the number one technical security control for virtually all organizations. Managing and auditing firewall policies is a time consuming effort. Over time, firewall policies become ever more complex. Firewall rules are added, but rarely deleted. We recommend a firewall management system to (a) reduce administrative and audit costs, (b) reduce errors and unplanned downtime, and (c) improve responsiveness to business needs.
  3. Multi-layer, Application Aware Threat Detection / Prevention – Once application usage is controlled, the remaining traffic must be monitored for threats. We recommend four complementary threat prevention methods:
    1. Application Aware signatures to provide virtual vulnerability patching
    2. Web site reputation services and blacklists
    3. Heuristic analysis with sandbox testing of suspicious executables
    4. Behavior anomaly analysis
  4. Remote and mobile worker protection – Controlling and protecting the ever increasing remote and mobile work force can be a daunting challenge. When staff work from home, coffee shops, or hotels, host-based controls (anti-virus and port-based firewalls) cannot match the protection and control that leading-edge network security controls provide. Next Generation Firewalls and cloud-based proxy services can extend that additional layer of control and protection to remote users. Finally, the exploding use of smartphones requires a Mobile Device Management solution to provide security and meet compliance requirements.
  5. Application and User Aware Log and Flow Analysis – Today, more than ever, information security must include Threat Detection as well as Prevention controls. While Security Information and Event Management (SIEM) solutions have been used to meet compliance requirements such as Sarbanes-Oxley, GLBA, PCI DSS, FERPA, and NERC, today they must play the additional role of the organization’s primary Detection control. To do this, the SIEM solution must include integrated, application- and user-aware log and flow analysis, so that an alert can be tied to a named user and a classified application rather than only to an IP address and port. For organizations that don’t have the resources for 24×7 monitoring, we recommend a Managed Security Service Provider (MSSP).
  6. Internal Network Segmentation at the Application and User Level – The difficulties of Data Center Network Security continue to increase in the face of seemingly conflicting goals – prevent threats, provide the compartmentalization that regulatory compliance requires, and maintain application performance and availability. While VLANs were introduced for performance reasons, their security capabilities cannot stand up to the current threat landscape and compliance requirements. Next Generation Firewalls with Application-based Traffic Classification functionality enable application- and user-based segmentation using a “default deny” model.
  7. Web Application Protection – While most organizations have adopted a Secure Development Life Cycle for their web applications, there is simply no such thing as a bug-free application. We recommend black-box application vulnerability scanning complemented by a Web Application Firewall, especially because these two controls can be integrated: the output of the application vulnerability scanner becomes input to the web application firewall, which then blocks requests that exercise the reported vulnerabilities until the application itself is fixed. This simplifies the administration of the WAF, though it only covers what the scanner found, so it complements rather than replaces the WAF’s generic protections.
  8. Encryption – While encryption is not new, it is as important as ever in a layered defense-in-depth architecture. There are five areas in which we recommend cryptographic controls:
    1. Certificate-based Two-Factor Authentication
    2. Database encryption, tokenization, and data masking
    3. File encryption
    4. Email encryption
    5. Wide Area Network traffic encryption
  9. Wireless LAN Security – The use of wireless local area networks continues to increase due to their flexibility, affordability, and ease of installation. For these reasons, and because the medium for transmitting data is air, WLANs create new and different security and compliance risks. In fact, even if your organization has a policy against WLANs, a wireless monitoring solution is needed to enforce the policy! The required functionality includes rogue elimination, intrusion prevention, forensic analysis, vulnerability assessment, legacy protection, 24×7 policy monitoring, and, where necessary, regulatory compliance reporting.
  10. Virtualization and Cloud Security – While the cost savings and increased flexibility of virtualization and cloud computing drive increased usage, we cannot lose sight of the new risks created by the deployment of these technologies. Also, simply installing traditional host-based security controls in every virtual machine can severely impact performance and erode the cost savings.
  11. Device Visibility, Configuration and Access Control – At a fundamental level, an organization must have complete visibility of all devices on its network and assure that their configurations are consistent with security and compliance policies. Patch management must now go beyond operating systems, as attackers have shifted their focus to vulnerabilities in commonly used applications like Java and Adobe Flash and Reader. In addition, mobile devices must be re-evaluated against policy before being readmitted to the network.
  12. Application and User Aware Full Packet Capture – Due to the inevitability of security incidents, full packet capture provides vital forensics information to support incident analysis.
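As an added example (this is not Cymbel’s code, nor any firewall vendor’s policy language), the following Python shows the positive enforcement model from practice 1: a policy evaluator keyed on directory group and classified application, with an implicit default-deny for anything a rule does not explicitly allow. The directory contents, group names, application names and rule set are constructed assumptions for illustration.

```python
"""Application-level positive enforcement (default-deny) policy keyed on directory group.

Added example; not Cymbel's code or any vendor's policy format. Users, groups,
application names and rules below are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed directory lookup (assumption: in practice this comes from LDAP/AD).
DIRECTORY = {
    "alice": {"sales"},
    "bob": {"marketing"},
    "carol": {"engineering"},
    "dave": set(),          # authenticated, but in no group that has been granted anything
}

# Application labels as an application-aware traffic classifier would assign them
# (assumed names), each mapped to a category so rules can target either level.
APP_CATEGORY = {
    "facebook": "social-media",
    "twitter": "social-media",
    "farmville": "games",          # a game running inside a social-media platform
    "github": "developer-tools",
    "external-proxy": "proxy",     # the URL-filter bypass from practice 1
}


@dataclass(frozen=True)
class Rule:
    groups: frozenset   # directory groups the rule applies to
    apps: frozenset     # application names or categories it matches
    action: str         # "allow" or "deny"


# Evaluated top to bottom, first match wins. Anything unmatched falls through to the
# implicit default-deny at the end of evaluate(); that is the positive enforcement model.
RULES = [
    # (a) sales and marketing may use social media, but the game deny must come first
    Rule(frozenset({"sales", "marketing"}), frozenset({"games"}), "deny"),
    Rule(frozenset({"sales", "marketing"}), frozenset({"social-media"}), "allow"),
    Rule(frozenset({"engineering"}), frozenset({"developer-tools"}), "allow"),
    # (b) every other group is blocked from social media by default-deny; no rule needed.
    # External proxies are never allowed, so they are blocked by default-deny as well.
]


def evaluate(user, app, directory=DIRECTORY, rules=RULES):
    """Return (decision, reason) for one user/application pair.

    Unknown users, unclassified applications and traffic no allow rule covers
    are all denied; only an explicit allow lets traffic through.
    """
    groups = directory.get(user)
    if groups is None:
        return "deny", "unknown user"
    category = APP_CATEGORY.get(app)
    if category is None:
        return "deny", "unclassified application"
    for rule in rules:
        if rule.groups & groups and (app in rule.apps or category in rule.apps):
            return rule.action, f"{rule.action} rule for {sorted(rule.groups)} on {sorted(rule.apps)}"
    return "deny", "no matching rule (default deny)"


if __name__ == "__main__":
    for user, app in [("alice", "facebook"), ("alice", "farmville"),
                      ("carol", "facebook"), ("carol", "github"),
                      ("alice", "external-proxy"), ("dave", "github")]:
        decision, reason = evaluate(user, app)
        print(f"{user:6} {app:15} -> {decision:5} ({reason})")
```

The ordering of the two sales/marketing rules is the part worth noticing: because the first match wins, the narrower game deny has to precede the broader social-media allow, otherwise a game hosted inside a social-media platform would be allowed. The external proxy case shows why URL filtering alone is insufficient but a default-deny application policy is not: the proxy never has to be blacklisted, it is simply never allowed.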
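Practices 3 (application-aware signatures as virtual vulnerability patches) and 7 (feeding scanner output into the WAF) describe the same integration from two sides. As an added example that is not part of the original page and does not use any real scanner’s or WAF’s format, the following Python turns a constructed scanner finding into a narrowly scoped virtual-patch rule and checks requests against it. The finding schema, the detection patterns and the sample requests are all assumptions made for illustration.

```python
"""Scanner findings -> WAF virtual-patch rules -> request inspection.

Added example; not Cymbel's code and not the real output format of any scanner
or the rule language of any WAF. Findings, patterns and requests are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed black-box scanner output: each finding names the exact method, path
# and parameter that was proven vulnerable, plus the vulnerability class.
FINDINGS = [
    {"id": "F-1", "path": "/search", "method": "GET", "param": "q", "class": "sqli"},
    {"id": "F-2", "path": "/profile", "method": "POST", "param": "bio", "class": "xss"},
    {"id": "F-3", "path": "/admin", "method": "GET", "param": None, "class": "info-leak"},
]

# Assumed detection patterns per vulnerability class. Deliberately narrow: a virtual
# patch only has to cover the parameter the scanner flagged, not every input.
PATTERNS = {
    "sqli": re.compile(r"(?i)([\"']\s*(or|and)\s+[\w\"']+\s*=|union\s+select|--)"),
    "xss": re.compile(r"(?i)(<\s*script|javascript:|\bon\w+\s*=)"),
}


def finding_to_rule(finding):
    """Build a virtual patch scoped to (method, path, parameter) from one finding.

    Returns None for classes we have no pattern for (e.g. an information leak),
    which must then be handled by a fix in the application, not by the WAF.
    """
    pattern = PATTERNS.get(finding["class"])
    if pattern is None or finding["param"] is None:
        return None
    return {
        "id": finding["id"],
        "method": finding["method"].upper(),
        "path": finding["path"],
        "param": finding["param"],
        "pattern": pattern,
    }


def build_ruleset(findings):
    """Convert every convertible finding; the scanner output is the WAF's input."""
    return [rule for rule in map(finding_to_rule, findings) if rule is not None]


def inspect(request, rules):
    """Check one request (dict with method, url and optional form-encoded body).

    Returns ("block", rule_id) for the first virtual patch that fires, else ("pass", None).
    """
    parts = urlsplit(request["url"])
    params = parse_qs(parts.query)
    method = request["method"].upper()
    if method == "POST":
        params.update(parse_qs(request.get("body", "")))
    for rule in rules:
        if rule["method"] != method or rule["path"] != parts.path:
            continue
        for value in params.get(rule["param"], []):
            if rule["pattern"].search(value):
                return "block", rule["id"]
    return "pass", None


if __name__ == "__main__":
    ruleset = build_ruleset(FINDINGS)
    print(f"{len(ruleset)} virtual patches generated from {len(FINDINGS)} findings")
    for req in [{"method": "GET", "url": "/search?q=shoes"},
                {"method": "GET", "url": "/search?q=' OR '1'='1"},
                {"method": "POST", "url": "/profile", "body": "bio=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}]:
        print(req["method"], req["url"], "->", inspect(req, ruleset))
```

Two design points follow from tying the rule to the scanner finding. First, the patch is scoped to the exact method, path and parameter, so a payload in an unscanned parameter, or the same parameter on a different method, passes straight through; that is what keeps false positives low, and also why this mechanism covers only what the scanner found. Second, findings with no parameter or no matching pattern produce no rule at all, which is the signal that the application itself must be fixed.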