NEXT GENERATION DEFENSE-IN-DEPTH

In response to the new information security risks created by the five forces of change (business needs, technology, threats, compliance requirements and the economy), Cymbel has developed a Next Generation Defense-in-Depth architecture, shown in the diagram below, focused on protecting information rather than devices.

By deploying these products and processes, we have been able to:

  • Accelerate the shift from protecting devices to protecting information
  • Increase visibility and control
    • Devices, Operating Systems, Applications, Configuration Changes
    • User Activity – Applications, Sites, Files, Databases
    • Zero-day threats, Botnet Command & Control Communications
  • Integrate security needs and compliance requirements
  • Manage Information Security from an IT/Business Service Management perspective
  • Improve Information Security responsiveness to business needs
  • Reduce the costs of meeting ever increasing compliance requirements
  • Reduce Information Security administrative and operations costs

Cymbel’s Next Generation Defense-in-Depth Architecture

Next Generation Firewall – Traditional firewalls and the separate, complementary firewall helpers such as Intrusion Prevention and URL Filtering are too expensive, too complicated, and simply do not sufficiently reduce today’s risks created by social networking, SaaS collaboration services, and the hundreds of other Internet-based applications and services people are using. Gartner and Forrester both use the term “next-generation” firewall to describe a network security appliance that includes (1) standard first-generation firewall capabilities, (2) integrated rather than merely co-located network intrusion prevention, (3) application awareness and full-stack visibility, and (4) extra-firewall intelligence, such as integration with directory services for user-group policies. Based on Gartner’s definition, Palo Alto Networks is the only qualifying next-generation firewall.

0-Day / Behavioral Intrusion Prevention – Given the prevalence of 0-day vulnerabilities, there is a need for behavioral intrusion prevention. Earlier products had limited success due to the high number of false positives. We recommend FireEye because it uses a two-step process which practically eliminates false positives. The first step is detecting anomalous behavior. The second step is to actually execute the suspicious code in a virtual machine “sandbox” right on the appliance. Only after this second step is completed are you alerted.

Cloud-based web/email security – For organizations with many small locations and/or laptop users, providing protection against web and email malware has been problematic until now. Zscaler provides a high-performance, low-latency, proxy-based web and email security service that requires no on-premises hardware. Laptop users get the same level of protection on the road by installing a lightweight agent that directs all web and email traffic through the Zscaler service.

Security Information & Event Management – Collecting and reporting on logs is a requirement of virtually all regulatory compliance regimes and is a SANS Critical Security Control. As organizations seek to balance their security investment among Prevention, Detection, and Response controls, SIEM becomes the primary detection control. When comprehensive contextual information is correlated, including application-aware flow data, SIEM can provide truly actionable security intelligence. Q1 Labs’ QRadar next-generation SIEM, Log Management, Network Activity Monitoring, and Risk Management technologies are built on the industry’s only Security Intelligence Platform. As a result, QRadar helps security teams detect and analyze exploits and policy violations, and perform risk assessments, through one unified console.
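As an added illustration (not Cymbel’s, Q1 Labs’ or Palo Alto Networks’ code) of the correlation described above: application-aware flow records from a next-generation firewall are joined with directory group membership and an IDS alert to produce prioritized findings. All records, the per-group application policy, the scoring weights and the transfer threshold are constructed assumptions.

```python
# Constructed sample inputs (not real firewall, directory or SIEM output).
# Flow records carry the application the firewall identified, not just the port:
# the "irc" flow below is on port 443, which a port-based rule would miss.
FLOWS = [
    {"src": "10.1.1.20", "user": "alice", "app": "ssl", "dst": "203.0.113.7", "dport": 443, "bytes": 1200},
    {"src": "10.1.1.20", "user": "alice", "app": "irc", "dst": "198.51.100.9", "dport": 443, "bytes": 300},
    {"src": "10.1.1.31", "user": "bob", "app": "ssh", "dst": "192.0.2.15", "dport": 22, "bytes": 9000},
    {"src": "10.1.1.31", "user": "bob", "app": "dropbox", "dst": "203.0.113.44", "dport": 443, "bytes": 50_000_000},
]
# Directory-service context: user -> group (assumed lookup result).
USER_GROUPS = {"alice": "finance", "bob": "engineering"}
# Behavioral IDS alert keyed by internal source address (constructed).
IDS_ALERTS = {"10.1.1.20": "suspicious outbound beacon pattern"}
# Assumed per-group policy: applications each group is expected to use.
ALLOWED_APPS = {
    "finance": {"ssl", "web-browsing"},
    "engineering": {"ssl", "web-browsing", "ssh", "dropbox"},
}


def correlate(flows, groups, alerts, allowed, transfer_threshold=10_000_000):
    """Score each flow by combining firewall app-id, directory group and IDS context.

    Weights are assumptions: an IDS alert on the same host outweighs a policy
    mismatch, which outweighs a large transfer. Flows with no evidence are dropped.
    """
    findings = []
    for f in flows:
        reasons, score = [], 0
        group = groups.get(f["user"], "unknown")
        if f["app"] not in allowed.get(group, set()):
            reasons.append(f"app {f['app']} not expected for group {group}")
            score += 3
        if f["src"] in alerts:
            reasons.append(f"IDS: {alerts[f['src']]}")
            score += 5
        if f["bytes"] >= transfer_threshold:
            reasons.append(f"large transfer ({f['bytes']} bytes) to {f['dst']}")
            score += 2
        if score:
            findings.append({"user": f["user"], "src": f["src"], "app": f["app"],
                             "dst": f["dst"], "score": score, "reasons": reasons})
    # Highest-priority finding first, so an analyst sees the combined evidence at the top.
    return sorted(findings, key=lambda x: x["score"], reverse=True)


if __name__ == "__main__":
    for finding in correlate(FLOWS, USER_GROUPS, IDS_ALERTS, ALLOWED_APPS):
        print(finding["score"], finding["user"], finding["app"], "; ".join(finding["reasons"]))
```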

Network Forensics – Full packet capture is essential to providing response teams the information they need to properly investigate security incidents. As the trend toward surveillance in the physical world continues to grow, the need for complete visibility of all network activity (active and historical) is becoming a business necessity, especially as networks become exponentially faster and more complex. However, full packet capture can be extremely expensive at scale. Cymbel selected Solera Networks because it provides all of the needed investigative functions and scales very economically.

Virtual Machine Firewall/IDS – Trend Micro’s Deep Security provides a hypervisor-based security solution consisting of firewall, intrusion detection, VM introspection, security automation, and compliance assessment. Because Trend Micro Deep Security is hypervisor-based, it sees not only the ingress and egress traffic of each VM coming in from and going out to the physical network, but also the traffic among the VMs on each host. Altor also provides a compliance dashboard and alerts on non-compliance.

Links to Explore

Cymbel’s overview of the first 15 Controls designed for automation and grouped into 12 categories and the individual pages for each:

  • Discovery
  • Configuration Management
  • Boundary Defense
  • Log Management
  • Application Security
  • User / Account Controls
  • Vulnerability Management
  • Malware Defense
  • Wireless Device Control
  • Data Loss Prevention

Cymbel’s Services related to the SANS Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines:

  • Secure Network Engineering
  • Penetration Testing
  • Incident Response Capability
  • Data Recovery Capability
  • Security Training