Cymbel selects information security solutions based on their abilities to (1) support its Zero Trust Principles, (2) minimize administrative and operational costs, (3) deliver value with a minimum of professional services, and (4) enable the InfoSec team to be more responsive to business needs. How you and your organization prioritize among these solutions is a function of your risk management program.
These solutions are meant to be assembled and integrated to create a Next Generation Defense-in-Depth architecture. Given that Cymbel’s first Zero Trust Principle is to balance investment in technical controls across Prevention, Detection, and Response types, it seems reasonable to classify our solutions using these categories as follows:
|Network + Logs|
The Internet represents the primary source of information security risks to the enterprise. Clearly the best risk mitigation strategy would be to cut the enterprise’s connection to the Internet. However, we all understand that’s not feasible due to business needs.
There are two basic constituencies that require the enterprise to be connected to the Internet – (1) employees and contractors and (2) customers, vendors, and other partners. Most organizations respond to these constituencies by creating two networks which I will call Corporate and Commercial, although there can be shared back-end services and databases. Historically, the primary network security technical control for the former is the firewall and for the latter it is the Web Application Firewall. Learn more.
Next Generation Firewall
Traditional stateful inspection firewalls and separate complementary firewall helpers like Intrusion Prevention, URL Filtering, and Proxy Systems are too expensive, too complicated, and simply do not enable organizations to control their users’ Internet activity or mitigate the risks of modern malware. In addition, network level control is needed not just at the perimeter but to control user access to internal applications. In late 2009, Gartner and Forrester began recommending that organizations move to what they are calling “Next Generation Firewalls.”
Unfortunately since then, many network security manufacturers have polluted the term “next generation” and “application-aware” firewalls. Simply adding application awareness as a separate module is not a bad thing, but it’s not a firewall unless it supports a Positive Control Model (allow what’s needed and block everything else) which is the defining characteristic of a firewall.
A Positive Enforcement Model enables you to reduce the organization’s attack surface which goes a long way to mitigating the risks of modern malware. Also you do not have to worry about new applications third parties are developing which you want to keep out of your organization. They are automatically blocked if they are not specifically allowed even if the firewall does not have signatures for them!
A Positive Control Model can only be achieved if the firewall can classify all traffic by application regardless of port, all the time, and at specified speed and latency. Palo Alto Networks is the only firewall that does this and provides best-in-class signature-based Intrusion Prevention/Detection, URL Filtering, and Zero-Day malware detection (WildFire). Furthermore Palo Alto Networks supports traditional port-based stateful inspection functionality to ease the conversion process. Learn more.
Web Application Firewall
Cymbel sees Web Application Firewalls as a required control in addition to the SDLC for web application security for the following reasons:
- Protects assets more valuable than credit cards, e.g. intellectual property.
- Provide immediate vulnerability mitigation
- Supports 3rd party applications whose update cycles you cannot control
Cymbel recognizes Imperva as the best-of-breed Web Application Firewall.
A leading edge Secure Email Gateway provides threat management, regulatory compliance, data governance, and secure communications. Proofpoint is 100% dedicated to email security. More specifically, in addition to traditional anti-spam and anti-virus, the Proofpoint’s Secure Email Gateway identifies phishing attacks, which have become for many organizations, the number one threat vector. Proofpoint has gone a step further with its “Targeted Attack Protection (TM)” service which protects against spear-phishing.
Cloud-based Web and Email Security
On premise appliance-based web and email security appliances may not be cost-effective for organizations with many small locations and/or remote and mobile users. The high-performance, low-latency, cloud-based solution from Zscaler requires no on-premise hardware could be the right solution. Laptop users can get the same level of protection when on the road by simply installing a lightweight agent that directs all web and email traffic through the cloud service. Learn more.
Content-Based Malware Detection and Forensics
In addition to traditional Intrusion Prevention Systems, organizations facing advanced persistent adversaries benefit from content-based malware detection systems. Content decoding enables a malware detection engine to look inside of hundreds of different file types for malware embedded in the documents using static (inspection-based) and dynamic (execution-based) methods. In addition, metadata can be extracted, stored, and queried that is much richer than netflow-based systems, and much more economical that full-packet capture systems. The Fidelis Security solution provides these capabilities and more.
Next Generation Honeynets
A honeynet is a non-signature-based method for detecting compromised systems when they attempt lateral movement in your network. Unfortunately, traditional honeynets are difficult to deploy and manage. They have required extensive work and scripting to make them look real and valuable to attackers. Furthermore sophisticated attackers who are monitoring network traffic will see the administration of honeypot hosts. Finally, there was always the danger of attackers using a honeypot host as a pivot to attack real production systems.
CounterTack has solved these problems with Event Horizon, an appliance running a hypervisor-based set of honeypot VMs which are (1) easy to configure and deploy, (2) cannot be detected as honeypots by attackers, and (3) cannot be used as pivots to production systems.
Another network-based method for detecting compromised devices is to monitor outgoing traffic for malicious Command & Control activity (sometimes referred to as C&C or C2). Damballa specializes in this detection approach. Damballa’s FailSafe tightly integrates (1) cloud-based, big data DNS analytics and malware reverse engineering, with (2) on-premise egress traffic flow analysis to detect compromised hosts. Damballa is an excellent complement to signature-based malware detection controls.
Network and Logs
Supply Chain Monitoring
As organizations improve their information security controls, attackers are increasingly shifting their focus to organizations’ suppliers. An attacker uses an organization’s supplier as a pivot into the targeted organization. A large organization can easily have thousands of suppliers who may not have adequate controls in place. Information Security audits may be an option, but aside from the expense, audits only provide periodic points-in-time analysis.
Seculert provides a cloud-based service that intercepts and collects data from live botnets to detect compromised devices at your suppliers without requiring the supplier to deploy controls they might not be able to afford or manage. For a more comprehensive analysis, the supplier can provide proxy or web security gateway logs to Seculert be correlated with the data collected from the botnets.
Seculert would also be appropriate for organizations like insurance companies who want to monitor their brokers and agents.
Shadow IT Detection, Analysis, and Control
Employee teams are increasingly using cloud services on the own to improve their effectiveness and efficiency. These cloud services are easy to use, have a fast time to value, and use a pay-per-use (OpEx) pricing model. In most cases, these employee teams do not feel the need to ask for IT’s permission to deploy them. The result is that management has no visibility or control over these “Shadow” IT services. This introduces security, compliance, and legal risks.
SkyHigh Networks‘ service (1) rapidly discovers the cloud-based services an organization is using, (2) uses statistical and behavioral models to expose inconsistencies in firewall and proxy policy enforcement, identify opportunities to consolidate the number of services in a category based on risk or cost, reduce “shelfware” by tying subscriptions to actual usage, and (3) detect anomalous usage that may indicate a security breach, i.e. data exfiltration.
Flow Analysis – Behavior Anomaly Detection
Network flow analysis is another excellent method of detecting compromised devices that are missed by signature-based malware detection methods. Lancope leverage Netflow, sFlow, and other flow data from installed routers, switches, and firewalls. Lancope baselines normal device behavior and then alerts on anomalous behavior. Lancope provides extensive tuning capabilities to minimize false positives. In addition, Lancope offers its own network-based flow sensors which are particularly useful to security analysts looking to construct full session activity from an inside host, through a proxy server, out to the Internet.
Managed Security Services Providers
Maintaining a Security Operations Center on a 25x7x365 basis is difficult and expensive. Many organizations prefer to use a Managed Security Service Provider to either completely outsource the SOC function or to complement their internal resources. Solutionary is an MSSP industry Leader recognized by both Gartner and Forrester. They are large enough to support large enterprises and have multiple Service Level Agreements which enables them to adjust to the needs of any organization.
There is a new category of security log analysis products specifically designed to address the Zero Trust era we are in. Security analysts do no want to be constrained by pre-defined database schemas, or specific log types and fields. They are looking for flexibility, scalability, and performance.
Click Security is 100% focused on Real-time Security Analytics. Their core technology is a Stream Processing Engine designed for Complex Event Processing. In addition to building your own log processing applications from scratch, Click Security provides building block analytic and visualization modules. And Click Security provides complete applications using its Stream Processing Engine and modules. Finally, Click Labs will work with organizations to design and build modules and/or complete applications.
Splunk started out as a generic “machine data” storage and analysis company. They are best known for tremendous log storage scalability and full-text indexing of the logs. Many organizations have adopted Splunk for security log analysis. Recently Splunk has stepped up its efforts in the information security domain. It is now on version 2.0 of its Splunk for Enterprise Security. In addition, due to its open architecture, third parties are building security analytics applications on top of Splunk.
Next Generation Whitelisting
During the last several years it has become apparent that traditional the anti-virus signature-based malware detection method is not getting the job done. The sophistication and persistence of most organizations’ cyber adversaries have rendered blacklisting almost useless. For more background: A Quiet Assumption, Antivirus Tool Fail: Blocking Success Varies by 58%, Symantec Gets A Black Eye in Chinese Hack of the New York Times.
Therefore a variety of white listing approaches have come to market. Attempting to simply define your white list using file hashes has shown to be very difficult and administratively time consuming.
Bromium is taking another approach to white-listing. It starts with the premise that any untrusted task should not be allowed to do anything. Then, by policy, you enable just the required functionality. For example, if you are browsing the web, the specific tab in which you are browsing cannot communicate with any other part of your device – no internal communications, no external communications to other domains, etc. Rather than simply use software sandboxing to enforce policy, Bromium leverages Intel iCore chips’ Virtual Technology instruction set to isolate tasks.
Trusteer takes a completely different approach to achieve whitelisting. It concentrates on understanding the “normal” memory states of the seven applications which are responsible for more than 99% of the malware causing device compromises. It can therefore detect “abnormal” memory states indicating malicious I/O behavior. What’s interesting is that at present (March, 2013) this is a greater number of applications than Bromium supports. Of course Trusteer has been doing this since 2006 and has 40 million endpoint agents deployed worldwide.
SafeNet data encryption and control solutions focus on sensitive data, providing persistent protection throughout its lifecycle, wherever it resides. Information is protected at every moment—when it is created by an employee on a company laptop, shared with a business partner by e-mail, stored in an enterprise database, processed by an application, and accessed by a field employee on a mobile device.
Data encryption and control solutions cover data center protection for databases, applications, virtual and cloud-based systems, and mainframes as well as endpoint protection for files and full disk encryption.
If you have a question or a comment, or would like more information, please let us know by completing the Contact Us box on the upper right side of this page.