APT Defense Puzzle

APT Defense Puzzle – Best-Practice & Controls

APT Strategy Series

Defensible Security Posture
Advanced Threat Defense
APT Detection Framework
APT Detection Indicators
APT Red Teams

In the last few years, protecting business assets has become much more difficult as the “bad” guys continue to evolve their attacks to evade IT defenses. When you add into the mix employee-owned mobile devices (BYOD) and cloud-based services, which require networks to be more dynamic than in years past, traditional network security controls and practices are simply no longer enough to ensure protection.


A 2013 study by the Ponemon Institute found that 67 percent of organizations admit that their current security activities are insufficient to stop a targeted attack. Trend Micro found that 55 percent are not even aware of intrusions, and fewer know the extent of the attack or who exactly is behind it.

The Advanced Persistent Threat now more closely approximates the “Average” Persistent Threat, and the average organization is going to have to learn how to protect itself from this new and different form of cyber threat. Over the last few years, three factors have combined to attract organized criminal elements to hacking:

  1. There’s real money to be made, in several different ways.
  2. There’s a very low risk of getting caught.
  3. There are readily available hacking tools that anyone can modify to suit their purposes.

This APT Defense Puzzle blog, part of the APT Strategy Series, is a living and evolving blog that will be continually updated and extended with practical best-practice and controls that organizations can leverage to manage and defend against the real and increasing threat of APT. It complements the APT Threat Defense blog, which focuses on top-down architecture and strategy, by taking a bottom-up focus on quick fixes and changes that enable tangible improvements in security posture.

Solving the APT Defense Puzzle

The blog is also complemented by a LinkedIn group entitled Solving the APT Defense Puzzle, which brings together a virtual community of security professionals to share practical best-practice, controls and tools, together with analysis of APT attacks in the wild and the actionable steps that follow from it.

See: Solving the APT Defense Puzzle Announcement

Defensible Posture Recap

As stated in the Defensible Security Posture blog, the basic idea of a Defensible Security Posture is that you aren’t striving for an absolute, but rather for a position (or posture) that is able to be defended even when it’s infiltrated.

“He who tries to defend everything defends nothing.” – Frederick II

Kill Chain Actions

There are a few basic things we need to understand:

  1. Defensible does not mean secure
  2. There are more things to defend than there are resources to defend
  3. Sometimes your defenses can become your weakness
  4. Defensibility requires understanding of what critical assets you’re defending
  5. Defensibility focuses on what, why, how, when and from whom

There is no silver bullet or single solution. APT attackers continually demonstrate their capability to compromise systems by using social engineering techniques, customized malware, and zero-day exploits that intrusion detection, anti-virus and patching cannot always detect or mitigate. Responses to APT intrusions require an evolution in analysis, process, visibility and technology.

A Call to Action

While there is no APT silver bullet there is much an organization can do with a well-designed and managed defensible posture. Given the inherently porous nature of richly inter-connected systems, it is quite likely that determined attackers will penetrate virtually any system. This does not mean there is no defense. It means there is a need to change the concept of defense from walling off the system to detecting, monitoring and mitigating attacks on the system.

The reality is that organizations actually have much more control over cyber attackers when attackers are inside their system than when attackers are on the outside selecting access points into it. Moreover, most cyber attacks are not successful when they merely penetrate the system.

Success for the attacker does not occur until they gather valuable information and then exit the system with it. If an enterprise can detect an unwelcome entity within the system, for example, and block its pathway back out, it can successfully mitigate the attack even if the system has been successfully breached.

Practical Best-Practice & Controls

Developing a Defensible Security Posture is very similar to assembling a complex 5000+ piece jigsaw puzzle, except that organizations do not yet have the complete picture and, given the complexity, do not always know which pieces are actually missing. As we are all painfully aware, security is only as good as your weakest link, so a missing piece or two enables the APT attacker to compromise a system and establish a base camp.

Defense Puzzle

Based upon experience conducting hundreds of network architecture assessments, vulnerability assessments, penetration tests, and social engineering assessments: what are the common gaps in best-practice, controls and tools … the typical missing pieces or unseen flaws that are easily fixable yet enable a successful APT attack?

Based upon analysis of successful APT attacks and compromises in the wild: what techniques of exploitation and persistence were used, and what were the lessons learned? What easily actionable fixes can organizations apply to prevent a similar attack, evolve their defenses and improve their posture?

The devil is in the details. The blog presents an ever evolving list of missing pieces and/or validation checks to complete a defensible security posture. Do you have that control or option configured? Is it configured correctly? Did the organization miss this gotcha that others missed?


IT security threats continue to become more targeted and more dangerous, security challenges are getting even more complex, and the costs of security failures keep going up. Business as usual can no longer protect enterprise networks against these threats, much less against what’s coming tomorrow.

IT needs to act now to address the challenges of ubiquitous mobile device access, for-profit hacking, Advanced Persistent Threats, application vulnerabilities and complex multi-vendor hyper-extended network management.

Thanks for your interest!

Nige the Security Guy.


Security Program Best-Practices 5

Security Program Best-Practices – Part 5

Security Program Best-Practices – Part 1
Part 2
Part 3
Part 4
Part 5

This blog continues our Security Governance Series with the next installment of recommended security program best-practices drawn from a broad sample of assessments. In this blog we will discuss the final and most critical Gap 10 – Develop Firewall Rule Lifecycle Management.

Firewall Rule Lifecycle

Gap 10: Firewall Rule Lifecycle Management

Business Problem

Firewalls are the first and continued line of defense for enterprises today, handling vast amounts of traffic across the network. On the perimeter alone firewalls filter millions of packets daily. The organizational security policy implemented in these firewalls requires the definition of hundreds and often thousands of rules and objects. Objects may include groups of servers, user machines, sub-networks in the data center, and networks in company branch offices or DMZs. The firewall rules define which type of applications and which network services are allowed to traverse between networks and which should be blocked.

Firewalls are Organic

Since business needs are dynamic, firewall policies are constantly being changed and modified. This continuous flux causes the firewall configuration to grow dramatically over time. A huge and consequently complex firewall configuration is hard to manage and may require lengthy research in order to add or change a rule. Moreover, the complexity of the configuration decreases the firewall’s performance and may lead to security breaches. For example, a rule was created to allow a temporary service to work for a limited time, but the administrator failed to delete the rule after the task was finished, introducing real security risk.

Complex Rules

Finding unused rules that have not matched any traffic, duplicate rules, and rules that are covered by other rules is a complex manual task for the firewall administrator. It may take days of investigating just to locate such rules in huge firewall configurations, while at the same time the firewall is continuing to change daily due to user requests.

Firewall Policy Vulnerability

Gartner noted in a recent research note that …

“Through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.”

Organizations need to develop a Firewall Rule Lifecycle Management process to clean up their firewall policies, easing the network security administrator’s job while boosting firewall performance and eliminating security holes.

Organizations need to identify and address, as follows:

  • Unused rules: Rules that have not matched any packet during a specified time. Cisco ACL hit counters, central ‘syslog’ logging, or commercial tools can be used to compare the actual traffic seen in the firewall logs against the rules in the policy. Unused rules are ideal candidates for removal; often the application has been decommissioned or the server has been relocated to a different address.
  • Covered or duplicated rules: Rules that can never match traffic because a prior rule, or a combination of earlier rules, prevents traffic from ever reaching them. During firewall cleanup such covered rules can be deleted since they will never be used. Covered and duplicated rules cause the firewall to spend processing time for no benefit and decrease its performance.
  • Disabled rules: Rules that are marked “disabled” and are not in operation. Disabled rules are ideal candidates for removal, unless the administrator keeps them for occasional use or for historical record.
  • Time-inactive rules: Rules that were active for a specified period in the past and whose period has expired. Rules that were active for a specific period can become active again at the same time next year. Retaining such rules may create security holes.
  • Rules without logging: Rules that are defined not to generate logs. Security best-practice guidelines usually dictate logging everything. Since log information consumes a large amount of disk space, administrators often configure heavily used rules that control low-risk traffic not to generate logs. Listing the rules without logs helps the administrator verify that the lack of audit for these rules does not contradict policy.
  • Least used rules and most used rules: Rules that matched the smallest or the largest number of packets over a predefined and configurable period of time. The rule usage statistics help the administrator in the cleanup process for performance improvement: most used rules can be repositioned higher in the configuration and least used rules lower. Rules with a zero hit count may be removed.
  • Rules with empty comments: Rules that are not documented, i.e., without a text explanation or a reference number to the original change management request. Policy often requires an explanation for each rule, so defining rules without comments is a violation of the policy. Some companies require entering the help desk trouble-ticket number into the rule comment.
  • Unattached objects: Objects that are not attached to any rule, including unattached global objects.
  • Empty objects: Objects that do not contain any IP address or address range.
  • Duplicate objects: Objects that already exist but are recreated under another name, contributing to policy “bloat”.
  • Unused objects: Objects whose address ranges did not match any packet during a specified time, including unused global objects.

By removing the unnecessary rules and objects, the complexity of the firewall policy is reduced. This simplifies management, increases performance, and removes potential security holes.

Cleanup Phase 1: Validation

The Validation phase involves reviewing the firewall rules and performing a static analysis, either manually or with the use of public domain or commercial tools such as AlgoSec or Tufin.

Algosec Example

Items to be reviewed in this step are, as follows:

  • Unattached Object / Unattached VPN User-Group – An object that:
    • Does not appear in any rule
    • Every group it belongs to does not appear in any rule
    • In any policy on any firewall
  • Empty Objects:
    • Do not refer to any IP address
  • Unattached VPN Users:
    • Do not appear in any user group and have no access
  • Unattached access-list (Cisco)
    • Not connected to any interface
  • Expired VPN users
    • No longer have access
  • Disabled Rules:
    • Maybe it’s time to delete them?
  • Time-Inactive rules:
    • Timed rules are active on certain days of the month, days of the week, or times of the day…
    • … But you cannot set a year.
    • Identify the expired rules before they will become active again next year.
  • Duplicate Rules
    • Firewalls process the rules in-order “first match”
    • If “early” rules match every packet that a “late” rule could match – the “late” rule is covered (== useless clutter!)
    • Easy cases: a single rule covers another rule; the object names match exactly
  • Duplicate Objects:
    • Most FW Vendor consoles cannot answer the question “does this definition already exist with another name?”
    • Result:  Administrators often define the same object (Host, Subnet, or Group) multiple times
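The static checks listed above (covered and duplicate rules, disabled rules, rules without logging or comments, and unattached, empty or duplicate objects) as an added Python example; this is not code from the blog or from any vendor tool such as AlgoSec or Tufin, and the object and rule definitions are constructed for the example. It handles only the easy covered-rule case the list mentions (a single earlier enabled rule matches everything a later rule could), not coverage by a combination of earlier rules.

```python
"""Phase 1 (static) validation of a firewall policy over a constructed sample policy."""
from ipaddress import ip_network

# Constructed object definitions: name -> set of networks (an empty set is an empty object)
OBJECTS = {
    "corp_lan":    {ip_network("192.168.0.0/16")},
    "web_dmz":     {ip_network("10.1.0.0/24")},
    "dmz_copy":    {ip_network("10.1.0.0/24")},   # same definition as web_dmz under another name
    "old_payroll": set(),                          # object whose addresses were removed
    "retired_srv": {ip_network("10.9.9.9/32")},    # referenced by no rule
    "any":         {ip_network("0.0.0.0/0")},
}

# Constructed rules in firewall order (first match wins)
RULES = [
    {"id": 1, "src": "corp_lan", "dst": "web_dmz",     "svc": {"tcp/443"},           "log": True,  "enabled": True,  "comment": "CHG-1001"},
    {"id": 2, "src": "corp_lan", "dst": "dmz_copy",    "svc": {"tcp/443"},           "log": True,  "enabled": True,  "comment": ""},
    {"id": 3, "src": "any",      "dst": "web_dmz",     "svc": {"tcp/80", "tcp/443"}, "log": False, "enabled": True,  "comment": "CHG-1002"},
    {"id": 4, "src": "corp_lan", "dst": "web_dmz",     "svc": {"tcp/80"},            "log": True,  "enabled": True,  "comment": "CHG-1003"},
    {"id": 5, "src": "corp_lan", "dst": "old_payroll", "svc": {"tcp/1433"},          "log": True,  "enabled": False, "comment": "temp access"},
]


def _contained(inner, outer):
    """True when every network in `inner` lies inside some network in `outer`."""
    return bool(inner) and all(any(n.subnet_of(o) for o in outer) for n in inner)


def covers(earlier, later, objects):
    """An earlier enabled rule covers a later one when it matches every packet the later could."""
    return (earlier["enabled"]
            and _contained(objects[later["src"]], objects[earlier["src"]])
            and _contained(objects[later["dst"]], objects[earlier["dst"]])
            and later["svc"] <= earlier["svc"])


def covered_rules(rules, objects):
    """Map rule id -> id of the first earlier rule that covers it (the later rule can never match)."""
    found = {}
    for i, rule in enumerate(rules):
        if not rule["enabled"]:
            continue
        for earlier in rules[:i]:
            if covers(earlier, rule, objects):
                found[rule["id"]] = earlier["id"]
                break
    return found


def duplicate_objects(objects):
    """Groups of object names that share an identical (non-empty) definition."""
    by_def = {}
    for name, nets in objects.items():
        if nets:
            by_def.setdefault(frozenset(nets), []).append(name)
    return [sorted(group) for group in by_def.values() if len(group) > 1]


def validate(rules, objects):
    """All Phase 1 findings for a policy, keyed by finding type."""
    referenced = {r["src"] for r in rules} | {r["dst"] for r in rules}
    return {
        "covered":        covered_rules(rules, objects),
        "disabled":       [r["id"] for r in rules if not r["enabled"]],
        "no_logging":     [r["id"] for r in rules if r["enabled"] and not r["log"]],
        "no_comment":     [r["id"] for r in rules if not r["comment"].strip()],
        "unattached":     sorted(set(objects) - referenced),
        "empty":          sorted(name for name, nets in objects.items() if not nets),
        "duplicate_objs": duplicate_objects(objects),
    }


if __name__ == "__main__":
    for finding, items in validate(RULES, OBJECTS).items():
        print(f"{finding:15} {items}")
```

On the sample policy, rule 2 is reported as covered by rule 1 because `dmz_copy` is the same network as `web_dmz` (which the duplicate-object check also flags), and rule 4 is covered by the broader rule 3; the disabled rule 5 is skipped for coverage but appears in the disabled list together with its empty object.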

Cleanup Phase 2: Unused Rules

The Unused Rules phase involves Usage-based Analysis, i.e., focusing on what has changed recently and ensuring that the Firewall Rules are kept up-to-date and those rules that are no longer needed are flagged and/or removed so that the Firewall does not become unwieldy and risk conflicts or duplicates.

Rules Cleanup

This step allows us to identify key and useful data, as follows:

  • Unused Rules:
    • have not matched traffic in the last NNN days
  • Unused Objects:
    • Do not belong to any rule that matched traffic in the last NNN days
  • Most / Least used rules
  • Last date that rule was used
    • Even if it is listed as “unused” due to logging configuration settings

These considerations and notes should be borne in mind for this step, as follows:

  • Over time:
    • Applications are discontinued
    • Servers are relocated to other IP addresses
    • Test environments move to production
    • Business partnerships change
    • Networks are re-architected
    • Routing is changed
  • Result: Firewalls still have the rules – but the traffic is gone
  • Idea: Track and flag rules and objects that have not been used “recently”
  • Firewalls can log each matched packet
  • Log includes rule number, timestamp, and more
  • Basic approach:
    1) Filter the logs based on rule number
    2) Find the missing rule numbers and delete those rules
  • Challenge #1: Logging is configured per rule
    • Some rules are not configured to produce logs
  • Solution #1: List rules that do not produce logs separately
  • Challenge #2: Rule Insertions & Deletions change the rule numbers!
    • Which rule corresponds to what used to be called rule 101 in Nov’07?
    • Makes long-term statistics unreliable
  • Solution #2: Vendor attaches a unique “rule_id” to each rule, such that:
    • Reported to log
    • Remains with rule through any rule add/remove/modify
  • Cisco Firewalls & Routers maintain a per-rule hit-counter
  • Advantages:
    • Unrelated to logging: un-logged rules are counted too
    • Rule insertions & deletions do not affect the hit-counters
  • Challenge:
    • Hit-counters are reset to zero when device reboots
  • Solution:
    • Take periodic snapshots
    • Attach pseudo rule_uids, homogenize the snapshots
    • Make sure not to double-count …
  • Some rules only work occasionally or rarely
    • High-shopping season
    • Disaster recovery rules – tested semi-annually
    • Need usage information of many months
  • Challenge:
    • Log files can become huge – querying extended historical data can have a real impact on the production log server
    • Logs are discarded or rotated
    • Hit-counters are occasionally set to 0
  • Solution:
    • Process the raw usage information frequently (daily)
    • … But keep concise summaries available (forever)
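The usage-based approach above (stable rule ids in the logs, per-rule hit counters that reset on reboot, daily processing into concise summaries, rules without logging listed separately) as an added Python example over constructed data; it is not code from the blog or from any firewall vendor. The snapshot, log-line and `rule_uid` formats are assumptions made for the example, not any product's real syntax.

```python
"""Phase 2 usage analysis: merge counter snapshots and logs into a concise per-rule summary."""
from datetime import date, timedelta

# Constructed daily counter snapshots keyed by a stable pseudo rule_uid: (day, {uid: cumulative hits})
SNAPSHOTS = [
    ("2013-11-01", {"r-001": 1000, "r-002": 0, "r-003": 40}),
    ("2013-11-02", {"r-001": 1500, "r-002": 0, "r-003": 40}),
    ("2013-11-03", {"r-001":  200, "r-002": 0, "r-003": 40}),   # device rebooted: counters restarted
    ("2013-11-04", {"r-001":  900, "r-002": 0, "r-003": 41}),
]

# Constructed log lines in a generic key=value format (real vendors use their own syntax)
LOG_LINES = [
    "2013-11-02T08:15:00 fw1 rule_uid=r-001 action=permit src=192.168.5.10 dst=10.1.0.5 svc=tcp/443",
    "2013-11-04T23:59:10 fw1 rule_uid=r-003 action=permit src=192.168.7.2 dst=10.1.0.9 svc=tcp/80",
]

# Rules configured not to log (taken from the rule base); they only ever appear in the counters
RULES_WITHOUT_LOGGING = {"r-002"}


def counter_deltas(snapshots):
    """Concise summary {uid: {"hits", "last_used"}} from cumulative counters, tolerant of resets."""
    prev, summary = {}, {}
    for day, counts in snapshots:
        for uid, value in counts.items():
            entry = summary.setdefault(uid, {"hits": 0, "last_used": None})
            if uid in prev:
                # A value below the previous snapshot means the counter was reset (reboot), so
                # the hits since the reset equal the new value. Hits lost in the reboot gap, or a
                # reset followed by enough traffic to exceed the old value, cannot be detected;
                # that is why snapshots are taken frequently.
                delta = value if value < prev[uid] else value - prev[uid]
            else:
                delta = 0  # the first snapshot is only a baseline
            entry["hits"] += delta
            if delta > 0:
                entry["last_used"] = day
            prev[uid] = value
    return summary


def log_last_used(lines):
    """Latest date each rule_uid appears in the logs (only rules configured to log appear)."""
    last = {}
    for line in lines:
        timestamp, _host, *fields = line.split()
        uid = dict(f.split("=", 1) for f in fields)["rule_uid"]
        day = timestamp[:10]                    # ISO dates compare correctly as strings
        if uid not in last or day > last[uid]:
            last[uid] = day
    return last


def merge_summaries(older, newer):
    """Add two concise summaries; raw logs and snapshots can be discarded once summarised."""
    merged = {}
    for uid in set(older) | set(newer):
        a = older.get(uid, {"hits": 0, "last_used": None})
        b = newer.get(uid, {"hits": 0, "last_used": None})
        dates = [d for d in (a["last_used"], b["last_used"]) if d]
        merged[uid] = {"hits": a["hits"] + b["hits"], "last_used": max(dates) if dates else None}
    return merged


def build_summary(snapshots, lines):
    """Counters provide the hit counts; log entries can only refine the last-used date."""
    from_logs = {uid: {"hits": 0, "last_used": day} for uid, day in log_last_used(lines).items()}
    return merge_summaries(counter_deltas(snapshots), from_logs)


def classify(summary, unlogged, as_of, window_days):
    """Flag rules with no usage inside the last `window_days`; unlogged rules are marked separately."""
    cutoff = (date.fromisoformat(as_of) - timedelta(days=window_days)).isoformat()
    report = {}
    for uid, entry in sorted(summary.items()):
        used = entry["last_used"] is not None and entry["last_used"] >= cutoff
        report[uid] = {**entry, "status": "used" if used else "unused", "logging": uid not in unlogged}
    return report


if __name__ == "__main__":
    summary = build_summary(SNAPSHOTS, LOG_LINES)
    for uid, row in classify(summary, RULES_WITHOUT_LOGGING, "2013-11-05", 30).items():
        print(uid, row)
```

The window passed to `classify` is the NNN days from the list above; for rules that only fire in high-shopping season or during disaster-recovery tests, run it once more with a window of many months before deciding anything, which is only possible because the daily summaries are kept after the raw data is rotated away.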

Cleanup Phase 3: Performance Optimization

To provide a measurable attribute of firewall performance that shows the improvement gained from policy optimization, we use a metric called Rules Matched Per Packet (RMPP).

Rule Optimization

RMPP is simply the average number of rules the firewall tests until it reaches the rule that matches a packet (including the matched rule). For example:

If the firewall policy consists of only one rule (allow or deny all) that matches everything – RMPP will be 1. If the firewall policy consists of 100 rules, such that rule #1 matches 20% of the packets, rule #10 matches 30% and rule #100 matches 50% of the packets:

RMPP = 1 * 20% + 10 * 30% + 100 * 50% = 0.2 + 3 + 50 = 53.2

Firewalls do in fact test the rules in sequence, one after another, until they reach the matching rule, and each tested rule contributes to the firewall’s CPU utilization. Therefore, optimizing the policy to decrease the RMPP score will decrease the firewall CPU utilization and greatly improve overall performance.

Building on the previous example, if rule #100 (that matches 50% of the packets) can be relocated to position #50 – without modifying the firewall policy decisions – the RMPP will be reduced significantly:

RMPP = 1 * 20% + 10 * 30% + 50 * 50% = 0.2 + 3 + 25 = 28.2

This simple change, which can be achieved by reordering the rules, can produce a 47% improvement in firewall performance.
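The RMPP calculation and the reordering above, as an added Python example that is not code from the blog or from any vendor tool. It goes a little beyond the text: rather than moving rule #100 by hand, it reorders a constructed 100-rule policy automatically while refusing to let any rule pass a rule it overlaps with, which is what keeps the policy decisions unchanged. The policy, the overlapping deny rules at positions 9 and 49, and the 20/30/50 percent traffic split are constructed to reproduce the numbers in the post.

```python
"""Rules Matched Per Packet (RMPP) and decision-preserving rule reordering for a first-match policy."""
from ipaddress import ip_address, ip_network


def build_policy():
    """Constructed policy: rule i permits tcp/443 from the corporate LAN to 10.0.i.0/24.
    Rule 9 denies one host inside rule 10's destination and rule 49 denies one host inside
    rule 100's destination, so those deny rules must stay above the permit rules they carve out."""
    lan = ip_network("192.168.0.0/16")
    rules = [{"id": i, "action": "permit", "src": lan, "dst": ip_network(f"10.0.{i}.0/24"), "svc": "tcp/443"}
             for i in range(1, 101)]
    rules[8] = {"id": 9, "action": "deny", "src": lan, "dst": ip_network("10.0.10.7/32"), "svc": "tcp/443"}
    rules[48] = {"id": 49, "action": "deny", "src": lan, "dst": ip_network("10.0.100.7/32"), "svc": "tcp/443"}
    return rules


# Constructed traffic distribution from the post's example: percentage of packets each rule matches
HITS_PCT = {1: 20, 10: 30, 100: 50}


def rmpp(rules, hits_pct):
    """Average number of rules tested per packet, counting the matching rule itself."""
    return sum(pos * hits_pct.get(rule["id"], 0) for pos, rule in enumerate(rules, start=1)) / 100


def overlaps(a, b):
    """Two rules overlap when some packet could match both; only then does their relative order matter."""
    return a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"]) and a["svc"] == b["svc"]


def reorder(rules, hits_pct):
    """Insertion sort by hit rate that never lets a rule pass one it overlaps with.
    Every step swaps two adjacent non-overlapping rules, which cannot change the decision
    for any packet, so the reordered policy is equivalent to the original."""
    order = list(rules)
    for i in range(1, len(order)):
        j = i
        while (j > 0
               and hits_pct.get(order[j]["id"], 0) > hits_pct.get(order[j - 1]["id"], 0)
               and not overlaps(order[j], order[j - 1])):
            order[j], order[j - 1] = order[j - 1], order[j]
            j -= 1
    return order


def decide(rules, src, dst, svc):
    """First-match evaluation, used to confirm that two policies decide identically."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule["src"] and d in rule["dst"] and svc == rule["svc"]:
            return rule["action"], rule["id"]
    return "deny", None  # implicit deny at the end of the policy


def improvement_pct(before, after):
    """Relative reduction in RMPP, rounded to whole percent."""
    return round(100 * (before - after) / before)


if __name__ == "__main__":
    policy = build_policy()
    optimised = reorder(policy, HITS_PCT)
    before, after = rmpp(policy, HITS_PCT), rmpp(optimised, HITS_PCT)
    print(f"RMPP before {before:.1f}, after {after:.1f}, improvement {improvement_pct(before, after)}%")
    print("rule 100 now at position", [r["id"] for r in optimised].index(100) + 1)
```

Rule 100 climbs until it meets the deny rule at position 49 that carves a host out of its destination, so it settles at position 50 and RMPP drops from 53.2 to 28.2 (47%); rule 10 stays where it is because rule 9 overlaps it. `decide` is the check a practitioner should run on representative packets before and after any reordering, because a rule that overtakes a narrower deny rule would silently change the policy.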


Firewall administrators can achieve significant and measurable performance improvements for their complex firewalls by using these cleanup, lifecycle management and policy optimization (rule reordering) techniques. There are many commercial tools available that help in policy cleanup by identifying rules that are unused, covered or disabled and should ideally be removed, in addition to unattached, empty, duplicate and unused objects. The tools help to eliminate security risks and keep the firewall policy well managed by alerting administrators.

The more veteran firewall audit vendor list includes: Tufin Software Technologies, AlgoSec, Secure Passage and Athena Security — and then RedSeal Systems and Skybox Security, which are primarily risk-mitigation tools, and so go beyond firewall audit to feature risk-assessment and risk-management capabilities.

Thanks for your interest!

Nige the Security Guy.

Security Program Best-Practices 4

Security Program Best-Practices – Part 4

Security Program Best-Practices – Part 1
Part 2
Part 3
Part 5

This blog continues our Security Governance Series with the next installment of recommended security program best-practices drawn from a broad sample of assessments.

As a refresher, in Part 1 we shared some typical gaps, deficiencies and needs for improvement, summarized in the Opportunity Matrix below. The Opportunity Matrix can be used as a capability maturity assessment and iterative planning tool to present proposed next steps to executive management for approval and funding.

Opportunity Matrix Summary

Part 1 through Part 3 of the Security Program Best-Practices series covered an overview as well as Gap 01 through Gap 07 inclusive. In this blog we will discuss Gap 08 – Integrate Central Security Logging through Gap 09 – Establish Network Security Operations, per summary below.

  • GAP 01 – Identify Requirements: Security Policy, Regulation and, Laws
  • GAP 02 – Develop Security Governance Program
  • GAP 03 – Establish Network Security Organization
  • GAP 04 – Establish Security Collaboration Working Group (WG)
  • GAP 05 – Develop and Maintain Network Security Standards
  • GAP 06 – Develop Network Security Architecture (3-5 Year Objective)
  • GAP 07 – Develop Network Security Roadmap (with Annual Plans)
  • GAP 08 – Integrate Central Security Logging
  • GAP 09 – Establish Network Security Management & Operations
  • GAP 10 – Develop Firewall Rule Lifecycle Management

Gap 08: Integrate Central Security Logging

Business Problem

To enable and deploy a defensible security posture, pervasive and mission-critical information technology and hyper-extended networks must be more scrupulously monitored to detect anomalies and threats. High traffic volumes are also associated with higher threat levels, making automated network monitoring, alerting, and response indispensable. Automated monitoring improves system security, performance, and availability by allowing management by fact. Automation also frees the IT team to focus on exceptions, which in turn simplifies holistically managing large amounts of event data.

Vulnerability Types

Being able to monitor various instrumentation telemetry data sources and event logs gives an administrator a substantial advantage in identifying threats early on – rather than investigating them after the fact. A sound logging strategy is the centerpiece in any organization’s “big picture – big data” network security plan. The presence of event monitoring within its log strategy helps distinguish a proactive plan from a reactive plan.

It is well established among network security professionals that the greatest threats to network security are in fact internal – they often originate in the same building, the same floor perhaps, and often right down the hall. The source may be a disgruntled employee, a curious staff member in the payroll department, or a bored sales representative. For several years, this threat was overlooked for the sexier external threat – the hackers working in dark home offices late at night or a competitor’s agent of corporate espionage.

To a network security administrator, event logs are like a history book or the gauges of an automobile. Event logs allow administrators to look back at the recent history of a server or network device and see trends, failures, successes, and other vital information to the organization.

Botnet Army

Our richly interconnected online world has faced an ever increasing volume of malware and worm variants, and even botnets. They exploit vulnerabilities in, for example, the Windows operating system and systematically reproduce across the organization. All the while, servers, routers, and other network devices quietly log these events across LANs and WANs. For administrators, these log files give a snapshot of a window (excuse the pun) in time that shows when, where, and most of the time how the infection or compromise entered their controlled space.

Event logs also hold potentially valuable forensic evidence. In the aftermath of a network security breach, event logs hold all of the information about the breach: how it happened, when it happened, and in the end the keys to preventing another breach. This data is key to the ability to Detect, Contain and Eradicate, as well as to perform root cause analysis and to address and prevent recurrence in the future.

Gap 09: Establish Network Security Operations

Business Problem

The problem with network security is not the lack of good security tools; it is the management of those tools and the exposure to human error. Large networks generate an overwhelming amount of logs and security events. Firewalls, intrusion detection systems, web servers, authentication devices, and many other network elements contribute to more and more logs which need to be analyzed and produce actionable information.

Holistic Logging

At first there is a lot of noise and many false positives that need to be resolved and addressed by profiling network traffic and tuning the network security technologies to the organization’s business, so that they detect anomalies and deliver the true potential and value of the technology. Too many organizations deploy the solution out-of-the-box and stop there, disappointed by all of the noise and overwhelmed by the task at hand.

However, this ongoing effort and optimization can reduce the volume of alerts from thousands per day to dozens. When a correlation occurs, a simple message saying that a particular server has been attacked with a technique that is likely to succeed can be sent to system owners, operations people, and elsewhere. The operator starts to realize value from the technology and its automation by focusing on those alerts and events that need action, and that need further investigation to decide whether or not they are a breach.

Attackers typically create a smoke screen, a set of decoys that obscure the actual compromise or infection so that it is lost in the noise and the security operators are so overwhelmed that they do not detect the stealthy attack. This is validated by the recent spate of DDoS attacks that not only seek to deny normal service but also seek to compromise servers under the cover of the attack. Many SIEM solutions generate a lot of noise out-of-the-box and need tuning to weed out false positives and optimize the alerts that remain.
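The correlation described above, turning a stream of raw IDS alerts into a handful of messages about attacks that are likely to succeed, as an added Python example over constructed data; it is not code from the blog or from any SIEM product. The "likely to succeed" test used here (the target actually runs the attacked service on the attacked platform, according to the asset inventory) is an assumption made for the example, and the signature names and addresses are invented.

```python
"""Reduce IDS alert noise by correlating each alert with an asset inventory and collapsing repeats."""
from collections import Counter

# Constructed asset inventory: address -> platform and exposed services
ASSETS = {
    "10.1.0.5": {"platform": "linux",   "services": {"http"}},
    "10.1.0.9": {"platform": "windows", "services": {"http", "smb"}},
}

# Constructed IDS alerts; signature names are made up for the example
ALERTS = [
    {"ts": "2013-11-04T10:00:01", "src": "203.0.113.5",  "dst": "10.1.0.5",  "sig": "WIN-HTTP-001", "service": "http", "platform": "windows"},
    {"ts": "2013-11-04T10:00:02", "src": "203.0.113.5",  "dst": "10.1.0.5",  "sig": "WIN-HTTP-001", "service": "http", "platform": "windows"},
    {"ts": "2013-11-04T10:00:03", "src": "203.0.113.5",  "dst": "10.1.0.9",  "sig": "WIN-HTTP-001", "service": "http", "platform": "windows"},
    {"ts": "2013-11-04T10:00:04", "src": "203.0.113.5",  "dst": "10.1.0.9",  "sig": "WIN-HTTP-001", "service": "http", "platform": "windows"},
    {"ts": "2013-11-04T10:00:09", "src": "198.51.100.7", "dst": "10.1.0.9",  "sig": "ANY-SMB-002",  "service": "smb",  "platform": "any"},
    {"ts": "2013-11-04T10:00:10", "src": "198.51.100.7", "dst": "10.1.0.5",  "sig": "ANY-SMB-002",  "service": "smb",  "platform": "any"},
    {"ts": "2013-11-04T10:00:11", "src": "198.51.100.8", "dst": "10.1.0.77", "sig": "ANY-SMB-002",  "service": "smb",  "platform": "any"},
]


def likely_to_succeed(alert, asset):
    """Assumed test: the target exposes the attacked service on the platform the signature targets."""
    return alert["service"] in asset["services"] and alert["platform"] in ("any", asset["platform"])


def correlate(alerts, assets):
    """Return (actionable messages, number suppressed, targets missing from the inventory).
    Repeats of the same source/target/signature collapse into one message carrying the count."""
    kept, first_seen, suppressed, unknown = Counter(), {}, 0, set()
    for alert in alerts:
        asset = assets.get(alert["dst"])
        if asset is None:
            unknown.add(alert["dst"])       # an inventory gap to fix, tracked rather than dropped
            continue
        if not likely_to_succeed(alert, asset):
            suppressed += 1
            continue
        key = (alert["src"], alert["dst"], alert["sig"])
        kept[key] += 1
        first_seen.setdefault(key, alert["ts"])
    messages = [
        {"target": dst, "attacker": src, "signature": sig, "count": n, "first_seen": first_seen[(src, dst, sig)]}
        for (src, dst, sig), n in sorted(kept.items())
    ]
    return messages, suppressed, unknown


if __name__ == "__main__":
    messages, suppressed, unknown = correlate(ALERTS, ASSETS)
    for message in messages:
        print(f"{message['target']} attacked by {message['attacker']} with {message['signature']} "
              f"x{message['count']} since {message['first_seen']}")
    print(f"suppressed {suppressed} alert(s); targets missing from inventory: {sorted(unknown)}")
```

Seven raw alerts become two messages: the Windows HTTP signature aimed at the Linux host and the SMB signature aimed at a host without SMB are suppressed, and the alert against an address nobody inventoried is reported as an inventory gap rather than silently dropped, since an unknown host is exactly where a decoy-covered compromise would go unnoticed.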

Detection and Response

Systems fail and intrusions occur. At some point compromise is inevitable. Therefore, detection and containment is imperative. The earlier an intrusion or infection is detected, the greater the ability of the organization to mitigate the risk. Intrusion detection is considered the second line of perimeter defense, after the firewall. Intrusions can lead to malicious acts such as: identity theft; compromise of confidential information; and unauthorized changes in files, systems, and device configurations.

Threat Landscape

An organization’s ability to detect and prevent intrusions adds more depth to its defensive security posture. Organizations must be aware that intrusion detection alone will not mitigate the risk of an intrusion. Mitigation can only occur with a timely and appropriate response. A prudent response program incorporates people and processes in addition to technology, and starts with the creation of a computer security incident response team (CSIRT) that will be the initial responder when an incident is identified. In addition to the CSIRT, policies must be developed to guide the organization and team in responding to an event. Types of events and the specific procedures to be followed also need to be defined. The development of an incident response program is typically mandated by regulation, international standards or industry best-practices.

The timely detection of an intrusion, coupled with being prepared to respond, is vital to minimizing financial, production, and operational losses. Specific actions and responsibilities need to be pre-assigned and the appropriate training provided. In addition, containment and restoration strategies need to be outlined that address the isolation of the compromised system; increased monitoring; collection and preservation of evidence; and notification to law enforcement, regulators, and other affected parties.

Continuous Improvement

Monitoring and updating the security program is essential to maintaining the effectiveness of the program. A static program will be ineffective over time and can leave the organization with a false sense of security. Monitoring should include both non-technical as well as technical issues.

Plan Do Check Act

Non-technical issues would include changes in business processes, policies and procedures, locations, sensitivity of data, key personnel, and organizational changes.

Technical issues include monitoring for vulnerabilities, changes in systems, service providers, configuration, users, products, and services. When changes do occur, it is imperative that they are reviewed for accuracy and legitimacy and the program is adjusted to reflect the changes and ensure continued security and operational success.

Accidental changes can be just as damaging as malicious or fraudulent change activities, resulting in increased costs for remediation and potential losses or a negative effect on the organization’s top-line revenue. Best practices mandate the monitoring of all changes, intended and unintended, creating an audit trail that details when, what, and how the change occurred. The use of automated change control and audit tools will also enhance operational efficiency by increasing the effectiveness and productivity of your security personnel.

Each change can potentially create a vulnerability or weakness in the security program if not properly evaluated, tested, and deployed. Therefore, strong change control procedures and monitoring are critical to reduce the exposure to financial losses, reputation damage, and loss of productivity.

Validation: Trust but Verify

To assure that its security strategies are adequate, each organization must test its controls against the risk events that were identified through its formal assessment of risks. The higher the probability and negative effect of a risk event, the greater the need to validate the effectiveness of the security controls. The type of test to perform and its frequency should also be based on risk.

Risk Management

Prior to testing, detailed test plans need to be developed to ensure testing is appropriate and controls are established to reduce the risk to data integrity, confidentiality, and ensure availability. Test results need to be measurable and traceable to provide assurances that the security strategy is meeting security objectives.

There are a variety of testing methodologies and tools available, many of which can be automated to improve efficiency and enable independence. Independent diagnostic tests include penetration tests, audits, and gap assessments that are performed by credible individuals who are considered independent of the design, installation, maintenance, and operation of the test subject area. Examples of resources that will help support and streamline the testing efforts include: log and audit files generated by security event management systems, change management reports, automated audit tools coupled with penetration testing, findings and recommendations from prior security gap assessments, and findings and recommendations from prior internal IT audits.

No one control or solution can ever guarantee 100 percent security. High-performing organizations understand that business and technology risk management best practices mandate a defense-in-depth security approach that includes multiple controls and can be validated with internal and external audit resources. When properly aligned with the organization’s risk profile, all of the controls discussed above help to establish a practical and prudent risk-based security posture.

Balancing Security

When properly aligned with the organization’s business goals, audit personnel and tools can validate the appropriateness of these controls and help to ensure operational excellence and a secure infrastructure.

Coming Soon

Security Program Best-Practices – Part 5 will complete this Security Governance Series with a significant topic that warrants its own blog, Gap 10 – Firewall Rule Lifecycle Management for discussion and helpful advice on key components.

Thanks for your interest!

Nige the Security Guy.

Security Program Best-Practices 3

Security Program Best-Practices – Part 3

Security Program Best-Practices – Part 1
Part 2
Part 4
Part 5

This blog continues our Security Governance Series with the next installment of recommended security program best-practices drawn from a broad sample of assessments.

As a refresher, in Part 1 we shared some typical gaps, deficiencies and needs for improvement, summarized in the Opportunity Matrix below. The Opportunity Matrix can be used as a capability maturity assessment and iterative planning tool to present proposed next steps to executive management for approval and funding.

Opportunity Matrix Summary

Part 1 and Part 2 of the Security Program Best-Practices series covered an overview as well as Gap 01 through Gap 05 inclusive. In this blog we will discuss Gap 06 – Develop Network Security Architecture through Gap 07 Develop Network Security Roadmap, per summary below.

  • GAP 01 – Identify Requirements: Security Policy, Regulations and Laws
  • GAP 02 – Develop Security Governance Program
  • GAP 03 – Establish Network Security Organization
  • GAP 04 – Establish Security Collaboration Working Group (WG)
  • GAP 05 – Develop and Maintain Network Security Standards
  • GAP 06 – Develop Network Security Architecture (3-5 Year Objective)
  • GAP 07 – Develop Network Security Roadmap (with Annual Plans)
  • GAP 08 – Integrate Central Security Logging
  • GAP 09 – Establish Network Security Management & Operations
  • GAP 10 – Develop Firewall Rule Lifecycle Management

Gap 06: Develop Network Security Architecture

Business Problem

From the earliest days of networking, security manifested itself in strong perimeter defenses. As long as the perimeter was secure, the assets behind it did not need to be monitored or managed: a command-and-control environment gave people assurance that core data was safe because unauthorized access was prevented at the boundary.

Today’s hyper-extended connected enterprise faces a security paradox. The very openness and ubiquity that make the Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to share, not to protect. The ports and portals that welcome remote sites, mobile users, and business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and others who would misappropriate network resources for personal gain.

Most companies didn’t design their current security architecture; rather, they built it over time, based on need: a firewall here, an intrusion prevention system there.

As a result, many businesses rely on a bewildering collection of stand-alone security systems. That’s a problem in two ways. First, without a clear understanding of how all your defenses fit together, it’s impossible to know if they provide complete protection. Second, managing and integrating all those systems costs time and money. Security integration into a holistic architecture that enables but manages role-based access is critical to success.

Chart Course

That’s why many organizations desire ways to simplify their security architectures.

“Security done right is the key to Anywhere Anytime by Any Device Access”

Developing a Framework

Network security architecture is defined as the desired structure of an enterprise’s technology components and technical safeguards. With network security architecture in place, an enterprise has a framework for more informed decision making and a guide for ongoing planning, design, and implementation activities.

Establish Coordinates –

  • Pinpoint your Business Requirements and Vision
  • Analyze Current State in terms of Infra and Services

Harmonize –

  • Establish a Holistic yet Defensible Network Security Architecture
  • Identify Organization Stakeholders and Seek Consensus

Chart your Course –

  • Develop a Security Roadmap (Adaptive Iterative Evolution)
  • Deliver Prioritized Action Plans

A Defensible Network Security Architecture provides a conceptual, physical, and procedural framework of best recommendations and solutions for network security. It serves as an important reference guide for IT professionals responsible for designing and implementing secure networks.


Architecture typically provides, as follows:

  • A way to evaluate applicability of new technologies, products, and services
  • A blueprint for future applications and infrastructure growth
  • A framework for security technology decision making
  • A framework that guides the security implementation
  • A decomposition into modular, flexible components (enabling reuse of proven modules as the organization grows, e.g. a remote office module)
  • A method of cost avoidance
  • A macro view of security-relevant systems and components
  • A method for creating and documenting consensus
  • A statement of direction for IT

A Defensible Network Security Architecture is realistic.

It assumes that all components of an IT infrastructure are targets … that even internal users could be network threats … that attacks are inevitable … that network performance cannot be compromised by processing-intensive security measures … and that IT budgets are constrained.

The Network Security Architecture should consider and include, as follows:

  • Business Requirements
  • Regulatory Requirements
  • Security Policy Requirements
  • Current Network Security Architecture
  • Goal-State Network Security Architecture
  • High-level gap assessment

The Defensible Network Security Architecture promotes a process, rather than an endpoint. Effective security is not achieved through a one-time initiative. This architecture outlines measures for strong ongoing policy management, reflecting both human and technical factors. For more details see the Security Architecture Series, referenced below.

The Security Architecture Series blogs take the reader through a detailed step-by-step development of a network security architecture, with the latter blogs presenting an Architecture Realization Case Study. Future blogs will present network architecture and design templates that make use of security zones to enable Access Anywhere Anytime by Any Device.

Gap 07: Develop Network Security Roadmap

Business Problem

“A good plan executed today is better than a perfect plan executed at some indefinite point in the future.”

—General George S. Patton Jr.

Computers and the environments in which they operate are dynamic. System technology and users, data and information in the systems, risks associated with the system, business drivers, and security requirements are ever-changing. Many types of changes affect security: technological developments (whether adopted by the system owner or available for use by others); connection to external networks; a change in the value or use of information; or the emergence of a new threat.

Sample Roadmap

In addition, security is never perfect when a system is implemented. System users and operators discover new ways to intentionally or unintentionally bypass or subvert security. Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare, and procedures become outdated over time.

These issues make it necessary to periodically reassess the security architecture and its supporting plans in a feedback loop that addresses tactical exceptions and also refreshes the vision and objectives.

Adaptive Security Roadmap

What is required is a systematic business risk approach to security that integrates and drives security into the network as an operational service. This is accomplished with an Adaptive Security Roadmap and iterative lifecycle process that refreshes the architecture on an annual or quarterly basis to establish, implement, operate, monitor, review, maintain, and improve network security.

The first step in the process is to develop the current state (see figure below). The results of the security baseline and assessment (current infrastructure environment) are analyzed. Factors such as the network security perimeter, Virtual Private Networks (VPNs), intranet, extranet, partner connections, remote access, and access to assets, are considered to develop the current state and security risk profile.

Adaptive Lifecycle

The network security architecture (from Gap 06) creates the goal state. This process takes the current state and security-risk profile and adds the business drivers, prioritized requirements, policy, legal constraints, and so on. From this step, an updated and finalized network security architecture is developed and shared with the stakeholders to gain consensus.

The final step is to compare the current state with the goal state and to identify the projects that are required to transition the current infrastructure and realize the architecture goals. From a migration strategy workshop, together with the business units and stakeholders, the viable projects are selected based upon their dependencies, priorities, available resources, and budgets forming the annual plan of infrastructure improvements.

During the next planning year, the process is repeated and the architecture updated with new business requirements, new technologies, new solutions, and so on. A follow-on assessment of the current infrastructure captures improvements together with any new threats, vulnerabilities, and exposures, and documents the new current state and security-risk profile. Performing a gap analysis and migration strategy planning workshop contrasting the new current state and goal state allows an updated plan to be developed for that year.

Architecture Evolution

Over time (see figure above), the security architecture serves as a baseline for consensus and direction while remaining active and capable of being updated. This process allows the security architecture to adapt to support the needs of the business. It evolves and sets future objectives.

At the same time, the annual plan sets the stage for the projects that need to occur that year, and the improvements begin to track with the architecture. Finally, with the proactive asset, risk, and policy management and infrastructure improvements, the security-risk profile is also managed, resulting in risk reduction. In this manner, not only does the security architecture drive the IT and network infrastructure direction, but it also enables the illustration of tangible results, winning continued support for the program.

Technology Roadmap

The result is an organizational approach to network security with the appropriate network security architecture, governance, policy, standards, compliance verification and audit.

From an operations perspective, time is money. This is why project management is an important process domain. It helps ensure that the outcomes of information technology projects are on time, within budget, and deliver the expected outcomes.

For more details on developing a Network Security Roadmap together with lifecycle management process see the Adaptive Security Lifecycle blog.

Coming Soon

Security Program Best-Practices – Part 4 will continue this Security Governance Series with the next set of gaps for discussion and helpful advice on key components.

Thanks for your interest!

Nige the Security Guy.

Architecture Case Study – Part 1

Architecture Case Study – Part 2

In the Security Architecture Series of blogs we have shared all of the steps involved in requirements gathering, baseline, product and solution selection, through to realizing the architecture. This blog presents an Architecture Case Study that uses those principles and recommendations as a practical example. The illustration provides a conceptual, simplified view of the program use case.

Defense in Depth Part 1 (this blog) takes the reader from Architecture development through to the Technical Recommendation; Part 2 takes the reader from Design to Deployment strategy, with Implementation and Migration.

Program Overview

The overall goal of the project was to seek to standardize across the organization and all of the 20+ business units. The business units are primarily autonomous with different types of technology and infrastructure and at varying degrees of maturity and security. The status quo presented a series of risks to both the organization as well as each of the business units.

The cost/benefits were multiple, not just in terms of standardization but also the total cost of ownership (TCO) and Return on Security Investment (ROSI) of purchasing technology at volume discount while gaining increased visibility and support from the vendor(s). However, the primary goal and benefit was to establish and foster a spirit of collaboration, sharing and cross-pollination to work together towards a common vision.

Architecture Case Study

The overall high-level approach is defined, as follows:

  • Develop Architecture
  • Requirements
    • Specify Functional Requirements (RFI)
    • Request Information from the vendor community (Distribute RFI)
    • Review RFI responses
    • Select vendors for product/solution evaluation
  • Vendor/Product Selection
    • Conduct bake-off testing with business unit participation
    • Review evaluation scorecard results
    • Conduct pilot of highest ranked solution
    • Review pilot results
    • Technical Recommendation
  • Develop Design
  • Develop Implementation Program
    • 4 Phases
    • Alpha Test
    • Beta Test
  • Deploy/Execute
    • 9 Step Program

Baseline Network Standard Architecture

I worked on the project as a consultant in the role of Program Technical Architect as part of the overall Architecture Governance and Steering Committee. My role was both to guide the direction and act as a technical lead as well as perform a lot of the detailed work to develop the actual deliverables based on collaboration and interaction.

Network Security Working Group (WG)

The first step was to establish a Network Security Working Group (WG) that included stakeholders from the various business units, contributing at two levels, as follows:

  • Level 1 – A small representative sample of core members who were involved in the brainstorming sessions to represent their business unit and contribute input on both the architecture as well as unique requirements
  • Level 2 – A stakeholder from every business unit who was involved in monthly or quarterly (as appropriate) review and approval of the emerging work product and progress to enable consensus and buy-in.


Collaboration was key to the success of the project. We wanted to involve stakeholders in every stage of the process and to ensure that their contribution was captured and recorded. Brainstorming sessions were used extensively at various locations with preparation to seed and stimulate the discussion with a facilitator as well as scribes to record and document.

Architecture Draft Review

A series of review cycles were used with a broader and broader audience to ensure that the architecture aligned with both current and future strategy and needs for the business units. The architecture document contains the following sections:

  • Architectural Principles
  • Network Models
  • Physical Layer Design
  • Supported Protocols
  • Network Performance Architecture
  • Network Security Architecture
    • Areas
    • Perimeters
    • Zones
    • Controls
    • Management
  • Network Management Architecture
  • Enabling Services
  • Appendix
    • Profiling BU Network Traffic
    • Modeling Steps
    • Example of Modeling a BU Network

The finalization and ratification of the Network Baseline Standard Architecture was a major accomplishment for the organization because not only did it lay the groundwork for the success of this specific program it also laid the framework for future projects across initiatives such as Wireless and Evolving Security.

Requirements Specification (RFI)

The RFI – Network Security Functional Requirements document was developed next by the Network Security Working Group. The team worked closely together to identify the functional requirements and assign a relative priority of High, Medium, or Low.

RFI Evaluation Criteria

Once the RFI was completed and reviewed, the Network Security Working Group convened a meeting to establish the RFI response evaluation criteria and scorecard to be used for the analysis of responses from bidding vendors. The functional requirements originally identified as High were further examined and 19 of them were selected and rated as MUST by the group. A MUST designation meant that the associated security device would be eliminated from further consideration if it did not comply.

RFI Requirements Sample

Each functional requirement was then weighted by priority, with a maximum possible score of 10, 5 or 3 for High, Medium or Low respectively.

Evaluators and Decision-makers

To ensure that the RFI responses were analyzed in an independent and objective manner, the Network Security Working Group assigned an Evaluation Team, composed primarily of consultants. The Evaluation Team was solely responsible for conducting the RFI response analysis to select vendors and solutions, and also performed the network security equipment testing. However, the team did not participate in any decision-making and acted only as advisors. The Decision-maker Team consisted of members of the extended Network Security Working Group (Level 2).

RFI Evaluation Scorecard

The Evaluation Team developed an Evaluation Scorecard that took all response format files from bidding vendors and consolidated them into the Consolidated Vendor Response Form file. This consolidated file contained macros to process the entries from all of the bidding vendors and to create two worksheets, as follows:

  • Product Stack Ranking – summary of scores based upon device category
  • Vendor Stack Ranking – summary of scores by vendor

Vendor Evaluation

RFI Evaluation Methodology

The Evaluation Team adopted an objective method of evaluation focused on the functional requirements as defined by the Network Security Working Group development team and communicated to the vendors in the Security RFI. This led to the following step-by-step procedure.

  1. Evaluate ‘Best of Breed’ responses to derive the top 3 vendors in each of the four categories: Firewall, VPN, IPS and Management.
  2. Where possible, select the 4 vendors that appear most often across these category rankings for inclusion in the network security equipment testing.
  3. Evaluate ‘Integrated Portfolio’ responses, if any, from all remaining vendors to derive the top 3 portfolio vendors.
  4. Select the best vendor from this ranking for inclusion in the network security equipment testing.

For quality control, a Conformance Check was also conducted to ensure that every ‘Yes’ or ‘Partial’ response had an associated supporting Response Reference Section and/or comment to back up the vendor’s statement.
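The scorecard mechanics described above (MUST knockout, 10/5/3 weighting by priority, the conformance check, and the product and vendor stack rankings feeding the shortlist steps) can be expressed as a small program. The block below is an added illustration, not the working group’s original spreadsheet macros; the requirement codes, vendor names and responses are constructed sample data, and giving half credit for a ‘Partial’ answer and treating a ‘Partial’ on a MUST as non-compliant are assumptions.

```python
"""RFI evaluation scorecard: MUST-requirement knockout, priority-weighted scoring,
conformance check, and product/vendor stack ranking.

Added illustration of the methodology described in the post; it is not the
working group's original spreadsheet macros.  Requirement codes, vendor names
and responses are constructed sample data.
"""
from collections import defaultdict

# Maximum possible score per requirement by priority (10 / 5 / 3, per the post).
PRIORITY_WEIGHT = {"High": 10, "Medium": 5, "Low": 3}
# Credit earned per response type.  Half credit for 'Partial' is an assumption.
RESPONSE_CREDIT = {"Yes": 1.0, "Partial": 0.5, "No": 0.0}

# Constructed requirements: (reference code, category, priority, MUST flag).
REQUIREMENTS = [
    ("FW-01",  "Firewall",   "High",   True),
    ("FW-02",  "Firewall",   "Medium", False),
    ("VPN-01", "VPN",        "High",   True),
    ("IPS-01", "IPS",        "High",   False),
    ("IPS-02", "IPS",        "Low",    False),
    ("MGT-01", "Management", "High",   True),
]

# Constructed vendor responses: code -> (answer, supporting reference section or None).
RESPONSES = {
    "VendorA": {"FW-01": ("Yes", "3.1"), "FW-02": ("Partial", "3.2"),
                "VPN-01": ("Yes", "4.1"), "IPS-01": ("Yes", "5.1"),
                "IPS-02": ("No", None), "MGT-01": ("Yes", "6.1")},
    "VendorB": {"FW-01": ("Yes", "2.0"), "FW-02": ("Yes", "2.1"),
                "VPN-01": ("No", None), "IPS-01": ("Partial", None),
                "IPS-02": ("Yes", "2.4"), "MGT-01": ("Yes", "2.5")},
    "VendorC": {"FW-01": ("Partial", "1.1"), "FW-02": ("Yes", "1.2"),
                "VPN-01": ("Yes", "1.3"), "IPS-01": ("Yes", "1.4"),
                "IPS-02": ("Yes", "1.5"), "MGT-01": ("Yes", "1.6")},
}


def conformance_check(responses):
    """Quality control: 'Yes'/'Partial' claims that cite no supporting reference."""
    return sorted(code for code, (answer, section) in responses.items()
                  if answer in ("Yes", "Partial") and not section)


def must_failures(responses, requirements=REQUIREMENTS):
    """MUST requirements not answered 'Yes' ('Partial' counted as non-compliant: assumption)."""
    return [code for code, _cat, _pri, must in requirements
            if must and responses.get(code, ("No", None))[0] != "Yes"]


def eliminated_categories(responses, requirements=REQUIREMENTS):
    """A failed MUST eliminates the associated device (category), not the whole vendor."""
    failed = set(must_failures(responses, requirements))
    return {cat for code, cat, _pri, _must in requirements if code in failed}


def score_by_category(responses, requirements=REQUIREMENTS):
    """Priority-weighted score per device category for one vendor."""
    scores = defaultdict(float)
    for code, cat, pri, _must in requirements:
        answer = responses.get(code, ("No", None))[0]
        scores[cat] += PRIORITY_WEIGHT[pri] * RESPONSE_CREDIT[answer]
    return dict(scores)


def product_stack_ranking(all_responses, requirements=REQUIREMENTS):
    """Category -> [(vendor, score)] best first; eliminated devices are excluded."""
    ranking = defaultdict(list)
    for vendor, responses in all_responses.items():
        out = eliminated_categories(responses, requirements)
        for cat, score in score_by_category(responses, requirements).items():
            if cat not in out:
                ranking[cat].append((vendor, score))
    return {cat: sorted(v, key=lambda t: (-t[1], t[0])) for cat, v in ranking.items()}


def vendor_stack_ranking(all_responses, requirements=REQUIREMENTS):
    """Vendor -> total across categories (eliminated categories count zero), best first."""
    totals = {}
    for vendor, responses in all_responses.items():
        out = eliminated_categories(responses, requirements)
        totals[vendor] = sum(s for cat, s in score_by_category(responses, requirements).items()
                             if cat not in out)
    return sorted(totals.items(), key=lambda t: (-t[1], t[0]))


def shortlist(all_responses, top_n=3, invite=4):
    """Steps 1-2 of the methodology: top-N per category, then the vendors that
    appear most often across those per-category rankings."""
    appearances = defaultdict(int)
    for ranked in product_stack_ranking(all_responses).values():
        for vendor, _score in ranked[:top_n]:
            appearances[vendor] += 1
    return sorted(appearances.items(), key=lambda t: (-t[1], t[0]))[:invite]


if __name__ == "__main__":
    for vendor, responses in RESPONSES.items():
        print(vendor, "MUST failures:", must_failures(responses),
              "unsupported claims:", conformance_check(responses))
    print("Product stack ranking:", product_stack_ranking(RESPONSES))
    print("Vendor stack ranking:", vendor_stack_ranking(RESPONSES))
    print("Shortlist for bake-off:", shortlist(RESPONSES))
```

Note how the two views differ in the sample: VendorC has the strongest IPS answers but is knocked out of the Firewall category by a ‘Partial’ on a MUST, while VendorB’s unsupported ‘Partial’ on IPS-01 is what the conformance check is there to catch before a score is awarded.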

Vendor / Product Solution Selection

Of the fifteen network security equipment manufacturers that responded to the RFI, the five vendors that best met the functional and operational requirements were invited to participate in the bake-off. Each vendor brought and installed equipment in the lab to allow members of the working group to conduct technical evaluations.

Bake-Off Testing Methodology

The primary goal of the bake-off testing was to further measure the fit of the proposed solutions, with a focus on holistic integration against the functional requirements that were documented in the Network Security RFI. It is interesting to note that most vendors acknowledged that this was the first time ever they had deployed and integrated their solutions holistically and operated them in a real-world scenario. Most vendors had only participated in one-off point solution evaluations.

The bake-off testing objectives sought to identify, test and select one or more manufacturers of network security solutions (Firewalls, IDS/IPS, VPN and Management/Monitoring) to proactively meet the following goals:

  • Secure core business unit network infrastructure devices
  • Add network security components to protect and segregate critical assets
  • Integrate security components to current network management systems (NMS)
  • Develop a Network Security Management System (NSMS).

The evaluation team designed and deployed an inherently insecure Network Security Evaluation Lab that simulates a typical business unit network and provides both the network areas and security zones that need to be protected with sample assets. The testing viewed potential threats and attacks from External (outside the border perimeter) as well as from Internal/Insider (business unit networks) towards Data Center Zone and Management Zone(s) targets.

Test group scenarios were developed that made use of various typical threat and attack categories (e.g., signature based, anomaly based, DoS). The controlled attacks were initiated by a penetration tester from both external and internal sources. In addition, a traffic generation load/stress testing tool was utilized to exercise functionality and simulate normal traffic (client connections and sessions).

Network Security Evaluation

The above diagram provides a simplified illustration of the test groups and targets across the Functional Requirement categories, as follows:

  • Detection
  • Response
  • Alert / Logging
  • Correlation
  • Reporting
  • Management

These are the functional requirement categories that are documented in the Network Security RFI and the reference codes refer to the specific line item requirements.

The goal of the bake-off testing was to initiate multiple discrete sets of tests as ‘triggers’ that start a sequence of events which then flows through the functional requirement categories and elements in the diagram. The Evaluation Team asked each manufacturer to demonstrate if and how the proposed security solution detected, responded, alerted, logged, correlated (where appropriate) and reported as a consequence of these sequences, and how any generated events were managed. The testing also evaluated the utility of the solution as well as factors such as integration, management and monitoring. Decoys and scans were used to generate noise while stealthy attacks were employed.

The Evaluation Team was restricted to performing the testing and to providing an objective report to the Network Security WG attendees, in addition to an independent and objective report from the penetration tester and traffic generation tester. The attendees made use of an Evaluation Scorecard and each stakeholder contributed a score.

Evaluation Scorecards

The Evaluation Team developed a set of scorecards that would be used by Network Security WG and business unit stakeholder attendees to the bake-off sessions. There were two scorecards used across two days, as follows:

  • Objective Scorecard – Validate Compliance to Requirements
  • Business Unit Scorecard – Validate Fit to Business Unit

For the Objective Scorecard the Evaluation team reviewed both tests and vendor demo together with Q&A to determine if the functional requirements were met by the implemented solution as cited by the Vendor in their RFI response. The team referenced the Vendor Summary and RFI Response sheet.

For the Business Unit Scorecard the attendees individually assessed how well the solution satisfies the requirements and fits the needs of their business unit and determined the total category score, per section.

RFI Scorecard

Technical Recommendation

The technical evaluation consisted of more than 100 evaluation criteria and over 50 repeatable tests conducted on four network security components: Firewall, VPN, IDS/IPS and Management/Monitoring. The RFI was designed to allow the option to select either the best suite of tools from a single manufacturer or the ‘best of breed’ (the best components from multiple vendors).

The Evaluation Team’s technical scores were tallied and submitted as a Technical Recommendation to complement the financial total cost of ownership analysis.  The Technical Recommendation and Financial Analysis were provided as a summary of the findings and recommendations as an outcome of this evaluation process.

Technical Recommendation

Implementing network security equipment on a business unit network is a large and challenging proposition. The group recommended Alpha and Beta deployments to validate technical elements and further understand the integration complexity of the proposed solution. In addition, the Alpha and Beta process helped to develop a deployment methodology that allows for a deliberate approach to addressing important business unit and organization-wide security concerns.

Next Steps

Architecture Case Study – Part 2 will continue this series to take the reader from the Technical Recommendation on into Baseline Network Standard Design as well as the Deployment strategy with Implementation and Migration process.

Think You’re Secure? Think Again.
Security Architecture Primer
Security Architecture Baseline
Risk-Aware Security Architecture
Develop Security Architecture
Product and Solution Selection
Security Architecture Implementation
Adaptive Security Lifecycle

Thanks for your interest!

Nige the Security Guy.

Threat and Vulnerability Management

The best way to ensure a fighting chance of discovering and defeating information exploitation and theft is to take a disciplined, programmatic approach to discovering and mitigating threats and vulnerabilities. Threat and Vulnerability Management is the cyclical practice of identifying, assessing, classifying, remediating and mitigating security weaknesses, together with root cause analysis to address potential flaws in policy, process and standards – such as configuration standards.

Vulnerability Management

Vulnerability assessment and management is an essential piece for managing overall IT risk, because:

  • Persistent Threats
    • Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to dominate headlines.
  • Regulation
    • Many government and industry regulations, such as HIPAA-HITECH, PCI DSS V2 and Sarbanes-Oxley (SOX), mandate rigorous vulnerability management practices
  • Risk Management
    • Mature organizations treat it as a key risk management component.
    • Organizations that follow mature IT security principles understand the importance of risk management.

Properly planned and implemented threat and vulnerability management programs represent a key element in an organization’s information security program, providing an approach to risk and threat mitigation that is proactive and business-aligned, not just reactive and technology-focused. Threat and vulnerability management programs include the following 4 major elements:

  • Baseline
  • Assess
  • Remediate
  • Lifecycle Management

Each of these elements individually benefits the organization in many ways, but together they form interlocking parts of an integrated, effective threat and vulnerability management program.



The threat and vulnerability management life cycle begins with the definition of policies, standards and specifications that define access restrictions, and includes configuration settings that harden the IT infrastructure against external or internal threats. Security configuration policies and specifications should be based on industry-recognized best practices such as the Center for Internet Security (CIS) benchmarks or National Institute of Standards and Technology (NIST) recommendations.

The development of security configuration policies and specifications is an iterative process that starts with industry standards and best practices as a desired state. However, many organizations may also need to define exceptions in order to accommodate specific applications or administrative processes within their environment and track them for resolution.

Closed Loop Policy

Organizations should also consider a mapping of organization-specific configuration policies and operational processes to industry-recognized control frameworks and best practices. Organizations that take the extra step of mapping the policies that are implemented by vulnerability management to control standards and best practices can strengthen their posture with auditors and reduce the cost of compliance reporting through automation. The mapping enables compliance reporting from configuration assessments.

Asset Inventory

To protect information, it is essential to know where it resides. The asset inventory must include the physical and logical elements of the information infrastructure. It should include the location, business processes, data classification, and identified threats and risks for each element.

This inventory should also include the key criteria of the information that needs to be protected, such as the type of information being inventoried, classification for the information and any other critical data points the organization has identified. From this baseline inventory pertinent applications and systems can be identified to iteratively develop and update an Application Security Profile Catalog. It is important to begin to understand application roles and relationships (data flows, interfaces) for threat and risk analysis since a set of applications may provide a service or business function. This will be discussed in more detail in a future blog.

Service Dependency Mapping

Classification of assets according to the business processes that they support is a crucial element of the risk assessment that is used to prioritize remediation activities. Assets should be classified based on the applications they support, the data that is stored and their role in delivering crucial business services. The resource mapping and configuration management initiatives within the IT operations areas can begin to provide the IT resource and business process linkage that is needed for security risk assessment.

IT operational areas need service dependency maps for change impact analysis, to evaluate the business impact of an outage, and to implement and manage SLAs with business context. IT operations owns and maintains the asset groupings and asset repositories needed to support service dependency mappings.

Asset Discovery and Catalog

This information is typically stored in an enterprise directory, asset management system or a CMDB. Further details will be provided in the forthcoming Application Architecture Taxonomy blog.

The security resource needs the same information in order to include business context in the risk assessment of vulnerabilities, to prioritize security incidents, to publish security metrics with business context and to publish compliance reports that are focused on the assets that are in scope for specific regulations.

Security resources should engage IT application operations areas to determine the sources for IT service dependency maps and should configure security assessment functions to dynamically access or import this data for risk analysis, security monitoring and compliance reporting functions. The security team should also participate in CMDB projects as a stakeholder and supporter.

Configuration Standards by Device Role

A vulnerability management program focusing only on vulnerability assessment is weak regarding a crucial vulnerability management program objective — making the environment more secure. Although vulnerability assessment excels at discovering security weaknesses, its reporting isn’t optimized for the mitigation work performed by operations areas. Chasing individual vulnerabilities often does not eliminate the root cause of the problem. A large percentage of vulnerabilities results from underlying configuration issues (missing patches, ports that shouldn’t be open or services that shouldn’t be running).

Infrastructure Integrity

The security resource should work with IT operations to define security configuration standards, and should use the security configuration assessment capability within their incumbent vulnerability assessment tool (if the vulnerability assessment tool provides it) to drive implementation of security configuration standards in desktop, network and server provisioning processes.
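The closed-loop policy idea above (a desired-state standard per device role, exceptions tracked for resolution rather than forgotten, and a mapping to control IDs so that compliance reporting falls out of the configuration assessment) is easier to see in code. The block below is an added illustration and not the blog’s own tooling: the role standard, the host, the sshd_config text, the exception register and the control IDs (CTL-xx placeholders, not real benchmark numbers) are all constructed, and treating a directive that is absent from the file as a failure is an assumption.

```python
"""Security configuration standard by device role, with tracked exceptions and a
mapping to control IDs for compliance reporting.

Added illustration, not the post's own tooling.  The standard, the host, the
sshd_config text and the control IDs (CTL-xx placeholders, not real benchmark
numbers) are all constructed.
"""
import re
from datetime import date

# Constructed role standard: sshd directive -> (expected value, mapped control ID).
STANDARDS = {
    "linux-server": {
        "Protocol":               ("2",       "CTL-03"),
        "PermitRootLogin":        ("no",      "CTL-01"),
        "PasswordAuthentication": ("no",      "CTL-02"),
        "MaxAuthTries":           ("4",       "CTL-02"),
        "X11Forwarding":          ("no",      "CTL-04"),
        "LogLevel":               ("VERBOSE", "CTL-05"),
    },
}

# Constructed sample input: sshd_config collected from host db01 (not a real host).
SAMPLE_SSHD_CONFIG = """\
# sshd_config for db01 (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
"""

# Constructed exception register: host -> directive -> (justification, expiry date).
# Exceptions are time-boxed so they are tracked for resolution instead of forgotten.
SAMPLE_EXCEPTIONS = {
    "db01": {
        "X11Forwarding":   ("legacy DBA tooling, remediation ticket open", date(2030, 1, 1)),
        "PermitRootLogin": ("migration window", date(2012, 12, 31)),
    },
}
AS_OF = date(2013, 6, 1)   # assessment date used by the sample run

_SPLIT = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text):
    """Minimal sshd_config parser: one directive per line, lines starting with '#'
    are comments, 'Key value' or 'Key=value', keys case-insensitive, and the
    FIRST occurrence wins (sshd itself uses the first value it reads)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def assess(host, role, config_text, exceptions, today):
    """Compare a host's configuration with its role standard.  Status is one of
    pass / fail / exception / exception-expired.  A directive absent from the
    file is treated as a failure because the standard requires it to be set
    explicitly (assumption; sshd defaults vary by version)."""
    settings = parse_sshd_config(config_text)
    findings = []
    for directive, (expected, control) in STANDARDS[role].items():
        actual = settings.get(directive.lower())
        status = "pass" if actual is not None and actual.lower() == expected.lower() else "fail"
        if status == "fail" and directive in exceptions.get(host, {}):
            _reason, expires = exceptions[host][directive]
            status = "exception" if expires >= today else "exception-expired"
        findings.append({"host": host, "check": directive, "control": control,
                         "expected": expected, "actual": actual, "status": status})
    return findings


def compliance_report(findings):
    """Roll findings up per mapped control, the view an auditor asks for."""
    report = {}
    for f in findings:
        counts = report.setdefault(f["control"],
                                   {"pass": 0, "fail": 0, "exception": 0, "exception-expired": 0})
        counts[f["status"]] += 1
    return report


def run_sample():
    """Assess the constructed host against the linux-server standard as of AS_OF."""
    return assess("db01", "linux-server", SAMPLE_SSHD_CONFIG, SAMPLE_EXCEPTIONS, AS_OF)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f['check']:<24} expected={f['expected']!r:<10} actual={f['actual']!r:<10} {f['status']}")
    print(compliance_report(results))
```

Two details matter in practice and are both exercised by the sample: an expired exception is reported separately from a plain failure so that the tracking obligation is visible, and the report is keyed by control rather than by directive, which is the shape auditors want and the reason the mapping step pays for itself.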

Threat and Vulnerability Analysis

To perform threat analysis effectively, it is important to employ a consistent methodology that examines the business and technical threats to an application or service. Adversaries use a combination of skills and techniques to exploit and compromise a business process or application, so it is necessary to have in place a similarly multipronged approach to defend against them that decomposes and analyzes systems.

Vulnerability Assessment

The next step is to assess the environment for known vulnerabilities, and to assess IT components using the security configuration policies (by device role) that have been defined for the environment. This is accomplished through scheduled vulnerability and configuration assessments of the environment.

Network-based vulnerability assessment (VA) has been the primary method employed to baseline networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and accurate vulnerability assessments can be accomplished for managed systems via credentialed access. Unmanaged systems can be discovered and a basic assessment can be completed. The ability to evaluate databases and Web applications for security weaknesses is crucial, considering the rise of attacks that target these components.

Database scanners check database configuration and properties to verify whether they comply with database security best practices.

Web application scanners test an application’s logic for “abuse” cases that can break or exploit the application. Additional tools can be leveraged to perform more in-depth testing and analysis.

All three scanning technologies (network, application and database) assess a different class of security weaknesses, and most organizations need to implement all three.

Risk Assessment

Larger issues should be expressed in the language of risk (e.g., ISO 27005), with impact stated in business terms. The business case for any remedial action should incorporate considerations relating to the reduction of risk and compliance with policy. This forms the basis of the action to be agreed on between the relevant line of business and the security team.

Risk Analysis

“Fixing” the issue may involve acceptance of the risk, shifting of the risk to another party or reducing the risk by applying remedial action, which could be anything from a configuration change to implementing a new infrastructure (e.g., data loss prevention, firewalls, host intrusion prevention software).

Elimination of the root cause of security weaknesses may require changes to user administration and system provisioning processes. Many processes and often several teams may come into play (e.g., configuration management, change management, patch management). Monitoring and incident management processes are also required to maintain the environment.

For more details on threat and risk assessment best-practices see the blogs: Risk-Aware Security Architecture as well as Risk Assessment and Roadmap.

Vulnerability Enumeration

CVE – Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

CVSS – Common Vulnerability Scoring System

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores.

CWE – Common Weakness Enumeration

The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture. Each individual CWE represents a single vulnerability type. CWEs are used as a classification mechanism that differentiates CVEs by the type of vulnerability they represent. For more details see: Common Weakness Enumeration.

Remediation Planning

Vulnerability and security configuration assessments typically generate very long remediation work lists, and this remediation work needs to be prioritized. When organizations initially implement vulnerability assessment and security configuration baselines, they typically discover that a large number of systems contain multiple vulnerabilities and security configuration errors. There is typically more mitigation work to do than the resources available to accomplish it.

The organization should implement a process to prioritize the mitigation of vulnerabilities discovered through vulnerability assessments and security configuration audits, and to prioritize the responses to security events. The prioritization should be based on an assessment of risk to the business. Four variables should be evaluated when prioritizing remediation and mitigation activities:

  • Exploit Impact – the nature of the vulnerability and the level of access achieved.
  • Exploit Likelihood – the likelihood that the vulnerability will be exploited.
  • Mitigating Controls – the ability to shield the vulnerable asset from the exploit.
  • Asset Criticality – the business use of the application or data that is associated with the vulnerable infrastructure or application.

Security is improved only when mitigation activity is executed as a result of the baseline and monitoring functions. Remediation is facilitated through cross-organizational processes and workflow (trouble tickets). Although the vulnerability management process is security-focused, the majority of mitigation activities are carried out by the organization’s IT operations areas as part of the configuration and change management processes.

Separation of duties dictates that security teams should be responsible for policy development and assessment of the environment, but should not be responsible for resolving the vulnerable or noncompliant conditions. Information sharing between security and operations teams is crucial to properly use baseline and monitoring information to drive remediation activities.

For more details on remediation planning and execution see the complementary blog: Vulnerability Assessment Remediation.

Vulnerability Lifecycle Management

Vulnerability management uses the input from the threat and vulnerability analysis to mitigate the risk posed by the identified threats and vulnerabilities. A vulnerability management program consists of a continuous process, a lifecycle as follows:

Vulnerability Lifecycle

Monitor Baseline

While a threat and vulnerability management program can make an IT environment less susceptible to an attack, assessment and mitigation cannot completely protect the environment. It is not possible to immediately patch every system or eliminate every application weakness. Even if this were possible, users would still do things that allowed malicious code on systems.

In addition, zero-day attacks can occur without warning. Since perfect defenses are not practical or achievable, organizations should augment vulnerability management and shielding with more-effective monitoring. Targeted attacks take time to execute, and the longer a breach goes unnoticed, the greater the damage. Better monitoring is needed to detect targeted attacks in the early stages, before the final goals of the attack are achieved. Use security information and event management (SIEM) technologies or services to monitor, correlate and analyze activity across a wide range of systems and applications for conditions that might be early indicators of a security breach.

Root Cause Analysis

It is important to analyze security and vulnerability assessments in order to determine the root cause. In many cases, the root cause of a set of vulnerabilities lies within the provisioning, administration and maintenance processes of IT operations or within their development or the procurement processes of applications. Elimination of the root cause of security weaknesses may require changes to user administration and system provisioning processes.

Root Cause Analysis

In 2012, less than half of all vulnerabilities were easily exploitable, down from approximately 95 percent in 2000. In addition, fewer high severity flaws were found. The number of vulnerabilities with a score on the Common Vulnerability Scoring System (CVSS) of 7.0 or higher dropped to 34 percent of reported issues in 2012, down from a high of 51 percent in 2008.

Unfortunately, there are more than enough highly critical flaws to go around. In 2012, more than 9 percent of the publicly reported vulnerabilities had both a CVSS score of 9.9 and a low attack complexity, according to NSS Labs. Vulnerabilities disclosed in 2012 affected over 2,600 products from 1,330 vendors. Vendors that had never previously had a vulnerability disclosed accounted for 30 percent of the total vulnerabilities disclosed in 2012. While recurring vendors may still represent the bulk of vulnerabilities reported, research shows that the vulnerability and threat landscape continues to be highly dynamic.

Thanks for your interest!

Nige the Security Guy.

Security Program Best-Practices 2

Security Program Best-Practices – Part 2

Security Program Best-Practices – Part 1
Part 3
Part 4
Part 5

This blog continues our Security Governance Series with the next installment of recommended security program best-practices drawn from a broad sample of assessments. As a refresher, the typical gaps, deficiencies or needs for improvement are summarized in the Opportunity Matrix, which is used as a planning tool.

Opportunity Matrix Summary

In part 1 of the series we covered an overview as well as Gap 01 – Identify Requirements and Gap 02 – Develop Security Governance Program. In this blog we will discuss Gaps 03 through 05, listed below.

  • GAP 01 – Identify Requirements: Security Policy, Regulation and Laws
  • GAP 02 – Develop Security Governance Program
  • GAP 03 – Establish Network Security Organization
  • GAP 04 – Establish Security Collaboration Working Group (WG)
  • GAP 05 – Develop and Maintain Network Security Standards
  • GAP 06 – Develop Network Security Architecture (3-5 Year Objective)
  • GAP 07 – Develop Network Security Roadmap (with Annual Plans)
  • GAP 08 – Integrate Central Security Logging
  • GAP 09 – Establish Network Security Management & Operations
  • GAP 10 – Develop Firewall Rule Lifecycle Management

Gap 3: Network Security Organization

Business Problem

Over the past few years, as security organizations have had to grapple with an increasingly complex threat landscape and a much more visible role in the organization, the expectations of the business have also significantly increased. The business expects that security will do all this and take on additional responsibilities while keeping its headcount almost static. As a result, there is often a disconnect between what a security organization can realistically deliver and what the business perceives it can deliver. Security organizations today must be agile and high-performing — capable of addressing a multitude of responsibilities and needs simultaneously.

Security Alignment

According to Forrester, maintaining existing systems and applications consumes 73 percent of the IT budget, leaving only 27 percent available for new project investment. This finding is corroborated by a study from AT Kearney, which reports that 70 percent of business executives believe that technology innovation is critical, yet 80 percent of actual IT expenditures are spent on infrastructure and core operations. Forty-five percent of business executives strongly agree that IT groups focus on day-to-day IT requirements at the expense of strategic goals. Add to this burden the voluminous security, regulatory, and legal issues that enterprises now face—and IT is stretched to the limit.

Recommended Solution

When it comes to data breaches, hackers and organized crime garner most of the headlines, but most data breaches are caused by human error and system glitches – application failures, inadvertent data dumps, logic errors in data transfer and more. Organizations with a strong security posture and incident response plans experienced breach costs 20 percent lower than others, so the importance of a well-coordinated, holistic approach is clear.

Many organizations have resources who are trying to wear too many hats and may govern, manage, engineer, operate and support the network security infrastructure. This also results in a lack of checks and balances, increasing the risk of human error, in that the same administrator can review, approve, implement, test and monitor a policy. Security governance, management and operations all have very different functions, and clarity among them is fundamental to the performance of each.

Security Organization

A key part of the role of security governance is to ensure that business and security processes have sufficient internal segregation of duties (SOD) to avoid a conflict of interest. Organizations should carefully develop their charter and participation of a security governance team so that it does not become mired in operational issues, but gives the necessary direction and oversight. The security governance team should have sufficient separation from security management and operations so that a conflict of interest is avoided.

When companies perceive GRC as one team’s responsibility, it undermines the real value that a coordinated program can deliver; risk and compliance professionals can’t possibly identify and measure all risks or enforce all policies across the organization. They need to rely on their colleagues for support, which means enterprises must lay out clear expectations for every user. Conversely, enterprises must explain the benefits users should expect based on their active involvement.

GRC Overview

Organizations should adopt a process-driven approach to security governance, management and operations that includes formally defined process flows, responsibility charts and decision accountabilities. At a high level, the organization should support the following:

  • Strategy: Develop GRC readiness by assessing maturity against peers through key use cases, identify gaps and build roadmaps; rationalize and prioritize GRC initiatives by tightly integrating information and infrastructure imperatives with business obligations.
  • Design: Design GRC programs and governance models and align with policies; quantify and classify exposures and weaknesses and compare to well-defined metrics, develop treatment options to manage risk and optimize rewards.
  • Implement: Implement processes, policies, controls and technology solutions that monitor operations and key metrics. Measure exposures in people, processes and technology controls in the context of IT infrastructure interdependencies.
  • Operate: Treat exposures by continuously enforcing policies; detect violations and measure gains against desired states; continuously improve processes to maximize synergies and move up the maturity curve.

Best-practices set expectations that all employees in the organization will play a part in managing risk and meeting compliance obligations.

Security Roles

All systems have critical processes that, if subverted through human error or malicious intent, will significantly impact the objectives they enable. No one person should have absolute control over a critical network security process, asset or system. Instead, processes should be segregated into discrete tasks that can then be assigned to parties who do not have a conflict of interest with safeguarding the sub-process. Through segregation of duties, an engineer cannot readily disrupt production by mistake or intent.

Gap 4: Security Collaboration WG

Business Problem

In a rapidly developing organization it is easy to get out of touch, and for groups to develop at different paces in different directions, working in silos and generating fragmented security. While hybrid distributed security organizations with dotted-line reporting relationships are a best-practice, it is also key to collaborate closely, working towards a common goal: integrate security architecture, seek compliance with policy and regulation, and automate processes and systems.

Security governance requires a set of oversight processes to ensure that reasonable and appropriate actions are taken to protect the organization’s information resources in the most effective and efficient manner, aligned to business goals. The role of security governance within the cross-organizational and cross-functional Collaboration Working Group (WG) is to work closely with all stakeholders, including senior executives, line-of-business managers, the IT organization and others, to establish the following:

  • Establish Effective Governance Framework
  • Develop Meaningful Risk Assessments
  • Focus on Enterprise Risk Management
  • Establish Measurable Controls
    • Map to all relevant regulations and standards

The Security Collaboration WG is a critical component in setting the overall direction of the security program implemented by the CISO, taking into account the strategic needs of the business, the risk appetite of the organization, other non-IT and information security issues (such as physical and personnel security), and broader IT and information initiatives beyond the security realm.

Practical Security

The responsibilities of a Security Collaboration WG may include:

  • Acting as a steering committee for significant projects
  • Tracking the progress of remediation on risk items (audit report findings)
  • Reviewing metrics reporting
  • Monitoring operational performance
  • Enabling the CISO to guide security efforts within business units
  • Establishing and maintaining effective lines of accountability, responsibility and authority for protecting information assets
  • Acting as a mediation or arbitration body for reconciling conflicting security requirements

A Security Collaboration WG that connects the various organizational silos and integrates with governance in terms of policy, compliance and internal audit enables the alignment of controls and measurements with an evolving baseline security standard, so that the various parties work together in lock step. There is also a high return on security investment through collaboration and sharing, generating ideas for improvement via cross-pollination, and so on.

Gap 5: Network Security Standards

Business Problem

A new model of assurance has emerged as the foundation for an enterprise information integrity, security, and compliance strategy. This domain is infrastructure integrity enabled by configuration management (assessment and change auditing). Change auditing ensures the integrity of all infrastructures in a network — in essence ensuring that the infrastructure remains in a “desired secure state” throughout the implementation of the changes necessary to keep pace with the dynamic demands of the business.

ITIL Basics

Infrastructure integrity is the foundation or anchor upon which IT infrastructures should be built. When there is no infrastructure integrity, the internal process controls put in place to manage this infrastructure fail. Like a structure built upon sand, when the ground underneath shifts, the building will crack. In essence, without infrastructure integrity, an enterprise’s investment in operations management and information security technologies can be compromised at best and wasted at worst.

Infrastructure integrity results in operational efficiency

Security Hardening

Network security baseline standards are key to translating applicable but often vague regulations and security policy into actionable statements that can be applied by network security technologies and verifiably enforced, to work towards and support compliance. The standards also allow the security organization to define, review and approve the ‘technical policy’ so that it is sanctioned and in conformance with the risk tolerance of the organization. Finally, standards provide a measurable baseline that can be used to ensure infrastructure integrity as well as to audit against those standards – so that the security posture is known.

Closed Loop Policy

The stakes are too high for organizations to ignore anchoring their IT infrastructures by maintaining infrastructure integrity. The infrastructure is too complex, too critical to business success, and too vulnerable to attack. For these reasons the IT asset configurations must be standardized and closely controlled. Controlling the infrastructure has presented challenges for IT management and administrators in both large and small companies. Hoping for success is an exercise in futility if grounded on an environment in which the core information assets and the infrastructure do not have integrity. If the integrity of the core information assets, infrastructure, and procedures is in question, so too is the overall confidence in the security system. In IDC surveys, over half of IT professionals and managers at large enterprises are only somewhat confident or not confident about their companies’ enterprise security systems.

Coming Soon

Security Program Best-Practices – Part 3 will continue this Security Governance Series with the next set of gaps for discussion and helpful advice on key components.

Security Program Best-Practices 1
Part 3
Part 4

Thanks for your interest!

Nige the Security Guy.