Then start by looking no further than the tools you already have.
Chances are there are quite a few security enhancements that you can make simply by making better use of what's almost certainly already on your system.
I have spent a significant amount of time over the years assessing the security of business applications, and one of the consistent problems I've seen is that the security capabilities of the network, the operating system, and the applications themselves are not being used to their fullest extent. For example, operating system file access controls are often either overlooked or not fine-tuned to the needs of the application when it is installed.
Mistakes made at the operations security phase can completely undermine the application's security. But the converse also is true: improvements made in operations security can very much enhance the overall security of the environment. Start by protecting the application and its data, and proceed all the way through the operational aspects of effectively responding to security events.
Starting down at the network level, the key principles are compartmentalization and access control. Here's where most data centers generally do a pretty good job already, but it's likely that you can still find plenty of room for improvement. For example, consider further separating your applications on isolated network segments (or VLANs) and tightly configuring the network components to enforce the network-level policies concerning which network services are permitted both in and out of each segment.
Another high-value, low-cost tip is to provide a separate network segment for administrative traffic, such as system monitoring, actual system administration tasks, and event logging. This benefits both the performance of the production data segments, as well as the security of the environment, since administrative traffic is kept isolated from production, requiring an intruder to break through another layer of protection before he can compromise your application.
High-quality event logging and monitoring is the lifeblood of incident response operations. Many organizations have implemented pretty good event logging at the network and operating system level, but very rarely at the application level. There are opportunities here, as well, to enhance the overall security of the application for relatively little money.
The reason it's so important to log events all the way up to the application level is because, to the incident response analyst, each layer of logging brings its own perspective on a security event. And a full complement of those perspectives is necessary to really understand what took place at the time of an attack.
For example, when trying to forensically determine how a site was compromised, the network logs show the date, time, protocol, source, etc., of the attack. The operating system logs show what the intruder did and accessed on the host's operating system. The application logs provide insight into what data the intruder accessed, modified, deleted, etc., within the compromised application. Without that "big picture" view, it is exceedingly difficult to provide company executives with an accurate damage assessment so they can make the appropriate business decisions on how to proceed. It also is exceedingly difficult to distinguish between an IDS false alarm and a real, potentially company-threatening incident.
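To make the layered-perspective point concrete, here is an added example (not from the original column) that stitches constructed firewall, operating system and application log lines into a single incident timeline. The log formats, host names and addresses are hypothetical; the pivot from a source address to the account it logged in as, and from there to what that account did inside the application, is the part that only works when all three layers are logged.

```python
import re

# Constructed sample lines (not from any real system): one source address shows up at
# every layer, and the OS login ties that address to the account used inside the app.
FIREWALL_LOG = [
    "2017-09-20T13:01:05Z fw01 ACCEPT TCP 203.0.113.7:51532 -> 10.0.2.15:22",
    "2017-09-20T13:01:20Z fw01 ACCEPT TCP 198.51.100.9:41000 -> 10.0.2.15:443",
]
OS_LOG = [
    "2017-09-20T13:01:07Z app01 sshd: Accepted password for deploy from 203.0.113.7 port 51532",
    "2017-09-20T13:02:10Z app01 sudo: deploy : COMMAND=/bin/cat /etc/app/db.conf",
]
APP_LOG = [
    "2017-09-20T13:03:42Z app01 billing: user=deploy action=EXPORT table=customers rows=48213 src=203.0.113.7",
    "2017-09-20T13:04:00Z app01 billing: user=alice action=VIEW table=invoices rows=3 src=198.51.100.9",
]
ALL_LINES = FIREWALL_LOG + OS_LOG + APP_LOG

TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ "  # timestamp followed by host name
PATTERNS = [  # hypothetical formats; adapt the regexes to your own log sources
    ("network", re.compile(TS + r"(?P<msg>\S+ \S+ (?P<ip>[\d.]+):\d+ -> [\d.:]+)")),
    ("os", re.compile(TS + r"sshd: (?P<msg>Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+).*)")),
    ("os", re.compile(TS + r"sudo: (?P<user>\S+) : (?P<msg>COMMAND=.*)")),
    ("app", re.compile(TS + r"\S+: (?P<msg>user=(?P<user>\S+) action=\S+ table=\S+ rows=\d+ src=(?P<ip>[\d.]+))")),
]

def parse(line):
    """Return a dict with ts, layer, msg and (where present) user/ip, or None if unrecognised."""
    for layer, pat in PATTERNS:
        m = pat.match(line)
        if m:
            return dict(m.groupdict(), layer=layer)
    return None

def build_timeline(lines, suspect_ip):
    """Chronological events tied to suspect_ip. The OS login links the address to an
    account, so application actions by that account are pulled in as well."""
    events = [e for e in map(parse, lines) if e]
    accounts = {e["user"] for e in events if e.get("ip") == suspect_ip and e.get("user")}
    related = [e for e in events if e.get("ip") == suspect_ip or e.get("user") in accounts]
    return sorted((e["ts"], e["layer"], e["msg"]) for e in related)

def rows_touched(timeline):
    """Application-layer row counts: the figure a damage assessment actually needs."""
    return sum(int(re.search(r"rows=(\d+)", msg).group(1))
               for _, layer, msg in timeline if layer == "app")

if __name__ == "__main__":
    for ts, layer, msg in build_timeline(ALL_LINES, "203.0.113.7"):
        print(f"{ts} [{layer:<7}] {msg}")
```

Drop either the OS or the application lines from the input and the timeline still shows a connection and a login, but the export of 48,213 customer rows disappears from view, which is exactly the damage figure the executives will ask for.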
Next, the operating systems that are generally found in today's data centers almost always include security capabilities that go unused in the integration of the applications that are running on them. Principal among these are file access control and targeted event logging. Access control that is precisely tuned to the needs of the application takes time and it takes a deep understanding of the application and the operating system's capabilities, but the rewards are well worth it, for a multitude of good and valuable reasons.
The following is a checklist of a few things you can consider doing in your data center to improve both the protection mechanisms, as well as the tools available to support the incident response posture:
Most of these tips are not overly expensive to implement. Almost all of them, though, require a deep knowledge of each business application and how it functions. That will no doubt involve close collaboration between your application development and integration staff, networking staff, and security staff.
All of this is time well spent, as I see it.
Kenneth van Wyk, a 19-year veteran of IT security, is the principal consultant for KRvW Associates, LLC. The co-author of two security-related books, he has worked at CERT, as well as at the U.S. Department of Defense.