Cyber security options for protecting enterprises continue to evolve at a rapid pace. Zero Trust Architecture (ZTA) is emerging as the preferred method for ensuring the security and integrity of data and systems, whether they are accessed on-premises or from the cloud. ZTA encompasses many traditional defense-in-depth approaches and adds the integration, automation and orchestration that make the overall solution practical for end users and operations staff.
Iron Bow recommendations take the customer's use cases and the pillars of ZTA into account to provide the cyber security solution that best meets the client's current needs, and to ensure that the client's security roadmap lets existing cyber security appliances integrate easily into new solutions as those mature.
User Identity – providing strong verification of the user, with dynamic reauthentication based on the sensitivity of the resources being accessed. This includes Multi-Factor Authentication (MFA), Privileged Access Management (PAM), identity governance and normalization of the authentication databases.
Device Identity – identifying an approved asset and validating the security posture maintained on the endpoint, both to protect against malicious attacks and to provide threat visibility into the actions taken on the device.
Network Access and Protection – providing access to sensitive applications and data across the network at a granular level while remaining focused on operational usability for end users and IT staff.
Application Security – controlling access to applications as granularly as possible, from both an end-user and a machine-to-machine perspective, using microsegmentation concepts.
Data Security – limiting access to data to only authorized users and machines is key to protecting it. Additionally, monitoring access to the data to understand data access behavior and to trigger alarms on abnormal data access.
Monitoring and Analytics – providing insight for tool selection and integration to provide a cohesive view of the security posture of the environment, pinpoint potential vulnerabilities and identify the root cause of issues and attacks when they arise.
- Threat Visibility – providing visibility into traffic traversing the network to obtain a baseline of normal traffic flows and, from that baseline, detect misconfigured devices and malicious attacks.
- Remediation and Response – the possibility of malicious attacks entering the network will always exist. It is critical to have the security tools in place before attacks happen to speed response time.
Programmability (Orchestration + Automation) – combining the functionality of similar products to create dashboards and enable a single action to be implemented across multiple products.
Vulnerability Assessment – providing a review of the network and security infrastructure and investigating potential vulnerabilities within the infrastructure.
Breach and Attack Simulation – providing a means to automate the testing of the tools and appliances used within the security infrastructure for their efficacy against attacks, leveraging the tactics, techniques, and procedures (TTPs) used by real adversaries. When a security gap is found, the configuration can be updated proactively.
Zero Trust Assessment – gaining an understanding of the current cyber security infrastructure and of current and future business requirements. This information then feeds a workshop that provides an overview of the relevant technologies and identifies which are the best fit.
Commercial Solutions for Classified (CSfC) – creating solutions that leverage clearly defined and approved approaches to support specific U.S. government security requirements.
Policy Enforcement/Risk Management Framework – develop, automate and enforce authentication and authorization policies to control system and application access.
Cloud Security – meeting compliance requirements and applying technical solutions and frameworks that ensure cloud deployments are secured.
Artificial Intelligence – there are too many tools and too much data to be analyzed effectively by hand. AI can shift the paradigm from investigating the past to reacting to the present and predicting the future.
Iron Bow in Action
Understanding Threats for Better Planning
Threat visibility is part of a Continuous Diagnostics and Mitigation (CDM) approach to security. Being able to see what threats are hitting your network allows for more effective security and budget planning. In one case, an Iron Bow client began using a threat visibility tool and immediately saw probes from foreign countries, and traffic from the client network going to those countries. This visibility served two critical functions. First, it was a graphical method of easily seeing when a breach had occurred. Second, it provided clear justification for further investment in the security budget. In this case the attacks were unsuccessful, but the client learned they were being attacked on a regular basis from places they had never imagined. Examination over time brought to light a data exfiltration problem. It was not malicious: it was tied to a user who, trying to make sure the data they used was preserved, was archiving records to an unapproved storage device. The user did not realize the security ramifications if that device were compromised. User education closed that vector. While that particular finding turned out to be a non-issue, the visibility into the threats coming at the network day in and day out allowed the IT team to better justify ongoing security investments.
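The baseline-then-deviation approach described under Threat Visibility above, and illustrated by this case (probes from unexpected countries, outbound traffic to those countries, and a slow exfiltration to an unapproved destination), can be sketched in code. The following is an added example written for this page; it is not Iron Bow's tooling or any product's code. The flow records, the prefix-to-country table (a stand-in for a GeoIP lookup) and the 3-sigma volume threshold are all assumptions made for the illustration.

```python
"""Baseline-and-deviation detection over NetFlow-style records (added example,
not Iron Bow's or any product's code). Learns, per internal host, the
destination countries, outbound volume and inbound served ports seen in a
training window, then flags flows in a detection window that deviate. The
records and the prefix->country table are constructed; the table stands in
for a GeoIP lookup."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple

GEO = {"10.": "INTERNAL", "203.0.113.": "US", "198.51.100.": "DE", "192.0.2.": "CN"}  # hypothetical

def country_of(ip):
    return next((cc for p, cc in GEO.items() if ip.startswith(p)), "UNKNOWN")

class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int
    nbytes: int  # bytes sent from src to dst

def parse_flow(line):
    """Parse 'ts,src,dst,dport,bytes' (constructed CSV layout)."""
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return Flow(int(ts), src, dst, int(dport), int(nbytes))

def direction(f):
    """'out' for internal->external, 'in' for external->internal, else None."""
    s, d = country_of(f.src) == "INTERNAL", country_of(f.dst) == "INTERNAL"
    return "out" if s and not d else "in" if d and not s else None

def learn(flows):
    """Build the baseline: per internal host, destination countries seen,
    bytes per outbound flow, and ports reached from outside."""
    base = {"countries": defaultdict(set), "volumes": defaultdict(list), "served": defaultdict(set)}
    for f in flows:
        if direction(f) == "out":
            base["countries"][f.src].add(country_of(f.dst))
            base["volumes"][f.src].append(f.nbytes)
        elif direction(f) == "in":
            base["served"][f.dst].add(f.dport)
    return base

def detect(base, flows, z_threshold=3.0):
    """Return (ts, src, dst, reason) for every flow that leaves the baseline."""
    alerts = []
    for f in flows:
        d = direction(f)
        if d == "out":
            cc = country_of(f.dst)
            if f.src not in base["countries"]:
                alerts.append((f.ts, f.src, f.dst, f"unbaselined host {f.src} talking outbound"))
            elif cc not in base["countries"][f.src]:
                alerts.append((f.ts, f.src, f.dst, f"new destination country {cc}"))
            else:
                vols = base["volumes"][f.src]
                mu, sigma = mean(vols), pstdev(vols)
                if sigma > 0 and (f.nbytes - mu) / sigma > z_threshold:
                    alerts.append((f.ts, f.src, f.dst, f"outbound volume {f.nbytes}B, baseline mean {mu:.0f}B"))
        elif d == "in" and f.dport not in base["served"].get(f.dst, set()):
            alerts.append((f.ts, f.src, f.dst, f"inbound probe from {country_of(f.src)} to port {f.dport}"))
    return alerts

# Constructed training window (a "normal" period, abbreviated to a handful of flows).
LEARNING_LINES = [
    "1000,10.0.0.5,203.0.113.10,443,2000",
    "1060,10.0.0.5,203.0.113.10,443,2500",
    "1120,10.0.0.5,203.0.113.10,443,3000",
    "1180,10.0.0.5,203.0.113.10,443,3500",
    "1240,10.0.0.5,203.0.113.10,443,4000",
    "1300,10.0.0.7,198.51.100.20,443,1500",
    "1360,10.0.0.7,198.51.100.20,443,1700",
    "1420,203.0.113.55,10.0.0.80,443,600",    # inbound to the web server, port 443
]

# Constructed detection window.
DETECTION_LINES = [
    "2000,10.0.0.5,203.0.113.10,443,4500",    # within normal volume: no alert
    "2060,10.0.0.5,192.0.2.9,443,800",        # first contact with a new country
    "2120,10.0.0.5,203.0.113.10,443,900000",  # bulk upload to a known destination
    "2180,10.0.0.7,198.51.100.20,443,1600",   # normal
    "2240,192.0.2.33,10.0.0.80,3389,120",     # RDP probe from outside
    "2300,203.0.113.55,10.0.0.80,443,700",    # legitimate inbound web traffic
    "2360,10.0.0.9,203.0.113.10,443,300",     # host never seen in the baseline
]

def analyze(learning_lines, detection_lines):
    base = learn(parse_flow(l) for l in learning_lines)
    return detect(base, [parse_flow(l) for l in detection_lines])

if __name__ == "__main__":
    for ts, src, dst, reason in analyze(LEARNING_LINES, DETECTION_LINES):
        print(f"{ts} {src} -> {dst}: {reason}")
```

Running it against the constructed windows produces four alerts: the new-country contact, the bulk upload, the inbound RDP probe and the unbaselined host, while the in-profile flows stay quiet. In practice the training window must be long enough to cover normal business cycles, and a new-country alert is a prompt for investigation (as the archiving user in the case above shows), not proof of compromise.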
Planning for the Worst
Remediation and response technologies and plans must be in place before an incident compromises data. Planning for the worst minimizes impact and speeds resolution. For example, a recent ransomware attack was identified and stopped using the tools already in place. The organization could see that files on local computers and on file shares were being encrypted, but could not make sense of why those files were being targeted. Based on the traffic, the attackers were using an account that had full read/write access as well as laptop and Active Directory rights. The organization was able to cut off a branch organization that appeared to be the source and, at the same time, limit write access for all users to stop the spread until the root cause was identified. A Next Gen IPS was used to show where traffic was being exfiltrated and to look for matching signatures. NetFlow-based tools provided visibility into all flows traversing the network and quickly identified the malicious ones. Anti-malware agents identified known-malicious files and quarantined them, helping to identify possible source computers. Once the initial computer and the attack were identified, remediation was implemented on all machines, addressing the current attack and hardening them against future ones.
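The first signal in this case, files on local disks and shares being encrypted by a single over-privileged account, is the kind of abnormal data access the Data Security pillar above says should trigger an alarm. The following is an added example of that detection logic, written for this page and not code from Iron Bow or the organization described: it runs over constructed file-server audit lines, counts write/rename activity per account in a sliding window, and separately catches the rename-on-encrypt pattern in which a new suffix is appended to existing file names. The log layout, the thresholds (20 events per 60 seconds, 5 renames) and the account names are assumptions.

```python
"""Detecting a mass-encryption burst from file-share audit events (added
example, not code from the page or the organization it describes). Two
signals per account: a sliding-window count of WRITE/RENAME events, and
the rename-on-encrypt pattern where a suffix is appended to an existing
name. The 'ts account ACTION path' log layout is constructed."""
from collections import defaultdict, deque

def parse_event(line):
    """Parse 'ts account ACTION path'; a RENAME path is 'old=>new'."""
    ts, account, action, path = line.split(" ", 3)
    return int(ts), account, action, path

def appended_suffix(old, new):
    """Return the suffix when new == old + suffix (a.docx -> a.docx.locked), else None."""
    return new[len(old):] if new.startswith(old) and len(new) > len(old) else None

def detect_encryption_burst(lines, window_s=60, burst_threshold=20, rename_threshold=5):
    """Return (ts, account, reason) alerts; events must be in timestamp order."""
    recent = defaultdict(deque)     # account -> timestamps of WRITE/RENAME inside the window
    suffix_seen = defaultdict(int)  # (account, suffix) -> renames that appended that suffix
    fired = set()                   # one alert per account per signal
    alerts = []
    for line in lines:
        ts, account, action, path = parse_event(line)
        if action not in ("WRITE", "RENAME"):
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window_s:  # drop events older than the window
            q.popleft()
        if len(q) >= burst_threshold and ("burst", account) not in fired:
            fired.add(("burst", account))
            alerts.append((ts, account, f"{len(q)} write/rename events in {window_s}s"))
        if action == "RENAME":
            old, new = path.split("=>", 1)
            suffix = appended_suffix(old, new)
            if suffix is not None:
                suffix_seen[(account, suffix)] += 1
                key = ("rename", account, suffix)
                if suffix_seen[(account, suffix)] >= rename_threshold and key not in fired:
                    fired.add(key)
                    alerts.append((ts, account, f"{rename_threshold} files renamed to *{suffix}"))
    return alerts

def accounts_to_restrict(alerts):
    """Accounts whose write access should be cut while the root cause is found."""
    return sorted({account for _, account, _ in alerts})

def constructed_log():
    """Constructed audit trail: routine edits, then one account rewriting and
    renaming 30 files in 30 seconds."""
    lines = ["3600 alice WRITE /share/finance/q3.xlsx",
             "4200 alice WRITE /share/finance/q3.xlsx",
             "5000 bob READ /share/hr/policy.docx",
             "5010 bob WRITE /share/hr/policy.docx"]
    for i in range(30):
        lines.append(f"{7000 + i} svc-backup WRITE /share/finance/doc{i}.docx")
        lines.append(f"{7000 + i} svc-backup RENAME /share/finance/doc{i}.docx=>/share/finance/doc{i}.docx.locked")
    return lines

if __name__ == "__main__":
    found = detect_encryption_burst(constructed_log())
    for ts, account, reason in found:
        print(f"{ts} {account}: {reason}")
    print("restrict write access for:", accounts_to_restrict(found))
```

On the constructed log the rename signal fires first, after the fifth `.locked` rename, and the burst signal fires a few seconds later; the routine edits by the other accounts never reach either threshold. The returned account list is the input to the containment step the case describes, limiting write access while the source machine is traced.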
You Don’t Know What You Don’t Know
Most organizations have well-defined security practices that have been in place for years without a major incident. This does not mean they are completely secure. Our vulnerability assessments take a deeper look at network traffic to discover unknown anomalies that may not impact performance or security today but pose a threat nonetheless. In one case we discovered, through a combination of raw data and user interviews, that a client was exposed to malicious actors via several well-known and widely used workarounds. The weakness had not been targeted yet, but it posed a huge risk. Iron Bow provided a detailed network vulnerability assessment and laid out a prioritized plan for increasing the client's security posture that dramatically shrank the potential attack vectors, increased visibility and stayed within the client's budget.
In-depth knowledge on the latest attack methods and how to defend against them.
Customized cyber security reference architectures to meet domain and environment-specific needs.
Laser-focused on developing solutions that reduce risk and enable mission and business success.