Cost-effective Operational Reliable Efficient, C.O.R.E. Technology Security Series
Cost-effective Operational Reliable Efficient CORE Technology Security involves only what is required to manage technology risks specific to each organization, no more and no less. By emphasizing CORE, declare the objectives and build to those objectives. Regarding security, CORE enables organizations to have 100% accurate asset inventories, proactively manage vulnerabilities, detect threats to each technology, respond to exploits (accidental or otherwise), and maintain business operations while recovery activities are underway. After implementing the CORE Technology Security Inventory, Remediation, Detection, and Decision, focus on Operations.
Word to the wise: Organizations should build out their CORE Operations capabilities only after CORE Inventories, Remediation, Detection, and Decision capabilities are 100% complete. Organizations rely on these other CORE capabilities to be in place and automated to ensure successful Security Operations.
Security Operations
An organization’s centralized cybersecurity management and support function is called a security operations center or SOC. Within the SOC exists a team and technologies that manage technology inventories, remediation, detection, and decision-making related to technology security. Due to this scope of capabilities, the SOC ultimately depends on CORE Inventory, Remediation, Detection, and Decision capabilities being in place and functioning accordingly. However, once those CORE capabilities are in place, the organization must operationalize security. This document describes integrating the prescribed capabilities into an operations center, the team, and the supporting processes required for success.
A New Approach Using Common Standards
The practices included in CORE Operations are familiar. Instead, CORE introduces a plan, design, and deployment solution strategy to ensure any organization can have in-house cost-effective, operational, reliable, and efficient security capabilities. CORE's capabilities are very similar to the National Institute of Standards and Technology's (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover, as this is evident throughout. Yet, don’t forget, CORE was not meant to be a list of requirements; it is intended to be a solution. Therefore, with CORE Technology Security as a solution, organizations can build successful security operations that align with industry standards, regulatory requirements, and best practices.
Centralized Operations
Security operations focus solely on security, and following the CORE theme, the SOC must be designed and built to be cost-effective, operational, reliable, and efficient. Centralizing the consolidation, analysis, decision-making, and response capabilities ensures consistency, in addition to a direct line of communication to and from the executive leadership within the organization. The following justifies security operations based on CORE.
Cost-effective security operations: Expertise, security data consolidation, analysis, and decision-making are all costly capabilities for any organization because these demand higher wages and technology costs. These costs include licensing, redundancy, and computing for advanced security orchestration and automated response technologies. Centralization proves to be cost-effective by keeping these costs at the center.
Operational security: Centralized operations forgo planning, engineering, and implementation of decentralized or hybrid models to ensure the company’s security function is quickly implemented and operationalized. For security to be successful, organizations must have their CORE Inventory, Remediation, Detection, and Decision capabilities built with supporting automation deployed. With these prerequisites, the organization’s security data are ripe for harvesting by the CORE.
Reliable security operations: Centralization limits the potential for procedural replicative fading that tends to occur due to breakdowns in communication and mismanagement of expectations between distinct and geographically separated teams. A single strong team working through the same reporting chains makes consistency easier to enforce and ensure. Also, a more robust technology resiliency capability can be deployed at the center, maintaining the alignment with cost-effectiveness. Therefore, security operations activities and technologies will be of higher quality and more reliable following CORE.
Efficient security operations: People’s ability to remove process impediments is at the heart of operational efficiency. Barriers to security operations are typically caused by poorly planned, engineered, and implemented (security) technologies and processes/unintentional sabotage. This condition exists due to organizations’ failures to design all security processes as a single machine with one centralized engine with intakes from all technologies in the organization, generating superpowers at the core. Instead, organizations make the mistake of applying patchwork methods for quick, tactical improvements everywhere and anywhere in these networks. The tactical approach costs more and is not CORE. CORE is efficient because technology security is included by design, not an afterthought.
Visualizing CORE Operations
Technology security, like any effective process, should include prescribed inputs, practical and repeatable processing, and formatted outputs to be effective. CORE cannot be, and does not have to be, an ever-changing and dynamic process to be successful. CORE improves the cybersecurity risk management philosophy to make this successful, making the risks instantly apparent and the decisions automatic. For this to work, CORE Operations require complete visibility and control over all technologies that exist in an organization.
According to NIST Special Publication (SP) 800-30r1, a typical example of a cybersecurity risk assessment process is captured below for explanation purposes.
The following manual steps can be seen in this NIST risk assessment process.
Prepare for Assessment
Identify Threat Sources and Events
Identify Vulnerabilities and Predisposing Conditions
Determine the Likelihood of Occurrence
Determine the Magnitude of the Impact
Determine Risk
Communicate Results
Maintain Results
Notice that in the NIST risk assessment, each step is a manual activity designed to either feed into the next step or deliver a report to someone for decision-making purposes. If one attempts to see this process through from start to finish, it becomes apparent that it can be subjective and inefficient. To make this risk assessment effective and automated, CORE addresses and mitigates these subjectivity and inefficiency concerns accordingly.
Use pre-defined parameters for inputs to each risk assessment step, restricting the scope to only data that can be captured from a trusted source. I.e., data is not manufactured or assumed to facilitate risk assessments.
Define input methodologies prioritizing using automated technologies where a person is not needed. I.e., Ensuring that necessary data are structured and rationalized.
Design automated technologies to function according to the CORE-prescribed capabilities.
CORE Technology Security has accounted for these mitigations in the prerequisite CORE processes, including Inventory, Remediation, Detection, and Decision. Each of these NIST risk assessment activities is activated by CORE, as described in the table below.
The CORE Operations considers certain security activities that could impact the organization's overall posture, as explained below.
New technologies should be categorized and added to the inventory before being added to operations.
Operations will immediately identify Old technologies and flag them for removal.
Operations will have visibility into networking architecture configurations and be able to manage these architectures over time.
Operations can view current technology configurations to ensure all are remediated.
Operations will be able to identify new software vulnerabilities to prioritize remediation activities.
Operations will detect potential exposures to exploitation by threat actors and prioritize corrective actions through architecture or technology configuration or vulnerability remediation.
Operations will detect cyberattacks immediately and prioritize remediation activities.
As one can see, each of these activities includes a trigger for CORE Operations to perform a task. The SOC must be designed with technology mechanisms providing both view and control for the operations team to view the triggers and manage these activities.
The technology solutions for CORE Operations are depicted below.
Here are a few examples of how security activities are enabled by the CORE Operations model above.
An unauthorized New technology was added to the operational network and detected by the SOC. A risk-based decision was made to remediate the security concern by disconnecting the technology, categorizing it, adding it to the inventory, and performing configuration and software remediation activities. Finally, the technology was brought back online in short order.
An operating system vulnerability was detected on a Mature technology asset. A risk-based decision was made to prioritize the vulnerability for the next patching cycle. Remediation occurred due to patching, and the inventory was updated to reflect the software revision change.
An end-of-life (EOL) Common Vulnerability Enumeration (CVE) identification (ID) was discovered on multiple technologies running outdated operating systems in one network segment. A risk-based decision was made to initially remediate by architecture configuration, adding additional boundary segmentation around the EOL technologies. The inventory was updated by adding “RETIRE DATE” to the CORE TAG for each technology. This enabled the mitigation plan for replacing these technologies by automating the scheduling and monitoring/notification processes.
A potential indicator of compromise was discovered from outside threat intelligence, which included the organization's critical infrastructure segment, specific technology types, and one region of the world where the organization operates. The organization quickly made a risk-based decision to remediate the technologies that fell in scope based on relevant data on the CORE Tag by islanding them off through architecture configuration. The inventory was updated, and the updates to the architecture are visible through detection, preventing a potential cyberattack.
Anomalous networking activity was detected and matched to a malware signature in the security information and event management technology. The automated decision mechanism commanded remediation with an immediate quarantine to prevent the malware from spreading further. All quarantine technologies were limited due to the rapid quarantine and replaced with spares. The inventory was updated to reflect the changes, and the organization rebuilt the infected technologies, adding them back to the spares.
The organization undergoes a regulatory audit in which the technology security plans are in scope. The auditors visit the SOC and are presented with the inventories and status of remediation. Auditors perform a spot check of inventories and discover they are 100% accurate and useful. Auditors also inspect the detection and decision-making capabilities in the SOC and determine that the organization should win the technology security contest.
The examples above are typical areas where organizations struggle to manage. However, CORE Operations makes them simple because security is planned, designed, implemented, and managed as a complete, end-to-end program.
Security Operations Capabilities and Integration
CORE Inventory, Detection, Remediation, and Decision define blueprints for solutions necessary to ensure data are available to feed into CORE Operations. This section explains how to integrate those solutions technically and procedurally into a security operations center.
Inventory
Every technology security program begins with the inventory; inventories should be 100% complete. CORE Inventory defines multiple data points necessary to ensure the inventories are manageable, while CORE Detect defines how to use the software tagging on each technology to support security activities. An example of the CORE Tag is shown below.
With this information on each technology as a software tag, the organization
can periodically read and update the tag as necessary for inventory, detection, decision-making, and remediation. Therefore, the SOC must be able to create and deploy software tags to all technologies and read those tags to ensure the success of inventory management.
As one could imagine, tagging each technology individually could be a daunting procedure to manage long term if not carefully planned out. Therefore, CORE prescribes that these tags be rolled out in configuration scripting and security policies. This way, all common attributes can be shared with other technologies, while unique attributes are pulled from system variables to the local device.
Below is a list of all CORE Inventory attributes and their prescribed tagging methods.
In the instructions above, the CORE process relies heavily on the presence of the Microsoft Active Directory (AD) domain. Each technology must be added to the domain and accessible through “Active Directory Users and Computers.” This is the easiest way to tag technologies, and it allows for a marrying between security groups created for CORE Inventory and security Group Policies that will be used for the remediation of technology configurations. Additionally, Microsoft ADs support the name translation and authentication services for Unix-based networking devices. Therefore, all non-Microsoft technologies can be added to the domain and grouped accordingly.
For organizations not using Microsoft domains, the inventory tagging can still be pushed out from the center through scripting. In many cases, the administrators of non-Microsoft domain environments are already accustomed to creating unique scripting of support and management.
The inventory tagging information can be collected using the event log and syslog functionality built into technologies. This allows organizations to use the same tools to collect, forward, and analyze inventory tagging information that they use for security information and events. This SOC Inventory dashboard can exist as a function of the SIEM.
The end-to-end SOC solution for inventory management is depicted below.
Notice that the inventory data is forwarded from the endpoint to the center. This allows relays from technologies in segmented networks to block certain types of inbound communications. The method for tagging is done entirely with a different solution, as CORE recommends using group policies to ensure the separation of duties. Non-connected technologies will have to be manually inventoried. In most cases, technologies not connected to corporate networks are either more difficult to attack or do not introduce threats into that environment.
For more information about inventory detection criteria, refer to CORE Detection.
Note: When inventories require updates, the organization must decide how to proceed. This typically includes disconnecting New technologies to add them to the inventory and hardening or removing Old technologies while limiting operational impacts.
Remediation
CORE Remediation defines three key remediation activities in the forms of network architecture security, endpoint/technology configuration, and software vulnerability patching. Each activity utilizes different technology capabilities to provide the data necessary for the SOC to manage overall remediation efforts.
Architecture Secure Configuration
As a component of CORE Remediation, architectures should be securely configured to provide physical and logical boundaries between networks to restrict data from being transferred in one, two, or multiple directions. This form of security allows for increased visibility and control over the communication links between all technologies that exist in the networks.
The SOC needs visibility and control over the network architectures, monitoring the network security devices' logs and utilizing the security functionality to provide automatic protections. Architecture visualizations are a form of a digital twin. This digital twin visualizes the physical and logical architecture design, much like a network drawing. To do this, use a network mapping solution.
Networking mapping solutions are dedicated applications with three features that must be in place to function according to the CORE Operations requirements.
Passive network scanning to detect devices and communication ports, protocols, and services.
Active network device querying to match networking technologies (i.e., layer 2, layer 3, firewalls, and intrusion detection/protection devices) to CORE inventories.
Static network mapping visualizations that can correlate live network traffic with networking devices from the inventory and depict the current network architecture.
These networking mapping tools are commonly used for network administration and security and should be available to the SOC. The additional step necessary to ensure complete end-to-end quality assurance is provisioning a mechanism to ensure automated inventory reconciliation with the network maps. Finally, unlike the inventory solution, this architecture solution relies on queries made to the networking technologies, meaning it is a privileged access technology. This will be considered when designing the SOC technology zones.
The end-to-end SOC solution for architecture configuration management is depicted below.
For more information about architecture detection criteria, refer to CORE Detection.
Note: When architectures require updates, the organization must decide how to proceed. This typically includes deciding the best time to reconfigure or install new boundary protection devices based on security severity and potential operational impacts.
Endpoint Secure Configuration Management
As a component of CORE Remediation, endpoints should be securely configured using security benchmarks like the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG) or the Center of Internet Security (CIS) benchmarks. These benchmarks must be applied to each endpoint through scripting or Active Directory security group policies. Align security policies with inventory groups wherever possible to simplify technology security management. Finally, most commercial software vulnerability scanners support benchmark scanning. Organizations should purchase a solution that can perform both vulnerability and benchmark scanning.
The end-to-end SOC solution for endpoint configuration management is depicted below.
For more information about benchmark scanning and detection criteria, refer to CORE Detection.
Note: When poor security configurations are discovered, the organization must decide how to proceed. This typically includes deciding the best time to reconfigure based on security severity and potential operational impacts.
Software Vulnerability Management
Vulnerability-scanning technologies are highly mature in security, meaning this functionality exists in many organizations today. Organizations that do not have these tools can rest assured that they are easily accessible and not overly complex to figure out. As mentioned in the previous section, organizations can save engineering and licensing fees by procuring vulnerability scanning tools supporting configuration benchmark scanning. This solution is the same as endpoint secure configuration management for this dual purpose, including an additional dashboard for software vulnerabilities.
The end-to-end SOC solution for software vulnerability management is depicted below.
For more information about software vulnerability detection criteria, refer to CORE Detection.
Note: When software vulnerabilities are discovered, the organization must decide how to proceed. This typically includes deciding the best time to apply the security patches based on security severity and potential operational impacts.
DETECTION
All solutions listed in remediation operations are defined in CORE Detect, as these are all tools with a discovery function. The distinction here is that those other activities are proactive within security operations and intend to prevent cyberattacks before they occur. Security operations must also be able to monitor for network intrusions and other indicators of compromise. This is done through specialized tools designed specifically for detecting cyberattacks, notifying security operations, and initiating response activities as quickly, efficiently, effectively, and safely as possible.
These tools are as follows.
Event log and system log collectors and forwarders
Intrusion Protection / Detection Device (IPDS)
Security Information and Events Management (SIEM)
Security Orchestration and Automated Response (SOAR)
CORE ensures that these technologies are aligned with those used for inventory and remediation management. This means that if an organization follows the instructions in CORE, that organization will have integrated security operations.
The end-to-end SOC solution for cyberattack detection is depicted below.
All endpoints forward events or system logs to the Log Collector / Forwarder in the drawing above. This is the same process and solution suggested as support for automated inventory earlier in this section. These logs are typically what are called “flat files.” This means that they are text-based and do not require a lot of bandwidth on the network. Within these technologies is an Intrusion Detection / Prevention Device, a specialized endpoint. These devices can be installed inline on network trunks and between boundaries. They can also be installed on endpoints like the servers that are present. The connection can be automatically dropped if an authorized intrusion is detected when installed and configured.
All logs are forwarded to the SOC SIEM tools for signature-based anomaly detection. SIEMs are consolidators and analyzers that rapidly parse big data and determine if a cyber event has occurred or is occurring. The more sophisticated SOC utilizes the SOAR. A SOAR introduces machine learning that can be configured based on tolerance thresholds to allow for organization-wide response, if necessary. This means that if an intrusion is detected in a branch office on one side of the world, the SOAR can command reconfiguration of all network and endpoint firewalls to add rules to block traffic everywhere else.
Word to the Wise: Security detection and response technologies are highly specialized and costly. This end-to-end model allows organizations to apply the most cost-effective approach for a complete end-to-end automated security response. If the organization cannot afford all technologies, CORE recommends forgoing the SOAR solution. This being stated, open-source technologies are available to provide 100% of this functionality if the organization is willing to spend more on upfront development and integration. Once in place, however, the solution will provide a complete automated response for only the cost of the local staff.
Finally, according to CORE Detect, proactive threat management decisions can be accomplished with SOC solutions designed as such. This includes utilizing the MITRE ATT&CK® framework as a comparative mechanism for anomaly detection and proactive response to activities occurring on endpoints and networks. This proactive threat management process is depicted below as a function of the SOC in the CORE Threat Intelligence Engine.
The above model is designed to prioritize cyberattack-related activities when they are detected. For more information, refer to CORE Detect.
Decision
The decision-making process is enabled with CORE Inventory, Remediation, and Detection, fully integrated into the SOC through technology and automation. Each CORE practice has an automated process and tools, presenting individual dashboards to the security operations teams. This console can look something like what is depicted below.
While this might seem overly simplistic, bear in mind that with visibility into these CORE solutions, the SOC personnel can quickly be notified when these decisions need to be made.
Inventory:
New technologies are detected and decide to harden.
Old technologies are detected and decide to retire.
Remediation:
Network architectures require updates; decide to reconfigure.
Endpoint configurations are not secure; decide to configure.
Software vulnerabilities are discovered; decide to patch.
Detection:
Cyber intrusions are detected; decide to contain them.
Note: Most organizations can benefit from these activities alone as, with the ability to gather the information necessary automatically, technology support teams can focus on anomalous behaviors that require more investigation time instead of wasting time manually running network and endpoint scans.
Summary
Integrating CORE Inventory, Remediation, and Detection into security operations ensures that organizations can build technology security capabilities that provide visibility and control over all technologies. This level of sophistication allows for integrated risk management, threat intelligence platform integration, and fully automated security compliance. Technology security does not have to be difficult, and it isn’t with CORE.
Comentários