Unified Enterprise Security


WHITE PAPER: Advanced Managed Security
Unified Enterprise Security: A Holistic Approach to Integrated, Behavioral-Based Network Security

Table of Contents

Executive Summary
Introduction
The Current Approach to Securing the Network: A False Sense of Security
Defense-in-Depth: The Market's Flawed Attempt to Address APTs
The Real Security Problem: Failure to Connect the Dots
Behavioral-Based Unified Security: A Holistic Approach to Detecting APTs
Masergy Unified Enterprise Security
Masergy Unified Enterprise Security Architecture
Masergy Solutions Overview
Masergy Unified Enterprise Security Configurations
Conclusion
About Masergy

Executive Summary

Internet-based attacks are a serious threat to any public or private organization's information technology systems. Despite a substantial increase in spending on cyber security over the past few years, new and evolving Internet security threats remain widespread, and most cyber defense solutions are woefully inadequate. While many powerful point solutions exist to protect specific pockets of vulnerability, industry analysts agree that the next evolutionary leap in security technology will focus on the development of a systemic cyber security architecture that is capable of providing true subsystem integration of disparate security applications within a unified threat management system.

Masergy's Unified Enterprise Security (UES) is the industry's first fully integrated, network behavior analysis and correlation-based security platform. It is the premier threat management system on the market today because it is the only unified offering that combines the integration properties of a security architecture with the adaptive and predictive data sharing, tracking and analysis capabilities of a network behavior analysis and correlation engine. Masergy's UES solution provides true subsystem integration of industry-proven security applications (network behavior analysis and correlation; intrusion detection and prevention; vulnerability scanning and management; log management, analysis and monitoring; network access and policy monitoring; and comprehensive threat management for prioritized network, global and vendor threats and vulnerabilities) within a multi-layered, 21st century security architecture that spans premise-based, cloud and hybrid network environments. Finally, there is a unified security solution that works anytime, anywhere your business operates.
Introduction

In an era of increasing regulatory compliance, where the level of investment in best-of-breed corporate IT security technology is significantly higher than in any previous year, CIOs, security chiefs and IT leaders are asking the same question: why are high profile security breaches still so prevalent? To answer that question, one need only review the data. Consider, for example, the recently published Verizon 2014 Data Breach Investigations Report. It found that, for 95% of all breaches, readily available evidence existed in an organization's logs that it had been breached or was in the process of being breached. More importantly, the same report also found that:

- The time to compromise is shortening because of APTs' ability to infiltrate.
- The time to discovery once a network has been compromised is increasing because APTs are designed to evade detection.
- The majority of breaches were discovered by a third party or law enforcement, not by the organization that was breached.
- Many organizations were deemed to be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
- Less than 10% of these organizations discovered the breach on their own.

These are shocking statistics, especially when you consider that IT security budgets rose to 7.9 percent and global IT security spending climbed to a total of $71.1 billion [1]. With continuously evolving attack profiles and too many disparate applications and appliances requiring updates on a daily basis, it is virtually impossible for network administrators to stay ahead of the curve. This paper will highlight the flaws of a best-of-breed approach to network security, the underlying causes of recent high profile security breaches, and the emergence of Unified Enterprise Security, a comprehensive, holistic approach to network security integration.

The Current Approach to Securing the Network: A False Sense of Security

Postmortem analysis by Verizon Business investigators of the underlying causes of security breaches found that the technology employed, the processes in place, or (unintended) dereliction of duty were often the main causes [2]. These findings are understandable given the current state of the network security market, where corporate IT security teams are challenged to implement their network security posture by cobbling together discrete security appliances and applications from a myriad of competing security companies. Such solutions focus on specific aspects of network security, leaving the IT department responsible for selecting, integrating, managing, monitoring and correlating discrete security events, alerts, logs and reports into actionable security threats. To better understand the underlying reasons for these challenges, let's take a closer look at the typical approach organizations are taking to secure their enterprise.

[1] Gartner: Don't Be the Next Target: IT Security Spending Priorities
[2] Verizon: 2014 Data Breach Investigations Report

Most organizations focus on four main areas of network security:

1. Perimeter defenses (firewalls, intrusion prevention devices, etc.)
2. Log management
3. Vulnerability management
4. Endpoint security

On the surface, a focus on these four defense disciplines seems to be a reasonable approach to securing an organization's network. After all, most highly respected data security standards (PCI, SOX, HIPAA, NERC CIP, NCUA, FISMA, SANS, etc.) require these four basic functions in their directives. However, a closer examination reveals some serious deficiencies.

Perimeter Defenses: Beyond provisioning a firewall (FW), the primary network security appliance deployed on virtually every organization's network is an intrusion prevention system (IPS). An IPS is a network security appliance that monitors network and/or system activities for malicious activity. The main functions of an intrusion prevention system are to identify malicious activity, log information about that activity, attempt to block or stop it, and then report what was detected. It is important to understand that there are two primary types of underlying technology used in an IPS:

1. Signature-Based Detection: This method uses preconfigured, predetermined attack patterns (signatures). A signature-based IPS monitors network traffic for matches to these signatures and, once a match is found, takes the configured action. Signatures can be exploit-based or vulnerability-based. Exploit-based signatures match patterns that appear in the exploits being protected against, while vulnerability-based signatures describe the vulnerable program, its execution, and the conditions needed to exploit the vulnerability, so that they can match variants of an exploit rather than one specific instance.

2. Stateful Protocol Analysis Detection (SPAD): This method identifies deviations from expected protocol states by comparing observed events with predetermined profiles of generally accepted definitions of benign activity. It is still a signature (a predefined profile of what acceptable traffic looks like), though IT organizations often consider SPAD to be something different altogether. It reduces false positives, but it provides no more protection against attacks that conform to the protocol profile, and it can still be evaded.
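The difference between the two methods, as an added example that is not code from the paper or from any IPS vendor: a handful of constructed exploit-based byte signatures, and a simplified stateful profile of SMTP command order and argument length. The HTTP requests, the SMTP command streams, the signature patterns and the 512-byte argument limit are all assumptions made for the illustration.

```python
"""Signature matching vs. stateful protocol analysis on constructed traffic.

Added example, not code from the paper or from any IPS vendor. The patterns,
the SMTP profile and the sample traffic are all made up for the illustration.
"""
import re
from urllib.parse import unquote

# Exploit-based signatures: literal byte patterns taken from the form an
# attack is expected to arrive in (constructed, not a vendor ruleset).
SIGNATURES = {
    "http-path-traversal": re.compile(rb"\.\./\.\./"),
    "http-cmd-injection": re.compile(rb"[;|]\s*(cat|wget|nc)\s"),
}


def signature_detect(payload: bytes, normalize: bool = False) -> list[str]:
    """Return the names of signatures found in the payload.

    Without normalization the match is on the raw bytes, so URL-encoding the
    pattern hides it; with normalization the decoded form is inspected.
    """
    if normalize:
        payload = unquote(payload.decode("latin-1")).encode("latin-1", "replace")
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


# Stateful protocol analysis: a predetermined profile of benign SMTP command
# order and argument size. Simplified: the message body after DATA is not
# modelled, and RSET/NOOP/QUIT are accepted in any state.
ALLOWED_NEXT = {
    "INIT":    {"HELO", "EHLO"},
    "GREETED": {"MAIL"},
    "MAIL":    {"RCPT"},
    "RCPT":    {"RCPT", "DATA"},
}
NEXT_STATE = {"HELO": "GREETED", "EHLO": "GREETED", "MAIL": "MAIL",
              "RCPT": "RCPT", "DATA": "GREETED"}
ANY_STATE = {"RSET", "NOOP", "QUIT"}
MAX_ARG_LEN = 512   # assumed profile limit (RFC 5321 caps a command line at 512 octets)


class SmtpSession:
    """Walks one client's command stream against the profile and records deviations."""

    def __init__(self) -> None:
        self.state = "INIT"
        self.alerts: list[str] = []

    def feed(self, line: str) -> None:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb not in ANY_STATE and verb not in ALLOWED_NEXT[self.state]:
            self.alerts.append(f"{verb} out of state {self.state}")
        if len(arg) > MAX_ARG_LEN:
            self.alerts.append(f"oversized argument to {verb} ({len(arg)} bytes)")
        self.state = NEXT_STATE.get(verb, self.state)


def analyze_smtp(lines: list[str]) -> list[str]:
    """Run a whole command stream through the profile and return its alerts."""
    session = SmtpSession()
    for line in lines:
        session.feed(line)
    return session.alerts


if __name__ == "__main__":
    traversal = b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0"
    print("raw match:       ", signature_detect(traversal))
    print("normalized match:", signature_detect(traversal, normalize=True))
    print("out of order:    ", analyze_smtp(["EHLO mail.example", "DATA", "MAIL FROM:<a@example>"]))
    print("conformant:      ", analyze_smtp(["EHLO x", "MAIL FROM:<a@b>", "RCPT TO:<c@d>", "DATA", "QUIT"]))
```

Three outcomes are worth noting. The raw signature misses the URL-encoded traversal until the payload is normalized before matching, which is the evasion the paper refers to. The protocol profile catches a DATA command sent before MAIL FROM and an oversized argument. A session that follows the expected command order produces no alert at all, whatever the message body carries, which is the sense in which the profile is just another predetermined signature.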

Both of these detection methods are predicated on the notion that loading a small subset (approximately 1,500) of detection scenarios (signatures) from a large library (over 60,000) is the only effective means available to identify malicious activity. At 1,500 of 60,000, this leaves the organization 97.5% exposed to known attack methods and 100% exposed to new, emerging threats. To compound the problem, most organizations rely heavily on the IPS manufacturer to select the subset of signatures to load from its library. One has to wonder how an IPS manufacturer decides which signatures to select when it has no idea what each organization's network vulnerabilities are. Obviously, network vulnerabilities vary greatly from one organization to the next, and IPSs are not designed to detect network vulnerabilities. Given that less than 2.5% of the signature library can be loaded at one time, what is the likelihood that the right set of signatures will be selected?

There are other concerns as well. NSS Labs reports that 85% of the IPS signatures loaded are typically disabled from blocking (left in detect-only mode) because of high false positive rates. When you consider that IPSs are marketed and sold as prevention devices but deployed in a mode in which most of their signatures do not block, it is clear that IT organizations have been lulled into a false sense of security. Further, IPSs are deployed at the edge of the network, where traffic flows to and from the Internet, leaving the inside of the network unmonitored and unprotected. Protecting only the perimeter assumes that there is no other means of entry into the network, which ignores mobile devices and removable media (laptops, phones, USB drives, DVDs, etc.). It also ignores the fact that users have direct access to the Internet from inside the network, which provides an encrypted connection (HTTPS) directly into the middle of the network and the stealthiest means (e.g. Advanced Persistent Threats) to bypass the organization's perimeter defenses. Given the above, when you think about the industry's reliance on IPSs to secure networks, the approach seems so hopelessly flawed that it is a wonder it ever made it to market or became so pervasive. Regardless, it is what is in use today, and it provides a very compelling argument for considering a different approach.

Log Management: Most organizations collect and archive system logs (syslog) in compliance with data security standard directives such as PCI, SOX, HIPAA, NERC CIP, NCUA, FISMA, or SANS. Since virtually all network elements (firewalls, switches, routers, production servers, third-party security appliances, etc.) produce syslog events, the objective of log management is to collect, retain, and regularly (daily) review logs as a means of identifying unauthorized, irregular, or malicious activity. While there is little doubt that log information is useful in determining what has already occurred, the notion of relying on historical log information to detect an attack in progress is undermined for several reasons:

1. Log analysis relies on the reporting device's detection capability. For example, when a threat successfully bypasses perimeter defenses (as previously discussed), there typically will NOT be a log event generated. Reliance on log information alone is therefore limited to what the logging devices are able to see.
2. Logs tend to be voluminous. A single firewall is capable of generating 1,000,000 events each day. Since most organizations collect logs from hundreds or thousands of devices (firewalls, IPSs, production servers, network infrastructure, etc.), adequately reviewing these logs daily becomes unrealistic.
3. Though SIEMs can correlate log events to identify an incident, most IT departments lack the expertise to implement and maintain the correlation rules (heuristics).
4. Logs are historical in nature, and fairly useful for post mortem analysis of a breach. However, some modern attack vectors are designed so that no log entry records the fact that the malware/APT has established itself on the host.

Vulnerability Management (VSM): In compliance with most data security standards (PCI, SOX, HIPAA, NERC CIP, NCUA, FISMA, etc.), most organizations perform periodic vulnerability assessments to identify weaknesses in their network security posture, with the intent to remediate as time permits. There are a number of types of vulnerability scanners available today, distinguished from one another by a focus on particular targets. While functionality varies between different types of vulnerability scanners, they share a common core purpose of enumerating the vulnerabilities present in one or more targets. Vulnerability scanners are a core technology component of vulnerability management. While most vulnerability scanners are very good at detecting vulnerabilities, several challenges undermine their usefulness:

1. Vulnerability scanning should be performed on a weekly basis to ensure that new vulnerabilities are identified and remediated before emerging threats are able to take advantage of them. However, since vulnerability scanners are typically priced by the number of IPs and the frequency of scans, IT organizations tend to use them sparingly in an effort to economize.
2. Scan reports contain a mountain of vulnerabilities to remediate, with no prioritized list and no relevance to the threats currently seen on the network. Given that IT organizations are undermanned and underfunded, the effort to remediate detected vulnerabilities typically takes a back seat to maintaining business services.
3. Vulnerability management reports are NOT consumed by third-party security devices (IDS, IPS, etc.), and consequently those devices provide no compensating controls for the vulnerabilities found.

Endpoint Security: The last line of defense for most organizations is endpoint security. Virtually all customers deploy some form of antivirus/anti-malware software on PCs, laptops, and their trusted computing base (TCB). Some customers have also deployed host intrusion detection/prevention agents (HIDS/HIPS) on TCB servers. Beyond antivirus/anti-malware software, a much smaller percentage of customers (<15%) employ a more sophisticated endpoint security solution designed to validate endpoint security compliance before allowing client machines access to the network. Here too there are serious challenges, as Advanced Persistent Threats (APTs) are purposely designed to use zero-day exploits and polymorphism to evade signature-based detection, and then infiltrate systems by exploiting the inherent trust between operating system components. As a result, it is well documented that endpoint security solutions catch less than 30% of malware.

Lastly, we must also address the risks introduced by the end user. With the proliferation of the web and social media, users are one click away from compromising their desktop. When you consider that laptops operate outside corporate network defenses, users are even further exposed. In an era of mobile computing, employees visit questionable websites and use free software associated with social media and web applications, which provide fertile ground for the introduction of malware that is then hand-carried inside the network when they return to work.

The deficiencies of the current approach to network security can be no better evidenced than by the rise of advanced persistent threats (APTs) in recent years. APT is a label commonly applied to any breach that seemingly emerges from within an organization's network by targeting the path of least resistance: the mobile end user. Once the APT is hand-carried into the middle of the network on a compromised laptop, it is able to spread peer-to-peer, roam around the network undetected, and stealthily establish an encrypted connection back to the attacker's command and control site. While APTs are generally associated with many high profile breaches (Home Depot, USPS, Target, etc.), they are far more prevalent than you might think: in a 2013 survey conducted by the Information Systems Audit and Control Association (ISACA), one in five enterprises reported having experienced an APT attack. This growing awareness of APTs throughout the IT industry has inspired organizations to augment traditional defenses with advanced threat protection (ATP) solutions as part of a Defense-in-Depth strategy.

Defense-in-Depth: The Market's Flawed Attempt to Address APTs

As previously discussed, there are many challenges with the current approach of securing a network with best-of-breed point solutions alone.
In response, the marketplace has introduced several additional point solutions that attempt to address some of these shortcomings under a strategy of Defense-in-Depth. The idea behind the defense-in-depth approach is to defend a system against any particular attack using several independent methods. It is a layering tactic, promoted by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.

Defense-in-Depth is originally a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time. In IT, the placement of protection mechanisms, procedures and policies is intended to increase the dependability of a system, with multiple layers of defense preventing espionage and direct attacks against critical systems. The challenge for Defense-in-Depth is that it relies on the efficacy of the underlying security applications to detect security events and report upstream to a master controlling entity (presumably a SIEM) that will then analyze and correlate these disparate events into a deterministic incident. As previously discussed, this notion is undermined by the inherent limitations of disparate, perimeter-focused, signature-based solutions.

In response to the shortcomings of these signature-based solutions, the marketplace has introduced a number of promising solutions and technologies intended to augment the traditional point solutions currently in place, in support of the defense-in-depth approach. While these product introductions seem to hold great promise initially, they have all come up short in the wake of the constantly evolving advanced malware development community. Let's take a look at some of these noble attempts to address Advanced Persistent Threats (APTs):

Network Sandboxing solutions such as Damballa and FireEye are designed to detect infiltration from targeted attacks after the attack is already in the network. Unfortunately this does not stop or remediate threats to endpoints, and it requires expert-level security personnel to continuously monitor reported events. Breach-detection systems also require constant tuning to ensure that IT security staff are not overwhelmed with alerts, which was reported to be the case when Target Corporation was breached despite its use of a breach-detection product from FireEye. This may necessitate adding highly trained staff who can dedicate time to the product, adding to its overall cost [3]. Further, advanced malware developers have become adept at detecting sandbox environments and employ polymorphism to escape the sandbox undetected. The Target breach illustrates the practical limit of this approach: as noted above, the breach-detection product did raise alerts, but they were buried among many others and not acted on in time.

Software Sandboxing solutions such as Invincea, Sandboxie, and Trustware create sandbox environments within the Windows operating system to contain the execution of untrusted applications. They do so by restricting the memory and file system resources of the untrusted application and intercepting system calls that could lead to access to sensitive areas of the protected system. However, advanced malware can escape a sandbox by exploiting kernel-mode vulnerabilities, and user-mode malware that escapes a sandbox can raise its privileges and disable or bypass other forms of endpoint protection to compromise the endpoint, including data theft.

Web Content Filtering (WCF) solutions are intended to block access to known malicious websites in an effort to protect against web exploits and Trojan attacks. However, they only block known malicious addresses, and protection is diminished for mobile users and partners accessing the network.

Network Access Control (NAC) is meant to ensure that only trusted systems access the network, to quarantine vulnerable systems, and to enforce network segmentation as designed. However, NAC tends to be too complex to deploy and manage, false quarantines are very common, and NAC does not address remote and mobile users very well.

Hardware-enhanced detection solutions such as McAfee's Deep Defender load as a boot driver and check for rootkit behaviors before the operating system loads. While this method is fairly effective at detecting and blocking some kernel-mode rootkits, it does NOT block user-mode rootkits. Additionally, the hardware-enhanced detection process places a significant burden on the processor while providing only limited protection.

Application Whitelisting solutions control which applications are allowed to install and run on an endpoint by matching programs against a database of sanctioned applications (the whitelist). While whitelisting can be an effective way to block execution of malicious executables, it prevents users from downloading and using new tools and programs without IT involvement, is not integrated with other security tools, and makes it difficult to keep up with business process changes. Thus, application whitelisting tends to be more effective for trusted computing base (TCB) servers, where changes are manageable, and it remains largely unusable on end-user systems.

Security Information / Event Management (SIEM) is a key component of the defense-in-depth strategy. In a security posture comprised of many discrete point solutions, the SIEM is supposed to collect and analyze the log events of all subordinate devices using complex, user-specified heuristics. Though SIEMs can provide real-time security operations center (SOC) alerting, they are completely reliant on each point solution's ability to detect and report meaningful events. Given the inherent flaws identified earlier in this paper, SIEMs are simply unable to report on events missed by best-of-breed point solutions. Thus, SIEMs tend to generate enormous amounts of historical data that must be interpreted into actionable intelligence. Since most IT organizations lack the skills to develop and maintain the SIEM heuristics required to produce actionable intelligence, most SIEMs are eventually relegated to being nothing more than very expensive log management repositories.

[3] TechTarget: "Breach-detection systems growing more popular despite high costs," by Brandon Blevin, November 18

The Real Security Problem: Failure to Connect the Dots

Beyond the limitations of each of these point solutions, there are additional considerations worth mentioning. An all too common misconception is that a network breach is a singular event that occurs during a brief period of time. In reality, Verizon Business investigators found that 82% of successful breaches were preceded by a series of reconnaissance activities, intentionally spanning days, weeks and even months in an effort to avoid detection. These intrusion detection evasion techniques bypass detection by creating different states on the perimeter defenses and/or on the targeted internal servers. The attacker accomplishes this by manipulating either the attack itself or the network traffic that carries it. In this manner, attackers slowly develop the techniques, methods, and even the timing needed to successfully breach perimeter defenses. Even though much of this reconnaissance activity can be detected by existing defenses, it tends to be overlooked because:

1. The number and frequency of these events appear to indicate a cessation of hostile activity, leaving the IT staff with the impression that existing defenses are working, or
2. They simply go unnoticed because of inadequate security monitoring.

Simply put, the primary reasons high profile security breaches are still so prevalent are these:

- There are too many vendors, too many disparate security systems, and too many alerts with not enough actionable root-cause and resolution information.
- With most security solutions, there is no way to connect the dots between an impending attack and its related reconnaissance activity, which can be spread days, weeks, and even months apart.
- Most security solutions are reactive and focused on explaining what happened, instead of tracking reconnaissance activity over long periods of time and detecting threats before a breach occurs.
- An attack is a complex series of events, and unless someone is monitoring the system, an attack will likely go unchecked.

In addition, the organizational resources needed to operate successfully in such an environment further stress IT departments that are already challenged with squeezing the most out of minimal security budgets. These disparate product, process and budget issues are contributing to a growing movement within the security industry, one that supports the convergence of security requirements as part of an extensible systemic architecture. It is this type of approach that analysts believe will enable disparate applications to be seamlessly integrated into a single system, with unified administration, operations and reporting.

Behavioral-Based Unified Security: A Holistic Approach to Detecting APTs

The concept of a systemic, architectural approach to network security is increasingly gaining traction among leading security companies. There is also a growing realization that perimeter-focused, signature-only detection cannot adequately address the current state of network security attacks. A behavioral approach to deep packet analysis is now a requirement in order to address zero-day attacks and compensate for the limited number of signatures that IDS/IPS appliances can actually load.

THE CHALLENGE: IN SEARCH OF A FRESH APPROACH

One of the most important developments in the evolution of cyber security is the growing acceptance that cyber attacks will continue to evolve and successfully evade traditional detection methods. The notion that we can study successful network security breaches and malware, identify their specific behaviors and attributes (digital signatures), and then interrogate real-time network traffic for those signatures is so hopelessly flawed that it is almost funny. Not only is it unrealistic to compare traffic against all known signatures (60,000+); the ability of attackers to simply modify their behavior, and so alter the digital signature, renders the method impotent. Even sandboxing and anomaly detection techniques are narrowly applied to identify deviations from rigidly defined behaviors such as communications protocols, while totally ignoring the complexities of human behavior. Understanding this, cyber attackers intentionally space out related reconnaissance activities, modify their techniques, and use multiple attack platforms to routinely evade detection. Further, both signature and anomaly detection methods are unable to deal with the complex behaviors unwittingly introduced via social engineering techniques, mobile computing, and an ever-increasing array of portable communication devices. Therefore, a new detection method capable of analyzing complex systems is required to overcome the limitations of traditional signature, sandboxing, and anomaly detection methods. A better method would be a system able to detect emerging behaviors within an unknown population sample, where normal and abnormal behaviors are not known in advance yet are discernible.

THE BASIS OF EMERGENT BEHAVIOR DETECTION: EXPECT THE UNEXPECTED

The basis for emergent behavior detection is the simple understanding that if you go in looking for specific signatures and behaviors, you are likely to find only what you are looking for. Conversely, you are likely to overlook new signatures and/or behaviors you have not anticipated. Basically, when you are trying to anticipate an adversary's next move, it is wise to expect the unexpected.
THE ADVANCED PERSISTENT THREAT (APT): AN ESCALATION OF THE CYBERSECURITY ATTACK

An advanced persistent threat (APT) is a network attack in which an unauthorized party gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry. Companies such as Sony, Apple, Target, Home Depot, USPS, and Chase Financial have all become victims of APTs. In a simple attack, the intruder tries to get in and out as quickly as possible in order to avoid detection by the network's intrusion detection system. In an APT attack, however, the goal is not to get in and out but to achieve ongoing access. To maintain access without discovery, the intruder must continuously rewrite code and employ sophisticated evasion techniques such as polymorphism. Some APTs are so complex that they require a full-time administrator. An APT attacker often uses spear-phishing, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a back door, gathers valid user credentials (especially administrative ones), and moves laterally across the network installing more back doors. The back doors allow the attacker to install bogus utilities and create a ghost infrastructure for distributing malware that remains hidden in plain sight.

14 TRADITIONAL SECURITY APPLICATIONS ARE INSUFFICIENT Although APT attacks are difficult to identify, the theft of data can never be completely invisible. While some might then be drawn to conclude that anomaly detection would be sufficient to detect APTs, the post mortem forensic analysis of APTs clearly indicates a working knowledge of traditional anomaly detection methods and techniques, and the ability to evade detection. Traditional anomaly detection is based upon linear systems theory. Where superposition theory is valid for linear systems, APTs are complex systems that mix specialized utilities and human behavior. Since systems engineers like to divide and conquer in order to work on complexity at a more manageable level through decomposition, evasion is possible by avoiding common behaviors. Additionally, systems engineers like to study the behavior of the elements in order to understand the behavior of the system through reconstruction. However, none of this is valid when dealing with non-linear (or complex) systems, and the developers of APTs know this. EMERGENT BEHAVIOR ANALYSIS THEORY By definition, APTs are best characterized as emergent behavior. By the philosophy as well as the science of systems theory, emergence is the way complex systems and patterns arise out of a multiplicity of relatively simple interactions. Therefore, emergent behavior is that which cannot be predicted through analysis at any level simpler than that of the system as a whole rendering traditional anomaly detection methods impotent. Better stated, emergent behavior, by definition, is what s left after everything else in a complex system has been explained. 
Recognizing that a complex network is a form of self-organizing system, Masergy's network behavioral analysis technology uses advanced analysis techniques, including isomorphic connectivity patterns in state spaces, evolutionary combinatorial optimization theory and particle swarm optimization theory, to find the high-level network activities that emerge from complex systems operating within defined rule sets. This provides a higher-level set of meta-data that can be used to find unusual or altered operation of the lower-level systems that make up the whole, allowing detection of the very low-level activities that are the indicators of an APT.

Masergy Unified Enterprise Security

To address these challenges, Masergy has developed a security solution that combines the exceptional integration capabilities of a security architecture with the adaptive and predictive data sharing, tracking and analysis capabilities of a network behavior analysis and correlation engine. This uniquely integrated approach is at the heart of Masergy's Unified Enterprise Security (UES) solution, and enables all security applications to take advantage of patented, leading-edge behavioral technology. Other advantages of the UES architecture, namely a single console and unified reporting, administration and operational ease-of-use, make this technology particularly attractive to overburdened and under-resourced IT departments.

The Unified Enterprise Security architecture provides an extensible platform to incorporate ever-expanding security applications. In fact, Masergy has leveraged the UES architecture to incorporate several new security applications, including behavioral network access policy monitoring, log management and monitoring, and emerging Cloud security applications. Further, Masergy's Unified Enterprise Security architecture is very cost-effective since it overlays and complements a company's existing network security infrastructure. This modular approach allows customers to mix-n-match applications, adding modules over time as needed, which helps to maximize their current security investment.

Masergy Unified Enterprise Security Architecture

True Subsystem Integration

Masergy's Unified Enterprise Security product portfolio enables true subsystem integration and intelligent, adaptive information sharing/correlation of detected threats and alerts with detected vulnerabilities between all application subsystems and appliances. It is this level of architecture-based integration that provides long-term context to threats and enables early warnings of threats and attack reconnaissance that other solutions cannot see. Industry-proven application modules (network behavior analysis and correlation; intrusion detection and prevention; vulnerability scanning and management; log management, analysis and monitoring; network access and policy monitoring; and comprehensive threat management for prioritized network, global and vendor threats and vulnerabilities) can be deployed as part of a complete security infrastructure, or they can be added incrementally, over time, as an organization's business and network requirements change. Further, Masergy's holistic approach to compliance ensures that customers can efficiently achieve and maintain ongoing regulatory compliance within their unique vertical markets, whether it's for PCI, SOX, HIPAA, NERC CIP, NCUA or FISMA standards.

At the heart of UES is a proprietary behavioral correlation engine that is the foundation upon which all other applications are built. This basic tenet of UES enables each security application to leverage the rich data derived from the correlation of weeks of raw packet data, detected vulnerabilities, signature detection applications, posted vendor alerts, globally detected threats, logs from 3rd party security devices, and network access policy violations.

Figure: Unified Enterprise Security Software Architecture

A true behavioral analysis and correlation requires:
- Packet data, IDS/IPS alerts, scans, vendor threats and tracked resources are data feeds to be analyzed and correlated continuously, and tracked over long periods of time.
- Use of raw packet data rather than log files for behavioral analysis. Packets have more data for analysis.
- Data is used for analysis spanning days, weeks and months, which is necessary to correlate seemingly discrete events intentionally spaced out to avoid detection. The longer the timeframe, the better the analysis can be.
- Analysis is relative to an individual network and adapts to that network. A behavioral system becomes customized to that network without human intervention.
- A behavioral system has learned intelligence, can measure increasing hostility from progressive reconnaissance activity, and can predict behaviors that enable it to track developing threats leading up to a breach.
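The requirements above, as an added illustration that is not Masergy's code: a small Python tracker that learns which sources normally talk to which resources from the network itself, keeps a long (90-day) history so that probes spaced weeks apart still add up into a rising reconnaissance score, and correlates an IDS alert with a scanner-reported vulnerability on the targeted port. The flow records, addresses, signature name and vulnerability identifier are constructed sample data, and flow records stand in for the raw packet data the paper describes; the 7-day comparison at the end shows why a short window misses the spaced-out probes.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    """One observed connection; in the real system this would be derived from captured packets."""
    day: int                         # day index on the observation timeline
    src: str
    dst: str
    dport: int
    ids_alert: Optional[str] = None  # IDS signature name if a sensor flagged this traffic


@dataclass
class Alert:
    day: int
    src: str
    kind: str
    detail: str


class BehaviorTracker:
    """Learns a per-network baseline, then tracks every source over a long window."""

    def __init__(self, learning_days=14, window_days=90, recon_threshold=3):
        self.learning_days = learning_days
        self.window_days = window_days
        self.recon_threshold = recon_threshold
        self.known_hosts = set()          # sources seen during the learning period
        self.known_pairs = set()          # (src, dst, dport) seen during the learning period
        self.history = defaultdict(list)  # src -> [(day, dst, dport)], kept across the window
        self.vulns = {}                   # (host, port) -> vulnerability id from the scanner
        self.alerts = []

    def load_scan(self, results):
        """Ingest scanner output as (host, port, vulnerability id) tuples."""
        for host, port, vuln_id in results:
            self.vulns[(host, port)] = vuln_id

    def recon_score(self, src, day):
        """Distinct resources src touched within the window that are outside its baseline.
        Probes spaced weeks apart still accumulate because the window is long."""
        novel = {(dst, dport) for d, dst, dport in self.history[src]
                 if 0 <= day - d <= self.window_days
                 and (src, dst, dport) not in self.known_pairs}
        return len(novel)

    def observe(self, f):
        self.history[f.src].append((f.day, f.dst, f.dport))
        if f.day <= self.learning_days:
            # learning phase: the network itself defines what is normal, no hand-written rules
            self.known_hosts.add(f.src)
            self.known_pairs.add((f.src, f.dst, f.dport))
            return
        if f.src not in self.known_hosts:
            self._alert(f, "unknown_host", f"{f.src} has no history on this network")
        elif (f.src, f.dst, f.dport) not in self.known_pairs:
            self._alert(f, "resource_violation",
                        f"{f.src} has never accessed {f.dst}:{f.dport} before")
        score = self.recon_score(f.src, f.day)
        if score >= self.recon_threshold:
            self._alert(f, "recon_escalation",
                        f"{score} new resources probed within {self.window_days} days")
        vuln = self.vulns.get((f.dst, f.dport))
        if f.ids_alert and vuln:
            # signature hit on a port the scanner already reported vulnerable: top priority
            self._alert(f, "correlated_threat",
                        f"{f.ids_alert} against {f.dst}:{f.dport} matches {vuln}")

    def _alert(self, f, kind, detail):
        self.alerts.append(Alert(f.day, f.src, kind, detail))

    def kinds_for(self, src):
        return [a.kind for a in self.alerts if a.src == src]


# Constructed sample data: one scanner finding (placeholder id, not a real CVE) and a timeline
SCAN_RESULTS = [("10.0.1.20", 443, "VULN-PLACEHOLDER-1")]


def build_timeline():
    flows = []
    for day in range(1, 15):  # two weeks of normal traffic to learn the baseline from
        flows.append(Flow(day, "10.0.0.5", "10.0.1.20", 443))
        flows.append(Flow(day, "10.0.0.6", "10.0.1.21", 22))
    flows += [
        Flow(20, "10.0.0.5", "10.0.1.21", 22),     # known host starts probing, 15 days apart
        Flow(21, "192.0.2.10", "10.0.1.20", 443, ids_alert="WEB-MISC suspicious CGI request"),
        Flow(35, "10.0.0.5", "10.0.1.22", 445),
        Flow(50, "10.0.0.5", "10.0.1.23", 3389),
    ]
    return sorted(flows, key=lambda f: f.day)


def run(window_days=90):
    tracker = BehaviorTracker(window_days=window_days)
    tracker.load_scan(SCAN_RESULTS)
    for f in build_timeline():
        tracker.observe(f)
    return tracker


if __name__ == "__main__":
    for a in run(90).alerts:
        print(f"day {a.day:>2} {a.src:<12} {a.kind:<20} {a.detail}")
    # the same probes seen through a 7-day window never reach the escalation threshold
    print("escalated with 7-day window:", "recon_escalation" in run(7).kinds_for("10.0.0.5"))
```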

Architecturally Layered Security Applications

It's important not to mistake Unified Enterprise Security for a SIM or SEM (SIEM) implementation. A SIEM is a noble attempt to integrate a collection of security appliances that were never intended to work together. Consequently, they don't. The SIEM approach has proven to be a complex, limited and expensive approach to very loose integration, which has relegated most SIEMs to nothing more than log management platforms.

The Unified Enterprise Security offering is not the aggregation of log information from disparate security appliance logs/alerts. Instead, it provides twelve (12) unparalleled layers of fully integrated security:

1. 100% PASSIVE SECURITY IMPLEMENTATION introduces absolutely no additional network latency and no single point of failure. In practice, network traffic is mirrored to detection devices, allowing easy installation without disruption to network activity.

2. EXTERNAL INTRUSION DETECTION & PREVENTION detects increasing external hostility from reconnaissance activities, external threats and other malicious traffic.

3. INTERNAL INTRUSION DETECTION & PREVENTION is designed to automatically align signatures with detected CVEs from the latest vulnerability scan report. It monitors potentially suspicious employee activity, evidence of malware infections and security policy violations.

4. NETWORK BEHAVIOR ANALYSIS AND CORRELATION analyzes and correlates all suspicious network traffic received from both internal and external IDS sensors, spanning days, weeks and months. It detects sophisticated intrusion evasion techniques, anomalous patterns and even new stealth attack methods for which there are no published signatures.

5. BEHAVIORAL-BASED NETWORK ACCESS POLICY CONTROL & MONITORING behaviorally detects and blocks both internal and external access policy violations in real time. This capability uses information shared between the intrusion detection and network behavior analysis subsystems to secure critical assets without deploying any additional hardware or host agent software.

6. UNIFICATION OF EXISTING SECURITY INFRASTRUCTURE provides real-time monitoring of 3rd party security events and automatic or manual blocking of malicious traffic via native integration with all commercially available firewalls, switches and routers.

7. NETWORK RESOURCE VIOLATION MONITORING raises resource violation alerts automatically when unrecognized IP addresses (internal or foreign) are detected, and/or when a well-known IP address attempts to access a device it has no history of accessing.

8. INTEGRATED VULNERABILITY SCANNING & REPORTING provides automated vulnerability scanning of the network infrastructure, critical assets, application servers, client PCs, etc. Detected vulnerabilities are then shared with other subsystems for real-time correlation.

9. REAL-TIME CORRELATION OF SUSPICIOUS NETWORK TRAFFIC WITH DETECTED VULNERABILITIES: activity reported by the integrated vulnerability scanner subsystem is automatically shared with the intrusion detection, threat management, network behavioral analysis and network access control subsystems for real-time correlation between disciplines. This capability adds context to potential threats that would otherwise go unnoticed.

10. COMPREHENSIVE REAL-TIME LOG ANALYSIS, ARCHIVAL AND MONITORING processes log events from firewalls, switches, routers, 3rd party security devices and application servers using sophisticated policy-based rules to detect anomalous events, security policy violations, changes to account privileges and the like.

11. LOG MANAGEMENT AND ARCHIVAL functionality, including comprehensive log searching, reporting and 2.0TB of network attached storage (NAS), is available to help meet regulatory compliance.

12. COMPREHENSIVE THREAT MANAGEMENT automatically detects, correlates and prioritizes detected network threats, global threats and posted vendor threats against detected vulnerabilities. The resulting prioritized threat remediation list is designed to focus IT remediation teams on the most pressing threats to network security, providing detailed remediation steps, links to patches, vulnerability reports, CVEs, etc. The system is also designed to provide a complete graphical rendering of your entire network security posture, which is automatically updated once the system has empirically verified that the requisite remediation has been completed.

For those organizations following the widely accepted defense-in-depth network security strategy, Masergy's Unified Enterprise Security portfolio economically delivers a security layer that augments and holistically provides oversight of an organization's security environment without the need to uproot or disrupt its existing security infrastructure. This self-reliant approach combines real-time flexibility, long-term correlation and historical trending, with no maintenance or security business intelligence requirement. This revolutionary behavioral approach is quickly becoming the industry standard for next generation network security architectures.

Masergy Solutions Overview

As previously mentioned, the Unified Enterprise Security system is built from the ground up using a modular systemic architecture. It provides a simple and affordable migration strategy because it allows for extensive customization. For example, a customer may initially choose to mix-n-match components to address gaps or holes in their security posture, then add applications or components incrementally, over time, in response to their evolving network environment.

UNIFIED ENTERPRISE SECURITY - MIX-N-MATCH SOLUTIONS

Available in virtual appliance (VMware enabled), physical appliance or hybrid configurations, this modular approach enables Masergy to cost-effectively introduce new components/applications that address new and emerging security threats, enabling a company to keep its security infrastructure up to date. The core Unified Enterprise Security components include:

MASTER CONTROL UNIT

The MCU module is a browser-based monitoring console, signature server, cluster manager and Web server that utilizes plug-and-play installation. It contains the custom Web portal that houses all the reports and graphs for the appliance suite, including the security dashboard, intrusion detection and vulnerability scanning reports. The Security Risk Management (SRM) Managed Services can also be provisioned through the MCU for thorough and economical risk management on demand.

The Master Control Unit (MCU) is available in three models: the M-4000-V virtual appliance software for VMware enabled environments, as a software component of the N-2520-S All-n-One Security Module (ASM), or the M-4000-G 1U appliance for typical 10/100/1000Mb networks.

BEHAVIORAL CORRELATION MODULE

The Behavioral Correlation Module (BCM) identifies and tracks typical network traffic and packet behaviors over long periods of time and automatically sends out alerts for any anomaly. The BCM identifies reconnaissance activity, unknown attacks and zero-day attacks. It also guards against threats from within, providing alerts for resource violations, abuse of privileges and misuse of corporate assets. Its behavioral analytics employ raw packet information through layer 4, detecting early threat activity and maintaining alert logs and behavioral profile information for at least six months, enabling constant monitoring of global attacks and vulnerabilities.

The Behavioral Correlation Module (BCM) is available in four models: the A-5000-V virtual appliance for VMware enabled environments, as a software component of the N-2520-S All-n-One Security Module (ASM), the A-5000-G 1U appliance for typical 10/100/1000Mb networks, or the A-5110-G 1U appliance for newer 10GbE networks.

SECURITY DASHBOARD MODULE

The Security Dashboard Module (SDM) provides immediate single-source access to all threat data, including an easy-to-use, instant view of prioritized security threats and the underlying data that created them. The SDM correlates data and prioritizes security threats from multiple security, network and server sources, including behavioral alerts from packet data analysis, signature IDS alerts, vulnerability scans against assets, and global alerts. The SDM instantly identifies the most critical network threats, determines the best path for remediation and gathers the data for forensic reporting. Because of its extensible architectural design, the SDM requires no tuning or correlation rules. This means that time is not wasted attempting to integrate complex SIM software with third-party security solutions or implementing, updating and maintaining multitudes of SIM correlation rules.

The Security Dashboard Module (SDM) is available in three models: the I-6000-V virtual appliance software for VMware enabled environments, as a software component of the N-2520-S All-n-One Security Module (ASM), or the I-6000-G 1U appliance for typical 10/100/1000Mb networks.

DETECTION + PREVENTION MODULE

The Detection + Prevention Module (DPM) is a 100% passive network sensor hosting an intelligent packet inspection and capture system that selects and transfers suspicious packets to the Behavioral Correlation Module (BCM) for further behavior analysis. By employing signature detection technology, deep-packet inspection of layers 1-7 and tunable signatures on a 24/7 basis, the DPM provides automatic alert analysis and correlation, as well as alert escalation and prioritization; detection of unauthorized access to network resources; countermeasures for denial-of-service attacks; termination of attack sessions via a TCP reset or ICMP unreachable message; probe prevention (defeats or confuses scanning techniques with false responses); and enterprise threat correlation and global threat correlation.

The Detection + Prevention Module (DPM) is available in seven models:
- N-1001-V virtual appliance for VMware enabled environments
- As a software component of the N-2520-S All-n-One Security Module (ASM)
- N-1001-S 1U appliance for remote Small Office / Branch Office (SOBO) locations
- N-1010-S 1U appliance for 100Mb networks
- N-2100-S 1U appliance for 1000Mb networks
- N-2101-S 1U appliance for 4000Mb fiber networks
- N-2110-G 1U appliance for newer 10GbE networks

VULNERABILITY SCANNER MODULE

The Vulnerability Scanner Module (VSM) provides the full benefit of regular security scans that are integrated and correlated with data and alerts from the other appliances, as well as extensive research capabilities. The Vulnerability Scanner module's extensive reporting includes individual vulnerability reports for each device, with associated risk levels (informational, low, high and severe) and appropriate links to remediation steps. This module also includes:
- Summary and management reports for easier risk mitigation;
- On Demand Scanning options: Light (limited port scans that identify common vulnerabilities such as those within DNS, Web, FTP and SMTP); Heavy (full port scans that look for all known vulnerabilities and potential risk areas); and DOS scans that identify all dangerous vulnerabilities on the appropriate ports;
- A Scan Scheduler with customizable scanning options for immediate, daily, weekly, monthly, quarterly and annual scans; and
- A Private Customer Web Portal that allows customers to view alerts and scans and run reports in real time.

The Vulnerability Scanner Module (VSM) is available in three models: the V-3001-V virtual appliance software for VMware enabled environments, as a software component of the N-2520-S All-n-One Security Module (ASM), or the V-3001-S 1U appliance for typical 10/100/1000Mb networks.

FIREWALL/SYSLOG MODULE

The Firewall/Syslog Module (FSM) provides real-time rules-based syslog analysis for commercially available firewalls and syslog-compatible systems, applications and devices. The FSM is integrated with the UES monitoring console and reports. It can match multiple rules based on Boolean logic, time and frequency to develop sophisticated policy oversight and alert on violations. The N-2800-G FSM is configured with 2.0TB of network attached storage (NAS) to collect and maintain up to one (1) year of logs per logging source; provides automated back-up to long-term network storage devices; offers log management searching and reporting; and supports up to 1000 syslog devices per FSM. For larger organizations, the N-2810-G FSM is configured with 8.0TB of RAID 10 storage, supporting up to 5000 devices per FSM. The FSM can also be tightly integrated with all commercially available firewalls, switches and routers to enable automatic and manual blocking of malicious traffic.
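The rule matching the FSM description attributes to the module (Boolean logic, time and frequency applied to syslog) as an added illustration that is not Masergy's code: a small Python engine that fires a frequency rule when five failed SSH logins hit one host within 120 seconds, and a sequence rule when a privilege change on the same host follows that alert within ten minutes, which is the kind of "changes to account privileges" policy the layered description mentions. The syslog lines, host names, addresses and thresholds are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic BSD syslog line: "Mon DD HH:MM:SS host program[pid]: message" (no year in the stamp)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_syslog(line, year=2024):
    """Return a dict with ts/host/prog/msg, or None for lines that are not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


class FrequencyRule:
    """Fires when at least `threshold` matching events share a key within `window_s` seconds."""
    def __init__(self, name, predicate, key_fn, threshold, window_s):
        self.name, self.predicate, self.key_fn = name, predicate, key_fn
        self.threshold, self.window_s = threshold, window_s


class SequenceRule:
    """Fires when a matching event follows an alert of rule `after` (same key) within `within_s`."""
    def __init__(self, name, after, predicate, key_fn, within_s):
        self.name, self.after, self.predicate, self.key_fn = name, after, predicate, key_fn
        self.within_s = within_s


class SyslogRuleEngine:
    def __init__(self):
        self.freq_rules = []
        self.seq_rules = []
        self.buckets = defaultdict(deque)  # (rule name, key) -> timestamps of matching events
        self.fired = defaultdict(list)     # rule name -> [(ts, key)] of alerts already raised
        self.alerts = []                   # (rule name, key, ts, detail)

    def add(self, rule):
        (self.freq_rules if isinstance(rule, FrequencyRule) else self.seq_rules).append(rule)

    def _fire(self, name, ts, key, detail):
        self.fired[name].append((ts, key))
        self.alerts.append((name, key, ts, detail))

    def feed(self, line):
        ev = parse_syslog(line)
        if ev is None:
            return
        for r in self.freq_rules:
            if not r.predicate(ev):
                continue
            key = r.key_fn(ev)
            q = self.buckets[(r.name, key)]
            q.append(ev["ts"])
            # slide the window: discard events older than window_s (the newest is never dropped)
            while (ev["ts"] - q[0]).total_seconds() > r.window_s:
                q.popleft()
            if len(q) >= r.threshold:
                self._fire(r.name, ev["ts"], key, f"{len(q)} events within {r.window_s}s")
                q.clear()  # one alert per burst, not one per additional event
        for r in self.seq_rules:
            if not r.predicate(ev):
                continue
            key = r.key_fn(ev)
            for ts, k in self.fired[r.after]:
                if k == key and 0 <= (ev["ts"] - ts).total_seconds() <= r.within_s:
                    self._fire(r.name, ev["ts"], key, f"follows {r.after} on {key}")
                    break

    def run(self, lines):
        for line in lines:
            self.feed(line)
        return [(name, key) for name, key, _, _ in self.alerts]


def build_engine():
    eng = SyslogRuleEngine()
    by_host = lambda ev: ev["host"]
    eng.add(FrequencyRule("ssh_bruteforce",
                          lambda ev: ev["prog"] == "sshd" and ev["msg"].startswith("Failed password"),
                          by_host, threshold=5, window_s=120))
    eng.add(SequenceRule("privesc_after_bruteforce", after="ssh_bruteforce",
                         predicate=lambda ev: "to group 'wheel'" in ev["msg"],
                         key_fn=by_host, within_s=600))
    eng.add(FrequencyRule("telnet_blocked_at_firewall",
                          lambda ev: ev["prog"] == "kernel" and "DPT=23" in ev["msg"],
                          by_host, threshold=1, window_s=0))
    return eng


# Constructed sample log lines; hosts and addresses are not real
LOG_LINES = [
    "Jan 12 10:00:01 host1 sshd[2201]: Failed password for root from 10.0.0.9 port 51022 ssh2",
    "Jan 12 10:00:04 host1 sshd[2201]: Failed password for root from 10.0.0.9 port 51023 ssh2",
    "Jan 12 10:00:07 host1 sshd[2201]: Failed password for admin from 10.0.0.9 port 51024 ssh2",
    "Jan 12 10:00:09 host1 sshd[2201]: Failed password for admin from 10.0.0.9 port 51025 ssh2",
    "Jan 12 10:00:12 host1 sshd[2201]: Failed password for root from 10.0.0.9 port 51026 ssh2",
    "Jan 12 10:00:40 host1 sshd[2210]: Accepted password for admin from 10.0.0.9 port 51027 ssh2",
    "Jan 12 10:02:15 host1 usermod[2300]: add 'admin' to group 'wheel'",
    "Jan 12 10:05:00 host2 sshd[4100]: Failed password for bob from 10.0.0.12 port 40000 ssh2",
    "Jan 12 10:30:00 host2 usermod[4200]: add 'bob' to group 'wheel'",  # no burst before it: quiet
    "Jan 12 10:31:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.20 PROTO=TCP DPT=23",
]

if __name__ == "__main__":
    for name, key, ts, detail in build_engine().run(LOG_LINES) and build_engine().alerts or []:
        print(ts, name, key, detail)
```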

The Firewall/Syslog Module (FSM) is available in three models: the N-2800-V virtual appliance software for VMware enabled environments, as a software component of the N-2520-S All-n-One Security Module (ASM), the N-2800-S 1U appliance for typical 10/100/1000Mb networks, and/or the N-2810-S 1U appliance for larger 10GbE networks.

NETWORK SECURITY ZONES (Z-1000-G)

The Network Security Zones (NSZ) feature defines secure boundaries for managing and monitoring access to information and applications across multiple systems and disciplines, simultaneously delivering unimpeded online services to employees, customers and suppliers. Simply put, the NSZ system defines what an individual can access within the network, at what time and from which location. Any violation of established boundaries will generate an unauthorized access alert. The NSZ system also supports DHCP environments where it's necessary to track individual users or hosts independent of their IP addresses; protects against various network intrusions and illicit access, whether from inside or out; provides a clear path to enhanced compliance and auditing requirements; handles security and access for remote and mobile workers; and works with drag-and-drop simplicity.

ON-DEMAND MANAGED SECURITY SERVICES

Masergy's Security Risk Management (SRM) Managed Services provides the flexibility to choose between centrally managed or co-managed services, or a combination of the two, based on outsourcing requirements at any point in time. It provides immediate turnkey access to the UES solution with no contract required. SRM Managed Services allows an enterprise to cost-effectively allocate internal resources while outsourcing network security requirements based on demand. Outsourcing by contract is also available, providing an economical and flexible way to augment a company's IT security staff with 24x7 managed security services, whether it's for off-hours, holidays or customized timeframes based on peak management requirements. With or without a contract, SRM Managed Services provides visibility, control and oversight of the entire enterprise security environment; enables actionable remediation information to prevent network security problems as well as dealing with immediate security issues; and offers significant cost savings through reduced capital expenditures, training and staffing.

Masergy Unified Enterprise Security Configurations

As depicted below, each Unified Enterprise Security (UES) system is typically deployed on one All-n-One Security Module (ASM) hosting any number of selected virtual machine modules to meet your desired level of security. Each UES system must contain one (1) Master Control Unit (MCU), providing private web portal access to unified administration, monitoring, ticketing and reporting for all deployed UES subsystems. Secure facilities typically have a limited number of internet connections and should install at least one (1) Detection + Prevention Module (DPM) at each internet connection to perform signature detection (IDS), prevention (IPS) and behavioral packet analysis capture. Additional DPMs can be installed to provide coverage for additional internet connections, whether collocated or at geographically remote locations. It is important to note that DPMs are installed as 100% passive devices receiving mirrored traffic from monitored network segments, and there is no requirement to integrate any 3rd party devices.


More information

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES SOX COMPLIANCE Achieving SOX Compliance with Professional Services The Sarbanes-Oxley (SOX)

More information

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation Threat Center Real-time multi-level threat detection, analysis, and automated remediation Description Advanced targeted and persistent threats can easily evade standard security, software vulnerabilities

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Facilitate policy-based expertise and

More information

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE PRODUCT BRIEF LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE The Tripwire VIA platform delivers system state intelligence, a continuous approach to security that provides leading indicators of breach

More information

An Advanced and Integrated Approach to Managed Enterprise Network Security

An Advanced and Integrated Approach to Managed Enterprise Network Security An Advanced and Integrated Approach to Managed Enterprise Network Security A Frost & Sullivan White Paper Chris Rodriguez, Senior Industry Analyst Sponsored by: Masergy frost.com Introduction... 3 The

More information

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management Log Management How to Develop the Right Strategy for Business and Compliance An Allstream / Dell SecureWorks White Paper 1 Table of contents Executive Summary 1 Current State of Log Monitoring 2 Five Steps

More information

Cisco Advanced Malware Protection for Endpoints

Cisco Advanced Malware Protection for Endpoints Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection

More information

Bio-inspired cyber security for your enterprise

Bio-inspired cyber security for your enterprise Bio-inspired cyber security for your enterprise Delivering global protection Perception is a network security service that protects your organisation from threats that existing security solutions can t

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

How To Manage Log Management

How To Manage Log Management : Leveraging the Best in Database Security, Security Event Management and Change Management to Achieve Transparency LogLogic, Inc 110 Rose Orchard Way, Ste. 200 San Jose, CA 95134 United States US Toll

More information

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure

More information

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE PRODUCT BRIEF LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE As part of the Tripwire VIA platform, Tripwire Log Center offers out-of-the-box integration with Tripwire Enterprise to offer visibility

More information

Trend Micro. Advanced Security Built for the Cloud

Trend Micro. Advanced Security Built for the Cloud datasheet Trend Micro deep security as a service Advanced Security Built for the Cloud Organizations are embracing the economic and operational benefits of cloud computing, turning to leading cloud providers

More information

Cisco Advanced Malware Protection for Endpoints

Cisco Advanced Malware Protection for Endpoints Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection

More information

IBM Global Technology Services Preemptive security products and services

IBM Global Technology Services Preemptive security products and services IBM Global Technology Services Preemptive security products and services Providing protection ahead of the threat Today, security threats to your organization leave little margin for error. To consistently

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

Current IBAT Endorsed Services

Current IBAT Endorsed Services Current IBAT Endorsed Services Managed Network Intrusion Prevention and Detection Service SecureWorks provides proactive management and real-time security event monitoring and analysis across your network

More information

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

Enterprise Cybersecurity: Building an Effective Defense

Enterprise Cybersecurity: Building an Effective Defense : Building an Effective Defense Chris Williams Scott Donaldson Abdul Aslam 1 About the Presenters Co Authors of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced

More information

Carbon Black and Palo Alto Networks

Carbon Black and Palo Alto Networks Carbon Black and Palo Alto Networks Bring Together Next-Generation Endpoint and Network Security Solutions Endpoints and Servers in the Crosshairs of According to a 2013 study, 70 percent of businesses

More information

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Protect the data that drives our customers business. Data Security. Imperva s mission is simple: The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics

More information

An Advanced and Integrated Approach to Managed Enterprise Network Security

An Advanced and Integrated Approach to Managed Enterprise Network Security An Advanced and Integrated Approach to Managed Enterprise Network Security A Frost & Sullivan White Paper Chris Rodriguez, Senior Industry Analyst Sponsored by: Masergy frost.com Introduction... 3 The

More information

Advanced Threat Protection with Dell SecureWorks Security Services

Advanced Threat Protection with Dell SecureWorks Security Services Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5

More information

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security

More information

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture Using LYNXeon with NetFlow to Complete Your Cyber Security Picture 21CT.COM Combine NetFlow traffic with other data sources and see more of your network, over a longer period of time. Introduction Many

More information

24/7 Visibility into Advanced Malware on Networks and Endpoints

24/7 Visibility into Advanced Malware on Networks and Endpoints WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction

More information

I D C A N A L Y S T C O N N E C T I O N

I D C A N A L Y S T C O N N E C T I O N I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)

More information

Cyber Security Metrics Dashboards & Analytics

Cyber Security Metrics Dashboards & Analytics Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics

More information

The Sumo Logic Solution: Security and Compliance

The Sumo Logic Solution: Security and Compliance The Sumo Logic Solution: Security and Compliance Introduction With the number of security threats on the rise and the sophistication of attacks evolving, the inability to analyze terabytes of logs using

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

Combating a new generation of cybercriminal with in-depth security monitoring

Combating a new generation of cybercriminal with in-depth security monitoring Cybersecurity Services Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored.

More information

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM

More information

Content Security: Protect Your Network with Five Must-Haves

Content Security: Protect Your Network with Five Must-Haves White Paper Content Security: Protect Your Network with Five Must-Haves What You Will Learn The continually evolving threat landscape is what makes the discovery of threats more relevant than defense as

More information

What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options

What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options White paper What a Vulnerability Assessment Scanner Can t Tell You Leveraging Network Context to Prioritize Remediation Efforts and Identify Options november 2011 WHITE PAPER RedSeal Networks, Inc. 3965

More information

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments. Security solutions White paper Acquire a global view of your organization s security state: the importance of security assessments. April 2007 2 Contents 2 Overview 3 Why conduct security assessments?

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored. It takes an average

More information

How To Protect A Virtual Desktop From Attack

How To Protect A Virtual Desktop From Attack Endpoint Security: Become Aware of Virtual Desktop Infrastructures! An Ogren Group Special Report May 2011 Executive Summary Virtual desktops infrastructures, VDI, present IT with the unique opportunity

More information

Defending Against Cyber Attacks with SessionLevel Network Security

Defending Against Cyber Attacks with SessionLevel Network Security Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive

More information

Agenda. 3 2012, Palo Alto Networks. Confidential and Proprietary.

Agenda. 3 2012, Palo Alto Networks. Confidential and Proprietary. Agenda Evolution of the cyber threat How the cyber threat develops Why traditional systems are failing Need move to application controls Need for automation 3 2012, Palo Alto Networks. Confidential and

More information

Detect & Investigate Threats. OVERVIEW

Detect & Investigate Threats. OVERVIEW Detect & Investigate Threats. OVERVIEW HIGHLIGHTS Introducing RSA Security Analytics, Providing: Security monitoring Incident investigation Compliance reporting Providing Big Data Security Analytics Enterprise-wide

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM The Benefits of Integrating File Integrity Monitoring with SIEM Security Information and Event Management (SIEM) is designed to provide continuous IT monitoring, actionable intelligence, incident response,

More information

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD Protecting your infrastructure requires you to detect threats, identify suspicious

More information

Cisco IPS Tuning Overview

Cisco IPS Tuning Overview Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Protecting your business value from

More information

Caretower s SIEM Managed Security Services

Caretower s SIEM Managed Security Services Caretower s SIEM Managed Security Services Enterprise Security Manager MSS -TRUE 24/7 Service I.T. Security Specialists Caretower s SIEM Managed Security Services 1 Challenges & Solution Challenges During

More information

Complete Protection against Evolving DDoS Threats

Complete Protection against Evolving DDoS Threats Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion

More information

INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH

INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH INTRODUCTION: WHO S IN YOUR NETWORK? The days when cyber security could focus on protecting your organisation s perimeter

More information

Fighting Advanced Threats

Fighting Advanced Threats Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.

More information

Breaking the Cyber Attack Lifecycle

Breaking the Cyber Attack Lifecycle Breaking the Cyber Attack Lifecycle Palo Alto Networks: Reinventing Enterprise Operations and Defense March 2015 Palo Alto Networks 4301 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information