UNIFIED ENTERPRISE SECURITY


WHITE PAPER

UNIFIED ENTERPRISE SECURITY: A HOLISTIC APPROACH TO INTEGRATED, BEHAVIORAL-BASED NETWORK SECURITY

BY: DEAN A. TRUMBULL

Table of Contents

EXECUTIVE SUMMARY
INTRODUCTION
THE SECURITY PROBLEM: FAILURE TO CONNECT THE DOTS
BEHAVIORAL-BASED UNIFIED SECURITY: A HOLISTIC APPROACH
CHALLENGES FACING BEHAVIORAL-BASED UNIFIED SECURITY
MASERGY UNIFIED ENTERPRISE SECURITY
MASERGY PRODUCT OVERVIEW
UNIFIED ENTERPRISE SECURITY CONFIGURATIONS
UNIFIED ENTERPRISE CLOUD SECURITY CONFIGURATIONS
HYBRID NETWORK CONFIGURATIONS
CONCLUSION

EXECUTIVE SUMMARY

Internet-based attacks are a serious threat to any public or private organization's information technology systems. Despite a substantial increase in spending on cyber security over the past few years, new and evolving Internet security threats remain widespread and most cyber defense products are woefully inadequate. While many powerful point solutions exist to protect specific pockets of vulnerability, industry analysts agree that the next evolutionary leap in security technology will focus on the development of a systemic cyber security architecture that is capable of providing true subsystem integration of disparate security applications within a unified threat management system.

Masergy's Unified Enterprise Security (UES) is the industry's first fully integrated, network behavior analysis and correlation-based security platform. It is the premier threat management system on the market today because it is the only unified offering that combines the unique integration properties of a security architecture with the adaptive and predictive data sharing, tracking and analysis capabilities of a network behavior analysis and correlation engine. Masergy's UES solution provides true subsystem integration of industry-proven security applications (network behavior analysis and correlation; intrusion detection and prevention; vulnerability scanning and management; log management, analysis and monitoring; network access and policy monitoring; and comprehensive threat management for prioritized network, global and vendor threats and vulnerabilities) within a multi-layered, 21st century security architecture that spans premise-based, cloud and hybrid network environments. Finally, there is a unified security solution that works anytime, anywhere your business operates.
INTRODUCTION

In an era of increasing regulatory compliance, where the level of investment in best-of-breed corporate IT security technology is significantly higher than in any previous year, CIOs, Security Chiefs and IT Leaders are asking the same question: Why are high profile security breaches still so prevalent? To adequately answer that question, one need only review the data. Consider, for example, the recently published Verizon Business Y2009 Data Breach Investigations Report of high profile security breaches. It found that, for 82% of all breaches, readily available evidence existed in an organization's logs that it had been breached or was in the process of being breached. Further, the same report also found that:

- 71% of breached organizations already had log collecting solutions in place;
- 30% of breached organizations already had an intrusion detection/prevention system (IDS) in place;
- 69% of breaches were discovered by a 3rd party, not by the actual organization that was breached;
- 19% were deemed to be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS); and
- only 6% of these organizations actually discovered the breach on their own.

These are shocking statistics, especially when you consider that IT security budgets rose to 12.6 percent and global IT security spending climbed to $14.7B. With continuously evolving attack profiles and too many disparate applications and appliances requiring updates on a daily basis, it is virtually impossible for network administrators to stay ahead of the curve. This paper will highlight the flaws of a best-of-breed approach to network security, the underlying causes of recent high profile security breaches, and the emergence of Unified Enterprise Security, a comprehensive, holistic approach to network security integration.

Sources: Forrester Research, State Of Enterprise IT Security; Verizon Business, Y2009 Data Breach Investigations Report.

THE SECURITY PROBLEM: FAILURE TO CONNECT THE DOTS

Postmortem analysis by Verizon Business investigators of the underlying causes of security breaches found that either the technology employed, the processes in place, or dereliction of duty (though unintended) were the main causes. These findings are understandable given the current state of the network security market, where corporate IT security teams are challenged to implement their network security posture by cobbling together discrete security appliances and applications from a myriad of competing security companies. Such products focus on various specific aspects of network security, leaving the IT department responsible for selecting, integrating, managing, monitoring and correlating discrete security events, alerts, logs and reports into actionable security threats.

An all too common misconception is that a network breach is a singular event that occurs during a brief period of time. In reality, Verizon Business investigators found that 82% of successful breaches were actually preceded by a series of successive reconnaissance activities, intentionally spanning days, weeks and even months in an effort to avoid detection. These intrusion detection evasion techniques are able to bypass detection by creating different states on the perimeter defenses and/or on the targeted computer. The attacker accomplishes this by manipulating either the attack itself or the network traffic that contains the attack. In this manner, attackers are able to slowly develop techniques, methods, and even the timing to successfully breach perimeter defenses. Even though much of this reconnaissance activity can be detected by perimeter defenses, it tends to be overlooked because 1) the number and frequency of these events appear to indicate a cessation of hostile activity, leaving the IT staff with the impression that perimeter defenses are working, or 2) they simply go unnoticed due to inadequate security monitoring.
Aside from the obvious silo effect of deploying discrete security appliances, it is important to note that most network security technology relies heavily on signature detection to identify malicious traffic. Since security appliances are only able to load a mere 5% of currently available signatures (~1500), this leaves network security analysts guessing as to which signatures to load. It also leaves the network 95% exposed to well known attack methods regardless of the analyst's signature selection, and completely vulnerable to any new stealth attacks.

Simply put, the primary reasons why high profile security breaches are still so prevalent are that:

- There are too many vendors, too many disparate security systems, too many alerts, and not enough actionable root-cause and resolution information.
- With most security products, there is an inability to connect the dots between an impending attack and its related reconnaissance activity, which can span hours, days, weeks, and even months.
- Most security products are reactive and focused on explaining what happened, instead of tracking reconnaissance activity and detecting threats before they happen.
- In addition, the deployment of organizational resources necessary to successfully operate in such an environment further stresses IT departments that are already challenged with squeezing the most out of their minimalist security budgets.

These disparate product, process and budget issues are contributing to a growing movement within the security industry, one that supports the convergence of security requirements as part of an extensible systemic architecture. It is this type of approach that analysts believe will enable disparate applications to be seamlessly integrated into a single system, with unified administration, operations and reporting.

BEHAVIORAL-BASED UNIFIED SECURITY: A HOLISTIC APPROACH

The concept of a systemic, architectural approach to network security is increasingly gaining traction among leading security companies. In fact, Cisco Chief Executive John Chambers predicts the end of pinpoint security applications and believes that, in order to stop online threats, security should be integrated throughout the network with an underlying architectural approach, and that SMEs should be focusing now on how their security pieces integrate. There is also a growing realization that signature-only detection cannot adequately address the current state of network security attacks.
A behavioral approach to deep packet analysis is now a requirement in order to address zero-day attacks and compensate for the limited number of signatures that IDS/IPS appliances can actually load (~1500), which leaves networks 95% exposed to well known attack methods. The following quotes from Gartner, Aberdeen and Yankee Group analysts further highlight the industry's alignment with network behavioral analysis and correlation as a must-have component of an extensible, architecture-based security program:

"After an organization has successfully deployed firewalls and intrusion prevention systems (IPS) with appropriate processes for tuning, analysis and remediation, they should consider network behavior analysis (NBA) to identify network events and behaviors that are undetectable using other techniques." Paul E. Proctor, Research Analyst, Gartner Inc.

The industry is moving toward a more holistic and integrated approach to security, and the key to realizing the benefits of such an approach lies in how effectively integrated technologies are able to share, correlate, and analyze information, according to Derek Brink, Vice President and Research Fellow for Aberdeen's IT Security Division. "Solution Providers who incorporate NBA most effectively will enable their customers to improve protection by predicting and preventing emerging threats before they cause harm, rather than by merely explaining events that have already ensued."

"Traditional signature-based security products can't stop zero-day attacks," says Andrew Jaquith, a senior analyst with Yankee Group. "Our research shows that while 99% of corporations have deployed antivirus software, nearly two-thirds (64%) nonetheless suffered virus or worm outbreaks that disrupted at least one business unit. Behavioral security solutions are an increasingly important part of a balanced security program."

CHALLENGES FACING BEHAVIORAL-BASED UNIFIED SECURITY

As alluded to earlier, the state of the enterprise security market is highly fragmented, with point solutions designed to address distinct security requirements. Many larger security firms (Cisco, McAfee, and Symantec, among others) are now trying to address the unified security software space by acquiring disparate applications with a promise to integrate them down the road. Many vendors are telling the unified security story, but instead are delivering a SIM/SEM solution, as in the case of Cisco MARS. The challenges facing a true behavioral-based unified security implementation are three-fold:

1. Unified security is a relatively new product category, and the work of category creation is challenging and expensive. It is imperative that the industry overall ensures that incumbent competitors do not use their enormous advertising budgets to water down the true definition of a unified security platform.

2. Existing network security incumbents are pitching a solid unified security story, but what they are actually delivering is a collection of disparate point solutions that are loosely integrated, usually for reporting purposes. In most cases, these are stand-alone signature detection products, separately administered, and they do not share security information in real time to enhance detection. This is creating confusion among customers as well as a significant market gap, since many businesses are now taking a wait-and-see attitude with regard to security integration.

3. Since IT organizations have historically implemented a security posture by cobbling together discrete security solutions, this investment in appliances, time, and resources makes the prospect of deploying a unified solution difficult, especially where there is an overlap in applications. Organizations are reluctant to request additional budget dollars to replace investments that have not yet been fully depreciated, regardless of the efficacy of the new solution.

MASERGY UNIFIED ENTERPRISE SECURITY

To address these challenges, Masergy has developed a security solution that actually combines the exceptional integration capabilities of a security architecture with the adaptive and predictive data sharing, tracking and analysis capabilities of a network behavior analysis and correlation engine. This uniquely integrated approach is at the heart of Masergy's Unified Enterprise Security (UES) solution, and enables all security applications to take advantage of patented, leading-edge behavioral technology. Other advantages of the UES architecture (a single console and unified reporting, administration, and operational ease of use) make this technology particularly attractive to over-burdened and under-resourced IT departments.

The Unified Enterprise Security architecture provides an extensible platform to incorporate ever-expanding security applications. In fact, Masergy has leveraged the UES architecture to incorporate several new security applications, including behavioral network access policy monitoring, log management and monitoring, and emerging cloud security applications. Further, Masergy's Unified Enterprise Security architecture is very cost-effective since it overlays and complements a company's existing network security infrastructure. This modular approach allows customers to mix and match applications, adding additional modules over time, as needed, which helps to maximize their current security investment.
[Figure: Enterprise UTM Architecture vs. Unified Enterprise Security Architecture. Panels: Unified Administration, Monitoring, Reporting; Trusted Computing Base (Protect, Monitor, Alert, Report); perimeter components (Firewall, IDS, IPS, NBA, AV, NAC, AS, CF) with blocking at the Internet edge; data sources (Users, Servers, Firewalls, Syslogs, Switches, Routers, Policies); detected items (Threats, Intrusions, Suspicious Traffic, Viruses, Trojans, Vulnerabilities, Vendor Alerts, Stealth Attacks, Access Violations, Resource Violations); Network Behavioral Analysis and Correlation Server producing Prioritized Threats, Policy Violations, Access Violations, Alerts and Compliance output.]

UNIFIED ENTERPRISE SECURITY ARCHITECTURE

True Subsystem Integration

Masergy's Unified Enterprise Security product portfolio enables true subsystem integration and intelligent, adaptive information sharing/correlation of detected threats and alerts with detected vulnerabilities between all application subsystems and appliances. It is this level of architecture-based integration that provides long-term context to threats and enables early warnings of threats and attack reconnaissance that other products cannot see. Industry-proven application modules (network behavior analysis and correlation; intrusion detection and prevention; vulnerability scanning and management; log management, analysis and monitoring; network access and policy monitoring; and comprehensive threat management for prioritized network, global and vendor threats and vulnerabilities) can be deployed as part of a complete security infrastructure or they can be added incrementally, over time, as an organization's business and network requirements change. Further, Masergy's holistic approach to compliance ensures that customers can efficiently achieve and maintain ongoing regulatory compliance within their unique vertical markets, whether it is for PCI, SOX, HIPAA, NERC CIP, NCUA or FISMA standards.

[Figure: Unified Enterprise Security Software Architecture. Components: Unified Security Console (Administration, Reports, Forensics, Events); Risk Analysis Engine fed by detected vulnerabilities; Correlation Engine fed by threats and SYSLOG sources (scanner, threat data, firewalls, servers, AV, AS, IPS, IDS, other sources); Behavior Analysis Engine (deep packet analysis, security heuristics) fed by raw packet data sources (NetFlow, sFlow, routers, switches, sensors, probes, mirrored raw packets); policy rules and policy violations.]

At the heart of Unified Enterprise Security (UES) is a proprietary behavioral correlation engine that is actually the foundation upon which all other applications are built.
This basic tenet of UES enables each security application to leverage the rich data derived from the correlation of weeks of raw packet data, detected vulnerabilities, signature detection applications, posted vendor alerts, globally detected threats, logs from 3rd party security devices, as well as network access policy violations. True behavioral analysis and correlation requires:

- Packet data, IDS/IPS alerts, scans, vendor threats, and tracked resources as data feeds to be analyzed and correlated continuously, and tracked over long periods of time.
- Use of raw packet data rather than log files for behavioral analysis. Packets have more data for analysis.
- Data used for analysis spanning days, weeks and months, which is necessary to correlate seemingly discrete events intentionally spaced out to avoid detection. The longer the timeframe, the better the analysis can be.
- Analysis that is relative to an individual network and adapts to that network. A behavioral system becomes customized to that network without human intervention.
- A behavioral system with learned intelligence that can measure increasing hostility from progressive reconnaissance activity and predict behaviors, enabling it to track developing threats leading up to a breach.

Architecturally Layered Security Applications

It is important not to mistake Unified Enterprise Security for a SIM or SEM (SIEM) implementation. A SIEM is a noble attempt to integrate a collection of security appliances that were never intended to work together. Consequently, they don't. The SIEM approach has proven to be a complex, limited, and expensive approach to very loose integration that has relegated most SIEMs to nothing more than log management platforms. The Unified Enterprise Security offering is not the aggregation of log information from disparate security appliance logs/alerts. Instead, it provides twelve (12) unparalleled layers of fully integrated security:

1. 100% PASSIVE SECURITY IMPLEMENTATION introduces absolutely no additional network latency, and no single point of failure. In practice, network traffic is mirrored to detection devices, allowing easy installation without disruption to network activity.

2. EXTERNAL INTRUSION DETECTION & PREVENTION detects increasing external hostility from reconnaissance activities, external threats, and other malicious traffic.

3. INTERNAL INTRUSION DETECTION & PREVENTION monitors potentially suspicious employee activity, evidence of malware infections, and security policy violations.

4. NETWORK BEHAVIOR ANALYSIS AND CORRELATION analyzes and correlates all suspicious network traffic received from both internal and external IDS sensors, spanning days, weeks and months. It detects sophisticated intrusion evasion techniques, anomalous patterns, and even new stealth attack methods for which there are no published signatures.

5. BEHAVIORAL-BASED NETWORK ACCESS POLICY CONTROL & MONITORING behaviorally detects and blocks both internal and external access policy violations in real time. This capability utilizes shared information between the intrusion detection and network behavior analysis subsystems to secure critical assets without deploying any additional hardware or host agent software.

6. UNIFICATION OF EXISTING SECURITY INFRASTRUCTURE provides real-time monitoring of 3rd party security events and automatic/manual blocking of malicious traffic via native integration with all commercially available firewalls, switches and routers.

7. NETWORK RESOURCE VIOLATION MONITORING raises resource violation alerts automatically when unrecognized IP addresses (internal or foreign) are detected, and/or when a well-known IP address attempts to access a device for which it has no history of access.

8. INTEGRATED VULNERABILITY SCANNING & REPORTING provides automated vulnerability scanning for detected vulnerabilities in the network infrastructure, critical assets, application servers, client PCs, etc. Detected vulnerabilities are then shared with other subsystems for real-time correlation.

9. REAL-TIME CORRELATION OF SUSPICIOUS NETWORK TRAFFIC WITH DETECTED VULNERABILITIES: activity reported by the integrated vulnerability scanner subsystem is automatically shared with the intrusion detection, threat management, network behavioral analysis and network access control subsystems for real-time correlation between disciplines. This capability adds context to potential threats that would otherwise go unnoticed.

10. COMPREHENSIVE REAL-TIME LOG ANALYSIS, ARCHIVAL, AND MONITORING processes log events from firewalls, switches, routers, 3rd party security devices, and application servers using sophisticated policy-based rules to detect anomalous events, security policy violations, changes to account privileges, and the like.

11. LOG MANAGEMENT AND ARCHIVAL functionality, including comprehensive log searching, reporting, and 1.5TB of network access storage (NAS), is available to help meet regulatory compliance.

12. COMPREHENSIVE THREAT MANAGEMENT automatically detects, correlates, and prioritizes detected network threats, global threats, and posted vendor threats with detected vulnerabilities. The resulting prioritized threat remediation list is designed to focus IT remediation teams on the most pressing threats to network security, providing detailed remediation steps, links to patches, vulnerability reports, CVEs, etc. The system is also designed to provide a complete graphical rendering of your entire network security posture, which is automatically updated once the system has empirically verified that the requisite remediation has been completed.

For those organizations following the widely accepted defense-in-depth network security strategy, Masergy's Unified Enterprise Security portfolio economically delivers a security layer that augments and holistically provides oversight of an organization's security environment without the need to uproot or disrupt its existing security infrastructure. This self-reliant approach combines real-time flexibility, long-term correlation, and historical trending, with no maintenance or security business intelligence requirement. This revolutionary behavioral approach is quickly becoming the industry standard for next generation network security architectures.

MASERGY PRODUCT OVERVIEW

As previously mentioned, the Unified Enterprise Security (UES) system is built from the ground up using a modular architecture. It provides a simple and affordable migration strategy because it allows for extensive customization. For example, a customer may initially choose to mix and match components to address gaps or holes in their security posture, then add additional applications or components incrementally, over time, in response to their evolving network environment.

[Figure: Unified Enterprise Security - Customizable By Design Solutions]

This modular approach also enables Masergy to cost-effectively introduce new components/applications that address new and emerging security threats, enabling a company to keep its security infrastructure up to date. The core Unified Enterprise Security components include:

MASTER CONTROL UNIT (M-4000-G)

The MCU module is a browser-based monitoring console, signature server, cluster manager and Web server that utilizes plug-and-play installation. It contains the custom Web portal that houses all the reports and graphs for the appliance suite, including the security dashboard, intrusion detection and vulnerability scanning reports. The Security Risk Management (SRM) Managed Services can also be provisioned through the MCU for thorough and economical risk management on demand.

BEHAVIORAL CORRELATION MODULE (A-5000-G, A-5110-G)

The Behavioral Correlation Module (BCM) identifies and tracks typical network traffic and packet behaviors over long periods of time and automatically sends out alerts for any anomaly. The BCM identifies reconnaissance activity, unknown attacks and zero-day attacks. It also guards against threats from within, providing alerts for resource violations, abuse of privileges and misuse of corporate assets. Its behavioral analytics employ raw packet information through layer 4, detecting early threat activity and maintaining alert logs and behavioral profile information for at least six months, enabling constant monitoring of global attacks and vulnerabilities. The Behavioral Correlation Module (BCM) is available in two models: A-5000-G for 10/100/1000Mb networks and A-5110-G for 10Gb networks.

SECURITY DASHBOARD MODULE (I-6000-G)

The Security Dashboard Module (SDM) provides immediate single-source access to all threat data, including an easy-to-use, instant view of prioritized security threats and the underlying data that created them. The SDM correlates data and prioritizes security threats from multiple security, network and server sources, including behavioral alerts from packet data analysis, signature IDS alerts, vulnerability scans against assets, and global alerts. The SDM instantly identifies the most critical network threats, determines the best path for remediation and gathers the data for forensic reporting. Because of its extensible architectural design, the SDM requires no tuning or correlation rules. This means that time is not wasted attempting to integrate complex SIM software with third-party security products or implementing, updating and maintaining multitudes of SIM correlation rules.
DETECTION + PREVENTION MODULE (N-1001-S, N-1010-S, N-2100-S, N-2101-S, AND N-2110-S)

The Detection + Prevention Module (DPM) is a 100% passive network sensor hosting an intelligent packet inspection and capture system that selects and transfers suspicious packets to the Behavioral Correlation Module (BCM) for further behavior analysis. By employing signature detection technology, deep-packet inspection of layers 1-7 and tunable signatures on a 24x7 basis, the DPM provides for automatic alert analysis and correlation, as well as alert escalation and prioritization; detection of unauthorized access to network resources; countermeasures for denial-of-service attacks; termination of attack sessions via a TCP reset or ICMP unreachable message; probe prevention (defeats or confuses scanning techniques with false responses); and enterprise threat correlation and global threat correlation.

Detection + Prevention Modules (DPM) are available in several models:

- N-1001-S for copper LAN/WAN speeds up to 10Mb
- N-1010-S for copper LAN/WAN speeds up to 100Mb
- N-2100-S for copper LAN/WAN speeds up to 1000Mb
- N-2101-S for fiber LAN/WAN speeds up to 1000Mb
- N-2110-S for LAN/WAN speeds up to 10Gb

VULNERABILITY SCANNER MODULE (V-3001-G)

The Vulnerability Scanner Module (VSM) provides the full benefit of regular security scans that are integrated and correlated with data and alerts from the other appliances, as well as extensive research capabilities. The Vulnerability Scanner Module's extensive reporting includes individual vulnerability reports for each device, with associated risk levels (informational, low, high, and severe) and appropriate links to remediation steps. This module also includes:

- Summary and management reports for easier risk mitigation;
- On-demand scanning options: Light (limited port scans that identify common vulnerabilities such as those within DNS, Web, FTP and SMTP); Heavy (full port scans that look for all known vulnerabilities and potential risk areas); and DOS scans that identify all dangerous vulnerabilities on the appropriate ports;
- A Scan Scheduler with customizable scanning options for immediate, daily, weekly, monthly, quarterly and annual scans; and
- A Private Customer Web Portal that allows customers to view alerts, scans, and run reports in real time.

12 WHITE PAPER FIREWALL/SYSLOG MODULE (N-2800-G) The FSM module provides real-time rules-based syslog analysis for commercially available firewalls and syslog compatible systems, applications and devices. The FSM is integrated with the Unified Enterprise Security monitoring console and reports. It can match multiple rules based on Boolean logic, time and frequency to develop sophisticated policy oversight and alert on violations. The FSM is configured with 1.5TB of network access storage (NAS) to collect and maintain up to one (1) year of logs per logging source; provides automated back-up to long-term network storage devices; offers log management searching and reporting, and supports up to 150 syslog devices per FSM; The FSM can also be tightly integrated all commercially available firewalls, switches and routers to enable automatic and manual blocking of malicious traffic. NETWORK SECURITY ZONES (Z-1000-G) The Network Security Zones (NSZ) feature defines secure boundaries for managing and monitoring access to information and applications across multiple systems and disciplines simultaneously delivering unimpeded online services to employees, customers and suppliers. Simply put, the NSZ system defines what an individual can access within the network, at what time and from which location. Any violation of established boundaries will generate an unauthorized access alert. The NSZ system also supports DHCP environments where it s necessary to track individual users or hosts independent of their IP addresses; protects against various network intrusions and illicit access, whether from inside or out; provides a clear path to enhanced compliance and auditing requirements; handles security and access for remote and mobile workers; and works with drag-and-drop simplicity. 
ON-DEMAND MANAGED SECURITY SERVICES Masergy s Security Risk Management (SRM) Managed Services provides the flexibility to choose between centrally managed or co-managed services, or a combination of the two based on outsourcing requirements at any point in time. It provides immediate turnkey access to the UES solution with no contract required. SRM Managed Services allows an enterprise to cost-effectively allocate internal resources, while outsourcing network security requirements based on demand. Outsourcing by contract is also available, providing an economical and flexible way to augment a company s IT security staff with 24x7 managed security services whether it s for off-hours, holidays or customized timeframes based on peak management requirements. With or without a contract, SRM Managed Services provides visibility, control and oversight of the entire enterprise security environment; enables actionable remediation information to prevent network security problems as well as dealing with immediate security issues; and offers significant cost savings through reduced capital expenditures, training and staffing. UNIFIED ENTERPRISE SECURITY CONFIGURATIONS To start, each UES solution is deployed with one (1) Master Control Unit (MCU) providing a private web portal access to unified administration, monitoring, ticketing and reporting for all deployed UES subsystems. Secure facilities typically have a limited number of internet connections and should install at least two (2) Detection + Prevention Modules (DPMs) to perform signature detection (IDS), prevention (IPS), and behavioral packet analysis capture. Additional DPMs can be installed to provide coverage for additional internet connections, whether collocated or geographically remote locations. It is important to note that DPMs are installed as 100% passive devices receiving mirrored traffic from monitored network segments, and there is no requirement to integrate any 3rd party devices. 
The first DPM is installed outside the firewall to monitor network activity at the perimeter. The external DPM is deployed to detect reconnaissance activity leading up to an attack, initially performing signature detection and then collecting suspicious network packets for further analysis by the Behavioral Correlation Module (BCM).

It is recommended that a second DPM be installed inside the firewall to monitor suspicious internal network traffic and outbound traffic to the internet, and to correlate these with inbound network traffic that makes it through the firewall. Like the external DPM, the internal DPM performs signature detection and then collects suspicious network packets for further analysis by the Behavioral Correlation Module (BCM). Additionally, the DPM will correlate suspicious network traffic with detected vulnerabilities reported by the Security Dashboard Module (SDM) to identify malicious traffic targeting vulnerable devices and applications (for example, detecting SSH-1 network traffic targeting a device vulnerable to an SSH-1 type attack).

Customer Premise-Based Unified Enterprise Security Configuration

The diagram above depicts an example of a fully configured Unified Enterprise Security system deployed as Customer Premise Equipment (CPE) at a secure facility.

Operating within each deployed DPM is a network access policy monitoring feature, used to define secure policies for managing and monitoring access to information and applications across multiple systems and disciplines. The Network Security Zones (NSZ) feature defines secure access policies for what employees and groups can access within the network, at what times, and from which location. Any violation of established policies will generate an unauthorized access alert. The NSZ system also supports DHCP environments where it's necessary to track individual users or hosts independent of their IP addresses; protects against various network intrusions and illicit access, whether from inside or out; provides a clear path to enhanced compliance and auditing requirements; handles security and access for remote and mobile workers; and works with drag-and-drop simplicity.
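The access-policy check the NSZ description outlines (who may reach what, from which zone, at what time, with identity tracked through a lease table rather than the IP address itself) as an added example written for this page; it is not Masergy's NSZ implementation. The zones, lease table, policy rows, time window and flow records below are constructed assumptions.

```python
"""Network Security Zones style access-policy evaluation: what a user may reach,
from which zone, at what time, with identity resolved from a lease table rather
than from the address alone. Added example, not Masergy's NSZ code; the zones,
leases, policy rows and flow records are constructed assumptions."""
import ipaddress
from datetime import datetime, time

# Constructed zone map: zone name -> network.
ZONES = {
    "corp-lan": ipaddress.ip_network("10.10.0.0/16"),
    "vpn": ipaddress.ip_network("10.200.0.0/16"),
    "finance-db": ipaddress.ip_network("10.50.1.0/24"),
    "hr-apps": ipaddress.ip_network("10.50.2.0/24"),
}

# Constructed DHCP/VPN lease table at observation time: address -> (user, group).
# Policy follows the user, so the same person on a new lease keeps the same rights.
LEASES = {
    "10.10.4.21": ("alice", "finance"),
    "10.200.7.3": ("alice", "finance"),
    "10.10.9.77": ("bob", "engineering"),
}

# Constructed policy rows: group, destination zone, permitted source zones, window.
POLICY = [
    {"group": "finance", "to": "finance-db", "from": {"corp-lan", "vpn"},
     "start": time(7, 0), "end": time(19, 0)},
    {"group": "hr", "to": "hr-apps", "from": {"corp-lan"},
     "start": time(7, 0), "end": time(19, 0)},
]
PROTECTED_ZONES = {row["to"] for row in POLICY}


def zone_of(ip):
    """Return the zone name containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(ts, src_ip, dst_ip):
    """Return None if the flow is permitted, else a reason string for the alert."""
    dst_zone = zone_of(dst_ip)
    if dst_zone not in PROTECTED_ZONES:
        return None  # no boundary defined for this destination
    identity = LEASES.get(src_ip)
    if identity is None:
        return f"unleased host {src_ip} reached {dst_zone}"
    user, group = identity
    src_zone = zone_of(src_ip)
    when = ts.time()
    for row in POLICY:
        if (row["group"] == group and row["to"] == dst_zone
                and src_zone in row["from"] and row["start"] <= when < row["end"]):
            return None
    return f"{user} ({group}) from {src_zone} to {dst_zone} at {when:%H:%M} not permitted"


def audit(flows):
    """Evaluate (timestamp, src, dst) records; return the unauthorized access alerts."""
    alerts = []
    for ts, src, dst in flows:
        reason = check_flow(ts, src, dst)
        if reason is not None:
            alerts.append((ts, src, dst, reason))
    return alerts


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    (datetime(2024, 3, 4, 8, 30), "10.10.4.21", "10.50.1.5"),    # alice, LAN, in hours: ok
    (datetime(2024, 3, 4, 22, 15), "10.200.7.3", "10.50.1.5"),   # alice, VPN, after hours
    (datetime(2024, 3, 4, 10, 0), "10.10.9.77", "10.50.1.5"),    # bob is not finance
    (datetime(2024, 3, 4, 10, 5), "10.10.8.8", "10.50.2.9"),     # no lease for this host
    (datetime(2024, 3, 4, 10, 10), "10.10.9.77", "10.10.4.21"),  # corp-lan is unprotected
]

if __name__ == "__main__":
    for ts, src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"UNAUTHORIZED ACCESS {ts:%Y-%m-%d %H:%M} {src} -> {dst}: {reason}")
```

Three of the five flows raise alerts: alice's after-hours VPN access, bob reaching a zone his group has no row for, and a host with no lease at all. The lease lookup is what makes alice's VPN address and her LAN address the same principal; in a real deployment that table is fed from the DHCP or VPN server rather than written by hand.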
As DPMs perform signature IDS and IPS, suspicious network packets are collected and transmitted to the Behavioral Correlation Module (BCM) for further analysis and behavioral correlation along with the data collected over the preceding days. Initially, behavioral correlation is performed on the data collected within each DPM. Secondly, behavioral correlation is performed on the data collected across all deployed DPMs at each secure facility. Finally, behavioral correlations are performed on the sanitized external data collected across all Masergy customer secure facilities, and this information is fed back into each UES system to provide awareness of global threats that your network is vulnerable to but that have not yet occurred on your network.

Each secure facility should also have at least one Vulnerability Scanner Module (VSM) deployed to identify and report vulnerabilities to the Behavioral Correlation Module (BCM), to the integrated threat management system known as the Security Dashboard Module (SDM), and to the Master Control Unit (MCU) for reporting purposes. This is important to proactively identify vulnerabilities in critical infrastructure at each facility in an effort to remediate ahead of any potential exploit, as well as to provide visual context and correlation of suspicious network activity against vulnerable assets.

A key UES component for integrating and unifying existing IT infrastructure, 3rd party security appliances, and application services is the Firewall Syslog Module (FSM). The primary role of the FSM is to process and archive log events from any log-producing device or application based on customized policy-based rules, as well as to generate alerts to the monitoring console for ticketing and incident response. All log events are archived and stored for one year and are available for searching and analysis via the 1.5TB of onboard storage. Additionally, the FSM is able to natively integrate with commercially available firewalls, switches, and routers to automatically and/or manually block and quarantine malicious traffic.
The last and most effective component to deploy at each secure facility is the Security Dashboard Module (SDM), which acts as a fully integrated threat management system designed to collect, correlate, and prioritize global network alerts, local network alerts, posted vendor alerts, and detected network vulnerabilities against enterprise assets. In this manner, threats are assessed, ranked and prioritized to intelligently focus IT resources on remediation activities. Each prioritized threat provides access to forensic information, a comprehensive list of vulnerable assets, associated vulnerability reports, and remediation instructions. It is important to note that the Security Dashboard requires no integration with any third-party products, as it correlates the raw packet-level information collected/analyzed by DPMs, FSMs and BCMs with the detected assets, vulnerability reports, and posted vendor alerts. Further, the SDM is fully automated, requires no complex correlation rules to set up, and requires no configuration and tuning to enable.
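The correlation of suspicious traffic with scan results that the internal DPM description mentions, and the ranking of alerts against assets, vulnerabilities and vendor advisories that the SDM performs, as one added example written for this page; it is not Masergy's DPM or SDM code. The asset table, alert records, advisory text, severity and criticality values, and the scoring weights are constructed assumptions; the SSH-1 case follows the page's own illustration.

```python
"""Correlating IDS alerts with scan results and vendor advisories, then ranking
them, along the lines the DPM/SDM descriptions give. Added example, not
Masergy's SDM code; the asset table, alert records, advisory feed and scoring
weights are constructed assumptions."""

# Constructed asset inventory from a vulnerability scan: host -> criticality
# (1 low .. 3 high) and the weaknesses the scanner reported, as descriptive tags.
ASSETS = {
    "192.0.2.10": {"name": "bastion", "criticality": 3, "vulns": {"ssh-protocol-1-enabled"}},
    "192.0.2.20": {"name": "web01", "criticality": 2, "vulns": {"weak-tls-ciphers"}},
    "192.0.2.30": {"name": "desktop-17", "criticality": 1, "vulns": set()},
}

# Constructed vendor/global advisory feed keyed by the same tags: remediation text.
ADVISORIES = {
    "ssh-protocol-1-enabled": "Disable SSH protocol version 1 and allow version 2 only.",
    "weak-tls-ciphers": "Remove export-grade and RC4 cipher suites from the TLS config.",
}

# Constructed IDS alerts. `exploits` names the weakness tags a signature is
# relevant to (empty for generic noise such as a port scan).
ALERTS = [
    {"sig": "SSH-1 protocol negotiation", "severity": 2, "exploits": {"ssh-protocol-1-enabled"},
     "src": "203.0.113.7", "dst": "192.0.2.10"},
    {"sig": "SSH-1 protocol negotiation", "severity": 2, "exploits": {"ssh-protocol-1-enabled"},
     "src": "203.0.113.7", "dst": "192.0.2.30"},
    {"sig": "TLS weak cipher probe", "severity": 1, "exploits": {"weak-tls-ciphers"},
     "src": "198.51.100.4", "dst": "192.0.2.20"},
    {"sig": "Port scan", "severity": 1, "exploits": set(),
     "src": "203.0.113.7", "dst": "192.0.2.20"},
]

EXPOSED_WEIGHT = 3  # assumed multiplier when the target is actually vulnerable


def correlate(alert, assets=ASSETS):
    """Join one alert to its target asset and report which weaknesses it hits."""
    asset = assets.get(alert["dst"])
    hits = alert["exploits"] & asset["vulns"] if asset else set()
    return asset, hits


def prioritize(alerts=ALERTS, assets=ASSETS, advisories=ADVISORIES):
    """Score and rank alerts: severity x asset criticality x exposure multiplier.

    An alert whose signature matches a weakness the scanner found on the target
    outranks the same signature against a host that is not vulnerable to it.
    """
    ranked = []
    for alert in alerts:
        asset, hits = correlate(alert, assets)
        criticality = asset["criticality"] if asset else 1
        score = alert["severity"] * criticality * (EXPOSED_WEIGHT if hits else 1)
        ranked.append({
            "score": score,
            "sig": alert["sig"],
            "src": alert["src"],
            "dst": alert["dst"],
            "asset": asset["name"] if asset else "unknown",
            "exposed": bool(hits),
            "remediation": [advisories[t] for t in sorted(hits) if t in advisories],
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize():
        flag = "EXPOSED" if r["exposed"] else "not vulnerable"
        print(f"{r['score']:>3} {r['sig']:<28} {r['src']} -> {r['asset']} ({flag})")
        for text in r["remediation"]:
            print(f"     remediation: {text}")
```

The same SSH-1 signature appears twice: against the bastion, which the scan reports as still accepting protocol 1, it ranks first with the advisory text attached; against the desktop, which does not, it drops to the bottom alongside the port scan. The weights are deliberately simple so that the ranking is explainable to whoever picks up the ticket.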

UNIFIED ENTERPRISE CLOUD SECURITY CONFIGURATIONS

Beyond the traditional challenges customers face in securing their premise environments (CPE), IT security teams must now deal with issues arising from the emergence of corporate Cloud computing services. The prospect of Cloud Computing offers companies compelling cost savings in annual IT hardware and software expenditures. While offering companies an attractive pay-only-for-what-you-use utility model to deploy business applications, Cloud computing environments may further burden IT departments with the challenge of providing security within an environment to which they may not even have access.

As depicted in the graphic below, there is a virtual machine instance hosting each element of the Cloud Guard offering:

- Unified Administration, Monitoring, and Reporting is encapsulated in the virtualized Master Control Unit (MCU)
- Network Behavioral Analysis is encapsulated in the virtualized Behavioral Correlation Module (BCM)
- Threat Management is encapsulated in the virtualized Security Dashboard Module (SDM)
- Network Access Policy Monitoring is encapsulated in the virtualized Network Security Zones (NSZ)
- Intrusion Detection Service is encapsulated in the virtualized Detection + Prevention Module (DPM)
- Security Event Monitoring & Log Management is encapsulated in the virtualized Firewall Syslog Module (FSM)
- Vulnerability Scanning / Management is encapsulated in the virtualized Vulnerability Scanner Module (VSM)

Figure: Masergy Unified Cloud Security Architecture (signature-based analysis, behavioral analysis and a vulnerability scan console feeding an alert engine that normalizes, correlates, classifies, prioritizes, alerts and releases, with human intelligence; analysis engine stages: resource threshold, pattern matching, protocol, traffic sessions, statistical; instance EC1)

The diagram above depicts an example of a fully configured Cloud Guard Unified Enterprise Cloud Security (UECS) system deployed as Software-as-a-Service (SaaS) within a customer Cloud account.

To start, each Cloud Guard system is deployed with one (1) Master Control Unit (MCU) that provides private web portal access to unified administration, monitoring, ticketing and reporting for all deployed UECS subsystems. Each Cloud account is then configured with a number of individual virtual machine instances that operate as virtual services to host Cloud applications. Although each virtual machine instance within the Cloud account typically has its own virtual firewall configuration to facilitate internet access, only one (1) Detection + Prevention Module (DPM) is installed to provide intrusion detection services for all Cloud application instances. DPMs perform signature detection (IDS), prevention (IPS), and behavioral packet analysis capture. It is important to note that virtualized DPMs are 100% passive devices that receive mirrored traffic from all other monitored application instances running Linux and Windows operating systems. Additionally, the DPM will correlate suspicious network traffic with detected vulnerabilities reported by the Security Dashboard Module (SDM) in order to identify malicious traffic targeting vulnerable devices and applications (for example, detecting SSH-1 network traffic targeting a device vulnerable to an SSH-1 type attack).

Operating within each deployed virtual DPM is a network access policy monitoring feature, used to define secure policies for managing and monitoring access to information and applications across multiple Cloud instances. The Network Security Zones (NSZ) feature defines secure access policies for what employees and groups can access within the network, at what times, and from which location(s). Any violation of established policies will generate an unauthorized access alert.
The NSZ protects against various network intrusions and illicit access, whether from inside or out; provides a clear path to enhanced compliance and auditing requirements; handles security and access for remote and mobile workers; and works with drag-and-drop simplicity.

Figure: Masergy's Cloud Packet Analysis Approach (customer EC2 account with hypervisor, virtual interface(s), customer security groups firewall and physical interface; instances EC1 through ECn; data gathering of raw packet data and signature alerts into signature-based analysis, behavioral analysis and a vulnerability scan console, then an alert engine that normalizes, correlates, classifies, prioritizes, alerts and releases, with human intelligence; analysis engine stages: resource threshold, pattern matching, protocol, traffic sessions, statistical)

Masergy's unique proprietary cloud technology overcomes EC2 restrictions to provide signature detection and network behavior analysis (NBA) & correlation. In addition, Masergy Cloud Guard System Modules operate as EC2 instance(s) within each customer cloud account, while the integrated Vulnerability Scanner supports regulatory compliance requirements.

As the virtual DPM performs signature IDS, suspicious network packets are collected and transmitted to the Behavioral Correlation Module (BCM) for further analysis and behavioral correlation along with the data collected over the preceding days. Initially, behavioral correlation is performed on the data collected within each instance. Next, behavioral correlation is performed on the data collected across all deployed Cloud instances within the Cloud account. Finally, behavioral correlations are performed on the sanitized external data collected across all Masergy Cloud customer accounts. This information is then fed back into each UECS system to provide awareness of global threats that the customer network is vulnerable to but that have not yet occurred within the customer account(s).

Each Cloud account should also have one (1) virtualized Vulnerability Scanner Module (VSM) installed to identify and report vulnerabilities for all deployed Cloud applications to the Behavioral Correlation Module (BCM), the integrated threat management system (the Security Dashboard Module), and the Master Control Unit (MCU). Although most Cloud vendor agreements restrict or prohibit vulnerability scanning, the virtualized VSM is specifically provisioned to scan only applications within the specific customer's own Cloud account. This feature helps to proactively identify vulnerabilities and provide remediation capabilities in advance of any potential exploits, to establish and maintain regulatory compliance (PCI, HIPAA, SOX, etc.), and to provide visual context and correlation of suspicious network activity against vulnerable applications. Scanning only your own account does not by itself satisfy a provider's terms; confirm whether the provider requires prior authorization before enabling the VSM.

A key UECS component used to integrate and unify virtualized Cloud Firewall and application services is the Firewall Syslog Module (FSM).
The primary role of the FSM is to process and archive log events from any log-producing Cloud application based on customized policy-based rules, as well as to generate alerts to the monitoring console for ticketing and incident response. All log events are archived and stored for 1 year and are available for searching and analysis on the 1.5TB of elastic block storage (EBS). Additionally, the FSM is able to natively integrate with Cloud firewall APIs in order to automatically and/or manually block and quarantine malicious traffic.

The last and most compelling component to deploy at each Cloud account is the virtualized Security Dashboard Module (SDM), which acts as a fully integrated threat management system designed to collect, correlate, and prioritize global Cloud alerts, local Cloud alerts, posted vendor alerts, and detected Cloud application vulnerabilities. In this manner, threats are assessed, ranked and prioritized to intelligently focus IT resources on specific remediation activities. Each prioritized threat provides access to forensic information, a comprehensive list of vulnerable assets, associated vulnerability reports, and remediation instructions. It is important to note that the Security Dashboard requires no integration with any 3rd party applications, as it takes the raw packet-level information collected/analyzed by virtualized DPMs, FSMs and BCMs and correlates it with the detected Cloud instances, vulnerability reports, and posted vendor alerts. Further, the SDM is fully automated, requires no complex correlation rules to set up, and requires no configuration and tuning to enable.

HYBRID NETWORK CONFIGURATIONS

Though Cloud Computing services make obvious sense for small internet-based companies and/or startup operations, the lure of Cloud Computing is just as compelling to existing brick-and-mortar companies desiring to expand into what is commonly referred to as a Hybrid Cloud Computing environment.

Figure: Masergy Unified Cloud Security Architecture and Masergy Cloud Packet Analysis in a hybrid deployment (customer EC2 account with hypervisor, virtual interface(s), customer security groups firewall and physical interface; instances EC1 through ECn; data gathering of raw packet data and signature alerts into signature-based analysis, behavioral analysis and a vulnerability scan console; alert engine: normalize, correlate, classify, prioritize, alert, release, with human intelligence; analysis engine: resource threshold, pattern matching, protocol, traffic sessions, statistical; on premise: Internet, core switch, DMZ, client segments, trusted computing base)

A single, high-availability Masergy Unified Cloud Security appliance on your network delivers all of these features:

- Packet and logfile analysis
- IDS/IPS
- Adaptive behavioral analysis
- Vulnerability scanning
- Vendor alerts
- Correlation of data between disparate subsystems
- Asset database
- Unified security dashboard

Within a hybrid deployment environment, the Masergy Virtual Detection + Prevention Module (DPM) connects to the Master Control Unit (MCU) and Behavioral Correlation Module (BCM) for true unified network security.

Like most corporations today, these companies are now faced with the prospect of securing their traditional customer premise equipment (CPE) as well as their new Cloud account. For hybrid environments, Unified Enterprise Security (UES) is provisioned to enable virtualized UECS subsystem elements to be connected back to the physical appliance UES system securing the customer premise equipment. In this manner, a single system can be deployed to unify the CPE and Cloud environments holistically.

CONCLUSION

For a growing number of organizations concerned by the prevalence of high-profile network security breaches, the answer to the high cost, complexity and uncertainty surrounding network security is within reach: a unified, behavioral-based security architecture that is extensible, modular, centrally manageable, and scalable. These capabilities and more are inherent in the Masergy Unified Enterprise Security (UES) solution.

CONTACT MASERGY TODAY

For more information regarding our Unified Enterprise Security and Unified Cloud Security solutions, contact us at 1 (866) or visit us online at

Best Products & Services Reader's Trust Award: Network Products Guide has awarded Masergy the 2009 Best Products and Services - Readers Trust Award for Unified Security.

Global Product Excellence - Customer Trust Award: Masergy is a winner of the Info Security Products Guide 2010 Global Product Excellence - Customer Trust Award for Behavioral Security. The company also won this award in 2009 for Integrated Security.

Tomorrow's Technology Today Award: Masergy is a winner of 2006, 2007, 2008 and 2009 Tomorrow's Technology Today awards from Info Security Products Guide.

Best Deployment Scenario Award: Info Security Products Guide has named Masergy a winner of the 2009 Best Deployment Scenario Award for Managed Security Services.

Product Innovation Award: Masergy's Enterprise UTM++ and All-n-One Security Module for Enterprise UTM have received 2008 and 2009 Product Innovation awards for unified security from Network Products Guide.

Masergy, Inc. All Rights Reserved. All product and company names are the property of their respective owners.


Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Abstract Effective Security Operations throughout both DoD and industry are requiring and consuming unprecedented

More information

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM

More information

Unified Security, ATP and more

Unified Security, ATP and more SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users

More information

nfx One for Managed Service Providers

nfx One for Managed Service Providers NFX FOR MSP SOLUTION GUIDE nfx One for Managed Service Providers With netforensics MSP suite of solutions, you can quickly and effectively ramp up customer security offerings and increase your bottom line

More information

Cyber Security for NERC CIP Version 5 Compliance

Cyber Security for NERC CIP Version 5 Compliance GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...

More information

The Cisco ASA 5500 as a Superior Firewall Solution

The Cisco ASA 5500 as a Superior Firewall Solution The Cisco ASA 5500 as a Superior Firewall Solution The Cisco ASA 5500 Series Adaptive Security Appliance provides leading-edge firewall capabilities and expands to support other security services. Firewalls

More information

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking

More information

The Sumo Logic Solution: Security and Compliance

The Sumo Logic Solution: Security and Compliance The Sumo Logic Solution: Security and Compliance Introduction With the number of security threats on the rise and the sophistication of attacks evolving, the inability to analyze terabytes of logs using

More information

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Effective Threat Management. Building a complete lifecycle to manage enterprise threats. Effective Threat Management Building a complete lifecycle to manage enterprise threats. Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive

More information

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD Protecting your infrastructure requires you to detect threats, identify suspicious

More information

Secure Networks for Process Control

Secure Networks for Process Control Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

IBM QRadar Security Intelligence April 2013

IBM QRadar Security Intelligence April 2013 IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence

More information

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION Table of Contents Executive Summary...3 Vulnerability Scanners Alone Are Not Enough...3 Real-Time Change Configuration Notification is the

More information

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE PRODUCT BRIEF LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE As part of the Tripwire VIA platform, Tripwire Log Center offers out-of-the-box integration with Tripwire Enterprise to offer visibility

More information

McAfee Network Security Platform

McAfee Network Security Platform McAfee Network Security Platform Next Generation Network Security Youssef AGHARMINE, Network Security, McAfee Network is THE Security Battleground Who is behind the data breaches? 81% some form of hacking

More information

Towards End-to-End Security

Towards End-to-End Security Towards End-to-End Security Thomas M. Chen Dept. of Electrical Engineering Southern Methodist University PO Box 750338 Dallas, TX 75275-0338 USA Tel: 214-768-8541 Fax: 214-768-3573 Email: tchen@engr.smu.edu

More information

Caretower s SIEM Managed Security Services

Caretower s SIEM Managed Security Services Caretower s SIEM Managed Security Services Enterprise Security Manager MSS -TRUE 24/7 Service I.T. Security Specialists Caretower s SIEM Managed Security Services 1 Challenges & Solution Challenges During

More information

IBM Security Intelligence Strategy

IBM Security Intelligence Strategy IBM Security Intelligence Strategy Delivering Insight with Agility October 17, 2014 Victor Margina Security Solutions Accent Electronic 12013 IBM Corporation We are in an era of continuous breaches Operational

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software

More information

24/7 Visibility into Advanced Malware on Networks and Endpoints

24/7 Visibility into Advanced Malware on Networks and Endpoints WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction

More information

Network Performance + Security Monitoring

Network Performance + Security Monitoring Network Performance + Security Monitoring Gain actionable insight through flow-based security and network performance monitoring across physical and virtual environments. Uncover the root cause of performance

More information

Secure Cloud-Ready Data Centers Juniper Networks

Secure Cloud-Ready Data Centers Juniper Networks Secure Cloud-Ready Data Centers Juniper Networks JUNIPER SECURITY LEADERSHIP A $1B BUSINESS Market Leadership Data Center with High- End Firewall #1 at 42% Secure Mobility with SSL VPN #1 at 25% Security

More information

The Value of QRadar QFlow and QRadar VFlow for Security Intelligence

The Value of QRadar QFlow and QRadar VFlow for Security Intelligence BROCHURE The Value of QRadar QFlow and QRadar VFlow for Security Intelligence As the security threats facing organizations have grown exponentially, the need for greater visibility into network activity

More information

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4) Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware

More information

Database Security in Virtualization and Cloud Computing Environments

Database Security in Virtualization and Cloud Computing Environments White Paper Database Security in Virtualization and Cloud Computing Environments Three key technology challenges in protecting sensitive data Table of Contents Securing Information in Virtualization and

More information

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide

More information

Choose Your Own - Fighting the Battle Against Zero Day Virus Threats

Choose Your Own - Fighting the Battle Against Zero Day Virus Threats Choose Your Weapon: Fighting the Battle against Zero-Day Virus Threats 1 of 2 November, 2004 Choose Your Weapon: Fighting the Battle against Zero-Day Virus Threats Choose Your Weapon: Fighting the Battle

More information

Alcatel-Lucent Services

Alcatel-Lucent Services SOLUTION DESCRIPTION Alcatel-Lucent Services Security Introduction Security is a sophisticated business and technical challenge, and it plays an important role in the success of any network, service or

More information

Boosting enterprise security with integrated log management

Boosting enterprise security with integrated log management IBM Software Thought Leadership White Paper May 2013 Boosting enterprise security with integrated log management Reduce security risks and improve compliance across diverse IT environments 2 Boosting enterprise

More information

Managed Security Services for Data

Managed Security Services for Data A v a y a G l o b a l S e r v i c e s Managed Security Services for Data P r o a c t i v e l y M a n a g i n g Y o u r N e t w o r k S e c u r i t y 2 4 x 7 x 3 6 5 IP Telephony Contact Centers Unified

More information

Endpoint Security More secure. Less complex. Less costs... More control.

Endpoint Security More secure. Less complex. Less costs... More control. Endpoint Security More secure. Less complex. Less costs... More control. Symantec Endpoint Security Today s complex threat landscape constantly shifts and changes to accomplish its ultimate goal to reap

More information

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Solution Brief Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Finding

More information

BlackStratus for Managed Service Providers

BlackStratus for Managed Service Providers BLACKSTRATUS FOR MSP SOLUTION GUIDE PAGE TM BlackStratus for Managed Service Providers With BlackStratus MSP suite of solutions, you can quickly and effectively ramp up customer security offerings and

More information

PCI DSS Top 10 Reports March 2011

PCI DSS Top 10 Reports March 2011 PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,

More information

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become

More information

Advantages of Managed Security Services

Advantages of Managed Security Services Advantages of Managed Security Services Cloud services via MPLS networks for high security at low cost Get Started Now: 877.611.6342 to learn more. www.megapath.com Executive Summary Protecting Your Network

More information

Avoiding the Top 5 Vulnerability Management Mistakes

Avoiding the Top 5 Vulnerability Management Mistakes WHITE PAPER Avoiding the Top 5 Vulnerability Management Mistakes The New Rules of Vulnerability Management Table of Contents Introduction 3 We ve entered an unprecedented era 3 Mistake 1: Disjointed Vulnerability

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

IBM Security QRadar Vulnerability Manager

IBM Security QRadar Vulnerability Manager IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security

More information

FIVE PRACTICAL STEPS

FIVE PRACTICAL STEPS WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND

More information

IDS or IPS? Pocket E-Guide

IDS or IPS? Pocket E-Guide Pocket E-Guide IDS or IPS? Differences and benefits of intrusion detection and prevention systems Deciding between intrusion detection systems (IDS) and intrusion prevention systems (IPS) is a particularly

More information

Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2

Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2 Sponsored by McAfee Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2 May 2013 A SANS Whitepaper Written by Dave Shackleford The ESM Interface Page 2 Rapid Event

More information

SELECTING THE RIGHT HOST INTRUSION PREVENTION SYSTEM:

SELECTING THE RIGHT HOST INTRUSION PREVENTION SYSTEM: SELECTING THE RIGHT HOST INTRUSION PREVENTION SYSTEM: 12 Key Questions to Ask Executive Summary Host Intrusion Prevention Systems (HIPS) complement perimeter defenses, and play a vital role in protecting

More information

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs White Paper Meeting PCI Data Security Standards with Juniper Networks SECURE ANALYTICS When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs Copyright 2013, Juniper Networks,

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information