Building the Airtight Financial Institution: Risk-Aware Network Visualization

Transcription

1 A UBM tech white paper FEBRUARY 2013 Building the Airtight Financial Institution: Risk-Aware Network Visualization Financial institutions face an increasingly difficult challenge from persistent and virulent attacks. Drawing on limited resources, IT security teams have to protect complex networks that are growing in size and complexity. A new approach to network device and access management is helping IT security teams detect vulnerabilities, prioritize mitigation approaches and enable a safer deployment of configuration changes to network devices. Brought to you by

2 Building the Airtight Financial Institution: Risk-Aware Network Visualization Financial institutions face an increasingly difficult challenge from persistent and virulent attacks. Drawing on limited resources, IT security teams have to protect complex networks that are growing in size and complexity. A new approach to network device and access management is helping IT security teams detect vulnerabilities, prioritize mitigation approaches and enable a safer deployment of configuration changes to network devices. 2 All it takes is one misconfigured port. One afternoon in a distant branch office of a global financial institution, an overworked network administrator makes a small change to a server located in the DMZ, a term (derived from demilitarized zone ) that refers to a physical or logical subnetwork that provides a buffer zone between an organization s private network and the Internet or other public networks. By design, systems in the DMZ are maintained separately from systems behind the corporate firewall. Customer-facing applications in the DMZ are isolated in a separate subnetwork from core enterprise systems, and can access enterprise data only through carefully defined channels. External-facing systems are subject to a constant barrage of attacks, and it s not always possible to maintain an airtight defense. There are simply too many urgent change requests from the business, too many developers, too few QA testers, and too immature a deployment process to prevent all vulnerabilities. One of the purposes of maintaining a DMZ perimeter is to limit the exposure resulting from attacks, making sure that a compromised external system does not lead to a compromised internal system. When implemented correctly, a secure DMZ denies an attacker internal access even if the first lines of defense are breached. Yet, when the branch-office network administrator makes that small change to a firewall or server configuration, the barrier between the DMZ and the internal network can potentially be left unlocked. Suppose an attacker had already breached the initial lines of defense undetected and had introduced a hidden process designed to probe for any of a long list of common server configuration errors. By automatically detecting the server configuration change, the hidden process could seize the opportunity to introduce a viral payload into the internal enterprise network. Even if the network vulnerability were fixed the next morning by an alert member of the IT security team, the damage would have already been done. Unfortunately, that scenario is no longer hypothetical. Time and again, major enterprises have suffered financial losses, operational difficulties, information leakage and reputational damage as a result of exploits that take advantage of network security vulnerabilities of this type. The attacker may not even be after money. In addition to the financially motivated theft of data or information, hacktivism, which combines technological sophistication with a political agenda, is on the rise. Driven not by profits but by the intent to inflict financial or reputational harm to targets, hacktivists have many ways to inflict damage beyond simple theft. Personal financial data released to the public causes crises of confidence; leaked internal memos cause irremediable reputational damage; and havoc in the data center constrains a bank s operational abilities and provides a useful diversion for a variety of fraudulent activity until well after a problem has been brought under control.

3 3 Network Complexity and Talent Constraints Two significant factors affect the state of IT security: increasing network complexity and continued constraints on the availability of talent. Both factors inhibit the visibility of network risks. IT networking technology has enabled organizations to expand domestically and internationally, allowing remote employees to work in ad hoc teams and to communicate through a wide range of devices and channels. A single employee may juggle a PC, laptop, tablet and smartphone to connect with dozens of applications specific to a given location, a given business unit or department, or the enterprise as a whole. Each device and application represents a separate host system, which for a large enterprise may number in the hundreds of thousands. Behind the scenes, these hosts are supported by perhaps tens of thousands of network devices, including physical devices with their own power supplies (think network routers, switches and hubs), virtual devices (firewalls and load balancers), and hybrid devices that bridge hardware and software capabilities. Time and again, major enterprises have suffered financial losses, operational difficulties, information leakage and reputational damage as a result of exploits that take advantage of network security vulnerabilities. IT staffing of networking professionals can t keep pace with the expanded deployment of network devices. In addition to budget and headcount constraints, IT departments are experiencing the graying of their network workforce. According to the InformationWeek 2012 U.S. IT Salary Survey, networking and data center staff have a median 17 years experience, while managers have 20. Yet networking is unlikely to attract a huge influx of new talent to replace the seasoned veterans. Although these jobs are relatively stable compared to other IT positions, more than 50 percent of networking and data center IT professionals received raises of less than 5 percent last year or have had their pay frozen. With the top IT talent heading to application development and other areas with high base salaries and good prospects, it may become difficult to ensure a pipeline of qualified networking professionals without relying more on outside contractors or on-the-job training for less-seasoned employees. The prospect of an aging workforce without an adequate supply of replacement workers should raise alarms for CIOs responsible for maintaining the integrity of enterprise networks. Making and fixing mistakes may be an essential part of the learning process, but enterprises can ill afford to place critical network infrastructure under the care of untested personnel, especially when one small mistake can lead to massive exposure. The challenge is particularly acute for financial institutions in the wake of the global financial crisis. Adding to the pressure from financial losses, the resulting regulatory efforts have eliminated revenue streams while mandating extensive changes to existing business processes. As a result, IT resources at large banks are stretched extremely thin as IT organizations cut headcount to meet cost-reduction targets. At the same time, banks remain under attack from criminals, hacktivists and even state-sponsored attackers. Risky Change-Control Processes Financial services organizations need a way to increase the overall safety of the IT network, so that configuration errors and other vulnerabilities are detected and prevented before they re deployed. Because the human resources can t scale at the same rate as network resources, IT departments must find ways to automate deployment and management. Technology must supplement the inevitable transition to fewer or less-experienced network professionals. The core problem is that it s so easy to introduce an error when taking advantage of the capabilities of powerful network devices. Each network device has its own parameters and protocols; getting the most out of them requires a certain amount of expertise and experimentation. Furthermore, the potential for error grows dramatically given a heterogeneous pool of networking equipment running on an endless variety of hardware devices and network topologies. As complexity increases, it becomes more difficult to avoid introducing an out-of-date patch level on a device, the use of a default password, or any other such errors or deviations from best practices. Deploying new network equipment and making changes to existing configurations is a time-consuming and expensive endeavor for network security experts. As part of the typical change-control process, an IT specialist has to wait for a maintenance window to make changes, during which time affected systems are down. In financial services, this is a particularly challenging

4 4 limitation, as customers have grown to expect 24/7 availability to initiate payments, check balances and perform other banking services. As part of the changes implemented during the maintenance window, security implications are assessed through a comprehensive security scan. For each change implemented, an IT specialist has to conduct a manual scan to detect whether any hosts have been exposed, which can take four to five hours of hands-on work. Given the risks involved, the task requires high levels of expertise, and the risks associated with a mistake at this stage are large. Building a Better Network Map Network professionals have access to a range of diagnostics tools. Some tools poll the network to create a map of enterprise network resources, whether for inventory control, access management or troubleshooting. Other tools monitor network traffic across a given set of nodes, whether to detect anomalous behavior for security purposes, or to maintain quality-of-service for employees, customers and partners. However, to date the available tools have not yet solved the fundamental safety problem: the difficulty of change-control processes in increasingly complex enterprise networks. As complexity increases, it becomes more difficult to avoid introducing an out-of-date patch level on a device, the use of a default password, or any other such errors or deviations from best practices. A promising new approach to network security from RedSeal Networks makes network management safer and more secure by using a staged approach to network device configuration management, which protects against inadvertent introduction of errors into public-facing networks. Like previous generations of network visualization tools, the RedSeal 6 Platform builds a visual model of the entire enterprise network. The visualization shows in a single, expandable enterprise view all of the devices contained within the network layer and transport layer (layers 3 and 4 of the OSI model), including firewalls, routers, load balancers and wireless controllers. The key innovation is that on top of this network visualization, RedSeal overlays host vulnerability data, using information sourced from leading vulnerability management solutions (such as Rapid7 and ncircle). This vulnerability overlay turns the network visualization into a powerful threat-modeling tool that generates actionable recommendations. Each and every network device is analyzed in terms of how well it conforms to best practices in security and network management, with any known configuration errors quickly identified. By performing a risk-focused network assessment, RedSeal can identify directly exposed vulnerabilities in the network and discern the presence of a chain of vulnerabilities that, unaddressed, would allow an attacker to leapfrog through multiple network devices, networks and applications. The vulnerabilities identified are then rankordered in terms of severity and their topographical location in the network, allowing remediation to be prioritized to address the most exposed issues first. From a diagnostic and remediation standpoint, the RedSeal approach offers tremendous security benefits in its ability to identify complex vulnerabilities involving multiple devices, and then give network managers precise, ordered instructions on how to proceed. The Benefits of Virtual Management of Network Devices Once existing problems have been thoroughly remedied, the important next step is to avoid new problems. RedSeal gives financial services IT organizations an entirely new approach to the change-control model for network device management. As a general principle, IT shouldn t make edits to production code without testing those changes on a development server first, then on a test server (ideally, a replica of the production server that simulates production workload and equipment). That way, any problem in the new code can be fixed before the code goes live. Yet it s still common practice for network managers to make changes to configuration files on network devices that are actively in production. The same bank that would go through a tightly scripted, months-long, staged process for deploying a new set of features on the bank website may rush through a list of risky router configuration changes during a four-hour overnight maintenance window. RedSeal adds a staged deployment process to these network device configuration changes. Instead of tinkering with online network components, network managers can work offline using a simulated enterprise network. The offline approach preserves network performance for

5 5 active applications, while reducing the opportunity for attackers to take advantage of temporary network security exposures. Offline configuration enables what-if analysis for making changes. For example, a network manager might simulate opening a port on a firewall, and then perform a virtual scan to detect which hosts might be exposed as a result. Such problems can be discovered and mitigated before the configuration changes are propagated to the live network. Creating a staged deployment process for configuration changes also helps to ensure that internal and external policies and procedures are being followed. For the first time, IT departments can create and enforce effective policies for installing, configuring and changing network devices, based on the sound principle that changes should be thoroughly tested in an offline setting before going online. From a resource and training standpoint, the ability to make safe and auditable device configuration changes means that new employees can get up to speed on the available technology without the pressure of working on live equipment. Furthermore, experienced networking professionals should be able to get the most from existing equipment, deploying advanced features that can be more thoroughly tested in an offline environment. By improving capacity at reduced levels of risk, enterprises will benefit from increased productivity, higher bandwidth and greater flexibility in enterprise networks. The Airtight Network Attacks on financial institutions aren t going away. From a network security point of view, the soundest approach is to make sure that enterprise networks are completely airtight, protected at each and every network device against virulent vectors of attack in a hostile operating environment. New technology from RedSeal visualizes the entire network, identifies potential host vulnerabilities, prioritizes mitigation efforts and enables offline validation of configuration changes before they re exposed to the world. This disciplined approach to network device management provides proactive protection against security breaches, frees up the time of IT security professionals and unlocks the power of IT networking hardware. To find out more about the RedSeal 6 Platform, visit ABOUt redseal redseal Networks is the leading provider of proactive enterprise security management solutions that enable businesses and government agencies to visualize their security posture, continuously audit and monitor IT compliance and eliminate risks associated with cyber-theft. RedSeal delivers the industry s most powerful network and security operational insights using patented network visualization and predictive threat modeling. For more information, visit RedSeal at UBM LLC. All rights reserved.