MEETING CSIP OBJECTIVES WITH AN AUTOMATED AND PREVENTIVE SECURITY APPROACH

Transcription

1 MEETING CSIP OBJECTIVES WITH AN AUTOMATED AND PREVENTIVE SECURITY APPROACH A Palo Alto Networks and Channel Partner Case Study Every day, the U.S. federal government experiences increasingly sophisticated and persistent cyberthreats. The government is expending significant resources to ensure the cybersecurity of federal networks, systems and data remains a top priority. Palo Alto Networks White Paper

2 Executive Summary Every day, the U.S. federal government experiences increasingly sophisticated and persistent cyberthreats. The government is expending significant resources to ensure the cybersecurity of federal networks, systems and data remains a top priority. This white paper: Gives a short backgrounder on the U.S. government s Cybersecurity Strategy and Implementation Plan (CSIP). Describes how the Palo Alto Networks Next-Generation Security Platform enables U.S. federal agencies to identify and protect High Value Assets (HVAs) and information and detect and rapidly respond to cyber incidents. Provides a case study on how one U.S. federal agency used Palo Alto Networks to help meet CSIP objectives. Background: The Cybersecurity Strategy and Implementation Plan (CSIP) The U.S. government s 2015 Cybersecurity Strategy and Implementation Plan (CSIP), which was published in response to an increase in information security incidents against U.S. government systems, highlights the need to secure U.S. federal High Value Assets (HVAs). 1 The definition of an HVA varies by agency, but any data whose unauthorized release could compromise the security of the United States or its citizens qualifies. The core issue which CSIP addresses is that: Across the Federal Government, a broad surface area of legacy systems with thousands of different hardware and software configurations contains vulnerabilities and opportunities for exploitation. Additionally, each Federal agency is responsible for managing its own IT systems, which, due to varying levels of cybersecurity expertise and capacity, generates inconsistencies in capability across government. 2 In pursuit of the goal of improving federal cybersecurity, CSIP focuses on the following five objectives: 1. Prioritized identification and protection of HVAs and information. Agencies must identify the value of the information on their systems and networks; the IT assets used to store, process and transmit that information; and the assets and capabilities that enable mission-essential functions and the delivery of critical public services. Protecting these assets and information includes tightening and monitoring privileged user policies, practices and procedures; implementing such services as encryption, mobile security, and network segmentation; addressing critical vulnerabilities; and scanning for indicators of compromise. 2. Timely detection of, and rapid response to, cyber incidents. The U.S. Department of Homeland Security (DHS) is accelerating the deployment of Continuous Diagnostics and Mitigation (CDM) and Einstein (netflow, intrusion detection and intrusion prevention) to all participating federal agencies and continuing to build advanced protections on these platforms. Some agencies are also sharing and receiving cyberthreat information with other agencies and the private sector, which allows network defenders to block intrusions before they cause damage. 3. Rapid recovery from incidents when they occur and accelerated adoption of lessons learned. The U.S. Office of Management and Budget (OMB) will issue incident response best practices for use by federal agencies and is providing guidance on how to recover from cyber events. 4. Recruitment and retention of the most highly qualified cybersecurity workforce talent the federal government can bring to bear. Here, CSIP efforts include compiling special hiring authorities (by agency) that can be used to hire cybersecurity and IT professionals across government. 5. Efficient and effective acquisition and deployment of existing and emerging technology. The U.S. government s CIO Council will facilitate efforts to rapidly deploy emerging technologies at federal agencies. How Palo Alto Networks Helps Agencies Meet CSIP Objectives The Palo Alto Networks Next-Generation Security Platform is comprised of our natively integrated Next- Generation Firewall, cloud-based or on-premises threat intelligence, and Advanced Endpoint Protection. Because these capabilities are natively built into the platform and designed to deliver highly automated preventive measures against cyberthreats, the platform ensures superior security compared to legacy point technologies, such as stateful inspection firewalls, Unified Threat Management (UTM), or endpoint security products. This approach reduces network complexity and saves time, money, equipment, bandwidth and, most importantly, the amount of people needed to perform the vital security functions. Through this platform approach, Palo Alto Networks facilitates integration with other technologies via robust APIs, supporting the plug-and-play dynamic. The Palo Alto Networks platform includes a range of capabilities that are helping agencies achieve CSIP objectives Palo Alto Networks White Paper 2

3 THREAT INTELLIGENCE CLOUD AUTOMATED CLOUD NATIVELY INTEGRATED NET WORK ENDPOINT EXTENSIBLE NEXT-GENERATION FIREWALL ADVANCED ENDPOINT PROTECTION Figure 1: Palo Alto Networks Next-Generation Security Platform Architecture Identifying and Protecting High Value Assets and Information Most firewalls focus on protection and offer limited functionality at a discrete point on the network perimeter. Every Palo Alto Networks platform includes vulnerability protection, antivirus, anti-spyware, URL filtering, and zero-day threat prevention. The platform also includes file type identification to identify, categorize and log all files traversing the HVA. These capabilities all communicate with each other, improving security efficiency and effectiveness. When a never-before-seen threat is discovered, the platform creates a new signature to block it and pushes it to every deployed platform within five minutes. However, three unique capabilities supported by every Palo Alto Networks Next-Generation Security Platform enable agencies to 1) easily identify and then 2) control the content, applications and users on their network in a very granular way. They are: Traffic classification technology, with a feature called App-ID, automatically identifies and categorizes applications on your network. It recognizes more than 2,000 applications, including web applications. With App-ID, agencies can see which HVA applications are used or unused, unauthorized applications on the network, and whether applications are using custom or default ports. Identification of content that could be malicious on your network, a capability called Content-ID, uses multiple advanced threat prevention technologies, including IPS, anti-malware including unknown malware URL filtering, etc. in a single, unified engine. Using Content-ID, agencies can limit unauthorized data and file transfers; detect and block exploits, malware, and dangerous or unauthorized web surfing; and detect and block targeted and unknown threats. User identification, called User-ID, verifies user identities not just IP addresses using enterprise directories, terminal services offerings or Microsoft Exchange. While not required for HVA identification and protection, User-ID can provide additional context around who is accessing those HVAs. Using the information provided by App-ID, Content-ID and User-ID, agencies can simplify policy controls tying privilege and permissions contextually for all three while building a Zero Trust environment where only those things required for the mission are allowed. Beyond these capabilities available for every Palo Alto Networks platform, agencies often take advantage of a Security Lifecycle Review (SLR) to identify and protect HVAs. The SLR passively gathers data gathered from an agency s network to identify and summarize security risks, informing new security policy and controls. Common discoveries include unauthorized applications, access of malicious websites, non-work-related activity, and malware and spyware violations. Timely Detection and Rapid Response to Cyber Incidents The threat intelligence capabilities of Palo Alto Networks are designed to automatically detect and prevent cyberthreats, and inform an agency s ongoing response to cyberthreats. In addition to using the platform to identify known threats, agencies use WildFire to identify and protect HVAs and critical information against newly discovered threats in near-real time. WildFire offers advanced protection from unknown threats. WildFire automatically discovers previously unknown threats and deploys protections against threats throughout our customer base within five minutes of discovery. Palo Alto Networks White Paper 3

4 Palo Alto Networks AutoFocus contextual threat intelligence service analysis tool provides security teams with the ability to rapidly screen out all but the most important threats and indicators of compromise (IOCs) to the organization s mission and function. AutoFocus enables analysts to focus on the IOCs and threats most relevant to the government organization instead of chasing irrelevant threat information. Unit 42 is a team of cyberthreat researchers and industry experts analyze the latest cyberthreats and actors and share the results of their analysis with customers and the broader community. The Cyber Threat Alliance, a group of the market s leading cybersecurity vendors and co-founded by Palo Alto Networks, have come together to share threat intelligence on advanced attacks, their motivations, and the tactics of the malicious actors behind them. Rapid Recovery From Incidents and Accelerated Adoption of Lessons Learned The identification and prevention capabilities of Palo Alto Networks dramatically reduce the likelihood that an organization will need to undergo a large-scale recovery from a cyber incident. However, the integrated tools also stop and contain cyber incidents and provide a significant foundation to launch a recovery, if needed. By leveraging both our human (Unit 42 and the Cyber Threat Alliance) and automated (WildFire) intelligence analysis with near-real time protection against unknown threats, agencies benefit from a self-learning, self-healing ecosystem that discovers previously unknown threats in near-real time, produces the mitigations for those threats, and deploys the protections to every member of our client base worldwide every five minutes. This not only helps you rapidly recover from threats knocking on your organization s door but also immunizes you against those of any client of Palo Alto Networks or any other contributing members of the Cyber Threat Alliance. Federal Customer Case Study Infrastructure and Challenges Palo Alto Networks and channel partner Squadra Solutions combined technology and operational expertise at a large U.S. federal cabinet-level agency to assist in its CSIP implementation. The project focused on the first two of the five CSIP objectives: identifying and protecting HVA, and enabling timely prevention and recovery from cyber incidents. The agency s traditional data center architecture had the following characteristics: A large, centralized collection of various legacy systems with widely varying levels of security. A data center perimeter protected with external-facing firewalls. A DMZ, which enabled access to select systems by citizens, other agencies, business partners, and other non-employees. CSIP Objective #1: Identify and Protect High Value Assets To identify and protect HVAs, the team adopted a three-phase approach: 1. Environment Analysis 2. Application Identification and Policy Development 3. Policy Enforcement and Protection of the HVA Stage One: Environment Analysis Documentation Review The Palo Alto Networks team reviewed existing data center infrastructure documentation such as the current systems security plan and network and system diagrams to better understand the existing architecture. This included gathering data from the existing environment, such as network configurations, reports from monitoring tools, and flow data to baseline and understand the traffic. This is an important step for capacity planning and to access any possible network re-architecture. The team discovered that, due to the proliferation of legacy systems, enterprise-wide system patching was a challenge, and that documentation of the as-is environment was incomplete and poorly organized. Even more significantly, there was no easy way to identify existing traffic or implement network segmentation to secure HVA within the data center. Security Lifecycle Review The first step of a Palo Alto Networks Security Lifecycle Review (SLR) risk assessment report involves deploying the Palo Alto Networks Next-Generation Security Platform in tap mode 3, which passively monitors network traffic without preventing or blocking any connections. For a week, the platform profiled all traffic in and out 3 For more information, see How to Configure a Palo Alto Networks Device for Tap Mode Operation. Palo Alto Networks White Paper 4

5 of the HVA environment for application, threats and traffic usage. The SLR also makes it possible to verify applications and threats that have been identified during the documentation review. Collecting and analyzing network traffic enabled the Palo Alto Networks team to immediately start profiling the environment and detecting threats in real time. Using the data from the SLR, the team created a customized report that identified: All applications used on the network Source and destination networks of all communications Total scope of unknown threats observed Percent of malware undetected by third-party antivirus solutions Zero-day malware and advanced persistent threats identified by WildFire Application threat vectors and malicious file types Report and Alert Creation Once the team collected and analyzed the data center s network traffic data, they created alerts for commonly seen threats. The Palo Alto Networks Next-Generation Security Platform offers robust logging and reporting capabilities that enable real-time analysis of the environment and historical reporting and trending capabilities for traffic validation. The team used a variety of default and custom reports to begin the process of comprehensive, advanced policy development. Stage Two: Application Identification and Policy Development Once Stage One collected sufficient data, the team reconfigured the platform to run in virtual wire (VWire) mode by installing it on a network segment with two ports bound together. An advantage to this approach is it does not require any changes to adjacent network devices, IP addresses, or VLANs. To enable HVA policy development, the team configured data center distribution or core switches to selectively forward only HVA traffic (via VLANs) to the Palo Alto Networks platform. Using the information gathered during Stage One, the team created security rules for inbound and outbound communication from the HVA environment, grouping similar approved applications such as database, web apps, Microsoft, management, infrastructure and others together per traffic direction. For additional security visibility, the team configured threat protection, URL and data filtering profiles. To ensure the firewall would not block any essential communication, the team implemented a Catch All Allow security rule to explicitly allow all communication not defined by other rules. The team also created custom reports, such as Top Applications, Top Ports by Application, Top Sources and Destinations, Top Security Rules, Traffic matching the Catch All Allow rule, and more. These reports provide valuable data for baselining and allow the agency to efficiently profile traffic without time-consuming manual log reviews. Any applications using non-standard ports or protocols, or unknown applications, were reviewed with system owners. If allowed, new policies were developed for these valid applications. Continuous monitoring and review of logs and custom reports allowed the team to fine-tune policies. Identify Source and Destination Once the majority of the application communications were identified, the next step was to continue traffic profiling to include filtering by source and destination IP addresses while maintaining ports and protocols from the previous phase. By the end of this phase, the security policy identified and approved authorized applications, ports and protocols, as well as source and destination networks affecting the HVA environment. Stage Three: Policy Enforcement and HVA Protection Entering Stage Three, all approved application traffic was associated with its specific security policy and only unapproved traffic triggered the Catch All Allow rule. To enforce active protection of HVAs, the agency discontinued simple alerting and shifted to active blocking of known threats (antivirus, zero-day malware reported by WildFire, anti-spyware, and URL category). Disabling the Catch All Allow rule and creating a new Explicit Deny rule at the end of the policy list served to block and log all denied traffic. With this change, the platform enforces a Zero Trust policy and performs positive security enforcement by denying all traffic that is not expressly allowed while maximizing the visibility and prevention of threats. This stage also included developing recommendations and implementing architecture changes, such as IP address changes and integrating with third-party products. Palo Alto Networks White Paper 5

6 CSIP Objective #2: Rapidly Detect and Respond to Cyber Incidents With the above policies in place, the agency was able to rapidly detect and respond to incidents. Only explicitly allowed traffic enters the HVA environment while the security platform blocks and logs all other traffic for further forensic analysis. Both known (signature-based) and unknown (zero-day) malware is blocked, as well as attempts by attackers to infiltrate the system with the command and control elements of a botnet. This new security environment sends custom reports and alerts to network administrators in near-real time so that they can quickly evaluate threats and take appropriate action. Applicability to Continuous Diagnostics and Mitigation (CDM) As a part of our CSIP support, the Palo Alto Networks Next-Generation Security Platform also helps government agencies meet many requirements of the Continuous Diagnostics and Mitigation (CDM) program 4. One of the key goals of CDM is to establish agency- and government-wide dashboards that: Enable network administrators to know the state of their respective networks at any given time. Inform them about the relative risks of threats. Make it possible for system personnel to rapidly identify and mitigate flaws. Palo Alto Networks Panorama TM network security management enables administrators to centrally manage the process of configuring devices, deploying security policies, performing forensic analysis, and generating reports across an agency s entire network of virtual or physical appliances. Available as either a virtual appliance or a dedicated management platform, Panorama and individual device management interfaces share the same web-based look and feel, ensuring workflow consistency and minimizing any learning curve or delay in executing the task at hand. Palo Alto Networks is committed to reducing the burden of manual integration on customers by providing tools that integrate into the broader network operations and the larger cyber ecosystem. Our technical partnerships with select companies and technologies including Splunk, VMware, Proofpoint, Tanium, Amazon Web Services, and Microsoft Azure complement the core capabilities of our platform. Customers leverage our REST APIs to integrate our platform with other technologies. Whether satisfying the common requirements under the various phases of CDM, meeting broader needs defined by the CSIP, or delivering tailored capabilities set by individual agencies, Palo Alto Networks leverages automation and integration to help customers defend their networks more efficiently. Summary With the publication of the Cyber Security Implementation Plan, securing a government agency s HVA environment is no longer optional. Products and services from Palo Alto Networks are helping agencies develop a prevention-first mindset and a roadmap to meet the requirements of the CSIP and CDM programs. With complete visibility into applications, content and users, agencies can grant employees access to the content and applications they need to perform tasks in support of the mission while proactively detecting, preventing and, when necessary, responding to cyber incidents. For more information on Palo Alto Networks support for government, please visit government. To learn more about CSIP support from Palo Alto Networks, our Security Lifecycle Review, or how to best prepare your agency to protect HVAs, please contact Palo Alto Networks or your local account representative Great America Parkway Santa Clara, CA Main: Sales: Support: Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pan-csip-wp