ACI Quarterly Newsletter


Network Security Management

ACI markets security management services to client organizations that present a broad spectrum of network topologies, from very small and simple to very large and complex. Support needs vary tremendously with the size and maturity of the network, but network security in general starts with basic system configuration: firewalls, routing, spam filtering, Internet filtering, role-based user accounts (in the domain as well as on local devices), file and directory permissions, anti-malware defenses, and even printer security. Only once these basic protections are in place and configured properly can an advanced security management program be built on that foundation.

In any network, the two most important elements to control are user accounts and endpoint devices (servers and workstations). HIPAA and PCI DSS security requirements call for individual accountability (no shared or generic accounts) and restricted access, almost all of which can be enforced through domain management (i.e. Active Directory or equivalent role-based access controls). You must also protect network resources against your insiders, both to fend off malicious user activity and to contain malware that, running on a compromised machine inside your perimeter, operates with that insider's credentials and permissions. HIPAA requires covered entities to implement 'reasonable and appropriate' safeguards; these two areas would certainly be part of any reasonable effort to protect PHI and PII, yet they are overlooked or oversimplified far too often.

Once you have visibility and control over the basics noted above, you can begin to address the two most critical threats to your enterprise: intrusion (unauthorized inbound network access) and exfiltration (unauthorized outbound removal of data). Intrusion detection (IDS) and intrusion prevention (IPS) systems analyze network traffic, primarily at Internet gateways and firewalls, to alert on suspicious activity and, with some products, look up the intruder's origin and/or automatically block the inbound threat. Exfiltration is a much tougher nut to crack, because it requires knowing where your critical data is stored, how and where it is used, and even when it is used. Outbound traffic has to be monitored on several levels, including file transfers, web traffic, mail servers and other messaging applications. To be thorough, outbound monitoring must also inspect encrypted (TLS) traffic, which requires proxy servers and/or modern firewalls that act as a middleman when a secure tunnel is established out of your organization, giving the company visibility into the content, context and data being transmitted. Two practical caveats apply: the inspecting device's certificate authority must be trusted by every managed endpoint, and applications that pin their certificates will fail rather than accept the substituted one, so those flows must be explicitly bypassed or blocked; every bypass is a blind spot whose volume and destinations still need to be watched. PCI DSS requires intrusion-detection and/or intrusion-prevention techniques to be in place to protect cardholder data. Products that protect against intrusion or exfiltration are costly to install and complex to configure, yet the cost of not protecting your enterprise can be far greater in fines, litigation, lost business and regulators' attention.
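
The volume-and-destination monitoring described above, as an added example that is not part of ACI's tooling or any product's logic: it sums outbound bytes per source/destination pair from a constructed, simplified proxy log, skips destinations where large uploads are sanctioned, and flags pairs by absolute upload volume or by an upload/download ratio that only a data push produces. The log format, the thresholds and the sanctioned-destination list are all assumptions here. It also records whether the proxy actually saw the content (a CONNECT tunnel that is not TLS-inspected yields metadata only), which is exactly the gap the paragraph describes.

```python
"""Flag likely data exfiltration in outbound web-proxy logs.

This is an added example, not ACI's tooling or any product's logic. The
log format is a constructed, simplified one (one request per line):

    <epoch> <src_ip> <user> <method> <dst_host> <bytes_out> <bytes_in>

Thresholds and the sanctioned-destination list are assumptions that would
be tuned against a baseline of the organization's normal outbound traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds: total upload volume per (source, destination) pair, and an
# upload/download ratio that only counts once the upload itself is non-trivial.
UPLOAD_BYTES_THRESHOLD = 50 * 1024 * 1024   # 50 MiB
UPLOAD_RATIO_THRESHOLD = 5.0
RATIO_MIN_BYTES_OUT = 512 * 1024            # 512 KiB

# Assumed list of destinations where large uploads are expected and sanctioned.
SANCTIONED_UPLOAD_DESTINATIONS = {"sharepoint.example.com"}

# Constructed sample log; addresses and hostnames are fictitious.
SAMPLE_LOG = """\
1700000000 10.1.2.10 jdoe GET www.example.com 512 48000
1700000010 10.1.2.10 jdoe POST sharepoint.example.com 30000000 2000
1700000020 10.1.2.55 svc-backup CONNECT drop.example-storage.net 26000000 4000
1700000030 10.1.2.55 svc-backup CONNECT drop.example-storage.net 27000000 4000
1700000040 10.1.2.77 asmith POST paste.example.net 900000 1200
1700000050 10.1.2.88 rlee GET cdn.example.org 300 9000000
"""


@dataclass(frozen=True)
class Finding:
    src_ip: str
    user: str
    dst_host: str
    bytes_out: int
    bytes_in: int
    content_inspected: bool   # False for CONNECT tunnels unless TLS inspection is in place
    reasons: tuple


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src_ip, user, method, dst_host, bytes_out, bytes_in = line.split()
    return {"ts": int(ts), "src_ip": src_ip, "user": user, "method": method,
            "dst_host": dst_host, "bytes_out": int(bytes_out), "bytes_in": int(bytes_in)}


def aggregate_by_pair(log_text):
    """Sum traffic per (source IP, destination host) pair over the whole log."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "user": "", "tunnelled": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        agg = totals[(rec["src_ip"], rec["dst_host"])]
        agg["bytes_out"] += rec["bytes_out"]
        agg["bytes_in"] += rec["bytes_in"]
        agg["user"] = rec["user"]
        # CONNECT means the proxy only relayed a TLS tunnel: volume is visible, content is not.
        agg["tunnelled"] = agg["tunnelled"] or rec["method"] == "CONNECT"
    return totals


def find_exfiltration(log_text, bytes_threshold=UPLOAD_BYTES_THRESHOLD,
                      ratio_threshold=UPLOAD_RATIO_THRESHOLD):
    """Return findings for pairs whose outbound volume or upload ratio is suspicious."""
    findings = []
    for (src_ip, dst_host), agg in aggregate_by_pair(log_text).items():
        if dst_host in SANCTIONED_UPLOAD_DESTINATIONS:
            continue
        reasons = []
        if agg["bytes_out"] >= bytes_threshold:
            reasons.append(f"{agg['bytes_out']} bytes uploaded, threshold {bytes_threshold}")
        ratio = agg["bytes_out"] / max(agg["bytes_in"], 1)
        if agg["bytes_out"] >= RATIO_MIN_BYTES_OUT and ratio >= ratio_threshold:
            reasons.append(f"upload/download ratio {ratio:.0f}, threshold {ratio_threshold}")
        if reasons:
            findings.append(Finding(src_ip, agg["user"], dst_host, agg["bytes_out"],
                                    agg["bytes_in"], not agg["tunnelled"], tuple(reasons)))
    # Largest uploads first so the reviewer sees the most likely exfiltration at the top.
    return sorted(findings, key=lambda f: f.bytes_out, reverse=True)


if __name__ == "__main__":
    for f in find_exfiltration(SAMPLE_LOG):
        visibility = "content inspected" if f.content_inspected else "TLS tunnel, metadata only"
        print(f"{f.src_ip} ({f.user}) -> {f.dst_host}: {f.bytes_out} bytes out [{visibility}]")
        for reason in f.reasons:
            print(f"    {reason}")
```

On the constructed sample this flags the 53 MB pushed through a TLS tunnel to an unsanctioned storage host (metadata only, since it was not inspected) and the much smaller but lopsided upload to a paste site, while the sanctioned SharePoint upload and ordinary browsing pass. The ratio rule is what catches small exfiltration that a pure volume threshold misses; the volume rule catches bulk copies regardless of ratio.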

Incident management is another required component of a network security program, mandated by both HIPAA regulation and PCI DSS. Effective response begins well before an incident occurs, starting with the methods outlined above and enhanced with the rich detail available in audit and system/event logs. Recognizing a true incident usually requires collating and correlating the flood of logged data so that malicious patterns stand out from normal activity. Responding to an incident involves more than isolating and eliminating the threat; it requires thorough documentation of every component of the incident for learning, training and follow-up, including:

  • Timestamps for the incident's start, discovery, resolution and escalation/reporting stages.
  • Locations affected, resources affected, and contact info for incident handlers and response team.
  • Incident source data such as IP address and/or hostname, attack vectors, indicators of compromise. 
  • Incident handler data such as actions taken, evidence gathered, facts and/or opinions on cause.
  • Management data such as prioritization factors, mitigating circumstances, organizations contacted.
  • Administrative data such as incident costs, business impact and follow-up/reporting steps.
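
The log correlation described above, and the machine-derivable part of the incident record listed here (start and discovery timestamps, source IP, accounts and host affected, indicators of compromise), as one added example that is not ACI's process or any SIEM's rule: it walks a constructed, simplified rendering of Windows logon events (4625 failed, 4624 succeeded) in time order and raises an incident when a source that has produced a burst of failures within a window then logs on successfully. A single typo followed by a successful logon does not fire, which is the point of correlating rather than alerting on each failure. The event format, the failure threshold and the window are assumptions.

```python
"""Correlate authentication events to surface a password spray that succeeded.

This is an added example, not ACI's process or any SIEM's rule. The event
format is a constructed, simplified rendering of Windows logon events
(4625 = failed logon, 4624 = successful logon), one event per line:

    <ISO-8601 timestamp> <event_id> <account> <source_ip> <host>

The failure threshold and time window are assumptions to tune per environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"
FAILURE_THRESHOLD = 5            # assumed: failures from one source before a success is suspicious
WINDOW = timedelta(minutes=10)   # assumed: how long a burst of failures stays relevant

# Constructed sample events; addresses, hosts and accounts are fictitious.
SAMPLE_EVENTS = """\
2024-03-01T09:00:00Z 4625 jdoe 203.0.113.7 FS01
2024-03-01T09:00:03Z 4625 asmith 203.0.113.7 FS01
2024-03-01T09:00:06Z 4625 rlee 203.0.113.7 FS01
2024-03-01T09:00:09Z 4625 svc-backup 203.0.113.7 FS01
2024-03-01T09:00:12Z 4625 mjones 203.0.113.7 FS01
2024-03-01T09:00:41Z 4624 mjones 203.0.113.7 FS01
2024-03-01T09:02:00Z 4625 bwong 10.1.2.10 WS042
2024-03-01T09:02:30Z 4624 bwong 10.1.2.10 WS042
2024-03-01T09:05:00Z 4624 jdoe 10.1.2.10 WS042
"""


@dataclass(frozen=True)
class Incident:
    """The machine-derived part of an incident record; handlers fill in the rest."""
    started_at: datetime          # first failed logon in the burst
    detected_at: datetime         # event that fired the rule (the success)
    source_ip: str
    host: str
    account_compromised: str
    accounts_attempted: tuple
    failure_count: int
    indicators: tuple


def parse_event(line):
    ts, event_id, account, source_ip, host = line.split()
    # datetime.fromisoformat() accepts a trailing "Z" only from Python 3.11, so normalise it.
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "id": event_id,
            "account": account, "source_ip": source_ip, "host": host}


def correlate(log_text, failure_threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Walk events in time order; a success from a source with a recent burst of failures is an incident."""
    events = sorted((parse_event(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # source_ip -> failures still inside the window
    incidents = []
    for ev in events:
        failures = recent_failures[ev["source_ip"]]
        cutoff = ev["ts"] - window
        failures[:] = [f for f in failures if f["ts"] >= cutoff]   # age out old failures
        if ev["id"] == FAILED_LOGON:
            failures.append(ev)
        elif ev["id"] == SUCCESSFUL_LOGON and len(failures) >= failure_threshold:
            accounts = tuple(sorted({f["account"] for f in failures}))
            pattern = "password spray" if len(accounts) > 1 else "brute force"
            incidents.append(Incident(
                started_at=failures[0]["ts"], detected_at=ev["ts"],
                source_ip=ev["source_ip"], host=ev["host"],
                account_compromised=ev["account"], accounts_attempted=accounts,
                failure_count=len(failures),
                indicators=(f"{pattern}: {len(failures)} failures then success from {ev['source_ip']}",
                            f"source {ev['source_ip']}",
                            f"account {ev['account']} on {ev['host']}")))
            failures.clear()   # one incident per burst
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"start {inc.started_at.isoformat()}  detected {inc.detected_at.isoformat()}")
        print(f"  {inc.source_ip} -> {inc.host}: {inc.account_compromised} compromised after "
              f"{inc.failure_count} failures across {len(inc.accounts_attempted)} accounts")
        for ioc in inc.indicators:
            print(f"  indicator: {ioc}")
```

The Incident record deliberately carries only what the logs prove; the handler data, management data and administrative data in the list above are added by people as the response proceeds, with the detection's timestamps anchoring the timeline.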

ACI can help your organization at any level of need for network security management, from simple auditing, to advanced configurations, up to total support.  With today's global vendors, mobile workforce and cloud-based operations, organizations need assurances their assets are protected and their security processes are solid.