Cybersecurity of enterprise networks has been top-of-mind with both business and technology leaders for quite some time now. What is changing the dynamics of the threat landscape is both current technological trends in the work place and, more importantly, the rate at which the technologies are getting deployed. While IOT, BYOD and remote access are not new trends, the rate of their growth is exponential. This type of digital network evolution increases complexity in the infrastructure and requires new and innovative service delivery systems. Each of the corporate-owned, BYOD or personal devices, as well as how they connect to the services, may become either a direct or an indirect entry point for malicious traffic. An attacker may not only attempt to launch malicious traffic against different parts of the infrastructure directly, they may also target a vulnerable zone as entry point of attack, which can then pivot and infect other areas. Security and data protection in today’s businesses cannot be implemented based on a “check-it-and-forget-it” approach and it cannot be just a mandate to train and comply with security policies and safeguards.
The security posture of businesses is based on three fundamental pillars. Those pillars are Protection, Detection and Response against attacks. It is crucial that enterprises have proper platforms that can provide proactive, in-depth and timely assessments of these elements alongside the training, awareness, and policies that are in place to withstand the current and emerging threats. To have an intelligence-driven security posture, it is also essential that these assessment platforms have linkages with the enterprise lifecycle tools and systems to automatically feed, track and initiate the next course of action. Without such tools, enterprise security would remain in defensive posture indefinitely. Let’s consider characteristics of cybersecurity assessment platforms more in-depth.
Enterprise Network Security Assessment Solutions
An effective way to illustrate essential capabilities needed for cybersecurity assessment solution is to cover those functionalities in the context of prevalent use cases. The salient points of typical use cases, as well as attributes of an effective cybersecurity assessment solution, are listed below.
Ability to deploy agents in a production network that will carry out the assessment of security zones
Flexibility in selecting network domains or zones that are source and targets for attack providing a proof positive of security efficacy
Ability to control scheduling that enables assessments to take place at a specific time of the day, such as non-peak hours, or be triggered by an event such as security incident resolution or availability of zero-day attack scenario
Access to a continually updated database of recent, zero-day attack and malware scenarios to assess with the latest vulnerabilities
Ability to control viewing, editing and running the assessment on a per user basis for enterprises with diverse organizational authorization
Flexibility in having attack vectors that are customized by user, context-based (network domain operating systems, applications, …), or reconnaissance-based that can guide the user to uncover vulnerabilities in the network
Ability for controlling attacks in terms of flow direction, segment sequences as well as evasion techniques that may be applied on top of attack plans elevating the assessment of security postures deployed in the network
Assess Data Loss Prevention policies with real sensitive data in formats that are prevalent in deployment (e.g., bank account numbers included in PDF files) that get transported across the network in order to validate and assess Data Loss Prevention policies
Linkages with enterprise lifecycle tools would allow security assessment-driven steps that can be enforced and tracked. Examples are:
Integration with Security Information and Event Management (SIEM) that would allow analysis of events triggered by the security platforms due to particular attack
Interoperating with Incident Tracking Systems (ITS) which would allow direct triggering of tickets for issues uncovered as well as ability to revalidate upon ticket resolution
Integration with security platforms would enable auto—provisioning for new policies when vulnerabilities are uncovered
Providing detailed live reporting as assessment is taking place that can expose overall vulnerability finding trends as well as individual attack attributes (e.g., description, CVE ID, start time, mitigated by blocking it or not, …)
Having access to final reports of past assessments that would contain information from live ones, as well as more detail (e.g., call flow sequences, packet captures, …)
Engines that would provide emulation of entire attacks during assessment would be significantly more effective than other techniques such as simulation or replay in order to avoid getting false sense of security or possible false positives
Above capabilities in a cybersecurity assessment solution can be invaluable and a great complement for organizations and businesses that are simply relying on traditional approaches such as pen testing (red team assessments), defensive posturing (blue team assessments), or hybrid solutions (purple team assessments). These approaches generally lack depth and continuous comprehensive view that are critical for today’s businesses. A new solution offered by Spirent Communications provides continuous, in-depth and automated assessment of network security vulnerabilities.
Spirent CyberFlood Data Breach Assessment (CF DBA)
Let’s spend a few minutes looking at CF DBA that provides comprehensive network security assessment capabilities, including attributes that were described in the previous section. This is accomplished with light weight and secure agents that can be embedded in enterprise network segments capable of emulating attack vectors. To illustrate essential capabilities of CF DBA, please consider below screenshot of test configuration followed by a few of its extensive capabilities listed.
As part of test configuration, high level topology, including CF DBA agents in each of the network zones, as well as devices under test (such as firewalls, …) with sources and targets of attacks across those zones are defined
Extensive scheduling capabilities allow launching assessment with particular time frequency, specific timestamp, when a vulnerability issue is resolved, or as soon as new vulnerability profile becomes available
Test configuration can be authorized to be viewed, edited or run by individuals or groups
Attacks that are launched between zones and across devices under test can be based on user customization, reconnaissance, or all attacks that are available
The attacks may be launched with evasion techniques (e.g., obfuscation) executed sequentially, in-parallel, or mixture of sequential and parallel
There are options for adding sensitive data with popular file types (such as MS-WORD/EXCEL/PPT, adobe PDF)
In addition to linkages with SIEMs such as Splunk, IBM QRadar for event analysis, there is the option to configure ITS management with solutions such as JIRA, Zendesk, ServiceNow, and Redmine.
CF DBA may also leverage security platform (e.g., firewall) API for auto-provisioning of new policies to mitigate the detected attacks that were not blocked.
The live reporting, as well as the final reporting, have extensive detail on assessment including:
Snapshots of incident and ticket tracking trends
Overall attack-topology status
Inter-zone attack finding summaries
Inter-zone attack vector detail including attack description, category/CVE ID, start timestamp, attacker and target IP and port as well as issue status and initial reporting timestamp, attack severity, if attack was blocked and if attack triggered an event that was matched on the SIEM
Detail of each attack mitigation such as call flow can be obtained from final reports
CyberFlood Data Breach Assessment provides actionable insights into the health of your security posture on an incidental or continual basis. The visibility gained by safely stressing your security policies can help reduce risk while improving network operational efficiencies.
Furthermore, Spirent Communications’ SecurityLabs can assist directly to ensure efficient and accurate installation of CF DBA solution in network deployments if customers decide to do so.
Please visit us atto learn more about how Spirent CyberFlood Data Breach Assessment can help in validating enterprise network infrastructure security postures.