All the Kings Men: Implementing The Castle Approach in Information Assurance Upside Down
"I like to turn things upside down, to watch pictures and situations from another perspective." -Ursus Wehrli
Two decades ago, companies began implementing security controls to protect their perimeter (or edge as it were) to internet-born attacks targeting their internet-facing services, such as their FTP, web, email, or DNS servers. This created what many have coined as the "hard candy exterior, soft gooey interior" of corporate networks where the edge was secure and hardened, but the interior of the network was all but ignored leaving flat networks and endpoints with few controls.
The threats at the time were far different than they are now. Back in the late 90s to early part of 2000, the biggest threat to corporations were mass web site defacements, like those conducted in 2001 by RaFa and and groups like World of Hell using auto-rooters. Today, the biggest threat to corporations is theft of data; whether that be PCI, PII, or other types of regulated/protected consumer data that could land the company and its brand in proverbial hot water sending stock prices plummeting after its disclosed.
Target was no stranger to this affect on its brand and stock price when its own stock dropped 1.7% in early morning trading following the 2014 announcement that 70 million customers were affected by its data breach when its cardholder data environment (CDE) was compromised. The compromise was in no small part a result of a flat, non-segregated network where HVAC systems resided on the same network as its payment processing traffic. The fact is, companies today are facing a new method of threats that are no longer coming through the front door. So why then are we continuing to implement security from the outside-in using the traditional "Defense in Depth" or "Castle Approach" in information assurance? We're using the same methodologies we used in 2001 in 2018 when the greatest threats are internal users or side-doors over a VPN to a supplier.
I propose that the days of securing networks from the outside-in needs to be flipped upside down and implemented from the inside-out. Further to this point, companies should first perform an IT risk assessment to identify their high value assets then implement the castle approach to building their security controls first starting around their high value assets. Let's look at this step-by-step.
Step 1: Identify your business critical data: Determine what the “center of gravity” is for your company. What is its competitive advantage and what data would be considered the “crown jewels” that if the confidentiality, integrity, or availability of that data was compromised, it would have an existential threat to the business and brand.
Step 2: Document the systems and applications it relies upon. Once the business critical data is identified in step 1, it's important to know what systems are responsible for transmitting, processing, or storing the data. Assets should include the users, servers, databases, software -- anything that falls within this definition. Additionally, you should make sure to document the system and application owners.
Step 3: Document the traffic directions once the data and systems have been identified.You'll want to meet with the system and application owners and review vendor documentation to map all ports and protocols required by the applications to communicate. This includes mapping the traffic direction (inbound and outbound) to the servers.
Step 4: Implement network segmentation. Once you know what systems are involved in the transacting or storing of the data as well as the traffic directions and required ports/protocols, move those systems to their own VLAN (RED ZONE) so separate endpoint and network security controls can be applied to those systems and network segment. The privileged users (YELLOW ZONE) of the data in the RED ZONE should then be moved to their own VLAN which is prevented from accessing the Internet and only systems inside the RED ZONE.
While I understand that implementing this in environments where the users of the data are all over the corporate network, in different departments, and remote locations may be challenging at scale, it’s not impossible.
The brutal truth here is that the corporate network can no longer be considered a trusted network and shouldn’t be offered cart blanche access to the data based off user authentication to the domain alone. The users should be moved to a segregated VLAN that is the only network allowed by the network access controls (firewall) to access the data and only over specific ports/protocols.
Step 5: Create separate VLANs for the other assets in the network and set the default route for those VLANs to the firewall. The firewall should be the central point where all traffic decisions between the VLANs are made. A separate VLAN should be created for the VOIP equipment, printers, internally-facing servers (internal DMZ), externally-facing servers (DMZ), and SCADA equipment for the facilities. Of course, all users should then be placed into a user VLAN (GREEN ZONE). This level of granularity in where assets by type are located enabling the creation of more granular set of firewall rules between network segments based on the function of the asset or the access the individual user will require.
Yes, at scale this is not going to happen over night. The exercise to document all the applications, ports, and protocols required by the systems and applications running on them is going to be an exercise in of itself that will take quite a long time and should be done through review of vendor documentation, stakeholder interviews to gather their tacit knowledge, and finally, verification of information through packet sniffers if all else fails. All of the results of these interviews should be documented into a knowledge management system, especially any tacit knowledge that could leave with an individual exiting the business.
Step 6: Implement endpoint security controls. Implement a file integrity monitoring solution, Host IDS/IPS, and behavioral anomaly detection for anti-malware on the servers responsible for the transmission, processing, and storage of the data.
Step 7: Implement network security controls. A firewall should be implemented responsible for inspecting and making decisions on what traffic should be allowed into and out of the network. Additionally, network IDS/IPS should be implemented responsible for inspection and the alerting of anomalous traffic into and out of the environment. The IDS networks and rulesets should be tuned to match the inside network VLANs used as its “home network” and any applications/services not in use should be turned off to lower the number of false positives.
Step 8: Implement necessary services to maintain the servers. WSUS and other update servers should be implemented in the environment and allowed to go out to Microsoft or other vendors to retrieve the updates that would then be responsible for updating just those servers. The corporate WSUS or other update servers in the “general population” segment of the corporate network should not be allowed to update the servers inside the red zone.
Step 9: Perform penetration testing. A penetration tester should be given a network port in the privileged user VLAN, the regular user VLAN, and also come from the Internet attempting to breach the castle security architecture from each vantage point. The firewall rules should be “firewalked,” to check the specificity of the rules as well as attempt to gain access to the data and exfiltrate it out of the protected VLAN. This should be done routinely (at least annually) to confirm that all security controls work as expected. The penetration tester should also then be given access to the servers running the data should all other attempts fail to then try and exfiltrate the data successfully to test DLP functionality and egress firewall rules.
Step 10: Training. This is the most commonly overlooked step – training. The new network architecture is user-impacting. Security should never be an impediment to the business, rather it should enable it to run smoothly and efficiently. User training is critical to ensuring that the integrity of the new architecture is maintained and that users understand how to work within the new environment.
You can’t secure data when you don’t know everywhere it resides, don’t know what ports or protocols it relies on to communicate, nor control what can go in and out from the systems hosting it.
In summary, whether you call it defense in depth, the castle approach, or just plain cybersecurity, you can’t secure data when you don’t know everywhere it resides, don’t know what ports or protocols it relies on to communicate, nor fail to put any controls on what can go in and out from the systems hosting it. You can’t fully control the entire corporate network, so create a new network you can trust and only allow access into your red zone from the new user VLAN because you’ll never be able to get the entire corporate network to a point it can be fully trusted. You must implement your cybersecurity controls upside down (from the inside-out) instead of putting so much money, time, and effort into securing your borders.
Just as the lessons learned from the 12th to 18th centuries, while castles were once garrisoned behind thick high walls and protected by moats, it doesn’t prevent the enemy from not coming, it simply slows them down to give you more time to identify and counter the threat from being successful.
About Alissa Knight
I am the Group CEO of Brier & Thorn, where we serve many of the world’s most innovative companies and prominent institutions across our member firms in North America and Europe. Previously, I was the CEO of Applied Watch and Netstream; companies I sold in M&A transactions to publicly traded companies in international markets.
In 2018 I started a venture capital fund focused on early-stage investments in the IoT, connected car/autonomous vehicle, and cybersecurity markets.
My passion professionally is meeting and learning from extraordinary leaders around the world and sharing my views on the disruptive forces reshaping the global cyber security market. My long-term goal is to help as many organizations as possible focus on their areas of increased risk, bridge silos to effectively manage risk across organizational boundaries, and pursue intelligent risk taking as a means to long-term value creation.
I am currently attending the Fox School of Business at Temple University in pursuit of my long-term goal to earn my Master's Degree in Economics, taking courses on strategic thinking at Dartmouth, while also pursuing my Chartered Financial Analyst (CFA) Level 1 designation from the CFA Institute.
Read my entire professional bio at https://www.brierandthorn.com/alissaknight and learn more about me and my personal interests on my homepage at http://www.alissaknight.com