Cyber Security News

Book Review: How to Build Security with Strong Architecture

Struggling to keep up with today’s cyber security challenges? Read more on how CISOs or CSOs can develop a modern plan for cyber security.

September 1, 2013

Are you (and your enterprise) struggling to keep up with the pace of today’s cyber security challenges? You aren’t alone, but you aren’t without resources.

Michael S. Oberlaender has worked in executive security roles (CSO/CISO) in both the U.S. and EU (Germany) and in IT for more than 20 years. Most recently, he has been serving as Chief Security Officer for Kabel Deutschland AG, the largest European cable network provider, after working as Chief Information Security Officer for FMC Technologies Inc., a leading oil field services and engineering company in Houston, Texas.

Oberlaender’s new book, C(I)SO – And Now What?: How to Successfully Build Security by Design, covers a new CISO or CSO’s initial phases in the job, including setting expectations, base-lining, gap analysis, building capabilities and variances in organizational charts. For more advanced enterprise security leaders, the book leads you to define security architecture, addressing secure development processes, application security and security policy levels.

Additional topics include awareness programs, asset management, conducting audits, risk management, strategy development, ROI, developing trust relationships, incident response, forensics and crisis management.

The following is an excerpt from C(I)SO – And Now What?, provided by Michael Oberlaender.


Chapter 12: Security Architecture

The next item to tackle is the overall security architecture – and this includes several things. But let me first state the disclaimer that of course it is imperative that the correct governance and policies are in place and that technology can’t replace those things. But, it is also clear that however sophisticated, no paper document or process design will block an attack in the meantime until you have both the supporting policies and the enforcing technologies set up. It is therefore – as a reality check if you want – necessary to take care of the very basic things, to have the long-standing “perimeter” (this is the “outer wall” so to speak, the common (logical) border line around your company’s infrastructure and network, the “first line of defense”) in place, and a few other common necessities such as antivirus filters, intrusion prevention, secure browsers and a SIEM (Security Information and Event Management) system as well. Here is why:

No matter what kind of business you have, no matter how sophisticated your processes and products are – your company most certainly will have a network using TCP/IP, it will exchange files with 3rd parties (inside and outside the perimeter), and it most likely will use the security-prone MS Windows products (at least at the user client side). So you don’t need to wait for any time-costing BIA or security audit (both are nevertheless indispensable though!), it is a matter of fact that you need “a” firewall (for the perimeter, I explain the “a” later), an AV solution, an IPS (prevention, not detection), and a secure browser as today’s most used interaction tool with the outside (and inside) world. Finally, the SIEM solution will provide you with the needed visibility into your network, and it will (if configured and managed properly) help you to discover unwanted traffic (or behavior) and to develop the awareness and later the strategy of what needs to be addressed and why.

So what I am telling you here is that you should not do it strictly “by the books” and wait for the BIA and other great analysis work to be done, but instead insist on having “a :=” state-of-the-art firewall solution in place, and should you not have one, get one now! What do I consider as such? Well, I personally like the Palo Alto Networks solution, as I have done my research and real-world test with that – it is a great improvement in comparison to the old world’s Checkboings, Jupyters and Cislos (and the like). The PAN device has been completely newly developed (from scratch) with the shortcomings of the traditional firewalls in mind, and the product is performing its role very well. When I predicted this already a couple of years ago, few seemed to listen – but Palo Alto Networks' growth and success over the last years speaks for itself, and I can only re-iterate my previous comments.

Talking about firewalls, I want to make it very clear once and for all: a network switch or router is a network switch or router and is NOT TO BE USED as a firewall, regardless of what the vendors will tell you. Keep this in mind, and make sure this is understood by any network administrator in your company. Make sure that the security tools are not in fact operated by network folks but instead by security folks reporting to you and not vice versa.

That doesn’t mean that you cannot, in addition, use a TCP/IP filter on your router or a “personal firewall” on your endpoint device – but those cannot be your single points of failure, as you will need the “in-depth” perimeter firewalls nevertheless. An additional benefit of the PAN solution is its integration of the IPS and a couple of other filters (even malcode:=”malicious code”, this is all kinds of code with a malicious purpose against you) as well, so you can simplify and consolidate some of the most necessary security functions in this choke point. Make sure though that you have its logs reported into your SIEM solution to get the security cockpit/dashboard informed about their blockings and effectiveness.

In case your company uses outdated browsers on the client-side, make sure these also get upgraded as soon as time allows. This will ensure that the most used (and therefore most attacked) interface to the Internet (and intranet, but the first one is where most of the attacks are coming from) is secured as much as possible – this will “strengthen” (to some extent) your perimeter approach. It can also have the nice side-effect to increase productivity in your company, depending on your browser usage and business type. With one of my previous employers I helped them to save ~$6.5 million per year just by upgrading the browser and increasing productivity/speed of their call center agents (see also chapter 21 “Building ROIs”). Not a bad thing to build your credibility at the C-level.

Once you have the most basic security technologies in place, and meanwhile hopefully your BIA and process analysis done, you should now have an idea what additional risks and areas of concern are out there in your realm. So you then need to develop a security architecture that addresses these findings per design. A few suggestions are:

  • A network separation (i.e. a separate administration network), a separate development (and test) network from production,
  • A multi-tier security in-depth approach (each layer of the TCP/IP model needs to have at least one security mechanism in place – see also chapter 20 “Strategy Development” and Figure 19: Security Stack),
  • A hardened operating system,
  • A compartmentalized virtualization environment,
  • Secured collaboration tools,
  • And certain security tools at the client side readily available, such as providing usable encryption (confidentiality), hash controls (integrity) and backups (availability).

There is certainly more than this, but it really depends on your specific situation and environment, and the BIA should help you to develop your business case for that. A good idea is to use the TOGAF reference model to define your overall enterprise (security) architecture and build in security from the ground level (see Figure A: [Security] Architecture Based On TOGAF) and covered by adequate and accompanying policies.
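The excerpt recommends separating the administration, development/test and production networks behind a real firewall (not a router ACL) and feeding that firewall's block decisions into a SIEM. The following is an added example written for this review page, not code from Oberlaender's book or from any vendor product: a small Python model of a zone-based, default-deny inter-network policy, evaluated over a few constructed flow records to show which cross-zone flows a segmentation policy would block and how the denies roll up into the kind of per-zone summary a SIEM dashboard would display. The zone names, address ranges, allow rules and log line format are all constructed assumptions for illustration.

```python
"""Zone-based segmentation policy check (added example, not from the book).

Models the network separation the excerpt recommends: administration,
development/test, production and client networks are zones behind a
firewall that denies every cross-zone flow not explicitly allowed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed zone plan (assumption): RFC 1918 ranges chosen for illustration.
ZONES = {
    "admin":   ipaddress.ip_network("10.10.0.0/24"),
    "dev":     ipaddress.ip_network("10.20.0.0/16"),
    "prod":    ipaddress.ip_network("10.30.0.0/16"),
    "clients": ipaddress.ip_network("10.40.0.0/16"),
}

# Explicit allow rules: (src_zone, dst_zone, proto, dst_port). Anything
# cross-zone that is not listed is denied (default deny). Constructed.
ALLOW_RULES = {
    ("admin",   "prod",     "tcp", 22),   # admins manage production over SSH
    ("admin",   "dev",      "tcp", 22),
    ("clients", "prod",     "tcp", 443),  # users reach the production web tier
    ("clients", "internet", "tcp", 443),
    ("clients", "internet", "tcp", 80),
    ("dev",     "internet", "tcp", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(flow: Flow) -> tuple:
    """Return (decision, src_zone, dst_zone) for one flow.

    Intra-zone traffic never crosses the perimeter firewall, so it is
    reported as such rather than allowed or denied by this policy.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return ("intra-zone", src_zone, dst_zone)
    if (src_zone, dst_zone, flow.proto, flow.dst_port) in ALLOW_RULES:
        return ("allow", src_zone, dst_zone)
    return ("deny", src_zone, dst_zone)


def parse_flow(line: str) -> Flow:
    """Parse the constructed log format '<src> <dst> <proto> <dst_port>'."""
    src, dst, proto, port = line.split()
    return Flow(src, dst, proto.lower(), int(port))


def summarize(lines):
    """Evaluate every line; return decisions and a deny count per zone pair.

    The Counter is the SIEM-style view: which zone boundaries are being
    hit by traffic the policy rejects.
    """
    decisions = []
    denies = Counter()
    for line in lines:
        flow = parse_flow(line)
        decision, src_zone, dst_zone = evaluate(flow)
        decisions.append((flow, decision))
        if decision == "deny":
            denies[(src_zone, dst_zone)] += 1
    return decisions, denies


# Constructed sample flow records (not real traffic).
SAMPLE_LOG = [
    "10.10.0.5 10.30.1.20 tcp 22",     # admin -> prod SSH: allowed
    "10.40.3.7 10.30.1.20 tcp 443",    # client -> prod HTTPS: allowed
    "10.40.3.7 10.30.1.20 tcp 22",     # client -> prod SSH: denied
    "10.20.8.9 10.30.1.20 tcp 5432",   # dev -> prod database: denied (dev/prod separation)
    "203.0.113.9 10.10.0.5 tcp 22",    # internet -> admin SSH: denied
    "10.30.1.20 10.30.1.21 tcp 8080",  # prod -> prod: intra-zone, not inter-zone policy
]

if __name__ == "__main__":
    decisions, denies = summarize(SAMPLE_LOG)
    for flow, decision in decisions:
        print(f"{decision:10s} {flow.src} -> {flow.dst} {flow.proto}/{flow.dst_port}")
    print("denies per zone pair:", denies.most_common())
```

The design point is the default deny: the allow set is short and explicit, so a developer workstation reaching the production database, or an Internet address reaching the administration network, is rejected without anyone having written a rule for it. The per-zone-pair deny counter is what you would ship to the SIEM so the dashboard can show where the segmentation is actually being tested.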

You can find out more about this book or purchase a copy at www.amazon.com or www.createspace.com.
