RATS in the Data Center, a recent blog post by Cisco’s Tom Hogue, highlighted the current threat landscape for data centers. Tom was referring to Remote Access Toolkits, not the disease-carrying vermin that likely started the plagues that ravaged Europe in the Middle Ages. However, the destructive effect of modern-day RATS can be devastating.. They provide a novice hacker the tools to craft a successful attack, lowering the skill and proficiency needed while increasing the volume and likelihood of attacks. And RATS attacks will likely target the data center because that is where the most valuable information is stored – whether it’s credit card numbers, social security and other personally identifiable information (PII), financial records, intellectual property, or trade secrets.
Many organizations secure the perimeter of their network. But once network access is granted, there are minimal controls in place for authorized users. They are completely trusted on the network. The underlying problem in today’s threat environment is these users may not be in control of their device due to malware infection. Or they may not be who they say they are due to stolen credentials/passwords. A new model is needed to continually protect the critical assets of the business and to minimize complexity while supporting new data center services and business models.
Cisco developed the Secure Data Center for the Enterprise Solution portfolio of validated design guides to create a comprehensive and modular approach to securing data centers. The newest Cisco Validated Design (CVD) to be added to this portfolio is Threat Management with NextGen IPS -- First Look Design Guide. This new CVD builds on the capabilities introduced in the Single Site Clustering with TrustSec CVD by integrating the FirePOWER NextGen IPS to provide a true threat management system. The FirePOWER appliance provides threat protection capabilities beyond what a traditional IPS offers, resulting in a comprehensive solution for today’s malicious environment using highly capable threat management workflows. These workflows provide a different approach: the point of view of a cyber-attacker.
A First Look from a Different Viewpoint
That’s what makes this CVD intriguing—and, we hope, very useful. By looking at the “Attack Chain” where the capabilities to execute a successful attack are developed, this information can arm cyber-defenders with the tools and knowledge to effectively protect their networks and the business-critical information contained in their data centers.
The Threat Management with NextGen IPS First Look Design Guide also introduces a new security model, the attack continuum, which identifies each of the critical processes integral to a complete security system. This model addresses the cyber threat problem by looking at the actions to take before, during, and after an attack, across a broad range of attack vectors such as endpoints, mobile devices, data center assets, virtual machines, and in the cloud. Where most security solutions tend to address threat protection at a single point in time, it is important to look at it as a continuous cycle with key actions to take at each point in time.
Before an Attack: Organizations need complete visibility of their environment, including but not limited to the systems, services, users, endpoints, operating systems, applications, and network behavior models. From this visibility, ongoing monitoring and actionable alerts must be in place so informed decisions may be made in a timely manner.
During an Attack: Awareness is critical to identify the attack at the earliest possible point in time, ideally before the critical systems are compromised and valuable data is accessed. A security system should aggregate and correlate data using historical patterns and global attack intelligence to provide context to distinguish between active attacks, exfiltration, and reconnaissance using continual analysis and decision making.
After an Attack: Retrospective security is a big data challenge. With an infrastructure that can continuously gather and analyze data to create security intelligence, security teams can, through automation, identify indicators of compromise, detect malware that is sophisticated enough to alter its behavior to avoid detection, and then remediate it.
The attack continuum model provides a view of how to address threats, and helps build a framework of capabilities so organizations can start implementing robust security controls to protect their data centers. This new Cisco Validated Design, Threat Management with NextGen IPS, provides fresh tools and technologies needed to develop a comprehensive response to today’s threats affecting not only the data center, but also the entire enterprise.