Why do so many organizations maintain essentially open, “flat” networks, leaving thousands of users and devices with network-layer reach to their “crown jewels”? Especially in light of what we know with data breaches, theft, and loss? One possibility may be that some organizations simply grew too quickly, and the tools in the tool chest to implement network segmentation were onerous. Other tools or point products were deployed, making it easy to say “we have Identity and Access Management Systems” for that.
But this argument falls flat in the face of a massively-increased attack surface. How did organizations become so vulnerable? Easy – the combination of enterprise mobility trends, the exponential proliferation of devices, and the dramatic increase in workloads made possible by virtualized data centers. Combine that with advanced threats – the notion that with just one social engineering attack, an adversary can quickly move across systems until he finds valuable information – and organizations quickly start to realize that network segmentation and restricting network reach are more than just “nice-to-have,” but rather, an imperative.
Limiting who and what have network-layer reach to sensitive resources to those that truly have a need to know makes a lot of sense. The trouble has been that traditional methods of implementing network segmentation and network access control are generally cumbersome and entirely dependent on how the network is architected. Need to change or maintain the policy? You may be in for major network changes and massive resource hours – whether to redesign VLANs and IP-based ACLs, or simply to rewrite thousands upon thousands of firewall rules (in many of locations). Ouch.
Fortunately, there’s a readily available technology to apply secure access policy independent of network topology. If you can (1) classify the users and devices that access resources, (2) classify the resources themselves, and (3) specify the access permissions between these classifications, then Cisco TrustSec can enforce that policy within the network – it’s that simple.
Take a look at the example above. Here, we show a simple policy that specifies how different classes of users can access various resources in the data center. Changing this policy by changing a permission or adding a new class of users or resources is really straightforward and easy-to-understand. There’s no need to redesign VLANs, carve up the IP address space and (re) subnet the network, and/or re-write IP-based ACLs or firewall rules.
To learn how TrustSec can help protect your organization’s crown jewels by limiting the reach of who and what has access to sensitive resources, check out www.cisco.com/go/trustsec.
Follow @CiscoSecurity on Twitter for more security news and announcements, and, if you’re in Milan, Italy, during the last week of January, come visit us at Cisco Live! Milan! We’d love to see you!
With encouragement from customers, Cisco has submitted the TrustSec protocol that we use to exchange role and context information between network devices to the IETF. Chris Young, Senior Vice President of Cisco Security, shared the news during his keynote address at Cisco Live! Milan.
The Source-group tag eXchange Protocol (SXP) has been submitted to the IETF as an informational draft, in order to open up TrustSec capabilities to other vendors. In our experience, defining access controls and segmentation functions using logical policy groups, instead of IP addresses and subnets, removes operational complexity for customers. When we authorize a user device or a server as a member of a policy group, SXP allows us to propagate that information to devices that reuse that intelligent classification and apply security policies based upon it.
We have published SXP to enable interoperability with TrustSec functions in widely deployed Cisco products, so customers can not only simplify security policy management in diverse networking environments, but also use the classification for other purposes beyond security. For that reason, we have used the term source-group, instead of the more familiar security group designation, in the draft.
Last week, following the release of the 2014 Cisco Annual Security Report, my colleague Levi Gundert and I took questions from you, our partners and customers, about the report and its most interesting findings.
This year’s report highlighted a number of new trends and found unprecedented growth of threat alerts, which reached the highest level we’ve seen in more than a decade of monitoring.
Although the report paints a grim picture of the current state of cybersecurity, we are optimistic that there is hope for restoring trust in people, institutions, and technologies. This must start with empowering defenders with real-world knowledge about expanding attack surfaces. To truly protect against all of these possible attacks, defenders must understand the attackers, their motivations and their methods – before, during, and after an attack.
Here is a link to view the recording of the broadcast. If you have any questions that didn’t get answered, please leave them in the comments, and Levi or I will get back to you.
I spent a good deal of time last week supporting the launch of the Cisco 2014 Annual Security Report. I’m one of the Cisco executive sponsors for the report, which means that while I cannot take credit for writing it, I am significantly involved in setting course, providing advice, and reviewing its findings. The report represents months of collaboration among threat researchers and other cybersecurity experts at Cisco and Sourcefire. Much of the data comes from both our own experience and what we have learned from willing customers. As promised, it provides a “warts-and-all analysis” of security news from 2013 and our perspective for the year. I also commend the writers, editors, and document producers for their hard work, clear thinking, and ability to lead a very complex project over the finish line in good order.
Our report that the cyberthreat and risk landscape has only grown stronger and more complex over the past year is not exactly a revelation, perhaps, but we can perceive some clear trends in the evolution. We now can see that because the cybercrime network has become so mature, far-reaching, well-funded, and highly effective as a business operation that very little in the cybersecurity world can—or should—be trusted without verification.
We also expect adversaries to continue designing campaigns that take advantage of users’ trust in systems, applications, and the people and businesses they know. It’s an effective strategy. How do we know? Because 100 percent of the networks analyzed by Cisco, despite the best efforts of their IT and Security teams, have traffic going to known malware threat sites. Not all traffic going to bad sites means bad things are happening, but as the old saying goes, where there’s smoke there’s usually fire.
The Cisco 2014 Annual Security Report highlights three key challenges organizations will face in the year ahead. These issues are:
A growing attack surface area: New ways of doing business—such as cloud computing, mobility, and rapid growth in the number of connected devices—are rapidly expanding the attack surface available to cybersecurity adversaries. Adversaries have myriad inroads to bits and pieces of useful information that pave the way to big time pay dirt. Quite often, they have a very easy path from there to the ultimate destination: the data center, where high-value information resides that can be exploited and monetized.
The proliferation and sophistication of the attack model: Companies have become the focus of targeted attacks that are hard to detect, remain in networks for long periods, and exploit network resources to launch attacks elsewhere. Even basic Internet infrastructure services—including web hosting servers, nameservers, and data centers—have become key targets for hackers who want to launch increasingly larger campaigns.
Complexity of threats and solutions: Monitoring and managing information security has never been more difficult for security teams. Solutions countering well-understood types of attacks—viruses, worms, data leaks, denial of service, etc.—long relied upon by organizations for cybersecurity, are simply inadequate in today’s complex threat environment where many attacks are not only stealthy, but also relentless.
Just to make things even more difficult, we’ve learned that counterfeit and tampered IT products are a growing security problem. The problem is more serious than phony gear masquerading as premium brand gear. Tampered and bogus goods often include hacker-friendly backdoors and other exploitable weaknesses. Like water pressing against a poorly engineered dam, bad actors will seek out and exploit any security weakness—known vulnerabilities and intentional backdoors—in the technology supply chain.
I’ve written a lot in the past year about what it takes to develop trustworthy systems: building security from the ground up, from the beginning to the end of a product’s life cycle. I’ve also explained how Cisco has invested considerable time, effort, and money in the effort to make our products robust enough for deployment as trustworthy systems. When I talk about trust, my concern goes beyond a narrow focus on our ability to trust technology. Society now depends on information technology to deliver essential services. When that technology ceases to work, or when we can’t trust the services delivered through technology, our social, economic, and cultural fabric unravels.
I wouldn’t be in the security business, however, if I thought the security situation was irrevocably hopeless. As we learn more about how our adversaries work and what they seek to achieve, we improve our ability to limit damage to socially tenable levels. While the Cisco Annual Security Report is a sobering read, it fills me with added determination to contain today’s threats and preempt tomorrow’s traps and pitfalls. I certainly hope it has the same effect on you.
This post was also authored by Andrew Tsonchev and Steven Poulson.
Update 2014-05-26: Thank you to Fox-IT for providing the Fiesta logo image. We updated the caption to accurately reflect image attribution.
Cisco’s Cloud Web Security (CWS) service provides TRAC researchers with a constant fire hose of malicious insight and now that we are collaborating with Sourcefire’s Vulnerability Research Team (VRT) we have additional capabilities to quickly isolate and prioritize specific web exploit activity for further analysis. Thus when we were recently alerted to an aggressive Fiesta exploit pack (EP) campaign targeting our customers, we quickly compared notes and found that in addition to the typical Java exploits, this EP was also using a Microsoft Silverlight exploit. In the Cisco 2014 Annual Security Report (ASR) we discuss how 2013 was a banner year for Java exploits, and while updating Java should remain a top priority, Silverlight is certainly worth patching as threat actors continue to search for new application exploits to leverage in drive-by attacks.
Image provided courtesy of Fox-IT
Over the past 30 days this specific Fiesta campaign was blocked across more than 300 different companies. The attacker(s) used numerous dynamic DNS (DDNS) domains – that resolved to six different IP addresses – as exploit landing pages. The chart below depicts the distribution of hosts used in this attack across the most blocked DDNS base domains.