Cisco Blogs


Cisco Blog > Government

Evolving Continuous Monitoring to a Dynamic Risk Management Strategy

Organizations implementing Continuous Monitoring strategies are remiss if they are not taking into account the value of network telemetry in their approach. NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations provides guidance on the implementation of a Continuous Monitoring strategy, but fails to address the importance of network telemetry into that strategy. In fact the 38 page document only mentions the word “network” 36 times. The SP 800-137 instead focuses on two primary areas: configuration management and patch management.  Both are fundamental aspects of managing an organizations overall risk, but to rely on those two aspects alone for managing risk falls short of achieving an effective Continuous Monitoring strategy for the following reasons

First, the concepts around configuration and patch management are very component specific. Individual components of a system are configured and patched. While these are important the focus is on vulnerabilities of improper configuration or known weaknesses in software. Second, this approach presumes that with proper configuration control and timely patch management that the overall risk of exploitation to the organization’s information system is dramatically reduced.

While an environment that has proper configuration and patch management is less likely to be exposed to known threats, they are no more prepared to prevent or detect sophisticated threats based on unknown or day-zero exploits. Unfortunately, the customization and increase in sophistication of malware is only growing. A recent threat report indicated that nearly 2/3 of Verizon’s data breach caseload were due to customized malware. It is also important to keep in mind that there is some amount of time that passes between a configuration error is determined and fixed or the time it takes to patch vulnerable software. This amount of time can potentially afford an attacker a successful vector.  For these reasons organizations looking to implement a Continuous Monitoring strategy should depend on the network to provide a near real-time view of the transactions that are occurring. Understanding the behavior of the network is important to create a more dynamic risk management focused Continuous Monitoring strategy.

Network telemetry can consist of different types of information describing network transactions in various locations on the network. Two valuable telemetry sources are NetFlow and Network Secure Event Logging (NSEL). NetFlow is a mechanism that organizations can use to offer a more holistic view of the enterprise risk picture. NetFlow is available in the majority of network platforms and builds transaction records of machine-to-machine communications both within the enterprise boundary as well as connections leaving the enterprise boundary. These communication records provide invaluable information and identify both policy violations and configuration errors. Additionally, NetFlow also provides insight into malicious software communications and large quantities of information leaving an enterprise. Network Secure Event Logging uses the NetFlow protocol to transmit important information regarding activities occurring on enterprise firewalls. This is valuable data that can be aggregated with other NetFlow sources to bring additional context to the network behavior occurring.

Coupling the configuration and patch management guidance in SP 800-137 with an active NetFlow monitoring capability will provide organizations with a Continuous Monitoring strategy that is more system focused and more apt to fostering a dynamic risk management environment. Cisco will be discussing NetFlow, NSEL and other security topics at the March 21st,  Government Solutions Forum in Washington, D.C. If you’re interested in learning more, click on the following URL:

www.cisco.com/go/gsf

Tags: , , , , , , , , ,

No Traffic with Application Visibility and Control

I love my job, but I really don’t enjoy my commute….and the unpredictable traffic. Living on the west side of San Francisco and working on the east side of San Jose, Google Maps tells me my journey is a hefty 47.2 miles and 1 hour and 1 minute (without traffic.) Holidays, rain, and accidents can add minutes and sometimes hours.

Twice a day, to and from work, I start asking the questions:

  • How busy is it on the road right now? Is the road full of tired commuters, semis, or concert traffic?
  • Which lane should I be in? If I’m in the fast lane, what are the odds of it coming to a screeching halt while I watch the other three lanes go by?
  • Do I need to detour to another interstate or highway due to an accident or concert?

Read More »

Tags: , , , , , ,

Correlating NetFlow Data for Proactive Security: Network Notoriety

Prelude

In this short article the reader will first learn what NetFlow is and how it works. Next the reader will understand how it can be as an important security tool. Finally, a technique for correlating NetFlow results with public sources of Internet reputation, along with the tool “Netoriety,” which implements the technique, will be introduced and explained.
Read More »

Tags: , ,

Virtual Switching: Fundamentals of VSS

December 14, 2011 at 6:22 am PST

Cisco’s been doing virtualization in various forms on the network side for quite a long time. One incredibly powerful feature that I think is still amazingly under utilized is the Cisco VSS or Virtual Switching System.

The ability to make two 6500′s look like a single switch so that you can have your cake and eat it too.  Its the epitome of giving us the redundancy and availability we need while simultaneously allowing us to use the extra capacity that could normally sit unused. Easier management and configuration make this a no-brainer that more network managers should consider as ‘required’ in their design. Check out our ‘Fundamentals of VSS‘ to get yourself started.

Even more after the jump…

Read More »

Tags: , , , , , , ,

Objective – Net Superiority

I’ve had some recent discussions with colleagues in the armed forces regarding cyber security and how they consider “cyber” to be the fourth warfighting domain along with land, air, and sea. They describe how cyber has its own terrain made up of computing resources. As I further thought through this concept I saw a striking resemblance between the network and air warfare. To elaborate on this thought I must first set the context around the concept of air supremacy.

There are probably many different variations of the definition of air supremacy but let’s just use “the degree of air superiority wherein the opposing air force is incapable of effective interference” for the purpose of this blog.  I borrowed this definition from NATO.  There are two key words in the definition, “degree” and “effective.” Prior to achieving supremacy one must first move from parity, through superiority to eventually supremacy. Air parity is the lowest degree in which a force can control the skies above friendly units. In other words, prevention of opposing air assets from overwhelming land, air, and sea units. Read More »

Tags: , , , , , , , , , ,