Saturday, March 07, 2009

Requirements for Defensible Network Architecture: Monitored

Last year I posted Defensible Network Architecture 2.0, consisting of 8 (originally 7, plus 1 great idea from a comment) characteristics of an enterprise that give it the best chance to resist an intrusion.

In this post I'd like to define some specifics for the first of the 8 characteristics: monitored. At some point in the future it would probably make sense to think of these characteristics in terms of a capability maturity model. Right now I'd like to capture some thoughts for use in later work. I will approach the requirements from a moderate point of view, meaning I will try to stay between what I would expect from a low-capability operation and a high-capability operation.

Like my related posts, this is a work in progress and I appreciate feedback.

A Defensible Network Architecture is an information architecture that is:

  1. Monitored. Monitored can be described using the following categories, which collectively can be considered intrusion detection operations. (Add in Response or Resolution, depending on your IRT's mandate, and you have the CAER model for security operations.)


    • Collection. The following technical data is collected and available to the security operations team.


      • Network Security Monitoring (NSM) data from passive sensors; note that NSM data must depict the true source IP and the true destination IP. For example, monitoring traffic between a NAT gateway and a proxy means seeing only the NAT gateway as the source IP and the proxy as the destination IP for every conversation, radically decreasing the value of the observed traffic.


        • Alert data from devices making judgements while inspecting network traffic

        • Statistical data summarizing network traffic

        • Session data describing conversations in network traffic

        • Full content data providing traffic headers and payloads

      • Infrastructure Security Monitoring data from routers, firewalls, switches, so-called intrusion prevention systems, and other network infrastructure that actively manipulates network traffic or provides fundamental network services; by "fundamental services" I mean services without which nothing much else works, e.g., DHCP, DNS, BGP


        • Access Control logs that report on allowed and denied traffic

        • Infrastructure logs that report DHCP address assignments, DNS queries and responses, BGP routing tables, etc.

      • Platform Security Monitoring data from nodes (laptops, desktops, non-infrastructure servers, etc.)


        • Operating system security logs, like Windows Event Logs

        • Application logs, like Web server logs, Web application logs, etc.

        • Platform memory, preferably exposing memory segments as needed (think retrieving a live system registry) or the entire memory (think ManTech DD plus Volatility)

    • Analysis.


      • A dedicated team analyzes technical data collected in the previous stage.

      • The team has access to subject matter experts who can answer questions on the nature of threats, vulnerabilities, and assets in order to better understand the risk posed by monitored activity.

      • Analysis is understood and supported by management as a creative task that cannot be "automated away." If automation were possible for detecting intrusions, the same automation could be applied to preventing them. ("If you can detect it, why not prevent it?") Assuming everything detectable is preventable, by definition the analysis team is left to identify activity which is most likely not easily detectable, or at least not easily validated as being malicious.

    • Escalation.


      • The team has defined categories to identify the nature of intrusions and non-intrusions.

      • The team has defined severity levels describing the impact of various types of intrusions.

      • The team has an escalation matrix summarizing the steps to be taken given an intrusion of a specific category and severity.
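The following script is an added example and is not part of the original post. It illustrates the Collection point above about sensor placement: session data recorded between a NAT gateway and a forward proxy shows only the NAT gateway as source and the proxy as destination, so the analyst has to join it with infrastructure data (a NAT translation log) and application data (the proxy access log) to recover the true client and the true destination. All addresses, record formats and log lines are constructed for the example; the NAT and proxy log layouts are assumed, not taken from any particular product. Because NAT gateways reuse translated ports, the join picks the mapping closest in time to the session start rather than the first one it finds.

```python
"""Added example: recovering true endpoints from NAT-collapsed NSM session data.

Sensor placement: client hosts (192.168.1.0/24) -> NAT gateway (inside address
172.16.0.1) -> sensor -> forward proxy (172.16.0.10:3128) -> Internet.
The sensor therefore records every session as 172.16.0.1 -> 172.16.0.10:3128.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed session records as the mis-placed sensor sees them.
# Fields: start, proto, src_ip, src_port, dst_ip, dst_port, bytes
SESSIONS = """\
2009-03-07T10:00:01 tcp 172.16.0.1 40001 172.16.0.10 3128 18422
2009-03-07T10:00:03 tcp 172.16.0.1 40002 172.16.0.10 3128 732
2009-03-07T10:00:09 tcp 172.16.0.1 40003 172.16.0.10 3128 5120000
2009-03-07T10:05:30 tcp 172.16.0.1 40001 172.16.0.10 3128 910
"""

# Constructed NAT translation log (assumed format): internal socket -> translated socket.
# Translated port 40001 is reused a few minutes later by a different internal host.
NAT_LOG = """\
2009-03-07T10:00:01 192.168.1.23:51000 -> 172.16.0.1:40001
2009-03-07T10:00:03 192.168.1.44:51237 -> 172.16.0.1:40002
2009-03-07T10:00:09 192.168.1.23:51001 -> 172.16.0.1:40003
2009-03-07T10:05:30 192.168.1.77:49152 -> 172.16.0.1:40001
"""

# Constructed proxy access log (assumed format): client socket, method, destination, bytes.
PROXY_LOG = """\
2009-03-07T10:00:01 172.16.0.1:40001 CONNECT mail.example.com:443 18422
2009-03-07T10:00:03 172.16.0.1:40002 GET http://www.example.org/ 732
2009-03-07T10:00:09 172.16.0.1:40003 POST http://files.example.net/upload 5120000
2009-03-07T10:05:30 172.16.0.1:40001 GET http://www.example.org/news 910
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _socket(s):
    ip, port = s.split(":")
    return (ip, int(port))


def parse_sessions(text):
    """Session data: one dict per conversation seen by the sensor."""
    rows = []
    for line in text.splitlines():
        start, proto, sip, sport, dip, dport, nbytes = line.split()
        rows.append({"start": _ts(start), "proto": proto,
                     "src": (sip, int(sport)), "dst": (dip, int(dport)),
                     "bytes": int(nbytes)})
    return rows


def parse_nat(text):
    """Translated socket -> list of (time, internal socket) mappings."""
    table = defaultdict(list)
    for line in text.splitlines():
        when, inside, _arrow, outside = line.split()
        table[_socket(outside)].append((_ts(when), _socket(inside)))
    return table


def parse_proxy(text):
    """Client socket as seen by the proxy -> list of (time, destination)."""
    table = defaultdict(list)
    for line in text.splitlines():
        when, client, _method, target, _nbytes = line.split()
        table[_socket(client)].append((_ts(when), target))
    return table


def _closest(entries, when):
    """Entry nearest in time to `when`; this is what handles NAT port reuse."""
    if not entries:
        return None
    return min(entries, key=lambda e: abs((e[0] - when).total_seconds()))[1]


def attribute(sessions, nat, proxy):
    """Replace the NAT/proxy endpoints with the true client and true destination."""
    out = []
    for s in sessions:
        out.append({**s,
                    "true_src": _closest(nat.get(s["src"], []), s["start"]),
                    "true_dst": _closest(proxy.get(s["src"], []), s["start"])})
    return out


def top_talkers(sessions, key):
    """Statistical data derived from session data: bytes per endpoint chosen by `key`."""
    totals = Counter()
    for s in sessions:
        totals[key(s)] += s["bytes"]
    return totals


if __name__ == "__main__":
    raw = parse_sessions(SESSIONS)
    print("as the sensor sees it:", dict(top_talkers(raw, lambda s: s["src"][0])))
    joined = attribute(raw, parse_nat(NAT_LOG), parse_proxy(PROXY_LOG))
    print("after attribution:", dict(top_talkers(joined, lambda s: s["true_src"][0])))
    for s in joined:
        print(s["start"].time(), s["true_src"][0], "->", s["true_dst"], s["bytes"])
```

Run stand-alone, the first summary shows a single "top talker" (the NAT gateway) carrying all bytes, which is the collapse the post warns about; the second shows the 5 MB POST attributed to 192.168.1.23. The join works only because the NAT and proxy logs were collected; a sensor placed on the client side of the NAT gateway would have recorded the true source directly and needed no join at all, which is the cheaper answer.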

You should monitor at trust boundaries, to the extent you perceive risk and have the technical and legal resources to do so. (For more on trust boundaries with respect to monitoring please see NSM vs Encrypted Traffic, Plus Virtualization and NSM vs Encrypted Traffic Revisited.)

I will stop here, but continue with Inventoried when I have time.


Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.

3 comments:

dre said...

A Scalable, Defensive Network Architecture uses agentless monitoring that is wide-reaching and consistently gathered.

A Defensive Non-Network-based Architecture is really what I would rather see happen. We can't rely on the network anymore. It's going away! VNET is here!

I would focus on a Defensive Data Architecture, where DLP, DAM, ADMP and other technologies focus on specific data which has been or could have been breached. The network and logging tools don't understand the applications or the associated data around those applications (especially multi-tier architectures such as modern web applications, where we have browsers, databases, application servers, middleware, web services, ajax proxies, directories, metadirectories, message queues, gridspaces, et al).

We need tools that "sink in" to the data and work well with it. See the post and comments up at our TSSCI blog on this recent post for further ideas. Cheers!

Richard Bejtlich said...

Dre, I'm using "network" in a generic sense here, as in "something that processes data." If you don't like that term, replace it with "enterprise" or "data" or something similar.

Anonymous said...

Hi Richard,

This is a great post! Thank you for spreading your knowledge on network security!

Sincerely,

Fredrik Björck
Security.dj