
Best Practices in Security: Network and Infrastructure



AberdeenGroup. Best Practices in Security: Network and Infrastructure. June 2005. Sponsored by
Executive Summary

Six primary business pressures are driving electronic security. Three are external pressures intimately linked to market performance and valuation. The others are linked with IT security and external audits that rely increasingly on more sophisticated automation tools to ferret out security and compliance gaps. The pressures are:

1) Agile access to information to support global trade;
2) Leakage of customer and confidential data;
3) Financial and operational losses from compromised and disrupted business operations;
4) Sharpened regulatory oversight and increasingly automated regulatory audits;
5) Risk posed by privileged access to information that is not available otherwise; and
6) Risk posed by security incidents, hackers, compromised networks, and systems.

On the one hand, the networks, devices, computing platforms, data storage systems, e-mail, web, and information that are employed to enable business operations must be available, often on a 24x7 basis. However, not all of the enterprise's IT resources are under enterprise control.

Currently, more than 80% of organizations outsource at least one administrative function that involves network, data, and systems or applications, including functions such as payroll and employee benefits administration.

In addition, firms are outsourcing operational aspects of their business to partners along their value chains, from design and manufacturing to sourcing, distribution logistics and customer service. Each of these partnerships, outsourced business arrangements, and reverse business functions places additional strain on a company's ability to verify and preserve the sanctity of the underlying networks and computing infrastructures that are employed to operate the missions and business functions of the enterprise.
The ability to maintain auditable control and security for these networks and systems is becoming more difficult and more important as external auditors expand the purview of their testing and are increasingly using automated test tools to root out problems.

Key Business Value Findings

Average revenue losses, not recovery costs, are driving firms to do something about the financial impact of Internet-based business disruptions. These disruptions result in losses of almost $2 million per incident. Since a company averages one incident per year, most firms are looking to solve this problem. The good news? Many firms are beginning to find ways to significantly reduce the impact of Internet security threats to core operations.

All print and electronic rights are the property of AberdeenGroup © 2005.
Our benchmark research shows 75% of firms are ratcheting up their customer sales and service operations over the Internet as a core business process. Although these firms are led by customer sales and service, respondents also indicate that their companies are increasing their use of the Internet for procurement and sourcing functions (55%), as well as for distribution and fulfillment (48%) business functions.

Increasing use of the Internet for these core business activities, especially customer sales and service, means business disruptions from Internet security events are on a crash course with a chief business driver: revenue. It is no small wonder that Aberdeen's research shows that best practices for security, in an environment of increasing dependence on the Internet and less direct control over some facets of the infrastructure, require companies to dramatically improve procedures to verify the sanctity of the interconnected networks, systems, applications and underlying data throughout their value chains.

This report showcases the best practices of leading firms in securing their networks and information infrastructures. The case study "winners" are listed on the left side of Table 1, with their solution providers on the right. The other two editions in this series look at the practices that are making differences in securing information and access, and best practices in security governance.

Aberdeen was also able to qualify two solution providers as having best-in-class security operations and whose results place them in the winners' circle as well. One is IBM, the other is McAfee. Information on McAfee is in this edition, while information on IBM is provided in the governance edition of the report.
Table 1: Best Practice Winners and Their Solution Providers

  Enterprise Winner               Solution Provider Used
  Nuclear Fuels Corporation       StillSecure
  TeleCity                        Fortinet
  Telecommunications company      nCircle
  Durable goods manufacturer      SPI Dynamics
  US Army
  Norwich University              Demarc
  Professional services firm      McAfee
  Carreker Corporation            Tipping Point

Source: AberdeenGroup, June 2005

Aberdeen was also able to qualify two solution providers with best-in-class security operations whose results also place them in the winners' circle. One is IBM, and the other a well-known security solution provider that preferred to remain anonymous. The anonymous security solution provider is covered in this edition while IBM is featured in the edition on governance.
All companies selected for this report use multiple automation tools to assist their security programs. This shows up in all domains, including network, infrastructure, information, access and governance. According to one respondent, "there is no silver bullet or a single source for security, and there never will be." Most organizations we interviewed share this sentiment.

There is also variation among the showcased companies in the extent of their automation. For example, some organizations have more fully automated security programs; most automate where they're forced to because of speed, business cycles, or business seasonality. Many winners humbly admit that their security programs still have a long way to go before fulfilling their full promise.

Despite the differences among the firms selected for this series, these sites share a few key metrics, including low loss rates, significantly low security incident rates, and a strategic action that is focused on segmenting and limiting access to sensitive customer and corporate information.

Most of the firms profiled in this report have preferred to remain anonymous. In the world of security, many firms do not want to paint a red target on their own backs by divulging their practices, for fear that any additional information available to hackers and thieves will result in negative consequences. While preserving their anonymity, Aberdeen is also committed to improving the results that can be achieved by the 72% of organizations that are not operating at best-in-class levels.
Recommendations for Action

Aberdeen recommends that organizations take the following actions to improve performance of their network and infrastructure security programs:

  • Segment and limit access to networked resources using multi-layered ring concepts and virtual LAN environments;
  • Consider implementing the practices of the organizations featured here;
  • Involve the internal controls group when making improvements;
  • Include business stakeholders on any security leadership council;
  • Implement risk assessment and management programs focused on business impact;
  • Deliver training and awareness programs; and
  • Focus on avoidance, then prevention, and finally, containment.
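The first recommendation above, a ring model of segmented networks and VLANs with the most sensitive data at the center, is easier to reason about with a concrete policy check. The following Python script is an added example, not code from the Aberdeen report or from any vendor it names. It models zones as concentric rings (ring 0 is the Internet, ring 3 holds confidential data), maps each data classification to the minimum ring an asset may sit in, and evaluates flows default-deny: a flow needs an explicit rule, and an inward flow that skips a ring is refused even if a rule would otherwise match, so Internet traffic must terminate in the DMZ and be re-originated by a DMZ host. The zone names, subnets, classifications, hosts and rules are all constructed for illustration.

```python
"""Ring-model network segmentation checker.

Added example (not from the Aberdeen report): zones are concentric rings,
ring 0 is the Internet and higher rings sit closer to the sensitive core.
Two checks:
  * audit_placement(): every asset sits in a ring at least as deep as its
    data classification requires;
  * evaluate_flow(): default-deny; a flow needs an explicit rule and may not
    skip a ring when moving inward.
All zone names, subnets, classifications, hosts and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ring depth per zone: 0 = untrusted, higher = closer to sensitive data (assumed layout).
RINGS = {"internet": 0, "dmz": 1, "internal": 2, "restricted": 3}

# Minimum ring in which data of a given classification may live (assumed mapping).
MIN_RING_FOR_CLASS = {"public": 1, "internal": 2, "confidential": 3}

# One VLAN subnet per zone (constructed RFC 1918 addresses); anything else is the Internet.
ZONE_SUBNETS = {
    "dmz": ip_network("10.1.0.0/24"),
    "internal": ip_network("10.2.0.0/24"),
    "restricted": ip_network("10.3.0.0/24"),
}


@dataclass(frozen=True)
class Asset:
    name: str
    addr: str
    classification: str


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    src_hosts: frozenset = frozenset()  # empty = any host in src_zone


def zone_of(addr: str) -> str:
    """Map an address to its ring by VLAN subnet; unknown space is treated as Internet."""
    ip = ip_address(addr)
    for zone, net in ZONE_SUBNETS.items():
        if ip in net:
            return zone
    return "internet"


def audit_placement(assets):
    """Return names of assets sitting in a ring shallower than their classification allows."""
    return [a.name for a in assets
            if RINGS[zone_of(a.addr)] < MIN_RING_FOR_CLASS[a.classification]]


def evaluate_flow(src: str, dst: str, port: int, rules):
    """Decide a single flow. Inward hops are limited to one ring; everything else needs a rule."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if RINGS[dst_zone] - RINGS[src_zone] > 1:
        return "deny: skips ring"          # structural rule, cannot be overridden by a Rule
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port) == (src_zone, dst_zone, port):
            if not r.src_hosts or src in r.src_hosts:
                return "allow"
    return "deny: no rule"


# Constructed sample environment: a web tier, an app tier, a database and an HR share.
SAMPLE_ASSETS = [
    Asset("web-1", "10.1.0.10", "public"),
    Asset("app-1", "10.2.0.20", "internal"),
    Asset("db-1", "10.3.0.30", "confidential"),
    Asset("hr-share", "10.2.0.40", "confidential"),   # misplaced: confidential data in ring 2
]

# Choke-point rules, one ring at a time; the database accepts only the app server.
SAMPLE_RULES = [
    Rule("internet", "dmz", 443),
    Rule("dmz", "internal", 8443, frozenset({"10.1.0.10"})),
    Rule("internal", "restricted", 5432, frozenset({"10.2.0.20"})),
]


if __name__ == "__main__":
    print("misplaced assets:", audit_placement(SAMPLE_ASSETS))
    for flow in [("203.0.113.5", "10.1.0.10", 443),
                 ("203.0.113.5", "10.3.0.30", 5432),
                 ("10.2.0.99", "10.3.0.30", 5432),
                 ("10.2.0.20", "10.3.0.30", 5432)]:
        print(flow, "->", evaluate_flow(*flow, SAMPLE_RULES))
```

Two design points are worth noting. The ring-skip check is deliberately structural rather than a rule, so a mistaken "allow Internet to database" entry can never take effect; and because the default is deny in both directions, egress from the core (for example the database reaching the Internet) is also refused until someone writes a rule for it, which is the path an attacker would need for data leakage. In a real deployment the rule list is the artifact that gets pushed into VLAN ACLs or firewall policy, and audit_placement() is the kind of inventory check that catches confidential data drifting into a user VLAN.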
Table of Contents

Executive Summary ... i
  Key Business Value Findings ... i
  Recommendations for Action ... iii
Chapter One: Issue at Hand ... 1
  What Are Security Best Practices? ... 3
  Why Embrace Security Best Practices? ... 4
  Pressures and Challenges ... 5
  Responding to Pressure and Overcoming Challenges ... 5
Chapter Two: Key Business Value Findings ... 7
  The Benefits of Network and Infrastructure Security ... 7
Chapter Three: Implications & Analysis ... 9
  The Influence of Enabling Security Technologies ... 10
  Best Practice Framework: Organizational Structure and Strategy ... 11
  Best Practice Framework: Processes ... 13
  Best Practice Framework: Data and Knowledge ... 14
  Best Practice Framework: Technology ... 15
  Best Practice Frameworks: Performance and Metrics ... 17
  Aberdeen Recommendations ... 18
    Structure a layered defense posture ... 18
    Segment the networks ... 18
    Detect, then prevent ... 18
    Take inventory and monitor continuously ... 18
    Consolidate security into black belt and green belt teams ... 19
    Keep to the standards ... 19
    Yield to executive sponsorship ... 19
    Automation: business pressures, scope, scale, and speed ... 19
    Strategically reevaluate service levels against third-party sources ... 19
    Classify, reclassify, and involve everyone ... 20
    Extend real-time processes and integration with technology platforms ... 20
    Focus on managing risk while delivering operational agility ... 20
    Don't assume: determine and verify the facts ... 20
    Measure twice, cut once ... 20
    Be careful about segregation ... 21
Chapter Four: Recommendations for Action ... 22
  IDS Improves Bandwidth, Reduces Security Incidents and Liabilities for Norwich University ... 23
  U.S. Army Monitors Networks, Tracks Performance to Execute Its Avoidance and Prevention Strategy ... 25
  A Different Kind of Firewall Improves Business Results and Drives a New Business for TeleCity ... 27
  Telecommunications Company Automates Network Security Details, Delivers Impressive Results ... 29
  Web App Testing Helps Durable Goods Supplier Improve Supply Chain Results ... 31
  IDS and IPS Solutions Enable Carreker Corporation to Manage Security Exceptions, Not Events ... 33
  Automating Network and Infrastructure Security Leads to Improvements for Services Firm ... 35
  Vulnerability Management, Intrusion Prevention Help Firm Manage Risk ... 37
Featured Sponsors ... 39
Sponsor Directory ... 40
Author Profile ... 41
Appendix A: Research Methodology ... 42
Appendix B: Related Aberdeen Research & Tools ... 44
About AberdeenGroup ... 45
Figures
  Figure 1: Average Revenue Losses and Recovery Costs ... 2
  Figure 2: Framework for Best Practices in Security ... 5
  Figure 3: Maturity and Security Best Practices ... 10
  Figure 4: Best Practices, Enabling Technologies ... 16

Tables
  Table 1: Best Practice Winners and Their Solution Providers ... ii
  Table 2: Primary Pressures, Challenges and Responses: All Companies ... 6
  Table 3: Benefits of Network and Infrastructure Security ... 8
  Table 4: Best Practices in Security - Competitive Matrix ... 12
  Table 5: PACE Framework ... 43
  Table 6: PACE and Competitive Framework Interaction ... 43
Chapter One: Issue at Hand

Key Takeaways
  • All companies that are ratcheting up security for their networks and infrastructures are reporting better performance results.
  • An effective network and infrastructure security program requires a holistic and integrated approach that reaches throughout the organization and across all disciplines.
  • Avoiding fallout from customer and corporate data leakages, sustaining regulatory audit, and maintaining agility in a rapidly changing global economy are making best practices for security a major improvement initiative for senior executives.

The economy is improving, but global competition, regulatory oversight, and embarrassing publicity over data leaks are keeping companies focused on improving the performance of their electronic infrastructures. The results of Aberdeen's research are stark: 84% of all firms report that Internet security events have disrupted and disabled their business operations during the last three years.

At one end of the spectrum, 16% of firms have not experienced Internet business disruptions. At the other end, 15% of firms' business operations have been halted and disabled more than seven times over three years. The average firm suffers an Internet business disruption almost once a year.

The economic impact from revenue losses tied to these disruptions is staggering. Average revenue loss now approaches $2 million for each Internet-based business disruption.

The median revenue loss rate from Internet business disruptions is 0.067% of annual revenue per incident. For example, small businesses with annual revenues of $10 million are experiencing a loss of $6,700 per incident. A mid-size firm with annual revenues of $500 million is experiencing a loss rate exceeding $335,000 per incident. For Global 5000 firms with revenues of $2.5 billion, the losses are about $1,675,000 per incident. And Fortune 500 companies with $30 billion in revenue are experiencing losses of $20.1 million per incident (Figure 1).

Although costs to recover operations after an Internet business disruption are real, they're paltry when compared with revenue losses. Averaging $74,000 per incident, recovery costs hit firms differently. Smaller firms sustain both lower recovery costs and lower revenue loss rates. Large enterprises are experiencing higher revenue losses and correspondingly larger costs to recover business operations from Internet business disruptions.

Competitive Framework Key
The Aberdeen Competitive Framework defines enterprises as falling into one of the three following levels of practices and performance:
  Laggards (24%): practices that are significantly behind the average of the industry
  Industry norm (50%): practices that represent the average or norm
  Best in class (26%): practices that are the best being employed and significantly superior to the industry norm
Figure 1: Average Revenue Losses and Recovery Costs
Source: AberdeenGroup, June 2005

Companies operating at best-in-class levels are holding financial losses to much less than 1% of revenue. However, firms operating as industry laggards are experiencing loss rates that can exceed 5%. In an age of increased electronic access to information and offsite storage of core business data, even firms with stellar profiles and generally well-accepted procedures are scrambling to evaluate how they isolate core customer and corporate data while preserving authorized access to information around the clock, 365 days a year.

Organizations operating at best-in-class levels for security are focusing on more than technology. Many respondents from Aberdeen's benchmark security survey last year indicated that "50% of the job is about managing people." Another stated: "Seventy-five percent of the reason for success is that people know what to expect and how they fit into the security effort." Further, many respondents whose companies were selected for this series stated, "It's all about information flow, in and out (of the organization) and what kind of information."

About five years ago, Aberdeen was regularly scoffed at by senior IT security managers when they were asked if their firms classified data. Not only did most firms not classify data, but many answered "we can't afford to classify our data." In contrast, all firms profiled in this report not only classify data, they classify it into multiple levels of sensitivity. The data classification is accompanied by classification of employees, business partners, suppliers and even customers, and is complemented by technical controls and procedures
that are segregating access to data. For example, virtual LANs (VLANs) and multiple segmented networks are forming part of the technical controls being deployed to accommodate authorized access to information based on job- and function-based classification by business units. The network and infrastructure controls are being accompanied by additional software controls noted in the edition covering information and access.

The swing from "no classification" to classifying users and resources is a huge turnabout in such a short period of time. Unfortunately, there's a little secret, well understood among the security cognoscenti, that has not yet been resolved. The secret is: few firms are actually placing controls on the data itself that will enforce access to corporate and customer data. This is a practice common to the military and intelligence agencies, yet such controls have been, and remain, slow in being adopted by commercial businesses.

Almost all respondents interviewed for this report say security automation technologies are improving performance results. These firms say the difficult part about security is making sure it's aligned with the organization's needs, its business missions, and external regulatory pressures. To achieve this balancing act, practitioners are active members of IT steering committees, which are made up of senior members of the organization, including legal, finance, IT, business lines, sales, customer service, manufacturing, logistics, distribution, and other business functions.

In addition, these managers have dotted-line interactions with internal audit and controls, while managing people that are most often not part of the "security team." Some organizations have installed "security teams" into new application development projects to bake security into all new applications that carry out business procedures. Many other organizations are taking the opportunity to improve security by aligning team members with internal controls and Six Sigma black-belts as part of the remediation process for Sarbanes-Oxley deficiencies and inefficient business procedures.

PACE Key (for a more detailed description see Appendix A)
Aberdeen applies a methodology to benchmark research that evaluates the business pressures, actions, capabilities, and enablers (PACE) that indicate corporate behavior in specific business processes. These terms are defined as follows:
  Pressures: external forces that impact an organization's market position, competitiveness, or business operations
  Actions: the strategic approaches that an organization takes in response to industry pressures
  Capabilities: the business process competencies required to execute corporate strategy
  Enablers: the key functionality of technology solutions required to support the organization's enabling business practices

What Are Security Best Practices?

Best practices for network and infrastructure security are largely invisible to most people in the organization, until something goes wrong. Network and infrastructure security only become visible when business operations are disrupted, breaches found, or theft and fraud detected. Firms Aberdeen classifies as industry laggards tend to underfund this aspect of electronic security programs, or focus primarily on implementing the technical controls without heeding other factors that are even more important for successful network and infrastructure security programs.
Aberdeen's research shows that firms operating at best-in-class levels emphasize repeatable procedures, effective management of data and knowledge, efficient and transparent organizational structure and strategy, and enabling automation technologies to improve performance results for network and infrastructure security.

Furthermore, these firms place a strong emphasis on standards and policies to ensure everyone in the organization understands what's expected of them, and the role everyone plays in improving security for the organization. Moreover, firms performing at best in class for network and infrastructure security define their performance objectives and measurement metrics, continually measure performance against these objectives, and update them to keep pace with changing business pressures.

The best practices for network and infrastructure security include far more than the technology. Based on Aberdeen's ongoing research, the fundamental balancing issue for most security programs is how much unfettered access they will provide to resources to deliver business results against the risk and regulatory audit requirements involved. To achieve optimization, best-in-class firms are placing more emphasis on holistic approaches to the security program, including governance (Figure 2).

Achieving this balance between unfettered and appropriate access is not possible for a firm that operates its security program on an ad-hoc basis, where organizations are reacting to one security event after another. Rather, almost all firms that operate security programs on an ad-hoc basis are operating as industry laggards, with financial loss rates that are between 8 and 12 times higher than organizations with best-in-class security programs.

Why Embrace Security Best Practices?
Best practices are also enabling best-in-class firms to reduce business cycles, respond to local market conditions more aggressively and in a more timely fashion, and manage their supply chains more efficiently. Security best practices result in lower financial losses in operations, little, if any, visible publicity that can harm the organization, and make it relatively easy for the organization to sail through regulatory audits.

Secondly, the fruit of security best practices for these firms is operational improvement, increased customer loyalty and retention, and decreases in product costs and time-to-market.

Lastly, companies implementing security best practices are more successful in dealing with changes in company structure, including mergers, divestitures, and new legal entities. These firms also leverage information and access best practices to reduce costs for plant, equipment and labor. Further, these companies are laser-focused on increasing customer self-service sales and higher retention rates for existing customers.

In short, companies implementing best practices for governing security are more successful in dealing with the business pressures impacting their organizations and in overcoming the challenges they face.
Figure 2: Framework for Best Practices in Security
Source: AberdeenGroup, June 2005

Pressures and Challenges

Organizations face unique pressures when it comes to network and infrastructure. These include business disruptions that occur due to network outages, business disruptions from Internet security events, compromises of customer and corporate data, and human error. The primary challenges in coping with these pressures include a lack of funding, inadequately trained staff, and technology immaturity.

Responding to Pressure and Overcoming Challenges

The major response to overcoming challenges begins with a strategy of avoiding and preventing Internet security threats from harming the business. Firms are responding by trying to contain security incident outbreaks from spreading and causing further harm, as well as cleaning up and restoring business operations and activities (Table 2).

As the data shows, network and infrastructure security is something that assists directly with continuous business operations, a critical factor in always-on operations for global companies that must optimize the supply chain to meet local market demand.
Table 2: Primary Pressures, Challenges and Responses: All Companies

  Business Pressure (% of all companies)
    Compromises to data integrity: 92%
    Business disruptions from network outages: 82%
    Business harm from Internet security events: 70%

  Business Challenges (% of all companies)
    Lack of adequately trained staff: 84%
    Lack of funding: 79.5%
    Technology immaturity: 79.5%

  Business Response (% of all companies)
    Avoidance and prevention: 58%
    Containing further business damage: 38.6%
    Cleanup after the mess: 21.6%

Source: AberdeenGroup, June 2005
Chapter Two: Key Business Value Findings

Key Takeaways
  • Network and infrastructure security programs focused on avoidance and prevention often pay for themselves after a company avoids the first security breach.
  • Lack of publicity and reduced downtime are delivering business benefits in the form of more confident consumers and business customers.
  • Firms operating at best-in-class levels are reducing fraud, theft, and data leakage.

The network is the business, now that companies are operating on global scales to manage their supply chains to meet local market demand. In fact, one of the biggest changes during the past five years is the makeup of the enterprise network. Instead of leased lines and private networks, the Internet has become the dominant network of choice for interconnecting business operations across the enterprise's value chain. Internet-based virtual private networks (VPNs) have largely supplanted the use of non-Internet networks.

In addition, regional data centers have been largely consolidated into one corporate data center. Five years ago, 50% of all firms employed multiple data centers to support business operations. Mostly based on a hub-and-spoke system, regional data centers were the workhorses used to serve local markets and manage local supply chains. Today, only 17% of firms are employing the hub-and-spoke approach involving one or more regional data centers in addition to the corporate data center. Eighty-three percent of firms are using one data center, located at corporate headquarters. This has resulted in managing a global supply chain from corporate headquarters, complemented by Internet interconnections to the supply chain and to local sales and customer service operations.
Despite the consolidation and the dependence on the Internet, the enterprise's network is anything but homogeneous, largely due to the significant increase in outsourcing of non-core, IT, and business functions that business partners and suppliers are performing. Although the Internet's worldwide reach is considered critical to accelerating information flow that's helping to reduce business cycles, even network operations are being outsourced to best-in-class operators.

The Benefits of Network and Infrastructure Security

What is unique about network security is that it operates in its own world, including technology buzzwords, that too often separates it from business and other IT security disciplines, including those used for information, access, and governance. For example, the world of network security is made up of jargon that includes "up to layer 3", protocols, services, ports, behavior analysis, viruses, Trojan horses, and denial of service attacks.

Infrastructure security focuses on the intersection of network services, computing and web platforms, PC laptops and desktops, personal information tools, and networked business applications on which the organization relies. Infrastructure security also has its special jargon, with such terms as vulnerability assessment, operating systems security, and host intrusion detection and prevention tools.

The business value of security is always invisible, until something goes wrong. The impacts of poorly managed infrastructure and network security include business operations that are down, customer dissatisfaction, stolen customer and corporate data, and compromised information systems. For a company operating at best-in-class levels, the benefits of network and infrastructure security include improved operating margins, better brand management, less struggle and less spending on audits, and lower expenses (Table 3).

Table 3: Benefits of Network and Infrastructure Security

Area of impact: Continued availability of network and infrastructure resources for main business operations
  Measurement of improvement: Business uptime and resumption objectives
  Without technology: Negative results include ranges of 10, 20, and as much as 50 hours per year lost. Results include lost business, increased costs and lost customers.
  Best practices overall, with technology: Best results are less than one hour per year of lost business.

Area of impact: Business losses from Internet security events that compromise information assets and resources
  Measurement of improvement: Percentage of revenues
  Without technology: Negative results
  Best practices overall, with technology: Losses depend on strategy: avoidance, containment, or clean-up. Losses range from 0.01% to as much as 1% of revenue.

Area of impact: Cleanup costs after Internet security events
  Measurement of improvement: Direct expense reductions
  Without technology: More than $50,000 per incident
  Best practices overall, with technology: Less than $5,000 per incident

Area of impact: Number of Internet security events and incidents causing business harm
  Measurement of improvement: Company productivity, revenues, customers, and expenses
  Without technology: More than 10 events annually
  Best practices overall, with technology: Less than 5 events annually. Best in class are experiencing less than one every two years.

Area of impact: Audit
  Measurement of improvement: Number of deficiencies
  Without technology: More than 100
  Best practices overall, with technology: 2 to 4 at time of audit

Area of impact: Sensitive data leakage (publicly reported or not)
  Measurement of improvement: Number of events
  Without technology: Averaging 2 per year
  Best practices overall, with technology: Less than one every five years

Source: AberdeenGroup, June 2005
Chapter Three: Implications & Analysis

Key Takeaways

• Make sure to select security incidents and their business impacts as the primary performance metric to track.
• Segment and manage the networks by placing sensitive data at the center.
• Manage the ins and outs of your networks and infrastructure across the value chain, especially where access is non-public.

As the global economy continues to spread, best-in-class companies are looking at effective network and infrastructure security programs to reduce risk while improving operations. Because performance results correlate so clearly among best-in-class performers, security best practices focused on network and infrastructure are areas of process automation drawing increased attention from many firms.

Perhaps the most important finding from Aberdeen's research is the influence different maturity levels have on security performance results. The measure for security program effectiveness covers these four levels:

• Ad-hoc systems and procedures;
• Defined systems and procedures;
• Managed systems and procedures; and
• Optimized systems and procedures.

What is common among the firms implementing security governance programs is that their performance results place them at a managed systems and procedures level, at minimum. All sites listed here operate at this level; many operate at optimized levels. Aberdeen's research clearly indicates that it is nearly impossible for an organization to leap from operating at an ad-hoc maturity level to the characteristics of firms operating at managed and optimized levels. Nevertheless, the journey toward well-managed optimization, through security best practices, starts with taking steps toward these best practices.
Thus, organizations implementing imbalanced security programs at ad-hoc or defined levels should consider the next steps to improve their operating results before making the leap to security governance. Companies already operating at managed levels are primed to consider implementing security governance programs.

For companies operating at slightly different maturity levels, the practices being implemented for procedures, data and knowledge, the organizational structure, and enabling technologies are lower, at defined and ad-hoc levels (Figure 3).
Figure 3: Maturity and Security Best Practices
Source: AberdeenGroup, June 2005

The Influence of Enabling Security Technologies

Although much of this report focuses on security best practices, security technologies for network and infrastructure reduce the unnecessary costs and inefficiencies enterprises encounter in monitoring risk, responding to events, and mitigating future outcomes, while avoiding business disruption, theft, fraud, and costly expenses to resume operations. Security technology solutions for networks and infrastructure are also responsible for enabling business agility by ensuring that authorized people have access to the resources and information needed to fulfill company missions when needed. Unfortunately, there are more than 500 suppliers pushing security solutions, and a lot of marketing noise.

Aberdeen's research clearly shows that firms operating at best-in-class levels are deploying and relying on more than one solution supplier and more than one enabling technology solution in each of the three main areas: network security and infrastructure, information and access, and governance. The research also shows that best-in-class companies operate with more than one solution in each area.

By contrast, the research also shows that firms operating at the industry norm are typically operating at managed to defined levels, are relying on more than one solution supplier, and are deploying more than one enabling technology for network and infrastructure and at least one for information and access. Aberdeen's research shows that it is rare for these firms to be implementing highly automated technologies in security governance.
Lastly, companies operating as industry laggards often depend on one to two key technology providers for network and infrastructure, are rarely deploying automating technologies for information and access, and never consider the influence governance plays in performance outcomes.

Best Practice Framework: Organizational Structure and Strategy

A best-in-class company exhibits the following traits for network and infrastructure security:

• Low loss rates,
• Low incident rates,
• A laser focus on classifying and limiting access to customer and corporate data, and
• More mature processes, organizational structure, management of data and knowledge, and broader technology usage.

Best-in-class firms in network and infrastructure security practices are leveraging security programs for two distinct purposes: enabling business operations to function at full throttle, and mitigating business risk (Table 4).

Management of the security function at most firms covered by this research is based on the ISO 17799 Code of Practice for Information Security Management, a de-facto standard framework. In addition, European firms covered by this research adopted the earlier version of this framework: the BS 17999 standard. Despite minor differences in these frameworks, all companies in this report look to these frameworks for guidance and customize the implementation of their security programs to meet their organizations' business needs. For government organizations in the U.S., the standard framework for security management is dictated by FISMA. Like their commercial counterparts, management teams at government sites are using this framework for guidance and to "implement the intent of the framework."

For day-to-day operations, network and infrastructure security is currently implemented on the backs of the front-line troops: the network, systems and network administrators.
However, each of the firms listed as a best practice winner employs an organizational approach that involves the following kinds of roles:

• Management;
• Chief researchers and second-line respondents;
• Developers and software deployment QA liaisons; and
• Help desk and IT administrative staff.

The jobs of chief researchers and second-line respondents are considered crucial. They must uncover new exploits, rationalize their impacts on the firm, provide training to less-seasoned front-line administrators, and assist management with emergency response procedures. The developers' and QA liaisons' jobs are to "get ahead of the curve" by baking security into new network, platform, application, and information deployments, and to test them for compliance against the firm's standards.
The help desk staff is employed for first-level support, and the alerting of security incidents reported by users goes to second-line respondents for follow-up.

Management typically reports directly to the CIO and is responsible for the enterprise's entire electronic security program. At most firms, responsibility is divided between the physical security team, responsible for cameras and badge access systems, and the electronic security team, responsible for all things related to information. Despite this division, a few best practice firms are integrating some physical and electronic security systems.

Table 4: Best Practices in Security - Competitive Matrix

Organizational Structure and Strategy
  Industry Average: Organizational structure and funding are either ad-hoc or loosely undefined at best. Often, the responsibility moves from one group of people to another, defeating the experience, data and knowledge that are critical to performance results.
  Best in Class: Formal organizational structure, funding and on-going risk assessments, complemented by managed and optimized practices. The organization is kept in place to maximize long-term knowledge and data; individual transfers of staff occur in and out of the security function to improve overall performance for the organization.

Processes
  Industry Average: Processes are only loosely defined and standards don't exist.
  Best in Class: Processes are aligned by business and mission need, and implement the firm's standards, policies and procedures.

Data and Knowledge
  Industry Average: Knowledge depends on whatever the local systems administrator brings to the task and is often applied on an as-needed basis.
  Best in Class: Formalized training and education programs are implemented for security staff, senior management, all employees, contractors, suppliers, and business partners.

Technology
  Industry Average: No segmentation of networks, no VLANs, and no usage of IDS/IPS. No classification of data to drive network segmentation. Limited use of technology to automate security beyond the minimum of firewalls and antivirus software.
  Best in Class: Use of technology automation across all three domains. The automation mix depends on the specific business requirements. Network and infrastructure security is the most automated of all, followed by information and access, then by governance.

Performance and Metrics
  Industry Average: Very few metrics tracked consistently. The result: highest rates of financial losses from theft, fraud, business disruptions, and internal expense to resume business operations.
  Best in Class: Most aspects of the security programs are tracked, with special emphasis on key performance metrics (KPIs) at multiple levels, including dashboard views for finance, IT operations, security, business lines, etc. The result: lowest rates of financial losses from theft, fraud, business disruptions, and internal expenses to resume business operations.

Source: AberdeenGroup, June 2005
Despite the common practice of separating the security staff from the day-to-day IT administrative staff, one best practice not commonly employed is the integration of the security team with IT operations. The effect of this alignment has been reduced friction between the front-line, day-to-day operations and the security function.

One of the notable practices is a continual cost-benefit analysis as it applies to performance results, organization, and automation. For example, at two firms covered in this research, the security staffs are very lean. These organizations have decided to automate as much as possible, opting to replace people with technology automation tools and to aggregate as much information and knowledge as possible into multiple dashboard views that provide a near real-time risk posture: which risk thresholds have been exceeded and the business impact of those exceptions. This approach to automation has resulted in effective workflow controls dedicated to change management between the security function and the much larger operations staff responsible for network, database, and systems administration.

At the other end of the spectrum, one of the sites uses an organization with six levels of security staffing, from management to front-line troops. In this organization, controls for network and infrastructure security have been automated as much as possible, whereas other areas remain largely manual and paper-based, and depend on the intervention of a large staff. Although these two extremes are unusual, they represent the tradeoff best-in-class firms are making as part of their organizational structures and strategies.
Best Practice Framework: Processes

Most of the processes implemented by the sites covered in this research revolve around ISO 17799 or the BS 7999 equivalents that have become the de-facto standard frameworks for implementing and managing effective security programs.

For example, all sites in this report implement ongoing asset classification programs that involve some form of electronic discovery and verification of the electronic assets that are connected to the enterprise network. The importance of this activity cannot be stressed enough; categorizing and capturing what is connected is critical to the performance results of security programs. For some of these companies, asset registration occurs monthly. For others, the frequency of scanning and populating the asset base is every day, and for some it is twice per day. For others, seasonal business swings, especially in the retail sector, mean the frequency of asset collection is adjusted to accommodate changes in the business cycle.

For most of the firms, the scope of asset registration includes all devices connected to the enterprise network, including hosts, laptops, PCs, network switches, and routers. In addition, many firms place snort pre-processors and nessus scanners to scan the network connections and hosts that connect to their networks from business partners, suppliers of outsourced IT systems, applications and services, contractors, and any other third party that connects to the enterprise network.

Although many firms are implementing some form of "minimum security profile" required of any end-point device that connects to the network, only a few are ready to implement automated inspection, analysis, and online remediation for employees, business partners, and suppliers. These few firms are planning to move forward with automated, inline inspection and remediation programs this summer for employees and business partners. Under these programs, devices and network interconnections that do not meet minimum standards, or that are out of threshold, will be refused access to the corporate networks until the devices are remediated.

The current state of the market for security best practices is to take corrective action by notifying line management, IT administrators, employees, business partners, and suppliers that remediation must take place within a certain time window (usually between 24 and 72 hours), or the systems in question will be prevented from connecting thereafter.

For most firms, getting ahead of the security curve has resulted in a very active outreach program that places security specialists at the front end of the software development and deployment stage. Any change to existing software, or the introduction of any new device with embedded software, requires the security team's signoff. Working directly with the software development and QA staff is enabling these organizations to minimize downstream vulnerabilities that cost more money and time to remediate after the fact.

In addition to testing new software and changes to software, the function of this group includes testing of existing Web and other front-line portal applications that are accessible to customers, business partners, suppliers, and employees. This involves everything from code reviews to in-line analysis of the production systems; some of these sites are outsourcing this work effort while others have brought the function in-house to perform it frequently.

Incident response teams are made up of selected members of IT operations, the security team, business unit leaders, IT management, legal, PR, senior executives, and human resources, giving the team a dual-edged focus.
On the one hand, the processes the team implements are calculated to respond to threshold levels. Where business operations are not in danger, the focus of the security incident response team is contained. On the other hand, when threshold levels are exceeded, the team becomes part of a larger team that is directed by seasoned senior management staff. In addition, the processes being implemented to respond to business disruptions, security breaches and compromised systems now commonly involve state and federal government agencies as well as legal and forensic specialists. The rules of engagement differ signifi- cantly between business disruptions and potential criminal events. The processes being implemented for business resumption involve a much larger cross section of the business, whereas those implemented for potential electronic criminal activity involve a very few selected individuals in the organization. Best Practice Framework: Data and Knowledge All respondents cite data and knowledge as their most critical weapon for improving the performance of their security programs. The stance these sites take is “what you don’t know is much more important than what you know.” The most oft-cited practices for managing data and knowledge include: • Leveraging data and knowledge from external feeds covering software vulner- abilities, security exploits, and system-levels bugs; All print and electronic rights are the property of AberdeenGroup © 2005. 14 • AberdeenGroup
• Leveraging external data covering the latest security incidents and outbreaks by geography; and
• Leveraging knowledge from consistent monitoring and scanning of the enterprise network and all systems connecting to it.

In addition, best-in-class sites track and aggregate data into near real-time risk management dashboards. Additional information on this is covered in the Governance edition of this Best Practices in Security series.

Best Practice Framework: Technology

Every site covered in this research is implementing a layered defense model when it comes to its network and infrastructure. These sites abandoned the notion of a single perimeter quite a while ago. The multi-ringed nature of the network defenses being implemented by these sites is complemented by network isolation and segmentation, many of which use VLANs. The most common method employed for this ring architecture is based on the sensitivity of the information, whereby the most sensitive data and applications are placed in the center of the ring. For additional information, see the companion edition of this series, Best Practices in Security: Information and Access. Each ring implements a variety of choke devices and controls. Some of the sites have taken this to another level by conducting ongoing analysis of network events to discover variances from expectations.

The most commonly employed security devices, controls and techniques include firewalls, network address translation, VLAN assignments, intrusion detection, intrusion prevention, asset identification, change management, network protocol and service restrictions, bandwidth analysis, outbound flow analysis, inbound flow analysis, and network call assignments.
Much of this effort is focused on limiting inbound and outbound information flow to conform to security policies and standards directly related to the processes involved in the relevant missions and business operations.

The primary determinant of the ring structure is the placement of core customer and sensitive corporate data onto isolated inner rings of the defense, with less sensitive public information in the outer rings. In between, business partners and suppliers are provided with access, at intermediate rings, to some corporate information that is not available to the public (Figure 4).

While some firms are implementing four or more rings of defense, others are implementing only two segmented networks. In some cases, firms are implementing as many as five, six, and even seven rings. The specific implementation of the layered ring structure at each company is geared to the business processes and mission, along with the complexity of the business value chains the networks must enable, and the business or mission uses of the information.
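To make the ring model concrete, the following added example (not Aberdeen's code, nor any surveyed firm's tooling) assigns constructed hosts to rings by data classification and audits constructed firewall log lines against an assumed policy: a flow may cross at most one ring boundary, and inward crossings are allowed only on explicitly permitted services. The ring numbering, host names, policy table and log format are all assumptions for illustration.

```python
"""Ring-based segmentation policy check over firewall log lines.

Added example, not from the report.  Ring 0 is the core (customer and
sensitive corporate data); higher numbers are further out.  Firewalls sit at
every ring boundary, so a flow that jumps more than one ring, or that enters
an inner ring on a service the policy does not list, is reported as a
violation for the security team to investigate.
"""
from dataclasses import dataclass

# Assumed mapping from data classification to ring number.
RING_OF_CLASSIFICATION = {
    "customer_data": 0,        # core customer data
    "corporate_sensitive": 0,  # sensitive corporate data
    "partner_shared": 1,       # corporate information shared with partners
    "partner_edge": 2,         # where business partners and suppliers connect
    "public": 3,               # public information and the Internet itself
}

# Constructed asset register: host -> classification of the data it holds.
ASSETS = {
    "db-cust-01": "customer_data",
    "erp-app-01": "corporate_sensitive",
    "b2b-portal": "partner_shared",
    "partner-vpn-gw": "partner_edge",
    "www-01": "public",
    "internet": "public",
}

# Assumed policy for inward crossings: (outer_ring, inner_ring, dst_port).
ALLOWED_INBOUND = {
    (3, 2, 443),   # public ring -> partner edge, TLS only
    (2, 1, 443),   # partner edge -> partner-shared applications
    (1, 0, 1433),  # partner-shared applications -> core database
}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int


def ring_of(host):
    """Ring number of a registered host, derived from its classification."""
    return RING_OF_CLASSIFICATION[ASSETS[host]]


def check_flow(flow):
    """Return None when the flow conforms to the ring policy, else a reason."""
    src_ring, dst_ring = ring_of(flow.src), ring_of(flow.dst)
    hops = abs(src_ring - dst_ring)
    if hops > 1:
        # Every ring is its own choke point: traffic must not bypass one.
        return (f"{flow.src} (ring {src_ring}) to {flow.dst} (ring {dst_ring}) "
                f"crosses {hops} ring boundaries")
    if dst_ring < src_ring and (src_ring, dst_ring, flow.dst_port) not in ALLOWED_INBOUND:
        return (f"tcp/{flow.dst_port} is not a permitted service from ring "
                f"{src_ring} into ring {dst_ring}")
    return None


def parse_log(lines):
    """Parse constructed firewall log lines of the form 'src=<h> dst=<h> dport=<n>'."""
    flows = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        flows.append(Flow(fields["src"], fields["dst"], int(fields["dport"])))
    return flows


def audit(lines):
    """Return [(flow, reason)] for every logged flow that violates the policy."""
    return [(f, r) for f in parse_log(lines) if (r := check_flow(f))]


SAMPLE_LOG = [  # constructed sample log lines
    "src=internet dst=www-01 dport=443",              # same ring: fine
    "src=internet dst=partner-vpn-gw dport=443",      # one ring inward, permitted
    "src=partner-vpn-gw dst=b2b-portal dport=443",    # permitted
    "src=b2b-portal dst=db-cust-01 dport=1433",       # permitted
    "src=partner-vpn-gw dst=db-cust-01 dport=1433",   # skips ring 1: violation
    "src=www-01 dst=partner-vpn-gw dport=22",         # ssh not permitted inward
    "src=db-cust-01 dst=internet dport=443",          # core straight to public: violation
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dst_port}: {reason}")
```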
Figure 4: Best Practices, Enabling Technologies
Source: AberdeenGroup, June 2005

One of the more interesting observations across many of these sites is the automation of detection by using intrusion detection, most of which is deployed at the forefront of the segmented network rings, facing the public side of the hypothetical perimeters between the enterprise network and the Internet. In addition, these sites are placing prevention and avoidance controls within each of the segmented rings, and especially in the center, as data and systems become more sensitive.

All firms using these approaches report very significant declines in network security events over the past three years. Sites with less than three years of experience using this approach report similar declines. More importantly, only a few of the selected sites report one, or maybe two, serious Internet events over the past few years, whereas the majority of the sites report none.

This is not to say that the principals at all these sites are leading charmed lives. Indeed, at a few, damage did occur from worms that were launched from inside the enterprise network. In all three cases, the culprit was found to be non-employees (contractor, visitor, etc.) who had been granted access to the internal networks and whose laptops were infected. The use of intrusion prevention solutions, combined with active alerting and response procedures, limited the damage to a few PCs connected to the VLAN sub-segment these contractors logged onto.

The research clearly indicates that, in addition to segmented networks, these organizations have become very rigorous about configuration change management on the production networks. Areas of automation for change management routinely include network discovery, configuration databases, repeated inventory scans, vulnerability analysis, and remediation change management processes. Driven by compliance audit findings and by actual results from automated tools that show what is really occurring on the network, these firms are employing automation tools to assist the change management processes. For example, one organization scans the entire environment twice a day; another does it daily, while many opt to scan weekly, using new device entries and changes to automate a pinpointed scan of a specific device.

In addition, the research shows that the use of open source network security solutions is widespread among these firms, including such tools as nessus and snort among others. Although widely employed, these tools are being used by experienced network security specialists, most of whom are few and far between, are expensive to retain and who, despite their experience and credentials, cannot hope to keep pace with the electrons flowing through the network. Many respondents for this research said commercially supported network sniffing and scanning software tools are being used in conjunction with the open source tools. For some situations, the commercial tools are preferred over open source alternatives for three primary reasons:

• Commercial tools have improved significantly during the past three years and are further ahead of the open source alternatives;
• The usability of commercial tools has made it possible for the organization to scale coverage through less skilled network and systems administrators; and
• Employing lower skilled administrators lowers costs.
Despite a preference for commercial tools to scale operations with the use of lower skilled personnel, many sites continue to employ what they consider “best of breed” open source tools, albeit by the most experienced of network security personnel to investigate security events that exceed acceptable risk thresholds or that represent exceptions. Best Practice Frameworks: Performance and Metrics The most important and most consistently tracked performance metrics for network and infrastructure security among best-in-class firms include: • Number of security incidents; • Frequency of security incidents; • Business impact and severity of these incidents; • Number of audit deficiencies and compliance gaps; and • Number of vulnerabilities. Best-in-class organizations also track performance results against the following: down- time, business disruptions, business resumption objectives, open trouble tickets, patches, changes in network bandwidth, modifications and changes to devices and software, the number of security events and threats having a business impact, risk and business agility posture, satisfaction with service delivered to customers, costs, quality of service, changes in scanning, and vulnerability profiles. All print and electronic rights are the property of AberdeenGroup © 2005. AberdeenGroup • 17
  25. 25. Best Practices in Security: Network and Infrastructure Some of the sites covered by this research have automated the tracking of performance metrics and thresholds that are built into real-time risk management dashboards. Addi- tional information on this is covered in the Governance edition of this series. Aberdeen Recommendations Aberdeen views a holistic approach to security and infrastructure security encompassing five key process steps: 1. Objectives, which establishes the organization’s objectives, standards, proce- dures, structure, and knowledge; 2. Measurements, which are used to identify profiles and gaps, from business pro- cedures to enabling technologies; 3. Analysis, which is aggregated to financial and public image impact by business operations, lines, and divisions; 4. Education, which is used to make a security program effective for business and organizational missions; and 5. Refinement, which is used to recalibrate objectives, measurements, analysis, spending, processes, organizational structure, and knowledge management. Aberdeen’s recommendations, based on our research, encompass these 5 steps. Structure a layered defense posture Whether it is described as rings or choke points, a layered, multiple-moat environment, where the least damage will be caused, must take the frontal assaults from the Internet. In addition to the other enabling technologies that are commonly deployed, best-in-class companies are also using honey-pots to deliver a false view for hackers and privileged insiders to see. All of these organizations are structuring the rings to protect from least valuable on the outside to the most valuable data and applications in the core. Segment the networks The lessons from the masters include segment your networks using a VLAN or similar solutions. Moreover, place firewalls at every entry and exit through the layered rings. 
Also, use address translation and hiding wherever possible; hide the actual addresses of the domain name servers and other common network service servers that, if compromised, could cause serious consequences.

Detect, then prevent

Most companies selected for this report utilize a primary detection process backed up by secondary prevention methods. Again, the advice from the winners: make sure these are scanned daily, if not more frequently, to eliminate accidental and malicious change.

Take inventory and monitor continuously

The best advice from the leaders: take inventory daily, because the profile of the enterprise network and the configuration data on the attached devices change each day. According to these practitioners, these measurements are the absolute bedrock upon which everything else resides.

Consolidate security into black belt and green belt teams

Similar to the terminology used in the world of Six Sigma, best practice firms recommend finding and keeping your best possible master black belts to build your team around. After this, they recommend inculcating security knowledge and training for the green belts that are responsible for day-to-day IT and network administration. A note to the uninitiated: credentials such as CISSP and CSA are seen as useful for green belts. You are trying to improve the knowledge base across the company through the use of this and related training. Your black belts should be 10-year veterans who are operating at levels far beyond the minimum baselines measured by these and other common certification programs.

Keep to the standards

The surest path to failure, according to all, is to waver on or modify company policies and standards in the face of negative reaction from within. The standards may have to be updated, but if they are properly informed and arrived at with input and review from the steering committee, there is no reason to change them quickly.

Yield to executive sponsorship

At this stage, in the era of Sarbanes-Oxley and increasing regulatory and audit review, finding and retaining executive sponsorship among the best-in-class practitioners is no longer an issue. However, if your company is not operating at best-in-class levels, the practitioners recommend starting here, and ensuring an executive-level steering committee meets regularly. It is better to recognize when to compromise, and at least make the risks known, than to take an adversarial position without reasoning and facts to back up the expected result of decisions that are likely to increase risk.
Automation: business pressures, scope, scale, and speed

Almost all respondents agree that network and infrastructure security needs the most automation. However, several respondents note that business pressures dictate where automation throw-weight is most useful. For example, automation is frequently cited as the key contributor for business procedures that involve large numbers of people, systems, and segmented networks; where business cycles are seasonally based; and where heterogeneous populations of suppliers and customers cannot be managed within acceptable risk thresholds economically by using manual methods. While some respondents are currently operating some aspects of their network and infrastructure security programs manually, most are on a path toward full automation.

Strategically reevaluate service levels against third-party sources

Almost all respondents say there are plenty of opportunities to lower costs and deliver higher service levels for security by reevaluating which aspects can and should be farmed out. For example, one respondent outsourced all monitoring, scanning, risk analysis, and remediation activities involving business partners and suppliers. Another outsourced monitoring and scanning of outsourced IT functions, networks, and systems. In these instances, the firms are actually better off and are redeploying limited talent to more critical projects.

Classify, reclassify, and involve everyone

One of the major reasons the firms in this report are performing as well as they are is their organizations' focus on classification, including that of data, information, networks, systems, applications, business partners, suppliers, and even customers.

Classification is also done for major business operations, business process flows, and the information flows needed to support operations, with a continual reevaluation of them to keep pace with changing business conditions.

Moreover, the success of these organizations is due largely to the fact that every stakeholder is asked to participate and help with program success. Outside of IT, this includes human resources, legal, finance, business unit managers, internal audit and controls, public relations, local and federal law enforcement, and, of course, the peer network. Lastly and perhaps most important, all these firms routinely operate and deliver security awareness training for employees, business partners, suppliers, and even customers. By leveraging more eyes and ears, these firms have encouraged everyone who interacts with the organization to think of security as a part of his or her job.

Extend real-time processes and integration with technology platforms

Reducing financial losses and incidents involves spending more on automation. Lowering loss rates by even 0.5% of revenue is a significant saving that drops to the bottom line. Equally important, it reduces or eliminates public embarrassment, customer losses, and difficulties in recruiting customers who might otherwise be leery of doing business with the firm because of news reports regarding data breaches and lax security procedures.
Focus on managing risk while delivering operational agility

If nothing else, the best-in-class organizations focus on quantifying and qualifying the risks that, if not mitigated, will result in negative consequences. This must be counterbalanced against the impact of mitigation on business operations. The ideal position, according to the best practice companies, is improved business agility combined with optimized, managed risk.

Don't assume: determine and verify the facts

Fact-based investigation, analysis, and quantification is one of the hallmarks of all the best practice firms in this report. None assumes that its skills and knowledge are better, faster, and more powerful than mistakes, omissions, carelessness, and wily hackers.

Measure twice, cut once

All of the best practice firms recommend a "measure twice, cut once" approach. Measuring twice covers both the technical and the business issues involved; depending on how well the business process is understood, this may take a while. Cutting once may involve notifying line managers, legal, or human resources, or denying service, depending on the nature of the event and company standards.

Be careful about segregation

The audit world is focused on segregation of duties, and for good reason. Many executives Aberdeen has interviewed over the years have said that when it comes to security, they are as afraid of what their internal experts could do as of what they could not do. For these and other reasons, it is proper to put controls in place that segregate duties and roles. Too much segregation, however, has negative consequences. If the controls make it impossible to respond to seasonal business changes or sudden trading volume spikes, or block access to historical business information, the organization defeats its own objectives and its ability to execute. Therefore, before introducing any control that segregates duties and roles, evaluate its business impact under worst-case boundary conditions.
Chapter Four: Recommendations for Action

Key Takeaways

Detailed Aberdeen research, covering more than 70 security programs, has identified the following enterprises as demonstrating best practices for network and infrastructure security:

• Norwich University
• Nuclear Fuels Corporation
• TeleCity, a managed security services company
• A large telecommunications company
• U.S. Army
• A durable goods manufacturer
• A professional services company
• Carreker Corporation

Case studies of these enterprises follow in this chapter.
IDS Improves Bandwidth, Reduces Security Incidents and Liabilities for Norwich University

Company Name: Norwich University
Solution Providers: Demarc
Business Challenges: Unsafe learning environment, compromised business systems, and unstable operating environments that threatened the use of technology in the learning environment.
Strategy:
• Rethink and redeploy security to eliminate the problem
• Automate as much detection, prevention, avoidance, and quarantine as possible
Value Achieved:
• Network bandwidth reclaimed for business purposes
• Illegal file sharing and copyright violations eliminated
• Security incident metrics dramatically down

Business Challenge

Norwich University faces a significant challenge twice each year: when students return from their holiday and summer breaks, they re-infect the university's networks and systems with whatever they have downloaded onto their laptops while away. Ongoing problems include worms, viruses, Trojan horses, spyware, and peer-to-peer file sharing, among many other security problems.

Strategy

Norwich decided to segment its networks, keeping the dormitory networks separate from the networks used for instruction, administration, laboratories, and IT, among others. In addition, the university decided to employ a multi-ringed defensive "moat," with its most sensitive systems and data at the center and the student networks at the outer edge.

It implemented an intrusion prevention system to protect the data and systems in the center, and acquired and deployed an intrusion detection system between the rings to provide early warning of security events that cross certain thresholds, of banned protocols such as peer-to-peer sharing of copyrighted material, and of rootkits moving through its networks.
For the intrusion detection system, the university chose solutions from Demarc.

Deployment Experience

The initial deployment of the Demarc solution took two weeks, allowing for integration with Snort filters and detection rules. Once operational, the solution started finding problems immediately.
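To make concrete what "Snort rules that identify a banned protocol" and "events that cross a threshold" look like on a sensor placed between the student ring and the inner rings, here is an added example of a local Snort 2.x rule file. It is an illustration written for this page, not Norwich University's or Demarc's rule set; the network variable names, address ranges, message texts and sid numbers are assumptions chosen for the example.

```snort
# Added illustration, not Norwich University's or Demarc's actual rules.
# Assumed ring definitions for the dormitory (outer) ring and the inner rings;
# the address ranges are placeholders, not the university's.
var STUDENT_NET 10.20.0.0/16
var INNER_NET [10.1.0.0/16,10.2.0.0/16]

# 1. Banned protocol, BitTorrent: every peer handshake starts with the length
#    byte 0x13 followed by the literal "BitTorrent protocol", so the match is
#    anchored to the first 20 bytes of the client's first payload.
alert tcp $STUDENT_NET any -> any any (msg:"LOCAL P2P BitTorrent handshake from student ring"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:1000001; rev:1;)

# 2. Banned protocol, Gnutella: the connect string is sent in clear text at
#    the start of the session ("GNUTELLA CONNECT/0.6").
alert tcp $STUDENT_NET any -> any any (msg:"LOCAL P2P Gnutella connect from student ring"; flow:to_server,established; content:"GNUTELLA CONNECT/"; depth:17; nocase; classtype:policy-violation; sid:1000002; rev:1;)

# 3. Threshold-based early warning across the ring boundary: a single student
#    host opening 20 or more new TCP sessions into the inner rings within 60
#    seconds raises one alert per period ("type both"), which keeps a worm or
#    scanner from drowning the console in one line per SYN.
alert tcp $STUDENT_NET any -> $INNER_NET any (msg:"LOCAL student host connecting into inner ring at scan rate"; flags:S; threshold:type both, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000003; rev:1;)

# 4. The same BitTorrent signature as an enforcement rule for a sensor running
#    inline (the IPS role guarding the center); the "drop" action is only
#    honoured when Snort runs in inline mode.
drop tcp $STUDENT_NET any -> $INNER_NET any (msg:"LOCAL P2P BitTorrent handshake blocked at inner ring"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:1000004; rev:1;)
```

Include the file from snort.conf after the distributed rule set and keep local sids at 1,000,000 and above so they never collide with vendor rules. Rules 1, 2 and 4 match on payload content and therefore depend on the stream preprocessor to track the established flow; rule 3 matches on SYN rate alone and is the piece that implements the "events that cross certain thresholds" warning described above. A passive sensor between rings can only alert, so a rule written as "drop" does enforcement only on the inline sensor.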
Results

The initial result: peer-to-peer file sharing protocols were rapidly identified, enabling Norwich to shut them down using Snort rules integrated with the Demarc solution. This produced a significant bandwidth improvement on the 32-Megabits-per-second (Mbps) pipe. Before Demarc, readings were 2 to 4 Mbps for management and administration and 28 to 30 Mbps (inbound and outbound) for the students. Two months after the Demarc solution was in place, usage had shifted dramatically: 25 Mbps for management and administration and 2 Mbps for the students. Not only were the university's networks reclaimed for growth and instructional purposes, but the administration was less concerned about liability because it had taken the steps needed to eliminate illegal online activity.

Other benefits of the Demarc solution include the ability to identify, in real time, security threats that exceed thresholds. This has produced much faster response, more time for more important projects, and resource allocations that previously could not be delivered.

Lessons Learned

Standards such as ISO 17799 help with governance, but adequate tools are still needed to turn governance into action. In this case, the tool was instrumental in making improvements that were not initially expected.

Future Outlook

In addition to the actions already implemented, the university will deliver "acceptable use" standards to all students upon their return next semester. It plans further investment in security automation tools to maintain a safe and viable learning environment for faculty and students.

Aberdeen Conclusions

This university's metrics and performance results are typical of organizations that have crossed the Rubicon into serious security management programs. Its performance results qualified it for inclusion in this report, and its security program is what produced those results and practices.
U.S. Army Monitors Networks, Tracks Performance to Execute Its Avoidance and Prevention Strategy

Organization: U.S. Army
Solution Providers:
• Intrusion, Inc.
• IBM Tivoli
Challenge: Huge infection rates and unknown software exploits occurring on one Army base
Strategy: This organization decided to document what was actually occurring and move to its stated strategic position: avoidance and prevention
Value Achieved:
• Significant reduction in the number of largely unseen software exploits
• Better isolation and safety between classified and unclassified networks
• Less time dedicated to cleanup, which has led to a refocus on more strategic issues

Challenge

The 1114th Signal Battalion, Directorate of Information Management, operates security for the U.S. Army. Despite conforming to U.S. DoD regulations that require the separation of classified from unclassified data and networks, decision-makers found that viruses, Trojans, worms, spyware, peer-to-peer software, pornography, and other undesired software were routinely showing up on computing devices that were authorized to connect to their local networks.

Strategy

The first problem identified, according to one decision-maker Aberdeen interviewed, was that they had no accurate inventory of what was connecting to which of the Army's networks at this base. Instead of continuing to clean up messes after discovery, "we vowed to find out what we did not know." That meant continually tracking the base's inventory of networks and interconnected systems, measuring and assessing performance results, and acquiring tools to support the move to an avoidance and prevention strategy.
Solutions that Delivered Results

The first task was obtaining an accurate inventory of the network and everything attached to it; the deployment team chose software from IBM Tivoli. Distinguishing classified networks from unclassified networks, the Tivoli solutions tracked everything attached to them.

Moving beyond inventory, the organization undertook the real focus of its performance improvements: quantifying the number of unknown malicious software agents running loose on its networks. Peer-to-peer, instant messaging, spyware, and assorted viruses were all classified as malicious software.

Working with 15,000 desktops on the unclassified network, 4,000 on the classified network, and only three people on staff for network security, the decision-makers were looking for a solution that was repeatable, required low effort, and could eventually be placed on autopilot. To obtain initial insight, the Army brought in solutions from its second vendor.

Results

The solutions were deployed in two phases. The first phase automated the task of identifying what the people at this base did not know: the number and kind of software exploits sailing through the network undetected. The second phase expanded the deployment, placed detection and prevention on autopilot within the base, and worked to prevent further external software breaches from making their way into the Army's networks.

Soon after the solutions were placed in service, the security staff was routinely counting more than 500,000 security events per week, spread across more than 10 types of spyware. Remediation focused on:

• Patching and plugging exploits in the infrastructure;
• Hardening parts of the infrastructure; and
• Delivering training, awareness, and responsibility training for Army staff.

Security issues and events decreased dramatically. Running at 500,000 a week initially, the number of exploits first declined to 300,000 and then to 50,000. The number is now down to a manageable level, largely because of the automated capabilities for identifying, containing, and preventing spyware, software exploits, and unwanted network protocols and services.

Lessons Learned

The decision to deploy solutions from IBM Tivoli and the second vendor proved the need to at least inventory the network block continuously.
The deployment group also learned that to be effective it needed a solution that could automate the identification and isolation process and then take action without human intervention. In addition, the experience of this site confirmed the significance of the "human factor": in short, the biggest security problems stemmed from Army personnel who, not knowing any better, routinely brought software exploits back into the network through basic web browsing. The combination of automated security tools and user awareness training is making a significant difference at this Army site.

Future Outlook

The outlook at this base seems assured: pests and worse are being identified and crushed. The outlook beyond this base is less certain, because the Army has not yet standardized its procedures, tools, and practices for network and infrastructure security.