Securing Enterprise Perimeter – A starting point to secure your business

If you ask a customer “Would you be OK dealing with an enterprise that has had a security breach in the past?” the obvious answer will be NO.

That answer is what organizations should be worried about: it directly impacts their business and indirectly their brand and reputation in the market. The answer is also a strategy competitors can use to beat the competition.

This paradigm change is triggered by the increased dependency of businesses on IT systems and the ease of leveraging technology to reach a potentially large customer base. With exponential growth of customers reaching the Internet with newer devices and channels to get the services they need quickly and economically, enterprises have to be more accessible and reliable to meet these needs. One major way customers judge an organization as “reliable” is when it is a known brand in the market that allows them to access services easily and securely. When it comes to reliability, this is where Information Security or IT Security plays a major role.

With today’s dynamic security landscape and ever evolving threats, IT departments need to be ahead of hackers and at the cutting edge of technology at all times. The IT department now has to move beyond the image of a “facilitator” to become the “Protector” of the organization’s IT infrastructure. Enterprises are moving from a “Detect and Remediate” approach to a “Prevent and Analyze” approach.

For an IT Security department, security starts at the ever changing perimeter of the enterprise. This is the first line of defense and needs to be the most effective at thwarting threats before they enter the enterprise. Traditionally, the enterprise perimeter has been the firewall, as the Internet connections from the ISP terminate there and it is the ingress/egress point for enterprise traffic. Firewalls were gradually replaced by UTMs, which are now being replaced by Next Generation Firewalls. With the advent of cloud services, mobile devices, public networks and multiple ways to access information, the enterprise boundary has changed from a physical one to a logical one. However, there needs to be a starting point where we define the enterprise perimeter, and the ingress/egress point is a good place to start. So when securing the perimeter, a few things that need to be considered are:

  • Define “The Enterprise”: The first step is to define the organization. This may include the datacenter, branch offices, HQ, cloud based services and end user devices. Beyond the physical locations, list the business verticals and functions and the various business processes in the organization. Remember, only if you know what needs to be protected can you protect it.
  • Identify all the possible entry / exit points: Based on the assessment, identify all physical and logical entry/exit points where the organization’s data is generated, stored, transmitted, used and archived / deleted. The complete lifecycle of the enterprise data needs to be understood to clearly demarcate the entry/exit points, or “gateways” as they are known.
  • Analyze the traffic flowing through these points: Once the gateways are defined, the next step is to analyze the data traversing these gateways. This will require a set of tools as well as inputs from the business to give context to the data that is traversing.
  • Calculate the possible risk associated with the data traversing: Once the content and context are analyzed, associate risks with the data that is traversing. Ask questions like “Is there any threat if this data leaves the organization without authorization?” or “Can the data traversing the gateway be leveraged to create a channel for entry of malware?”
  • Secure the gateways: The next step is to implement sufficient security controls on these gateways. There are many solutions available in the market to meet the requirements, e.g. a Web Security Gateway for HTTP traffic, an Email Security Gateway for SMTP traffic, and an NGFW with AV, IPS, URL Filtering etc. for the traffic at the datacenter gateway. The important point to remember is to have visibility into the traffic traversing the gateway, through SSL Decryption (as today 50-60% of traffic is SSL) or Application Identification, which allows administrators to understand the applications being used (or misused) in the organization.
  • Enable Alerting: Once visibility is gained, the next step is to enable alerting. The alerts can go to administrators, ISOs, server owners and business owners to enable them to initiate remediation. Alerting can also be enabled on end user interfaces to remind users that their actions are being monitored.
  • Action Plan for security alerts: Prepare and keep handy the remediation plan / SOP that needs to be triggered when an alert is received by the respective individuals. The action plans should have a clearly defined RACI matrix with timelines for any action to be initiated.
  • Forensic Analysis: Once the incident is controlled have a detailed forensic analysis done on the incident. This will enable the security team to identify the possible vulnerability in the infrastructure and take corrective actions to prevent future occurrences of similar nature.
  • Ongoing Monitoring and Control: Continuous monitoring of the systems, acknowledgement of alerts, corrective actions and the implementation of prevention strategies should all be part of IT security operations.
  • User Training: Most importantly, educate the end users in an ongoing cycle to enable them to act as combatants against hackers, fortifying the perceived weakest link in the entire security chain.
  • Management Reporting: This is probably the bit that allows the business to acknowledge the IT Security team’s efforts to keep the business running and avert possible losses due to breaches. Most organizations miss this bit, which causes the business to debate the budgets allocated to IT security.
 

Everyone knows that there is no 100% security. However, there needs to be a place where we begin to get as close to it as possible. The enterprise perimeter is definitely the best place to start, because remember: only if you know what needs to be protected can you protect it.