Manage Security Where the Data Resides

NERD ALERT:  This particular blog is a technical discussion rather than executive roadmapping.  That said, I still look forward to any comments from the Pointy Haired Bosses.

As I've ranted... er... discussed in my previous blogs;  we, as an industry, have spent the past two decades building logical security controls at the perimeter where our corporate network interfaces with either the Internet or Business Parner networks.

This model, although supported and backed by our friends in Risk/Compliance/Audit, assumes that everything inside those pearly gates is protected. 

This is a risk statement that you cannot accept. 

  With today's move to virtualization, convergence of Data Center and Cloud Services, and a greater ability for Business Units to outsource/offshore development and hosting of critical applications, the line between Inside and Outside of your perimeter is vanishing.

(Read:  2013: The year to forget everything you know about Perimeter Security!  )

Additional threats facing us daily include un-patched and legacy systems, zero-day malware attacks, advanced persistent threats, malicious insider breaches, as well as administrator human error.

According to the 2012 Verizon Data Breach Investigations Report , and contrary to popular belief, 94% of all data compromised involved servers.

Moving forward, we must assunme that our internal network has already been compromised, or at minimum is quite vulnerable, and that to protect the corporate data assets, we must move our security controls as close as we can to that data.

  

This not as onerous a task as it sounds.  There are many good vendors in this space already, and the field has matured significatly over the past five years.  All commercial solutions are centrally managed, come with a library of out-of-the-box templates, integrate seamlessly with your logging/reporting systems and provide for flexible workflow.

 Before we discuss the players and what they bring to the table, lets talk about what we need to do, and how it can be achieved.

1. Prevent Unauthorized Access to critical assets.
2. Prevent Unauthorized  Changes to critical assets even for those with legitimate access.
3. Protect against Zero-Day Malware attacks.

To achieve this you need to have something that manages local security policies across all servers that can provide:

• File Integrity Monitoring
• Process Monitoring
• System Registry Monitoring
• Local Firewall
• Intrusion Detection
• Intrusion Prevention
• Comprehensive Logging
• Security Policy Management

Note: This discussion is completely agnostic to whether a server is physical or virtual. The requirements are identical.

To start, create specific server "roles".  A server role, defines it's function or purpose within your network. A role does not have to be OS specific - Windows/UNIX/Linux all provide for every role in the stack.

 Any particular server could be an Authentication Server such as an Active Directory Domain Controller.  It could be an Infrastructure Server, such as mail, ftp, or DNS.  It could be a Database or File Server.  It could be An Application or Web Server.  

Typically, you will find that any one server may host several roles.  In any case,  you will want to create and apply a consistent Policy Template that will define the protection model for each role. In the template, you would identify resources to protect, such as directories, files, registry keys that are used to configure, maintain, and operate that application. (All commercial products in this space provide hundreds of such templates "out-of-the-box")

Once you have identified the roles, you will want to group your server assets into units, possibly by Line of Business (My line of business depends on these servers), or by Application (this application uses these web servers, these app servers, and this database server), or both.  This way, you can create policies establishing the allowed channels of communication.
 (App1 webservers can only talk to App1 application servers on tcp ports 80 and 443, and App1 application servers can only talk to App1 database servers on tcp port 1433)

Any attempt at communication outside of these rules would be prevented/denied, and result in alerts sent to the appropriate security focal through any of a number of channels (email, snmp, SMS...). 
By putting the security policies locally on the servers, close to the data, you significatly reduce the potential for data exfiltration.  That said, this is not a Data Loss Prevention solution unto it's own, as it is not aware of the context of the data it is protecting, but can provide valuable feeds into your DLP infrastructure.

Of course this would not be complete without talking about the basics of creating a hardened server in the first place.  

• Patch, patch, and patch....
• Disable/remove/rename default administrator accounts - at the OS, Application, and Database layer
• Turn off / Disable / Uninstall all services not required for the role of the server
• Place your Application Server / Database Server files on a separate volume from your OS
• Where possible, enable logging for everything
• Consult your vendor for additional recommendations per server role.

Examples of like Server Roles:  (Apologies if I left out your personal favorite!)

Authentication and Directory Services Servers:  

• Active Directory Domain Controllers  / LDAP Servers
• Radius Servers / Reverse Proxy
• NIS/Yellow Pages servers / RACF/ACF2
• Domino Name and Address Book
• VPN / Access Gateways (Citrix) / RSA 2 factor

Infrastructure Services:

• DNS / DHCP / NTP
• Mail Services SMTP, POP/IMAP, Exchange Server, Domino
• FTP / SFTP / ESB

File and Database Servers:

• Microsoft SQL / Oracle / DB2 / Sybase
• MySQL / PostgreSQL / NoSQL
• CIFS / SBM / Samba

Application Servers:

• CRM / ERM / SCM
• Oracle / WebSphere / JBoss / Tomcat / .Net / Weblogic

Web Servers:

• Microsoft IIS / Apache / Zeus

 So?  Who are the players in this field? 

Symantec Critical System Protection   - To date, Symantec CSP provides the widest coverage for server roles across the most Operating Systems - Both Physical and Virtual.  Their System Protection Console cleanly integrates their Security and Malware product suites into a single pane of glass.

TripWire Enterprise File Integrity Monitor - TripWire has been the industry leader in this space for over a decade, and is perfect for small to medium enterprises.
McAfee File Integrity Monitor - McAfee provides a suite of tools that are well integrated for protecting Windows Based Servers and Databases..
IBM Tivoli Virtual Server Protection - VMware ESX protection suite.

SafeNet Data Protection Suite
NewNetTechnologies NNT
Splunk Change Monitor

Cimtrak File Integrity Monitoring

nCircle File Integrity Monitoring 

Further Reading:

http://www.infosecurity-magazine.com/view/30067/51-of-uk-networks-compromised-by-byod
http://www.novell.com/docrep/2010/03/Log_Event_Mgmt_WP_DrAntonChuvakin_March2010_Single_en.pdf
http://www.acunetix.com/websitesecurity/webserver-security/
http://www.symantec.com/page.jsp?id=protection-center
http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/09/25/protect-objects-from-accidential-deletion-in-windows-server-2008.aspx
http://eval.veritas.com/mktginfo/enterprise/white_papers/ent-whitepaper_protecting_active_directory.pdf

http://technet.microsoft.com/en-ca/magazine/2006.05.smarttips.aspx

http://msdn.microsoft.com/en-us/library/ff648657.aspx  

 http://www.sans.org/reading_room/analysts_program/mcafee-server-protection-june-2010.pdf
http://www.newnettechnologies.com/tripwire-alternative.html?gclid=CO3A8cn1uLUCFShgMgodLloAtw

3rd party List of System Integrity Tools:
https://mosaicsecurity.com/categories/83-system-integrity-tools?direction=desc&sort=products.name