Defense in Depth Benefits
Times have certainly changed. Long gone are the days when information security consisted mainly of making sure that everyone had a hard-to-guess password and appropriate access to sensitive data. No more is your greatest security concern from internal threats (a.k.a. disgruntled employees), and it's probably been a long time since you were able to clearly define the perimeter of your network.
IT managers and CIOs have trouble sleeping at night, wondering whether their companies' networks are safe and how much a breach might cost the company, and they have every reason to be nervous. By now, there are over 30,000 hacking-oriented web sites on the Internet, many of which provide easy-to-use tools that people with limited technical skills and even fewer ethical values can use to wreak all kinds of havoc. They can do everything from defacing web sites and making them unavailable to stealing credit card information. And the costs to the infiltrated companies can be enormous. The CodeRed worm alone is believed to have caused at least $2½ billion in damages.
It's not just IT professionals who worry about security anymore, either. Security vulnerabilities and breaches have become so commonplace lately, and so many non-business computer users are becoming vulnerable to them, that even general newspapers, magazines and TV news programs report on new viruses and threats with alarming regularity.
I. Defense-in-Depth Solution
What would really be nice is a simple solution to this growing problem, but the only truly uncomplicated answer would be to disconnect from the Internet, turn all of your computers off, lock the doors and go home. It's not very useful, but it's certainly secure. Otherwise, your security solution needs to have the same breadth as the security problems themselves, and that breadth has become very significant indeed!
Such an approach is often referred to as "defense-in-depth" since it involves creating multiple layers of protection around your computers and valuable data. The reason that such an exhaustive approach is required is that there are new and innovative types of security threats, and what's worse is that some of them use multiple methods and techniques to propagate themselves. Symantec calls these "blended threats," and a good example is the recent Nimda worm. Nimda tries many ways to propagate itself: through vulnerabilities in IIS web servers, through infected attachments to e-mail, through default Windows disk shares, and through previously infected machines (see the diagram below).
Then, like any other worm, a machine once infected will begin using all of the attack methods to find more machines to infect.
There simply is no one-size-fits-all approach that can save you from such a versatile attack. Protection from blended threats like Nimda requires, at the very least, security tools in the following areas: Vulnerability Management, Antivirus and Content Filtering, Firewalls and VPNs, Intrusion Detection, and Disk Imaging.
II. Vulnerability Management
There are two types of Vulnerability Management (VM) approaches. One is a host-based approach, which is like a night watchman who roams each of your buildings periodically and makes sure that everyone locked their doors, shut their windows, etc., since all of the locks in the world do you no good if they aren't used or if another entry point is available. The other is a network-based approach, which is like hiring an ex-cat burglar to see if he can break into anything from the outside. These kinds of tools can warn you about weaknesses in your system configurations that leave you vulnerable to attacks.
Products like Symantec Enterprise Security Manager (ESM) and Symantec NetRecon provide host-based (night watchman or "inside-out") and network-based (ex-cat burglar or "outside-in") approaches to VM respectively. Their job is to help you avoid being successfully attacked in the first place by pointing out security holes that you can fill. For example, they point out missing patches, unnecessary services, weak password settings, insecure disk shares and much more; fixing these helps to thwart threats. Clients who used Symantec's VM products and followed the recommendations blocked Nimda from coming through their web servers and anonymous Windows shares.
It is important to check such settings regularly, for three reasons: OSes and applications tend to ship with most, if not all, of their security features disabled (so constant monitoring is required to keep on top of new systems and applications); users often find security features frustrating and turn them off (so systems must be kept honest over time); and vendors periodically provide updates and patches to resolve discovered security problems (so systems must be kept up to date).
III. Anti-virus and Content Filtering
Despite your best efforts at hardening systems by plugging security holes, a good security solution must also provide protection from files that come into the network via e-mail, Internet downloads, floppy disks, etc. Anti-virus software is invaluable when it automatically checks for newly discovered threats, periodically scans systems for those threats, and also watches in real time while new files are downloaded from the Internet or detached from e-mail messages, to make sure nothing unsafe gets through. Symantec AntiVirus products can protect not only your workstations and servers, but also your firewalls and important applications like web and e-mail servers, so that you can stop many problems where they enter your enterprise before they have a chance to spread to the rest of it.
IV. Firewalls and VPNs
Firewalls protect your network by controlling who has access to and from it. If your firewall is a layer-7, full-inspection firewall like Symantec Enterprise Firewall, it can also control what can be sent to and from your network, since such firewalls track not only the source and destination of communications but also the content of the data packets sent and received. VPNs keep your mobile employees safely connected to your network by providing a secure channel through which they can communicate with the network from outside of the firewall.
V. Intrusion Detection
Unfortunately, no matter how hard you try to avoid problems with preventive measures like those described above, someone still might find their way into someplace they shouldn't be (whether it's a hacker coming in from the Internet or an employee accessing something they shouldn't), so you always have to be watching for suspicious activity.
Intrusion Detection solutions come in the same two flavors as Vulnerability Management: host-based and network-based. Returning to the night watchman metaphor, these products act as motion sensors that alert security, and both play important roles in detecting security breaches. Network-based solutions like Symantec NetProwler watch the network for suspicious traffic, and host-based solutions like Symantec Intruder Alert watch for suspicious activity on systems, such as unauthorized logins and unauthorized access to files, registry keys, etc. These products report suspicious activity for further investigation.
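As an added illustration of the network-based detection described above (not code from the article or from any Symantec product), the script below scans constructed IIS-style log lines for the directory-traversal class of web-server probe that the Nimda section mentions. The log format, the sample lines and the encoded traversal sequences are assumptions made for the example; a 2xx response to such a request is the detail a practitioner wants, because it separates an attempt from a host that actually honoured it.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS-style log lines (date time c-ip cs-method cs-uri sc-status), not from the article.
# The encoded '..' sequences illustrate the traversal class of IIS flaw; they are sample input only.
SAMPLE_LOG = """\
2001-09-18 10:01:02 192.0.2.10 GET /index.html 200
2001-09-18 10:01:03 198.51.100.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 404
2001-09-18 10:01:04 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200
2001-09-18 10:01:05 192.0.2.11 GET /images/logo.gif 200
2001-09-18 10:01:06 203.0.113.9 GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+dir 200
"""

# '..' followed by a separator, or by a non-ASCII byte (an overlong UTF-8 encoding of a separator).
DOTDOT_STEP = re.compile(rb"\.\.(?:/|\\|[\x80-\xff])")
# The request reaches for an OS binary rather than web content.
OS_TARGET = re.compile(rb"(?i)(?:system32|\.exe\b)")


def normalize(uri: str, passes: int = 2) -> bytes:
    """Percent-decode up to `passes` times so double-encoded forms (%255c -> %5c -> backslash)
    are seen, and keep raw bytes so invalid UTF-8 is preserved rather than replaced."""
    data = uri.encode("utf-8")
    for _ in range(passes):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def is_traversal_probe(uri: str) -> bool:
    """True when the decoded request walks out of the web root toward an executable."""
    path = normalize(uri)
    return bool(DOTDOT_STEP.search(path) and OS_TARGET.search(path))


def scan_log(text: str) -> list:
    """Return (client_ip, uri, outcome) per probe; 'executed' means the server answered 2xx,
    which points at an unpatched host rather than a mere attempt."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed or header lines
        client_ip, uri, status = fields[2], fields[4], fields[5]
        if is_traversal_probe(uri):
            outcome = "executed" if status.startswith("2") else "blocked"
            hits.append((client_ip, uri, outcome))
    return hits
```

Feeding real IIS logs through `scan_log` gives the follow-up list the text calls for: blocked probes identify scanning hosts, and executed ones identify servers that still need the vulnerability-management fixes from section II.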
VI. Disk Imaging
Even after you have exercised appropriate due care in implementing security safeguards, some extremely determined or imaginative hackers or tools may work their way around your defenses and into some of your systems. Sometimes it's hard to be certain of the extent of the compromise, and it's simply easier to start from scratch. Symantec Ghost Corporate Edition can help you do just that by completely replacing your computer's data and returning it to a previous and trusted state.
VII. The Solution? All of the Above!
There is no single solution for the information security problems we face today. A combination of many different kinds of security tools is required to protect yourself from modern threats like Nimda and CodeRed. Symantec is uniquely positioned to help you in your security endeavors, since we are the only company that provides products in all of the different areas you will need in order to implement a broad set of security solutions for your enterprise.