NED Cybersecurity Report Part 2: Defending Your Digital Castle

Feb. 9, 2016
This exclusive series examines what you should know about cyber security in 2016, from the threats to defenses. This chapter offers a powerful strategy to fortify your network defenses.

As the unofficial cyber world police, Cisco, the market leader in security, has developed a defense grid to shut down illegal cybercrime actives, such as the ransomware that makes you pay to unlock your computer.

In October 2015, the Talos Security Intelligence and Research Group, which is like Cisco’s NSA, shut down the Angler Exploit Kit, a virulent operation that was making $30 million a year, because 3% of the infected paid the $300 “inoculation.”

Busts like this barely dent the lucrative profit margin of the Internet of Thieves, whose motivations remain as murky as its members’ identities, and whose profits may reach $1 trillion, as described in Part 1 of this series. A company or entity can be attacked for financial gain, corporate sabotage, cyberterrorism, or even hacktivism.

These shrouded threats have led to festering fear. Less than half of the organizations Cisco surveyed for its 2016 Annual Security Report feel confident about their defenses. The report also found that 92% of Internet devices run known vulnerabilities. With a projected 50 billion Internet-connected devices by 2020, that means several hundred million endpoints could be at risk to hackers.

As smart as hackers are, their methods are predictable, says Andrew Peters, a senior manager for product marketing for Cisco.

“Hackers break through the barrier, remain undetected and find the treasure trail to the goods, to steal or destroy info, to manipulate, monitor, or ransomware a system,” he says. “Whatever the evil deed, they pivot, attack, and move from device to device, or endpoint to endpoint, until getting to the good they want.”

Cisco’s security software acts as the shield to block these paths and guard your crown jewels. By calling cyber criminals “evil” and referring to hackers as “miscreants” in security reports, you get the feeling Cisco’s security group fancies themselves as your IoT network’s sworn protectors, its Interknights if you will.

Instead of catapults and cauldrons of hot oil to stop the barbarians at the gate, they employ the Cyber Threat Defense Solution. It starts with a policy management platform called Identity Services Engine, or ISE. The newest version is 2.0.

“ISE was formed to create a contextual identity to access the network,” says Peters, who started working on the security software in 2000. “It moved far beyond the initial concept as a means to control contractor access. ISE identifies what a device is, where and when it is and what user is associated with it.”

ISE takes the contextual data and assigns a role-based access control policy, like different wristbands at a dance club. Some devices are VIP, and some are stuck in the lobby.

And what if a device appears suspicious?

“We treat them as guilty until proven innocent,” Peters says. Depending on the policy configuration, the device is either allowed in, kicked off, or quarantined. If a once legitimate host becomes compromised and starts acting maliciously, ISE demotes its access level to mitigate a potential breach.

Cisco’s strategy also leverages TrustSec, which is built into more than 40 Cisco product families. This technology segments a network by a user’s contextual identity, such as device type, location, time, and policy compliance, and also the assets the user is entitled to access versus more complicated means of creating virtual LANs (VLAN) and access control lists (ACLs), Harrell explains.

This would allow a certified company laptop to access an ordering system, while a BYOD (Bring Your Own Device) could only get access to BYOD-authorized services, even if they both used the same wired port or wireless access.

Another component, Stealthwatch, comes from Cisco’s $452.5 million acquisition, Lancope. This analytical tool creates a behavior profile for devices, such as a thermostat or laptop. ISE can supplement this surveillance with the contextual identity of the device.

If a thermostat does something out of the ordinary, like trying to connect to the server with payroll info, that means it was probably corrupted by malware. SteathWatch tells ISE to change its policy, which is like ripping off that wristband. TrustSec comes in to contain the suspicious device until it’s repaired or removed.

“From a manufacturing perspective, you’re using the network as a sensor, and then enforcer,” Peters explains.

This stops lateral movement and blocks the malware from that treasure trail. TrustSec doesn’t impede the productivity of your business, though.

“That’s key because you don’t want to screw up the benefits you sought for IP-to-IP connectivity,” Harrell adds.

In other words, you don't want your castle so impenetrable that normal commerce can't be conducted within its walls. And in other, more Middle-Earthian terms that only your IT department may understand, you don't want to be like Helm's Deep; shoot for Minas Tirith.

Beef up Your Defense

Beachbody LLC, famous for fitness regiments including P90X and 21 Day Fix, has grown as rapidly as its customers have slimmed down. More people in the company means more devices seeking network connections.

Beachbody needed a scalable security solution to control network access in the short term and to possibly be integrated into the call centers later. The company’s solution included a virtual version of ISE, which can posture up to 5,000 devices. Some configurations can go up to 10,000.

“What was interesting about ISE is that it gave a single point of port authentication, and a little bit more,” says William Dugger, Beachbody’s senior network engineer. “It’s very firewall-like from a policy perspective, so it’s easy to understand and deploy.”

That was important for Dugger and his lean IT team.

“I needed to be able to support it with the limited staffing resources that I had,” Dugger explains. “You save on the back end with the number of people you need to support it.”

One immediate advantage was segmenting by an operating system as opposed to IP address. The company computers don’t use Windows 10, so Dugger’s team wrote a one-line configuration policy to block any device with Windows 10 from the network.

Currently, Dugger is building a BYOD policy for workers who may be working off three devices at the same time, such as a laptop, tablet, and PC. With ISE, he says, this will be fast and easy.

“You need the flexibility to have them connect and determine what they’re trying to do, based on the user input, without having to open up a ticket.”
ISE will display its full capabilities when integrated into Beachbody’s call centers.

“The customers are trusting us to protect their information, to protect their credit cards. It’s protecting that relationship and our name that keeps customers coming back and lets them know they can trust us. A credit card breach or security breach could be devastating for our business, or anybody’s business.”

Big-time breaches (which we cover in Part 3), such as Target’s and Home Depot’s, get big-time attention, but these attacks are happening more often than you think.

Harrell says breached companies with 200 to 300 employees aren’t obligated to report breaches. He says the result is even worse than the bad press or lack of consumer confidence.

“Many times it is a catastrophic event for the company,” he says. “They can be put out of business. Those do not get widely reported or tracked. We know from engagement this is happening just as much as with the big guys.”

Keep reading our special series on cyber security with Part 3: Once More Unto The Breach.