A secure configuration can be designed to include many different features. In this video, you’ll learn about isolation, containment, segmentation, and SOAR.
Our latest generation of firewalls can allow or deny specific applications as they traverse the network. This means the firewall might allow access to a Microsoft SQL Server application but deny access to a web-based application. But, of course, if we’re on our mobile phone or our tablet and we are not in our office, then that firewall is not going to be able to help us very much.
So we need to have rules on the mobile device itself that can allow or disallow access. And we can provide those types of policies through a Mobile Device Manager, or MDM. The MDM allows the IT security administrator to set policies on all of these mobile devices, so no matter where you take your mobile phone or your tablet, those policies still apply and the device is still protected from malicious software.
Another useful security function is DLP, or data loss prevention. The DLP’s role is to identify and block the transfer of sensitive data such as PII, or personally identifiable information. This means that someone trying to transfer personal records, social security numbers, credit card numbers, or anything else that sensitive could be blocked by the DLP.
A lot of what we do in our browser is visiting other websites. And those websites, of course, have a URL, or uniform resource locator. That URL can be used as a security control. If someone tries to visit a known malicious site, the URL filter can block access to that particular location. And if someone’s trying to access a known good location, the URL filter would still allow access to those sites.
Many of these URL filters can also be integrated with third party blocklists. These are blocklists that are updated constantly and can provide you with real time blocking of known malicious sites. For example, the first name on this particular blocklist is amazon.co.UK, which sounds fine, except it’s actually amazon.co.UK.security-check.ga. This is clearly a URL that’s trying to disguise what it’s doing: the real brand name is only the leading part of a hostname whose registered domain is security-check.ga. And you can see in the blocklist that it has been categorized as a phishing site.
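To make the blocklist lookup concrete, here is an added example (not code from the video or from any particular URL filter product) of how a filter might parse a simple hosts-style blocklist feed and check a URL against it. The feed contents, the category column, and the second entry are constructed for the example. The important design point is that matching walks up the hostname’s parent domains rather than doing a substring search, so the look-alike entry from the blocklist is caught while the real amazon.co.uk is still allowed.

```python
from urllib.parse import urlsplit

# Constructed blocklist feed in a "domain category" format (assumption: one
# entry per line, '#' starts a comment). The first entry is the look-alike
# host discussed above; the second is a made-up malware host.
BLOCKLIST_FEED = """
# domain                              category
amazon.co.uk.security-check.ga        phishing
malware-downloads.example             malware
"""


def parse_blocklist(text):
    """Parse the feed into {domain: category}, ignoring comments and blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        domain = fields[0].lower().rstrip(".")
        category = fields[1] if len(fields) > 1 else "blocked"
        entries[domain] = category
    return entries


BLOCKLIST = parse_blocklist(BLOCKLIST_FEED)


def hostname_of(url):
    """Return the lowercased hostname of a URL, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
    except ValueError:
        return None
    host = (parts.hostname or "").rstrip(".")
    return host or None


def check_url(url, blocklist=BLOCKLIST):
    """Return ('block', category) or ('allow', None) for a URL.

    The hostname is compared against the blocklist label by label from the
    full host up to the top-level domain, so 'login.amazon.co.uk.security-check.ga'
    matches the entry for 'amazon.co.uk.security-check.ga'. A substring test
    such as 'amazon.co.uk' in host would be the wrong check here: it is true
    for the phishing host as well as for the real site.
    """
    host = hostname_of(url)
    if host is None:
        # Fail closed: an unparsable URL is never silently allowed.
        return ("block", "unparsable")
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return ("block", blocklist[candidate])
    return ("allow", None)
```

Feeds from real providers use a variety of formats (plain domain lists, hosts files, category-tagged lists), so the parser above is only a stand-in for whatever format your filter consumes; the matching logic is the part to keep.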
In larger environments, we might deploy certificates to all of our trusted devices and all of our trusted services, and have the network authenticate devices with those certificates (for example, through 802.1X). If someone tries to connect to the network and they do not have a trusted certificate on that device, that device would not have any access to any network services.
The concept of isolation is one where we move a device into an area where it has limited or no access to other resources. Isolation is a key strategy, especially when you’re trying to fight malicious software, or software that’s constantly trying to communicate back to a command and control location. We also often use isolation if someone’s trying to connect to the network and does not have the correct security posture on their device.
Perhaps they’ve not updated to the latest antivirus signatures. So their device will be put on a separate remediation VLAN that gives them access only to what they need to update the signatures. And once those signatures are updated and the device passes the posture check again, it is allowed access to the rest of the network.
We can also implement process isolation. If we identify a process running on that device that seems suspicious, we can disallow any access from that process to the rest of the network. That means that the user would still be able to communicate using the normal trusted applications. And we would be able to communicate inbound to that device to provide additional support.
We can normally communicate from our local laptop to any of the other devices on our network. So the idea of providing some type of isolation is a useful security tool, especially if this device were to be infected with some type of malicious software. Now that this device is infected, we may be concerned that it could also infect other devices on the network.
With an isolation policy we can disable the connection between this laptop and the rest of the network. We might also put this device on its own isolated VLAN, which means that it would be able to communicate with other devices on the isolated VLAN, but with no one else inside of the organization. We might even configure a firewall rule that would allow the isolated VLAN access to a short list of known trusted sites on the internet. This would allow the laptop owner to download antivirus or anti-malware software from the internet in an effort to remove the malware from their machine.
One way to prevent the spread of malicious software is to prevent the software from having anywhere to go. One way you can implement this is through containment. And a popular way to do this is application containment, where every application that runs on your system is running in its own sandbox.
That means that every application is not aware of any other applications running on that device, and every application has limited access to the operating system and to other processes. This means that if you were infected with something like ransomware, the ransomware may be able to run inside that particular application’s sandbox, but it would have no direct way to jump outside of that sandbox to infect the rest of the local machine or other devices on the network. (A sandbox is a boundary, not a guarantee, so containment is usually combined with the isolation and segmentation controls described here.)
The containment might also be reactive. Once ransomware is identified on anyone’s machine, we may change the security posture across the environment: disable administrative shares on every system, disable remote management of all devices on the network, disable local account and administrator access, and change the passwords associated with our administrator accounts.
On many of our networks, we’ve created extensive security between the outside of the network, usually the internet, and the inside, or our internal network. What we have not done is put a lot of security controls on the inside of the network, which means that devices that are all on the inside of the network can communicate with each other relatively freely. This also means that an attacker coming from the outside, once they get to the inside, is able to traverse the internal network without much concern of being blocked.
Many network administrators have started to create segmented networks, where they put different devices into their own segmented and protected areas of the network. In those cases, someone coming in from the outside might gain access to one part of the internal network. But because all of these devices are on their own segmented networks, only the traffic that has been explicitly permitted can pass in or out of those protected areas, and everything else is blocked by default.
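The remediation VLAN, the isolated VLAN with its firewall exception for trusted update sites, and the segmented network all come down to the same thing: a posture decision about where a device lands, and a default-deny policy between segments. Here is an added example (not from the video, and not tied to any vendor’s NAC or firewall) that puts both into code. The VLAN ranges, the update server and jump host addresses, the TEST-NET address standing in for a trusted internet site, the three-day signature threshold, and the permitted ports are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed network layout (assumption, not from the page).
VLANS = {
    "corp":        ip_network("10.10.0.0/24"),
    "servers":     ip_network("10.20.0.0/24"),
    "remediation": ip_network("10.99.0.0/24"),
}
UPDATE_SERVER = ip_network("10.20.0.50/32")       # internal AV signature server (assumption)
ADMIN_JUMPHOST = ip_network("10.20.0.10/32")      # support host allowed inbound (assumption)
TRUSTED_INTERNET = [ip_network("203.0.113.10/32")]  # vendor download site (assumption)
MAX_SIGNATURE_AGE = timedelta(days=3)             # posture threshold (assumption)


@dataclass
class Posture:
    av_running: bool
    signature_date: date


def assign_vlan(posture, today):
    """Posture check at connect time: out-of-date or missing AV lands on remediation."""
    if not posture.av_running:
        return "remediation"
    if today - posture.signature_date > MAX_SIGNATURE_AGE:
        return "remediation"
    return "corp"


def vlan_of(addr):
    """Map an address to its segment name; anything outside our ranges is 'internet'."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "internet"


def allowed(src, dst, dport):
    """Segmentation policy for a flow src -> dst:dport. Rules are evaluated in
    order and the final answer is deny, so only listed flows cross a boundary."""
    s_ip, d_ip = ip_address(src), ip_address(dst)
    s_vlan, d_vlan = vlan_of(src), vlan_of(dst)

    # Hosts within one segment may talk to each other (quarantined hosts included).
    if s_vlan == d_vlan:
        return True
    # Quarantined hosts may only fetch updates: the internal signature server
    # or a short list of trusted internet sites, and only over HTTPS.
    if s_vlan == "remediation":
        reachable = d_ip in UPDATE_SERVER or any(d_ip in net for net in TRUSTED_INTERNET)
        return reachable and dport == 443
    # Support staff may reach a quarantined host from the jump host only.
    if d_vlan == "remediation":
        return s_ip in ADMIN_JUMPHOST and dport in (22, 3389)
    # Corp workstations reach servers on the application ports we expect.
    if s_vlan == "corp" and d_vlan == "servers":
        return dport in (443, 1433)
    # Everything else, including internet -> internal and servers -> corp, is denied.
    return False
```

The order of the rules matters: the same-segment rule comes first so that two quarantined laptops can still see each other, and the remediation rule comes before the generic corp-to-servers rule so that a quarantined host cannot reach SQL on port 1433 simply because it happens to be an internal address.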
As you can see, there are a number of different security controls you can put in place to allow or disallow access for applications and data through the network. One of the challenges for security professionals is that in order to make all of these changes, and to make them dynamically in response to an event, you need to automate the process. And a number of organizations have started to implement SOAR, which is security orchestration, automation, and response.
Using SOAR, an administrator can integrate multiple third party tools and have them all work together. This integration is built around what we call a runbook. A runbook is a bit of a cookbook that has detailed steps on how to perform a particular task.
So there might be a runbook that describes how to reset a password. And it describes connecting to the Active Directory system, locating that particular user in the list, changing the password parameters, resetting the lock that might be on the password, and then sending the user a message. That particular set of steps is something that should occur automatically and should be relatively easy to automate.
These runbooks can be combined together to create a playbook. A playbook is a much broader description of the tasks to follow should a particular event occur. For example, if you want to recover from ransomware, there needs to be a playbook written that describes all of the different steps, and the runbooks that carry them out, in the order they need to occur in order to contain and remove that ransomware.
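To show how runbooks and playbooks fit together, and how the reactive containment steps described earlier (disable admin shares, disable remote management, reset administrator passwords) become automated steps, here is an added example of a minimal SOAR-style engine. It is not code from the video or from any SOAR product. The Directory, Endpoint and Mail classes are constructed stand-ins for the Active Directory, endpoint-management and messaging tools a real SOAR platform would connect to; their method names, the user and host names, and the stop-on-first-failure behaviour are all assumptions for the example.

```python
class Directory:
    """Stand-in for the Active Directory connector (constructed, not a real API)."""
    def __init__(self):
        self.users = {"svc-admin": {"password": "old-password", "locked": True}}

    def find(self, user):
        if user not in self.users:
            raise KeyError(f"user not found: {user}")
        return self.users[user]

    def set_password(self, user, password):
        self.find(user)["password"] = password

    def unlock(self, user):
        self.find(user)["locked"] = False


class Endpoint:
    """Stand-in for an endpoint-management / EDR connector (constructed)."""
    def __init__(self):
        self.hosts = {"LAPTOP-07": {"isolated": False, "admin_shares": True, "remote_mgmt": True}}

    def isolate(self, host):
        self.hosts[host]["isolated"] = True

    def disable_admin_shares(self, host):
        self.hosts[host]["admin_shares"] = False

    def disable_remote_mgmt(self, host):
        self.hosts[host]["remote_mgmt"] = False


class Mail:
    """Stand-in for a notification connector (constructed)."""
    def __init__(self):
        self.sent = []

    def send(self, to, message):
        self.sent.append((to, message))


def make_tools():
    return {"directory": Directory(), "endpoint": Endpoint(), "mail": Mail()}


def run_runbook(name, steps, ctx, log):
    """Execute one runbook: an ordered list of (step name, callable) pairs.
    Each step's outcome is logged; the runbook stops at the first failure."""
    for step_name, step in steps:
        try:
            step(ctx)
            log.append((name, step_name, "ok"))
        except Exception as exc:
            log.append((name, step_name, f"failed: {exc}"))
            return False
    return True


def reset_password_runbook(tools):
    """The password-reset runbook from the text: locate, change, unlock, notify."""
    d, m = tools["directory"], tools["mail"]
    return [
        ("locate user", lambda c: d.find(c["user"])),
        ("set new password", lambda c: d.set_password(c["user"], c["new_password"])),
        ("unlock account", lambda c: d.unlock(c["user"])),
        ("notify user", lambda c: m.send(c["user"], "Your password has been reset")),
    ]


def contain_host_runbook(tools):
    """Reactive containment: isolate the host and close the lateral-movement paths."""
    e = tools["endpoint"]
    return [
        ("isolate from network", lambda c: e.isolate(c["host"])),
        ("disable admin shares", lambda c: e.disable_admin_shares(c["host"])),
        ("disable remote management", lambda c: e.disable_remote_mgmt(c["host"])),
    ]


def ransomware_playbook(tools):
    """A playbook is an ordered list of named runbooks for one kind of event."""
    return [
        ("contain infected host", contain_host_runbook(tools)),
        ("reset administrator password", reset_password_runbook(tools)),
    ]


def run_playbook(playbook, ctx):
    """Run runbooks in order. Later runbooks assume earlier ones succeeded, so a
    failure stops the playbook and returns the log for an analyst to review."""
    log = []
    for name, steps in playbook:
        if not run_runbook(name, steps, ctx, log):
            return False, log
    return True, log
```

The context dictionary (host, user, new password) is what an alert from a SIEM or EDR would feed into the playbook; in a real deployment the new password would come from a secrets generator rather than a literal, and the connectors would be the platform’s own integrations.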