SANS Critical Security Controls Featuring Lancope by Jody Ma Kissling

SANS has recently developed its Spring 2013 Critical Security Controls poster, listing each of the controls and the vendors that help organizations address them. Lancope is featured under four of the controls as a means of fulfilling their specific security requirements.

The SANS 20 Critical Security Controls, a set of standards established in 2008 by the National Security Agency and updated regularly by an international consortium, help government agencies and large enterprises prioritize their cyber security spending. The controls enable organizations to defend against cyber-attacks more effectively and efficiently, protect critical assets, infrastructure and information, and improve their risk posture.

Critical Security Controls

Lancope fulfills the following four critical security controls for effective cyber defense:

Control 13: Boundary Defense

Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines.

Lancope’s StealthWatch System provides several powerful features for securing the perimeter of a network. Out of the box, it supplies detection for common border problems such as network scans and denial-of-service attacks. Using anomaly detection, StealthWatch also excels at uncovering data exfiltration attempts and covert command channels.

Since the product can combine NetFlow from multiple sources, it provides context unavailable to other devices that monitor the perimeter. For instance, a small FTP transfer coming from one of the addresses in a NAT pool would not look suspicious to an IDS, which sees only the translated address. A FlowCollector receiving flow records from both sides of the NAT device, however, can pair the outside record with the inside record, recognize that the internal address behind that FTP connection belongs to a financial server, and alarm because such a server should never talk to the Internet.

In addition to behavioral anomaly detection, users can leverage host groups and host locks within StealthWatch to detect unauthorized activity based on details such as country of origin or services used. Lancope’s StealthWatch Labs research team also provides an up-to-date threat feed for detecting botnet command-and-control connections. 
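The NAT scenario above, as an added example that is not Lancope's or StealthWatch's code: flow records from the inside and outside interfaces of a NAT device are paired on the fields NAT leaves alone (protocol, destination address and port, start time, byte count), which recovers the real internal source, and the result is checked against a constructed host group policy. The records, host groups, NAT pool addresses and tolerances are all assumptions; a NAT that exports its own translation records would make the pairing exact instead of heuristic.

```python
"""Stitch flow records seen on both sides of a NAT device and recover the
true internal source of each outbound connection.

Added example, not StealthWatch code. NAT rewrites the source address and
usually the source port, so the pairing key is what NAT leaves alone:
protocol, destination address and port, start time and byte count. A NAT
device that exports its own translation records makes this exact; the
time/byte tolerance matching here is a heuristic. Records, host groups and
the NAT pool are all constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    start: float   # flow start time, seconds
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    octets: int


# Constructed host groups, keyed by name, as CIDR lists
HOST_GROUPS = {
    "Financial Servers": [ip_network("10.20.5.0/24")],
    "Workstations": [ip_network("10.30.0.0/16")],
}
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
NO_INTERNET = {"Financial Servers"}   # groups that must never talk to the Internet

# Constructed records from the collector on the inside interface of the NAT
INSIDE = [
    Flow(1000.0, "tcp", "10.20.5.7", 51234, "203.0.113.50", 21, 4200),    # small FTP transfer
    Flow(1000.5, "tcp", "10.30.1.9", 40001, "203.0.113.50", 21, 6100),    # same FTP server, other host
    Flow(1003.0, "tcp", "10.30.2.4", 40002, "198.51.100.77", 443, 90000),
    Flow(1010.0, "tcp", "10.30.2.4", 40003, "10.30.9.9", 445, 2000),      # internal only, never crosses the NAT
]
# Constructed records from the outside interface: sources are NAT pool addresses
OUTSIDE = [
    Flow(1000.1, "tcp", "192.0.2.10", 61001, "203.0.113.50", 21, 4200),
    Flow(1000.6, "tcp", "192.0.2.10", 61002, "203.0.113.50", 21, 6100),
    Flow(1003.2, "tcp", "192.0.2.11", 61003, "198.51.100.77", 443, 90000),
]


def groups_for(ip):
    a = ip_address(ip)
    return {g for g, nets in HOST_GROUPS.items() if any(a in n for n in nets)}


def is_internet(ip):
    return not any(ip_address(ip) in n for n in PRIVATE)


def stitch(inside, outside, time_tol=2.0, byte_tol=0.05):
    """Pair each outside flow with the closest-in-time inside flow that has the
    same protocol/destination and (within byte_tol) the same byte count.
    Returns (pairs, unmatched_outside); an unmatched outside flow means the
    inside collector never saw the source, which is itself worth an alarm."""
    pairs, unmatched = [], []
    free = list(inside)
    for o in outside:
        best = None
        for i in free:
            if (i.proto, i.dst, i.dport) != (o.proto, o.dst, o.dport):
                continue
            if abs(i.start - o.start) > time_tol:
                continue
            if abs(i.octets - o.octets) > byte_tol * max(o.octets, 1):
                continue
            if best is None or abs(i.start - o.start) < abs(best.start - o.start):
                best = i
        if best is None:
            unmatched.append(o)
        else:
            free.remove(best)
            pairs.append((best, o))
    return pairs, unmatched


def internet_violations(pairs):
    """Flows whose real internal source is in a group that may not reach the Internet."""
    alarms = []
    for i, o in pairs:
        bad = groups_for(i.src) & NO_INTERNET
        if bad and is_internet(o.dst):
            alarms.append(f"{i.src} [{', '.join(sorted(bad))}] -> {o.dst}:{o.dport}/{o.proto} "
                          f"seen outside as {o.src}:{o.sport}, {o.octets} bytes")
    return alarms


if __name__ == "__main__":
    matched, _unmatched = stitch(INSIDE, OUTSIDE)
    for alarm in internet_violations(matched):
        print("ALARM:", alarm)
```

Running it alarms on the 4200-byte FTP flow only: the outside record attributes it to NAT pool address 192.0.2.10, the stitched record attributes it to 10.20.5.7 in the Financial Servers group. The internal SMB flow never appears on the outside interface and is simply left unpaired.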

Control 14: Maintenance, Monitoring, and Analysis of Audit Logs

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines.

Audit logs are a valuable resource, but they have some serious limitations. First, each system must be configured to produce the network, service and user information recommended by SANS. This means either confining visibility to just a few key systems, or enforcing a network-wide logging policy. Second, if an attacker or malicious code gains privileged access to a system, it can tamper with the logs. Third, log files are noisy and come in a variety of formats. As a result, SIEM solutions tend to preserve only the most basic information in a database, and a user who needs more detail is often left digging through archived logs.

While NetFlow does not provide visibility into the internal actions on a host, StealthWatch is able to provide the recommended network audit trail for all of an organization's systems without the difficulties of universal logging. StealthWatch receives NetFlow from switches, routers, firewalls and its FlowSensors rather than from individual systems. This allows it to 1) monitor systems even if they were not configured to produce logs, 2) log the network activity of all systems in a consistent format, and 3) provide an audit trail that cannot be altered by a compromised system: the records live on the network devices and the collector, out of reach of whatever is running on the host (the attacker still controls what traffic the host sends, but not the record of it). The compact nature of NetFlow also allows for long-term storage that is still searchable.

In addition to providing an audit trail, StealthWatch maintains behavior profiles for the systems on the network. Using these profiles, it detects maintenance-related issues like server outages or new systems. It also detects anomalies in network behavior that may indicate a compromise. This coverage is not a complete replacement for good logging practices, but it does create the recommended network audit trail for all of an organization’s systems – not just the ones that meet the criteria in Control 14.

Control 18: Incident Response and Management

Protect the organization's reputation, as well as its information.

StealthWatch is a very powerful tool for incident response and management. It can spawn investigations by detecting bots, data exfiltration, covert command channels or other suspicious behaviors. If a compromise is suspected, it provides unmatched network forensic capabilities.

In most compromises, there is a window of time between when a compromise occurs and when the victim is secured. This window can be very large depending on the sophistication of the attackers and the detection capabilities that are in place. Since log files on infected hosts are not reliable, it can be very difficult to determine the scope of the compromise and completely remove the attacker’s presence from an environment. 

With StealthWatch, organizations can quickly see all of the network activity for the compromised host during this window. They can follow leads from system to system to determine the scope of the attack, and can also rank the touched systems by how much their behavior has changed from learned baselines. Without StealthWatch, IT teams could spend days poring through firewall logs, DHCP lease logs and system logs without ever finding the information that would take only minutes to extract from the StealthWatch Management Console.
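The scoping procedure just described (start at the compromised host, follow leads from system to system, rank what was touched by deviation from baseline), as an added example that is not StealthWatch code. The walk is causal: a second-hop host is only followed for flows that started after it was first contacted. The flow records, the per-host baselines (mean and standard deviation of bytes sent and distinct peers per hour, assumed to have been learned beforehand) and the scoring rule are all constructed assumptions.

```python
"""Scope an incident from flow records.

Added example, not StealthWatch code. Starting from a known-compromised host,
walk the flow records to the hosts it touched during the compromise window
(and the hosts they touched afterwards), then rank every host in that set by
how far its behaviour in the window departs from a learned baseline.
All flows and baselines below are constructed."""
from collections import deque

# Constructed flow records: (time, src, dst, dport, bytes), time in seconds
# relative to the start of the compromise window.
FLOWS = [
    (100, "10.30.1.9", "10.30.1.20", 445, 50_000),       # origin -> workstation (SMB)
    (200, "10.30.1.9", "10.20.5.7", 1433, 2_000),        # origin -> database server
    (300, "10.20.5.7", "10.30.1.9", 1433, 80_000_000),   # database answers with 80 MB
    (400, "10.30.1.20", "10.30.1.21", 445, 40_000),      # second hop: 1.20 -> 1.21
    (500, "10.30.1.9", "203.0.113.9", 443, 120_000_000), # origin -> Internet host
    (600, "10.30.1.22", "10.30.1.9", 445, 1_000),        # 1.22 -> origin (small)
    (4000, "10.30.1.9", "10.30.1.30", 445, 9_000),       # after the window: ignored
]

# Constructed baselines, assumed learned per host: (mean, std dev) of bytes
# sent and of distinct peers per hour. Hosts with no entry are unknown.
BASELINES = {
    "10.30.1.9":  {"bytes_out": (100_000, 20_000), "peers": (5, 1)},
    "10.30.1.20": {"bytes_out": (20_000, 5_000),   "peers": (1.5, 0.5)},
    "10.30.1.21": {"bytes_out": (20_000, 5_000),   "peers": (1.5, 0.5)},
    "10.30.1.22": {"bytes_out": (20_000, 5_000),   "peers": (1.5, 0.5)},
    "10.20.5.7":  {"bytes_out": (200_000, 20_000), "peers": (2, 0.5)},
}


def touched_hosts(flows, origin, t0, t1, max_hops=2):
    """Breadth-first walk from origin. A host enters the scope when it
    exchanges traffic with an in-scope host inside [t0, t1]; it is only
    followed further for flows that start after it was first contacted."""
    first_seen = {origin: t0}
    queue = deque([(origin, 0)])
    while queue:
        host, hops = queue.popleft()
        if hops >= max_hops:
            continue
        since = first_seen[host]
        for t, src, dst, _port, _octets in sorted(flows):
            if not (t0 <= t <= t1) or t < since:
                continue
            peer = dst if src == host else src if dst == host else None
            if peer is None or peer in first_seen:
                continue
            first_seen[peer] = t
            queue.append((peer, hops + 1))
    del first_seen[origin]
    return first_seen   # host -> time of first contact


def window_profile(flows, host, t0, t1):
    """What the host did inside the window: bytes it sent, distinct peers."""
    bytes_out, peers = 0, set()
    for t, src, dst, _port, octets in flows:
        if not (t0 <= t <= t1):
            continue
        if src == host:
            bytes_out += octets
            peers.add(dst)
        elif dst == host:
            peers.add(src)
    return {"bytes_out": bytes_out, "peers": len(peers)}


def deviation_score(baseline, observed):
    """Sum of positive z-scores: only growth over baseline counts as suspicious."""
    score = 0.0
    for key, (mu, sigma) in baseline.items():
        z = (observed[key] - mu) / max(sigma, 1e-9)
        score += max(z, 0.0)
    return score


def rank_scope(flows, origin, t0, t1):
    """(host, first_contact, score, profile) for every touched host, most
    deviant first; hosts with no baseline (e.g. Internet addresses) sort last."""
    ranked = []
    for host, t in touched_hosts(flows, origin, t0, t1).items():
        prof = window_profile(flows, host, t0, t1)
        base = BASELINES.get(host)
        ranked.append((host, t, deviation_score(base, prof) if base else None, prof))
    ranked.sort(key=lambda r: (r[2] is None, -(r[2] or 0), r[1]))
    return ranked


if __name__ == "__main__":
    for host, t, score, prof in rank_scope(FLOWS, "10.30.1.9", 0, 3600):
        print(f"{host:14} first contact t={t:<5} score={score} {prof}")
```

The database server 10.20.5.7 tops the list (80 MB sent in the window against a 200 KB hourly baseline), the workstation that moved laterally comes second, and the Internet host is reported but unscored because there is no baseline for it. The flow at t=4000 is outside the window and never enters the scope.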

Control 19: Secure Network Engineering

Keep poor network design from enabling attackers.

The key to preventing a compromise due to poor network engineering is network visibility. Even with well-crafted policies, operators sometimes make configuration mistakes, and end users set up machines without notifying IT. One way to look for these issues is periodic scanning, but it isn't always possible: the IPv6 address range is too large to scan, results may be difficult to reconcile with policy, and scanning from a single vantage point is not going to tell the whole story.

With StealthWatch, organizations can gain visibility into their entire network. They can see the devices on their network, which services they are using, and with which other devices they are communicating. Even better, they can enforce network policies using StealthWatch. If a policy states that all Internet-facing servers must be in the DMZ, the IT team can receive an alert when a connection from the Internet is established to any host not in that group.

Using StealthWatch for network policy enforcement has other benefits as well. Normally, preventing systems from accessing each other requires the creation of multiple network segments and the implementation of firewalls or router access control lists between them. With StealthWatch, organizations can enforce network policies even if the systems are on the same segment, because host groups and host locks are configured independently of the physical networking infrastructure. Keep in mind that this is enforcement by detection: a flow-based monitor sees the connection after it has been made and raises an alarm, so where the traffic must actually be stopped, host locks complement an ACL rather than replace it.
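The host-group and host-lock policies described above and under Control 13 (country of origin, services used, "Internet-facing servers must be in the DMZ"), as an added example that is not StealthWatch code. Host groups are CIDR sets, "Internet" is a pseudo-group meaning any non-RFC 1918 address, a lock is a rule between a client group and a server group that is deny-by-default for the services it does not list, and a group name prefixed with "!" means "not in that group". Flow records are assumed to be already oriented client to server (a collector does this by pairing the two unidirectional NetFlow records or from TCP flags). The groups, the GeoIP table, the locks and the sample flows are all constructed.

```python
"""Evaluate flow records against host groups and host locks.

Added example, not StealthWatch code. Groups are CIDR sets; a lock names a
client group and a server group and lists the services (and optionally the
client countries) allowed between them. Flows matched by at least one lock
but permitted by none raise an alarm, whichever segment the hosts are on.
Groups, GeoIP data, locks and flows are all constructed."""
from ipaddress import ip_address, ip_network

HOST_GROUPS = {
    "DMZ": [ip_network("192.168.100.0/24")],
    "Financial Servers": [ip_network("10.20.5.0/24")],
    "Workstations": [ip_network("10.30.0.0/16")],
}
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
# Constructed GeoIP lookup covering only the sample's external addresses
GEOIP = {ip_network("203.0.113.0/24"): "DE", ip_network("198.51.100.0/24"): "RU"}

# Host locks. A pair covered by no lock is unmanaged and never alarms.
LOCKS = [
    {"client": "Internet", "server": "!DMZ", "ports": set()},                  # Internet reaches nothing outside the DMZ
    {"client": "Internet", "server": "DMZ", "ports": {80, 443}},               # web from anywhere
    {"client": "Internet", "server": "DMZ", "ports": {22}, "countries": {"DE"}},  # SSH only from DE
    {"client": "Workstations", "server": "Financial Servers", "ports": {443}},  # only the HTTPS front end
]

# Constructed flows, already oriented (client, server, server port)
FLOWS = [
    ("203.0.113.5", "192.168.100.10", 443),   # Internet -> DMZ web: fine
    ("203.0.113.5", "10.30.4.4", 3389),       # Internet -> workstation RDP: alarm
    ("198.51.100.7", "192.168.100.10", 22),   # SSH to DMZ from RU: alarm
    ("203.0.113.5", "192.168.100.10", 22),    # SSH to DMZ from DE: fine
    ("10.30.1.9", "10.20.5.7", 1433),         # workstation straight to the DB port: alarm
    ("10.30.1.9", "10.20.5.7", 443),          # workstation to the HTTPS front end: fine
    ("10.30.1.9", "10.30.1.20", 445),         # workstation to workstation: no lock, unmanaged
]


def country(ip):
    a = ip_address(ip)
    return next((c for net, c in GEOIP.items() if a in net), "??")


def in_group(ip, name):
    """Membership test that understands the Internet pseudo-group and '!' negation."""
    if name.startswith("!"):
        return not in_group(ip, name[1:])
    a = ip_address(ip)
    if name == "Internet":
        return not any(a in n for n in PRIVATE)
    return any(a in n for n in HOST_GROUPS.get(name, []))


def evaluate(client, server, port):
    """None if the flow is permitted or unmanaged, otherwise the alarm text."""
    matched = [lk for lk in LOCKS
               if in_group(client, lk["client"]) and in_group(server, lk["server"])]
    if not matched:
        return None
    for lk in matched:
        if port in lk["ports"] and ("countries" not in lk or country(client) in lk["countries"]):
            return None
    lk = matched[0]
    return (f"{client} ({country(client)}) -> {server}:{port} "
            f"violates lock {lk['client']} -> {lk['server']}")


def alarms(flows):
    return [a for a in (evaluate(*f) for f in flows) if a is not None]


if __name__ == "__main__":
    for alarm in alarms(FLOWS):
        print("ALARM:", alarm)
```

Note that the lock on Workstations -> Financial Servers fires even though both hosts could sit on one flat segment with no ACL between them; the rule is evaluated on the flow record, not on the topology.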

Learn More

By combining in-depth network visibility and advanced security intelligence, Lancope helps hundreds of organizations around the world stay a step ahead of the ever-evolving threat landscape. For more information on Lancope’s StealthWatch for thwarting sophisticated attacks, check out the SANS webinar and case study featuring Comcast.