Introduction
The analysis of the After Action Reports related to the security incident at Sifers-Grayson calls for further elaboration of the defense strategies needed to improve the corporate security posture. Accordingly, it is important to provide strategic recommendations that rest on multiple layers of security policies, business processes, organizational standards, and technological specifications. Building on the results of the forensic investigation, two defense strategies, one focused on the layered approach and the other on the in-depth approach, were chosen as a combined, security-driven mechanism.
The first defense strategy relates to the need to build a demilitarized zone (DMZ) for the R&D Center, which will host servers accessed by engineers through teleworking. Implementing this strategy will require a business-class router, firewalls, and detection and prevention systems consolidated by specific attack type. The second defense strategy is broader and will be implemented at the enterprise-wide level to ensure robust protection from both external and internal attackers. It includes the need to implement measures that control access to software source code and related technical documentation, identity management tools, and a dedicated tool for Security Information and Event Management or Unified Threat Management. Based on these assumptions, a set of products that could be used for security optimization is analyzed in depth, following recommendations that fit the organizational needs of Sifers-Grayson.
Security Strategies
The two defense strategies chosen for the Sifers-Grayson case are based on the layered and in-depth approaches. The difference between them is best explained by the level of detail and the overall design philosophy. The logic behind layered security is that any single defense mechanism has its flaws, so a series of defenses is required to create an integrated and comprehensive solution for network protection. A common example of layered security is a network protected by an application suite that includes antivirus software, a firewall, and anti-spam software, supplemented by appropriate parental and privacy controls (Perrin, 2008). In commercial terms, this means that vendors often find themselves in a conflicting situation, where vertically integrated stacks of network solutions or applications must be provided to ensure complete protection. Meanwhile, the layered security strategy should not be confused with multiple implementations of the same security tool, such as having two antivirus products or three firewalls installed on the same system. Such efforts are commonly characterized as redundancy and therefore do not represent layering, in which each security control is aimed at protecting the network from a different cyberattack vector.
Unlike layered security, the defense-in-depth strategy stems from the philosophy that there is no real possibility of complete protection against threats, even if the most advanced collection of protective mechanisms is implemented. Rather, it postulates that layered security hinders the progress of a threat until additional resources, which could be either technological or non-technological, can be brought to bear (Perrin, 2008). Furthermore, the in-depth strategy holds that, at the corporate level, it is important to step away from a singular focus on the categories of attacks that target desktop systems or home computing environments. Instead, the strategy stresses the importance of emergency response activities, disaster recovery approaches, criminal activity reporting, and forensic analysis (Perrin, 2008). Rapid notification and response are critical when designing in-depth security strategies, since security analysts need sufficient time to analyze, mitigate, and prevent network damage. However, both strategies share many common risk-reduction approaches and should be considered complementary rather than contradictory.
Based on the above comparison, it is reasonable to conclude that the strategy of building the DMZ for the R&D Center relates primarily to the layered security approach, while the strategy of implementing Enterprise-wide Protective and Detective Measures relates to defense in depth. The first choice is explained by the fact that the R&D Center is a satellite facility with a mix of hardware and software solutions supported by junior engineers, as reported in the previous penetration test report. Layered security will therefore decrease the risk of personal data acquisition and of unauthorized access to the corporate headquarters, both of which the Red Team carried out successfully. Meanwhile, the subsequent attacks on the mail server and corporate accounts attempted by the Red Team require an in-depth strategy to avoid non-technical issues, such as leaving workplace notes in a public area. Nevertheless, both approaches are mutually integrated and require sufficient attention prior to the deployment stage.
Product Evaluations
Solutions for the First Strategy
For the first defense strategy, building the DMZ for the R&D Center, the following product evaluations have been performed. The first category is a business-class router with WAP and VPN capability that will address the needs of remote facility services and the use of personal computers with incompatible operating systems. For these purposes it is recommended to use the NCS 500 Series router models produced by Cisco, for instance the NCS 540 Fronthaul Router (Cisco, n. d.). Given the emerging capabilities of the R&D Center, the router will be advantageous in terms of its timing capabilities, ultra-low latency, high capacity, and support for the newest technologies such as CPRI and Radio over Ethernet (RoE) (Cisco, n. d.). Since the routers are available in both fixed and modular form factors, they can be used for 5G connectivity, Remote PHY, Carrier Ethernet, and FTTx deployments to maintain efficient productivity and information accessibility (Cisco, n. d.). The choice is supported by the view of the R&D Center as a facility that provides innovative solutions for Sifers-Grayson but is not yet integrated with the main facility.
For the business-class network firewall, the recommendation is to use SonicWall products as a cost-effective option. Since the company seeks to provide real-time breach detection and protection by leveraging a single point of access for secure connections, the combined use of cloud and on-premise environments remains a feasible solution. SonicWall meets these objectives as a firewall that guarantees secured connectivity and prevents malware distribution across a multi-cloud network, blocks intrusion attempts, and prevents malicious execution of operating system commands (SonicWall, n. d.). Furthermore, SonicWall offers scalability options, which is useful for optimizing firewall protection for R&D Center systems that run on various hardware platforms while still adhering to the layered security design specifications.
Finally, for intrusion prevention and detection purposes, it is proposed to use McAfee as a non-cloud-based platform. McAfee currently offers several solutions, including its award-winning antivirus, tools for performance optimization, a licensed virtual private network (VPN) security solution, a password manager, and an encrypted storage solution (McAfee, n. d.). Depending on the number of devices to be protected, Sifers-Grayson may select pricing packages with one- or two-year subscriptions. For employees working from home, additional options for protecting devices operating on the local network are also available. Finally, a McAfee subscription provides additional protection features such as monitoring of personal identity data through dark web monitoring, protection when connecting to insecure public Wi-Fi hotspots, and virus removal services.
Solutions for the Second Strategy
For the second defense strategy, the implementation of enterprise-wide protection, detection, and prevention capabilities, the following tools and applications were chosen to be installed on Sifers-Grayson servers. The prerequisite considered for the strategy is that cloud hosting is not allowed. The application lifecycle management tool recommended for the strategy implementation is Azure DevOps Server, formerly known as Team Foundation Server. The tool is based on a multi-tier, scalable architecture and is built on Windows Communication Foundation services (Microsoft, 2020a). For Sifers-Grayson's defense strategy, the obvious advantage of the tool is that it is written using a service-oriented model, which can communicate with virtually any tool that can call a web service, and it can be extended to subscribe to system alerts (Microsoft, 2020a). Hence, the tool will also be useful for integrating the data protection strategy with the activities of remote facilities such as the R&D Center, protecting the main facility from malicious intrusions.
Following the idea of using Microsoft products, it is recommended to use Microsoft Azure Active Directory as the identity and access management (IAM) solution. The suggestion is also supported by the fact that Sifers-Grayson's headquarters has recently moved to the complete use of the Windows 10 operating system, which will provide better internal security. Furthermore, Active Directory in Microsoft Azure is based on common infrastructure management principles, which means that system administrators familiar with on-premise Active Directory will not experience a difficult transition to the new IAM tool (Microsoft, 2020b). Finally, the scalability options available for managing users and groups will be useful for adjusting access rights and controlling the data exchange process to ensure that the right users have appropriate rights to access internal data.
For Security Information and Event Management (SIEM), it is worth considering the range of solutions offered by Solarwinds. It is recommended to prioritize SIEM over unified threat management (UTM) solutions, since a SIEM "aggregates and manages log data from other devices", which may well include UTM devices that handle the original data (Solarwinds, n. d.). Furthermore, the vendor remarks that UTM solutions provide capabilities similar to those offered by SIEM while potentially introducing a single point of failure for the whole network (Solarwinds, n. d.). Meanwhile, depending on the available budget, Sifers-Grayson should choose between perpetual and subscription licensing, since the cost of Solarwinds services starts at more than $2,000, which is much higher than the cost of the previously discussed tools.
Finally, for the forensic image capture utility, it is recommended to use Sift as a cost-effective solution. Sift offers several products in the digital trust and safety, payment protection, content integrity, and account defense domains (Sift, n. d.). The latest release includes options for creating an ecosystem of fraud-mitigating tools, dynamic insights through the use of big data, text clustering, and workflow enhancements, as well as intuitive tool management (Sift, n. d.). Furthermore, the Sift website also provides educational materials on vendor evaluation, fraud prevention during economic unrest, fraud reporting strategies, and recent observations on digital trust and safety, which could be helpful for network administrators. Meanwhile, Sifers-Grayson should consider that Sift's solutions are diverse and should therefore carefully plan the budget allocated for incident response and network improvement, since some of the solutions the company offers might be irrelevant to the business.
Summary
To summarize, both strategies defined for Sifers-Grayson could be successfully implemented using available market products within a reasonable budget. For the DMZ strategy in the R&D Center, the most applicable approach is layered security, which can be implemented by installing suites, applications, and tools that are not expensive. Nevertheless, these will provide sufficient multi-tier protection for all devices operating on different hardware and software platforms, effectively replicating the capability of smaller networks. However, for the second strategy, which presupposes enterprise-wide protection, it is important to ensure the use of larger security suites that integrate contemporary functional requirements for data protection and fraud prevention. Hence, it is highly recommended to consider two main aspects prior to the proposed deployment. First, budget constraints must be estimated before choosing the components of the suites recommended for the second strategy, as it is the most expensive one. Second, it is proposed to ensure that Sifers-Grayson is prepared for the security strategy implementation, meaning that appropriate training efforts are introduced. Finally, vendors should be consulted regarding the implementation of the solutions to ensure that the network security transition is completed with minimum risk.
References
Cisco. (n. d.). Cisco network convergence system 500 series routers.
McAfee. (n. d.). McAfee total protection.
Microsoft. (2020a). Azure DevOps Server 2019 update 1 release notes.
Microsoft. (2020b). What is Azure Active Directory?
Perrin, C. (2008). Understanding layered security and defense in depth. TechRepublic.
Sift. (n. d.). Fall 2020 release: Transformative power.
Solarwinds. (n. d.). SIEM tools.
SonicWall. (n. d.). Products.