Zero-Trust Network Security

As organizations mature their network security capabilities, network segmentation becomes a critical component of zero-trust architecture.

The Basics

There are some straightforward, yet specific, tool-related recommendations organizations can implement at near-zero additional cost to maximize investments already made in their environment. Initially, when folks think about network security for organizations, network appliances like firewalls (FW) come up in conversation. Less commonly discussed is how permissive the FW rules are. Too many cybersecurity horror stories start with questions like, “Are they configured to allow any/any or implicit allow?” Or are they (ideally) configured to explicitly deny unless opened for a specific and required business transaction?

With this unfortunately all-too-common challenge illuminated once network discovery is complete, organizations should look to lock down all ports/protocols not required by the business. Upon completion of port hygiene, companies should re-evaluate the remaining ports/protocols leveraged by the business from a security perspective. RDP may be currently “required by the business,” but port 3389 is likely not the only way for the business unit to complete critical work.
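One way to run the rule review described above, as an added example that is not part of the original article: the script reads an iptables-save style ruleset and flags default-ACCEPT chain policies (implicit allow), ACCEPT rules with no narrowing match (any/any), and RDP opened to any source. The sample ruleset is constructed, and the REVIEW_PORTS list is an assumption to extend for your environment.

```python
import shlex

# Constructed iptables-save style ruleset (illustrative, not from a real device).
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 10.20.0.0/24 --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""

ANY_ADDR = {None, "0.0.0.0/0", "::/0"}
# Assumption: ports the reviewer wants re-justified; the article names only RDP/3389.
REVIEW_PORTS = {"3389": "RDP"}
NARROWING = ("--dport", "--dports", "-i", "-o", "--ctstate", "--state")


def audit(ruleset):
    """Return (line_no, finding, detail) tuples for permissive rules."""
    findings = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        if line.startswith(":"):  # chain declaration carrying the default policy
            chain, policy = line[1:].split()[:2]
            if policy == "ACCEPT" and chain in ("INPUT", "FORWARD"):
                findings.append((n, "implicit-allow", f"{chain} default policy is ACCEPT"))
            continue
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        # Map each option to the token after it; negated ("!") matches are not modelled.
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-j") != "ACCEPT":
            continue
        open_src = opts.get("-s") in ANY_ADDR
        open_dst = opts.get("-d") in ANY_ADDR
        port = opts.get("--dport")
        if open_src and open_dst and not any(k in opts for k in NARROWING):
            findings.append((n, "any-any", f"{opts['-A']} accepts any source/destination/port"))
        elif open_src and port in REVIEW_PORTS:
            findings.append((n, "exposed-port", f"{REVIEW_PORTS[port]} ({port}) open to any source"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULESET):
        print(finding)
```

A ruleset with DROP as the INPUT and FORWARD policy and only source- and port-scoped ACCEPT rules produces no findings.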

Chaos Engineering

As security engineering teams partner with their business peers, these riskier connections can be re-engineered with chaos in mind from the onset. For example, in 2010, the Netflix Eng Tools team created Chaos Monkey in response to Netflix’s migration from on-premises datacenters to cloud-hosted infrastructure. In 2012, Netflix shared the source code for Chaos Monkey on GitHub, and less than two years later, created their first “Chaos Engineer” role. Similarly, by 2020, AWS added Chaos Engineering to the reliability pillar of the AWS Well-Architected Framework (WAF) and, at the same time, introduced Fault Injection Simulator (FIS), providing fully managed chaos experiments natively running on leveraged AWS services. Companies that are known to be actively practicing Chaos Engineering include Twilio, Netflix, LinkedIn, Facebook, Google, Microsoft, Amazon and many others.

Attack Surface Management (ASM)

More general network security efforts center around securing the organization’s DNS positions while confirming all externally facing domains. The discovery process and the associated hardening are commonly referred to as attack surface management (ASM). RFC 9116 offers a related low-cost process improvement to make while cataloging all public domains: simply adding the proposed “security.txt” file can give security researchers a direct means of engaging the organization’s cyber team. Additionally, this can often be leveraged as an infant bug bounty program, as covered on RH-ISAC’s recent podcast related to establishing and maturing vulnerability disclosure programs.
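A small check for the security.txt file mentioned above, as an added example that is not part of the original article: it parses the file and applies the RFC 9116 rules that most often go wrong in practice (Contact present and using mailto:, tel: or https://, Expires present exactly once and not stale, Preferred-Languages at most once). The sample file, the example.com addresses and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

SAMPLE = """\
# Constructed sample; would be served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

def parse_fields(text):
    """Collect 'Name: value' lines; field names are case-insensitive."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate(text, now):
    """Return a list of problems; an empty list means the checks passed."""
    fields, problems = parse_fields(text), []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required")
    for uri in contacts:
        if not uri.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact should be a mailto:, tel: or https:// URI: {uri}")
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages may appear only once")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        return problems + ["Expires is required and must appear exactly once"]
    try:
        when = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
        if when.tzinfo is None:
            raise ValueError("no UTC offset")
    except ValueError:
        return problems + ["Expires is not an RFC 3339 date-time"]
    if when <= now:
        problems.append("Expires is in the past; the file is stale")
    elif when - now > timedelta(days=365):
        problems.append("Expires is more than a year ahead")
    return problems
```

Pass a timezone-aware `now` (for example `datetime.now(timezone.utc)`) and run the check against every domain found during attack surface discovery, so stale or missing files surface alongside the inventory.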

Identity Aware Proxies and DMARC Services

Another helpful security control is the implementation of network proxies. Proxies (ideally identity-aware) allow your corporate network’s internal traffic to be masked and, in essence, provide a gateway between users and the open internet. Companies like F5 BIG-IP define the benefit of the identity-aware component as delivering per-request application access, while securing and managing access to all applications, regardless of their location, authentication or authorization methods.

This is advantageous for the organization for several reasons. For the purposes of this discussion, it makes it possible to block certain domains and all outbound traffic except that needed for business purposes. Examples include blocking access to unauthorized web-based storage services or unapproved web email services. Although not typically considered a network security basic, email filtering / managed DMARC services are critical to protecting user populations from many common email-based attack vectors, and they can assist proxies with filtering out potentially malicious inbound traffic.

Web Application Firewalls (WAFs)

Similar to network proxies, web application firewalls (WAFs) can provide an application layer view into transactional behavior. Companies such as Akamai, Cloudflare, Fortinet, or F5 Networks all provide some flavor of WAFs. WAFs are often coupled with intrusion detection or prevention systems (IDS / IPS, respectively); these can block signature- or behavior-based attacks instead of just identifying a specific indicator of compromise (IOC).

Macro and Micro Network Segmentation

As organizations mature, network segmentation becomes critical — initially working on partitioning externally facing or DMZ traffic from internal-only — then to high/low-security zones or OT/IoT microsegments as granular as logical for the organization. Although it is seemingly one of the most straightforward tasks, network segmentation efforts at scale are often some of the most challenging feats due to their immediate operational impact if not well planned. Another security-borne initiative that often yields catastrophic operational outcomes if mismanaged or ill-planned is network access control (NAC). Conceptually, NAC is the confluence or coupling of user profile characteristics with machine-specific identifiers to ensure a session/connection is indeed the intended user on the authorized device.

Security Service Edge (SSE), Secure Access Service Edge (SASE) and Remote Work

With the recent pandemic and the mass migration to remote work, NAC principles are somewhat being absorbed into secure access service edge (SASE) or security service edge (SSE), frameworks in which multiple cloud-native technologies (SWG, CASB, NAC, FWs, WAFs coupled with SD-WAN) are combined to securely connect users, systems, and endpoints to applications or services from anywhere at any time. Gartner defines SSE as the security half of SASE, representing the convergence of secure web gateway (SWG), cloud access security broker (CASB) and zero trust network access (ZTNA, which in itself represents the confluence of device-specific identity and network access control). Joint research performed by Forcepoint and Gartner suggested that by 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services, and private application access from a single vendor’s security service edge (SSE) platform.
