May 7, 2011 at 9:08 pm #6380
Not sure where this fits since its not just about malware or firewalls. Anyway I just finished about a 3 month project to get my organization (that I’ve been at for 6 months or so) caught up on years of back patching. Unfortunately the ISO’s words of wisdom consisted of “install all patches because they are old” regardless of whether or not the patch was deemed critical by MS or whether they had posed any risk to the organization. “Even this DVD/CD no-autorun patch for our servers that no one can get physical access too and we don’t frequently load media in…” “yes because its old…” but I digress…
So while waiting for all those patches to load, I did a lot of twitter reading and found that a number of pros have been recommending that we truly learn our network and what is running on it to better protect it. I mean its a simple enough concept, one would think you should know this anyway. Unfortunately when a network is built in spurts to accomplish a large increase in demands for resources, some things get pushed aside, mainly documentation. This is what I walked into 6 months ago. In that 6 months I had a full inventory of both servers and workstations, documentation on the functions of all the servers. That lead to me being able to decom a bunch of systems. Awesome when you ask someone what this does and they stare at you blankly (and they’ve been there for years). So, we turn it off and see what breaks! 😀 There I go again so back on track…
So whitelisting, awesome concept, I am currently working on a plan to implement this concept little by little. I have been setting up the AV policies to utilize the IDS/IPS features to whitelist applications and prevent certain directories from being written to, that should cut down on instances of Fake AV, which are rare but do happen based on the nature of user profiles. I am also in the process of getting data for implementing egress on our firewalls. The next big chunk will be to actually utilize the nice expensive switches and really segment the network, not just block it off for organizational purposes.
So the reason I am posting, I am curious to see if others are taking the advice and beginning to implement similar plans, or if you have already done so. I’d be interesting in getting some feedback and even any difficulties you may have had with certain parts of the implementation. Also how did you get management to buy into it? The team lead in our department has been trying to get NAC implemented but it keeps getting cut and he’s also been trying to secure the VLANs better but keeps getting pulled to do other projects. The management doesn’t seem to get that all the patching in the world isn’t going to protect you from a determined party and that we should be spending more energy at know what belongs on our network than blindly securing systems.
Sorry if this was long, but sometimes the mind shoots into overdrive. I look forward to your comments!!
May 8, 2011 at 2:12 am #39687cd1zzParticipant
I like the idea of white listing and in a static environment, it works well. However, unless you have a very good grip on your environment you may break a number of apps if you implement the policy without capturing every one-off app that some gal in accounting needs to use.
In the energy industry white listing works quite well because (gasp) AV can break the old software that our power plants run on. A great way to get around that is with white listing software.
I suppose a very slow and methodical roll out would definitely help you catch things you miss in your planning phase. It would be a monumental effort I think, so good luck!
May 8, 2011 at 11:24 am #39688
Yeah I’ve been running the Application and Device control feature in SEP in a logging only mode and it captures quite a bit. Found a great article on it as well. Our environment isn’t too riddled with random pieces of software. For most people Office, IE, Adobe, Java and our special in-house applications are it. I think it is quite possible to do and I will eventually be testing on a small group. As for the networking side, that is definitely possible, but management has always had us put it on the back burner for whatever their monthly crisis is.
If anything, the research portion will be a good thing for me even if it doesn’t get implemented at my current place of employment.
May 8, 2011 at 11:44 pm #39689dynamikParticipant
Just out of curiosity, how large is your network? This can be difficult to manage effectively over time. It sounds like you’re already stretched pretty thin on resources.
May 15, 2011 at 8:43 pm #39690
140 workstations, 100 or so servers. It probably is a pipe dream though even if I can implement part of the plan, I’d be happy. Man some days I wish I could get the chance to build from the ground up.
May 16, 2011 at 6:11 pm #39691AndyB67Participant
Tried to do something similar to this a few years ago at one of my previous workplaces.
If I remember rightly we VLAN’d into the smallest lans we could get away with and rolled out the policies per VLAN giving it a week or so of monitoring between each rollout to see if anything fell over.
We got 4 VLANS swapped over and were running about 500 (out of 2500) machines and 8 (out of 20) of the servers before we had a major issue with the network (totally un-related) that stopped the change over dead in it’s tracks.
Never did get to finish that as a new contract kicked in shortly after and all the workstations and network got ripped out and replaced from scratch.
May 22, 2011 at 1:25 am #39692
That’s too bad Andy. I have determined that I will probably focus on pushing for a better organized network and in the meantime I can continue running SEP’s logging on its App/Device control feature. Sadly our Network engineer is very protective of his duties and gets very defensive when we want to make changes to it. We think its because he doesn’t know how to utilize VLANs.
I just need to word my proposal so that the managers realize that we don’t need any new flashy tools, we just need to utilize the ones we have efficiently.
May 22, 2011 at 10:12 pm #39693AndyB67Participant
I wish you the best of luck the Triban. Explaining things to management that don’t have a clue what i’m talking about is why I have so many grey hairs!
May 23, 2011 at 12:34 pm #39694WCNAParticipant
Here’s some whitelisting related stuff. One’s a bit old but the idea is still the same.
At a TED talk
I don’t know if I agree with everything he says (he hates hackers) but it is food for thought, especially the Default Permit.
May 23, 2011 at 3:29 pm #39695lorddicraniusParticipant
Thanks for sharing those links, WCNA. I liked that TED Talk, it was both interesting and “srsly? wow…” seeing the history of the Internet told like that haha. His article was a good read too. I wasn’t into the infosec scene in 2005, but relative to how fast technology changes, I imagine the role of security pros and “hackers” have as well. I’d be interested in hearing his views on #4 these days.
June 20, 2011 at 2:22 am #39696
Is that were these gray hairs are coming from?? hmmm damn them! Thanks for the links WCNA.
So of course this side project will be put on hold since they will be decided what mystery projects we will have ti do before the year end. And even better, got a “temp” manager for the next few months and he’s another MBA hopeful with little relevant experience and seems to enjoy micromanagement. Oh well makes for a good reason to make sure the resume is updated. :-p
- You must be logged in to reply to this topic.