10 Ways to Implement Multi-Layered Security

How secure is your enterprise? Does your current strategy include true end-to-end security? Learn 10 ways to better implement a multi-layered security approach in your organization. Topics covered include: Lost laptops and smartphones, botnets, network security, messaging security, Intrusion Prevention Service (IPS), End Point Security, and much more.

Any complex business has security holes: lots of them. And in today’s world of always on, ubiquitous computing, universal Internet connectivity, and seamless mobility it’s getting harder to identify the risks, much less close them. Worse, a fast-growing, global dark economy centered on disseminating and leveraging exploits is making it more difficult to predict attacks and mount targeted defenses. While classic hacker prizes like your strategic IP or customer credit-card files are still very much at risk, your business may also be the target of less-pointed attacks, like email or e-commerce denial of service, or random ‘phishing’ aimed at capturing employee or customer personal data. Bottom line: as a defender, you must fight to thwart every possible attack. The attacker, however, only needs to locate one weak link to wreak havoc.

A better solution to this dilemma is multi-layered security: implementing multiple, overlapping security solutions so that your most-critical assets are buried deep behind several lines of defense. In theory, it’s a solid strategy, but one that large enterprises – even with comparatively great resources and large pools of specialized IT talent -- have been at pains to deploy.

Time for an upgrade

It’s doubtful you’d still be in business if you didn’t already have endpoint security (i.e., virus and malware protection), and hadn’t given your less-savvy users at least one round of stern talks about “never opening strange emails.” As a next step, upgrading desktop and laptop operating systems may be the single most effective move you can make to secure your company – not only because an OS upgrade brings online collective security learnings from prior versions, but also because the upgrade process itself tends to simplify and impose rigor: eliminating old, little-used applications, and giving you a change-up point for negotiating new security protocols with users. Windows 7, for example, is at this point increasingly a known quantity, generally more stable than XP, highly compatible with legacy software, and with improved security, encryption, malware removal, automated patch sequencing, and other features built in.

But how do you simplify and reduce the workload of transition, not to mention manage the licenses involved? The answer is to implement an automated solution for OS upgrade distribution and management -- one with appropriate characteristics (e.g., large file storage, session bandwidth, OS-specific logging, policy management, etc.) to handle this specific task, which has storage, network and computational characteristics quite different from everyday patch issuance and configuration management (see below).

Patch early, patch often

While we’re on the subject, getting a handle on OS and application patches lets you keep ahead of exploits while improving product stability and performance. Patch deployment solutions let you evaluate, select, test, aggregate, deploy, log, and audit patch history. So it reduces workload, increases assurance, and provides an important link in the technology due-diligence chain for regulatory compliance. Because patch deployment is typically more time-sensitive, but less storage and bandwidth-intensive than OS upgrades, the architecture supporting these solutions is slightly different. Often, the patch-management function is augmented by configuration and policy management (see below).

Configure remotely

Servers, endpoint PCs, laptops, and mobile devices can all be made more secure by ‘hardening’ their configurations -- a complex and time-consuming process involving turning off unused services; constraining remote-access and other convenience features; setting administrator and user identities; defining execution policy for required applications; and many other details. Configuration management software keeps track of device, OS, application, and other configuration masks, interrogates and applies appropriate configurations over the network, and can often be used to remotely commandeer stolen or otherwise-exposed devices.

Virtualize the browser and surf from the inside

The web is a critically-important tool for modern business. But the browser is a popular insertion-point for malware and has become the vector for remote attack techniques like Cross-Site Request Forgery (CSRF). Letting users manage their own browsers can lead to trouble: unsophisticated folks are prone to installing toolbars, plugins and other ostensibly labor-saving tools that may embody malware or leave them open to attack, and to turning on features like password caching, forms-filling and history that can make a stolen PC a gateway to enterprise applications, mail and data. A better answer – now supported by some security-oriented edge-network devices -- can be to supply users with a virtualized instance of a filtered standard browser. This strategy offers users a high level of assurance against commonplace attacks, and prevents even successful attacks from executing code, rooting the OS, or reaching and compromising the local file system or other vulnerable targets.

Secure the endpoints

Securing endpoint devices in an enterprise setting isn’t always easy, and solutions aren’t perfect. So layers should be implemented here, as well. Antivirus, local firewall and similar applications work to bar exploits and infections. Biometric and two-factor access security help prevent exposure of data. And file-based encryption keeps key information safe, even if it leaves the enterprise net and gets copied to portable media.

Secure the perimeter

A mid-2010 EMA study found that 71% of organizations with 2,500 or fewer employees had significant trouble finding and retaining IT security specialists. That’s a telling stat when you think of how complex a full-featured, enterprise-class layered security solution can be. Attacking the problem, Unified Threat Management systems consolidate security and edge-network functions, blending gateway switching and routing with firewall, VPN, content-aware web filtering, antivirus, anti-spam and data-loss prevention (DLP). The pre-integrated result can be simpler to manage, and UTM devices can also be key enablers in helping you outsource security monitoring and network management to dedicated professionals.
Multi-Layered Security Broken Down By Areas of Concern and Applicable Toolkits

IT Area of Focus | Areas of Concern | Relevant Toolkits

• Endpoints • OS level • OS update appliance • Patch history • Patch/configuration appliance • Configuration hardening • Patch/config appliance • Desktop access • Embedded biometrics • Application access • Remote policy mgmt. • Install/Use policy • Endpoint encryption • File access • UTM manager • File storage • Secure browser • VPN authentication • Secure email • Browsing • Incremental backup • Email • Backups • Network Edge • Patch history • UTM manager • Configuration hardening • Optional off-site management • VPN • Firewall • Stateful inspection • Data-loss prevention • Log archiving/backup • Email • OS level • Patch history • Secure Email cluster appliance management • Configuration hardening • Archive management • Stateful inspection • Whitelists/Blacklists • Boundary encryption • Backups and archiving • Endpoint data encryption • OS level • Patch history • Automated infrastructure management • Configuration hardening • Patch/configuration appliance • Resilient computing • Backup management • Stateful inspection • DB encryption • Backups and archiving

Biometrics

A little-discussed, but equally important aspect of endpoint security is access control. Though it adds some cost to laptops, embedded biometric access control (e.g., via fingerprint) offers high security while reducing service caseloads (e.g., password-reset requests).

Hide in plain sight

Sometimes even the best-engineered and maintained access-control and intrusion-prevention systems fail. And no peripheral defense is proof against an ‘inside job.’ One effective way to mitigate the risk is to use deep encryption on proprietary and critical files to prevent data loss. Modern whole-enterprise file-based encryption solutions can be engineered to run transparently, encrypting files in ways that don’t inhibit authorized use while protecting them in transit and in storage, both on the company premise and when files are copied to thumb drives or other removable media.

Secure email

Email is a classic attack vector for introducing malware, phishing, and other attacks. It’s also the mainstay of compliance, auditing, and proving due-diligence under any regulatory regime. So email integrity is essential in managing all forms of business risk. For this reason, it makes sense, even within the context of an otherwise-comprehensive layered security plan, to treat email as a special case and give it another layer of protection. The good news is that top-rated email security systems are improving radically, offering malware and spam protection, boundary encryption to protect partner communications, sophisticated administration controls, and end-user-empowering features such as the ability to define and manage whitelists and tune spam settings within policy guidelines.

There’s no substitute for HUMINT

Human Intelligence (HUMINT), skill and attention is the backbone of reliable security. But if you’re pressed for resources, it can be hard – or impossible – to retain and deploy the skills you need to manage your layered security system and intervene around-the-clock when trouble strikes. Luckily, new models for engaging with security experts and for cost-effectively outsourcing the round-the-clock vigilance required to maintain cross-system integrity are evolving quickly, in tandem with hardware, firmware, and software architectures for Unified Threat Management. The simplified, pre-integrated nature of UTM solutions makes them ideal for enabling remote network and application monitoring, giving your IT staff access to IT experts when you need them and where you need them the most, all while effectively controlling costs and risk at the same.