Page 1: White Paper - Enterprise Wireless LAN Solutionspage.arubanetworks.com/.../ESG-White-Paper...FINAL.pdf · White Paper Today’s Mobile Enterprise: The Need for a New Network Security

White Paper Today’s Mobile Enterprise: The Need for a New Network Security Strategy

By Jon Oltsik, Senior Principal Analyst

November 2015

This ESG White Paper was commissioned by HP and is distributed under license from ESG. © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved.


White Paper: Today’s Mobile Enterprise: The Need for a New Network Security Strategy 2


Contents

Executive Summary ...................................................................................................................................... 3

Network Security Can’t Keep Up with Rapid Change ................................................................................... 3

How to Tackle the Network Security Transition ........................................................................................... 4

Pervasive Network Visibility ................................................................................................................................... 5

Contextual Access Controls for Policy Enforcement ............................................................................................... 6

Include Network Security Technology Integration ................................................................................................. 7

Network Security Strategy Benefits .............................................................................................................. 8

Aruba ClearPass ............................................................................................................................................ 9

The Bigger Truth ........................................................................................................................................... 9

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.


Executive Summary

Large organizations face a difficult challenge on two distinct fronts. On one hand, they are engaged in a perpetual fight against cyber-criminals, hacktivists, and state-sponsored spies. On the other, CISOs need to bolster protection in an IT environment that includes BYOD, remote workers, and all types of mobile applications where users demand instant access to a myriad of on-premises and cloud-based applications.

How can enterprises mitigate risk effectively in this type of dynamic environment? This white paper concludes that:

Network security is getting increasingly difficult. Enterprise security professionals have recognized that mobile computing, BYOD, and cloud have increased the enterprise threat landscape, but they may not have the necessary tools to mitigate all risks. The Internet of Things (IoT) will make network security even more difficult in the years to come.

Tactical adjustments won’t address this problem. In the past, many security professionals addressed the latest threats by adding another point security product, but this approach is no longer adequate. Point products only create islands of security that come with their own limited defenses, management consoles, and reporting. Hackers have overcome these obstacles by exploiting the gaps between security defenses.

Large organizations need a new network security strategy. Organizations today need comprehensive network security defenses that span the enterprise, not a series of one-off security safeguards with limited scope. It’s time to take a fresh perspective on network security with a comprehensive strategy that:

1. Starts with centralized and authoritative network visibility.

2. Uses attribute-based access controls for policy enforcement.

3. Includes network security integration that enhances incident prevention, detection, and response regardless of user, device, or location.

Network Security Can’t Keep Up with Rapid Change

According to ESG research from 2014, 28% of security professionals working at enterprise organizations (i.e., more than 1,000 employees) agreed that network security was much more difficult than it had been two years previously, while another 51% proclaimed that network security had grown somewhat more difficult.1

When asked why they felt network security had grown more difficult, cybersecurity professionals pointed to several factors (see Figure 1):2

An onslaught of users, devices, and mobility. Security professionals find it difficult to align network security policies and controls with the rapidly growing number of new mobile devices and users. The ability for users to access a variety of applications outside of the realm of traditional network security controls and the growth in network traffic are also concerns.

The increasingly dangerous threat landscape. ESG research indicates a rise in targeted attacks and evasive malware. This is why 38% of organizations believe that an increase in sophisticated malware designed to circumvent traditional security controls has also led to network security challenges. To circumvent traditional security controls, cyber-adversaries are even experimenting with mobile malware targeting smartphones and tablets.

Faced with these growing threats, many organizations have tried to address network security with point products and traditional perimeter defenses like firewalls, IDS/IPS, and web threat gateways. Unfortunately, this approach carries a lot of manual process and operations overhead as the cybersecurity team is forced to utilize defenses on a box-by-box basis, which has led to large security gaps.

1 Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014.

2 ibid.


Figure 1. Top Ten Factors That Have Made Network Security Management and Operations More Difficult

Source: Enterprise Strategy Group, 2015.

Survey question: In your opinion, which of the following factors have made network security management and operations more difficult? (Percent of respondents, N=313, three responses accepted)

Chart data, in descending order:

An increase in sophisticated malware designed to circumvent traditional network security controls: 38%
An increase in the number of overall devices with access to the network: 36%
An increase in the number of targeted attacks that may circumvent traditional network security controls: 32%
An increase in the number of mobile devices accessing the network: 29%
An increase in the number of users with access to the network: 25%
An increase in malware volume: 25%
An increase in network traffic: 23%
An increase in the use of cloud computing services for corporate use: 21%
An increase in the "rogue" use of cloud computing services by employees and other users with legitimate access to the network: 17%
My organization's IT security department is understaffed: 15%

As network security becomes more difficult, it becomes highly likely that security teams will miss something, make mistakes, or find themselves overwhelmed with operational tasks. Throwing additional security point products at the problem will only lead to additional complexity and overhead.

How to Tackle the Network Security Transition

Many CISOs now recognize that legacy network security is a mismatch for today's burgeoning security requirements, but remain unsure how to move to a more appropriate model for mitigating the risks associated with mobility and modern cyber-threats. So what's needed? ESG believes that an effective and efficient network security strategy should:

1. Include centralized and authoritative network visibility.

2. Use contextual access controls for policy enforcement.

3. Enhance incident prevention, detection, and response by utilizing multiple security point products in a cohesive model.


Pervasive Network Visibility

Management consultant Peter Drucker is often credited with saying, “You can’t manage what you can’t measure.” Regrettably, this is exactly what many organizations fail to do by making policy and enforcement decisions without truly understanding what’s on the network. For example, ESG research indicates that 41% of organizations struggle to understand which applications are installed on each device, 36% report weaknesses in terms of monitoring suspicious/malicious network activity of mobile endpoints, and 36% can’t really monitor downloads/execution of suspicious/malicious code on endpoint systems (see Figure 2).3

Figure 2. Weakest Areas of Endpoint Device Security Monitoring

Source: Enterprise Strategy Group, 2015.

Survey question: With regard to endpoint devices (i.e., PCs, tablets, smart phones, etc.), in which area is your organization's security monitoring the weakest? (Percent of respondents, N=257, multiple responses accepted)

Chart data, in descending order:

Applications installed on each device: 41%
Suspicious/malicious network activity: 36%
Downloads/execution of suspicious/malicious code: 36%
Local storage of sensitive data: 28%
Current patch levels: 27%
System changes: 24%
Operating system configuration: 19%

By analogy, consider commercial aviation and imagine forcing pilots to make consistently accurate decisions while "flying blind." This is why the commercial aviation industry is anchored by air traffic control systems, radar, and airplane-based sensors that provide situational awareness for pilots and air traffic controllers. Similarly, network security must be built on a foundation of real-time monitoring that enables the security team to:

Understand what's on the network. To accurately assess risk, security and network personnel need to know what types of devices are connected to the network. This includes PCs, servers, mobile devices (i.e., smartphones and tablets), printers, POS systems, Internet of Things (IoT) actuators and sensors, etc.

This mix of endpoints typically comes with a variety of operating systems, configurations, and applications that may not be "owned" by the organization itself. Armed with details about everything connected to the network, the security team can establish situational awareness and an understanding of risk, and use the data to quickly identify rogue or unknown endpoints.

Know the state of network devices. Aside from knowing which devices are connected to the network, the security and network teams need a more comprehensive profile of each system: how it's configured, what applications and patches reside on each device, etc. Once again, this detail provides solid information for risk management decisions.

3 Source: ESG Research Report, The Emerging Intersection Between Big Data and Security Analytics, November 2012.

When a popular software vendor issues an emergency patch for a specific version of an application, the security team can quickly figure out which systems on the network are vulnerable and thus prioritize and accelerate remediation processes. In addition, policies can be used to keep specific devices from connecting if they have not been approved for access.

Detect anomalous activities. In addition to endpoint context, security professionals need the ability to identify suspicious usage patterns like multiple system login attempts, internal network scans emanating from a user’s device, or network beaconing to an unknown IP address in Eastern Europe.

Most organizations collect log data and employ SIEM systems for this purpose. That is a good start, but log analysis and SIEM success depend upon security analysts' diligence, skills, and time. To supplement the security staff, many organizations are experimenting with machine learning and risk-scoring algorithms tuned for accurate anomaly detection. A detected anomaly must then trigger a protective response, which may involve the wireless or wired infrastructure, policy management, and device management features.
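The three usage patterns named above, as an added example that is not code from the ESG paper or from Aruba: a detector for repeated failed logins, one for a host sweeping internal addresses, and one for timer-regular beaconing to an external host, run over constructed log lines, with hits combined into an additive risk score per source address. The key=value log format, the internal address ranges, the thresholds, the weights and the allowlist of external hosts that legitimately poll on a timer are all assumptions.

```python
"""Added example, not code from the ESG paper or from Aruba: three simple
anomaly detectors and a per-source risk score run over constructed log lines.
The log format, address ranges, thresholds, weights and allowlist are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
KNOWN_GOOD = {"198.51.100.20"}  # assumed allowlist: external hosts that legitimately poll on a timer

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOGS = (
    # six failed logins from one host within ten seconds, then a normal success elsewhere
    [f"2015-11-03T09:00:{2 * i + 1:02d} auth src=10.1.4.22 user=u{i} result=FAIL" for i in range(6)]
    + ["2015-11-03T09:01:00 auth src=10.1.4.50 user=asmith result=OK"]
    # one host touching 20 internal hosts on port 445 within 20 seconds
    + [f"2015-11-03T09:05:{i:02d} conn src=10.1.4.31 dst=10.1.5.{i} dport=445" for i in range(1, 21)]
    # timer-regular polling of an allowlisted patch server: benign
    + [f"2015-11-03T09:{5 * i:02d}:00 conn src=10.1.4.50 dst=198.51.100.20 dport=443" for i in range(5)]
    # irregular browsing to an unknown external host: benign
    + [f"2015-11-03T09:{m:02d}:{s:02d} conn src=10.1.4.50 dst=198.51.100.77 dport=443"
       for m, s in [(10, 0), (13, 30), (20, 0), (21, 0), (40, 0)]]
    # the same unknown external host every 120 seconds from one workstation: beaconing
    + [f"2015-11-03T10:{2 * i:02d}:00 conn src=10.1.4.77 dst=203.0.113.9 dport=443" for i in range(6)]
)

LINE_RE = re.compile(r"^(\S+) (auth|conn) (.*)$")

def parse(line):
    """Turn one log line into a dict with a datetime 'ts', a 'kind' and the key=value fields."""
    ts, kind, rest = LINE_RE.match(line).groups()
    event = dict(kv.split("=", 1) for kv in rest.split())
    event.update(ts=datetime.fromisoformat(ts), kind=kind)
    return event

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def detect_failed_logins(events, threshold=5, window_s=300):
    """Sources with >= threshold failed logins inside any window_s-second window."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e["result"] == "FAIL":
            by_src[e["src"]].append(e["ts"])
    hits = set()
    for src, times in by_src.items():
        times.sort()
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            hits.add(src)
    return hits

def detect_internal_scan(events, min_hosts=10, window_s=300):
    """Sources that touch >= min_hosts distinct internal hosts inside window_s seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "conn" and is_internal(e["dst"]):
            by_src[e["src"]].append((e["ts"], e["dst"]))
    hits = set()
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            hosts = {d for t, d in conns[i:] if (t - t0).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                hits.add(src)
                break
    return hits

def detect_beaconing(events, known_good=KNOWN_GOOD, min_count=5, max_jitter=0.1):
    """(src, dst) pairs contacting a non-allowlisted external host at a near-constant interval."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "conn" and not is_internal(e["dst"]) and e["dst"] not in known_good:
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = set()
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation of the gaps: near zero means a timer, not a human
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.add(pair)
    return hits

WEIGHTS = {"failed_logins": 30, "internal_scan": 50, "beaconing": 80}  # assumed weights

def risk_scores(lines):
    """Run all detectors and add up a risk score per source address."""
    events = [parse(line) for line in lines]
    findings = defaultdict(list)
    for src in detect_failed_logins(events):
        findings[src].append("failed_logins")
    for src in detect_internal_scan(events):
        findings[src].append("internal_scan")
    for src, dst in detect_beaconing(events):
        findings[src].append(f"beaconing:{dst}")
    scores = {src: sum(WEIGHTS[f.split(":")[0]] for f in fs) for src, fs in findings.items()}
    return scores, dict(findings)
```

Calling risk_scores(SAMPLE_LOGS) scores 10.1.4.22 (failed logins), 10.1.4.31 (internal sweep) and 10.1.4.77 (beaconing) and nothing for 10.1.4.50: its polling of the patch server is allowlisted, and its browsing to the unknown host has irregular gaps. The allowlist is what keeps a legitimate update agent from looking like a beacon, so it needs to be maintained as carefully as any other control; the max_jitter parameter is the knob for how much deliberate timing noise an implant is allowed before the detector loses it.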

Based on discussions with enterprise organizations, ESG believes that a successful network security strategy really begins with a thorough understanding of the network itself—what’s connected, how network nodes change over time, who accesses which assets, etc.

CISOs and their teams can use this data as a blueprint to work collectively with business managers and create appropriate security policies. This requires a centralized policy component that contains command-and-control services across wired and wireless networks as well as VPNs.

Contextual Access Controls for Policy Enforcement

In the past, network access control was based on simple rules centered on user role or device status, but this is no longer enough when employees and non-employees need to access business applications and sensitive data from a myriad of locations, devices, and situations.

Driven by BYOD and growing user mobility, many organizations are beginning to move toward contextual access controls, where decisions are based upon combinations of granular identity, device, and situational attributes. According to ESG research, enterprises already consider factors like device type, user role, and access activities when creating network access policies today (see Figure 3).4 ESG finds that more organizations need to move to a model in which those attributes drive enforceable policy; many are still leveraging legacy AAA solutions that do not support active policy enforcement.

4 Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014.


Figure 3. Attribute-based Access Policy Parameters

Source: Enterprise Strategy Group, 2015.

Contextual network access controls give organizations the ability to:

Align security policies with business processes. Security and business objectives are often at odds. While security professionals seek control, business managers lean toward user freedom to maximize productivity. Attribute-based access controls represent a workable compromise between these two extremes by creating granular usage policies governing who makes which decisions and how.

For example, a major teaching hospital can create a policy granting physicians access to clinical data via an iPad connected to a hospital network, but denying access to the same data from a public network. In this way, attribute-based access controls balance business enablement, compliance, privacy, and security.

Enforce policy decisions based upon real-time threats and vulnerabilities. Attribute-based access controls should be able to enforce static business policies and also make dynamic policy enforcement decisions based upon real-time changes related to threats and vulnerabilities. When a software vendor issues an emergency patch, vulnerable systems can be quarantined or redirected to a remediation VLAN immediately. In this example, network security controls correlate internal system state characteristics with real-time cyber-intelligence to modify network access policy decisions and mitigate risk.

Attribute-based access controls should be used to decrease the network attack surface, making it more difficult for cyber-adversaries to conduct targeted attacks, regardless of whether they start from outside or inside of the organization.
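The teaching-hospital policy and the emergency-patch quarantine described above, together with the automated response to a device beaconing to a known C2 server described under Network Security Technology Integration, as an added example that is not code from the ESG paper or from Aruba ClearPass: a small attribute-based policy evaluator in which dynamic threat and vulnerability state is checked before any static business rule, and anything no rule covers is denied. The attribute names, the rule ordering, the VLAN numbers, the threat feed and the sample requests are all assumptions.

```python
"""Added example, not code from the ESG paper or from Aruba ClearPass: a small
attribute-based access policy evaluator. Attribute names, rule ordering, VLAN
numbers and the threat/vulnerability feed are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class AccessRequest:
    """Attributes gathered at connect time: identity, device posture, situation."""
    user: str
    role: str                  # e.g. "physician", "contractor", "guest", "device"
    device_type: str           # e.g. "ipad", "laptop", "printer"
    managed: bool              # enrolled in MDM / IT-owned
    location: str              # "hospital_wifi", "public", "vpn"
    device_ip: str
    installed: Dict[str, str]  # app name -> version, from posture assessment

@dataclass(frozen=True)
class Decision:
    action: str                # "allow", "deny" or "quarantine"
    vlan: Optional[int]
    reason: str

@dataclass
class ThreatContext:
    """Real-time inputs fed in by other tools (assumed feeds, not a real product API)."""
    beaconing_hosts: Set[str]             # device IPs seen talking to known C2
    emergency_advisories: Dict[str, str]  # app name -> first fixed version

VLAN_QUARANTINE, VLAN_REMEDIATION, VLAN_ONBOARDING, VLAN_CLINICAL, VLAN_GUEST = 999, 900, 800, 100, 500

def version_tuple(v: str):
    return tuple(int(x) for x in v.split("."))

# Each rule returns a Decision or None; the first match wins, so the dynamic
# threat and vulnerability checks come before every static business rule.
def rule_c2(req, ctx):
    if req.device_ip in ctx.beaconing_hosts:
        return Decision("quarantine", VLAN_QUARANTINE, "device observed beaconing to known C2")

def rule_vulnerable(req, ctx):
    for app, fixed in ctx.emergency_advisories.items():
        have = req.installed.get(app)
        if have and version_tuple(have) < version_tuple(fixed):
            return Decision("quarantine", VLAN_REMEDIATION, f"{app} {have} older than patched {fixed}")

def rule_guest(req, ctx):
    if req.role == "guest":
        return Decision("allow", VLAN_GUEST, "internet-only guest access")

def rule_unmanaged(req, ctx):
    if not req.managed:
        return Decision("allow", VLAN_ONBOARDING, "unmanaged device sent to onboarding")

def rule_clinical(req, ctx):
    if req.role == "physician":
        if req.location == "hospital_wifi" and req.device_type in {"ipad", "laptop"}:
            return Decision("allow", VLAN_CLINICAL, "physician on managed device inside the hospital")
        return Decision("deny", None, f"clinical data not reachable from {req.location}")

POLICY = [rule_c2, rule_vulnerable, rule_guest, rule_unmanaged, rule_clinical]

def evaluate(req: AccessRequest, ctx: ThreatContext) -> Decision:
    for rule in POLICY:
        decision = rule(req, ctx)
        if decision:
            return decision
    return Decision("deny", None, "no rule matched (default deny)")

# Constructed context and requests (not real data).
CONTEXT = ThreatContext(beaconing_hosts={"10.1.4.77"},
                        emergency_advisories={"AcmeReader": "11.0.3"})

def _req(**overrides) -> AccessRequest:
    base = dict(user="dr_lee", role="physician", device_type="ipad", managed=True,
                location="hospital_wifi", device_ip="10.1.4.10",
                installed={"AcmeReader": "11.0.3"})
    base.update(overrides)
    return AccessRequest(**base)

SAMPLE_REQUESTS = {
    "physician_on_site": _req(),
    "physician_public": _req(location="public"),
    "physician_unpatched": _req(installed={"AcmeReader": "11.0.1"}),
    "physician_beaconing": _req(device_ip="10.1.4.77"),
    "contractor_unmanaged": _req(user="bob", role="contractor", device_type="laptop",
                                 managed=False, installed={}),
    "guest_phone": _req(user="guest1", role="guest", device_type="phone",
                        managed=False, installed={}),
    "printer": _req(user="printer-7", role="device", device_type="printer", installed={}),
}

def decide_all(ctx: ThreatContext = CONTEXT) -> Dict[str, Decision]:
    return {name: evaluate(req, ctx) for name, req in SAMPLE_REQUESTS.items()}
```

decide_all() admits the on-site physician to the clinical VLAN, denies the same physician from a public network, and sends the unpatched and the beaconing devices to the remediation and quarantine VLANs before the physician rule is ever consulted. Two design points matter more than the particular rules: the order puts real-time threat state ahead of business policy, so an advisory or a C2 sighting changes a decision without anyone editing the static rules, and the fall-through is deny, so a device type nobody wrote a rule for (the printer here) gets nothing rather than everything.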

Include Network Security Technology Integration

CISOs must make operational efficiency a major objective as they transform their network security strategies. To accomplish this goal, security professionals should select individual tools with published APIs and work with vendors that have already integrated their individual legacy and next-generation technologies into broader network security solutions.

Figure 3 chart data (recovered from the original figure). Survey question: Which of the following parameters do you consider as part of your network access policies? (Percent of respondents, N=334)

Parameter | Use today | Don't use but are planning or are interested in doing so | Don't use, no plans or interest | Don't know
Device type | 72% | 21% | 6% | 1%
User role | 71% | 24% | 4% | 1%
Access activities | 69% | 26% | 4% | 1%
Configuration of device | 69% | 26% | 4% | 1%
Security state of devices | 67% | 28% | 4% | 1%
Managed/unmanaged device | 60% | 32% | 7% | 2%
Device/user location | 58% | 31% | 10% | 1%


ESG sees an emerging integration trend between network access control, network profiling tools, mobile device management (MDM), and threat detection and analysis systems for improving incident prevention, detection, and response. When these disparate tools are aggregated into an interoperable architecture, CISOs and their teams can:

Coordinate defenses. Integration of security tools allows organizations to implement coordinated layers of defense for wired, wireless, and VPN connections, which takes a holistic approach to threat management and visibility. Endpoint management, access control, threat protection, and system logging should work as one entity. This combined with attribute-based controls and enforcement can help to lock out attacks while keeping network doors open for employees and guests.

Accelerate investigations. When any of the detection tools issues an alert, security analysts can quickly gather additional contextual information about system state, location, activities, history, etc. In this way, network security integration creates a platform where security analysts can find the relevant information they need without querying each tool or sorting through a morass of log data stored in a SIEM. This should help them reduce the dwell time of malicious actors when they do gain access to the network.

Fast-track incident response. Once security analysts identify an actual cyber-attack in progress or see an anomaly related to a user’s device, they then move on to incident response. The goal here is to take corrective action as soon as possible to minimize damages associated with an attack or threat.

Network security technology integration can help by enabling an assortment of remediation actions. When a PC beacons to a known command-and-control (C2) server, the SOC team can terminate its network session, disable the wired or wireless port it is connected through, or block egress traffic to the suspect IP address. In some cases, remediation actions can be fully automated.

Network Security Strategy Benefits

The network security strategy described can help organizations mitigate risk and improve threat prevention, detection, and response. In addition to enhancing security, this type of strategy can also deliver strong ROI benefits by:

Streamlining security operations. A network security strategy like the one described can help streamline security operations in several ways. With real-time information about what’s on the network, CISOs can accelerate the decision-making process as they fine-tune security controls. Attribute-based access controls can help narrow the attack surface, allowing the SOC team to focus on security investigation and remediation rather than mundane security operations tasks.

Facilitating business enablement. Business managers see endless opportunities to use cloud and mobile applications for business advantage, but these IT initiatives can be a CISO’s nightmare as they reduce the ability to control users, monitor network behavior, and protect sensitive data. A well thought out network security strategy can address all of these issues by combining continuous monitoring and attribute-based access controls. With these capabilities, CISOs can partner with business managers, build and enforce business policies, enable new business processes, and manage IT risk.

Aligning user experience with mobile security. As smartphones and tablets become our primary compute devices, network security must account for user mobility and ease of use. A tightly crafted network security strategy can expedite this in several ways. All iPads accessing the network will immediately be recognized as managed or unmanaged devices. Unmanaged devices can be redirected to specific VLANs for onboarding and then assigned policies created for non-IT-managed devices.

The ability for employees to be guided through registration options using native self-service interfaces familiar to non-technical remote users offloads IT. Granular attribute-based access controls can govern network activities and can be supplemented with intuitive messages that explain policy and enforcement decisions in an understandable way. Finally, mobile user behavior can be tracked for anomaly detection. In this way, mobile users can be productive and secure at all times.


Aruba ClearPass

As organizations move from network security point tools to an integrated network security strategy, they will need to work with partners that can help them improve security protection and streamline operations at enterprise scale. Aruba, a Hewlett Packard Enterprise company, is one vendor that fits this description. In fact, Aruba’s ClearPass policy management system can anchor a network security architecture by:

Tracking assets and users on the network. Aruba’s ClearPass applies a wide-angle lens to network monitoring, capturing contextual information about users, connected devices, and device posture. To accomplish this task, ClearPass Exchange supports various APIs and protocols for data exchange with other security and IT management tools such as MDM systems and network directories. In this way, ClearPass Exchange acts as a central point for sharing contextual data and providing a real-time view of the network for situational awareness and risk management.

Centralizing policy management for attribute-based authentication. CISOs can use ClearPass as a nexus for attribute-based access policies across multivendor infrastructures as well. In addition to infrastructure vendors, ClearPass also works with a variety of security technologies in order to leverage existing IT and cybersecurity investments.

Acting as an integration hub to share data for incident detection and response. ClearPass is built to exchange data with all types of security tools and technologies including SIEM systems, threat intelligence data feeds, MDM, anti-malware gateways, and firewalls. Aruba has a long list of partners in these areas including Citrix, MobileIron, Palo Alto Networks, and Splunk. This helps turn standalone tools into an interoperable network security architecture that security analysts can utilize to accelerate investigations, improve incident response, and even automate some remediation tasks.

ClearPass has become a cornerstone of Hewlett Packard Enterprise's networking, security, and mobile enterprise strategies. Furthermore, HPE will include ClearPass practices in its global professional services group to help customers build network security solutions for mobile business processes and new cloud applications.

The combination of ClearPass capabilities with HPE’s enterprise skills should appeal to CISOs looking to evolve from network security tools to an integrated network security architecture.

The Bigger Truth

Many CISOs and their teams face a cold reality: Their current approach to network security isn’t working, so they need to try something new. While many security professionals are aware of this, they aren’t sure of what actions to take or what their highest priority should be.

ESG believes that there is actually a logical progression as described in this white paper. To mitigate risk, streamline operations, and build a security architecture for business enablement, organizations should:

1. Start with a plan that centers on visibility. This will provide CISOs and business leaders with the right level of situational awareness to assess risk and build the right policies and controls for proper risk mitigation, regardless of use case.

2. Use contextual access controls for policy enforcement. With the proliferation of cloud and mobile computing, CISOs should anchor their security policies on identities, real-time attributes, and actions related to sensitive data. Attribute-based access controls will allow them to govern which users can connect to applications and data in a granular fashion. This will help them greatly reduce the attack surface for would-be hackers and non-savvy users.

3. Include prevention, detection, and response points that all work together. Network security is a collaborative and collective process across a multitude of policy enforcement points throughout the network. This demands tight integration between disparate security technologies for command-and-control, policy management, and policy enforcement.


Aruba ClearPass is designed for central network visibility and attribute-based access controls regardless of user, device, access method, or location. Furthermore, ClearPass can act as an integration hub for exchanging information and coordinating policy enforcement with other network security technologies. CISOs must consider building a foundation that includes policy management as a centerpiece for progressive network security that improves processes while streamlining security operations.


20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com
