Resolving Layer 8 & 9 Issues
January 29, 2015
Ah, Layers 8 and 9. Everyone has theories about what these are and how best to account for them in your security architecture. Layers 1-7 have it easy. They come with industry-accepted definitions and standards that have been in use for decades. The Open Systems Interconnection (OSI) reference model covers the following data communication layers:
1) Physical
2) Data Link
3) Network
4) Transport
5) Session
6) Presentation
7) Application
But that’s really just the beginning. Anyone in information technology or security understands there is a lot more than that going on if you ever want to get anything done when implementing changes to an environment. The rest of the story includes:
Okay, 10 may be a stretch (and you’re on your own for that one anyway). But, I want to delve into what we have found are great methods for getting through obstacles in Layers 8 and 9. For starters, you always want to be ahead of the game and lead the conversation. Be the one to suggest or facilitate the plan and, as much as possible, be in a position to direct the conversation - “You heard it here first.” It helps to be a subject matter expert (SME) or to take the Henry Ford approach and have SMEs at your disposal. No matter how much of an SME you are in any particular area, you can never be an SME in everything. Security has become far too broad. So, make sure you have backup. Every security professional needs a phone-a-friend, and probably more than one.
Further, no matter how knowledgeable and sincere you are, sometimes you need backup to prove your point. As mentioned above, the backup could come from outside SMEs or you can set up activities to prove your point. There are a few common, effective approaches to use:
- Breach Discovery
- Tabletop Exercise
- Incident Response Risk Assessment (aka: Gap Assessment)
Each of the above has merit in its own way, and you may want to employ one or more to make a convincing case. I will enumerate the values of each as follows:
Breach Discovery - This is an engagement that involves prolonged analysis of all endpoint activity (through near real-time, continuous endpoint monitoring solutions with retrospection), all network ingress/egress activity (through near real-time, continuous network monitoring solutions with retrospection) and correlation of all logs from ingress/egress, security and authentication devices with a reliable threat intelligence solution. The idea is that with so many data points (essentially surrounding the entire environment), there will always be some kind of record or artifact of malicious activity that leads to its identification.
This is quite possibly the nuclear option of value propositions in that after a successful breach discovery has been performed, it identifies which systems have been breached and what data is affected, and basically acts as a nanny-cam for data abuse. It is very clear: “Bad guys over here are using this malware and these user accounts to steal this data and send it there.” The discussion generally changes from one of “What should we do for security this year and how much should we spend?” to “We need to implement systems and procedures that stop this from happening, now and forever, immediately!”
Tabletop Exercises - This is an engagement leveraging a pseudo-real scenario (customized for your environment) that you are likely to face, complete with handouts for analysis (physical or digital) and wrinkles that add sufficient complexity to the situation. Tabletop exercises can target any level of an organization. To be as effective as possible, they should include representation from all groups that would be involved in real-life scenarios. Sure, you can simulate participation from legal or the executive team, but it does not give them the practice or involvement they need, nor do you gain a true perspective of what they actually might do.
I have successfully used tabletop exercises many times to enumerate technology deficiencies, operational gaps and communication shortfalls. It is not the smoking gun that Breach Discovery is, but it probes the environment in a different way and identifies procedural shortfalls you might not understand.
Incident Response Risk Assessment (IRRA) - An IRRA is the broadest and most theoretical of the three offerings and examines the capabilities of the people, processes and technology within an environment to respond to foreseeable threats. It involves a holistic look across the 10 domains of FishNet Security’s incident management framework (IMF), which include:
3) Collection of Information
7) Legal Counsel
8) Immediate Response & Remediation
For a deeper dive into FishNet Security’s IMF, see my white paper: “Practical Application of Fishnet Security’s Incident Management Framework.” It goes into specific detail regarding each domain and how it maps to key infrastructure and documentation found within your environment.
If executed properly, each one of these approaches is effective in its own way for making the case to get past nearly any Layer 8 or 9 issue. If you can clearly identify problems, communicate them in a business-centric way and road-map out solutions, you stand a strong chance of getting the support you need.
For any of these approaches to work, it is essential that you have the ability to look at your environment and security capabilities objectively and sometimes to admit that you have an ugly baby. Every once in a while, we come across people who don’t want to identify weaknesses in their environment or in a solution that they are closely associated with. But, that is a recipe for failure.
The vulnerabilities will be found sooner or later (by whom is the question). And, it is better to take one on the chin now than to look stupid later. Nobody wants to be perceived as being unaware of problems that they should have known about, problems which may later be exploited by a malicious outsider and put your company in the headlines for the wrong reasons. That is a dangerous place to be. Don’t be “that guy.”