We’ve all heard about the many successful cyber-attacks carried out in various industries. Rather than cite a few examples to establish background I would encourage you to review the annual report from Verizon called the Data Breach Digest. This report gives critical insight for understanding how the most pervasive of attacks are executed and what to protect against to impede or prevent them. In order to provide a sound architecture and operational model for this purpose of protection, let’s look at some universal principals that have emerged as a result of forensics from these events. Those principles are time and space. Space, in this case, is cyberspace and involves the moving digital components of the target systems that must be compromised to execute a successful attack. Time involves events that may occur at network or CPU speed, but it is the ability to trap those events and put them into a human context, in terms of minutes, hours, or days, where security operations can respond. The combination of unprotected attack vectors, already compromised components of the system, and the inability to spot them, creates what are known as “blind spots” and “dwell time” where an attacker can harvest additional information, and potentially expand to other attack vectors.
While all of that is hopefully easy to understand, we have to face the reality that many attacks still occur by using compromised credentials from social engineering. These credentials provide enough privilege to establish a foothold for command and control used in a cyber-attack. For this reason, we want to employ one of the core principles of the Managed Security Services Maturity Model, known as Zero Trust, or the idea that every action must have specific authentication, authorization and accounting (AAA) defined. By subscribing to this maturity model as a VMware vCloud® Air™ Network service provider, you will uncover ways in which you can leverage features, such VMware NSX® Distributed Firewall and micro-segmentation, putting you well on the road to offering services that can help customers address potential blind spots and reduce dwell time, thereby taking control and ownership of their cyber risk posture. No matter how nefarious a rogue entry into target systems is, or what escalated privilege was acquired, the Managed Security Services Model will limit the kind of lateral movement necessary to conduct consistent ongoing attacks, or what is known as an advanced persistent threat (APT). Although not all occurrences are APTs, by understanding the methods used in these most advanced attacks, we can isolate and protect aspects of the system required to execute a “kill chain,” essentially allowing ownership of a system in undetectable ways.
Managed Security Services Maturity Model
Cyber security, in its entirety, is a vast concept not to be given justice with a small set of blog articles and white papers. However, given the expansive nature of cyber-threats in this day and age, along with the ratio of successful attacks, information technology needs to continually seek out new approaches. One approach is to create as much of an IT environment as possible from known patterns and templates of installed technologies that can be deployed with a high fidelity of audit information to measure their collective effectiveness against cyber-threats. This turns on its head the idea of protecting environments against an exponentially exploding number of threats with greater diversity in the areas frequently attacked, and instead refines deployed environments to accept only activities that are well defined, with results that are well understood. Simply put, measure what you can trust. If it can’t be measured, it can’t be trusted.
Once again, this approach touches on a large concept, but it is finite in nature in that its definition seeks to gain the control needed to deliver sustainable security operations for customers. To further illustrate this point, let’s think about the idea of what a control and the maturity model affords the operator in pursuit of their target vision. First, is the idea of “control,” which simply put in cyber security terms means defining a behavior that can be measured. This could be architecture patterns expected from the provider layer, such as data privacy or geo-location, or automation and orchestration of security operations. Second, is the maturity model itself, which has prerequisites for executing on specific rungs of the model, along with providing operational and security benefits. One output of each rung of the maturity model is the potential set of services to be offered to aid in the completion the customer’s target cyber security vision.
Enter the Managed Security Services Maturity Model, which encodes the methodology for capturing each customer’s ideal approach and provides five different maturity “layers” that aid vCloud Air Network service providers in delivering highly secure hybrid cloud environments. Looking at Figure 1, we can see that the ideas of time and “geometry” (networks and boundaries we have defined), along with the provider (below the horizontal blue line) and consumer (operating system and application runtimes) layers, provide us the cyber dimensions we seek to define and measure.
Figure 1. Managed Security Services Maturity Model
Like most capability maturity models, when starting from the bottom we can often borrow attributes and patterns for service from the layers above. Generally, however, we need to accomplish the prerequisites for the upper layers (Orchestrated and above) to truly be considered operating at that layer. Often, there are issues of completeness where we must perform these prerequisite tasks n number of times in the design of our architecture and operations to have mobility to upper levels. For instance, to complete the Automation level, you should plan to automate on the order of about a dozen elements although your mileage may vary.
You may find more work to be done moving up the levels as you determine the right composition and critical mass of controls appropriate to deliver for targeted customer profiles. In the case of our maturity model, we will bind several concepts at each level to ultimately achieve the Zen-like “Advanced” layer 5, where we truly realize the completeness of the vision to own cyber security for our customers. A big responsibility to be sure, but perhaps a bigger opportunity to change the game from the status quo. The offering of managed services composed of facets from all levels is not for everyone but there is plenty of room to add value from all layers.
We have defined the following layers for the Managed Security Services Maturity Model:
At this level, we introduce VMware NSX, VXLAN, and the Distributed Firewall to the hybrid cloud environment. This allows us to create controlled boundaries and security policies that can be applied in an application-centric fashion, resulting in focused operating contexts for security operations.
At this level, we want to automate the behavior of the system with regard to controls. This will prompt security operations with events generated by discreet controls and their performance involving established measurements or tolerances. The goal is to automate as many controls as possible to become Orchestrated.
After we have many controls automated, we want to make them recombinant in ways that allow for controlling the space, or the “geometry”, along with coordinating events, information, automated reactions, and so on, which will allow us to drive down response times. These combinations will result in “playbooks,” or collections of controls assembled in patterns that are used to combat cyber threats.
Taking on full lifecycle responsibility means just that. We might monitor in-guest security aspects like anti-virus/malware or vulnerability scanning in discreet, automated, and even orchestrated ways in previous levels. This level, however, is about actually taking ownership of operating systems and perhaps even application runtimes within the customer virtual machines. By extending managed services to include what is inside the virtual machines themselves, it is possible to take ownership of all facets of cyber security regarding applications in the hybrid cloud.
At the Advanced level, we must be able to leverage all previous levels in such a way that managed services can be deployed to remediate a cyber-threat or execute on a risk management plan to help address security issues of all types. Additionally, we want our resulting cyber toolkit derived from the maturity model to become portable, in appliance form, where managed security services can be delivered anywhere in the hybrid cloud network.
In the upcoming series of blog postings that describe VMware vCloud Architecture Toolkit for Service Providers (vCAT-SP) reference architecture design blueprints and use cases for each maturity level, vCloud Air Network service providers can help customer’s to visualize what it will take to both architect and operate managed security services used to augment the hybrid cloud delivery model.
Eliminating Blind Spots and Reducing Dwell Time
The cyber defense strategies that are devised based on achieving levels of the maturity model focus on defining individual elements within the system. Management user interfaces, ports, session authentication, as well as virtual machine file systems, network communications, and so on, should be defined to allow alignment of controls. In addition, the provisioning of networks between the resources that consume services and those that provide them, such as management components like VMware vCloud Director® or VMware vCenter™, DNS, or Active Director and logging of network components (including those that serve end user applications to their communities), should also occur in as highly an automated fashion as possible.
In this way, human-centric, error-prone activities can be eliminated from consideration as potential vulnerabilities, although automated detection of threats by discreet components across cyber dimensions is still expected. A high level example of how we expect these discreet, automated controls to behave is described by Gartner, who defines the concept of a “cloud security gateway” as “the ability to interject enterprise security policies as the cloud-based resources are accessed”. By defining controls for system elements and their groupings in this way, we can form a fully identified inventory of what is being managed and by whom as well as where it resides. Likewise, by understanding and quantifying the controls in the system that are applied collectively to these elements, we can begin to measure and score their effectiveness. This harmonization is critical to deliver the consistency in the enforcement mechanisms we can rely on across both sides of the hybrid cloud creating the foundation of trust.
Despite our efforts to inventory all elements within systems, attacks will still arrive from the outside world in the user portions of the application stack, for example, through SQL injection or using cross-site scripting techniques. The threat of compromised insider privileged users will still be present as will “social engineering” methods of obtaining passwords. However, the “escape” of a rogue, privileged user to a realm from which they can continue their attack has been minimized. We have taken the elements of time and space and defined them to our advantage, creating a high security prison effect and requiring new vulnerability exploits to be executed for each step in the kill chain.
Because the attackers generally deal with a limited budget and time in which to execute a successful attack, often times even our simplest security approaches are enough to make us the safest house on the block. Also, because of the likelihood that all activities that occur within the environment are well known, effectively generating high confidence indicators or signals, and very little noise as a sensor, anomalies are easy to spot. Given the presentation of those anomalies and playbooks already available to address many adverse operating conditions, you are providing customers the ability to deliver a credible response to threats, something that many lack today.
The goal of vCloud Air Network service providers and their partners should be identifying cyber security challenges that customers face, as well as which meaningful, coarsely grained packages of managed services can be offered to help tackle those challenges. By aligning with the Managed Security Services Maturity Model, providers can leverage the VMware SDDC and VMware NSX software-defined networking and security capabilities to deliver something truly unique in the enterprise IT industry—a secure hybrid cloud. By further aligning these capabilities and services with those of application migration and DevOps (stay tuned for blogs on those and other subjects), and taking ownership of the full lifecycle of security, the potential of effectively remediating existing threats becomes possible. Together, we can help customers evaluate their risk profile, as well as understand how these techniques can minimize attack points and vectors and reduce response times, while increasing effectiveness in fighting cyber threats.
What you’ll see throughout the Managed Security Services Maturity Model is the creation of a “ubiquity” of security controls across each data center participating in the hybrid cloud. This ubiquity will allow for a consistent, trusted foundation from which the performance of the architecture and operations can be measured. Individual policies can then be constructed across this trusted foundation relative to specific security contexts consisting of applications and their users as well as administrators and their actions, leaving very little room for threats to go unnoticed. As these policies are enforced by the controls of the trusted foundation, cyber security response becomes more agile because all components are performing in a well understood fashion. Think of military special forces training on a “built for purpose” replica of an area they plan to assault to minimize unexpected results. Security operators can now be indoctrinated and immersed, knowing what scenes are expected to play out instead of constantly looking for the needle in the haystack. This will also ultimately create the ideal conditions for helping to rationalize unfettered consumption of elastic resources while also fulfilling the vision and realizing the potential of the hybrid cloud.