Maintaining security over networks has become a much tougher challenge over the last few years, as once-solid perimeters have turned into Swiss cheese and classic security tools have become insufficient for contemporary demands. One prominent example is the attack against Sony Pictures Entertainment in December 2014. The attackers were subsequently traced to North Korea, and the attack revealed the capabilities (and obsessions) of cyber criminals. Even big players with large security budgets have problems keeping their networks secure.
It’s difficult to keep up with network security challenges. There are threats from zero-day vulnerabilities, but even when an application or operating system weakness becomes known, IT needs time to research and understand it in order to close the hole in the network. Gartner argues that through 2015, in 80 percent of cases attackers will exploit well-known vulnerabilities that remain open because of insufficient remediation.
It would be unfair to write that off as human failure. Dealing with security weaknesses requires time and resources, and both are hard to find, especially when facing more and more attack vectors. The strength of attacks, and therefore the time necessary to remediate them, is also increasing. In a recent survey by Frost & Sullivan on skills gaps in the IT industry, 85 percent of all interviewed security professionals said that they spend significant amounts of time remediating attacks and malware. That number has risen over the last few years as well.(3)
Today, networks also need to be open enough for wireless access while remaining secure. The number of devices and processes integrated into the digital network is rising. Cloud services, smart watches and even coffee machines must be considered network endpoints by organisations, which opens up a wide, uncontrolled attack surface.
This so-called “shadow IT” (i.e. hardware or software within an enterprise that is not supported by the organisation’s central IT department) places a significant new demand on security, and with more and more devices connecting, it is easy to lose visibility over networks. IT directors are already experiencing the change and often cannot say for sure how many devices are accessing their networks every day. According to Gartner, organisations are aware of only 80 percent of the devices operating in their networks.
New Requirements In Network Security
Enterprises need to rethink their cyber strategies, as there is currently no single vendor that offers a comprehensive solution to prevent and protect networks against all attacks. The baseline assumption is that networks attacked from many sites and by many organisations will face security incidents sooner or later. The ability to enforce security policies is necessary not only during a connection, but also before and after a connection is established.
To address the heterogeneous mass of user actions on a network at any one time, responses must be automated, yet still flexible enough to allow the enforcement of granular policies for different user groups and individuals. Classic tools are still necessary, but new ways to strengthen network security are also required. Frost & Sullivan recently asked about the best tools to improve security in networks, and the most common answer, from 75 per cent of the IT professionals questioned, was network access control (NAC). IT professionals feel that tools for network analysis and access control are the best way to harden their networks.
NAC As A Response Centre For Security Issues
Next-generation NAC has matured and is capable of managing devices without requiring a client (also called a supplicant or agent) to be installed. NAC solutions are generally operating-system agnostic and support employer-provided, bring your own device (BYOD) and company-owned, personally enabled (COPE) approaches. The moment a device tries to log in to the network, NAC creates a security profile, including information on patches, unsanctioned software and active host-based defences (including anti-malware, AV, IPS and related tools). Patch management is a first step towards closing the attack vector of known vulnerabilities.
Odd behaviours can be addressed without directly blocking or switching off the device. Users are informed, can self-remediate their system and ultimately change behaviour before policy enforcement is enacted. Critical issues can be handled quickly through the standard ticketing path. NAC does not only deliver periodic scans: incorrect or non-compliant configurations, compromised systems or issues with host-based protection and management software can all be taken into account, and granular actions taken.
Modern NAC solutions do not rely solely on the IEEE 802.1X standard and can deal with virtual infrastructures, more expansive network environments (comprising multiple subnets), and remote and transient devices. Support for alternative authentication methods allows the management of both employer- and user-provided endpoints. Even devices that make up the so-called Internet of Things (IoT), which leave only a small footprint on the network, can be covered.
With a monitor-only mode, all actions can be tracked without enforcement, allowing NAC to learn about the applications, devices and services in the environment. This allows a lean and quick implementation and shows security gaps and exceptions. It also enables organisations to find weaknesses in their defences and helps with applying knowledge from third parties.
In the case of a breach or loss of data, NAC helps by providing post-connection information for forensic analysis. NAC hardens network security and helps achieve compliance with different industry standards, such as ISO 27001, which provides a framework for the legal, physical and technical controls involved in information risk management processes. This turns NAC into a response centre. Management is centralised in one location, ensuring that approved actions are taken and that reports are generated to significantly aid external compliance and internal governance requirements.
Third Party Integration By NAC
In addition to its own intelligence, some NAC platforms can interact with third-party security tools to receive actionable intelligence. Sharing information and automatically executing intelligent responses is key to combating zero-day malware and advanced persistent threats (APTs). Endpoints deemed insecure by a vulnerability assessment tool can be remediated, or a breached system isolated after being identified by advanced threat detection (ATD).
Indicators of compromise (IOCs) can be shared and the information applied to new and existing endpoints. The integration of a third-party firewall is not limited to a binary go/no-go scheme. In the case of a potential security incident, devices and users can be located and identified. ATD tools alone are not capable of automatically remediating or isolating threats after detection, and often they do not have visibility into the full scope of a threat. Integration with NAC can address these shortcomings.
To protect wireless networks, integration with mobile device management (MDM) solutions allows the enrolment of new devices so that they become visible to these container solutions. NAC is able to determine whether a device does not comply with the corporate security policy, e.g. if it has no anti-virus program installed or is jailbroken. MDM solutions alone are not able to prevent network access, which leaves such a device a potential threat.
Interaction with other tools through application programming interfaces (APIs) allows bi-directional integration for information sharing. Information from a security information and event management (SIEM) system, for example, can be transformed into actions. Blacklists are enforced and can be managed and adjusted without much effort. The NAC appliance communicates with network devices such as routers, switches or wireless access points through the Simple Network Management Protocol (SNMP) or command-line interfaces (CLI) to allow, block or limit access. Devices can also be placed in dedicated, isolated virtual local area networks (VLANs).
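As an added illustration (not code from this article or from any NAC product), the following Python sketches the decision flow the NAC and integration sections describe: a posture profile built at connection time is evaluated against policy, checked against IOCs shared by a SIEM or ATD tool, and mapped to a VLAN, with a monitor-only mode that records the verdict without enforcing it. The policy values, the IOC sets and the switch command syntax are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample indicators, as if received from a SIEM or ATD tool.
# The hash is a placeholder, not a real indicator of compromise.
IOC_MACS = {"aa:bb:cc:dd:ee:01"}
IOC_HASHES = {"0" * 64}

# Hypothetical policy: maximum patch age and the VLAN used for each outcome.
POLICY = {"max_patch_days": 30, "prod_vlan": 10, "remediation_vlan": 20, "quarantine_vlan": 99}

@dataclass
class Endpoint:
    """Security profile NAC builds when a device tries to connect."""
    mac: str
    patch_age_days: int
    av_running: bool
    jailbroken: bool = False
    process_hashes: set = field(default_factory=set)

@dataclass
class Decision:
    action: str    # "allow", "remediate" or "quarantine"
    vlan: int
    reasons: list

def evaluate(ep: Endpoint, policy=POLICY, monitor_only=False) -> Decision:
    """Map a posture profile plus shared IOCs to a granular network action."""
    reasons = []
    # Indicators from third-party tools take priority: isolate the device.
    if ep.mac in IOC_MACS or ep.process_hashes & IOC_HASHES:
        decision = Decision("quarantine", policy["quarantine_vlan"], ["matched IOC"])
    else:
        if not ep.av_running:
            reasons.append("anti-virus not running")
        if ep.jailbroken:
            reasons.append("device jailbroken")
        if ep.patch_age_days > policy["max_patch_days"]:
            reasons.append(f"patches {ep.patch_age_days} days old")
        if reasons:  # non-compliant but not compromised: let the user self-remediate
            decision = Decision("remediate", policy["remediation_vlan"], reasons)
        else:
            decision = Decision("allow", policy["prod_vlan"], [])
    # Monitor-only mode: record what would have happened, but do not enforce it.
    if monitor_only and decision.action != "allow":
        return Decision("allow", policy["prod_vlan"], decision.reasons + [f"monitor-only: would {decision.action}"])
    return decision

def switch_commands(port: str, decision: Decision) -> list:
    """Illustrative CLI lines NAC would push to an access switch (Cisco-style syntax assumed)."""
    return [f"interface {port}", f" switchport access vlan {decision.vlan}"]
```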
Summary
New endpoint types and malicious applications make a NAC system the best-practice solution for the challenges of securing today’s next-generation networks. In the future the number of devices trying to access networks will continue to grow, so security solutions need to become more responsive and flexible. The trend of “things” accessing the network will not stop with watches. NAC meets a number of requirements in the areas of operational intelligence, endpoint compliance assessment, access control, threat protection and even incident response, which make it well suited to the challenge.