By Chris Richardson with Bob Rose
In our blog post "Modern IPAM as a Security Asset Part 1," we argued for triangulating data to gain context and respond quickly, for reliable data, and for 100% visibility of network endpoints. We'd like to continue that thought by recalling the story of Sam Security and Nancy Network.
Sam Security and Nancy Network Revisited
A SecurityWeek article co-authored with Rod Rasmussen some years ago made this point: "Why Sam Security needs a seat at Nancy Network's table."
The main, and still very relevant, takeaway is to use "low-friction" assets already available that can benefit (or at least not harm) network performance. The subtext of this clever lexicon is that it is best to use existing budget line items to get done quickly what might otherwise take several months of negotiation for enhanced resources. Selling the benefits to peers as a win/win can be an easier pathway to progress than buying something as a new or add-on solution. If you disagree with that statement, please connect with us and we can chat offline. This principle still holds when modernizing DNS resolvers and designing security into network administration: your DNS servers are either a security asset or a security liability today, and which one they become is a choice left to you, depending on how you allocate resources. An even simpler manifestation of this principle is to look at your IPAM. In the network operations world, few solutions have been as much of a boon to network administration as moving from shared spreadsheets (and Notepad, in some cases) to efficient IP address management. A couple of questions to ask yourself about whether your organization is using resources efficiently are:
1) Can you get the contextual data you need for today’s event easily?
2) Can you automatically get the data you need for yesterday’s event easily?
From our perspective, the answers to both questions start with IPAM. Why? Let's look at what organizations are up against nowadays. Many employees have the capability to stand up 500 connected virtual machines instantly. Containerization using IPv6 will only amplify that volatility. Do you know how many user-device combinations have privileges to administer, edit and configure your cloud data? AWS offers per-user administrative configuration for who can do what, but are those policies configured with the principle of least privilege? How would you verify this? And let's look at "old" Internet of Things (IoT): multifunction printers have hard drives, are connected and store sensitive data by default. Your answer? Our internal DNS is fine. Who attacks a printer? Why do I need to inventory MF printers on our network? Or unpatched Windows machines or Point-of-Sale systems? The list goes on. Why are we not using these innovations in network management to move toward individual risk scoring of assets? That is to say, link user and computer situations, then overlay a richer set of DHCP metadata such as lease history, and from there assign DNS RPZ risk rule sets to those unique situations? A point to ponder.
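The second question above, getting the data for yesterday's event, is exactly where DHCP lease history earns its keep: the device that holds an IP address now is often not the device that held it when the alert fired. The following is an added example written for this post, not code from the authors or from any IPAM product. It parses a constructed lease-history export (the CSV layout, hostnames, MAC addresses and device classes are all made up for illustration), answers "who had this IP at that instant?", contrasts that with the present-day holder, and attaches a simple risk tier by device class of the kind an IPAM-driven risk score or RPZ rule set could key on (the tier table is a constructed policy, not a recommendation).

```python
"""Resolve 'who had this IP at that moment?' from DHCP lease history.

Added example for illustration only. The lease-history format is
constructed: one record per lease with start/end timestamps (UTC), IP,
MAC, hostname and a device class tagged by discovery. Real DHCP/IPAM
exports differ in layout but carry the same fields.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str
    hostname: str
    device_class: str  # e.g. "printer", "laptop", "pos" (constructed labels)


# Constructed sample: 10.20.5.44 was held by a printer, then released and
# re-leased to a laptop the next day; 10.20.5.45 has had a single lease.
SAMPLE_LEASE_HISTORY = """\
# start,end,ip,mac,hostname,device_class
2024-03-11T08:00:00Z,2024-03-12T08:00:00Z,10.20.5.44,00:11:22:33:44:55,mfp-3rd-floor,printer
2024-03-12T09:15:00Z,2024-03-13T09:15:00Z,10.20.5.44,AA:BB:CC:DD:EE:FF,lt-jdoe,laptop
2024-03-11T07:30:00Z,2024-03-13T07:30:00Z,10.20.5.45,DE:AD:BE:EF:00:01,pos-register-2,pos
"""

# Constructed risk policy: unmanaged or payment-handling device classes rank
# higher because they are rarely patched and hold sensitive data.
RISK_BY_CLASS = {"printer": "high", "pos": "high", "laptop": "medium"}


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_lease_history(text: str) -> List[Lease]:
    """Parse the constructed CSV export; blank and '#' lines are skipped."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, ip, mac, host, cls = line.split(",")
        # Normalise MAC case so joins against other data sources work.
        leases.append(Lease(parse_ts(start), parse_ts(end), ip, mac.lower(), host, cls))
    return leases


def who_had_ip(leases: List[Lease], ip: str, at: datetime) -> Optional[Lease]:
    """Return the lease covering `ip` at instant `at`, or None if the address
    was unleased then. Intervals are treated as half-open: [start, end)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease
    return None


def current_holder(leases: List[Lease], ip: str) -> Optional[Lease]:
    """The most recent lease for `ip`: what a point-in-time view shows."""
    matching = [l for l in leases if l.ip == ip]
    return max(matching, key=lambda l: l.start) if matching else None


def enrich_event(leases: List[Lease], ip: str, at: datetime) -> dict:
    """Build the context an analyst wants attached to an alert on `ip`."""
    lease = who_had_ip(leases, ip, at)
    if lease is None:
        return {"ip": ip, "resolved": False, "note": "no lease covered this instant"}
    return {
        "ip": ip,
        "resolved": True,
        "hostname": lease.hostname,
        "mac": lease.mac,
        "device_class": lease.device_class,
        "risk_tier": RISK_BY_CLASS.get(lease.device_class, "unknown"),
    }


if __name__ == "__main__":
    leases = parse_lease_history(SAMPLE_LEASE_HISTORY)
    event_time = parse_ts("2024-03-11T14:00:00Z")  # yesterday's alert
    print("at event time :", enrich_event(leases, "10.20.5.44", event_time))
    print("holder today  :", current_holder(leases, "10.20.5.44").hostname)
    print("in the gap    :", enrich_event(leases, "10.20.5.44", parse_ts("2024-03-12T08:30:00Z")))
```

Run stand-alone, the script shows the alert on 10.20.5.44 resolving to the printer, while the present-day holder is a laptop; investigating the laptop would chase the wrong asset. The half-open interval check also reports honestly when the address was between leases, rather than guessing.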
So many threat intelligence whitepapers, articles and conference panels include variations on this theme: "We gotta do basic hygiene. We gotta do the basics well." It turns out that boring hygiene can actually be a great source of data through modern IPAM. As we approach another RSA extravaganza, keep the basics in mind. Boring as it may be, modern IP Address Management can be a rich and reliable source of applicable wisdom that enhances everything else you're doing, or trying to do, in security. Great data leads to great creativity: more use cases can be addressed and more solutions devised by the talented people you work with every day. What is the point here? When you do IPAM for free, you "buy cheap, but pay twice."
Enter authoritative IPAM. Authoritative IPAM accurately reflects the state of your network, provides contextual visibility (i.e., the who, what, why, when, how, where and which) of your network assets (e.g., IP addresses, subnets or VLANs) and enables you to replace manual, error-prone tools and processes with efficient, automated workflows. The following graphic provides a step-model for understanding where this fits in your plan.
If we were to devise a "punch list" for how to integrate authoritative IPAM data as a security asset, we'd suggest four key components:
- Single Source of Truth (Authoritative IPAM): Accuracy, visibility, reliability and IPAM automation are where to start. Management through distributed, highly available, security-hardened, easy-to-manage core network services with central platform visibility delivers your advantage. An agentless DDI overlay that retains Microsoft DNS and DHCP protocols and enables visibility into AD Sites and Services, user/IP mapping and IPAM sync makes your life better by eliminating IP conflicts and lease and network outages.
- Continuous Asset Discovery (On-Premises and in the Hybrid Cloud): Automated on-premises and multi-cloud asset discovery, visibility, IPAM sync, switch port management, rogue and compromised asset detection, open RESTful and leading cloud interfaces (e.g., AWS, Azure, Google Cloud Platform, OpenStack), DNS/IP provisioning, DDI policy-based automation, auditing and workflow automation deliver the efficiency and control you need.
- Cross-System Interoperability (Security Ecosystem): Automated quarantine and scans of newly discovered assets, near-real-time remediation and TrustSec policy updates via security vendor integrations (e.g., McAfee, Cisco, Carbon Black, FireEye) and threat data sharing with NACs, SIEMs, TIPs, ITSM and other security tools are also essential components of modern threat defense.
- Network Visibility and Intelligence (Integrated Reporting and Analytics): Best practices call for fast plug-and-play deployment and full visibility through pre-built, customizable dashboards and reports, search, predictive analytics and Splunk-powered visualizations to give you actionable control of endpoint, performance, security forensics, access logging, audit and network management.
100% visibility should be the strategic imperative in everything you do, at all times. If that sounds daunting, expensive and never-ending ("pie-in-the-sky-ish"), it may be a lot more achievable than it seems.
There are superior and affordable alternatives to IPAM-only solutions that lack full network discovery, extensive ecosystem integrations and basic reporting. We invite you to look at our IPAM QuickStart and speak with one of our Network Architecture professionals. QuickStart enables you to affordably achieve authoritative IPAM control and automation based on your time, priorities and resources. QuickStart provides a "light lift, solid bang for your buck." Don't merely assume the Network Operations Department is moving in this direction. Sam, get a seat at Nancy's table and advocate for 100% visibility, always. That begins with how you manage your internal IP addresses. After all, you need full and reliable network data from all sources. Otherwise, you cannot secure what you cannot see.