Secure Architecture & Configuration for Cyber Security

Adopting a secure architecture is an ideal most organisations aspire to. However, most companies have an existing environment that was architected years ago when the cyber security threat landscape didn’t vaguely resemble the threat landscape we have today. Tearing it all down and starting again is usually not an option, so what do you do?

Designing a systems architecture in line with the MITRE ATT&CK framework is a nice to have, but disrupting a business while you build, migrate and then UAT such an environment simply isn’t practical. Therefore, this blog post will touch upon the theoretical principles you would use to build such an environment if you were starting from scratch as well as include recommendations on how you can do your best to ensure that you are doing the basics right in your existing environment.

 

Understand what you are building and why

Having a clear vision of the purpose that your environment will serve is key:

• Will there be lots of externally facing or customer accessible elements for example? 

• Will the environment primarily be used to host DevOps people who will constantly be needing new VM’s spun up and down? 

• Will huge databases be hosted that support applications or interact with cloud resources? 

Understand the level of risk that your organisation is willing to accept. Ensure there is an understanding that zero risk is possible, but the cost will be significant – work with your business to understand where the trade-off between acceptable risk and acceptable cost lies. 

Ensure you have a concept of how long the system you are designing now is likely to be around for? Legacy systems can be a huge cyber risk. If OS versions will go end of life in 5 years – how will that be accommodated? This will be essential in ensuring that you are building system that is fit for purpose now and in the years to come. 

 

Make systems easy to maintain and update

Maintenance and support is going to be necessary. Many organisations get stuck with systems that are out of date because they simply cannot take them down for any length of time. This means they are forced to implement other complex, costly solutions to protect the vulnerable areas.

Making it as easy as possible to get updates out and having the confidence that they have been successfully applied is key. You should only use supported OS versions. For anything that doesn’t have reliable automated updates, either use something else or find a methodology that works. For example, you may have to segment that device from everything else and patch it manually.

 

Patching – hardware firmware, OS and applications

Patching software vulnerabilities is one of the best ways to ensure your systems are secure. Not only does it remove software flaws, but it means that your organisation is more difficult to compromise. It may not be a deterrent to someone intent on gaining access, but it certainly will be for the opportunistic cyber criminals that are running automated botnets scanning for open ports or phishing email campaigns. If they can’t find an easy foothold, many will simply look elsewhere.

 

Change Management

Change management should be used to ensure stability of systems, verification of changes prior to implementation as well as providing a record of changes made should an incident occur. 

---

Understand Your Security Risks and How to Fix Them

Take your first steps into improving your cyber security posture, looking at 10 key areas you and your organisation should focus on, backed by NCSC guidance.

Take Free Assessment

---

Make compromise and disruption difficult

Having a layered network architecture is a great idea but can be very complex to manage not to mention difficult and/or time-consuming to work with. But as we’re starting again then look at the MITRE ATT&CK framework, familiarise yourself with the tenets it conceptualises and adapt your design approach accordingly.  Ensuring that your network is compartmentalised. Then a compromise of a single area does not compromise the entire environment – the same approach to damage limitation/control the military uses. From a risk perspective it’s brilliant and it means you can segment the sensitive data away from any avenue of direct or indirect attack. 

Use anti-spoofing controls such as DMAC, SPF and DKIM to make it difficult to spoof your email domains, again, this will deter many threat actors or force them to use domains that are obviously fake and easier to spot. 

Web content filtering

Actively blocking access to types of unregulated websites protects your environment from the risks posed by embedded or hidden malware as well as users from potentially offensive, malicious or distressing content 

Firewalls

Using firewalls has been a staple of IT environments for a very long time, there are still a lot of legacy-type firewalls in use that are not really suitable to combat todays cyber threats, use of next-gen firewalls is recommended if not already in use. 

 

Reduce the impact of compromise

Organisations should make it difficult to laterally move from one area of the network to another. Compartmentalisation is arguably worthless of an attacker can still traverse the rest of the environment compromising as they go. 

Using next-gen anti-malware to provide the highest levels of protection on your end-points such that should malware get to the end-point, it is detected and removed promptly before it can do damage. 

Ensure you have good backup discipline, having a secure local backup repository can mean the difference between a restore operation taking days versus weeks to restore from cloud or off-site repositories. Virtual backup servers are a risk that organisations should avoid. If you lose the virtual environment, you lose your backup server as well. This means you will have to manually rebuild the hypervisor and the backup server to restore everything else.

 

Monitor for indicators of compromise

There are an increasing number of analysis tools available that will user heuristics, ML and AI to automatically monitor network traffic and correlate individually benign indicators of compromise to provide a clear picture of malicious activity and act before damage is done. 

 

Use true Next-Gen anti-malware – must include AI-based detection

Using next-gen anti-malware to provide the highest levels of protection on your end-points such that should malware get to the end-point, it is detected and removed promptly before it can do damage.

 

Make it easy to detect and investigate compromises

Communication flows between different components can be particularly vulnerable to exploitation methods such as MITM attacks. Organisations should use tools such as encryption and network access control lists to protect against this and make any subversion attempts easier to spot.

 

Build a methodology to triage and respond when there is a problem

The likelihood of a cyber incident occurring in any business is only going to increase as new threats emerge and the pace at which we work continues to increase. Mistakes will happen. Your incident response speed is vital to maintain high customer confidence.

The cost of cyber incidents is also largely underestimated by most organisations until they are faced with them. Hidden costs from regulatory fines, loss of reputation, legal fee’s from customers whose data has been compromised can all be very real problems. 

 

Safely develop and manage systems

Ensure clear demarcation between production and development systems. Have clearly defined software release processes to prevent untested development software being loaded onto production systems. 

The number of remote workers is increasing and with that the variety of devices being connected to business systems. You need to have a clear understanding and control of the connected devices as well as how and where they are being connected. This is important to ensure the devices are legitimate and to protect against data exfiltration. 

 

Control applications in use in the environment

Application control ensures that users do not have the ability to use or install unauthorised software. Having rigorous application control in place with regular software audits can help identify software that should not be there and may be an indicator of compromise.

 

How CyberLab Can Help

CyberLab can provide consultancy and support on your key technology projects, help deliver business solutions, support your users in adopting them and provide managed or reactive support when your solution is up and running.

If you haven’t done so already, our Posture Assessment tool is a quick-and-easy way to identify your strengths and weaknesses, and get a better picture of your overall security posture. 

We have put together a page of recommendations for improving your Architecture and Configuration, and which tools can help, which you can read here.