Harden and Validate Network Security with FireScope DDM

You can't protect what you don't know you have. FireScope Discovery and Dependency Mapping enables organizations to discover their entire infrastructure, including servers configured not to respond to ICMP traffic, which most discovery engines cannot detect. The solution also helps organizations understand all service entry points and their downstream dependencies, so that security efforts can be aligned with how IT supports the business.

  • Service Maps provide visibility into all threat vectors
  • Fully inventory your operational infrastructure, accurate to the minute
  • Understand the normal business state of dependencies and connectivity
  • Identify unapproved changes and systems
  • Locate and track your most commonly used entry points to plan and validate layered defense
  • Spot abnormal activity that may be the early stages of a security breach or attack

Discovery Has a Clear Role in Security

You can't secure what you don't know you have. It sounds basic, but with the rise of automation and DevOps, and with groups outside of IT starting their own technology projects, this basic premise has become much harder for today's IT security professionals to satisfy.

Case in point: a recent customer discovered 3500 servers they didn't know they had using FireScope DDM, and that was in an environment with strict change control processes and discovery tools sweeping every subnet every 24 hours. That's 3500 potential threat vectors that security wasn't actively watching.

So, how did so many servers escape notice?

In this particular case, the system images carried tight local firewall rules that dropped or ignored ICMP traffic. Most discovery engines begin with a ping sweep (ICMP echo requests) to build a short list of responsive IP addresses for subsequent scans; these machines never answered, so the later fingerprinting scans never examined them. Note that a host which drops ICMP still answers on whatever TCP/UDP ports it has open, so a scanner configured to skip host discovery and probe every address directly (nmap's -Pn mode, for example) would have found them, at the cost of scanning the full address range. Agents would also have avoided the problem, but they weren't installed on these servers because of an organizational distaste for agents.

Applying strong security policies to these systems didn't make them invulnerable to attack. It also raises the question: could any of them be VMs created by hostile actors to hide a backdoor into the data center?

How did FireScope detect 3500 servers that other discovery tools didn’t see?

The key lies in FireScope's method of dependency mapping. By collecting NetFlow/sFlow records and raw packets from port mirroring, we could see systems communicating with IP addresses that had no discovered asset behind them. I liken it to discovering black holes: you don't see the black hole itself, but you can see its interactions with nearby objects and infer its existence. An Oracle server with appropriate firewall rules may not respond to discovery scans, but it will still communicate with application servers, web servers and other service dependencies. That traffic is what led us to spot these network black holes.


Identification of Service Entry Points

FireScope also gave this customer several other insights that helped them adjust their security strategy. The most critical was a definitive list of the entry points for each application or service, produced by monitoring the requests made by internal and external consumers. Most of these were already known, but anything less than a complete picture of service entry points leaves unknown threat vectors that cannot be fully mitigated.

From each entry point, FireScope DDM maps all of the dependencies and establishes a baseline dependency map for each critical IT service. This aids security teams in two ways.

First, they can fully understand the flow of a normal user transaction and its physical, virtual and network underpinnings. From a security perspective, I can now devise a layered defense that is aligned to the services being delivered and prioritized by business impact, instead of a technology-centric approach in which everything looks equally important.

Second, because FireScope DDM continually analyzes network activity, exceptions to the baseline topology map are visualized in a split view that makes it easy to see new members of a service, changes in cross-system communication, or the disappearance of members. I can compare this against approved changes to find where unauthorized connections are being made or unauthorized systems have been brought online. These are potential security threats that warrant further analysis.
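To make the two techniques above concrete, inferring undiscovered hosts from flow records (the black-hole inference described earlier) and diffing the current dependency map against an approved baseline, here is an added Python example. It is not FireScope code and does not reproduce FireScope's implementation; the flow records, asset inventory, baseline map and internal address range are all constructed sample data, and each flow is a simplified (src, dst, dst_port, bytes) summary rather than a real NetFlow/sFlow record.

```python
"""
Infer "dark" hosts and topology drift from flow summaries.

Added illustration, not FireScope's code. All data below is constructed:
the inventory, the internal address range, the flows and the baseline map.
A flow is a simplified (src_ip, dst_ip, dst_port, bytes) tuple, not real
NetFlow v5/v9 or sFlow encoding.
"""
import ipaddress
from collections import defaultdict

# Constructed: what a ping-sweep-based discovery tool reported.
DISCOVERED_ASSETS = {
    "10.0.1.10",  # web01
    "10.0.1.11",  # web02
    "10.0.2.20",  # app01
    "10.0.9.5",   # jump host
}

# Constructed: the internal address space the inventory is supposed to cover.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow summaries, as a collector might export after aggregating
# NetFlow/sFlow or mirrored packets: (src, dst, dst_port, bytes).
FLOWS = [
    ("203.0.113.7", "10.0.1.10", 443, 48213),   # external client -> web01
    ("198.51.100.4", "10.0.1.11", 443, 9120),   # external client -> web02
    ("10.0.1.10", "10.0.2.20", 8080, 6031),     # web01 -> app01
    ("10.0.1.11", "10.0.2.20", 8080, 5440),     # web02 -> app01
    ("10.0.2.20", "10.0.3.30", 1521, 120004),   # app01 -> DB host that drops ICMP
    ("10.0.2.20", "10.0.3.31", 1521, 98000),    # app01 -> second undiscovered DB host
    ("10.0.9.5", "10.0.3.30", 22, 1500),        # jump host -> DB host
    ("10.0.7.77", "10.0.2.20", 8080, 250),      # unknown internal host -> app01
]

# Constructed baseline: the approved dependency map from the last review.
BASELINE_EDGES = {
    ("203.0.113.7", "10.0.1.10", 443),
    ("198.51.100.4", "10.0.1.11", 443),
    ("10.0.1.10", "10.0.2.20", 8080),
    ("10.0.1.11", "10.0.2.20", 8080),
    ("10.0.2.20", "10.0.3.30", 1521),
    ("10.0.9.5", "10.0.3.30", 22),
    ("10.0.9.5", "10.0.1.10", 22),  # admin SSH path present in baseline, absent now
}


def is_internal(ip):
    """True when ip falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def infer_dark_hosts(flows, discovered):
    """Internal IPs seen in flows but missing from the discovered inventory.

    A host that never answers a ping sweep still shows up as a peer of hosts
    that do. Returns {ip: {(peer, dst_port), ...}} so an analyst can see what
    each undiscovered host was talking to.
    """
    seen = defaultdict(set)
    for src, dst, port, _ in flows:
        for host, peer in ((src, dst), (dst, src)):
            if is_internal(host) and host not in discovered:
                seen[host].add((peer, port))
    return dict(seen)


def entry_points(flows):
    """(host, port) pairs that receive traffic from outside the internal nets."""
    return {(dst, port) for src, dst, port, _ in flows
            if not is_internal(src) and is_internal(dst)}


def build_edges(flows):
    """Directed service edges (src, dst, dst_port), byte counts dropped."""
    return {(src, dst, port) for src, dst, port, _ in flows}


def diff_topology(baseline_edges, current_edges):
    """Compare the approved baseline map with the currently observed one."""
    def members(edges):
        return {e[0] for e in edges} | {e[1] for e in edges}
    return {
        "new_edges": current_edges - baseline_edges,
        "missing_edges": baseline_edges - current_edges,
        "new_members": members(current_edges) - members(baseline_edges),
        "missing_members": members(baseline_edges) - members(current_edges),
    }


if __name__ == "__main__":
    for host, peers in sorted(infer_dark_hosts(FLOWS, DISCOVERED_ASSETS).items()):
        print(f"undiscovered host {host} talks with {sorted(peers)}")
    print("entry points:", sorted(entry_points(FLOWS)))
    for key, value in diff_topology(BASELINE_EDGES, build_edges(FLOWS)).items():
        print(f"{key}: {sorted(value)}")
```

Running the script reports 10.0.3.30, 10.0.3.31 and 10.0.7.77 as internal hosts that the inventory never recorded but that are clearly alive, because other systems exchanged traffic with them; the topology diff flags the second database host and 10.0.7.77 as new members and the vanished admin SSH path as a missing edge. In a real deployment the inventory would be an export from the CMDB or discovery tool and the flows would come from a collector; the missing side of the diff deserves as much attention as the new side, since a dependency that disappears can mean a host was decommissioned or re-addressed without a change record.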


As mentioned previously, you can't secure what you don't know you have. It's one of the oldest tenets in IT security, and one that is becoming harder to achieve as modern datacenters change more rapidly. Traditional security monitoring approaches that rely on log aggregation and analysis cannot readily solve this challenge: how do you monitor logs from systems you don't know you have and that traditional discovery tools can't find? The answer lies in new methods of discovery and in getting back to the basics of fully understanding service dependencies and what normal connectivity looks like within the data center.

Want to know more? Take a look at FireScope DDM in action by viewing our short, 7-minute demonstration.