Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Application Aware and Critical Control 2 - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Application Aware and Critical Control 2

Have you ever considered how many Critical Controls that your contextual (e.g. Next Generation) platform applies to? I bet it is more than you think. Consider your application aware platforms feature, in which it does deep layer 7 packet inspection and identifies applications. Wait a second, “I assumed” by inventory that the Control mean going around to every workstation and assessing what was installed? Sure, that is a critical component, but with application aware platforms, your ‘platform’ can quickly be turned into an audit device. Set up a span/mirror/tap on a spare port and assess VLANs. Pull reports on ingress/egress segments. This is all part of implementing critical controls.

First, you can run analysis and identify what applications and services are leaving your environment. Add on to that encryption inspection and then the platform becomes an effective shadow Information Technology (IT) audit device. Imagine for a moment business unit X, unit X we will call Marketing, for the moment (secretly I like to pick on marketing because they are maverick thinkers). Marketing decides they need a new website with ‘explosive’ new features. They know that ‘IT Security’ will ‘have a cow’ on this… but it will drive business, they say. Now, how many of us know this has either

A) Seen this

B) Had a colleague tell us

C) Can imagine

We will go one step further for this illustration and say super important Event Y is in 3 weeks. This event is the biggest XYZ event of our industry.

For this scenario we will even go a few strides further and say the event and the launch is a smashing success. Now ask yourself, does Marketing go back and update? Do they contract maintenance? Does all the regular order of what it takes to maintain an IT application occur? Who knows!

People drive business, features and function drive revenue to be sure! Now,  lets get back to Critical Control number 2, know thyself (e.g. Software). For sure, you should inventory what software is deployed in your environment. This would include more than what your contextual next genration platform can do, however lets stop for a moment? Some software stays local on systems, a great deal of software talks to the cloud. What if there was a platform that could pervasively identify … ‘wait setting myself up to well’ … Applications?  The platform can provide you insight into applications and services running in your environment and serve as an analysis platform. This can clearly aid in Critical Control 2 as well as serve as an audit and control platform.

Let us say there is a research and development network segment that needs inventory. There is an effort underway to assess, pragmatically, each workstation. Now imagine if you could have a view into what applications were in regular use? Application aware platforms is a Critical Control 2 enabler! 

Richard Porter

--- ISC Handler on Duty


173 Posts
ISC Handler
Nov 4th 2015

Sign Up for Free or Log In to start participating in the conversation!