Security of remote work

How to make network security monitoring easier – problems and solutions for the public sector

(08.06.2020)

Rafał Broda, Project Manager, EXATEL S.A.

Paweł Wojciechowski, Business Development Manager, Fortinet

— Rafał Broda — 04:03

In a previous webinar, by asking and answering fundamental questions, we created a secure access system taking into account organisational requirements and multi-factor authentication.

— Paweł Wojciechowski —

The result is this architecture. We talked about how to create secure remote access. The main component of this solution is FortiGate, a firewall included in our offer, on which you can implement a VPN gateway. To connect this on the client’s side, you need FortiClient i.e. a VPN client that will allow you to connect this VPN tunnel and then you will have a secure remote connection. We talked about the fact that you could have a free VPN client and such a client had only a VPN functionality. But because we’re talking about remote work and endpoint security is critical, you should consider the full client option, i.e. FortiClient together with management – FortiClient EMS. This is a paid option, however, in addition to the VPN gateway it provides endpoint security, i.e. antivirus software and other advanced security systems, vulnerability scanner, network filtering, as well as integration with Security Fabric and security policies on FortiGate.

You can also add two-factor authentication to further strengthen the security of remote work. To this end, you need FortiToken on the user side which can be available in either application or hardware version, and a FortiAuthenticator that will centrally manage the tokens to implement this two-factor authentication. This is the picture we presented to you last week, and today what we are going to show you how to manage it effectively in a larger company with many branches.

— Rafał Broda — 06:40

We already have some components of a security system. The solution works and is stable. Security is a constant arms race. The question that comes up all the time is how we can do things more efficiently when we have budget constraints. How to choose, adequately to my current situation, components, services, people, so as to control this security in our organisation, but at an assumed, common sense level.

— Paweł Wojciechowski —

On this slide you can see the Security Operations Center and its applied maturity model. Depending on the size of your organisation, its maturity, and the tools you have, you need to choose activities and tools that are appropriate to your organisational skills and create a SOC that you can use effectively. There are three levels of SOC. SOC 1 are organisations that have a joint IT and security team where incident response is the best possible practice. When it comes to tools, we’re talking about logging, but also incident detection and response. Then we’re talking about an organisation that is a bit larger and has a dedicated security department. It is not that big and comprises potentially 3-5 employees. In terms of processes, it already has a security incident response plan, if not for all areas, then at least for some. It also has tools that allow for management of a heterogeneous environment. The third level of the organisation is an organisation that has a highly developed security department, an organised SOC, an extensive environment and a vast infrastructure to manage. It also conducts advanced processes that require automation. As far as tools are concerned, this type of organisation has already achieved the highest possible level, and in order to control

inefficiency of selected processes, we need to implement tools that will put processes in order and react to security incidents in a consistent, uniform way.

Each person needs to answer the question what tools they need. What we are showing here (in terms of a maturity model) is that if you have a homogeneous environment based on FortiNet and it is not a large organisation, then Fabric Management Center (which consists of FortiAnalyzer and FortiManager) will definitely be a good solution. If you go higher, i.e. you have a more mature organisation, a separate security department and a heterogeneous environment, then it is worth adding FortiSIEM, which will download logs or messages from various solutions, from various developers, and you will have one central management console at the FortiSIEM level. The third level is the largest organisation that needs consistency of incident response and process automation. That’s what FortiSOAR is for. What you see on this slide is that regardless of the size of your organisation, if you have FortiNet solutions, it’s always a good idea to have FortiAnalyzer and FortiManager in your security architecture to manage FortiNet. It’s part of a larger solution that you’re going to implement. Our focus today will be on organisations that have an IT department combined with a Security department.

— Rafał Broda — 11:58

This is a best practice model indeed, but I would like to apply it to my own network. The situation here looked like this: In the beginning there was a central branch, mainly a firewall, a VPN concentrator, and then more branches were established (field, regional) which used to organise Internet access on their own, and at the same time needed access to central resources. The concept of bulk-launched remote desktops at switch was interesting but proved ineffective. In addition, there were third-party solutions coming from e.g. some database providers, local system providers, geodetic maps, etc. Over less than a year our network has expanded, we now have a dozen or so UTMs under our management, and the scale effect that has come about in the meantime has overwhelmed us a little. We try to maintain homogeneity, consistency of suppliers because we can’t afford the budget for engineers one of whom would take care of the edge of the network, the second one of the switching layer, and another one of the Wi-Fi network. We have one complete and comprehensive technology but how to manage it all effectively?

— Paweł Wojciechowski —

The central management system consists of two solutions. The first is FortiManager which, in a nutshell, is a central configuration management system for FortiNet solutions. This solutions does what a configuration management system would do. FortiManager makes it possible. You have the configuration management of FortiGates but also Switches, APs and Extenders in one place. You also have security policy management in one place, so if you have a certain number of devices and you would like to keep security policies consistent, you create them in one place and then distribute to those devices and control what type of profiles and policies are applicable on them. That’s the first thing.

The second important point is the central back-up of device configurations. FortiManager allows you to create a central back-up of the device configuration. When something happens to it and needs to be replaced, you can restore the configuration of this device from the back-up. We have a central back-up of the device configuration and consequently we have control over the process and audit changes. We have configuration versioning, meaning you can see configuration version, its timeline, how, when and by whom it was changed. This is also a very important functionality, not to mention something we call Zero-touch provisioning. It comes in handy when you have dozens or hundreds of devices to configure at one time or they are geographically dispersed. We have a procedure and a process to ensure that if the device is connected to the Internet at the target location, it will connect to the cloud. You just need to subscribe the FortiDeploy service. Next, the device will receive information to which FortiManager it should connect. Then the FortiManager accepts connection and automatically sends configurations to the device. This way we can automatically configure a large number of geographically distributed devices. This takes just a few minutes after which the device works and you have a secure remote branch. Not to mention the RESTful API.

As I stated at the beginning, we’re organically developing the Fortinet Security Fabric platform, we have it open, we have a pretty broad API, so if you have FortiManager, and you wish to e.g. download information from FortiManager, upload it into the reporting system and wish to integrate the information

that is within FortiManager with another external system, then you can do that, because the API allows you to conduct such operations.

— Rafał Broda — 17.40

Centralised management does sound appealing, doesn’t it? But we did not anticipate such costs in our expansion. We are able to point out its strengths such as relieving the burden on people or responding more quickly to change. But we are operating within certain budget limitations. We have the discipline of public finances, we have a budget to meet and it is good that it is not exceeded – whereas with the development that we have shown on the timeline, costs are increasing. In this case, how to approach the implementation of such a solution? Should I use physical or virtual model? Are there any additional, hidden costs for other functionality licenses?

— Paweł Wojciechowski —

We can provide both solutions, of course, in the form of devices or virtual machines. What we’ve presented on this slide is a fragment of data sheet that shows what type of devices we have. What you should know when it comes to FortiManager licensing is that it is licensed per number of devices managed. In case of FortiManager 200F there are 30 of them, and assume 100 for 300F and 1000 for 1000F. It’s a bit different with virtual machines because the basic option has 10 licences but as your environment grows, this base version can be expanded. The second 10+ licence is called FortiManager-VM-10-UG. It adds ten more devices, so if you buy the basic licence and the 10-UG licence, you get 20 managed devices. You can of course extend it to 1000 or 5000. If you ask for recommendation, with a dynamically changing environment that’s potentially going to grow, it’s worth going for a virtual machine because it’s expandable and scalable. If someone has a fixed environment and knows they have, say, 28 devices and this network won’t be expanding, they might consider a physical machine. What is also worth emphasising is that we license FortiGates. FortiSwitches and FortiAP, which can also be managed from FortiManager, do not require a licence and do not enter the counter. So, if you have ten FortiGates, two FortiSwitches and three FortiAPs, you need ten licences, which means that the basic VM licence is enough to manage such an environment. And one more thing – if you have several FortiGates, without FortiManager you must manage FortiGates separately, i.e. log on to the FortiGate and configure the security policies there. Our experience is that when customers have 10 or more devices, then they want to have FortiManager as well. Some customers even with fewer devices also opt for it.

— Rafał Broda — 22:04

At this point we have proper management and we can roughly estimate the budget. Some clients end their journey here, while others go a little further. I have the central management solution and I collect plenty of data and events. The Holy Grail of security is false-positives which are those incidents we waste time analysing for, and at the end of the day it turns out that they were actually good actions, it wasn’t some incident or hacking attempt. We would like to deal with actual security incidents. In the previous webinar we presented statistics that  it takes a few months until action is actually taken from the moment a problem occurs in the network (a network infection), so I have some time, while this stream of events that flows to me is fairly large. The number of reported events is really high. How do you, metaphorically speaking, try to separate the wheat from the chaff?

— Paweł Wojciechowski —

And here is the second component of the Fortinet Management Center – FortiAnalyzer. In simple terms, FortiAnalyzer is an analytics tool that gives us real-time insight into your network infrastructure. This tool has many functions but we will focus on the key ones. The first is that FortiAnalyzer is a tool you need to create the Fortinet Security Fabric which is one common and central platform for cyber security management. It is a tool that allows you to collect logs practically from most FortiNet solutions and is a central log repository. The icons you can see at the bottom on the right reflect the various products in the FortiNeta portfolio that log events to the FortiAnalyzer. The central log repository is essential in some regulated industries. Also, if you have an audit at your site, typically one of the audit questions when it comes to IT is whether you have a central log repository.

In homogeneous environments with FortiNeta solutions, FortiAnalyzer provides this functionality.

25:14

The second key functionality is visibility, visualisation. By collecting logs – by Security Fabric – and connecting to individual solutions in the FortiNet portfolio, FortiAnalyzer can present the network infrastructure.   Here you have a picture of the physical topology, but we can also see the logical topology. Depending on what incident we are dealing with at the moment, we can use different topology. Logical topology is clearly helpful in explaining incidents and failures because it shows how the connections are made at the time. But we also have other visibility because – through Security Fabric and the connection to the endpoints, which is FortiClient – you can have visibility of the vulnerabilities that are on the endpoint computers at any given time. For example, let’s take Mr. Thomas Knoll who has both a Windows and a MacOS endpoint device: in that basic IP view you can see where it is at any given time but also what vulnerabilities his applications have. Thus, FortiAnalyzer enables you to visualise your network infrastructure. FortiAnalyzer is also, or perhaps primarily, a tool for central analysis and management of security incidents. What you can see here is a view of security events that have gone through certain security policies, have been extracted from logs, and may even be correlated already. In this view they are shown in the context of end devices. For example, the laptop shown on the slide has 12 security events, ranging from medium through high to critical. This is the first view but there are more so that the way these security events are managed is effective. Here you can see the list of compromised hosts. You can access this view and quickly get information about which computers in your company have critical security events, and therefore which computers need to be addressed and require appropriate action to be taken.

Another view is from the perspective of the type of attack, and here we will use the example of communication with command & control, which is a botnet management center. In this view, you can see that you have computers in your infrastructure that are part of botnets and are communicating with the switch. Here we can see that there are 14 botnets that computers or devices from your infrastructure are communicating with. So, we have several types of security event views that serve the purpose that if a security analyst or a person who deals with security in a company is to review these messages, they should review them in an efficient manner and then, and on the basis of those views, draw conclusions as to which events or areas of security they should address in order to use their time efficiently. Once that person has analysed the events, then you can automate that process and run further correlations and create incidents from those events. That is, we have security events, then we have security incidents, and those are the issues that a security analyst or a security person is supposed to deal with to explain and close them. We can manually create the incident from these security events but we can also do it automatically.

Once we have a security incident, FortiAnalyzer provides you with a tool that will manage the full lifecycle of the incident and give you a view where you can see everything related to this incident. What is more, this solution can be integrated with selected helpdesk systems, so if your organisation has a helpdesk system and processes within which are used to manage security incidents organisationally, it is possible to integrate it so that the incident is sent to the helpdesk and processed there. FortiAnalyzer will still provide a tool to help analyse but also close the incident and then – as the helpdesk closes the incident – it should automatically be closed in FortiAnalyzer as well.

— Rafał Broda — 32:18

The solution is quite interesting. We have event correlation, intuitive visualisations, lots of views but I want to go back to the question asked in case of centralised management – how to estimate the budget of such a solution? We have had a few presentations regarding maybe not similar but analogous solutions and we would not like to fall into the trap of a low cost of entry which increases when adding more functionalities, views, etc. So, which version of this solution should be chosen, the physical or virtual one? What else could be licensed there?

— Paweł Wojciechowski —

Again, I’ve taken the liberty of cutting out fragments of the data sheets regarding the performance of each solution. Most of our clients use FortiAnalyzer in the virtual version, although we provide both, of course, namely

a virtual and a physical machine. As with FortiManager the difference is in scalability i.e. FortiAnalyzer as a physical device has this performance assigned to individual devices and the larger the device, the higher the performance. So, if you have a reasonably stable environment, you can determine what kind of performance it needs, and then the FortiManager in a physical version can be the best solution. However, most of our clients use FortiAnalyzer in the virtual version. One of the arguments for this is that they can start with a basic option and then as performance demands increase, add capacity to that basic option, that is scale it. We do not license devices. In the virtual version there is practically unlimited number of devices, and if someone has an environment larger than 10 thousand devices, they need to put more virtual machines. What we license is performance i.e. in this case the number of gigabytes of logs per day and the capacity of the solution (the number of logs that can be stored in this solution). Depending on your needs, these two parameters are in fact the most important when selecting a solution, because as far as performance is concerned, you know how many devices you have and how many logs there are, and the second thing is to answer the question of how long you want to keep these logs – whether it is 10, 30, 100 days or half a year – and then choose the appropriate size of a virtual machine or a licence.

As you can see, there is a basic version here and each subsequent licence that is shown later is a version that increases the capacity – the performance of the virtual machine in the basic version. While this is the basic version, there are additional licences for FortiAnalyzer that license advanced functionalities. If you wanted to be proactive and look for symptoms of hacking in your environment, which is really downloading IOC (Indicator of Compromise) from an external FortiGuard database, it’s one licence. If you want to automate certain processes and bring in that automation and orchestration along the lines of SOAR – it’s another licence. However, when it comes to the basic functionalities, i.e. log collection, visualisation and security incident management, you need a basic licence and answer two questions: “What is the number of logs per day” and “How long do I want to keep these logs on our solution”.

— Rafał Broda — 37:33

This is where I think I would stop my security development. It’s actually good to have that access to a global database and it’s good to have it correlated. Unfortunately, this year’s budget is running out. The solution presented here seems to be exhaustive. I have event correlation and mostly centralised management. Every once in a while, when analysing events and incidents, there are times when I can’t find a certain incident in the known databases and don’t know what to do with it really. Could EXATEL protect me somehow?

We have a team of certified experts. The composition of SOC allows for extensive security analysis – including incidents. SOC is not just a collection of technologies and procedures but it is the people who encounter particular incidents, analyse them and learn from them – it’s beneficial to have access to their services. What we want to offer you is the EXATEL Assistance service. It is not a service tied in some way to a full SOC, nor is it full monitoring or incident response, etc. This is like a compromise between the two – we are not going to use this maximum edge of our domain analysts’ skills, but we want to get something that is able to protect us in critical situations when we are not able to handle them. EXATEL Assistance service offers you a kind of insurance policy. This is a service dedicated to IT infrastructure where the client, during a two-year contract, can report up to four incidents per month. The number of incidents may not be that important but here the determinant of this service is the number of man-days (MD) we are able to devote within this subscription. The scope of the service is that 12 MD are assigned to this service, and if there are incidents (and sometimes they do occur) that exhaust the limit of man-days, then you can buy another package and further requests will be handled. The model for this service is presented on this slide. We are talking about the ad hoc provision of support by experienced SOC experts. In practice, after detecting an event/incident and trying to analyse it, the client is able to determine after some time whether it is serious and whether they are able to handle it or need support. There are many different actions that can be undertaken – sometimes it is backtracking of the code, sometimes it is securing data once we have found there was a break-in and we need to secure data, for example for prosecution purposes.

In each of these events, we are able to determine how long this action will take. A task force is set up to handle this specific incident and is in constant contact with the client via e-mail and phone. A preliminary analysis is then conducted and we can take action. In the beginning, of course, we perform activities that are supposed to quickly remedy consequences of the attack. Later, we move on to solving a specific problem.

To sum up, we created a model in which – let me remind you, we started with a dozen or so devices and branches – we have centralised management and we have created an intelligent log collector that can be supported by the global experience of the task forces. Finally, there is this last resort solution – contact EXATEL by phone or e-mail, describe your problem and the support team will analyse it thoroughly. It seems to be a pretty good compromise – on the one hand we have a precisely estimated budget, we know our fixed charges that come with it, and on the other hand we have this guarantee of the assumed level of security which in the case of these maturity models is achieved.

— Paweł Wojciechowski — 44:15

So, we have a coherent picture of an integrated safety and risk management environment. I’ve already talked about this base which is secure connection and two-factor authentication. Today, we added the issue of FortiAnalyzer Manager as this central management system. If your environment expands and you have a few or a dozen locations where you invest both in FortiGates and other FortiNet solutions, such as Switches, Access Points, and there is a lot of them, consider implementing a central management system and creating your own SOC based on these two solutions as part of the FortiNet Security Fabric.

— Questions — 46:52

“What guarantees does the use of the Assistance service provide?”

— Rafał Broda —

It’s not cyber insurance where we have the whole process of settling the claim, paying the claim, etc. This service is connected to security assessment process conducted for the client that is preceded by an analysis, a reconnaissance at the client’s site. While the Assistance service doesn’t offer the same guarantees as cyber insurance, it is a sort of “phone a friend” lifeline that you can use at any time and you have a guarantee that someone will help you and you won’t be left with a problem that you can’t handle yourself.

48:18

“How many logs generate security alerts? How many of them turn into an actual incident?”

— Rafał Broda —

An alert is a potential security incident, if I am right, but not the logs themselves because the number of logs can be gigantic. So we’re talking about security alerts here. For small organisations, roughly 8-10% of these types of alerts are classified as an issue for some deeper investigation. However, in the case of larger companies it is only about 3-5%.