ClearPass orchestrates rapid incident response with security process automation


Once a network is compromised and one or more devices are infected with malware, it can take the IT staff days, weeks or even months to discover and effectively plug the breach. Last year, the median number of days an organization was compromised before the breach was discovered was 146. That's nearly five months.

Such a large gap between infection and response is dangerous, as it affords the attackers an uninterrupted window of opportunity to exfiltrate valuable corporate data and IPR. To make matters worse, such breaches are increasingly playing out in public, resulting in loss of market share and oftentimes the firing of senior execs. Attackers see mobile devices as the easiest route to accessing sensitive enterprise data. The rise of the Internet of Things (IoT) means that many more devices, and many different types of devices, are connected to enterprise networks. And all too often, IoT devices were not designed with security as a priority.

Shift from manual to automatic

When a breach does occur, every second counts. But the reality is that many security administrators are overwhelmed. They spend an inordinate amount of time investigating threats to see if they pose a real danger. They have to wade through massive volumes of alerts, and as the Target breach and many subsequent incidents showed, they often ignore or fail to notice these alerts entirely. The threat is often lost in the noise.

IT organizations are turning to security process automation to help them respond faster to security incidents. With automation, the burden is shifted from people to tools. When security tools work together, admins are no longer left to connect the dots themselves. Instead, the security infrastructure can work together to identify and analyze potential threats.

For example, Aruba ClearPass Policy Manager lets you secure network access for all device types covering wired, mobile and IoT, and provides visibility, policy control, and workflow automation. You can define smart access policies based on very granular context, including device type, ownership status or operating system.

But ClearPass goes one step further: it works in conjunction with your security and IT infrastructure to connect the dots and enforce policies for you. Firewalls, intrusion prevention systems, endpoint security solutions, mobile device managers, security information and event management (SIEM) systems, trouble ticketing systems and other products work as the eyes and ears for ClearPass. ClearPass Exchange, the ecosystem partnership program for ClearPass, works with more than 150 technology partners.

Let's say that my laptop suddenly begins sending out huge amounts of data. The unusual data flow is detected on the network and logged to Micro Focus ArcSight. ArcSight can use well-defined ClearPass APIs to automatically pass an alert about this suspicious activity, and ClearPass can automatically enforce a policy to protect the network from my laptop. The policy action may vary depending on the severity of the policy violation, and it can take into consideration additional context that ClearPass always has access to. For example, ClearPass can block access for that device by working in conjunction with the firewall. The threat is automatically neutralized, with no manual intervention. Or ClearPass can quarantine the device and force the user to re-authenticate. Or it can simply send an alert to a trouble ticketing system or the IT service desk for further action.

Partner solutions integrate with ClearPass using well-defined REST APIs, syslog, NetFlow and similar interfaces. In addition to sending alerts or information to ClearPass, partner solutions can also extract context, user and device authentication data from ClearPass, which helps them be more effective and accurate in their own correlation, analytics and threat detection functions.

A step-by-step approach

Even though most security administrators are overburdened, many are wary of automatically denying network access, as the device may belong to an executive or support a critical business process. Automating security policy enforcement doesn't have to mean a total loss of control.

Instead, take a step-by-step approach for automating detection, validation, and enforcement. Start by alerting the service desk when particular policies are violated. That way, the service desk staffer can review the incident and escalate as needed. As you gain confidence, you can automate detection and enforcement. If nothing else, you can use ClearPass to more effectively detect and flag issues in the network by taking advantage of deep context in its database, and its integration with a large number of security solutions.
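The ArcSight scenario above and the staged rollout described in this section, as an added example that is not ClearPass, ArcSight or partner code: a SIEM alert in CEF (ArcSight's record format) is combined with the kind of device context ClearPass holds, and a single `enforce` switch moves from ticket-only to automated response. The context field names, severity thresholds and action names are assumptions.

```python
# Added example, not ClearPass or ArcSight code. Field names, context
# fields and action names are assumptions modelled on the post's workflow.
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    TICKET = "open_ticket"            # notify the service desk only
    QUARANTINE = "quarantine_reauth"  # quarantine role, force re-authentication
    BLOCK = "block_via_firewall"      # ask the firewall to drop the device
@dataclass(frozen=True)
class Alert:
    device: str
    severity: int  # CEF severity 0..10 as assigned by the SIEM
@dataclass(frozen=True)
class DeviceContext:  # the kind of context ClearPass holds about an endpoint
    device_type: str  # e.g. "laptop", "iot"
    ownership: str    # "corporate" or "byod"
    user_role: str    # e.g. "employee", "executive"

def parse_cef(line: str) -> Alert:
    """Pull severity and source host out of a CEF record (ArcSight's format).
    Simplified: extension values containing spaces are not handled."""
    fields = line.split("|", 7)
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    ext = dict(kv.split("=", 1) for kv in fields[7].split())
    return Alert(device=ext.get("shost", ext.get("src", "unknown")),
                 severity=int(fields[6]))

def decide(alert: Alert, ctx: DeviceContext, enforce: bool) -> tuple:
    """Map alert severity plus device context to response actions.
    enforce=False is the post's first rollout step: only open a ticket."""
    if not enforce:
        return (Action.TICKET,)
    # IoT endpoints cannot re-authenticate interactively, so quarantine gains
    # nothing: anything above low severity is blocked at the firewall.
    if ctx.device_type == "iot" and alert.severity >= 4:
        return (Action.BLOCK, Action.TICKET)
    if alert.severity >= 8:
        # Critical: an executive's corporate device gets the reversible
        # quarantine plus a ticket for review rather than a hard block.
        if ctx.user_role == "executive" and ctx.ownership == "corporate":
            return (Action.QUARANTINE, Action.TICKET)
        return (Action.BLOCK, Action.TICKET)
    if alert.severity >= 5:
        return (Action.QUARANTINE,)
    return (Action.TICKET,)

# Constructed sample record: a laptop flagged for an unusually large upload.
SAMPLE_CEF = ("CEF:0|Micro Focus|ArcSight|1.0|1001|Large outbound transfer|8|"
              "shost=my-laptop src=10.1.2.3")
```

With `enforce=False` every alert, including the critical one in the sample, only opens a ticket; flipping the switch is the point at which the same alert starts driving quarantine or firewall actions.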