Making Cybersecurity Policy Work For You: Tunable Security Mitigation At Attack Speed

Posted June 16, 2020

The latest CloudShield™ Eclipse (formerly known as Aeonik) software release introduces real-time Cybersecurity Policy Orchestration & Enforcement, providing tunable security mitigation across a comprehensive set of attacks including SMBGhost.

In our prior software release, LookingGlass CloudShield™ Eclipse added support for AWS Cloud deployments, as well as upgraded the supported Zeek version for behavioral detection and mitigation plans.

With CloudShield Eclipse’s new software release (v2.3), we address one of the challenges of managing an organization’s cybersecurity systems: how to orchestrate and tune those technologies to carry out the cybersecurity actions required by compliance, operational necessity, or incident response.

CloudShield Eclipse – Policy-based cybersecurity supporting dynamic adaptability of secure behaviors

Without CloudShield Eclipse, many organizations have a patchwork of technologies, which often take significant operational effort to integrate and may still not provide the enhanced security protection strategy that drove the purchase in the first place. Policy definition and enforcement across a disparate security stack is often difficult or impossible.

CloudShield Eclipse introduces a major enhancement that supports Policy Orchestration for the entire security stack deployed across the enterprise. CloudShield Eclipse’s Policy Framework leverages technology from the open source project Open Policy Agent (OPA), a general-purpose policy engine that provides cloud native policy control for technologies such as Kubernetes.

CloudShield Eclipse defines the three separate policy roles (administration, decision, and enforcement) as follows:

Figure 1: CloudShield Eclipse & Policy Architecture

Implementing CloudShield Eclipse into Your Cyber Mitigation Strategy

To help put the power of policy orchestration in context, let us start with how organizations typically apply cybersecurity policy in practice.

Figure 2: Phases of Cybersecurity Policy Application

Policy Planning

As we highlighted in our blog on integrated cybersecurity, the Zero Trust framework has provided the cybersecurity industry with a useful reference on how to define, organize, and plan cybersecurity controls to protect an organization.

CloudShield Eclipse Policy focuses on supporting organizational requirements across granular access, complete visibility, operational automation, and deployment flexibility as shown below.

Figure 3: Zero Trust Requirements for Policy

Organizations typically apply cybersecurity policy based on a mix of compliance, strategic, and tactical requirements across the four key areas defined by Zero Trust.

For this reason, CloudShield Eclipse supports multiple named policy lists that can be deployed and activated independently; each named policy list can be owned by a different department or role and serve a different purpose.

Figure 4: Example of Organizational Policy Lists

An organization’s compliance or risk team may choose to define the Baseline Policy List utilizing policy rules driven by compliance-standard requirements or corporate long-term strategies that define specific rules for detection and mitigation of cybersecurity threats.

For the Day-to-Day Policy List, the organization’s security operations team may define a set of policies that are focused on operational threats and the associated team playbooks.

Finally, the organization’s incident response team may define an Investigative Policy List containing policies they wish to apply to the environment at specific times. These policies serve to update how the security fabric behaves for specific incident investigations and resolution phases in which they are involved. Upon completion of an incident, the incident response team may choose to submit certain policies defined in the Investigative Policy List to the security operations team or compliance/risk team for inclusion in the other two policy lists.

Policy Control

With CloudShield Eclipse, organizations are able to define policies across a broad range of requirements, whether it is Per Deployment, Per Security Aspect, Per Security Team Role, Per Temporal Condition, or some combination of all of these aspects.

Figure 5: CloudShield Eclipse Policy Options

In addition to supporting this variety of scopes, an organization can define policy that covers threat detection and mitigation using one, some, or all of the security engines available within CloudShield Eclipse.

Figure 6: Policy Controlling Security Detection & Mitigation

Policy Evaluation

As has been highlighted, there are many opportunities for an organization to leverage CloudShield Eclipse Policy to enhance or define security operations to meet specific Zero Trust requirements.

CloudShield Eclipse provides organizations with a flexible YAML policy language in which each policy states the criteria to be matched against real-time traffic across the fabric, including the results of any engine analysis. When the criteria match, CloudShield Eclipse applies the actions defined in the policy to that traffic, along with any additional associated security behaviors.

The following three examples highlight some of the diverse policy enforcement capabilities supported by this language.

Example 1: Blacklist a known bad domain and override its intelligence score

Use Case: An organization has intelligence that a known C2 domain has been identified controlling a specific botnet. The organization wishes to block access to that domain, generate an alert whenever any asset in the enterprise reaches out to it, and correct the domain’s intelligence score to a value of 20.

Figure 7: Policy Example for Blacklisted Domain

Example 2: Whitelist communications on a specific CIDR

Use Case: An organization has received intelligence that has produced a high rate of false positives in its alerting and response systems for a specific CIDR. The organization has analyzed the CIDR and considers it risk-free; it wishes to suppress any further detection, mitigation, or capture actions on that CIDR or on any communications involving it.

Figure 8: Policy Example of Whitelist

Example 3: Tuning false positive alerts

Use Case: An organization leverages Suricata and intelligence from many sources, but has learned that any signature or intelligence hit with a severity score below 40 should be ignored by its alerting and mitigation systems. Tuning the system so that events under that threshold trigger no further analysis or mitigation lets the organization’s limited compute and analyst capacity focus on higher-severity alerts.

Figure 9: Policy Example of Lowering False Positive Alerts
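The three use cases above, together with the independently activated policy lists described under Policy Planning, as an added Python example: a first-match evaluator that walks ordered, named policy lists and returns the actions of the first policy whose criteria match an event. This is not CloudShield Eclipse’s YAML policy language (which appears only in the figures) or its OPA integration; the schema, the policy and list names, the domain c2.example.net, the CIDR 198.51.100.0/24 and the sample events are all constructed for illustration.

```python
"""First-match policy evaluation over independently activated policy lists.

Added example with a hypothetical schema modelled on the post's three use cases.
It is NOT CloudShield Eclipse's YAML policy language or its OPA integration;
every name, address and domain below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Plain dicts stand in for YAML so the example runs on the standard library.
# Lists are ordered by precedence: investigative (IR) > day-to-day (SOC) >
# baseline (compliance/risk), and each list can be switched off on its own.
POLICY_LISTS = [
    {"name": "investigative", "enabled": True, "policies": [
        {   # Example 1: known C2 domain -> block, alert, force intel score to 20
            "name": "block-botnet-c2",
            "match": {"domain": "c2.example.net"},
            "actions": ["block", "alert"],
            "set_score": 20,
        }]},
    {"name": "day-to-day", "enabled": True, "policies": [
        {   # Example 2: risk-free CIDR -> suppress detection/mitigation/capture
            "name": "allow-partner-range",
            "match": {"cidr": "198.51.100.0/24"},
            "actions": ["allow"],
        }]},
    {"name": "baseline", "enabled": True, "policies": [
        {   # Example 3: Suricata/intel hits below severity 40 -> ignore
            "name": "ignore-low-severity",
            "match": {"engine": "suricata", "severity_below": 40},
            "actions": ["ignore"],
        }]},
]


@dataclass
class Decision:
    actions: list = field(default_factory=list)
    score: Optional[int] = None      # intel score after any override
    policy: Optional[str] = None     # "<list>/<policy>" that fired, if any


def _matches(criteria: dict, event: dict) -> bool:
    """All criteria must hold; an unknown criterion key fails closed."""
    for key, want in criteria.items():
        if key == "domain":
            host = event.get("domain", "").lower().rstrip(".")
            if host != want and not host.endswith("." + want):
                return False
        elif key == "cidr":
            net = ipaddress.ip_network(want, strict=False)
            ends = (event.get("src_ip"), event.get("dst_ip"))
            if not any(ip and ipaddress.ip_address(ip) in net for ip in ends):
                return False
        elif key == "engine":
            if event.get("engine") != want:
                return False
        elif key == "severity_below":
            sev = event.get("severity")
            if sev is None or sev >= want:
                return False
        else:
            return False
    return True


def evaluate(event: dict, policy_lists=POLICY_LISTS) -> Decision:
    """Walk enabled lists in precedence order; the first matching policy wins."""
    for plist in policy_lists:
        if not plist.get("enabled", True):
            continue
        for pol in plist["policies"]:
            if _matches(pol["match"], event):
                score = pol.get("set_score", event.get("intel_score"))
                return Decision(list(pol["actions"]), score,
                                f"{plist['name']}/{pol['name']}")
    # Nothing matched: leave the event to the engines' default handling.
    return Decision(["default"], event.get("intel_score"), None)


# Constructed sample events (not real traffic or real intelligence).
EVENTS = {
    "c2_beacon":    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7",
                     "domain": "c2.example.net", "engine": "intel",
                     "severity": 90, "intel_score": 75},
    "partner_scan": {"src_ip": "198.51.100.23", "dst_ip": "10.0.0.9",
                     "engine": "suricata", "severity": 85, "intel_score": 60},
    "low_sev_sig":  {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.44",
                     "engine": "suricata", "severity": 25, "intel_score": 30},
    "high_sev_sig": {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.44",
                     "engine": "suricata", "severity": 70, "intel_score": 30},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        d = evaluate(ev)
        print(f"{name:13} {d.policy or 'no match':32} {d.actions} score={d.score}")
```

Two things this toy makes visible that the use cases alone do not. First, precedence is part of the policy: the day-to-day "allow" on the partner CIDR fires before the baseline severity rule ever sees the event, so a whitelist is a standing blind spot and should be reviewed on a schedule. Second, an investigative list that is left enabled after an incident closes keeps IR-only overrides in force, which is why the hand-off of investigative policies to the SOC or compliance lists matters. In a production deployment, events that hit "ignore" or "allow" should still be logged, or the threshold and whitelist can never be audited.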

Getting Started with CloudShield Eclipse for Cyber Mitigation

CloudShield Eclipse integrates Cybersecurity Policy with the Power of Three: Intelligence, Signature, and Behavior, to automatically and instantaneously detect and mitigate attacks as they traverse the network.

Organizations can shape, evaluate, and enforce cybersecurity policies across their entire network using the simplified security stack CloudShield Eclipse provides with its new policy framework.

This significantly reduces the complexity of operational security whenever teams must apply detections across the entire organization, potentially in real time. Additionally, CloudShield Eclipse simplifies and standardizes policy-defined mitigation actions without introducing significant manual or error-prone tasks across disparate technologies and teams.

CloudShield Eclipse – Policy orchestration as threats and risk profiles change

At LookingGlass, we are embracing this approach to enterprise security monitoring and threat response to deliver a real-time, coordinated cyber defense response.

If you would like to discuss CloudShield Eclipse, please contact me on Twitter or reach out to us directly.
