
Making Cybersecurity Policy Work For You: Tunable Security Mitigation At Attack Speed
Posted June 16, 2020
The latest CloudShield™ Eclipse (formerly known as Aeonik) software release introduces real-time Cybersecurity Policy Orchestration & Enforcement, providing tunable security mitigation across a comprehensive set of attacks including SMBGhost.
In our prior software release, LookingGlass CloudShield™ Eclipse added support for AWS Cloud deployments, as well as upgraded the supported Zeek version for behavioral detection and mitigation plans.
With CloudShield Eclipse’s’s new software release (v2.3), we address one of the challenges of managing an organization’s cybersecurity systems: how to orchestrate and tune those technologies to meet cybersecurity actions required by compliance, operational necessity, or even incident response.
CloudShield Eclipse – Policy-based cybersecurity supporting dynamic adaptability of secure behaviors
Without CloudShield Eclipse, many organizations have a patchwork of technologies, which often take significant operational effort to integrate and may still not provide the enhanced security protection strategy that drove the purchase in the first place. Policy definition and enforcement across a disparate security stack is often difficult or impossible.
CloudShield Eclipse introduces a major enhancement that supports Policy Orchestration for the entire security stack deployed across the enterprise. CloudShield Eclipse ’s Policy Framework leverages technology from the open source project Open Policy Agent (OPA), which provides cloud native policy control for technologies such as Kubernetes.
CloudShield Eclipse defines the three separate policy roles (administration, decision, and enforcement) as follows:

Implementing CloudShield Eclipse into Your Cyber Mitigation Strategy
To help put the power of policy orchestration in context, let us start with how organizations typically apply cybersecurity policy in practice.

Policy Planning
As we highlighted in our blog on integrated cybersecurity, the Zero Trust framework has provided the cybersecurity industry with a useful reference on how to define, organize, and plan cybersecurity controls to protect an organization.
CloudShield Eclipse Policy focuses on supporting organizational requirements across granular access, complete visibility, operational automation, and deployment flexibility as shown below.

Most organizations’ cybersecurity policies are typically applied based on a mix of compliance, strategic, and tactical requirements across the four key areas defined by Zero Trust.
For this reason, CloudShield Eclipse supports the concept of multiple named policy lists that can be deployed and activated independently; each named policy list can be defined by separate departments, roles, and reasons.

An organization’s compliance or risk team may choose to define the Baseline Policy List utilizing policy rules driven by compliance-standard requirements or corporate long-term strategies that define specific rules for detection and mitigation of cybersecurity threats.
For the Day-to-Day Policy List, the organization’s security operations team may define a set of policies that are focused on operational threats and the associated team playbooks.
Finally, the organization’s incident response team may define an Investigative Policy List containing policies they wish to apply to the environment at specific times. These policies serve to update how the security fabric behaves for specific incident investigations and resolution phases in which they are involved. Upon completion of an incident, the incident response team may choose to submit certain policies defined in the Investigative Policy List to the security operations team or compliance/risk team for inclusion in the other two policy lists.
Policy Control
With CloudShield Eclipse, organizations are able to define policies across a broad range of requirements, whether it is Per Deployment, Per Security Aspect, Per Security Team Role, Per Temporal Condition, or some combination of all of these aspects.

In addition to supporting a variety of areas, the organization can define policy that encompasses threat detection and mitigation leveraging one, some, or all of the security engines available within the CloudShield Eclipse.

Policy Evaluation
s has been highlighted, there are many opportunities for an organization to leverage CloudShield Eclipse Policy to enhance or define security operations to meet specific Zero Trust requirements.
CloudShield Eclipse provides organizations with extremely flexible and comprehensive YAML policy language that includes the criteria that is matched against to the real-time traffic across the fabric. Upon a match between the criteria and the traffic including any engine analysis, CloudShield Eclipse then applies the actions defined in the policy to the real-time traffic as well as any additional associated security behaviors.
The following three examples highlight some of the diverse policy enforcement capabilities supported by this language.
Example 1: Blacklist a known bad domain and override its intelligence score
Use Case: An organization has intelligence that known C2 domain baddomain.com has been identified controlling a specific botnet. The organization wishes to block access to baddomain.com, generate an alert when any asset in the enterprise reaches out to that C2, and correct the intelligence scoring assessment to a value of 20.

Example 2: Whitelist communications on a specific CIDR
Use Case: An organization has received intelligence that has produced high false-positive results in their alerting and response systems for CIDR 12.1.2.0/24. They have analyzed the CIDR and consider it to be risk-free to their organization; they wish to ignore any actions that require further detection, mitigation, or capture actions on CIDR 12.1.2.0/24 or any communications involving it.

Example 3: Tuning false positive alerts
Use Case: An organization leverages Suricata and intelligence from many sources but has learned that any signature or intelligence hit that has a severity score less than 40 should be ignored by their alerting and mitigation systems. They have determined that tuning the system to not trigger further analysis or mitigation for severity events under a certain threshold allows both their limited computer and human assets greater ability to focus on higher severity alerts.

Getting Started with CloudShield Eclipse for Cyber Mitigation
CloudShield Eclipse integrates Cybersecurity Policy and the Power of Three: Intelligence, Signature, and Behavior to automatically and instantaneously detect and mitigate attacks as they traverse the network.
Organizations can shape, evaluate, and enforce cybersecurity policies across their entire network using the simplified security stack CloudShield Eclipse provides with its new policy framework.
This significantly reduces the complexity of operational security whenever teams must apply detections across the entire organization, potentially in real-time. Additionally, CloudShield Eclipse simplifies and standardizes policy-defined mitigation actions without introducing significant manual or error-prone tasks across disparate technologies and teams.
CloudShield Eclipse – Policy orchestration as threats and risk profiles change
At LookingGlass, we are embracing this approach to enterprise security monitoring and threat response to deliver a real-time, coordinated cyber defense response.
If you would like to discuss CloudShield Eclipse, please contact me on Twitter or reach out to us directly.
Additional Posts

Need a (SMB)Ghost Buster? How CloudShield Eclipse Handles SMB Exploits
