Information Assurance for a Fortune 500 Customer

Objective: Secure an enterprise network running a heavily customized version of a widely used commercial ERP application, which connects the Engineering, Manufacturing, Purchasing and Accounting organizations to digital assets of extremely high sensitivity, including drawings, architecture designs, and business-critical data.

The Challenge: The technical architecture is a multi-tiered application with separate web, database, business-logic, and management tiers. Replicas reside in locations that are widely dispersed geographically. All tiers are segregated through network topology, but all must interact with each other. There is NO SCOPE to modify any of the deployment strategy or implementation, so the information-assurance capabilities must be deployed transparently. And of course, no noticeable impact on application performance is tolerable.

The Risks: The network consists of a large and heterogeneous user base comprising primarily (but not exclusively) technical personnel. Access is primarily via workstations in a global corporate network, but there are the inevitable risks arising from uncontrolled endpoint devices (iPhones/iPads/smart phones) as well as hackers.

There is pervasive exposure to Advanced Persistent Threats in the user (WAN) environment. The overall system is at constant risk of exfiltration (data theft).

The Solution: Deploy Bayshore Networks SingleKey™ large-scale application firewalls in the core switching fabric (campus network), ensuring that integration is transparent to the application through dynamic routing (BGP) and that there is complete interoperability with Cisco Catalyst 6500 and Nexus 7000 series switches, ASA modules and load balancers. The deployment must introduce no measured impact on performance, even under very high resource utilization.

The SingleKey™ components transparently proxy all application traffic, bi-directionally, on all links between users and application tiers, and between the application tiers themselves. This was easy to implement because of our direct integration with the switching fabric, and imposed no changes to application or server configurations or application management processes.

SingleKey™ proactively blocks all application behaviors that violate basic security rules, protocol definitions, and known attack signatures. But that's not nearly enough to fully protect a complex application with tens of thousands of users, a small number of which are malicious actors engaged in foot-printing the application's vulnerabilities and attempting to gain escalated privileges!

To meet that objective, adaptive learning by SingleKey™ continuously profiles the application behavior as it proxies, enabling real-time detection of behavioral anomalies and application errors that signify the presence of APT attacks. Anomaly detection can be immediately reported to system administrators, or it can be automatically blocked by SingleKey™, at the discretion of administrators.

To maximize efficiency and fully leverage the SingleKey™ application heuristics and analytics technologies, SingleView™ was deployed to provide remote management and control of this widely distributed deployment model.

SingleView™ is a critical part of the system because it provides a system-wide view of the policy violations and anomalies detected by each of the SingleKey™ firewalls deployed in this complex global architecture.


Application Security and Availability for a Fortune 100 Enterprise

This Bayshore Networks Case Study illustrates how SingleKey™ helped a large enterprise solve a critical application availability and security problem. SingleKey™ is the most powerful Application Firewall for enterprise IT.

This case concerns a large global enterprise with Manufacturing and Services operations in dozens of countries, and more than 50,000 employees. The company is a well-known technology leader, and is on the leading edge in regard to information-security practices.

The company runs a large portfolio of critical business applications, many home-grown and many from vendors, most of them now accessible through web interfaces. Like many large enterprises, they have a policy of auditing applications for security on a regular basis. In practice, however, limited resources constrain the amount of auditing they can realistically do.

So like many other organizations, they tend to pick and choose the most sensitive applications for review. They recently selected an eight-year-old home-grown application that gave business partners access to certain production databases through the Internet. Importantly, the application is also accessed by a wide range of internal users.

The company runs a perimeter security architecture that is remarkably good, stable, and secure. They are certainly in the top rank of companies when it comes to best practices for network security and perimeter protection.

It turns out that even a company which is so good at security best practices can have serious vulnerabilities when it comes to applications. In this case, the review exposed serious problems which created exploitable vulnerabilities, not only from Internet users, but also from supposedly "safe" internal users.

The company started by selecting the application we've been describing for a security audit. A scan by a well-known commercial vulnerability scanner turned up several hundred specific problems, of which several dozen were rated as "severe" or "critical."

The severe vulnerabilities detected by the scan fell into several different classes, including data leakage, SQL injection, and cross-site scripting. Most of these vulnerabilities stem from application programmers' limited awareness of current security threats and inadequate adherence to secure coding standards.

The corporate-level security policy of the company dictated that the vulnerabilities needed to be remediated in a very short span of time (about three months), or the application would need to be taken offline. The latter outcome was clearly unacceptable to the business user of the application, so the security team investigated alternatives.

The obvious choice (and the choice first considered by many enterprises in a similar position) was to recode the application. Since it had been written eight years earlier, however, there was some question whether the original development team would be available, whether they could acquire the required skills to remediate the threats, whether all this could be done in a reasonable amount of time, and how much it would cost.

In general, the path of recoding a large portfolio of applications is challenging, because simple economics works against it, in large enterprises and small ones. (Small firms very often face a situation very much like the one described in this case, because of the need to comply with the PCI Data Security Standard.) Application developers are a severely constrained resource. It is almost the best case to find them busy with other projects, because then at least business-unit managers can negotiate for their time. It is just as likely to find that key developers on a production system have left the company, or are unavailable because the system is from a vendor that doesn't release source code.

In the event, our customer was lucky enough to be able to consider bringing back the original project developers, give them time to relearn the application code, and receive training in the latest secure development techniques.

But it turned out that the time required to do all this would run to about six months, and the cost was about twice what the team desired to spend. Consider the impact if this situation had been replicated across the enterprise's whole portfolio of business-critical applications, rather than just one.

We at Bayshore were contacted by this Fortune 100 company to see if our SingleKey™ product could provide a solution.

SingleKey™ works as an inline reverse proxy. Like other products, SingleKey™ directly remediates a large class of network-level errors, threats and vulnerabilities. Unlike other products, however, SingleKey™ also includes Adaptive Heuristics, which enable it to automatically tune its internal rules to match the characteristics of the application being protected, down to a very fine level of granularity. And these heuristics can be fine-tuned by system administrators.

The task of installing and setting up SingleKey™ took approximately a day and was largely trouble-free. Immediately the customer's application team ran another vulnerability scan.

Right out of the box, SingleKey™ automatically remediated about 80% of the originally-identified vulnerabilities and errors in the application. Over the next several days, Bayshore support personnel worked with the customer to fine-tune SingleKey™'s heuristic protection ruleset. At the end of the process, every single critical and severe vulnerability had been eliminated.

The whole process, which had originally been budgeted at an unacceptable six months, took less than a month. The dollar cost of the Bayshore solution was less than half of the original budget. Best of all, there was not the slightest modification made to the original application, and none of its programmers had to be redeployed from their current projects.

SingleKey™ from Bayshore Networks provided a fundamental change in the economics and timing of critical application protection efforts to this global technology leader. They are now formalizing plans to use SingleKey™ to protect a much wider range of their enterprise application portfolio.