ENTERPRISE SECURITY BLUEPRINT
MANAGEMENT LAYER
03
Visibility
Visibility is needed for two reasons: situation awareness – understanding what is happening
in the network; and incident response – doing something about it.
The SDP Management Layer supports incident response as an interaction between Control
Layer protections and human responders. While automated controls excel at sifting through
huge volumes of event data and detecting anomalous behavior, human intelligence is still
superior when it comes to identifying patterns of unauthorized behavior, weeding out false
positives, categorizing events by motive and intent, and identifying effective and safe Courses
of Action (COAs). Automated reaction mechanisms are sometimes used to block
malicious behavior that matches high-confidence indicators.
Situation Awareness
The Management Layer collects, consolidates and correlates events from enforcement points
deployed in the network. Incident responders are provided with real-time visualization of the
chains of events. This allows identification of initial attack vectors, as well as subsequently
subverted hosts and compromised data. Event investigation can generate new threat indicators
for malware, threat behavior and network addresses associated with each identified attack.
These indicators are then fed automatically to the Control Layer and distributed from there
to the Enforcement Layer in order to protect the organization.
Security-relevant event reports can be received from various sources, including:
- Enforcement points report a match between a detected interaction and a threat indicator
- Enforcement points report an unauthorized interaction
- Management Layer analytics uncover anomalies in presumably authorized interaction records that warrant further investigation
- A report of suspicious behavior is received from sources inside or outside of the organization. For example, a user reports that a service is unavailable, or another company complains of an attack originating from inside the organization
When a potential incident is detected, a response procedure should be invoked to triage the
detected symptoms and to decide whether a response is required. Forensic
data is collected and analyzed. Attention should be given to stopping the attack, assessing
possible damage and preventing any recurrence of the attack.
An incident may be an independent event, as in the case of a non-targeted virus or hacking
attempt. Once the attack is prevented or recovered from, it is over. Conversely, the incident
may be a symptom of a wider attack campaign. It is important that incident responders
categorize each incident as one or the other because in the latter case, the detected events