041
ENTERPRISE SECURITY BLUEPRINT
MANAGEMENT LAYER
03
A precursor to an active incident may be identified in the form of detected attacker
reconnaissance, reports of attempted social engineering, or threat intelligence on an
impending attack. Precursors allow the organization to adjust its protections to foil the
attack – e.g., by distributing protections that remove or mask the vulnerability the
presumed attacker would exploit, or by importing threat indicators that block access to a
website from which malware is distributed.
If there is a reasonable suspicion that an attack has succeeded, post-infection containment
controls can be used to keep interactions to a minimum while any indications of compromise
are investigated. Minimal-functionality configurations are defined in advance for each
segment and can be enforced by automated controls that are triggered when the segment is
identified as compromised or as vulnerable to an ongoing attack. Containment can block
multiple attack vectors while still allowing business-critical interactions to take place.
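The following is an added example, not code from the blueprint or from any Check Point product, of how a per-segment "contained" rule set can be kept ready and switched in by an automated trigger. The segment name, addresses, rule fields and the confidence threshold are invented for illustration; the point is that the minimal posture is defined before the incident, and that business-critical flows stay allowed while everything else is denied.

```python
"""Constructed example: pre-defined minimal-functionality ("contained") rule
sets per segment, switched in by an automated trigger.

Assumptions (not from the blueprint): segment names, addresses, rule fields
and the confidence threshold are invented for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    dst_net: str   # destination network in CIDR form
    port: int      # 0 means any port
    allow: bool
    note: str = ""


@dataclass
class Segment:
    name: str
    normal: list          # rule set for normal operation
    contained: list       # pre-defined minimal-functionality rule set
    posture: str = "normal"

    def active_rules(self):
        return self.contained if self.posture == "contained" else self.normal


def evaluate(segment, dst_ip, port):
    """First matching rule wins; anything unmatched is denied."""
    ip = ip_address(dst_ip)
    for rule in segment.active_rules():
        if ip in ip_network(rule.dst_net) and rule.port in (0, port):
            return rule.allow, rule.note
    return False, "default deny"


def on_compromise_signal(segment, signal, threshold=70):
    """Automated trigger: a compromise or vulnerability signal at or above the
    threshold (hypothetical shape: {"confidence": int, ...}) puts the segment
    into its contained posture."""
    if signal["confidence"] >= threshold:
        segment.posture = "contained"
    return segment.posture


def release(segment):
    """Return the segment to normal operation once the investigation clears it."""
    segment.posture = "normal"
    return segment.posture


def finance_segment():
    """Constructed segment: normal posture allows any outbound traffic; the
    contained posture keeps only the business-critical ERP front end and the
    internal resolver reachable."""
    return Segment(
        name="finance",
        normal=[Rule("0.0.0.0/0", 0, True, "normal: any outbound")],
        contained=[
            Rule("10.20.0.0/16", 443, True, "ERP front end (business-critical)"),
            Rule("10.50.0.5/32", 53, True, "internal resolver"),
            Rule("0.0.0.0/0", 0, False, "blocked during containment"),
        ],
    )


if __name__ == "__main__":
    seg = finance_segment()
    print("normal:", evaluate(seg, "93.184.216.34", 443))
    on_compromise_signal(seg, {"confidence": 85, "reason": "indicator match on host"})
    print(seg.posture, evaluate(seg, "93.184.216.34", 443), evaluate(seg, "10.20.3.4", 443))
```

The trailing deny rule in the contained set is what makes the posture "minimal functionality": only the flows listed above it survive, and every other destination is blocked regardless of what the normal rule set permitted.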
Attackers very seldom target only a single organization or rebuild their complete TTPs
from scratch for every target. Sharing security events enables collaborative intelligence,
which helps organizations defend themselves using the consolidated event data of a larger
group. Threat agents, TTPs and threat indicators identified on one enterprise network can
be shared so that the knowledge benefits others before they themselves are targeted.
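To illustrate both the precursor case above (importing shared indicators so that access to a known malware distribution point is blocked) and the sharing paragraph, here is an added example that is not part of the blueprint: it loads a shared indicator feed, discards expired and low-confidence entries, matches local events against it, and builds the record that would be shared back. The feed format, field names, indicators and events are all constructed; a real exchange would use a standard such as STIX/TAXII.

```python
"""Constructed example: consuming a shared threat-indicator feed and producing
a shareable sighting.

Assumptions (not from the blueprint): the feed layout, field names, sample
indicators and events are invented for illustration.
"""
import json
from datetime import datetime, timezone

# Fixed clock so the example is reproducible.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed feed: indicators another organization observed and shared.
SHARED_FEED = json.dumps({
    "source": "partner-org-A",
    "indicators": [
        {"type": "domain", "value": "updates.example-bad.test", "confidence": 90,
         "expires": "2024-02-01T00:00:00+00:00", "ttp": "malware download"},
        {"type": "ipv4", "value": "203.0.113.77", "confidence": 80,
         "expires": "2024-01-01T00:00:00+00:00", "ttp": "C2 callback"},   # already expired
        {"type": "sha256", "value": "ab" * 32, "confidence": 40,
         "expires": "2024-02-01T00:00:00+00:00", "ttp": "dropper"},       # below threshold
        {"type": "ipv4", "value": "198.51.100.9", "confidence": 75,
         "expires": "2024-02-01T00:00:00+00:00", "ttp": "scanning"},
    ],
})

# Which fields of a local event map to which indicator type.
EVENT_FIELDS = {"dst_domain": "domain", "dst_ip": "ipv4", "file_sha256": "sha256"}


def load_indicators(feed_json, now=NOW, min_confidence=60):
    """Parse the feed, keeping only unexpired indicators at or above the
    confidence floor. Keyed by (type, normalized value)."""
    feed = json.loads(feed_json)
    kept = {}
    for ind in feed["indicators"]:
        expires = datetime.fromisoformat(ind["expires"])
        if expires <= now or ind["confidence"] < min_confidence:
            continue
        kept[(ind["type"], ind["value"].lower())] = dict(ind, source=feed["source"])
    return kept


def match_event(indicators, event):
    """Return the indicators a local event hits; an empty list means no match."""
    hits = []
    for field, ind_type in EVENT_FIELDS.items():
        value = event.get(field)
        if value is None:
            continue
        record = indicators.get((ind_type, value.lower()))
        if record:
            hits.append(record)
    return hits


def sighting_for_sharing(hit):
    """Record this organization shares back with the group: the indicator,
    its TTP and where it came from. Internal host and user names from the
    local event are deliberately left out."""
    return {"type": hit["type"], "value": hit["value"], "ttp": hit["ttp"],
            "origin": hit["source"], "sighted": NOW.isoformat()}


if __name__ == "__main__":
    indicators = load_indicators(SHARED_FEED)
    event = {"src_host": "ws-017", "dst_domain": "Updates.Example-Bad.test"}
    for hit in match_event(indicators, event):
        print("block:", hit["value"], "->", sighting_for_sharing(hit))
```

Expiry and confidence filtering is applied at import time so that stale or weak indicators never reach enforcement, and the sighting that goes back out carries only the indicator and TTP, which is what other members of the group need.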
Management Layer Summary
The Management Layer makes the Software-defined Protection architecture come alive.
By enabling each component of the architecture, this layer acts as the interface between
the security administrators and the other two SDP layers.
The SDP management interface enables access and data control policies to be defined, and
threat prevention to be activated, separately. Threat prevention policies can then be applied
automatically to the traffic allowed by the access and data control policies, but they can
also be managed by different people or even outsourced.
Within the access control realm, SDP management should support the policy layers and
sub-layers associated with the various network segments, while also providing the ability
to delegate management to specific administrators who can work on all of them
simultaneously.
Enterprise orchestration provides the Management Layer with the intelligence needed to
tailor security controls for the organization.
Further, the Management Layer provides visibility into what is happening in the network
and supports proactive incident response.