Introduction
A common challenge with implementing any security solution is knowing how effective it is. While security event logging and analysis provide event-based security indicators, it is also useful to understand the strength of the overall solution before any events have a chance to take place.
One of the features offered with the CoIP Access Platform is its policy configuration-based Protection Score, calculated from the programmed policies alone and independent of any detected or prevented policy violation events. Violation events and analytics are not covered in this guide.
The Protection Score reflects the strength of the segmentation implemented by the Secure Access Policies. Every access that is enabled exposes a new potential attack surface. Whether narrow access is allowed because an application requires it, or loose access is granted for convenience or through a configuration error, the score indicates the effective exposure.
Finally, score improvement is a critical aspect of managing a secure access platform. Besides reporting the overall segmentation policy strength, the CoIP Access Platform identifies the gaps and guides the improvement.
Segmentation Protection Scorecard
The Scorecard on the dashboard presents the following figures:
Protection Score | Total score of policies whose Chamber mode is currently set to either Prevention or Detection. Prevention mode blocks communication attempts and logs them; Detection mode only logs them, providing visibility and actionable events.
Prevention Score | Score considering only the Prevention strength of the same overall surface.
Coverage | Percentage of servers onboarded in Applications or Endpoints that have Detection or Prevention mode turned on.
Total Servers | Total number of servers onboarded in Applications or Endpoints.
Both the Prevention Score and the Protection Score (Prevention + Detection) consider the inbound service port exposure, aggregated over all servers that are destinations of access policies and weighted by the number of servers and policies. For example, if a policy allows only TCP port 3306 inbound to an Application with 3 servers, the exposure contributed by that policy and those servers is 3 servers * 1 open port / 128k potential ports (65,536 TCP plus 65,536 UDP port numbers per server). This is a minute attack surface exposure and contributes to a higher score.
On the other hand, if a misconfigured policy is left with "Any" port (TCP and UDP) specified, it produces a high surface exposure (again weighted by policies and servers) and negatively impacts the overall score.
The scores are also aggregated and displayed in the dashboard summary tables for each Application or Endpoint. These help pinpoint, on a more granular basis, which Application or Endpoint needs attention if a score is low.
Improving Scores – Reducing Attack Surface
The Improve your Scorecard action button generates specific, actionable recommendations to tighten the segmentation policies and raise the overall score. These recommendations are intended as guidance and should be reviewed carefully before being applied, as some services and ports simply need to be open for the applications to function.
Note that a 100% score is only reachable if the exposed surface is eliminated, i.e. all ports are closed. Since a useful Application Profile needs some communication, the aim is not a perfect 100% score but a stable high number, where it is easy to spot when a poor policy or a configuration error has been added.
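The following is an added example, not code from the CoIP Access Platform, that models the port-exposure scoring described above and the policy ranking behind the Improve your Scorecard button. It assumes the score is 100 * (1 - exposed ports / potential ports), with both sums weighted by the number of servers behind each policy; that "potential ports" is the full TCP plus UDP port space (2 * 65,536, the article's "128k"); and, for the Prevention Score, that destinations in Detection mode still belong to the surface but contribute their full port space because nothing is blocked there. The policy syntax ("TCP 3306", "TCP 8000-8080", "UDP Any", "Any"), the Chamber/Policy data model and the sample Applications are all constructed for the example.

```python
"""Illustrative segmentation scorecard (added example, not CoIP code)."""
from dataclasses import dataclass
from fractions import Fraction

PORTS_PER_PROTOCOL = 65536            # port numbers 0-65535
TOTAL_PORTS = 2 * PORTS_PER_PROTOCOL  # TCP + UDP: the "128k potential ports"
ACTIVE_MODES = {"prevention", "detection"}


@dataclass(frozen=True)
class Chamber:
    """An Application or Endpoint: a group of servers sharing one mode."""
    name: str
    servers: int
    mode: str  # "prevention", "detection" or "off"


@dataclass(frozen=True)
class Policy:
    """An inbound access policy opening `ports` toward `destination`."""
    destination: str
    ports: str  # assumed syntax: "TCP 3306", "TCP 8000-8080", "UDP Any", "Any"


def open_port_count(spec: str) -> int:
    """Number of destination ports a policy opens; "Any" means TCP and UDP."""
    spec = spec.strip()
    if spec.lower() == "any":
        return TOTAL_PORTS
    proto, _, ports = spec.partition(" ")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"unknown protocol in {spec!r}")
    if ports.lower() == "any":
        return PORTS_PER_PROTOCOL
    lo, _, hi = ports.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in {spec!r}")
    return hi - lo + 1


def exposure(policies, chambers, prevention_only=False) -> Fraction:
    """Exposed ports over potential ports, weighted by servers per policy.

    Only destinations in Detection or Prevention mode form the surface. With
    prevention_only=True a Detection-mode destination still counts toward the
    surface but exposes its whole port space, since nothing is blocked there
    (a modelling assumption of this example).
    """
    exposed = potential = 0
    for p in policies:
        ch = chambers[p.destination]
        if ch.mode not in ACTIVE_MODES:
            continue
        blocks = ch.mode == "prevention" or not prevention_only
        exposed += ch.servers * (open_port_count(p.ports) if blocks else TOTAL_PORTS)
        potential += ch.servers * TOTAL_PORTS
    return Fraction(exposed, potential) if potential else Fraction(0)


def scorecard(policies, chambers) -> dict:
    """The four dashboard figures; percentages rounded to two decimals."""
    total = sum(c.servers for c in chambers.values())
    covered = sum(c.servers for c in chambers.values() if c.mode in ACTIVE_MODES)
    return {
        "protection_score": round(float(100 * (1 - exposure(policies, chambers))), 2),
        "prevention_score": round(float(100 * (1 - exposure(policies, chambers, True))), 2),
        "coverage": round(100 * covered / total, 2) if total else 0.0,
        "total_servers": total,
    }


def recommendations(policies, chambers) -> list:
    """Rank policies by the score points recovered if each were tightened to a
    single port: the idea behind "Improve your Scorecard". Returns
    (destination, ports, gain) tuples, largest gain first."""
    base = scorecard(policies, chambers)["protection_score"]
    out = []
    for p in policies:
        tightened = [Policy(q.destination, "TCP 1") if q is p else q for q in policies]
        gain = round(scorecard(tightened, chambers)["protection_score"] - base, 2)
        if gain > 0:
            out.append((p.destination, p.ports, gain))
    return sorted(out, key=lambda r: r[2], reverse=True)


# Constructed sample data: two protected Applications and one not yet enabled.
SAMPLE_CHAMBERS = {
    "crm-db": Chamber("crm-db", servers=3, mode="prevention"),
    "web": Chamber("web", servers=4, mode="detection"),
    "legacy": Chamber("legacy", servers=2, mode="off"),
}
SAMPLE_POLICIES = [
    Policy("crm-db", "TCP 3306"),  # the narrow policy from the article
    Policy("web", "TCP 443"),
    Policy("web", "Any"),          # the "Any" misconfiguration the article warns about
    Policy("legacy", "TCP 22"),    # not counted: destination has no mode turned on
]

if __name__ == "__main__":
    print(scorecard(SAMPLE_POLICIES, SAMPLE_CHAMBERS))
    print(recommendations(SAMPLE_POLICIES, SAMPLE_CHAMBERS))
```

With the sample data the single "Any" policy on the 4-server web Application drags the Protection Score down to roughly 64%, and tightening it to one port would bring the score to about 100%, which is exactly the kind of jump that makes a bad policy or configuration error easy to spot on an otherwise stable dashboard. The Prevention Score is far lower because the web Application only detects, so its whole surface counts as unblocked under this model's assumption.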