Good planning is a critical factor in the success of any deployment. Planning should start well before the implementation begins, and the plan should be continually reviewed and updated during the entire project. ACME invited the relevant stakeholders to a series of HIPS project planning meetings. During the meetings, it intended to address the following:
Review the Security Policy
Chapter 4, "Security in Depth," discusses corporate security policies at some length. Your security policy guides all of your major decisions during a CSA deployment. If you don't have a security policy, you should strongly consider creating one; without it, your deployment is likely to take much longer and be far more difficult. Luckily, ACME has a well-documented and up-to-date security policy. It started its planning session with a review of the security policy in light of CSA's components and capabilities. The intent of this review session was to begin thinking about the following:
Define Project Goals
It is important to have a concrete set of measurable goals before the implementation begins. Goals give the stakeholders something to actively work toward and a way to measure the progress of the project. You also use them to restrict the scope of the project: any decision or product functionality that does not contribute to the achievement of one of the goals should not be part of the implementation. Most of the goals you define for the project, such as deadlines and budgets, are the same for any project. However, two goals are specific to CSA deployments:
Balance
The first goal you should define is, in a general sense, where you want to fall on the security versus manageability spectrum. This spectrum refers to the idea that, for the most part, as security increases, the resources needed to manage the security increase as well. Increased security can also have an undesirable impact on the user experience. Try to characterize your organization's overall philosophical approach to security. To make this characterization, think about the following:
Classify your organization as restrictive, balanced, or permissive. Here are some firewall implementation examples to further illustrate this process:
When ACME started to characterize itself, it quickly realized that it fits the classic profile of a balanced organization. At ACME, all of the following were true:
Furthermore, ACME's review of the corporate security policy supported this characterization.
Problems to Solve
The second goal you should define clearly is the purpose of the implementation. Start by identifying the problems CSA should solve. Maybe the only problem you want CSA to address is the threat of new and unknown malicious code. Perhaps your corporate security policy includes some restrictions that CSA could enforce. Try to make as thorough and detailed a list as possible. As you make the list, identify which problems are immediate and urgent and which can be solved over the long term. Here are some sample problems:
At ACME, the list of security-related problems to solve never seems to shrink; every time one problem is solved, another is added to the list. At a stakeholders' meeting, ACME put its list of 30 or so potential security initiatives on the whiteboard and eliminated the ones that CSA could not help with. That left seven problems that CSA could solve. After some discussion, the stakeholders decided that, as a balanced organization with limited resources, they should not try to tackle all seven at once. Instead, they put the seven in order of importance and eliminated the bottom four. That left three goals for the implementation:
Select and Classify Target Hosts
Now that you have established your goals for the project, move on to the next predeployment tasks, which are as follows:
Select Target Hosts
Before you can start installing the agent, you must decide which hosts it should protect. If you purchased enough agent licenses to cover all of your hosts, the decision is easy. It is harder if you bought a smaller number of licenses, but it's likely you had a group of target hosts in mind when you made the purchase. In either case, start your deployment with hosts where the deployment has a high likelihood of success and provides a clear benefit to your organization. Ultimately, ACME plans to install CSA on all 10,000 desktops and 300 servers. However, ACME decided to buy an initial 1500 desktop and 20 server licenses to prove the concept before buying the rest. Deciding which hosts to protect first with CSA was difficult. ACME consulted its goals to select the hosts that, if protected, would contribute the most to achieving them. It started with the server licenses and decided to put the agent on 20 of its Microsoft IIS web servers, which host its B2B e-commerce site. Having CSA on them would reduce the number of emergency patches they need: the agent can block attempts to exploit a vulnerability before the patch is applied, although it does not remove the need to patch eventually. Selecting only 1500 desktops out of 10,000 was more of a challenge. ACME earmarked 1000 licenses for the mobile laptops because they are so vulnerable when they are remote and not protected by the corporate security countermeasures. Infected laptops were the source of 8 of the last 10 virus incidents at ACME. If those laptops could be protected while they are remote, it would dramatically increase ACME's protection against malicious code. The remaining 500 licenses were reserved for the desktops in the manufacturing areas. Each desktop is shared by several manufacturing employees. They are supposed to be used only for e-mail and a few other programs, but almost every one has P2P software installed. They generate lots of file-sharing traffic and should be locked down so that they can be used only for legitimate purposes.
Classify Selected Hosts
After you've selected your target hosts, loosely classify them by placing them in restrictive, balanced, or permissive groups. These groups are used later to help you decide which CSA security policies should be applied. They also help you estimate how much effort is required to deploy and subsequently manage the policies you choose. To classify a host or set of hosts, answer three questions:
Note: Don't confuse host classification with the balance goal you set when you defined project goals. The goal you set there should influence only the way you classify hosts. If you have a situation where you think a group of hosts falls somewhere between restrictive and balanced, apply your organizational classification to help you decide. Think of the organizational classification as a "rounding rule": if the organization as a whole is permissive, round downward (toward the less restrictive class); if it's restrictive, round upward. Here are some samples:
ACME had an easy time classifying its hosts. When the e-commerce servers are down, it costs the company a lot of money. New software is rarely installed on them, they should be meticulously protected, and they are externally accessible. Therefore, ACME classified its e-commerce servers as restrictive systems. The manufacturing desktops don't cost the company much money when they are down, users are permitted to install software whenever they want, and they are protected by other ACME security countermeasures such as firewalls and Network Intrusion Detection Systems (NIDS). ACME classified these desktops as permissive, with the caveat that they should not be allowed to download music from the Internet. Finally, the field laptops were put in the balanced group. The laptops need good protection against attacks because they are often outside the corporate security countermeasures. At the same time, the users need some control over their system configuration when they are in the field.
Plan for Ongoing Management
It is a good idea to think about the ongoing management of CSA after it has been implemented. Decide who takes over CSA administration when the project is finished, where the administrators are to be physically located, and who has responsibility for which types of administration. Planning for ongoing management at this stage lets you involve the future administrators in the deployment early on, so that they are prepared when it is finished. ACME decided that two members of the corporate security team are to be responsible for CSA policy administration, event handling, and incident response. The servers, the operating system, the server agent software, and the software that makes up the CSA Management Center (MC) are to be under the control of the server team. The desktop team is expected to install and troubleshoot the agent software on the desktops and laptops after the project is finished.
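The host classification described above (three yes/no questions per host, with the organization's own posture used as a rounding rule when a group falls between two classes) is small enough to script, which is useful once you are classifying hundreds of hosts from an inventory rather than three groups by hand. The following is an added illustration, not code from the book or from Cisco. Because the book's list of three questions is not reproduced on this page, the questions are reconstructed from the reasoning ACME gives for its own hosts (cost of downtime, how often software changes, exposure without other countermeasures in front); the scoring and the exact rounding behaviour are assumptions, and the inventory is constructed.

```python
"""Classify HIPS target hosts as restrictive / balanced / permissive.

Added illustration, not from the book. The three yes/no questions are
reconstructed from ACME's stated rationale; the scoring and the rounding
rule are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Posture(IntEnum):
    PERMISSIVE = 0
    BALANCED = 1
    RESTRICTIVE = 2


@dataclass(frozen=True)
class Host:
    name: str
    downtime_is_costly: bool       # an outage costs the business real money
    software_rarely_changes: bool  # new software is seldom installed; users cannot install it
    exposed: bool                  # reachable by attackers without other countermeasures in front


def strictness_score(host: Host) -> int:
    """Count how many of the three answers argue for tighter control (0..3)."""
    return sum((host.downtime_is_costly, host.software_rarely_changes, host.exposed))


def classify(host: Host, org: Posture) -> Posture:
    """Map a host to a posture; the organizational posture only breaks ties.

    Three "yes" answers -> restrictive, none -> permissive. A score of 2 sits
    between restrictive and balanced, a score of 1 between balanced and
    permissive. Those in-between cases are rounded toward the organization's
    own posture (the "rounding rule"); a balanced organization settles on
    balanced.
    """
    score = strictness_score(host)
    if score == 3:
        return Posture.RESTRICTIVE
    if score == 0:
        return Posture.PERMISSIVE
    if score == 2:
        lower, upper = Posture.BALANCED, Posture.RESTRICTIVE
    else:
        lower, upper = Posture.PERMISSIVE, Posture.BALANCED
    if org == Posture.RESTRICTIVE:
        return upper          # round upward
    if org == Posture.PERMISSIVE:
        return lower          # round downward
    return Posture.BALANCED


def classify_inventory(hosts, org: Posture) -> dict:
    """Group an inventory by posture: {"restrictive": [...], "balanced": [...], ...}."""
    groups = {p.name.lower(): [] for p in Posture}
    for host in hosts:
        groups[classify(host, org).name.lower()].append(host.name)
    return groups


# Constructed inventory modelled on ACME's three host groups (not real data).
ACME_HOSTS = [
    Host("iis-ecom-01", downtime_is_costly=True, software_rarely_changes=True, exposed=True),
    Host("mfg-desk-117", downtime_is_costly=False, software_rarely_changes=False, exposed=False),
    Host("field-laptop-42", downtime_is_costly=False, software_rarely_changes=False, exposed=True),
]

if __name__ == "__main__":
    # Show how the same inventory is bucketed under each organizational posture.
    for org in Posture:
        print(org.name.lower(), classify_inventory(ACME_HOSTS, org))
```

With ACME's balanced posture the three hosts land exactly where the text puts them (servers restrictive, manufacturing desktops permissive, laptops balanced). Re-running with a permissive posture drops the laptops to permissive, which is the rounding rule at work; the e-commerce servers stay restrictive regardless, because the organizational posture is only a tiebreaker and never overrides a host that answers all three questions the same way.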
All of the personnel who manage CSA post-deployment are located at ACME headquarters.
Choose the Appropriate Management Architecture
The final predeployment planning task is to architect the solution that manages the HIPS agents. Be careful and take your time with this task. If you don't plan well and later realize that your management architecture should be different, it is usually difficult to change after agents are deployed and actively managed. At least five factors affect your choice of management architecture:
If your company is widely distributed and the branches have limited network connections, a single-server management center at each location might be your only option. It is a costly option from both a budgeting and an administrative perspective: you have to buy hardware for each location, make sure that security policies are synchronized between sites, and have CSA administrators treat each location as a separate entity, which increases the management burden. If the company is not distributed, or is distributed but has respectable network connections between the branches and headquarters, a single-tiered CSA MC makes more sense. Large organizations can have a number of network operations centers (NOCs) that would be suitable for single or tiered MCs, as needed for the number of agents each NOC is expected to support.
Although ACME has licenses for only 1520 hosts, it would eventually like to put CSA on all 10,300. It decided to start with a server big enough to handle that many agents, even though it wouldn't be managing that many at first. The documentation indicates that a single-server CSA MC supports up to 20,000 agents, so the single-server architecture seemed like the best choice. Before ACME made a final decision, it consulted the server team. Together, they decided that a single server will work: the budget is limited, the administrative model fits, and the bandwidth between most ACME sites is respectable.