Adoption of an holistic security strategy
Analysis of abnormal network behavior in the PC
Centralized automatic management with domain policy
Intrusion Prevention System
Firewall rules based on active directory users
Files analysis with ThreatGrid platform
Web Security Appliance
Umbrella as DNS
SARA has opted for a hybrid Cloud solution with access to Cisco Cloud management services, in which the ISE solution elements are virtualized in the company’s Data Center at the Rome headquarters.
The cybersecurity solution created for the SARA network is an all-round package.
The approach chosen by SARA – and implemented by Italtel with Cisco solutions – consists of overcoming the idea of a decentralized security system, in which each element features some countermeasures to thwart any possible attacks or abnormal situations, and adopts a holistic security strategy in which each element applies those countermeasures and then informs the other systems of what it has found; this way, all other systems on the network apply similar countermeasures following a non-direct signaling of that element, which has been distributed by another network element.
In fact, the solution is articulated on several levels, starting with the security of personal computers (the physical clients or end points), on which the AMP – Advanced Malware Protection agent for Endpoint is installed as an evolution of the antivirus.
Besides the usual antivirus features, the AMP for Endpoint (integrated with other Cisco elements) analyzes abnormal network behavior in the PC and carries out several operations, ranging from the deletion of a dangerous attachment to the isolation of the PC in extreme cases.
SARA distributes the AMP for Endpoint across employees’ PCs through an in-cloud platform in which it is possible to implement client customizations (specific to each operating system), which are then installed on PCs, usually through the platform’s centralized automatic management with domain policy.
The implementation comprises the IPS (Intrusion Prevention System) component, which is always included in Cisco Firepower 2130 devices with FTD software, and was added at the request of SARA and previously implemented by another function. More specifically, it migrated from the old deployment to a single centralized platform, which simplifies the configuration of firewall management rules.
SARA has evolved from a rigid firewall configuration structure (for instance, when changing a network it was necessary to update all the rules that affected that same network) to a more dynamic one. A further evolution consisted of adding networking-based rules (source IP/destination IP) as well as rules based on active directory users. Someone from the Milan office who visits the Rome office no longer needs to integrate the Rome network as their source; that employee will be handled solely on the basis of his/her credentials, thus obtaining simplicity and versatility with regard to the Active Directory group without having to change the entire infrastructure.
User-based configuratibility is made possible thanks to the ISE (Identity Services Engine), a Network Access Control which is integrated with the Active Directory and the Firepower.More specifically, the ISE has been integrated to allow the Firepower to configure the rules on a user basis rather than on an IP basis. The ISE offers many other features; as an NAC (Network Access Control) it controls access to the network, be it wireless or wired. SARA has opted to expand the ISE deployment in order to distribute it (as it is an access control tool for a geographically vast network with a large number of users), thus offering proximity to the end user.
The Cisco WSA (Web Security Appliance) acts as an advanced proxy, replacing the previous McAfee Web Gateway, and integrates perfectly with the solution along with other Cisco elements. The WSA is the element sending DNS requests. In addition to the WSA, and still in the security domain, SARA has also expanded the Cisco Umbrella licenses of 2100 units to integrate its various branches, thereby obtaining greater security because the first security layer that is applied on a network is the DNS level, through the detection of malicious URLs/IPs. In other words, SARA’s infrastructure uses Umbrella as a DNS solution.
Finally, the ThreatGrid platform analyzes files that have been emailed to or downloaded by a user and for which there is no threat-level documentation yet, emulating operating systems, network behavior and user behavior to verify how the file acts (for instance, whether it changes the registry keys) in a so-called sandbox – that is, a secure, closed bubble. Based on the report, the file is classified as malicious or otherwise. This information is then distributed across Cisco’s global system. This platform is of great value as a protection against so-called zero-day threats, that is, viruses that are so recent that they have not yet been identified.