Security and Dealing with Legacy Systems
By Sean Updegrove, CTO, Keck Medicine of USC
There will always be legacy systems that need to be secured. Technology professionals in our industry generally prefer to keep quiet about the fact that legacy systems will always be around. Although we don't like to talk about it in the open, we have to acknowledge that even the most diligent lifecycle management practice will not be able to keep all systems up to date all the time. It seems like we just dealt with Windows XP going end of support, and Windows 7 and Server 2008 are already right around the corner for the end of their extended support.
The medical industry in particular is saddled with the requirement to retain systems and applications that cannot be easily upgraded or replaced. The sheer cost of attempting upgrades of medical devices or specialty software can break the budget of most organizations. Organizations just cannot afford to replace medical devices and expensive software solutions every four years to keep up with changes in technology.
The information that medical systems are now gathering and maintaining is much more valuable than any credit card information, and the standard guidance given to secure the technology environment of a medical center is always "make sure your systems are up to date and you have applied the latest security updates." If only it were that easy.
The fact of the matter is that there will always be a need to support legacy systems and applications within an environment. The speed at which operating systems, applications, and hardware progress far outpaces the ability of manufacturers of medical systems and applications to keep up.
The question then becomes what can be done to secure an environment that has to support legacy systems?
Visibility of your Environment
True visibility into your network and systems environments means more than just gathering system logs, sending alerts, and looking back in time at what has happened. Real-time knowledge of what is happening on your network is required. What are users doing? What are applications doing? Are files being accessed in new and unusual ways? Is something or someone crawling around your network and systems?
The ability to see and analyze everything that is happening in near real-time on your network is now vital in order to secure environments. Advanced analytics now bring the ability to model user, application, and systems behaviors. When any of those behaviors goes rogue, you need to know and have the ability to act immediately.
The most effective visibility toolset would be one that captures all packets traversing your network. Once all this information is collected, you have full visibility into everything happening in your environment. This is where advanced analytics now come into play. With the proper analytics, every session, user action, and application action can be tracked and inspected.
Limit the Ability of Something, or Someone, from Moving around Inside your Network
Define a series of use cases based on groups of clients, not necessarily client types. Segmentation around use cases will simplify firewall rule sets and access control lists. Keeping the rules simple and straightforward will ease the operational overhead that segmentation can add to the environment. Moderate the urge to create too many segments on your network, and maintain a balance between security and the added operational overhead. Do not make it so complicated that the addition of new applications and systems now takes a lot of integration time.
Easy segmentation use cases include printers that only need to talk to a few print servers, voice systems that only communicate with a specific set of servers, and biomed devices that only communicate with a limited set of systems. Most organizations already segment a guest network, so creating a segment specifically for legacy systems and limiting what and who they can talk to will greatly contain the threat they pose to the organization. If you have drawn down the number of legacy systems, then those use cases should be relatively simple.
Using firewalls to create and manage segmentation gives you the ability to manage the rules centrally, which will keep your overhead down. With the standardization of use cases, the firewall rule sets can be kept clean and simple.
Prevent cross-talk between systems within a security segment. For example, biomed devices do not need to talk to each other. Neither do printers, voice systems, or other devices. In fact, even "normal" clients should be able to function properly without the ability to talk to each other directly.
Access control lists at the switch level are an easy way to prevent this cross-talk within segments. ACLs can be difficult to manage in an enterprise; however, with properly defined use cases, and a limited number of them, ACLs can be templated and standardized.
Segmentation can be created in a variety of ways, but the key here is not to get too complex. Too much segmentation makes integration of new systems and applications very difficult, but sensible segmentation of your network will help contain threats.
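The use-case segmentation and no-cross-talk rules described above, worked through as an added example (this is not the author's tooling; the segment names, subnets, and server addresses are constructed for illustration). It evaluates a flow against a default-deny policy and renders the same policy as a short, vendor-neutral rule list.

```python
"""Use-case segmentation policy checker (added example, constructed data).

Each segment is a use case: a client subnet and the few servers its members
may reach. Clients in any segment may not talk to other clients, whether in
the same segment or another one. Everything else is denied by default.
"""
from ipaddress import ip_address, ip_network

# Constructed use-case segments: client subnet -> servers it may reach.
SEGMENTS = {
    "printers": {"clients": "10.10.1.0/24", "allowed": ["10.0.5.10", "10.0.5.11"]},
    "voice":    {"clients": "10.10.2.0/24", "allowed": ["10.0.6.0/28"]},
    "biomed":   {"clients": "10.10.3.0/24", "allowed": ["10.0.7.20"]},
    "legacy":   {"clients": "10.10.9.0/24", "allowed": ["10.0.8.5"]},
}

def segment_of(ip):
    """Return the use-case segment a client address belongs to, or None."""
    for name, seg in SEGMENTS.items():
        if ip_address(ip) in ip_network(seg["clients"]):
            return name
    return None

def is_allowed(src, dst):
    """Decide whether a flow src -> dst is permitted. Default deny."""
    seg = segment_of(src)
    if seg is None:
        return False, "source not in any defined use case"
    if segment_of(dst) is not None:
        # Destination is itself a client: cross-talk, denied regardless of segment.
        return False, f"cross-talk between clients ({seg} -> {segment_of(dst)})"
    for net in SEGMENTS[seg]["allowed"]:
        if ip_address(dst) in ip_network(net):
            return True, f"{seg} -> permitted server {net}"
    return False, f"{seg} may not reach {dst}"

def render_rules():
    """Emit a vendor-neutral rule list: one permit per allowed server, one
    intra-segment deny per use case, then a default deny."""
    rules = []
    for name, seg in SEGMENTS.items():
        for net in seg["allowed"]:
            rules.append(f"permit {seg['clients']} -> {net}  # {name}")
        rules.append(f"deny   {seg['clients']} -> {seg['clients']}  # no {name} cross-talk")
    rules.append("deny   any -> any  # default")
    return rules

if __name__ == "__main__":
    for src, dst in [("10.10.1.7", "10.0.5.10"), ("10.10.1.7", "10.10.1.8"),
                     ("10.10.9.3", "10.0.7.20")]:
        print(src, "->", dst, is_allowed(src, dst))
    print("\n".join(render_rules()))
```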
Ability to Take Automated and Immediate Action
The third piece of this puzzle is being able to force systems into zones designed specifically for them. Network access control tools perform this action to great effect, and most network access control implementations work on a "comply to connect" methodology. With this method, the network access control tool queries the client when it first connects to the network. This prevents suspect clients from connecting to the network, but the method can also be taken to the next logical step.
With the integration of the visibility tools and the network access control tool, actions can be taken as soon as unwanted behavior is first shown. For instance, if a client is infected by malware and begins the process of encrypting files, the visibility toolset will show this action immediately. The visibility tool is then used to trigger an event on the network access control tool to isolate the offending client and quarantine it on a special segment of the network. The client can then be analyzed, cleaned, and information gleaned to remediate any malware activities.
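The visibility-to-NAC automation described above, as an added example rather than any product's code: a visibility feed reports per-client file events, and a client that renames or overwrites an unusual number of distinct files inside a short window is moved to a quarantine segment. The event format, thresholds, VLAN id, and the NAC callback are constructed assumptions; a real NAC product exposes its own API.

```python
"""Visibility-driven quarantine decision (added example, constructed data).

Sliding window per client: if the number of distinct files written or
renamed within WINDOW_SECONDS reaches THRESHOLD, the client is quarantined
once via the supplied NAC callback and ignored thereafter.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # look-back window (constructed tuning value)
THRESHOLD = 25           # distinct files written/renamed per window
QUARANTINE_VLAN = 999    # constructed quarantine segment id

class QuarantineDecider:
    def __init__(self, nac_action):
        self.nac_action = nac_action          # callable(client, vlan), e.g. a NAC API call
        self.events = defaultdict(deque)      # client -> deque of (timestamp, path)
        self.quarantined = set()

    def observe(self, ts, client, op, path):
        """Feed one file event. Returns True if this event triggered quarantine."""
        if client in self.quarantined or op not in ("write", "rename"):
            return False
        q = self.events[client]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= THRESHOLD:
            self.quarantined.add(client)
            self.nac_action(client, QUARANTINE_VLAN)  # isolate on the quarantine segment
            return True
        return False

def run_sample():
    """Replay a constructed stream: one client touching 30 files in about
    10 seconds (mass-encryption-like), one client doing ordinary work."""
    actions = []
    d = QuarantineDecider(lambda c, v: actions.append((c, v)))
    for i in range(30):
        d.observe(1000 + i * 0.3, "10.10.9.3", "rename", f"/share/doc{i}.docx")
    for i in range(5):
        d.observe(1000 + i * 10, "10.10.3.4", "write", f"/share/report{i}.pdf")
    return actions, sorted(d.quarantined)

if __name__ == "__main__":
    print(run_sample())
```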
With the correct implementation strategies, legacy systems can be properly isolated on your network to limit the overall cross-section of risk they present. Naturally, this approach can be expanded beyond protecting the organization from legacy systems and used to create a very strong security foundation for the whole organization.