Cracking Down on Rogue Devices

Meritrust Credit Union: Network Security Case Study
Rogue devices. They are an ongoing network security challenge for institutions of any size, in any geographic region.

So, when Brian Meyer became information security officer for Meritrust Credit Union, a Wichita, Kan.-based institution with more than $881 million in assets, he tackled this challenge head-on.

"I'm one security guy; I can't be in 14 places," Meyer says. "So when we started looking around, we found evidence of unapproved devices, evidence that these devices were rumored and/or caught communicating on the network, and also other devices that had improper apps or wrong versions on them."

What Meritrust needed was a network access control strategy, Meyer says, and so the institution deployed new policies and a ForeScout Technologies solution to introduce a layered security approach.

"By implementing that inclusive NAC solution, I'm able to focus on multiple events out of the GRC and security guidelines with the critical controls," Meyer says. "We've achieved our goal that we set of securing the endpoint devices."

In an interview about how Meritrust tackled network security, Meyer discusses:

  • The rogue device challenge;
  • Meritrust's NAC solution;
  • Benefits from this new layered security approach.

Meyer is an information security officer for Meritrust Credit Union, based in Wichita, Kan. Over the past five years at Meritrust, he has implemented layers of control to meet ongoing compliance objectives and streamlined security policy.

Rogue Devices

TOM FIELD: Organizations everywhere struggle with rogue devices in their networks. How has the challenge manifested in your organization?

BRIAN MEYER: Starting a couple of years ago, we took a step back. [In] implementing critical security controls, we looked at a gap analysis of where we were at and where we needed to be. We started to see that there was a lot of policy that wasn't being followed. Everybody has policy, but how do you make sure it's properly enforced and followed? I'm one security guy; I can't be in 14 places. So, when we started looking around, we found evidence of unapproved devices, evidence that these devices were rumored and/or caught communicating on the network, and also other devices that had improper apps or wrong versions on them. They weren't up to where they needed to be patch-wise.

We tried to analyze what single expenditure could we do to mitigate this risk and encompass a lot of the security controls that were established out there. We looked at NAC, and that obviously was one of our key points to implement.

Implementing NAC

FIELD: What specifically have you done since you recognized the issue?

MEYER: Once InfoSec and the CIO got together and took that stance by saying "No unapproved devices on the network," we pulled all the directors in and said, "Look, we're not having any more of these policy violations. Here's the actual policy, and we're going to take steps to mitigate it." I looked at the industry as a whole. I analyzed Gartner reports and looked for some guidance. I discussed with our local IT vendors and looked at multiple solutions.

We honed in on a NAC solution [ForeScout's CounterACT] that was going to fit a best practice that we wanted to implement and that was going to align with the critical security controls that I mentioned earlier. [We tried] to take out a lot of those security controls at one time with a single expenditure. Key for any organization that's going to be starting up and trying to get their arms around this is finding a device that's flexible and unique to the space, [not] "I'm going to solve this one problem." You actually have some flexibility where you can solve multiple issues with a single expenditure.

Improved Security, Compliance

FIELD: What results have you seen?

MEYER: By implementing that inclusive NAC solution, I'm able to focus on multiple events out of the GRC and security guidelines with the critical controls. We've achieved our goal that we set of securing the endpoint devices. We meet our IT GRC compliance guidelines. The big key takeaway is that we have automated policy enforcement with our NAC appliance. It checks every device that's plugged in real-time. We check it against multiple policies that are out there, and if we have a policy that changes or we want to modify a certain way that things are looked at, then that's able to be done, pretty much in real-time. If auditors come in or we need to approve certain regulatory things, we're able to do that with either canned reports or customized reports as needed.

The other thing was, if we do find a rogue device or an unapproved device - even now as we're entering the phase of BYOD, as the hot term that's out there - we're able to apply policy, not just a strict yes or no, and we can take additional steps of either isolating them on or off key segments on the network, or entirely off of the production segment and say, "You're in this quarantine space until you do X, Y and Z."

Advice

FIELD: Based on your experience so far, what advice would you offer to other institutions facing the same challenges?

MEYER: Work with your IT resources and vendors. You want to do a gap analysis and see where you're at with everything. Look at your roadmap. Find what direction you want your GRC policy to go and then - if it's a NAC solution that you decide to go with - choose a product and a demo that's going to integrate into your environment.

Beware of the big-name vendors that say they can do everything. Make them prove it. Our solution has been the ForeScout CounterACT, and it has been wonderful to have the flexibility and continued plugin features that allow us to extend the solution beyond the normal NAC authentication yes/no solution. Along with that, I would definitely recommend purchasing a few hours of professional service from the vendor that you go with.

Especially with NAC, you want to get a baseline policy set up, so that you don't have to rely on authentication alone. You want to be able to profile machines. You want to be able to look at your environment as a whole and then make decisions that aren't specifically based on one or two key data points. You want to look at all of the data points together.

Additionally, you don't want a single point of failure; you want layers. Authentication alone is not sufficient, and you want to tie all of your devices together. You're striving for the holistic approach. You want to get your NAC to feed your AV to feed your IDS to feed your SIEM so that you have this all-inclusive bubble of your whole entire network that you can see and look at in real-time and make sure that everything is in compliance and meeting your GRC policy.
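The approach Meyer describes in the last two answers, a baseline policy that profiles each device on several data points, quarantines unknown or unauthenticated devices, restricts known but non-compliant ones rather than giving a flat yes/no, and feeds the result onward to the SIEM, can be sketched as a small policy evaluator. The code below is an added illustration written for this page; it is not ForeScout CounterACT configuration, nor Meritrust's policy. The device records, policy thresholds and app names are constructed sample data, and the decision tiers (allow, restrict, quarantine) are assumptions chosen to mirror the interview.

```python
"""Toy NAC posture evaluation: combine several device attributes into a
tiered access decision instead of relying on authentication alone.
Added example, not vendor code; all data below is constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"            # full access to the production segment
    RESTRICT = "restrict"      # remediation segment until findings are cleared
    QUARANTINE = "quarantine"  # isolated until InfoSec reviews the device


@dataclass(frozen=True)
class Device:
    mac: str
    authenticated: bool       # passed the network authentication check
    in_inventory: bool        # present in the approved-device register
    patch_level: int          # constructed: higher means more current
    installed_apps: frozenset # app identifiers reported by the endpoint agent
    av_running: bool          # endpoint anti-virus agent is active


@dataclass(frozen=True)
class Policy:
    min_patch_level: int
    prohibited_apps: frozenset
    required_apps: frozenset


@dataclass
class Decision:
    action: Action
    findings: list = field(default_factory=list)


def evaluate(device: Device, policy: Policy) -> Decision:
    """Return the access tier for one device plus the findings behind it."""
    findings = []
    # Hard stops: an unknown or unauthenticated device is isolated regardless
    # of its posture, so the policy is not a pure authentication yes/no.
    if not device.authenticated:
        findings.append("authentication failed")
    if not device.in_inventory:
        findings.append("device not in approved inventory")
    if findings:
        return Decision(Action.QUARANTINE, findings)

    # Posture checks: each one is a single data point; the decision is made
    # on all of them together.
    if device.patch_level < policy.min_patch_level:
        findings.append(f"patch level {device.patch_level} below required "
                        f"{policy.min_patch_level}")
    banned = device.installed_apps & policy.prohibited_apps
    if banned:
        findings.append("prohibited apps present: " + ", ".join(sorted(banned)))
    missing = policy.required_apps - device.installed_apps
    if missing:
        findings.append("required apps missing: " + ", ".join(sorted(missing)))
    if not device.av_running:
        findings.append("endpoint AV not running")

    if not findings:
        return Decision(Action.ALLOW, findings)
    # Known and authenticated but non-compliant: restrict to a remediation
    # segment rather than deny outright.
    return Decision(Action.RESTRICT, findings)


# Constructed sample policy and device inventory (not real values).
POLICY = Policy(min_patch_level=42,
                prohibited_apps=frozenset({"torrent-client"}),
                required_apps=frozenset({"edr-agent"}))

SAMPLE_DEVICES = [
    Device("aa:bb:cc:00:00:01", True, True, 45, frozenset({"edr-agent", "office"}), True),
    Device("aa:bb:cc:00:00:02", True, True, 40, frozenset({"edr-agent", "torrent-client"}), True),
    Device("aa:bb:cc:00:00:03", False, False, 45, frozenset({"edr-agent"}), True),
    Device("aa:bb:cc:00:00:04", True, True, 45, frozenset({"office"}), False),
]


def evaluate_all(devices=SAMPLE_DEVICES, policy=POLICY) -> dict:
    """Evaluate every device; returns {mac: Decision}."""
    return {d.mac: evaluate(d, policy) for d in devices}


def siem_event(device: Device, decision: Decision) -> dict:
    """Shape one decision as a flat record for forwarding to a SIEM."""
    return {"source": "nac", "mac": device.mac,
            "action": decision.action.value, "findings": list(decision.findings)}


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(siem_event(dev, evaluate(dev, POLICY)))
```

Running the script prints one SIEM-style record per device: the fully compliant device is allowed, the two known devices with stale patches, a prohibited app, a missing agent or a stopped AV land in the remediation tier with the exact findings listed, and the unknown unauthenticated device is quarantined. The findings list is what makes the "until you do X, Y and Z" conversation concrete, and the same record is what a downstream AV, IDS or SIEM integration would consume.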


About the Author

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.
