Defence in depth is a well-known military concept that can be mirrored one-to-one in your strategy for protecting your data and your separated network. At Arbit we do not claim that one single action, like implementing diodes, will do the job, but we do help customers set up their cyber defence more effectively, with diodes in the front line and other measures and technologies in depth. As we have implemented solutions for many high-security networks used by armed forces, police, intelligence services and large corporations, we are able to advise you on how to set up cyber border perimeter protection that matches your needs.
Looking across the solutions we have implemented, in most cases it starts with a segmentation or an air gap between the “internet connected network” and the network containing classified or sensitive data. In this news article we will take you through the most obvious steps in the process – and how to overcome the problems associated with it.
Defence line One: Separation
Step one, separating or segmenting your network, is crucial, as it stops any communication and transfer of data to and from the network. To re-establish this function and transfer data from, for instance, the internet (low) to the protected network (high), an Arbit data diode is an obvious choice. The diode is capable of data transfer in one direction only (certified according to Common Criteria). With this first step you have therefore eliminated attempts to actively hack your network, as a potential attack usually begins with an intense port scan to analyze and identify an attack vector.
Defence line Two: Malware protection
We normally divide the data flow via the diode into three independent flows: files, e-mail and streaming. As the diode ensures transfer of data from low to high, all files must, as a minimum, be scanned for malware and put into quarantine if infected. For files, this is a rather easy operation with either a single malware detection software or, as we recommend, a multi-scanning software like OPSWAT MetaDefender (MD). E-mails are a bit more complicated to scan than files, as both the e-mail and its attachments might contain different types of attack vectors that need more than just scanning.
Defence line Three: Content Disarmament and Reconstruction (CDR)
For both files and mails, CDR is a valuable tool that offers a number of features like Data Leak Prevention (DLP), heuristic analysis, deactivation of links and more. Together with the diode it ensures that infected data does not enter your network and that “the talk back” is effectively cut by the diode.
Defence line Four: SANDBOX technology
Sandboxing is a further step that ensures a “second opinion” on the above measures.
Data release / data export
The above are feasible, preventive steps to secure your data import, and the beauty is that they can all be, and should be, reused during data release. However, one essential feature must be added: the Right-to-Release feature.
The Right-to-Release, and to whom it should be given, is an organizational decision: who in the organization has the authority to release data? Technically, there are several ways to enforce this Right-to-Release, for example allowing only appointed releasers to sign data or checking releasers against the Active Directory, and the Arbit Data Diode supports this. The Arbit data diode also supports the use of customized filtering via an open API: we do not deliver “a black box”, and we support integration of third-party software.
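As an added illustration (not Arbit's code or API), a minimal right-to-release gate of the kind described above: the releaser signs the exact bytes to be released, and the gate in front of the release diode checks both the signature and the releaser's current authority. The function names, the allow-list standing in for an Active Directory group lookup, and the use of HMAC in place of a real digital signature are all assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for a directory lookup of appointed releasers.
APPOINTED_RELEASERS = {"alice"}
# Constructed per-user keys; HMAC stands in for a real digital signature.
SIGNING_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}


def _tag(key: bytes, user: str, digest: str) -> str:
    # Bind the releaser identity to the content hash.
    return hmac.new(key, f"{user}:{digest}".encode(), hashlib.sha256).hexdigest()


def sign_release(user: str, payload: bytes) -> dict:
    """Releaser side: produce a manifest for the exact bytes being released."""
    digest = hashlib.sha256(payload).hexdigest()
    return {"releaser": user, "sha256": digest,
            "signature": _tag(SIGNING_KEYS[user], user, digest)}


def release_decision(payload: bytes, manifest: dict) -> tuple[bool, str]:
    """Gate before the release diode: fail closed unless every check passes."""
    user = manifest.get("releaser")
    key = SIGNING_KEYS.get(user)
    if key is None:
        return False, "unknown releaser"
    # Authority is checked at release time, so revoking a releaser
    # also invalidates manifests they signed earlier.
    if user not in APPOINTED_RELEASERS:
        return False, "not an appointed releaser"
    digest = hashlib.sha256(payload).hexdigest()
    claimed = str(manifest.get("sha256", ""))
    if not hmac.compare_digest(digest.encode(), claimed.encode()):
        return False, "payload changed after signing"
    signature = str(manifest.get("signature", ""))
    if not hmac.compare_digest(_tag(key, user, digest).encode(), signature.encode()):
        return False, "bad signature"
    return True, "release approved"


if __name__ == "__main__":
    doc = b"constructed sample document"
    print(release_decision(doc, sign_release("alice", doc)))
    print(release_decision(doc, sign_release("bob", doc)))
```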
NOTE: This release procedure, using one release diode, is what we recommend for releasing data from RESTRICTED or equivalent networks. To release data from SECRET and TOP SECRET networks, please take a look at our Arbit Trust Gateway.