Is a Functioning Network Where No Users Are Complaining and Services Are Available Okay?
Help desk tickets are down today, and users are not complaining. All services are up and accessible. Everything is going fine across the whole network.
Or is it? If that is your only metric, then you have succeeded. However, what if all services are up and help desk tickets are down because the people controlling your systems are making sure they are running flawlessly? The only problem is that the people controlling your systems don’t work for your company.
The people actually controlling your systems are on the other side of the world, and they make sure the systems run without issue so the help desk is not called and they are not found out. Is that possible? It is. I have seen it happen.
We had a customer we were doing an assessment for when we noticed some bot traffic. Instead of just terminating the traffic, the customer wanted to see exactly how far the bad guys had infiltrated. It turns out they were in so deep that they actually did maintenance on the computers they controlled so the systems would work without fail, and no IT personnel would ever have to be called. The bad guys had set up shop in this network to orchestrate control over many other computers around the world, and they simply hid their egress traffic in HTTPS traffic.
How do you ensure this doesn’t happen to you? That’s pretty easy. Simply follow the steps below.
- Always have a baseline. If you don’t know what your network looks like on a good day, how will you know what it looks like on a bad day? Make this baseline graphical in nature. Understand what a good “picture” looks like, and compare that picture to other days.
- Look at all traffic. You may have three, four, or five security applications that provide most of the protections to your network. However, you don't have the ability to look inside the SSL traffic on your network. If that is the case, then depending on which statistics you believe, you are not seeing 40% to 60% of the traffic on your network. That is likely where the bad guys hide while in transit.
- See all of the traffic. Being able to log the traffic and review the logs is not enough: no security technician can possibly keep up with logs in raw format, no matter how good the filtering. The logs need to be converted to a graphical representation so it is easy to tell whether what you are looking at is good or bad. Is it normal or abnormal?
- Don't just detect: prevent. If the system sees something it knows is bad, block it. Don't just report on it. How do you know if it's really bad and not a false positive? Do you have enough logic built into the system that you can ask your users and allow them to remediate their own problems or verify false positives? How do you do that? That's what we do every day. Contact us, and we will demonstrate.
- Understand where the edge of your network is, and protect it. Where is the edge? It is everywhere. What does this mean for network security? It means you have to protect not only the enterprise, but also the cloud, the endpoint, and mobile. This can all be done relatively painlessly if you employ the right technology. Don't chase point products because they are cool. Use products with a security framework and architecture built in.
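As an added illustration of the baseline and traffic-visibility points above (example code written for this page, not the author's product or tooling), the script below builds a per-host baseline of HTTPS egress from constructed flow summaries and flags a host whose daily volume or set of destinations departs from its own "good day" picture. The hosts, destinations and byte counts are invented.

```python
import statistics
from collections import defaultdict

# Constructed flow summaries (not real data): (day, internal host, destination, bytes out on 443).
BASELINE = [
    ("d1", "10.0.0.5", "cdn.example", 12_000), ("d1", "10.0.0.5", "mail.example", 8_000),
    ("d2", "10.0.0.5", "cdn.example", 11_000), ("d2", "10.0.0.5", "mail.example", 9_000),
    ("d3", "10.0.0.5", "cdn.example", 13_000), ("d3", "10.0.0.5", "mail.example", 7_500),
    ("d1", "10.0.0.9", "cdn.example", 40_000), ("d2", "10.0.0.9", "cdn.example", 42_000),
    ("d3", "10.0.0.9", "cdn.example", 38_000),
]
TODAY = [
    ("d4", "10.0.0.5", "cdn.example", 12_500), ("d4", "10.0.0.5", "mail.example", 8_200),
    ("d4", "10.0.0.5", "203.0.113.7", 95_000),  # never seen before, and a large upload
    ("d4", "10.0.0.9", "cdn.example", 41_000),
]

def daily_totals(flows):
    """Map host -> list of per-day byte totals (one sample per day the host was seen)."""
    per_day = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        per_day[(host, day)] += nbytes
    per_host = defaultdict(list)
    for (host, _day), total in per_day.items():
        per_host[host].append(total)
    return per_host

def build_baseline(flows):
    """Per host: (mean, population stdev) of daily bytes out, plus the set of known destinations."""
    dests = defaultdict(set)
    for _day, host, dst, _n in flows:
        dests[host].add(dst)
    return {h: (statistics.mean(v), statistics.pstdev(v), dests[h])
            for h, v in daily_totals(flows).items()}

def compare(baseline, today, z_threshold=3.0):
    """Return {host: [reasons]} for hosts whose 'picture' differs from the baseline."""
    findings = defaultdict(list)
    for host, totals in daily_totals(today).items():
        if host not in baseline:
            findings[host].append("host not present in baseline")
            continue
        mean, sd, _known = baseline[host]
        # With zero variance any increase gives an infinite z-score; fall back to a 2x-of-mean rule.
        if (sd > 0 and (totals[0] - mean) / sd > z_threshold) or (sd == 0 and totals[0] > 2 * mean):
            findings[host].append(f"egress {totals[0]} bytes vs baseline mean {mean:.0f}")
    for _day, host, dst, _n in today:
        if host in baseline and dst not in baseline[host][2]:
            findings[host].append(f"new destination {dst}")
    return dict(findings)
```

The same comparison applied to counts of connections or session durations catches the quieter case where an implant keeps its volume low but talks to a destination the host never contacted on a good day.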
If you have something to protect and you follow the steps above, you can accomplish your goals. How do you find unknown malware on your network? If you want to learn more, feel free to contact me.