Five Things To Know About Protecting Your Network From Emerging Threats
In today’s ever-changing security landscape, it is hard for security operations to keep up. Millions of logs, shadow IT, malvertising, new applications appearing hourly, niche solutions, and the virtual removal of the perimeter all reduce the effectiveness of the security technology that once kept your network secure. These new applications, and the loss of control over IT operations, can easily give a would-be attacker an avenue for initial access.
Once the attacker is on the inside it’s pretty easy to move laterally, and time is on the attacker’s side. Whether they are looking for data or credentials on your network, or just using your network as a jumping-off point to reach another, they are largely undetectable once inside.
So how, then, can you secure your network to ensure that you, your customers and your partners are safe, and that you are not vulnerable to emerging threats?
- Understand the current threat landscape
This is different for every company. How you do business, the line of business you are in, where you do business, and the culture of your business all shape which threats matter and how hard they are to understand.
Is your data all in the cloud? Is it housed in your own datacenter? Is it a hybrid, or is it dispersed among road warriors and servers that dot the landscape? The answer will help you understand your risk tolerance for vulnerabilities, targeted attacks, malware, spam, phishing, cyber criminals, web-based threats, and so on.
No matter what your geographical footprint or physical presence looks like, the key is being able to see where you are vulnerable. Once you can see where you are vulnerable, you can start to understand your risk under various scenarios and take action to mitigate it.
- Realize that your security perimeter no longer exists
Most likely you already have a firm understanding of this fact. The question is, have you taken action to limit the risks it poses? In today’s world security must follow the user, and it needs to be constant. It doesn’t matter whether the user is at home on VPN, in the corporate office, or in an airport not connected to VPN. Providing a consistent platform and consistent expected behavior for the user is key. Otherwise, if one connection is less restricted than the others, that is the connection users will end up on the most. It is also where they will be at the most risk.
- Outsource the advanced threat analysis
What I mean by this is that unless you work for one of the Fortune 1000 companies, you likely don’t have the resources to analyze all of the threats each of your users faces daily. Likely you can’t analyze 1% of them. So why try? It is critical that you subscribe to a service that can do this for you. There are many of them out there, but here are some of the key things to look for when determining which one is a good fit.
- Does it integrate into your current security architecture? You do not want another console, another place to look at logs, or another item you have to correlate.
- Does it function seamlessly? Updates need to be automated, protections need to be automatic, and this service should free up your time, not take more of it.
- Is the service global, and what is the size and scope of its analytics? As malware spreads around the globe you should have confidence that you’re not going to be the first user to run into it. Look at the footprint of your provider, understand how updates occur, understand how you are protected, and ensure you have the support you need when you need it.
- What is the most important thing to control on your network?
In a lot of instances organizations block everything or they block nothing. Both are bad. Not blocking anything is bad for the obvious reason, but blocking everything and then allowing what is needed is also bad. The reason it’s bad is that it does not scale. What happens most of the time in these cases is that you start by blocking everything, and by the time you are done your policy looks like Swiss cheese.
The first thing you need, once again, is visibility. Once you can see what’s going on you can determine whether it’s good or bad. The second thing you need is the ability to block what your acceptable use policy (AUP) requires, or what you know is bad if you don’t have an AUP. The third thing you need is the ability to alert or train your users. Rather than just blocking traffic, wouldn’t it be more effective if you were able to tell your users why something was blocked? Or, better yet, let them know that what they are doing may be bad and ask them whether it is what they intended. The latter concept lets you enforce policy without breaking or limiting productivity.
Realize that with modern technology it is no longer good practice to block everything. From a firewall perspective that is what you want to do. But when it comes to URLs and applications, you want to permit users to use everything that does not cause problems, create breaches, or compromise the user.
Apps and URLs pop up and go away so quickly today that you may break legitimate connectivity for legitimate business needs. You may be able to fix it quickly, but that is not a scalable solution. Start by specifically allowing what you know you need. Block what you know is not needed or not allowed. Make various levels of exception groups. And allow everything else. You will be safe, your users will be happy, and your company will be productive.
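The policy order described above (allow what you know you need, block what you know is bad or not allowed, carve out exception groups, allow and coach on everything else) as an added example; this is not code from the original article, and every app name, category, user and group in it is a constructed placeholder.

```python
"""Added example: application/URL policy evaluated in the order the article
recommends. All app names, categories, users and groups are constructed."""
from __future__ import annotations
from dataclasses import dataclass

ALLOW, BLOCK, COACH = "allow", "block", "coach"

# Explicitly allowed: the applications the business is known to need.
REQUIRED_APPS = {"erp-portal", "mail", "crm"}
# Explicitly blocked: the AUP says no, or the app is known to be unwanted.
BLOCKED_APPS = {"anon-proxy", "torrent-client"}
# Categories that are known bad regardless of who asks.
BLOCKED_CATEGORIES = {"malware", "phishing"}
# Exception groups: members may use an app that is blocked for everyone else.
EXCEPTION_GROUPS = {"security-team": {"anon-proxy"}}
# Allowed, but the user is asked to confirm this is what they intended.
COACH_CATEGORIES = {"file-sharing", "uncategorised"}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    category: str


def evaluate(req: Request) -> tuple[str, str]:
    """Return (action, reason). Known-bad categories are checked first so an
    allow-list entry cannot override them; then the article's order applies,
    and anything unmatched is allowed rather than blocked."""
    if req.category in BLOCKED_CATEGORIES:
        return BLOCK, f"category {req.category} is known bad"
    if req.app in REQUIRED_APPS:
        return ALLOW, "required business application"
    for group in sorted(req.groups):
        if req.app in EXCEPTION_GROUPS.get(group, set()):
            return ALLOW, f"exception group {group}"
    if req.app in BLOCKED_APPS:
        return BLOCK, "application blocked by AUP"
    if req.category in COACH_CATEGORIES:
        return COACH, f"allowed, but user asked to confirm {req.category} use"
    return ALLOW, "default allow: not known bad"


if __name__ == "__main__":
    for r in (Request("alice", frozenset({"sales"}), "crm", "business"),
              Request("bob", frozenset({"security-team"}), "anon-proxy", "proxy"),
              Request("carol", frozenset({"sales"}), "anon-proxy", "proxy"),
              Request("dave", frozenset(), "share-box", "file-sharing"),
              Request("erin", frozenset(), "new-saas", "business")):
        print(r.user, r.app, *evaluate(r))
```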
- Assume you will not be successful 100% of the time
What this means is that you have to assume that at some point you will be a loser. The bad guys will win for one reason or another. When that happens, make sure you have a plan in place to mitigate your loss. When the user clicks on the link, what happens? Do you lose that one single device, or does it take down a whole segment of your network? Or is there a mitigating control? With proper planning you can block command and control communication, which in turn will limit the damage from the click.
Training is key. Oftentimes it is overlooked because it’s not technical, but it is one of the most critical components because it involves the user. Anyone can secure a computer with a bag of concrete, but put a user in control and all bets are off. What happens when you get an unsolicited email? What happens when there is a link to click? What happens when there is an attachment to download? What happens when you store your passwords in Notepad on your desktop? What happens when you do click the link?
Which is THE MOST IMPORTANT THING TO DO?
Out of everything we just covered, what is the most important thing? Everything. You must focus on everything. The best way to make that possible is as follows:
- Visibility, visibility, visibility. If you can’t see what’s going on today in a simple picture or graphical representation, how will you know when you are under attack? You must have a simple, graphical representation of your network health.
- Centralized logging. It’s a must. You can’t log into 5 different places to follow an intruder’s trail.
- Automated mitigation. There must be mitigation for when an attack is successful, and it needs to be automated.
- Access control for all aspects of your traffic. If you only apply protections to traffic you can see – such as HTTP only – you are missing 70% of your network traffic.
- A baseline, and automated reporting that shows any deviation from that baseline over time.
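The last point, a baseline with automated reporting of deviations from it, as an added example that is not part of the original article: the baseline is each host’s daily outbound connection count over a trailing window, and a day beyond K standard deviations above the mean, or a host with no history at all, is reported. All hostnames and counts are constructed.

```python
"""Added example: baseline-and-deviation report over per-host daily outbound
connection counts. The history and today's values are constructed data."""
from statistics import mean, pstdev

K = 3.0            # report anything more than K standard deviations above mean
MIN_HISTORY = 7    # days of history required before a baseline is trusted

# Constructed history: host -> daily outbound connection counts (oldest first).
HISTORY = {
    "ws-101": [210, 198, 225, 203, 215, 220, 208, 212, 199, 230],
    "ws-102": [50, 48, 55, 52, 49, 51, 53, 50, 47, 54],
    "srv-db-1": [1200, 1180, 1220, 1190, 1210, 1205, 1195, 1215, 1185, 1200],
}

# Constructed observations for "today", including a host never seen before.
TODAY = {"ws-101": 216, "ws-102": 640, "srv-db-1": 1208, "ws-new": 900}


def baseline(counts):
    """Return (mean, population stdev) for a host, or None if history is too short."""
    if len(counts) < MIN_HISTORY:
        return None
    return mean(counts), pstdev(counts)


def deviation_report(history, today, k=K):
    """Return {host: finding} for hosts that deviate from baseline or lack one.
    Hosts within their baseline are omitted so the report stays readable."""
    findings = {}
    for host, value in today.items():
        stats = baseline(history.get(host, []))
        if stats is None:
            findings[host] = "no baseline: new or rarely seen host"
            continue
        mu, sigma = stats
        # A perfectly flat history has sigma == 0; keep the threshold meaningful.
        threshold = mu + k * max(sigma, 1.0)
        if value > threshold:
            findings[host] = f"{value} connections vs baseline {mu:.0f}±{sigma:.0f}"
    return findings


if __name__ == "__main__":
    for host, finding in deviation_report(HISTORY, TODAY).items():
        print(f"{host}: {finding}")
```

On the constructed data only ws-102 (640 against a baseline near 51) and the unseen ws-new are reported; the two hosts within their normal range stay silent.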
This may all seem very daunting and if you don’t do it every day, I’m sure it is. If you want to talk some of these things through or you want to bounce some ideas off of the experts, contact us today. Ideally you should be looking for an example of how this all functions on your network. We can provide that in a few quick, unobtrusive steps. Click here to get started.