31 October 2016

The 3 things you need to minimize and detect network breaches

There is a saying in the security community: there are two types of organizations, those who have been breached and those who do not yet know that they have been breached.

I will also let you in on a secret: not all breaches are avoidable. Bad actors have too many tools and there are too many angles of attack (but that does not mean you should not try).

First, you need to keep your house tidy (know what you own, remove things you do not need and review at least monthly that everything is up to date). This is your passive defence.

Second, you need a good NGFW (Next Generation Firewall, you can read my previous post here for more details). This will block a good portion of the malware from coming in and will block attempts by malware that makes it through to call home to its C&C (Command & Control). This is your active defence.

Third, you need to keep a watchful eye on everything. This may sound impossible, but this is what SIEM (Security Information & Event Management) is for. It will collect logs from most [all] devices, Netflow data from your firewall, normalize the events, correlate all the information and present a complete picture of the incidents occurring in the overall environment. The better ones will even have an integrated Vulnerability Scanner to find weaknesses in your systems and act as Network and Host Intrusion Detection Systems (NIDS and HIDS).
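As an added illustration (not from the original post), here is the normalize-and-correlate step of a SIEM in miniature: it parses constructed NGFW deny lines and NetFlow-style records into one event shape, then groups contacts by internal host, external host and port. The log format, field names and the repeat threshold are my own assumptions.

```python
"""Miniature SIEM pass: normalize two log sources, then correlate them into incidents."""
import re
from collections import defaultdict

# Constructed sample data, not real logs: NGFW syslog-style lines and NetFlow-style records.
FIREWALL_LINES = [
    "2016-10-31T10:00:01 fw1 action=deny src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2016-10-31T10:05:02 fw1 action=deny src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2016-10-31T10:10:03 fw1 action=deny src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2016-10-31T10:12:00 fw1 action=allow src=10.0.0.7 dst=198.51.100.2 dport=80",
]
NETFLOW_RECORDS = [  # flows the firewall let through (the NGFW alone would not raise these)
    {"ts": "2016-10-31T10:15:04", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "bytes": 512},
    {"ts": "2016-10-31T10:20:05", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "bytes": 498},
]

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def normalize_firewall(line):
    """Turn one firewall line into the common event shape; None if it does not parse."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "source": "ngfw", "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "blocked": m["action"] == "deny"}

def normalize_netflow(rec):
    """NetFlow records describe traffic that actually flowed, so blocked is always False."""
    return {"ts": rec["ts"], "source": "netflow", "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "blocked": False}

def correlate(events, threshold=3):
    """Group by (internal host, external host, port) across both sources and report pairs seen
    at least `threshold` times; repeated contact with one external host is what an analyst wants
    to see as a single incident rather than as scattered firewall denies and flow records."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"], e["dport"])].append(e)
    incidents = []
    for (src, dst, dport), evs in groups.items():
        if len(evs) >= threshold:
            incidents.append({"src": src, "dst": dst, "dport": dport, "count": len(evs),
                              "blocked": sum(e["blocked"] for e in evs),
                              "sources": sorted({e["source"] for e in evs})})
    return incidents

def run():
    """Full pipeline over the constructed data: returns one incident, 5 contacts of which 3 were blocked."""
    events = [e for e in map(normalize_firewall, FIREWALL_LINES) if e]
    events += [normalize_netflow(r) for r in NETFLOW_RECORDS]
    return correlate(events)
```

The point of the combined view is the "blocked 3 of 5" detail: the firewall alone logs three denies, the flow data alone shows two quiet connections, and only the correlation shows one host talking to the same external address five times.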

The bad news: this is not easy if you try to do it all with a small IT team.

The good news: this can be easy if you leverage a Managed [Security] Service Provider that can do this with you or for you (some will even do it with no initial cost).

Quick recap:

1: If you are not willing to keep your house tidy [pardon my bluntness]: don’t bother with 2 and 3, throwing money at the problem will not compensate.

2: Having only an NGFW will block a lot of things, but it will not detect more advanced attacks or identify complex signs that you have been breached.

3: Having only SIEM will detect all the signs, but it will not block [aka prevent] anything.

So you need NGFW and SIEM together…

Ping me if you have any questions!