Posted: July 28, 2016
There is a great song by Chicago called “Does Anybody Really Know What Time It Is?” which I think of every time I’m sent to evaluate a client’s security posture. I often note that they don’t really know what is going on in their networks. Typically, this is due to the fact that they don’t yet have the necessary tools in place to monitor and detect malicious activities. The song could be called “Does Anybody Really Know Who’s On The Network?”, or for that matter “Does Anybody Really Care?”
On the other hand, companies typically do a decent job of restricting inbound access from the Internet on their firewalls. However, I have seen many cases of ill-advised access controls that permit insecure or unnecessary access to the primary network, with no true DMZ segment to protect it. Even where the inbound firewall rules are properly configured, many configurations allow ALL network traffic to flow out from inside the network to the Internet.
As a hacker, all I need to do is compromise someone’s computer via drive-by malware, a phishing attack, or any other nefarious method that can evade antivirus detection. At that point, I’m golden: I can bring up a command and control connection to anywhere in the world.
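To make the contrast concrete, here is an added example (not from the original post) that evaluates an "allow everything out" egress policy beside a restrictive one against the same constructed outbound connections. The network layout is assumed: workstations on 10.1.0.0/16, an internal resolver at 10.0.0.53 and an outbound web proxy at 10.0.0.80.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed example, not a real firewall syntax: addresses, ports and hosts are assumed.
Flow = namedtuple("Flow", "src dst dport proto")         # one outbound connection attempt
Rule = namedtuple("Rule", "action src dst dport proto")  # None for dport/proto means "any"

# Weak setting: anything the inside initiates may leave the network.
PERMISSIVE = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", None, None)]

# Corrected setting (assumed layout): workstations may only reach the internal resolver
# and the web proxy; only the proxy reaches the Internet, and only on 80/443.
RESTRICTIVE = [
    Rule("allow", "10.1.0.0/16", "10.0.0.53/32", 53, "udp"),    # DNS to internal resolver
    Rule("allow", "10.1.0.0/16", "10.0.0.80/32", 3128, "tcp"),  # workstation -> proxy
    Rule("allow", "10.0.0.80/32", "0.0.0.0/0", 80, "tcp"),      # proxy -> Internet
    Rule("allow", "10.0.0.80/32", "0.0.0.0/0", 443, "tcp"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, None),         # default deny (log these)
]

def matches(rule, flow):
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.dport in (None, flow.dport)
            and rule.proto in (None, flow.proto))

def decide(policy, flow):
    """First-match evaluation, as most firewalls do; implicit deny if nothing matches."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"

# Constructed flows: normal activity, plus a workstation opening a direct session to an
# arbitrary Internet host on a high port, the shape of a compromised machine's
# command-and-control connection.
FLOWS = {
    "dns": Flow("10.1.2.3", "10.0.0.53", 53, "udp"),
    "browse_via_proxy": Flow("10.1.2.3", "10.0.0.80", 3128, "tcp"),
    "proxy_to_web": Flow("10.0.0.80", "203.0.113.10", 443, "tcp"),
    "direct_c2": Flow("10.1.2.3", "198.51.100.7", 4444, "tcp"),
}

def audit(policy):
    """Map each constructed flow to the decision the policy would make."""
    return {name: decide(policy, flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    print("permissive :", audit(PERMISSIVE))
    print("restrictive:", audit(RESTRICTIVE))
```

Under the permissive policy every flow, including the direct high-port session, is allowed; under the restrictive one only that session is denied, which is exactly the event the default-deny rule should be logging for the SIEM.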
Considering the sheer volume of network traffic, we understand picking out the bad from the good is a challenge in itself. An Intrusion Detection System (IDS) is certainly a step in the right direction. If a company has deployed an IDS, they are typically:
Yet, good malware (if you can call it that) can easily bypass detection of the IDS. Thus, you have to know what you are looking for and be diligent in your monitoring to effectively detect a malicious attack.
Gathering security logs from your critical systems is another very important step. Dumping all that information into a SIEM provides a single point of reference for events to be stored and searched. The problem is, however, that a small organization may have 60-70 EPS (events per second) which relates to 6 million events per day or 180+ million events per month. That’s a lot!
We work with clients that have 1000+ EPS, which creates an astronomical amount of data. Many organizations, especially small to medium sized ones, don’t have the resources or expertise to scour the logs to determine what is relevant and what is not.
This is where an MSSP (Managed Security Services Provider) can provide much needed resources who have appropriate expertise. The MSSP can deploy the appropriate tools for analyzing the vast amount of data and understanding the trends and noise to find that needle in the haystack. They can employ external threat analytics and policy directives that cross correlate all the event data that is captured and look for certain types of behaviors that would indicate malicious activity. An MSSP is constantly looking at numerous client environments to identify commonality and trends in malicious events.
The MSSP’s focus is all about security, and that focus can result in finding a compromised system in a matter of hours or days rather than months or longer. According to Ponemon.org, “Sixty-three percent of respondents say their companies had one or more advanced attacks during the past 12 months. On average, it took 170 days to detect an advanced attack, 39 days to contain it and 43 days to remediate it.” A lot of damage can be done in that period of time. The sooner you are aware of a situation, the less time the threat actor has to recon and exploit your data and systems.
These have been trying times with compromised organizations and sensitive data leaks being reported almost daily. It has changed the mindset of many organizations from security as an afterthought to one that answers the question “Does anybody really care?” to a resounding “YES!” How about you?
For additional information, we invite you to join our webinar on September 15th at 2 PM EST where we will be discussing the topic of network security in more detail.
David Greenwell is the Manager of CISO Services and delivers on managed security services and client remediation consulting. David has managed, consulted, designed, and implemented networks for businesses of all sizes and for government/military agencies. He focuses on network architecture, data center operations, and security solutions. He is a 37-year veteran of InfoTech and is a founding member of CompliancePoint.