You strive for the best network security.
You buy the best tools, implement overlapping layers of security, train your employees, and you practice good password hygiene.
Even so, you discover holes built into your security. While a breach is not guaranteed, security flaws will certainly be discovered, even with the best software in place. For that reason, you must prepare.
For our third and final IT resolution for 2021, we promise to monitor for trouble. While you can’t plug the holes you don’t know about, you can certainly watch for attackers who made it past your defenses.
Discovering Cyber Security Flaws
In 2020, NIST documented 19,199 common vulnerabilities and exposures (CVEs) with 1,584 new CVEs documented in December 2020 alone.
Microsoft alone disclosed 1,250 vulnerabilities in 2020, and regular announcements are made from every major vendor, such as Adobe, Intel, Citrix, SAP, and Oracle.
Keep in mind that not all CVEs receive equal publicity. CVEs for widely used software, such as Microsoft's, will be featured in articles and blog posts. However, you need to monitor the CVEs for the more obscure software and hardware used by your organization.
For example, in December 2020, a cybersecurity firm discovered a hardcoded administrator account, “zyfwp,” in Zyxel firewalls and AP controllers. While Zyxel claims they only used the account to automatically deliver firmware updates via FTP, the SSH login allows any attacker to obtain administrator control of the hardware.
Your IT department needs news alerts for each significant piece of software or hardware used by the organization in order to catch announcements of vulnerabilities, along with any patches that eliminate the flaw. Just keep in mind that, to be recognized as a CVE, the flaw must also be acknowledged by the vendor.
Even if researchers (or attackers) discover potential flaws, until they are recognized by the vendor, you’ll simply have holes. Unfortunately, attackers monitor for these announcements too, and they will formulate attacks upon exposed vulnerabilities as quickly as possible.
Continuous Monitoring for Trouble
With the number of vulnerabilities and phishing attacks continuously increasing, every organization can expect an attack of some sort in the near future.
While your layers of security and network segmentation reduce the risk, these passive defenses will not stop all intruders.
In order to catch the attack in action, you’ll need to monitor for signs of an attack. In the past, we covered key signs of an attack in progress for the domain or the network. But, how is that monitoring done?
Computers, servers, and many network devices keep records of user commands, system calls, and other activities as log files. For our partners, we use software to collect and analyze these logs, which, ideally, provides the basis for both network and security monitoring.
Continuous network monitoring offers many benefits such as early detection of security vulnerabilities, satisfying compliance requirements, and certifying configurations. It also provides insight into traffic flow, and can help your organization create more efficient, segmented networks.
The logs pulled for network monitoring also combine with endpoint and server logs for security monitoring. Continuous security monitoring provides early detection of attackers and can shorten the time needed to stop attacks.
We look for commands and behavior flagged as malicious, as well as anomalous actions. Malicious behavior can be defined in various ways, but it often involves programs or actions that typical employees do not use, such as tools that explore the network or its security settings.
Anomalies flag unusual patterns within the otherwise normal activities. For example, a user might regularly log into several different machines, but if that user accesses multiple machines at the same time and from different places, it may indicate the ID has been compromised.
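As an added illustration of the anomaly described above (example code, not from the original post or from Ideal Integrations or Blue Bastion), the following Python scans constructed login records and flags a user whose logins within a short window come from more than one source address to more than one host, while leaving a user who simply logs into several machines from one place unflagged. The log line format, the field names, and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not real logs); the format is assumed.
# jsmith logs into three machines from one address: normal activity.
# mlee logs into three machines from two addresses within two minutes.
SAMPLE_LOGS = """\
2021-01-04T09:02:11Z login user=jsmith host=ws-17 src=10.0.4.22
2021-01-04T09:05:40Z login user=jsmith host=fileserver src=10.0.4.22
2021-01-04T09:06:02Z login user=jsmith host=ws-03 src=10.0.4.22
2021-01-04T11:14:09Z login user=mlee host=ws-21 src=10.0.7.5
2021-01-04T11:15:30Z login user=mlee host=hr-db src=203.0.113.45
2021-01-04T11:16:12Z login user=mlee host=ws-09 src=10.0.7.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+)$"
)


def parse_logs(text):
    """Parse log lines into (timestamp, user, host, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["host"], m["src"]))
    return events


def find_concurrent_logins(events, window=timedelta(minutes=10)):
    """Return {user: sorted source addresses} for users whose logins inside
    `window` reach more than one host from more than one source address."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        for i, (start, _, _, _) in enumerate(evs):
            # Sliding window anchored at event i; events are time-ordered.
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            srcs = {e[3] for e in in_window}
            hosts = {e[2] for e in in_window}
            if len(srcs) > 1 and len(hosts) > 1:
                flagged[user] = sorted(srcs)
                break
    return flagged
```

A hit is a red flag for an analyst to investigate, not proof of compromise: a legitimate VPN switch or a shared account will trigger the same pattern.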
While software solutions can assist with network and security monitoring, they must be combined with knowledgeable employees to ensure proper configuration and to understand the output. These analysts monitor the software, investigate the red flags, and can take immediate action when needed.
Any security staff can be lulled into a false sense of security because many alerts are false alarms.
However, today’s false positive may be tomorrow’s real event, so all alerts must be taken seriously.
Log analysis experience matters, but veteran analysts are in short supply. Large corporations can provide the pay and the challenges to retain them, but smaller organizations struggle to benefit from the expense of a full-time analyst.
Outsourcing to a managed service provides expertise at a fraction of the cost. They can either integrate into your team to provide supplemental monitoring, or provide full-service support.
If your organization is ready to leverage the network monitoring experience of Ideal Integrations or the security monitoring experience of Blue Bastion, call us today at 412-349-6680 or fill out the form below!