I think we as security experts need to stop focusing on who or what will attack us and start acting like we’re already owned. If we started thinking in terms of “I’m already compromised,” the security and monitoring of our networks and systems would improve drastically. The initial fear of security experts was of being hacked or compromised, but in reality this is happening every day while you’re on the clock. If you’ve ever had malware infect a workstation, you’ve been breached. This is just a small example, but it’s true. There are two types of security professionals:
With this being said, we need to start focusing on extrusion detection (a term coined by Richard Bejtlich, @taosecurity) as well as intrusion detection. We talk about security in layers a lot, and this is just another layer for detecting threats. The problem is that we often jump immediately to the shiny new objects out there, such as Data Loss Prevention (DLP), Next-Generation Firewalls, SIEM, etc., to get the job done. While these are all helpful tools that can certainly improve your ability to monitor for exfiltration and other nefarious traffic, there are things you can do immediately to improve your security posture.
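To make the extrusion-detection idea concrete, here is an added example (not code from the original post) that runs two simple checks over constructed outbound-flow records: a host sending far more than its usual daily volume, and a host connecting out on a port the egress policy does not permit. The flow records, the per-host baselines, the allowed-port set and the 5x ratio are all assumptions chosen for the example.

```python
"""Toy extrusion-detection pass over constructed outbound-flow records.

Added example, not from the original post. It assumes a flat flow log
(one record per outbound connection) and a per-host daily byte baseline;
the log lines and the threshold values below are constructed samples.
"""
from collections import defaultdict

# Constructed flow records: (source_host, dest_ip, dest_port, bytes_out)
FLOWS = [
    ("ws-101", "203.0.113.10", 443, 120_000),
    ("ws-101", "203.0.113.10", 443, 95_000),
    ("ws-102", "198.51.100.7", 22, 8_000),       # SSH out from a workstation
    ("ws-103", "203.0.113.77", 443, 2_500_000),  # unusually large uploads
    ("ws-103", "203.0.113.77", 443, 3_100_000),
    ("ws-104", "192.0.2.9", 6667, 1_200),        # port outside egress policy
]

# Assumed baseline: typical outbound bytes per workstation per day.
BASELINE_BYTES = {"ws-101": 500_000, "ws-102": 50_000,
                  "ws-103": 400_000, "ws-104": 300_000}
ALLOWED_PORTS = {80, 443}   # assumed egress policy for workstations
RATIO = 5                   # alert when outbound volume exceeds 5x baseline


def detect_extrusion(flows, baseline, allowed_ports, ratio=RATIO):
    """Return a sorted list of (host, reason) alerts.

    Two checks: outbound volume far above the host's baseline, and
    outbound connections to ports the egress policy does not permit.
    """
    alerts = set()
    total_out = defaultdict(int)
    for host, dest, port, nbytes in flows:
        total_out[host] += nbytes
        if port not in allowed_ports:
            alerts.add((host, f"egress to {dest}:{port} outside allowed ports"))
    for host, nbytes in total_out.items():
        limit = baseline.get(host, 0) * ratio
        if limit and nbytes > limit:
            alerts.add((host, f"outbound {nbytes} bytes exceeds {ratio}x baseline"))
    return sorted(alerts)


if __name__ == "__main__":
    for host, reason in detect_extrusion(FLOWS, BASELINE_BYTES, ALLOWED_PORTS):
        print(f"ALERT {host}: {reason}")
```

In practice the baseline would come from your own flow history rather than a hard-coded table, and the allowed-port set from your actual firewall policy.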
Log for Certain Alerts
There are certain alerts on your domain or network that you know right off the bat are bad news. These alerts should be caught and notified on right away. Many tools, such as a SIEM, will do this for you, but you still need to know what you’re looking for. If you don’t currently have a SIEM, you can set up similar alerts to warn you of malicious behavior. Here are some examples:
Detect the “Bad Guys” in Your Network
The network is where all the action happens in a breach. It’s like a highway during a high-speed police chase: usually the network has rules that the bad guys must follow, and oftentimes that means letting them drive into the neighborhood. There are many things that can be done with firewalls, but we’ll get to those in my next blog. For now, let’s just focus on two things that can easily detect bad guys in the network itself.
In the next blog, I’ll share some tips to get more out of your IPS and firewall implementations. Good luck!