How to secure your network
As an executive of a large company, you may not know everything that goes into securing an extensive enterprise network. Here, we break down the main capabilities your company may need in order to secure your organization:
Vulnerability Detection:
Vulnerability detection is the practice of scanning your environment for:
Open ports and exposed services - You can see which ports are listening on each system, which service answers on them, and whether those services use current, correctly configured encryption protocols (for example, TLS 1.2 or later rather than the deprecated SSLv3, TLS 1.0, or TLS 1.1).
Outdated software and insecure device settings - Outdated software and insecure device settings let attackers exploit known vulnerabilities or misconfigurations to take a server down, gain access to it, and escalate privileges. Once one server is compromised, an attacker can pivot from it to other servers to disrupt them, alter the data on them, exfiltrate data, or encrypt them for a ransomware attack. This risk is mitigated by detecting these weaknesses and remediating them: for software, look up the CVE entry at MITRE (https://cve.mitre.org/) and apply the vendor patch or workaround it references; for configurations, harden systems against a recognized benchmark (DISA STIG or CIS Benchmarks) and check them against the regulatory requirements that apply to you (HIPAA, PCI DSS).
NIPS/FWs:
A network IPS sits at the edge, in front of the services you expose to people outside your site. Plenty of threat-intelligence feeds publish the public IP addresses known to be used for attacks, and you can also block addresses from specific countries or regions. Advanced Persistent Threats (APTs) have started routing attacks through cloud-hosted servers in Europe and the United States to get around geo-blocking. That is why it is best to also set a threshold on how many different ports and protocols a single source may hit on your systems within a given window, and block offending addresses automatically once it is exceeded. Only open the ports and protocols your systems need to be available and functional. Depending on your environment, it may also be best to keep the most sensitive infrastructure isolated from the internet (air-gapped, or on an out-of-band network with no egress path), so that if it is compromised, data cannot leave. Using firewalls properly lowers an attacker's ability to find weaknesses and move through your network.
HIPS/EDR:
Previously, signature-based detection was used to detect malware and quarantine the affected system. Nowadays, public tools let attackers easily pack, encrypt, or obfuscate malware inside files and applications so that it no longer matches known signatures. That is why it is best to have tools that not only scan for signatures but also detect suspicious behaviour heuristically: Did settings on the endpoint change outside the approved baseline? Is traffic leaving to an unknown or known-bad IP address? Are there sudden spikes in traffic? Are there repeated login failures indicating a brute-force attack? Best practice is to configure the EDR to quarantine the host automatically on detection, since these attacks often happen outside business hours; tune the rules against normal activity first, because an over-eager auto-quarantine will take legitimate systems offline.
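To make the heuristics in the two sections above concrete, here is an added example (written for this article; it is not code from any IPS or EDR product) that covers both the threshold-based blocking described under NIPS/FWs and the brute-force and baseline-drift checks described under HIPS/EDR. The log line formats, the sample addresses (RFC 5737 documentation ranges), the thresholds, and the baseline settings are all assumptions chosen for the example.

```python
"""Heuristic checks over constructed log lines: rate-threshold blocking for a
perimeter IPS, plus brute-force and baseline-drift detection for an endpoint.

Added example for this article, not any vendor's product code. The log
formats are assumptions:
  firewall: "<epoch> <src_ip> <port>/<proto> <ALLOW|DENY>"
  auth:     "<epoch> <user> <src_ip> <OK|FAILED>"
"""
from collections import defaultdict, deque

# Constructed sample data (assumption: RFC 5737 documentation addresses).
FW_LOG = (
    [f"{100 + i} 203.0.113.7 {21 + i}/tcp DENY" for i in range(12)]        # fast scan: 12 ports in 12 s
    + [f"{100 + 30 * i} 203.0.113.9 {21 + i}/tcp DENY" for i in range(12)]  # slow scan: one port every 30 s
    + [f"{100 + i} 198.51.100.4 443/tcp ALLOW" for i in range(12)]          # normal client, one service
)
AUTH_LOG = (
    [f"{200 + 10 * i} admin 203.0.113.7 FAILED" for i in range(6)]   # 6 failures in 50 s
    + ["300 alice 198.51.100.4 FAILED", "320 alice 198.51.100.4 OK"]  # one typo, then success
)
ENDPOINT_BASELINE = {"firewall_enabled": "true", "rdp_enabled": "false", "av_realtime": "true"}


class SlidingWindow:
    """Per-source event keys seen within the last `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)  # source -> deque of (ts, key), oldest first

    def add(self, source, ts, key):
        q = self.events[source]
        q.append((ts, key))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:   # drop events that fell out of the window
            q.popleft()
        return [k for _, k in q]


def scan_sources(fw_lines, window=60, distinct_services=10):
    """Sources that touched >= distinct_services distinct port/proto pairs inside one window.
    ALLOW lines count too: a scan of permitted ports is still a scan."""
    win = SlidingWindow(window)
    flagged = set()
    for line in fw_lines:
        ts, src, service, _action = line.split()
        if len(set(win.add(src, int(ts), service))) >= distinct_services:
            flagged.add(src)
    return flagged


def brute_force_sources(auth_lines, window=300, failures=5):
    """Sources with >= failures failed logins inside one window, against any user."""
    win = SlidingWindow(window)
    flagged = set()
    for line in auth_lines:
        ts, user, src, result = line.split()
        if result != "FAILED":
            continue
        if len(win.add(src, int(ts), user)) >= failures:
            flagged.add(src)
    return flagged


def baseline_drift(baseline, observed):
    """Settings whose observed value differs from the approved baseline: {name: (expected, actual)}."""
    return {k: (v, observed.get(k)) for k, v in baseline.items() if observed.get(k) != v}


if __name__ == "__main__":
    print("block candidates:", scan_sources(FW_LOG))
    print("brute force:", brute_force_sources(AUTH_LOG))
    print("drift:", baseline_drift(ENDPOINT_BASELINE,
          {"firewall_enabled": "true", "rdp_enabled": "true", "av_realtime": "false"}))
```

Two points the sample data is built to show. The slow scanner (one port every 30 seconds) never exceeds the 60-second threshold and is only caught when the window is widened, so thresholds trade detection of patient attackers against false positives on busy legitimate clients; and a single-source counter says nothing about an attack spread across many cloud-hosted addresses, which is exactly the APT behaviour described above. Run the thresholds in alert-only mode against a week of real traffic before wiring them to automatic blocking or quarantine.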
SIEM:
With log aggregation from all your systems and integration with your other tools, you can build dashboards that show the state of your environment and the attacks being performed against your systems. HIPS/EDR agents collect rich information about endpoints, but agents cannot be installed on your network infrastructure (switches, firewalls, routers, IPS, load balancers, virtualization hosts, etc.); those devices instead send syslog or flow records to the SIEM, which normalizes every feed into one schema so events from different sources can be correlated. Combining both gives your team a 360-degree view of your environment.
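As an added example of what a SIEM does under the hood (illustrative code written for this article, not any SIEM vendor's), the block below normalizes three constructed feeds into one schema and then correlates across them: syslog from a firewall, syslog from a switch that cannot run an agent, and JSON alerts from an EDR. The record layouts, field names, host names, and sample values are assumptions (RFC 5424-shaped syslog, RFC 5737 documentation addresses).

```python
"""Normalize firewall syslog, switch syslog and EDR JSON into one event schema
and correlate across sources by IP address.

Added example for this article, not any SIEM vendor's code. Record formats,
field names and sample values are assumptions (RFC 5424-shaped syslog,
RFC 5737 documentation addresses)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records, not real device output.
FIREWALL_SYSLOG = [
    "<134>1 2024-05-01T10:00:05Z fw01 filter - - - DENY src=203.0.113.7 dst=10.0.0.5 dport=3389 proto=tcp",
    "<134>1 2024-05-01T10:00:06Z fw01 filter - - - DENY src=198.51.100.4 dst=10.0.0.5 dport=22 proto=tcp",
    "<134>1 2024-05-01T10:00:07Z fw01 filter - - - DENY src=192.0.2.10 dst=10.0.0.9 dport=445 proto=tcp",
]
EDR_JSON = [
    '{"ts": "2024-05-01T10:00:40Z", "host": "ws-042", "severity": "high", "remote_ip": "203.0.113.7", "rule": "suspicious_process"}',
    '{"ts": "2024-05-01T10:30:00Z", "host": "ws-017", "severity": "high", "remote_ip": "192.0.2.10", "rule": "credential_dump"}',
]
SWITCH_SYSLOG = [  # no agent possible here; the device only speaks syslog
    "<189>1 2024-05-01T10:01:00Z sw-core ios - - - %LINK-3-UPDOWN: Interface Gi1/0/7 changed state to down",
]

# <PRI>1 TIMESTAMP HOST APP PROCID MSGID - MSG   (RFC 5424 layout, structured data omitted)
SYSLOG_RE = re.compile(r"^<(\d+)>1 (\S+) (\S+) \S+ \S+ \S+ - (.*)$")
SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def parse_ts(s):
    """ISO-8601 UTC timestamp -> epoch seconds."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def normalize_syslog(line, source):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    pri, ts, host, msg = m.groups()
    kv = dict(re.findall(r"(\w+)=(\S+)", msg))  # key=value pairs, if the device emits them
    return {"ts": parse_ts(ts), "source": source, "host": host, "src_ip": kv.get("src"),
            "category": msg.split()[0], "severity": SEVERITY_NAMES[int(pri) % 8], "msg": msg}


def normalize_edr(line):
    rec = json.loads(line)
    return {"ts": parse_ts(rec["ts"]), "source": "edr", "host": rec["host"], "src_ip": rec.get("remote_ip"),
            "category": rec["rule"], "severity": rec["severity"], "msg": line}


def ingest():
    """All feeds in one schema, ordered by time."""
    events = [normalize_syslog(line, "firewall") for line in FIREWALL_SYSLOG]
    events += [normalize_syslog(line, "switch") for line in SWITCH_SYSLOG]
    events += [normalize_edr(line) for line in EDR_JSON]
    return sorted(events, key=lambda e: e["ts"])


def count_by_source(events):
    """Dashboard-style tally of events per feed."""
    counts = defaultdict(int)
    for e in events:
        counts[e["source"]] += 1
    return dict(counts)


def correlate(events, window=300):
    """IPs the firewall denied that also appear in an EDR alert within `window` seconds,
    mapped to the hosts involved. A deny alone or an alert alone is noise; both together
    from the same address is worth a ticket."""
    by_ip = defaultdict(list)
    for e in events:
        if e["src_ip"]:
            by_ip[e["src_ip"]].append(e)
    incidents = {}
    for ip, evs in by_ip.items():
        denies = [e["ts"] for e in evs if e["source"] == "firewall" and e["category"] == "DENY"]
        alerts = [e["ts"] for e in evs if e["source"] == "edr"]
        if any(abs(a - d) <= window for a in alerts for d in denies):
            incidents[ip] = sorted({e["host"] for e in evs})
    return incidents


if __name__ == "__main__":
    evs = ingest()
    print(count_by_source(evs))
    print(correlate(evs))
```

The normalization step is the part that matters: once every source carries the same "ts", "host", "src_ip", and "severity" fields, one correlation rule works across firewall, switch, and endpoint data without caring which vendor produced each record. In the sample, 203.0.113.7 is denied at the edge and then shows up in an EDR alert 35 seconds later, so it is raised as an incident; 192.0.2.10 has both kinds of event but half an hour apart, outside the window, and is not.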
Framework:
Cybersecurity frameworks are documents describing guidelines, standards, policies, and best practices for risk management in your information system. The tools listed above only cover part of the picture, since every organization differs in needs, size, and operating cost. That is why it is best to adopt a framework and tailor it to your system, so that the security programme stays manageable. These frameworks (NIST's Risk Management Framework, ISO 31000, COBIT, OCTAVE, TARA) usually also cover awareness-training policy, cyber insurance, backup sites, and PII/PHI handling. Our other article covers them in more depth here