Design Cybersecurity Layers to Monitor and Defend

You cannot defend, fix or replace what you can’t see. You’re looking for signatures, behavior, DLP and Indicators of Compromise (IOC) that pose a threat to your network. [Akin to a car slowly breaking without out notice,] threats found too late, cost too much to clean up and repair. Early detection from defense layers facilitate a response, containment and cleanup at a fraction of the time and cost that a penetrated (and permeated) threat will cost. No one cybersecurity tool will find all threats; a layered approach, software patching and user awareness, collectively offer a formidable defense posture. I recommend the following approach to designing the layers of your cyber defense architecture.

Protect your network. A Next Generation Firewall should reside just inside your router (that connects to the Internet via NAT IP). They can use a traditional whitelisting policy, yet are migrating to a blacklisting policy. Security controls common to NGFW are a) controlling user access where ever staff makes their connection to the network, and b) controlling the applications allowed to exchange data through the network.

Protect your hardware. A cyber appliance tool should reside in the 1st position adjacent to your Firewall. It’s virtual endpoint chamber detects processes running to pass safe processes to/outside your network or block threats before they enter or exit your network; the user never sees the filtering done by the tool. Imagine the costs saved from damaged hardware.

Prioritize Threats to Network. In second position, the collection of threats existing in your network will be seen by individual tools (IDS/IPS, web proxies, AV). The collective data captured from these tools tell a story of threats to focus on by priority (aka severity) to decrease the threat surface.

a. A SIEM aggregator offers a graphic, global picture of your network in real time, telling you what threats to close first and those that can wait.

b. An effective yet less expensive option is a SIEM that scores threats via a rules set and an outsourced SOC service.

The SIEM aggregator or the SIEM scorecard can be set with rules to notify the security analyst, network administrator or CISO of threats to focus on via email alerts.

Note: Some of these tools offer a module to notify the labs desk of your AV vendor of new threats found. They convert them into new signatures, pushed to the AV agents on your endpoints to scan for those threats, eliminating them.

GPO. Group Policy Object allows the network administrator to deploy rules from the server OS to groups of staff to keep their computing experience safe and optimized (including whitelisting).

DLP. In 3rd position (within the network) is Data Loss Prevention software. Data within the enterprise is categorized to enable the software to detect and notify the operator or administrator, of company data traveling through the network unauthorized (in-use, in-motion or at rest.) This software controls the flow of company data within the network.

Sinkhole. In 4th position within the network, can be software configured to redirect malicious activity into a sinkhole viewed by an administrator; it keeps malicious processes from completing their tasks. A network engineer typically designs/configures this tool, monitors it and reports its activity to management.

Unified Threat Management. In 5th position (with a central console) is a software tool to monitor each endpoint, is a multifaceted software tool to detect and manage threats. Endpoints include desktops/laptops, servers and mobile devices.

a.  Software Firewall or a HIDS (Host-Based Intrusion Detection System).  This can restrict which websites are seen (whitelisting) or can block websites not wanted.  It’s often integrated with AV to help AV find threats quicker to block, quarantine or remove them.

b. Virtual Detonation Chamber (sandboxing). This virtual machine allows threats to execute in an enclosed safe environment (sandbox), for analysts or administrators to see to contain or eliminate them before damage is done (to endpoints or the network).

c. Anti-malware. This module of the software detects threats to block, quarantine or delete them. Threats include spyware, adware, malware and rootkits. Rootkits hide inside software kernels, causing extensive damage that’s often discovered too late.

Results from the UTM are slowly being integrated into SIEMs to centralize view of threats detected by layers of security tools.

Patch your perimeter. Software vulnerabilities are identified regularly. IP scans are done without affecting network performance. They are configured to identify open ports and vulnerabilities in the software driving your public facing IP’s, webpages and intranet websites. Scan results are shared with System Administrators (SA’s) to patch vulnerable software. Currently, scan results are slowing being integrated into the SIEM.

Vulnerability Scans and Pen Tests. Vulnerability Scans are passive scans made as needed to identify weaknesses (open ports, vulnerable software, unnecessary processes running) within your network. Pen(etration) Tests are “planned” attempts to (ethically) hack into your network or exploit vulnerabilities found, during hours of low network use. Results show a detailed view of vulnerable software and network posture to enter your network without consent. Your SA’s will take the results to patch vulnerabilities.

Keep Software Current. A vulnerability assessment is a software-configured scan of your endpoints against a current list of software versions to identify software that’s vulnerable to attack. Your patching manager will present the assessment results to a manager to identify which software will be patched that matches software it supports.

Education. This is an essential element of a formidable security posture. A staff that’s always educated about threats, how to deal with them and how to report them contributes to a safe computing environment.

Policies, Procedures and Processes. This is the handbook created to open when dealing with threats found. The content aligns industry guidelines (aka NIST) to your resources that respond to threats. Its complete with chains of command, guidelines, swimcharts and call trees to guide a timely response.

I have performed or supervised all these parts. RiSe Solutions Cybersecurity Management service can assess your overall security posture for an hourly fee, preparing a detailed report that recommends how to fill gaps to strengthen your security posture. If you agree we can shrink the threat surface of your enterprise, please click the “Request A Consultation” link in the upper right of the screen, write “Design Layers” in the subject line. Please write your name, email address and tel. # in the body of the message; I reply within 24 hours. Thanks for reading and listening. #

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s