Security visibility is key
You cannot protect things without knowing what you are protecting.
Securing buildings is something everyone takes for granted. Keys or badges are used to grant access only to authorized persons, alarm systems help detect intruders trying to get in, and guards keep an extra eye on everything. When we extend this example to the online world, we see that there is still a lot of work to be done. Cybersecurity is an important factor in the current age of growing companies, expanding networks, and the ever-increasing number of services and devices that need to be secured. Companies own a lot of data, and we need to make sure that it can’t be misused.
Visibility is key! You cannot protect things without knowing what you are protecting. The architecture of businesses is complex: users, firewalls, home offices, computers, servers, phones, email, internet usage… These are just a few examples, and it is important to get a good view of them. There is no such thing as being 100% secure, but each component that is made visible provides an extra layer of security.
Five domains to keep an eye on for sure!
- Endpoint Detection and Response – Agents installed on the endpoints that analyze their behavior. They are more efficient at detecting malware than traditional antivirus programs, and are therefore also better suited for detecting zero-day exploits. These products also have the necessary tools to react quickly when something malicious happens, for example by placing the endpoint in isolation.
- Network monitoring – A perimeter firewall is like the gateway: it can protect the resources of your network from outside abuse. It contains a wealth of information about what connections are taking place, so it is important to monitor it.
- Domain Name Server (DNS) Security – DNS is a protocol that translates domain names to IP addresses. Whenever a user clicks on a malicious URL, the lookup is logged by the DNS server. The request can be blocked at that point, so that the user never interacts with the web page.
- Email Security – A common infection vector used by threat actors is email, where they try to get the user to open a link or download a file. When a user reports having clicked on a phishing email, it is possible to see whether any other users in the company have received the same email. Another important aspect, of course, is to provide users with sufficient awareness training around email usage.
- Cloud Security – Many companies don’t only have services or servers running on-premises but also in the cloud. These are facets we can’t forget about when logging. An example of useful information this provides is the impossible traveler incident, where a user logs in from two distant locations within a time span that makes the journey impossible.
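The impossible traveler check from the cloud domain above, as an added example (not Spotit's own tooling): it walks constructed cloud sign-in events with geo-IP coordinates and flags a user whose consecutive logins imply a travel speed no traveler could reach; the 1000 km/h threshold and the 50 km minimum hop (to absorb geo-IP jitter within one city) are assumed values.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample cloud sign-in events (not real data). A SIEM would receive
# these from the identity provider; latitude/longitude come from a geo-IP lookup.
SIGNINS = [
    {"user": "alice", "time": "2024-03-01T08:00:00", "ip": "203.0.113.10", "lat": 50.85, "lon": 4.35},    # Brussels
    {"user": "alice", "time": "2024-03-01T08:45:00", "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01},  # New York
    {"user": "bob",   "time": "2024-03-01T09:00:00", "ip": "203.0.113.11", "lat": 50.85, "lon": 4.35},    # Brussels
    {"user": "bob",   "time": "2024-03-01T11:00:00", "ip": "192.0.2.44",   "lat": 48.86, "lon": 2.35},    # Paris
    {"user": "carol", "time": "2024-03-01T09:30:00", "ip": "203.0.113.12", "lat": 50.85, "lon": 4.35},    # Brussels
    {"user": "carol", "time": "2024-03-01T09:31:00", "ip": "203.0.113.13", "lat": 50.85, "lon": 4.35},    # Brussels, new IP
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=1000.0, min_distance_km=50.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_speed_kmh.

    Hops shorter than min_distance_km are ignored so that geo-IP jitter between
    two addresses in the same city does not raise an alert (assumed thresholds).
    """
    alerts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            elapsed = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
            hours = elapsed.total_seconds() / 3600
            if dist >= min_distance_km:
                # A real distance in zero elapsed time is as impossible as it gets.
                speed = dist / hours if hours > 0 else float("inf")
                if speed > max_speed_kmh:
                    alerts.append({"user": ev["user"], "from_ip": prev["ip"], "to_ip": ev["ip"],
                                   "distance_km": round(dist), "hours": round(hours, 2),
                                   "speed_kmh": round(speed)})
        last_seen[ev["user"]] = ev
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print(alert)
```

Only alice is flagged: Brussels to New York in 45 minutes; bob's Brussels-to-Paris trip in two hours and carol's change of IP within the same city are left alone.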
Keep track of all events
It is important to map out as much as possible, but of course that also implies there is a lot of data to work with. Imagine having to keep an eye on every tool separately. That would be an impossible task. The data needs to go somewhere central, such as a dashboard that analysts can customize so they can focus more easily on the incidents that matter to them. For this purpose, we at Spotit have a Security Operations Center that uses tools such as a Security Information and Event Management (SIEM) system, where all the data is collected and managed. This makes it possible for our analysts to gather enough information concerning the incidents and to provide meaningful feedback and remediations to our customers.
Creating visibility in your network is a good step towards a more secure digital environment, but there’s still a lot of data to analyze. In an upcoming blog post, we will go into more detail about how to automate processes, so our analysts aren’t overloaded with alerts. Keep an eye on our pages!