With the ever increasing growth in security attacks across all threat vectors, you should consider these New Year's resolutions to help solve your security challenges in 2016:
- Take stock of what you have
- Segment your Network
- Setup controls with ACLs
- Secure protocols, network ports, & services
- Monitor account activity
- Monitor servers & databases
- Make sure that your applications are secured
- Ensure security policies are in place
- Measure effectiveness and ensure your security products are doing their job
- Add threat intelligence into your security operations
As you prepare for 2016 and reflect on all the security news stories from this year, these ten resolutions need to be on your "to-do" list:
1. Take stock of what you have
Knowing the genetic makeup of your environment is the key to securing your IT systems. It is critical to have an updated inventory of your systems, applications, and network devices as you cannot secure what you do not know about.
If you are starting up for the first time, you can use discovery inventory tools to create that initial inventory.
You should also consider using continuous discovery tools to identify what is connected to your private or internal network and what is connected to the public network or Internet.
As a best practice, you should use your inventory list and create device groups so that you can identify authorized users that perform critical tasks.
Eventually, feeding this information into a Security Information and Event Management (SIEM) product would help you to identify unauthorized access and mitigate threats before they become attacks.
2. Segment your Network
Managing network traffic and allocating bandwidth are typically seen as the main purposes of network segmentation, so some security aspects are often overlooked.
Adding new applications and making changes in the existing devices can drastically impact the security of your networks.
With proper segmentation in place, you will be able to apply appropriate security measures.
For example, the network that handles employees' personal information and compensation details could be clearly marked off from your financial activities.
The key factors to consider when segmenting your networks should include:
- knowledge of where your sensitive data resides
- what applications and services your users need access to
- capabilities of existing devices to implement segmentation
- regulatory demand
- how you will identify and respond when someone attempts to cross these boundaries
Based on this information you can allocate user and device permissions. Once you segment your networks based on required access, it will become easier for you to visualize how your devices interact across different segments and to identify suspicious activity.
3. Setup controls with Access Control Lists
Your firewalls and routers will permit or restrict data flow based on your ACLs. Ideally, you should be building your access control lists (ACLs) based on user need and in-line with your segmentation polices.
You need to identify what type of the controls are necessary for your applications and users.
With proper external ACLs, you could control IP spoofing in outbound and incoming traffic. For example, if incoming traffic shows an IP that falls within your organization's IP range, then it is suspicious. Similarly, if outbound traffic shows an IP that does not fall in your IP range, then you have every reason to suspect a black cat.
You can make good use of your IP whitelists using your firewalls and routers and telling them how to handle incoming and outgoing traffic.
4. Secure protocols, network ports, & services
Whether it's sensitive personal information or financial data, the demand for security of electronic communication is high for both private and business use.
To protect and keep your data secure, you need to secure your application, transport, network, and data link layers.
To ensure the availability of your critical business services, monitor your endpoints and detect traffic over restricted services, ports and protocols to mitigate malicious activities like:
- malware infections that could enter via removable devices like USBs
- unauthorized port scans, as attackers use this method often to gain entry into your network
Communicate best practices to your users and let them know what is acceptable and what is not - especially in terms of using BYOD, transferring files, and using VPNs.
5. Monitor account activity
Access rights to your devices need to be controlled and monitored. Apply the concept of least privilege enforcement to avoid abuse of privileges.
It is highly recommended that you monitor accounts that are given administrative privileges and set rules to log automatically off or disable that account if it is used for performing unauthorized activities.
For example, administrators can create local accounts with local administrative privileges. This is something an attacker or malicious insider would do to ensure they can retain access, even if they lose their privileged credentials.
Privileged accounts can, if unmanaged, lead to lack of accountability and increase your chances of credential theft. Stolen credentials lead to compromised networks which affect your customers, vendors, employees and eventually lead to loss of reputation.
6. Monitor servers & databases
Maintaining the integrity of sensitive information is vital. Keep track of changes made to files that contains business critical information or system data.
Since attackers like to modify local files or registry settings so they can embed themselves, monitor these changes. Correlate file audit events with user activity and system changes to thwart an attack.
7. Ensure security policies are in place
When regulatory agencies come up with compliance policies and procedures, they are trying to help you know how to defend attacks while also building customer confidence in doing business with your organization.
In reality, compliance standards will help you to identify ways to improve your IT infrastructure and act as a basis for your corporate security strategy.
For example, you should have clear internal policies when employees use their personal devices at work or when they use office devices/laptops at home.
These policies can help you prevent rogue users and devices from tampering with your data and network. In the case of mishaps, you should be able to take immediate action - remotely/automatically with your endpoint monitoring systems.
Implement change management for configurations of hardware and software on laptops, workstations, servers and network devices, to prevent policy violations and mistakes.
8. Make sure that your applications are secured
Patches are meant to plug security holes. You need to keep your systems patched with latest updates from vendors so that you do not have known vulnerabilities that could create unwanted issues.
Attackers find their targets based on known vulnerabilities - so if patches are not applied on time, you may be making yourself an easy target.
You should have a good patch management strategy in place to protect your environment from threats and unwanted malware that could result in a security breach.
9. Measure effectiveness and ensure your security products are doing their job
It has become an imperative to use multiple security systems like anti-virus & IDP/IDS.
Each of these systems is specialized and perform specific security functions. But, they operate in silos that could create gaps in data correlation and leave your organization vulnerable.
So, how do you measure overall effectiveness and ensure that your security products are working as expected?
Consider using a SIEM with continuous log monitoring capabilities so you can monitor and consolidate logs from all devices centrally and help ensure overall security of your environment.
Besides acting as a preventive measure, log monitoring also comes in handy for performing forensic analysis, in the case of a security incident.
10. Add Threat intelligence into your security operations
Threat intelligence data can help turn noise into actionable information to respond to attacks before a breach occurs.
Leverage this information with real-time event correlation to protect your environment from known bad actors.
As a best practice, send threat intelligence feeds into your SIEM since it's the best solution for collecting, consolidating, and analyzing all of your log data and threat intelligence in one place.
A SIEM will help you detect attacks faster. Your SIEM should be able to alert you if it gets a match between threat intelligence (let's say a bad actor IP address or URL) and what it is happening on your network.
Get Help Implementing These New Year's Resolutions
If you need help with these 2016 New Year's Resolutions, you really should check out these security products by SolarWinds.
For example, their Log & Event Manager is easy to use SIEM that comes with:
- Log management,
- automated security monitoring,
- file integrity monitoring,
- endpoint monitoring,
- real-time event correlation,
- And Threat intelligence with active response capabilities.
You can perform forensic analysis and look for specific data across monitored devices with powerful searches:
With Log & Event Manager you can:
- Gain key insight into critical activities and improve security, stay compliant, and solve problems in a single virtual appliance.
- Turn log data into real-time intelligence with in-memory event correlation and detect suspicious activities before it could harm your environment.
- Automatically respond to security threats and known bad actors with built-in active responses, which requires no scripting.
- Perform security audits and demonstrate compliance with predefined rules, templates and out-of-the-box reports.
Try Log & Event Manager - Download a free 30-day trial and have it up and running in less than an hour.