By: Jerry Horton, IT Director
“You can’t defend. You can’t prevent. The only thing you can do is detect and respond.” -Bruce Schneier
Bruce Schneier is a guy you should listen to. He is widely recognized as a cybersecurity expert, wrote the book on cryptography, and is a respected thought leader about digital privacy and the surveillance economy. While I don’t entirely agree with Bruce here – I think defense and prevention to some degree is possible – the final sentence of this quote should be everyone’s focus. Detection and Response are key to minimizing the effects of all cybersecurity incidents. That being said, all of the detection and response in the world aren’t worth much if you don’t do the basic prevention/defense work first. Installing a great intrusion detection system in your office won’t yield the results you intended if you don’t first prevent intrusions by locking the doors.
Last month, this blog (read it here) focused on the fact that a cybersecurity incident (or more than one…) is inevitable and began building the foundational elements for good cybersecurity. As a quick recap, you should:
- Change your mindset
- Stop being your own worst cyber-enemy
- Figure out what to protect and what to protect against
- Practice good basic cyber-hygiene, including passwords, patches, least privilege, and touching on backups
This month, we are digging into the basic elements you need to help you do the best detection and response for your business. Next month we will explore security without boundaries, such as work-from-home and a mobile workforce.
Let’s get started!
From this point forward, the assumption is that you have put all of the steps from the first blog into place. If you haven’t yet, go back, re-read that blog, and finish checking those boxes. That being said, you can implement them at the same time you start working through this section, but it is a lot easier if all of the simple things are done first.
Lock the outer doors
The first thing to talk about is the perimeter of your business. In a brick-and-mortar facility, you have doors for both staff and customers, and each kind of door is treated very differently. Areas for inventory, offices, or workspace are restricted to staff members who have been assigned access, perhaps using a physical key or code, and that door stays locked 24×7 because it is only intended for authorized personnel; the public entrances are a different matter. Those need to be open during business hours and locked outside of them. Sounds obvious, right?
Think of your network as the digital brick-and-mortar building. You have areas where only employees should be able to operate, but you still have email servers or websites which the public will need to access in order to communicate with you. The way you lock and monitor these digital doors is with a business-grade firewall, coupled with a secured wireless network.
By default, a firewall is effectively a one-way door: connections that start from inside are allowed out, the replies to those connections are let back in, and anything that arrives unsolicited from the outside is dropped. You then cut a few specially locked ‘doors’ into that wall: a Virtual Private Network (VPN) so staff members can get in when they aren’t physically in the building, and narrow openings that let only mail traffic reach your email server and only web traffic reach your web server, not any other machine. Filter outbound traffic as well as inbound. A workstation that suddenly tries to send email directly to the internet, or to reach an unfamiliar port, is often the first visible sign of a compromise, and a firewall that both blocks and logs that attempt gives you a top notch first line of defense.
A business-grade firewall is the first technical control you have to put into place. While it may seem that a consumer-grade router, like the one you have at your home, will do the same job, let me assure you it does not: you need per-rule control over who may reach which server, a VPN that terminates on the firewall, and logs you can actually collect and review. Comparing the two in sports terms, the consumer-grade router is a weekend ball player and a business-grade firewall is an Olympic level athlete. Put another way, using a consumer-grade router in your business is like locking your doors with Velcro strips – sure, it will keep the door closed, but it is easy to open.
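To make the ‘one-way door’ concrete, here is a small model of a stateful perimeter policy. It is an added example, not the author’s code and not any vendor’s implementation: a real firewall does this inside its kernel or hardware. The office network, DMZ, server addresses, VPN port and every packet below are constructed for the illustration. It shows the three ideas from the paragraph above: unsolicited inbound traffic is dropped by default, only the replies to connections opened from inside get back in, and outbound traffic is filtered too (only the mail server may talk SMTP to the internet).

```python
"""Toy stateful firewall policy (added example; not the author's or any vendor's code).
Every address, port and flow below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("10.0.0.0/24")       # assumed office workstations
DMZ = ip_network("10.0.1.0/24")       # assumed segment for public-facing servers
MAIL = ip_address("10.0.1.10")        # assumed mail server
WEB = ip_address("10.0.1.20")         # assumed web server
FW_WAN = ip_address("203.0.113.1")    # assumed public address of the firewall
VPN_PORT = 51820                      # assumed UDP port of the staff VPN
INTERNAL = (LAN, DMZ)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    new: bool = True  # True = first packet of a flow (TCP SYN or first UDP datagram)

@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (from the internet) or "out" (from LAN/DMZ)
    proto: str
    src: Optional[object]   # None = any, else an ip_address or ip_network
    dst: Optional[object]
    dport: Optional[int]    # None = any port
    action: str             # "ACCEPT" or "DROP"

def _covers(spec, addr_text) -> bool:
    """Does a rule's host/network spec cover this address?"""
    if spec is None:
        return True
    addr = ip_address(addr_text)
    return addr in spec if hasattr(spec, "network_address") else addr == spec

# Evaluated top to bottom, first match wins; a new flow matching nothing is DROPPED.
RULES = [
    # The locked 'doors' cut into the perimeter for inbound traffic:
    Rule("in",  "tcp", None, MAIL,   25,       "ACCEPT"),  # mail, to the mail server only
    Rule("in",  "tcp", None, WEB,    443,      "ACCEPT"),  # HTTPS, to the web server only
    Rule("in",  "udp", None, FW_WAN, VPN_PORT, "ACCEPT"),  # staff VPN terminating on the firewall
    # Egress policy: workstations browse and resolve names, nothing else;
    # only the mail server may speak SMTP to the internet.
    Rule("out", "tcp", LAN,  None,   443,      "ACCEPT"),
    Rule("out", "tcp", LAN,  None,   80,       "ACCEPT"),
    Rule("out", "udp", LAN,  None,   53,       "ACCEPT"),
    Rule("out", "tcp", MAIL, None,   25,       "ACCEPT"),
]

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # accepted flows, keyed by 5-tuple
        self.log = []        # (direction, packet, verdict, reason): the audit trail

    @staticmethod
    def direction(pkt):
        return "out" if any(ip_address(pkt.src) in net for net in INTERNAL) else "in"

    def evaluate(self, pkt):
        direction = self.direction(pkt)
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reply = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if not pkt.new:
            # Mid-flow packet: allowed only if we saw and accepted the flow start.
            known = key in self.flows or reply in self.flows
            verdict, reason = ("ACCEPT", "established") if known else ("DROP", "no such flow")
        else:
            verdict, reason = "DROP", "default deny"
            for i, rule in enumerate(self.rules):
                if (rule.direction == direction and rule.proto == pkt.proto
                        and _covers(rule.src, pkt.src) and _covers(rule.dst, pkt.dst)
                        and rule.dport in (None, pkt.dport)):
                    verdict, reason = rule.action, f"rule #{i}"
                    break
            if verdict == "ACCEPT":
                self.flows.add(key)
        self.log.append((direction, pkt, verdict, reason))
        return verdict

def demo():
    """Constructed traffic against the policy; returns the verdicts in order."""
    fw = Firewall(RULES)
    traffic = [
        Packet("10.0.0.15", "93.184.216.34", "tcp", 51515, 443),            # workstation browses out
        Packet("93.184.216.34", "10.0.0.15", "tcp", 443, 51515, new=False),  # reply comes back in
        Packet("198.51.100.7", "10.0.0.15", "tcp", 40000, 3389),            # RDP probe from the internet
        Packet("198.51.100.7", "10.0.1.10", "tcp", 40001, 25),              # mail delivered to mail server
        Packet("198.51.100.7", "10.0.1.20", "tcp", 40002, 25),              # SMTP aimed at the web server
        Packet("198.51.100.7", "203.0.113.1", "udp", 40003, 51820),         # remote staff VPN handshake
        Packet("10.0.0.15", "198.51.100.7", "tcp", 51516, 25),              # workstation sending mail directly
        Packet("10.0.1.10", "198.51.100.7", "tcp", 51517, 25),              # mail server sending mail
        Packet("198.51.100.7", "10.0.0.15", "tcp", 443, 51518, new=False),  # 'reply' to a flow never opened
    ]
    return [fw.evaluate(p) for p in traffic]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The seventh packet is the one worth noticing: a workstation trying to send mail straight to the internet is dropped and logged, which is exactly the kind of event the detection tools later in this post feed on.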
Lock the inner doors
Now that you have traffic controls in and out of your digital building, think about how best to protect each area. You may have traffic flowing freely between areas, but you still need to know who is going where, when they go there, and what transpires. In a brick-and-mortar building, that means adding additional locks for secure areas, putting in video cameras to watch traffic, or even putting RFID tags on equipment or inventory so you can track it more efficiently.
Your digital building has a lot more openings than your physical one. Each and every workstation, laptop, server, or smart device is a door for the cybercriminals to try to open. Patching, which we talked about last month, is only the first step. You need robust protection on every one of these devices, which means an advanced endpoint solution. An advanced endpoint protection product needs some of the features of traditional anti-malware, but it has to go much further. New versions of ransomware and other malware are created far too quickly for signature-based methods alone to protect your environment; a sample built this morning has no signature yet. What is required is a solution that watches the behavior of your machines and the software on them (a process that suddenly starts rewriting hundreds of documents, for example), makes decisions on that basis, blocks the malicious action, and records an audit trail of the incident so you can see what happened and respond.
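Here is the kind of behavioral decision the paragraph above describes, reduced to one signal. This is an added example, not the author’s code and not the logic of any endpoint product (real agents hook the kernel and weigh many signals at once). It scores file writes per process: a process that rewrites many files with ciphertext-looking (high-entropy) content in a short window is blocked and an audit record is written, while a word processor saving ordinary documents and a backup tool writing a single compressed archive are left alone. The process names, paths, thresholds and sample data are all assumptions made up for the example.

```python
"""Behaviour-based endpoint detection (added example; not the author's code or any product's logic).
Process names, paths, thresholds and file contents are constructed for illustration."""
import math
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 10          # assumed: judge each process on its last 10 seconds
MAX_HIGH_ENTROPY_WRITES = 5  # assumed: more than this many in the window is abnormal
ENTROPY_THRESHOLD = 7.0      # bits per byte; ciphertext and compressed data sit near 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain documents score around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class BehaviourMonitor:
    """Scores file writes per process instead of matching the writer against a signature list."""
    def __init__(self):
        self.recent = defaultdict(deque)  # pid -> (time, path) of recent high-entropy writes
        self.blocked = set()
        self.audit = []                   # the audit trail handed to the responder

    def on_write(self, ts, pid, process, path, data):
        if pid in self.blocked:
            self.audit.append(dict(time=ts, pid=pid, process=process, action="BLOCK",
                                   path=path, reason="process already blocked"))
            return "BLOCK"
        window = self.recent[pid]
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:   # slide the window
            window.popleft()
        if len(window) > MAX_HIGH_ENTROPY_WRITES:
            self.blocked.add(pid)
            self.audit.append(dict(time=ts, pid=pid, process=process, action="BLOCK",
                                   reason=f"{len(window)} high-entropy writes in {WINDOW_SECONDS}s",
                                   files=[p for _, p in window]))
            return "BLOCK"
        return "ALLOW"

def _ciphertext_like(seed, size=1024):
    """Deterministic stand-in for encrypted output (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

DOC = b"Quarterly sales report. Revenue is up 4% on the prior quarter.\n" * 20  # constructed document

def demo():
    """Replays a constructed timeline of writes; returns (verdicts, audit trail)."""
    mon = BehaviourMonitor()
    events = [(0, 4012, "WINWORD.EXE", r"C:\Users\amy\report.docx", DOC),
              (1, 5100, "backup.exe", r"D:\backups\nightly.zip", _ciphertext_like(99))]
    # assumed malicious process: rewrites seven spreadsheets, one per second
    events += [(2 + i, 7331, "update_helper.exe",
                rf"C:\Users\amy\Documents\q{i}.xlsx.locked", _ciphertext_like(i))
               for i in range(7)]
    events.append((9, 4012, "WINWORD.EXE", r"C:\Users\amy\memo.docx", DOC))
    verdicts = [(proc, path, mon.on_write(ts, pid, proc, path, data))
                for ts, pid, proc, path, data in events]
    return verdicts, mon.audit

if __name__ == "__main__":
    verdicts, audit = demo()
    for proc, path, verdict in verdicts:
        print(f"{verdict:6} {proc:18} {path}")
    print(audit[0])
```

Note that the backup tool’s archive is just as high-entropy as the ransomware’s output; it is the rate across many user files, not the look of any one file, that separates the two. That is why a behavioral product can catch a sample no signature has ever seen, and also why it needs tuning so your backup software is not the first thing it blocks.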
But wait – there’s more!
Lock your inner doors – Part II
If you followed the advice I’ve given so far, there is one more thing that will make cybercriminals give up in disgust – Encryption. There is no slick building metaphor I can think of here, so this is straight up geek stuff…
You’ve probably seen movies where a villain steals digital data and brilliantly cracks the encryption in the nick of time using nothing more than a beefy laptop, chewing gum, and grim purpose. Modern encryption, done properly, is not crackable in any practical sense. When encrypted data gets ‘cracked’ in the real world, it is almost always because the password or key protecting it was weak, reused, or stolen, or because the attacker reached the data while it was unlocked, not because the math gave way.
You need to protect your data with encryption both in transit (while it is moving from one location to another, inside or outside your network, which in practice means HTTPS/TLS for web and mail connections and the VPN for remote staff) and at rest (when it is just sitting on a hard drive or laptop, not doing much of anything). Full-disk encryption is built into the Pro and Enterprise editions of Windows as BitLocker and is easy to turn on; make sure the recovery keys are stored somewhere you control, such as your directory service, because a lost key means lost data. One caveat: encryption at rest protects a stolen or discarded drive, not a machine where a logged-in user’s account has been compromised, so it complements the endpoint protection above rather than replacing it.
Get Virtual Security Guards
Okay, you made the perimeter and offices of your digital building as tightly locked as you can, so you are done, right? Not at all! The time has come to put a few more elements in place to detect and respond to events that will occur. Think of these as the security guards.
Email Security Gateway
Since so many cyberattacks begin with a phishing email, this is a critical element. An email security gateway acts as that security guard sitting at the desk who only allows authorized traffic and blocks all other attempts to enter or exit the building. A well-designed email security gateway will do that job and more, including blocking spam, verifying that the claimed sender is actually allowed to send for that domain (the SPF, DKIM and DMARC checks that stop spoofed emails), checking every URL in an email (ideally again at the moment someone clicks it, since attackers often swap the page after delivery), and checking outbound emails to make sure you aren’t sending credit card or Social Security Numbers.
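Three of those gateway checks, written out as an added example (not the author’s code and not any product’s implementation): an inbound message that claims to come from our own domain but carries no DMARC pass is treated as spoofed, a link whose visible text names one host while its href goes to another is flagged, and an outbound message is held if it contains a Social Security Number or a card number that passes the Luhn check (which keeps ordinary order numbers from tripping the rule). The domain, headers, addresses and message text are constructed for the example.

```python
"""Checks an email security gateway performs (added example; not the author's code or any product's).
Domain names, headers and message text are constructed for illustration."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "yourcompany.example"   # assumed: the domain the gateway protects

def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def spoofed_internal_sender(msg):
    """A message claiming to be from our own domain must carry a DMARC pass from our MX;
    anyone outside can type whatever they like into the From: header."""
    if sender_domain(msg) != OUR_DOMAIN:
        return False
    return "dmarc=pass" not in msg.get("Authentication-Results", "")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def mismatched_links(html):
    """Links whose visible text names one host but whose href goes to another."""
    out = []
    for href, text in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if not URLISH_RE.match(shown):
            continue                      # plain 'click here' text: nothing to compare
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host.lower() != real_host.lower():
            out.append((shown_host, real_host))
    return out

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces or dashes allowed

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def dlp_findings(text):
    ssns = SSN_RE.findall(text)
    cards = [m.group() for m in CARD_RE.finditer(text) if luhn_ok(re.sub(r"\D", "", m.group()))]
    return {"ssn": ssns, "card": cards}

def _body(msg):
    return msg.get_payload(decode=True).decode("utf-8", "replace")

def scan_inbound(raw):
    msg = email.message_from_string(raw)
    r = {"spoofed_sender": spoofed_internal_sender(msg), "mismatched_links": mismatched_links(_body(msg))}
    r["verdict"] = "QUARANTINE" if r["spoofed_sender"] or r["mismatched_links"] else "DELIVER"
    return r

def scan_outbound(raw):
    msg = email.message_from_string(raw)
    r = dlp_findings(_body(msg))
    r["verdict"] = "HOLD" if r["ssn"] or r["card"] else "SEND"
    return r

# Constructed messages for the example.
INBOUND = """\
From: "Finance Director" <finance@yourcompany.example>
To: accounting@yourcompany.example
Subject: Urgent: overdue invoice
Authentication-Results: mx.yourcompany.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=yourcompany.example
Content-Type: text/html; charset="utf-8"

<p>Please settle this today via <a href="http://yourcompany-portal.example.net/login">https://portal.yourcompany.example</a>.</p>
"""

OUTBOUND = """\
From: sales@yourcompany.example
To: customer@example.net
Subject: Your order
Content-Type: text/plain; charset="utf-8"

Thanks for order 1234 5678 9012 3456. Card 4111 1111 1111 1111 was charged.
Please confirm SSN 123-45-6789 for the credit check.
"""

if __name__ == "__main__":
    print(scan_inbound(INBOUND))
    print(scan_outbound(OUTBOUND))
```

The DMARC check only works if you have actually published SPF, DKIM and DMARC records for your own domain; without them the gateway has nothing to verify, and neither does anyone else’s.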
File Integrity Monitoring
You have your files stored, secured, and encrypted – all snuggled down and safe, correct? Not entirely. How can you be certain that a file is the exact same file, with all of the exact same attributes, that you stored away? There are thousands of files on your computer before you even turn it on for the first time. The system files are critical to keeping your machine running and secure; some of them are updated with patches, and others depend on dynamic content specific to the user and the machine. Add the files created or installed when you add applications or hardware, plus your own files, and it is safe to say there is no practical way for you to work out by hand what might have been modified. Enter File Integrity Monitoring: an automated method of recording a known-good fingerprint (a cryptographic hash) of each file you care about and reporting every change against it, with an audit trail of what changed and when. Pair it with the system’s own audit logging and you also learn which account or process made the change. Two practical caveats: point it at the files that matter (system binaries, configuration, web content) rather than everything, and expect a burst of legitimate changes on patch day, so tie expected changes to your maintenance windows. Detection accomplished, and responses made quicker and simpler.
System Logging and Auditing
Since your digital building consists of many machines with traffic going every direction, you would be hard pressed to constantly review the logs of all of the machines: firewall decisions, file changes, logon/logoff events, emails, print jobs, etc. Those logs are generated on every machine all day long. Trying to find an indication that a bad guy was attempting something nefarious would be essentially impossible, especially if the logs are not centralized and filtered to surface only the critical or suspicious events. This is why the Security Information and Event Management (SIEM) system was invented: it collects logs from every source into one place, normalizes them into a common format, and runs correlation rules across them, so that a handful of failed logons on a server and an allowed VPN connection on the firewall can be seen as one story rather than two unrelated lines. Needless to say, having all of these logs collated, tagged, and sorted by importance means auditing those records becomes significantly less painful.
Implementing a full SIEM is an advanced and expensive step for most organizations, but it is also the practice that turns all of the detection above into something you can actually act on. Even a single central log server with a handful of alert rules is a large step up from logs scattered across machines that nobody reads.
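A miniature of what a SIEM does, added here as an example (not the author’s code and not any product’s): log lines from a firewall and a Windows domain controller are parsed into one normalized stream, then a correlation rule runs over that stream to find a password-guessing run that ended in a successful logon. The Windows event IDs are the real ones (4625 failed logon, 4624 successful logon); the hosts, users, addresses, thresholds and every log line are constructed for the example, and the line formats are simplified stand-ins for real syslog and event-log output.

```python
"""Miniature log centralization and correlation (added example; not the author's code or any product's).
Log lines, hosts, users, addresses and thresholds are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two simplified source formats: a firewall decision line and a Windows logon event.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) (?P<dir>in|out) (?P<proto>\w+) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) "
                    r"IpAddress=(?P<src>[\d.]+)")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse(line):
    """Turn one raw line into a normalized event, or None if the format is unknown."""
    m = WIN_RE.match(line)
    if m:
        kind = {"4625": "logon_fail", "4624": "logon_ok"}.get(m["id"])
        if kind:
            return dict(ts=_ts(m["ts"]), host=m["host"], kind=kind, user=m["user"].lower(), src=m["src"])
    m = FW_RE.match(line)
    if m:
        return dict(ts=_ts(m["ts"]), host=m["host"], kind="fw_" + m["action"].lower(),
                    user=None, src=m["src"], dport=int(m["dport"]))
    return None

def ingest(text):
    """Normalize every line; count the ones no parser understood so they are not silently lost."""
    events, dropped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e:
            events.append(e)
        else:
            dropped += 1
    return events, dropped

FAIL_THRESHOLD = 5               # assumed: failures per user+source before we care
WINDOW = timedelta(minutes=5)    # assumed: how far back a failure still counts

def correlate(events):
    """Password-guessing rule: N failures in the window is MEDIUM; a success after them is HIGH."""
    alerts = []
    fails = defaultdict(list)    # (user, src) -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] not in ("logon_fail", "logon_ok"):
            continue
        key = (e["user"], e["src"])
        recent = [t for t in fails[key] if e["ts"] - t <= WINDOW]
        if e["kind"] == "logon_fail":
            recent.append(e["ts"])
            fails[key] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(dict(severity="MEDIUM", user=e["user"], src=e["src"], at=e["ts"],
                                   reason=f"{FAIL_THRESHOLD} failed logons within {WINDOW}"))
        else:
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(dict(severity="HIGH", user=e["user"], src=e["src"], at=e["ts"],
                                   reason=f"successful logon after {len(recent)} failures"))
            fails[key] = []      # a success closes the run
    return alerts

# Constructed log lines from two sources, interleaved as a collector would receive them.
LOGS = """\
2024-03-05T08:00:01Z fw01 ACCEPT in udp 198.51.100.7:40003 -> 203.0.113.1:51820
2024-03-05T08:00:40Z dc01 EventID=4625 TargetUserName=bwong IpAddress=10.0.0.21 Status=0xC000006A
2024-03-05T08:00:52Z dc01 EventID=4624 TargetUserName=bwong IpAddress=10.0.0.21 LogonType=2
2024-03-05T08:01:10Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.2.5 Status=0xC000006A
2024-03-05T08:01:15Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.2.5 Status=0xC000006A
2024-03-05T08:01:20Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.2.5 Status=0xC000006A
2024-03-05T08:01:25Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.2.5 Status=0xC000006A
2024-03-05T08:01:30Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.2.5 Status=0xC000006A
2024-03-05T08:01:35Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.2.5 Status=0xC000006A
2024-03-05T08:01:45Z dc01 EventID=4624 TargetUserName=jsmith IpAddress=10.0.2.5 LogonType=3
2024-03-05T08:02:00Z fw01 DROP in tcp 198.51.100.9:40500 -> 10.0.0.15:3389
this line is in a format the collector does not recognise
"""

def demo():
    events, _ = ingest(LOGS)
    return correlate(events)

if __name__ == "__main__":
    for a in demo():
        print(a["severity"], a["user"], a["src"], a["reason"])
```

One user mistyping a password and then getting in (bwong) produces nothing, which is the point of the threshold: rules that fire on every failure train people to ignore the console. The jsmith run fires twice, once when the guessing is noticed and again, at higher severity, when it succeeds, so the responder knows whether they are dealing with an attempt or a breach.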
Get Smart
No, we aren’t bringing in references to a hilarious 1960s sitcom; we are talking about building your knowledge and awareness of cybersecurity. If nothing else I have written resonates with you, this one must – you cannot neglect regular cybersecurity training for you and your staff. Our good friend, Bruce Schneier, says “The user is going to pick dancing pigs over security every time.” It is sad to say that Bruce is correct. You and your staff have to learn how to recognize social engineering and phishing attempts in order to combat the evil intentions of cybercriminals.
No matter how many technical safeguards you put in place, the bad guys will walk right in if someone holds the door for them.
Wrapping it up…for now…
“The nature of computerized systems makes it easier for the attacker to find one exploitable vulnerability in a system than for the defender to find and fix all vulnerabilities in the system.”
Bruce is not exactly the most optimistic voice when it comes to cybersecurity, but he is accurate. As I said at the beginning, you can and should do as much as you can to lock your doors and minimize the effect the bad guys can have when they inevitably get to you. Even if Bruce and I disagree on basic protections, we see eye to eye on the fact that we have to get everything right every time and the bad guys only have to be right once. The advantage is theirs, so let’s make sure to make it as tough for them as we can.