For effective network security monitoring, you need to see what devices are connected in your environment and how the vulnerabilities on those assets expose you to threats and intrusions. Attacks do not usually happen in one swift blow. Rather, they unfold in multiple steps. The earlier you detect attacks, the better chance you have at intervening to prevent a data breach or other harm.
Welcome back to Whiteboard Wednesday. My name is Mike Cromwell.
I’m Brian DeVault, and we’re here today talking about the Cybersecurity Posture series. We’re now into network. So, Brian, why don’t you walk us through the elements here and walk us through how a company can assess where they are and what the path looks like to get to great posture?
Yeah. So from a networking perspective, that’s a huge topic. Right. So we’re going to try to hit the high points here with the things that you should be doing if you have a security operations center, a network operations center or a network operational staff. Right.
So at the very top of the stack, we’ve got log and SIEM. The bottom line is your networking devices produce logging that can clue you in once you analyze it and alert you if something malicious is going on in your network. So you’ve got to do that piece of it.
The analysis piece of it is most commonly done with tools and software. We’re an AT&T Cybersecurity partner. We use AlienVault for this. It’s a great tool. Highly recommend it.
Regular scanning. We’ve talked about this during the series a couple of times, but this is vulnerability scanning. Right. So any network has vulnerabilities, whether that’s through WiFi or whether that’s through firmware on a switch or firmware on a firewall; it could be an incorrectly configured piece of networking equipment, it could be a VLAN configuration. There’s a variety of things, right. You can’t cover them all just by doing port scans and reviewing Visio diagrams. You’ve got to scan the network so you can find it with a tool that’s highly capable.
Then you’ve got to hunt. You’ve got to go out there and look for things that are wrong. Right. So these types of things are not going to be as obvious, but maybe you’re walking around the office one day and you see that somebody’s plugged a WiFi router into a wall socket. So those are threats that are outside of your control and command. And if you’re regularly scanning your network, you would discover that asset. But it may not be the same day. Right. You may only scan your network once a week, so you’ve got to look for things, right.
Behavior analysis is the process by which, like, say, Mike, if you were logged into your PC in the office, and then tomorrow I saw you logged in from Afghanistan, right. That would alert me that something is probably not right.
So the next item is research. So you’ve got to understand what threats are out there. Do you remember in episode five, I told you about our honeypot server that’s out there on the Internet, just grabbing data all the time that educates us as to what’s going on on the Internet and what those threat vectors are.
Obviously, you’ve got to monitor it. This is a classic case of the dashboard or the wallboard with your vital stats up there, and understand what they are. You’re going to have some things that are categorized as environmental awareness, like if somebody’s doing a port map scan of my firewall in my data center, that’s a pretty common event. Believe it or not, right. People are scanning public IPs all day long, every day. That’s not going to cause me to go do something to correct it, necessarily, unless I see it coming from a foreign country that I never want to communicate with. If that’s happening, I can go block that traffic, right, and monitor and get you that. So IPS/IDS. And that’s an exact function. Intrusion prevention system. Intrusion detection system. So have an IPS/IDS in place on your network. If you have a breach, that’s going to tell you about it and it’s going to alert you to it.
The last one I’ve done there is WiFi. This is a no-brainer. Everybody should be doing this, but secure your WiFi network. Don’t have guest networks that don’t have passwords. Don’t write your password for your WiFi on your conference room wallboard. Don’t distribute it on post-it notes. There are people that are trying to hack into your network, into your wireless networks, if they can see them. So secure your WiFi properly and you’ll be safe moving forward.
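The behavior-analysis case described in the conversation above (a user seen in the office, then logged in from another country the next day) is what SIEM vendors call an impossible-travel rule. The following is an added example, not code from the show or from AlienVault: it runs over a constructed set of login events with assumed geo-coordinates and flags any consecutive logins by the same user that would require travelling faster than an assumed 900 km/h.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not from the original page): user, UTC time, country, lat, lon.
SAMPLE_LOGINS = [
    ("mike", "2024-03-04T09:00:00", "US", 35.2271, -80.8431),   # office login, Charlotte
    ("mike", "2024-03-04T17:30:00", "US", 35.2271, -80.8431),   # same office, end of day
    ("mike", "2024-03-05T02:00:00", "AF", 34.5553, 69.2075),    # Kabul, 8.5 hours later
    ("brian", "2024-03-04T08:30:00", "US", 35.2271, -80.8431),  # office login, Charlotte
    ("brian", "2024-03-04T18:00:00", "US", 40.7128, -74.0060),  # New York, reachable by air
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airline cruising speed


@dataclass
class Alert:
    user: str
    from_country: str
    to_country: str
    distance_km: float
    hours: float
    speed_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one Alert per pair of consecutive logins (per user) that implies travel above max_kmh."""
    alerts = []
    last = {}  # user -> (time, country, lat, lon) of the previous login
    # ISO-8601 timestamps sort correctly as strings, so sorting by (user, time) orders each user's history.
    for user, ts, country, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        now = datetime.fromisoformat(ts)
        if user in last:
            t0, c0, lat0, lon0 = last[user]
            km = haversine_km(lat0, lon0, lat, lon)
            hours = (now - t0).total_seconds() / 3600
            # Two logins in the same second from different places are the worst case; same place is not travel.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append(Alert(user, c0, country, round(km, 1), round(hours, 2), round(speed, 1)))
        last[user] = (now, country, lat, lon)
    return alerts
```

With the sample data only the Charlotte-to-Kabul pair is flagged; the Charlotte-to-New York pair is well within airline speed, which is why the rule needs a speed threshold rather than a plain country-change check.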
Log management tools and Security Information and Event Management (SIEM) tools are more complementary than competitive. They broadly overlap in that both process event data; however, they are designed and used to meet different use cases. There are also those who want the flexibility to design their own SIEM on top of a modern log management tool.
Log management tools are primarily designed to collect any kind of machine-readable data, and provide optimized storage and search capabilities for it.
SIEMs are primarily designed to provide a security overview of a system. While savvy practitioners can adjust either to meet similar needs, the best use of either solution is to deploy it in a way that plays to its greatest strengths. Therefore, it is more appropriate to run a log management tool alongside a SIEM as a means of feeding in additional data for better context, and to use the log management tool for faster search and better storage.
Data collection and analysis tools are defined as a series of charts, maps, and diagrams designed to collect, interpret, and present data for a wide range of applications and industries. Various programs and methodologies have been developed for use in nearly any industry, ranging from manufacturing and quality assurance to research groups and data collection companies.
Continuous vulnerability scanning services provide an added level of protection that all organizations should be leveraging to uncover such exposures and significantly reduce the time to detect them in your environment.
To ensure that vulnerability scans have no lapse in detection, it is suggested that both authenticated and unauthenticated vulnerability scans are conducted. While the authenticated scan allows the tester to log in as a user and see vulnerabilities from a trusted user’s perspective, the unauthenticated scan does the opposite and offers the perspective of an intruder. Scanning under both sets of circumstances, again, ensures that even with constantly evolving technology, companies stay ahead of threats.
Configuring your wireless network correctly is one of the essential tasks in upholding the security of your corporate wireless network. At least among IT professionals, it is no secret how important it is for Wi-Fi networks to be secure for any business. A quick search on Google or a skim through social media or a news feed will turn up plenty of content about how vulnerable wireless networks are to attacks and data theft.
Hackers can get into your system in no time if you use the default Service Set Identifier (SSID) name and password. So the first tip to make it secure is to hide the SSID name or change it, along with setting a strong password, to protect your network.
Don’t use common SSID names (e.g., admin), as hackers are aware of this trend and it will take them no time to enter that network without much effort. Ensure the password includes numerals, special characters, and both uppercase and lowercase letters to make it stronger and more challenging for attackers to crack.