As IT professionals, we live in a state of continuous attack, much like a living organism whose immune system is constantly battling infection. And just as a living organism cannot fight off a single virus and declare itself safe from all future infections, a one-time network security audit or report cannot stave off future cyber attacks. Rather, continual security monitoring and hygiene cycles are critical to network health. The end result is better security intelligence that can be tapped to decide where and when to spend often limited IT security resources should a future security incident occur.
Striking a proactive posture before an incident can help close the open doors that are vulnerable to exploits, provided we know which vulnerabilities are accessible and which are automated via exploit kits. Security experts are finding that 90% of vulnerabilities do not need attention. They recommend focusing first on the ones noted in ExploitDB and in the Metasploit framework. Research also shows that attackers are quick to react to new vulnerabilities with high scores, and to existing ones with scores below the mid-range, since those are likely to be ignored.
As cyber attacks cycle through their kill chain stages, analysis of inbound and outbound traffic can detect Indicators of Compromise (IOCs), along with suspicious and potentially malicious activity. Security experts are finding that, within an organization, 20% of systems are infected with some type of malware. Analysis of DNS traffic, spikes in UDP traffic, request and response sizes, inhuman web activity and geo-tagging are proving to be good candidates to investigate for compromise.
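As an added example (not part of the original post), the following Python script scores hosts against three of the signals named above over constructed flow records: DNS query volume relative to peers, machine-regular request timing, and requests that dwarf their responses. The record layout, the sample data and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample flow records, not real traffic:
# (epoch_seconds, src_host, dst_port, bytes_out, bytes_in)
RECORDS = [
    # 10.0.0.5: ordinary browsing, irregular timing, small DNS queries, big answers
    (1000, "10.0.0.5", 443, 600, 42000), (1037, "10.0.0.5", 53, 60, 120),
    (1102, "10.0.0.5", 443, 700, 15000), (1290, "10.0.0.5", 53, 58, 110),
    (1455, "10.0.0.5", 443, 650, 33000),
    # 10.0.0.7: light usage, too few events to judge timing
    (1010, "10.0.0.7", 53, 55, 130), (1300, "10.0.0.7", 443, 500, 9000),
    (1990, "10.0.0.7", 443, 520, 8000),
    # 10.0.0.9: exact 60 s cadence, oversized DNS "queries" with tiny answers
    (1000, "10.0.0.9", 53, 900, 80), (1060, "10.0.0.9", 53, 900, 80),
    (1120, "10.0.0.9", 53, 900, 80), (1180, "10.0.0.9", 53, 900, 80),
    (1240, "10.0.0.9", 53, 900, 80), (1300, "10.0.0.9", 53, 900, 80),
]

def score_hosts(records, dns_port=53, min_events=5, cv_max=0.1, ratio_max=2.0):
    """Return {host: [signal names]} for every host that trips at least one check."""
    by_host = defaultdict(list)
    for rec in sorted(records):          # time order, so gaps below are meaningful
        by_host[rec[1]].append(rec)
    dns_counts = {h: sum(1 for r in recs if r[2] == dns_port) for h, recs in by_host.items()}
    baseline = median(dns_counts.values())  # cross-host baseline for the volume check
    findings = {}
    for host, recs in by_host.items():
        signals = []
        # 1. DNS volume spike: far more queries than the typical peer host
        if dns_counts[host] > 2 * baseline:
            signals.append("dns_volume_spike")
        # 2. Inhuman regularity: near-constant gap between events (beacon-like)
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        if len(recs) >= min_events and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < cv_max:
            signals.append("regular_timing")
        # 3. Request/response size: DNS queries much larger than their answers
        dns = [r for r in recs if r[2] == dns_port]
        if dns and mean(r[3] / max(r[4], 1) for r in dns) > ratio_max:
            signals.append("oversized_requests")
        if signals:
            findings[host] = signals
    return findings

def suspicious_hosts(records, min_signals=2):
    """Hosts worth investigating: two or more independent signals agree."""
    return sorted(h for h, s in score_hosts(records).items() if len(s) >= min_signals)

if __name__ == "__main__":
    for host, signals in score_hosts(RECORDS).items():
        print(host, ", ".join(signals))
    print("investigate:", suspicious_hosts(RECORDS))
```

Requiring two signals to agree keeps a single noisy check (a busy but legitimate host, for instance) from generating an alert on its own.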
Research shows that, after an incident, a third party is most likely to be the one notifying you of stolen data. Worse still, the gap between infection and detection or notification is well over 200 days. Despite these factors, finding patient zero and the pivot trail of a compromise is good practice, since it teaches us what to look for and how to improve security hygiene. The challenge in doing so is that the expertise to normalize and correlate the various silos of security information is a valued skill set and not always easy to find. Fortunately, you can share IOCs within your industry or via public exchanges, and thereby learn from others even if you lack the necessary data and expertise.
To recap, like maintaining our own health, our networks require security hygiene practices that go in continuous cycles and are not one-time events. They should be proactive against exploitable and accessible vulnerabilities, detect infected systems by exposing anomalies in communications, and leverage forensic analysis to educate and improve defenses and detection.
The big question I pose to you is – do you think you can best implement continual security hygiene via a DIY internal effort, or would a partnership with external security experts be preferable?