Actively Monitoring Cybersecurity Solutions
It’s well known that antivirus software should be installed on all your computers. It’s also well known that it should be set up on your firewalls along with your intrusion prevention system. What’s not very well understood is that things like this need to be looked in on from time to time. There’s an assumption that if there’s no obvious problem with firewalls then there’s no reason to go looking at them.
Physical security is easier to understand than electronic security. This is probably because the means of attack are visible and tangible. I find this makes analogies and comparisons more effective. So consider that if you install an alarm system on a building, you don’t do so without a plan of action for what happens if it goes off. This means two things:
First, you have a system in place to monitor for alerts. You don’t simply rely on people hearing the alarm and acting accordingly. Usually this means some kind of remote monitoring company that offers 24/7/365 monitoring to cover weekends, holidays, nights, and other times when people aren’t around.
Second, you have internal staff who are responsible for things like monitoring, arming, and disarming the system. This means the system is being checked (and tested) on a regular basis, and it will probably get noticed fairly quickly if it’s not operating correctly.
So why isn’t this understood for electronic security? Why do firewalls get put in place and configured and then are expected to simply work without anyone checking on them for months or even years at a time? Antimalware software is also often installed and forgotten about. What’s worse, it’s possible that they’ve never been actively tested to confirm they’re working. The person responsible may simply have installed the software, clicked a few checkboxes, and assumed everything was working properly. The only time most people look at a firewall is to add a rule to allow something new through. Similarly, the only time antivirus software is looked in on is usually to install a new version.
To be fair, most of the time there is no problem. Antimalware settings are probably working properly and the firewall is probably doing fine. Probably. The problem is that even though it’s usually fine, nobody would know if it wasn’t until it was too late. You wouldn’t have any indication that there was any danger until there was a successful attack.
One of the duties I perform at TRINUS is security audits for customers. Part of this involves looking at their antivirus logs (among many other things). I can recall one audit where I found logs that showed there had been a ransomware infection that had been prevented over a month before the audit. Now this may seem like a success since everything worked properly, but that nobody was aware it had even happened is still a problem.
Part of a good security policy is using these sorts of events to look at your own defenses. You can take a look at how far things got, what defenses were bypassed or failed and why, as well as what defenses worked to detect the attack. So in this situation, a ransomware executable had managed to make it into the network but was detected when it tried to execute. Yes it was prevented from causing any damage but what happened with the frontline defenses? Was there a misconfiguration? A failure? How was it able to get inside the network in the first place and could things be improved? These are the sort of questions that should be asked and answered in order to improve digital defenses.
Unfortunately, since the event had happened over a month ago there were no more records of the situation. All useful logs had been rolled over and any users involved won’t remember what they were doing at the time. A situation that could have provided some good, useful information that might have been able to improve the overall security was never noticed and rendered useless.
Sadly, this is exactly the sort of thing that happens all too often; security products are put in place and go unmonitored for months or years at a time when they need to be regularly checked to make sure everything is working properly. IPS setups are easy to trigger intentionally. Antivirus can be tested safely. Web filtering is also simple to test. Every defense that you have can be easily and systematically tested in a short amount of time. Making someone responsible for monitoring and double checking from time to time is not only practical, it’s appropriate.
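As an added illustration of the kind of routine check described above (example code, not from the original post or from TRINUS): a small Python sweep that lists antivirus detections nobody has signed off on, prevented ones included, and flags when the log window is shorter than the review cadence, which is exactly how the month-old ransomware event went unnoticed. The log format, hostnames, threat names and acknowledgement list are constructed for the example and do not match any particular product.

```python
from datetime import datetime, timedelta

# Constructed sample antivirus log in a generic "timestamp|host|action|threat"
# format (an assumption for this example, not any vendor's real format).
SAMPLE_LOG = """\
2024-03-02 09:14:05|WS-07|DETECTED|Ransom.Generic
2024-03-02 09:14:06|WS-07|QUARANTINED|Ransom.Generic
2024-03-15 11:02:41|WS-12|DETECTED|PUA.Adware
2024-03-15 11:02:42|WS-12|ALLOWED|PUA.Adware
2024-03-20 08:00:00|SRV-01|SCAN_COMPLETE|-
"""
# Constructed list of (host, threat) detections someone has already reviewed.
ACKNOWLEDGED = {("WS-12", "PUA.Adware")}

def parse_log(text):
    """Turn each non-blank log line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, threat = line.split("|", 3)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "action": action, "threat": threat})
    return events

def outcomes(events):
    """Map each (host, threat) detection to the last action recorded for it."""
    result = {}
    for e in events:
        key = (e["host"], e["threat"])
        if e["action"] == "DETECTED":
            result.setdefault(key, "DETECTED")
        elif key in result:          # follow-up action for a known detection
            result[key] = e["action"]
    return result

def unreviewed(events, acknowledged):
    """Detections nobody has signed off on, even those the product stopped."""
    return sorted(k for k in outcomes(events) if k not in acknowledged)

def retention_covers_review(events, review_interval_days):
    """False when the log window is shorter than the gap between reviews."""
    times = [e["time"] for e in events]
    return max(times) - min(times) >= timedelta(days=review_interval_days)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for key in unreviewed(ev, ACKNOWLEDGED):
        print("needs review:", key, outcomes(ev)[key])
    if not retention_covers_review(ev, 30):
        print("log window shorter than the 30-day review cadence")
```

Run against the constructed log, it reports the quarantined ransomware on WS-07 as unreviewed and warns that 18 days of logs cannot support a monthly review.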
Today I’ll share a line from Shakespeare’s play Troilus and Cressida, Act 2, Scene 3: “The common curse of mankind, folly and ignorance, be thine in great revenue.”
If you have any questions about active monitoring, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.