If you’ve had a good year security-wise, you may not be thinking about how to enhance your company’s defenses against malware and scams. A year with no intrusions or ransomware doesn’t predict that your security will perform equally well in the new year. You’ll need to keep your software up to date, protect devices with modern antivirus, stay vigilant with your email practices, and keep your discipline with passwords and MFA. If you’re covering those bases, it’s probably time to take the next three steps as well.
1. Threat Detection
We’ve written extensively on modern antivirus, and how it scans your endpoints in real time to spot signs of abnormal behavior. These abnormal behaviors can be things like high disk or processor usage, for instance, which could be signs that an attacker is in the process of exfiltrating your data. While that is an important part of your data security, so are some more straightforward questions: is your network accessible to bad guys, or do you have devices on your network that are vulnerable to attack?
Threat detection, like that offered by Qualys or CyberCNS, scans your network (either continuously or intermittently) to let you know where the soft spots might be. CyberCNS can be used to protect assets like your Active Directory, which contains the credentials and privileges associated with your user accounts on a Windows network. Making sure that it isn’t vulnerable is critical to keeping all of your data safe and making sure that users only have access to the data they need to have access to.
CyberCNS helps your MSP assess threats by not just scanning from inside the network, but also scanning it from the outside. This makes it possible for them to take the position of an attacker and see what can be learned about your network by connecting to it from the outside world. If you need to meet specific compliance specifications (for your cyber insurance or government contracts), the scan supports a few standards, including HIPAA, GDPR, NIST 800-53, NIST 800-171, and others, so that your administrators know exactly what to prioritize and address.
Finding and patching holes in your network can be a first line of defense against intrusions, but if someone does get in, you need to know immediately so that you can take action. When using Security Information and Event Management (SIEM) from a service like Todyl, your MSP or your Detection and Response Account Manager (the manager of your security at Todyl) can monitor reports in real time. SIEM helps you see that your detection is working when everything is fine, since it makes all of your network’s detection information visible, instead of hiding it away in a log file that nobody will look at.
Crown Computers can help devise detection rules that make the most sense for your network: what kind of data you have and how it is stored means that you may need custom rules for when alarms get triggered. If something looks suspicious because it doesn’t fit regular usage patterns, your security team will be alerted immediately, giving them the power to intervene, stop an attack in progress, or address whatever the problem turns out to be.
Another layer of detection that you should equip yourself with is honeypots. Honeypots are a great way to see if there’s something malicious happening on your network. As we wrote here, honeypots are a good last line of defense, because they show that someone is handling an asset with no other function than letting you know that something is being tampered with. That makes them a great tool for knowing that an attack is ongoing.
Thinkst is a company that has been working on honeypot defenses for a long time, and they recognize that the problem with deploying honeypots is that it’s easy to mismanage or forget about the honeypot. They’ve solved the management problem by offering devices and software that look real and valuable to an attacker, then send an alert to a console in the cloud. The “Canaries” that they offer just need a DNS server to communicate with the outside world, so setting them up is really simple. In fact, they say that deploying their hardware Canary takes five minutes or less.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team