While we can never say, all is well in the world of network security, this week I feel I can write to you about something other than a US-CERT alert.
This week’s topic – an interesting Cisco Talos blog post on the top 5 recommendations the Cisco Incident Response Team, looking back over the past 3 years, have been making when they are engaged with a client in responding to an actual security incident. These represent items that in looking back “if only “xxxxx” had been in place”, the incident would have been not so bad / easier to resolve / less damaging to the organization.
The top 5 most often occurring recommended actions by the Cisco IRT to their clients to help avoid having or improve response to another security incident in the future has been:
- Incident Response – know who you are going to call should an incident occur ahead of time. And hopefully, that same group is working with you on a continuous basis to improve your network security posture.
- Use an Advanced Endpoint Protection product on your endpoint devices – the old first generation AV products don’t provide all the protection you need, and more critically, in this case, don’t provide the necessary forensic information to track and respond to a security incident.
- Segment your Network – I have talked about this over an over for years. We need to protect against the ability of one compromised device to be able to attack the entire internal network.
- Perform active Security Monitoring of your network – this is the hardest one for most of you. It requires the addition of new monitoring tools as well as the investment in someone to be really looking at and responding to the tool's output. These are new costs for most of you that now need to be in your budgets to protect your network going forward.
- Network Security tools – SPAM filtering, Web filtering, DNS protection – most of you have this one covered, or at least the first two parts. Putting these in place help protect against accidental clicks, and if monitoring the logs, can help identify compromised machines that request access to compromised domains.
For most of you that first call for Incident Response will be to CSI, where we can engage both members of our team as well as other outside resources should an event occur.
And we are constantly informing our clients about new tools and encouraging all our clients on how to better improve the security posture of their networks, either on their own or by using new service offerings from CSI.
An unfortunate byproduct of our interconnected world today is our need for the increased capability to watch over our network to make sure what is happening on them is only what we desire to have happened, and not something else. Our networks “are not in Kansas anymore.”
If you want to discuss how to implement any of these recommendations in your network please contact the team at CSI and we will be happy to work with you on a plan to do just that.
If you want to read the full text of the Cisco Talos blog post you can find it here: