Weekly Tech Tidbit - Guarding The Wall
"Son, we live in a world that has walls, and those walls have to be guarded by men with guns"
-Col. Jessep "A Few Good Men"
That classic movie line rings true on all our networks. We are under active attack. Bob can tell story after story of how an exposed IP address starts getting port scanned within 15 minutes of exposure. The NAT rules are exposed and suddenly the bad guys are attempting to directly touch your devices to find a way in. It is frightening how fast they move when they see a potential breach.
That is why we are obsessive about DMZs, keeping third-party vendors on protected VLANs and layers of security. Some of the security layers we are recommending are:
- Managed Firewall - Looking at active traffic for anomalies or threats
- Log Monitoring - Analyzing logs for bad actors
- DNS Filtering - Cisco Umbrella
- Active Directory Auditing - A separate auditing server.
- CSEDR - A leading EDR agent plus a 24x7x365 Security Operation Center watching your devices.
- Patch Management - Automating and managing Windows patches
- Third-Party Patch Management - All those other application based threats
- Device Monitoring - Paladin Sentinel Monitoring
CSI has solutions for all of those layers of security, but today I want you to seriously consider adding another layer to your security stack: Huntress Agents.
Huntress Labs is an amazing company run by a number of ex-NSA folks whose job it was to be offensive hackers and penetrate our enemies' networks. They are the smartest people I have ever met in my 42 years of working in technology. They started a company dedicated to protecting you from the bad guys.
They start with a simple premise, "Everything can be hacked". That is why we have layered defenses. They are under no illusion that our security tools, or anyone else's, can withstand every threat. Therefore, they have adopted a position on your network that is completely different from anyone else's: they look for behavior. If a bad actor has breached your network, either with fileless malware (aka living off the land) or because they disabled your primary AV/EDR client, sooner or later the bad guys have to touch files or alter your system. They analyze thousands of endpoint changes a month and look for the bad guys setting up shop. They look for files being altered for ransomware. They look for ports being opened to the internet. The changes are analyzed in minutes, first with AI and then with a live analyst as necessary. If a persistent foothold of a bad guy appears on your endpoints, they alert and script the recovery for us to implement. They don't replace your front line AV/EDR product. They are a companion product to that product. They don't block anything. They report malicious changes and provide the remediation recipe in a semi-automated fashion for us to implement to remove the threat.
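To make the "look for behavior" idea concrete, here is a small added illustration of the kind of host-change monitoring the paragraph describes: snapshot the autostart entries and listening ports, diff them against a known-good baseline, and flag a burst of file renames to a ransomware-style extension. This is example code written for this tidbit, not Huntress's agent or CSI's tooling; the snapshots, file events, extension list and thresholds are all constructed for the demo, and a real agent collects far more than this.

```python
"""Baseline-and-diff monitor for the host changes described above.

Added example, not Huntress's code. All snapshots, events, extensions and
thresholds are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # "persistence" or "exposure"
    detail: str


# Constructed list of extensions seen on encrypted files in the demo data.
SUSPICIOUS_EXTENSIONS = (".locked", ".crypt", ".enc")


def diff_snapshot(baseline: dict, current: dict) -> list:
    """Report autostart entries and listeners present now but not in the baseline.

    A snapshot is {"autoruns": {name: command}, "listening": {(proto, port), ...}}.
    An autorun whose command changed counts as new: attackers often reuse an
    existing entry name rather than create an obviously foreign one.
    """
    findings = []
    for name, cmd in sorted(current["autoruns"].items()):
        if baseline["autoruns"].get(name) != cmd:
            findings.append(Finding("persistence", f"new or changed autorun {name!r}: {cmd}"))
    for proto, port in sorted(current["listening"] - baseline["listening"]):
        findings.append(Finding("exposure", f"new listener {proto}/{port}"))
    return findings


def ransomware_burst(events, window_seconds=60, threshold=20) -> bool:
    """True if at least `threshold` renames to a suspicious extension land
    inside any `window_seconds`-long window. events: iterable of (timestamp, path).
    A sliding window keeps this O(n) over the sorted hit timestamps."""
    hits = sorted(t for t, path in events
                  if path.lower().endswith(SUSPICIOUS_EXTENSIONS))
    lo = 0
    for hi, t in enumerate(hits):
        while t - hits[lo] > window_seconds:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


# --- constructed sample data -------------------------------------------------
BASELINE = {
    "autoruns": {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    "listening": {("tcp", 445), ("tcp", 3389)},
}
CURRENT = {
    "autoruns": {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "Updater": r"C:\Users\Public\svc.exe",  # constructed: a new entry in a world-writable path
    },
    "listening": {("tcp", 445), ("tcp", 3389), ("tcp", 8080)},
}
# 25 renames to .locked within 25 seconds, plus some ordinary activity.
BURST_EVENTS = [(float(i), rf"\\fileserver\share\doc{i}.docx.locked") for i in range(25)]
BURST_EVENTS += [(30.0, r"\\fileserver\share\budget.xlsx"), (31.0, r"\\fileserver\share\notes.txt")]


def run_demo() -> dict:
    """Return the findings for the constructed data so they can be inspected."""
    return {
        "changes": diff_snapshot(BASELINE, CURRENT),
        "ransomware_burst": ransomware_burst(BURST_EVENTS),
    }


if __name__ == "__main__":
    result = run_demo()
    for f in result["changes"]:
        print(f"[{f.category}] {f.detail}")
    print("ransomware-style burst:", result["ransomware_burst"])
```

The point of the diff is that it does not need a signature for the attacker's binary: a new autorun, a changed autorun command, or a listener that was not there yesterday is reportable on its own, which is what lets this style of monitoring fire even after the primary AV/EDR has been disabled. The thresholds here are arbitrary demo values; in practice they are tuned against the normal rename rate of the file shares being watched.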
As endpoint security products go, this is relatively inexpensive.
I would like to see your endpoint security evolve in the following way:
- Put CSEDR with the Security Operations Center on all the servers, critical workstations and all other workstations that you can afford, focusing first on workstations that have access to Windows shares and sensitive information.
- Put Huntress on those machines as well.
- On all machines where the full CSEDR client is not yet financially possible, put Huntress on those devices alongside your traditional anti-virus client.
The ransomware file activity and internet open port alerting alone could be the difference between quickly mitigating a ransomware attack and losing control of your network.
There's a lot more to talk about, and their road map of new features is extremely exciting, but this is a tidbit, so if I have piqued your interest, give Lisa a call and we'll show you how this works.