In last week’s email, we talked about the second NIST Cybersecurity Framework category – Protect. This week we will be discussing the third category – Detect.
Detection seems like it should be pretty straightforward. According to NIST, the Detect Category defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables the timely discovery of cybersecurity events. The concept is indeed straightforward – be watchful and know when someone invades your network. The problem is, the bad actors keep evolving new ways to get at your data. So vigilance and adaptability are key.
Just to ground the discussion in fact, here are the specifics according to NIST:
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
Here are some examples from NIST:
- Ensuring Anomalies and Events are detected, and their potential impact is understood
- Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures including network and physical activities
- Maintaining Detection Processes to provide awareness of anomalous events
Examples of detection processes are tools that monitor what devices are on your network. Are there devices that exist that shouldn’t exist? Almost every school district runs in an environment with “virtual servers”. Almost every Microsoft Windows or Apple Mac device has the ability to host virtual servers inside them. Is anyone scanning for what is on your networks and asking the basic question, “What is this device, and should it be there?”
Auditing tools are another looking for abnormal login times and failed logins and unusual file activity. In the last year, the NYS Comptrollers office technology audits of school districts have dinged districts for things like inactive user IDs and computers or unusual rights to the network. These types of tools can pretty effortlessly identify the accounts and machines your tech staff need to focus on to keep the district’s name out of the paper.
A new area of security focus is security and vulnerability tools that help your technical staff quickly identify many of the vulnerabilities of your network so your technical staff can remediate and plug the known security holes and at the same time begin to directly address the technical side of the NIST framework.
Antivirus is a traditional tool that you are probably familiar with. The reality is that traditional antivirus tools are a bit dated. Those that would do you harm often can easily exploit antivirus weaknesses. If your district is still subscribing to basic antivirus, we recommend you reallocate that money towards a more advanced Endpoint Detection and Response (EDR, but you will hear the marketing terms MDR (Managed) or XDR (Extended). They are all essentially the same at the basic level). EDR builds upon and even leverages traditional antivirus technologies by adding artificial intelligence (AI) analysis as well as in some cases live security analyst analysis generally from a Security Operations Center (SOC).
The design principle is that you should employ multiple levels of security analysis – each looking at what is going on in your network from a different perspective. The goal is that by combining these tools, even if one layer misses something, or is compromised, another security layer will catch the attack. Think of it like a bank. The front door is locked. If that doesn’t stop the criminal, the alarm goes off and everything is recorded on video. If that doesn’t stop the criminal, there is the bank vault. And the police (the Security Operations Center) are on the way. It is vital that you have SOC oversight for your security implementation. Midnight on Christmas Eve they will be actively watching your network and acting accordingly to any threats seen.
Next week’s bulletin will discuss category 4 – RESPOND.
Talk to your Director of IT about what systems are currently in place to detect a possible incursion into your network. The best practice is to be looking from multiple points of attack (ie, your firewall and your endpoints). Discuss the suggestions below with him/her and understand your district’s plan for Detection
- Install/check the status of Windows Defender on every server and workstation - at least as a second opinion tool. It is free. It works with anything else you might have installed. However, your present security stack came to be please make a point to survey your network and make sure that Windows Defender is installed everywhere it can be installed - regardless of what else you are doing.
- Make sure your detection systems have meaningful alerts for actionable events. Having an alert of activity on a console is not helpful if no one looks at the console. Gaps in your protection can be a serious exposure. Attackers only need to be right once.
- Invest in the more advanced Anti-virus companion tools that provide additional layers of protection beyond the basic Microsoft Defender anti-virus. While Microsoft Defender is good, different products and layers look at events from different perspectives. While nothing absolutely sees everything, hopefully, one of the layers sees the bad thing and either blocks it or at the very least pulls the fire alarm to alert you that something bad is going on.
Consider as one of your investments a Managed Endpoint Detection system with a 24x7x365 SOC. There is tremendous peace of mind in having a full Security Operations Center and/or live Security Analysts playing centerfield looking at and correlating all those alerts and, if necessary, intervening proactively until you can be notified.
If you would like additional information about any of the suggestions here or are interested in getting help navigating the NIST CSF journey, please contact Lisa MacDougall at lmacdougall@csiny.com or call 845.897.9480.
You must be logged in to post a comment.