I spent the day today at the soccer field for the championship games of the local town soccer season. My daughter's team came in third place, winning its first and last games. It is interesting to watch little kid "beehive soccer." Everyone is bunched up where the ball is located, and rarely do you see anyone strategically positioned on offense or defense in case either side breaks out and makes a run on the goal.
My eight-year-old and I had this conversation at Tuesday night's practice. She then decided to play exclusively defense for the first time and started directing her teammates about being better positioned on the field. Her team lost but played the best game of the season. And then she did it again today, and her team won.
She had a comprehensive game strategy and convinced her teammates to implement it.
It was much harder to have a breakout moment against her team and much easier to capitalize on a breakout offensively.
Soccer strategy is much like network security.
You have a firewall. You have some sort of endpoint protection solution.
Do you have other levels of protection to prevent a catastrophic breakout of a bad actor in your network?
Are you monitoring the consoles of whatever AV/EDR/MDR/XDR product you have chosen? Is someone else monitoring them? If so, do they just tell you things or actively respond (i.e., incident response)?
It is said that if local admin can be obtained on an endpoint, domain admin *WILL* be obtained by the attacker. Once domain admin has been obtained, it is estimated that you have about four hours until your network is irreparably compromised. And now, with the shift towards "Volt Typhoon" style attacks, which rely on "living off the land" rather than deploying a "verybadthing.exe" that almost every antivirus will catch and kill, we may not always be looking at where the true attack is coming from.
It is all about layers of protection.
Here is what you must do:
- Keep your firewall current.
- Monitor your firewall to look for anomalies.
- Log your firewall and core switches for forensic data.
- Log in to your Active Directory and look for anomalies.
- Patch your third-party apps.
- Patch your OS.
- Monitor your AV/EDR/MDR/XDR solution for active threats and ensure your endpoints are all online and reporting.
- Have a plan for nights, weekends, and holidays, when most of these attacks come.
- Monitor all VPN and remote access connections.
- Continually harden endpoints, servers, and switches to current security and compliance best practice standards.
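To make the Active Directory, remote access, and off-hours items on this list concrete, here is an added example (not code from the original post or from CSI) of a small review script that reads constructed log lines and flags two of the anomalies a defender would want to see first: anyone being added to a privileged AD group, and successful VPN logins at night, on weekends, or on holidays. The pipe-delimited log format, the sample user names, addresses, and the holiday list are all constructed for the example; Windows Security event 4728 (a member was added to a security-enabled global group) is a real event ID.

```python
"""
Added example: flag privileged-group changes and off-hours remote access
in constructed Active Directory and VPN log lines. The log format below
is made up for this example; only event ID 4728 is a real Windows event.
"""
from datetime import datetime, time

# Groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Assumed business window; anything outside it counts as off-hours.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Constructed holiday list (ISO dates).
HOLIDAYS = {"2024-07-04"}

# Constructed sample log lines: "timestamp|source|key=value|key=value...".
# 2024-07-02 is a Tuesday, 2024-07-04 is a holiday above, 2024-07-06 is a Saturday.
SAMPLE_LOGS = [
    "2024-07-02T10:15:00|AD|EventID=4728|Group=Sales|Member=jdoe|Actor=hr-admin",
    "2024-07-02T23:40:00|AD|EventID=4728|Group=Domain Admins|Member=svc-backup|Actor=jdoe",
    "2024-07-03T09:05:00|VPN|User=jdoe|SrcIP=203.0.113.5|Result=success",
    "2024-07-04T02:12:00|VPN|User=svc-backup|SrcIP=198.51.100.9|Result=success",
    "2024-07-06T11:30:00|VPN|User=msmith|SrcIP=203.0.113.7|Result=success",
    "2024-07-03T09:06:00|VPN|User=jdoe|SrcIP=203.0.113.5|Result=failure",
]


def parse_line(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, source, *fields = line.strip().split("|")
    record = {"ts": datetime.fromisoformat(ts), "source": source}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def is_off_hours(ts):
    """True on holidays, weekends, or outside the business window."""
    if ts.strftime("%Y-%m-%d") in HOLIDAYS or ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_anomalies(lines):
    """Return (kind, timestamp, subject, detail) tuples worth a human's attention."""
    findings = []
    for line in lines:
        r = parse_line(line)
        # Any addition to a privileged group is reviewed regardless of time of day.
        if (r["source"] == "AD" and r.get("EventID") == "4728"
                and r.get("Group") in PRIVILEGED_GROUPS):
            findings.append(("privileged_group_add", r["ts"].isoformat(),
                             r["Member"], f"added by {r['Actor']}"))
        # Successful remote access at night, on weekends, or on holidays.
        if (r["source"] == "VPN" and r.get("Result") == "success"
                and is_off_hours(r["ts"])):
            findings.append(("off_hours_remote_access", r["ts"].isoformat(),
                             r["User"], f"from {r['SrcIP']}"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOGS):
        print(*finding)
```

Run against the embedded sample it reports the Domain Admins addition made late on a Tuesday, the holiday login by the same service account that was just promoted, and the Saturday login; the daytime weekday login and the failed attempt are left alone. In practice the business window, holiday list, and privileged-group set come from your own environment, and the output feeds whoever is on call for nights, weekends, and holidays rather than a console nobody reads.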
None of this list is optional.
All of it must be addressed.
Failure to address all of this list is a lot like beehive soccer. Things are great until they break through that first defensive wall, and then the other team can run across the network unopposed.
No matter how well you think you are doing, this is always on your summer security checklist.
CSI has solutions to help address whatever part of this list you and your staff can't reasonably address.
If you need help, give us a call.
-Scott Quimby, CISSP