Getting up to speed: five EOFY tips to improve your IT security

22 Jun 18

Article written by Clint Marsden, team leader for incident response at Content Security.

While the end of a financial year is the time to tally the numbers and tidy up the books, it’s also the perfect time to cast an eye over your IT infrastructure. Supporting virtually every facet of business, this vital asset must be protected from a growing range of threats that can cause disruption and loss.

A regular review of IT security ensures all necessary protective measures are in place and operating effectively. While such reviews should be conducted throughout the year, undertaking a comprehensive audit now will ensure everything is on track as the new financial year unfolds.

The top five EOFY tips for better business IT security are:

1. Patch your systems

Many vulnerabilities exist within business IT infrastructures because software patches have not been installed. A regular and consistent patching regime significantly reduces the attack surface, making it much harder for attackers to gain access. Security vendors and device manufacturers have been delivering this message for many years, yet many breaches could still have been prevented by this fundamental step.

Patches should be deployed as soon as they are released by software vendors; any delay leaves critical infrastructure at risk. In addition, the harder an attacker has to work to gain access, the more likely it is that you will detect them within your Security Information and Event Management (SIEM) system.

2. Check log retention

IT teams often rely on the fact that they have logs available, but are not clear on how long those logs are kept on their systems until an incident occurs. They believe these logs will make it easier to spot unauthorised activity on a network and to determine the source of an attack should one occur.

However, all too often, these logs are overwritten or deleted before an incident has been detected. From a forensic investigation perspective, this makes it difficult to understand the initial entry point of the attack. Without this information, the ability to identify exactly how the adversary gained access to your infrastructure may be lost. Finally, a lack of log data can prevent detection of what lateral movement has taken place. Proper log retention and configuration is therefore vital.

3. Undertake centralised logging

If you don’t already have a SIEM in place, consider deploying one. Not only is this important when it comes to retaining all logs to prevent accidental or deliberate deletion, but using a platform to correlate logs from all systems within an infrastructure can greatly assist in the detection of a data breach, sometimes while it is still in its early stages.

By implementing a centralised logging system, an IT team can reduce the mean time to detect, and more importantly, ensure an accurate and efficient investigation can take place due to the availability of relevant forensic artefacts.

4. Review your existing baseline

If the IT team doesn’t know what normal activity within their infrastructure looks like, it’s very difficult to spot Indicators of Compromise. Take time to analyse day-to-day activity to develop a baseline of regular activity and actions. This should include recording normal processes and network connections from servers as a first step. Understand the bandwidth on internal and external network interfaces, and finally learn what normal looks like on your database servers – the crown jewels!

Then, when an incident occurs, it will be much easier to spot, as it will involve activity or data flows outside the baseline that can be flagged as interesting. This approach helps the team filter out noise and focus on the events that matter. When an incident occurs, many eyes are focused on the infrastructure, and at that time everything can be perceived as interesting or ‘evil’. By understanding what is normal before an incident takes place, your team can more quickly look for anomalous behaviour.
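The baseline-and-compare approach described above, as an added example that is not part of the original article: daily snapshots of (host, process, remote port) tuples, such as a scheduled process and connection sweep would produce, are folded into a baseline of what is seen on enough days to count as normal, and a new day's snapshot is then reported as new or missing relative to that baseline. Hostnames, process names and ports are constructed sample data.

```python
from collections import Counter

# Constructed sample data (not from the article): one set per day of
# (host, process, remote_port) observed on the servers.
SAMPLE_DAYS = {
    1: {("db01", "postgres", 5432), ("db01", "sshd", 22), ("web01", "nginx", 443), ("web01", "sshd", 22)},
    2: {("db01", "postgres", 5432), ("db01", "sshd", 22), ("web01", "nginx", 443), ("web01", "rsync", 873)},
    3: {("db01", "postgres", 5432), ("web01", "nginx", 443), ("web01", "sshd", 22)},
    4: {("db01", "postgres", 5432), ("db01", "sshd", 22), ("web01", "nginx", 443), ("web01", "sshd", 22)},
    5: {("db01", "postgres", 5432), ("db01", "sshd", 22), ("web01", "nginx", 443), ("web01", "sshd", 22),
        ("web01", "rsync", 873)},
}

# Constructed snapshot for the day under review: the usual services, minus
# sshd on web01, plus a connection not seen during the baseline window.
TODAY = {("db01", "postgres", 5432), ("db01", "sshd", 22), ("web01", "nginx", 443), ("db01", "curl", 8443)}


def build_baseline(daily_snapshots, min_days):
    """Return {observation: days_seen} for observations seen on at least min_days days.

    Each day's snapshot is a set, so an observation counts once per day no matter
    how many times the sweep saw it that day. Items below the threshold (an
    occasional job, a one-off admin session) are left out of the baseline.
    """
    seen_on = Counter()
    for snapshot in daily_snapshots.values():
        seen_on.update(snapshot)
    return {item: days for item, days in seen_on.items() if days >= min_days}


def compare_to_baseline(today, baseline):
    """Return (new, missing): today's items absent from the baseline, and
    baseline items absent today. Both are worth a look: a new outbound
    connection from a database server, or a service that silently stopped."""
    expected = set(baseline)
    new = sorted(today - expected)
    missing = sorted(expected - today)
    return new, missing


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_DAYS, min_days=3)
    new, missing = compare_to_baseline(TODAY, baseline)
    for item in new:
        print("NEW     ", item)
    for item in missing:
        print("MISSING ", item)
```

Feed the functions the output of your own daily sweeps and raise the threshold as the observation window grows; the point is that only deviations from the recorded norm reach an analyst.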

5. Implement a principle of least privilege

Within many organisations, there are a number of staff who have higher levels of network access than they require to complete their jobs. For example, some staff members who have been with the business for many years may have acquired and retained system access as they shifted from role to role.

Consistent audits of group memberships can be time-consuming, but they reduce the risk of insider threats (Snowden 2013). Also, if an attacker does compromise an account, it will limit how far they can move within the network or resources that can be accessed.
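One way to make the group membership audit repeatable, as an added example that is not part of the original article: each role is mapped to the groups it legitimately needs, and every user's actual memberships are compared against their current role, with any excess traced back to a previous role where possible (the long-serving employee who changed roles) or reported as unexplained. Role names, group names and users are constructed sample data.

```python
# Constructed sample data (not from the article): the groups each role is
# entitled to, and a directory export of users with their current role,
# previous roles and actual group memberships.
ROLE_GROUPS = {
    "finance-analyst": {"staff", "finance-readonly"},
    "finance-manager": {"staff", "finance-readonly", "finance-approvers"},
    "helpdesk": {"staff", "helpdesk", "password-reset"},
    "sysadmin": {"staff", "domain-admins", "backup-operators"},
}

USERS = {
    "alice": {"role": "finance-manager", "previous_roles": [],
              "groups": {"staff", "finance-readonly", "finance-approvers"}},
    # Moved from the helpdesk to finance but kept the helpdesk groups.
    "bob": {"role": "finance-analyst", "previous_roles": ["helpdesk"],
            "groups": {"staff", "finance-readonly", "helpdesk", "password-reset"}},
    # Holds a privileged group that no role in their history explains.
    "carol": {"role": "helpdesk", "previous_roles": [],
              "groups": {"staff", "helpdesk", "password-reset", "domain-admins"}},
}


def audit_least_privilege(users, role_groups):
    """Return {user: [(excess_group, explaining_previous_role_or_None), ...]}.

    A group is excess when the user's current role does not grant it. If a
    previous role did grant it, that role is named so the finding reads as
    'legacy access'; otherwise None marks it as unexplained and higher priority.
    """
    findings = {}
    for user, record in users.items():
        allowed = role_groups.get(record["role"], set())
        for group in sorted(record["groups"] - allowed):
            origin = next((r for r in record.get("previous_roles", [])
                           if group in role_groups.get(r, set())), None)
            findings.setdefault(user, []).append((group, origin))
    return findings


if __name__ == "__main__":
    for user, items in audit_least_privilege(USERS, ROLE_GROUPS).items():
        for group, origin in items:
            label = f"legacy from role {origin}" if origin else "no role explains this"
            print(f"{user}: excess membership {group} ({label})")
```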

Following these security recommendations will allow a business to be confident that it has taken significant steps to secure its environment and is ready to face the challenges of the new financial year. Taking the time now to review the measures in place and close any gaps that might exist could save significant time and expense further down the track.

Security is a never-ending journey, but following these fundamental recommendations will reduce risk and make your network less vulnerable to compromise, and if a compromise does occur, empower Incident Responders to provide better investigation outcomes.
