As I travel to industry events and talk with peers about network security, the biggest issue I see is that bright, shiny security tools with the latest bells and whistles mesmerize people. Too many companies deploy these tools without analyzing how the technology will be used or integrated with their security management structure. Collectively, network security teams need to put a stop to this mindset; they must slow down, take a look at the network and focus on solving the problems at hand.
First, let's look at the security incident process. How many incidents can you recall where the post-mortem review contained corrective actions such as install or update the antimalware software; patch the OS, application or hardware; update switch and firewall rules; change access control lists; or fix some local device configuration? If your post-mortem meetings are anything like mine, then the corrective actions you are looking at are security best practices. How can we use a "back-to-basics" approach to improve the security posture of our network infrastructure?
Nick Duda, Principal Information Security Engineer, Vistaprint
- Developed and implemented an automated IT security system for Vistaprint's modern distributed network supporting 4,500 employees, 25 localized websites and a Web portal that ships products to more than 130 countries.
- Mentors and offers advice to others on the technologies he's deployed including ForeScout CounterACT, Sophos SafeGuard and Thycotic Secret Server. Designed ForeScout CounterACT Cacti host template for monitoring key metrics of the appliance and published it to the ForeScout Community.
- Credentials and affiliations: Compliance and Regulations PCI DSS (level 1), MA CMR 17.0, ForeScout Certified Engineer
One of the key security best practices is making sure preemptive or corrective actions are actually taken. Take a step back and make sure you have visibility into all the devices on your network. Everything connected to the network should be identified and properly categorized. The best way to do this is to use several independent data points to identify each device. A MAC or IP address is a good place to start, but both are easily impersonated and spoofed, so a device identified by either one alone can be whatever an attacker wants it to appear to be. Combining several criteria (for example the MAC vendor, what the device claims in DHCP, and what an endpoint agent reports) reduces this risk: a cloned MAC address is much harder to hide when the other signals disagree with it.
I've conducted many security post-mortems, and more often than not there are one or more issues related to software or hardware missing a patch, not running the latest secure version or carrying a misconfiguration. Once you have visibility, you can put preemptive steps in place, such as alerting the help desk if a system has outdated antivirus protection or is running an older operating system. The help desk staff can then work to ensure that corrective actions are taken or, if you have a network access control or management system in place, you can automate corrective actions. For example, you can auto-notify end users to update their antivirus software, or automatically move endpoints to a quarantine VLAN if they are not compliant with your pre-established policies.
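To make the two preceding points concrete, here is a small, self-contained policy engine written for this page (it is an added example, not code from the author or from any product named here). It identifies each endpoint from three independent data points (MAC OUI vendor, the DHCP option 60 vendor class seen on the wire, and the OS reported by an endpoint agent), flags devices where those points disagree, then checks OS version and antivirus signature age against a policy and returns allow, notify or quarantine. The OUI table, vendor-to-OS mapping, thresholds and the four sample endpoints are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: a tiny OUI table covering only the constructed sample MACs below.
OUI_VENDOR = {"3C:22:FB": "Apple", "B8:27:EB": "Raspberry Pi", "00:50:56": "VMware"}
# Assumption: OS families each vendor's hardware is expected to run.
VENDOR_OS = {"Apple": {"macOS", "iOS"}, "Raspberry Pi": {"Linux"},
             "VMware": {"Windows", "Linux", "macOS"}}
# Assumption: DHCP option 60 (vendor class) prefixes and the OS family they imply.
DHCP_CLASS_OS = {"MSFT": "Windows", "android-dhcp": "Android"}

# Hypothetical policy thresholds; tune these to your own environment.
MIN_OS_VERSION = {"Windows": (10, 0), "macOS": (13, 0), "Linux": (5, 4)}
AV_NOTIFY_DAYS = 7        # signatures older than this: tell the user to update
AV_QUARANTINE_DAYS = 30   # older still, or no AV at all: isolate the endpoint

SEVERITY = {"allow": 0, "notify": 1, "quarantine": 2}


@dataclass
class Endpoint:
    mac: str
    ip: str
    dhcp_vendor_class: Optional[str]    # DHCP option 60 seen on the wire, if any
    agent_os: Optional[str]             # OS family from the endpoint agent; None if unmanaged
    agent_os_version: Optional[tuple]   # e.g. (10, 0)
    av_signature_date: Optional[date]   # last AV definition update; None if no AV


def dhcp_os(vendor_class):
    """Map a DHCP vendor-class string to an OS family, or None if unknown."""
    if vendor_class:
        for prefix, family in DHCP_CLASS_OS.items():
            if vendor_class.startswith(prefix):
                return family
    return None


def identity_findings(ep):
    """Cross-check independent data points; disagreement suggests spoofing."""
    findings = []  # list of (action, reason)
    vendor = OUI_VENDOR.get(ep.mac.upper()[:8])
    wire_os = dhcp_os(ep.dhcp_vendor_class)
    if vendor is None:
        findings.append(("notify", "MAC vendor not in OUI table, categorize manually"))
    if wire_os and ep.agent_os and wire_os != ep.agent_os:
        findings.append(("quarantine", f"DHCP claims {wire_os} but agent reports {ep.agent_os}"))
    expected = VENDOR_OS.get(vendor)
    for source, family in (("DHCP", wire_os), ("agent", ep.agent_os)):
        if expected and family and family not in expected:
            findings.append(("quarantine", f"{vendor} hardware but {source} reports {family}"))
    return findings


def compliance_findings(ep, today):
    """Check patch level and antivirus freshness against the policy."""
    findings = []
    if ep.agent_os is None:
        # No agent means no way to verify compliance, so treat as non-compliant.
        return [("quarantine", "no endpoint agent, compliance unknown")]
    minimum = MIN_OS_VERSION.get(ep.agent_os)
    if minimum and (ep.agent_os_version or (0,)) < minimum:
        findings.append(("quarantine", f"{ep.agent_os} {ep.agent_os_version} below minimum {minimum}"))
    if ep.av_signature_date is None:
        findings.append(("quarantine", "no antivirus installed"))
    else:
        age = (today - ep.av_signature_date).days
        if age > AV_QUARANTINE_DAYS:
            findings.append(("quarantine", f"AV signatures {age} days old"))
        elif age > AV_NOTIFY_DAYS:
            findings.append(("notify", f"AV signatures {age} days old"))
    return findings


def evaluate(ep, today):
    """Return (action, reasons); the most severe finding decides the action."""
    findings = identity_findings(ep) + compliance_findings(ep, today)
    action = "allow"
    for candidate, _ in findings:
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action, [reason for _, reason in findings]


# Constructed sample inventory with a fixed date so the output is deterministic.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Endpoint("3C:22:FB:AA:BB:CC", "10.1.1.10", None, "macOS", (14, 2), TODAY - timedelta(days=2)),
    Endpoint("00:50:56:11:22:33", "10.1.1.20", "MSFT 5.0", "Windows", (10, 0), TODAY - timedelta(days=10)),
    # Apple OUI, Windows on the wire, agent says macOS: the data points disagree.
    Endpoint("3C:22:FB:DE:AD:01", "10.1.1.30", "MSFT 5.0", "macOS", (14, 2), TODAY - timedelta(days=1)),
    Endpoint("B8:27:EB:00:00:01", "10.1.1.40", None, None, None, None),
]


def evaluate_all(today=TODAY):
    return {ep.ip: evaluate(ep, today) for ep in SAMPLE}


if __name__ == "__main__":
    for ip, (action, reasons) in evaluate_all().items():
        print(f"{ip:12} {action:10} {'; '.join(reasons) or 'compliant'}")
```

The point of `identity_findings` is that no single attribute is trusted: the third sample endpoint has a perfectly valid Apple MAC and a healthy agent, and only the disagreement between what it announces in DHCP and what the agent reports gives it away. In a real deployment the `SAMPLE` list would be fed from the switch, DHCP and agent inventories the rest of this article talks about, and the action would drive a ticket, an end-user notification or a VLAN change.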
Outside of work
Apple or Android? Apple, because Siri said so
Plan B: To be a Marine
Security hero? Ed Skoudis. Most of my security training was issued by Ed, whose stance and vision on cybersecurity is very much like mine.
Two things people don't know about you: Own every issue of The Amazing Spider-Man from 1962 to present, regular at the annual Burning Man festival
Six degrees of separation: Gabrielle Carteris (Andrea from Beverly Hills 90210) is my wife's second cousin.
What keeps you up at night? Zero-day vulnerabilities
Compliance and auditing tools are another area to leverage. To deal with the growing smorgasbord of industry and government mandates, many enterprises have mapped their tools and controls across the applicable compliance frameworks so they can institute governance, risk and compliance best practices more efficiently. These tools often ship with comprehensive control catalogs that provide insight across your IT environment, and the same controls (patch level, antimalware status, device configuration) are the ones that keep showing up in post-mortems.
Finally, get all the teams within the larger IT operations group collaborating with each other. Each team has made investments in technology that may have features and functions that benefit the others. The network team often knows how and where devices are connecting to the network. The help desk team can be a crucial ally in making sure all assets are identified, properly upgraded and patched. The risk and compliance group often has tools that validate the compliance status of devices before they are granted network access and that offer methods for remediation or for quarantining devices. Not only does this cross-team collaboration increase the ROI on all security implementations and related tools, it leads to better data, more accurate processes and a more secure enterprise overall.