Prevention Is Ideal But Detection Is a Must Strategy
When I say, “prevention is ideal but detection is a must,” I’m talking about preventing the adversary from penetrating, and really focusing in on these areas. We can limit the information that’s out there. We can control and stop the payload. We can stop executables from running.
I went through those solutions by application
So when we’re talking about trying to prevent the adversary we’re really trying to control the delivery and execution. We’re focused on what gets delivered to your system and what gets executed on your box. We can start to prevent and stop that.
From a detection capability, we’re really looking at the network patterns and the network traffic that’s occurring on the system. I am a
When we’re looking at the detection, we’re looking at the network patterns that are occurring. There’s also a very important subtlety here that I want to draw out when I’m talking about prevention and stopping this. Most of this occurs on the inbound traffic. So, I’m really talking about inbound prevention. I’m looking at what’s coming into my network inbound and trying to prevent, stop, or limit that. When I’m talking about detection, I’m really focusing on what’s leaving my organization or what the outward bound traffic is.
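The outbound focus described above can be made concrete with a small detector. This is an added example, not code from the post or from Secure Anchor: it parses a handful of constructed flow records (the line format and the addresses are assumptions), keeps only traffic that leaves the RFC 1918 space, and then applies two checks that look at what is leaving rather than what is coming in: near-constant-interval connections from one internal host to one external host, and hosts whose total bytes to external destinations exceed a threshold.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Internal (RFC 1918) ranges: anything outside these is "leaving the organization".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample flow records (assumption: one flow per line,
# "epoch_seconds src_ip dst_ip dst_port bytes_sent"). Not real traffic.
SAMPLE_FLOWS = """\
1700000000 10.1.1.20 203.0.113.5 443 512
1700000060 10.1.1.20 203.0.113.5 443 512
1700000120 10.1.1.20 203.0.113.5 443 512
1700000180 10.1.1.20 203.0.113.5 443 512
1700000240 10.1.1.20 203.0.113.5 443 512
1700000300 10.1.1.20 203.0.113.5 443 512
1700000005 10.1.1.21 198.51.100.10 443 20480
1700000047 10.1.1.21 198.51.100.10 443 8192
1700000130 10.1.1.21 198.51.100.10 443 4096
1700000131 10.1.1.21 198.51.100.10 80 1024
1700000200 10.1.1.22 203.0.113.77 443 52428800
1700000010 10.1.1.20 10.2.0.5 445 2048
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Turn the text records into (ts, src, dst, dst_port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return flows


def outbound_only(flows):
    """Keep flows that leave the organization: internal source, external destination."""
    return [f for f in flows if is_internal(f[1]) and not is_internal(f[2])]


def detect_beacons(flows, min_flows=5, max_cv=0.1):
    """Flag (src, dst) pairs whose outbound connections recur at near-constant intervals.

    A coefficient of variation (stddev / mean of the gaps) at or below max_cv
    means the timing is too regular for a person at a keyboard.
    Returns {(src, dst): mean_interval_seconds}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in outbound_only(flows):
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[pair] = avg
    return found


def detect_volume(flows, threshold_bytes=10 * 1024 * 1024):
    """Flag internal hosts whose total bytes sent to external destinations exceed the threshold."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in outbound_only(flows):
        totals[src] += nbytes
    return {src: b for src, b in totals.items() if b > threshold_bytes}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("beaconing pairs:", detect_beacons(flows))
    print("high-volume senders:", detect_volume(flows))
```

The internal-to-internal flow on port 445 is deliberately ignored here: it is not outbound, so it belongs to the visibility and segmentation problem later in the post, not to this outbound check. On real flow data the thresholds (five connections, 10% jitter, 10 MB) are starting points to tune against a baseline, not fixed values.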
So what we’re really getting into here
What are some actionable things that we can do on the preventive side? Limit visibility. Reduce the exposure within your environment. When organizations first started deploying networks in the late 90s, adversaries were targeting systems with public IP addresses. So we took every system that had a public IP address and put it on an isolated network (called a DMZ). We locked down, secured, and patched those systems. Then we firewalled them off from the rest of the network. We made those targets very difficult.
We actually caused the problem we have
We thought, in the 90s, there was no way to break into a computer with a private IP address. We felt all of our systems that had RFC 1918 addresses were going to be secure and protected. We just put them all on one big network.
Via e-mail, the Web, and other mechanisms, the adversaries figured out how to penetrate that perimeter. When they get into one of those systems, they have full visibility into all the other networks.
We have to do the same thing we did 20 years ago. We need to take all those client systems, put them on separate isolated segments, firewall them off, lock them down, and limit any sensitive data. Then, if they get compromised, the amount of exposure is limited.
Here’s the problem today. If you compromise a client computer on the private network, it will be able to see 8000 servers. What if we take all of our clients, we break it into groups of 50, put 50 systems on
That’s the approach we want to take. Start limiting and controlling visibility. Start locking down our environments.
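To put numbers on the visibility argument, here is an added example (not code from the post or from Secure Anchor) that models the proposal above: 8000 servers, the figure the post uses, in a few zones, and 2000 client workstations grouped 50 at a time onto their own /26 segments. The zone names, subnets, client count, and the per-segment allow-list are constructed assumptions. It computes the blast radius of one compromised client on the flat network versus a segmented one, and renders the nftables forward-chain rules that would enforce a segment's allow-list (assuming a table `inet filter` with a `forward` chain already exists).

```python
from ipaddress import ip_network

# Constructed inventory (an assumption for this example, not the post's data):
# 8000 servers, matching the figure in the post, split into four zones.
SERVER_ZONES = {
    "web-apps": {"subnet": ip_network("10.203.0.0/23"), "count": 300},
    "file":     {"subnet": ip_network("10.200.0.0/19"), "count": 4000},
    "erp":      {"subnet": ip_network("10.201.0.0/20"), "count": 3000},
    "hr":       {"subnet": ip_network("10.202.0.0/22"), "count": 700},
}
NUM_CLIENTS = 2000                            # constructed
GROUP_SIZE = 50                               # the post's proposed group size
CLIENT_SPACE = ip_network("10.10.0.0/16")     # client segments are carved from here
INTERNAL = ip_network("10.0.0.0/8")           # everything internal, for the default drop


def num_segments(num_clients=NUM_CLIENTS, group_size=GROUP_SIZE):
    return -(-num_clients // group_size)      # ceiling division


def segment_subnets(num_clients=NUM_CLIENTS, group_size=GROUP_SIZE, space=CLIENT_SPACE):
    """One /26 per segment: 62 usable addresses is the smallest block that fits 50 clients."""
    subnets = list(space.subnets(new_prefix=26))
    needed = num_segments(num_clients, group_size)
    if needed > len(subnets):
        raise ValueError("client address space too small for the number of segments")
    return subnets[:needed]


def segment_size(seg, num_clients=NUM_CLIENTS, group_size=GROUP_SIZE):
    """Number of clients in segment `seg` (the last segment may be partial)."""
    return max(0, min(group_size, num_clients - seg * group_size))


def default_policy():
    """Allowed server zones per segment. Every segment only needs the web apps;
    segment 0 is taken to be the HR team and also needs the HR zone (assumption)."""
    policy = {seg: {"web-apps"} for seg in range(num_segments())}
    policy[0].add("hr")
    return policy


def blast_radius_flat():
    """Flat private network: a compromised client sees every server and every other client."""
    servers = sum(z["count"] for z in SERVER_ZONES.values())
    return servers, NUM_CLIENTS - 1


def blast_radius_segmented(seg, policy):
    """Segmented network: only the allowed zones and the segment's own peers are reachable."""
    servers = sum(SERVER_ZONES[z]["count"] for z in policy[seg])
    return servers, segment_size(seg) - 1


def render_nft_rules(seg, policy):
    """nftables rules for one segment's forward traffic: accept the allowed zones,
    then drop everything else internal, which includes every other client segment.
    Hosts inside the same /26 talk at layer 2 and never hit this chain."""
    src = segment_subnets()[seg]
    rules = [
        f"nft add rule inet filter forward ip saddr {src} "
        f"ip daddr {SERVER_ZONES[z]['subnet']} accept"
        for z in sorted(policy[seg])
    ]
    rules.append(f"nft add rule inet filter forward ip saddr {src} ip daddr {INTERNAL} drop")
    return rules


if __name__ == "__main__":
    policy = default_policy()
    print("flat network (servers, other clients):", blast_radius_flat())
    for seg in (0, 5):
        print(f"segment {seg} (servers, peers):", blast_radius_segmented(seg, policy))
    print("\n".join(render_nft_rules(5, policy)))
```

On the flat network the compromised client reaches all 8000 servers and 1999 other clients; on the segmented one a typical segment reaches 300 servers and 49 peers. The exact reduction depends on how honest the per-segment allow-list is, which is the real work in any segmentation project.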
For more tips on staying safe in cyberspace, keep checking out my blogs or follow me on Facebook, Twitter, or LinkedIn. For your own company’s security assessment or any other questions or concerns, reach out to me at secure-anchor.com/contact.