4 keys to cyber threat detection

Jan. 23, 2017
It takes solid policy and commitment from every employee to ensure the security of an organization's infrastructure

For most IT managers, it’s a constant battle to protect the organization from intruders looking for a way into the network. These threats are increasingly difficult to detect and defend against, and they come from many sources. A focus on external threats is critical, of course, but at the same time we shouldn’t overlook the threats that emerge from internal sources, such as compromised accounts or malicious insiders.

Would-be attackers are looking for ways to breach your network, and they will evolve their tools and techniques based on what has worked in other recent breaches. How can you keep ahead of the new weapons that might be used against you? The old way of doing things may no longer be effective, but the good news is that a number of new tools and applications are available to help mitigate the risk of intrusion.

With security applications ranging from IDS/IPS, anti-malware, DLP, endpoint protection, firewalls and patch management to SIEM and advanced analytics, there is no shortage of tools, or of hype. However, no single class of application can provide adequate protection on its own; defense in depth requires several working together.

Firewalls and IDS are still essential, but on their own they no longer provide the depth of defense that is needed. Next-generation firewalls and IDS/IPS have improved considerably, and this remains an area of active development. Beyond these, a newer class of analytical tools applies machine learning, including deep learning and neural networks, to detect unusual activity in network traffic, usually as deviations from a known baseline. Whatever the tool, its output must be descriptive enough that an analyst can tell a real threat from noise, and its reporting and alerting must lead to actionable results.

There are a number of important considerations when developing or reviewing your organization’s security policy to aid in threat protection. And let me suggest: if you don’t have a security policy, develop one now. It’s not a matter of whether you will be targeted by cyber attackers, but when. You need a strong plan that is reviewed often in the context of a changing environment and rapidly emerging threats.

Here are four keys to making sure your defense against cyber threats is as effective as possible.

#1 Choose Your Security Tools Carefully 

Not every organization faces the same threats, so different classes of application suit different businesses and situations. For example, healthcare and financial institutions may need strong compliance tooling, retail organizations may focus on advanced analytics, and companies in the defense industry may look for robust DLP and endpoint protection.

Likewise, not all applications are created equal, so identify the best-in-class tool for each specific need. You must also be able to monitor the output of each tool, and your network security team must understand how it is meant to be used and what reporting options it offers; a well-chosen tool whose output nobody reads is no better than no tool at all.

#2 Generate a Baseline of Your Network

As an initial step in setting up your security plan, generate a baseline of your network traffic and understand what it tells you about the characteristics of your network: which hosts talk to which, over which protocols and ports, how much data they move and when. Many tools can generate such a baseline, and you should continue to update it over time as your systems evolve with your business. A stale baseline produces false positives for every legitimate new service and, worse, a baseline refreshed without review can quietly absorb an attacker’s long-running traffic as “normal”.

Once formed, these baselines can be used to detect anomalies and unusual deviations in network traffic, for example by showing what files and data are moving through the network and what new connections are being formed. Machine-learning tools, including deep learning, can automate much of this comparison, but they are only as good as the baseline they are trained on.
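A minimal version of this baseline-and-deviation check, added here as an illustration and not as code from the article or from any product: it builds per-host peer sets and per-port byte statistics from a training window of flow records, then scores later flows for new connections and volume outliers using a z-score. The flow records, addresses and thresholds are all constructed for the example.

```python
"""Build a per-host traffic baseline from flow records and flag deviations.

Added example, not code from the original article. The flow records below
are constructed by hand; in practice they would come from NetFlow/IPFIX,
Zeek conn.log or a packet broker feed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training-window flows: (src, dst, dst_port, bytes_transferred)
BASELINE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 12000),
    ("10.0.1.5", "10.0.2.10", 443, 9800),
    ("10.0.1.5", "10.0.2.11", 53, 300),
    ("10.0.1.5", "10.0.2.10", 443, 11000),
    ("10.0.1.5", "10.0.2.11", 53, 280),
    ("10.0.1.6", "10.0.2.20", 445, 50000),
    ("10.0.1.6", "10.0.2.20", 445, 48000),
    ("10.0.1.6", "10.0.2.20", 445, 52000),
]


def build_baseline(flows, min_rel_stdev=0.05):
    """Summarise a training window.

    peers:  src host -> set of (dst, dst_port) pairs it normally talks to
    volume: (src, dst_port) -> (mean bytes, standard deviation)

    The standard deviation is floored at min_rel_stdev * mean so that a
    short, very regular window does not make every later flow look anomalous.
    """
    peers = defaultdict(set)
    sizes = defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        sizes[(src, port)].append(nbytes)
    volume = {}
    for key, samples in sizes.items():
        mu = mean(samples)
        volume[key] = (mu, max(pstdev(samples), min_rel_stdev * mu))
    return {"peers": dict(peers), "volume": volume}


def score_flow(baseline, flow, z_threshold=3.0):
    """Return the reasons a flow deviates from the baseline (empty list = normal)."""
    src, dst, port, nbytes = flow
    peers = baseline["peers"].get(src)
    if peers is None:
        return ["unknown source host"]
    reasons = []
    if (dst, port) not in peers:
        reasons.append(f"new connection {dst}:{port}")
    stats = baseline["volume"].get((src, port))
    if stats is not None:
        mu, sigma = stats
        z = (nbytes - mu) / sigma
        if abs(z) > z_threshold:
            reasons.append(f"volume z-score {z:+.1f}")
    return reasons


def detect_anomalies(baseline, flows, z_threshold=3.0):
    """Pair each anomalous flow with its reasons; normal flows are dropped."""
    findings = []
    for flow in flows:
        reasons = score_flow(baseline, flow, z_threshold)
        if reasons:
            findings.append((flow, reasons))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    # Constructed observation window: one normal flow, one new peer, one volume outlier
    observed = [
        ("10.0.1.5", "10.0.2.10", 443, 12500),
        ("10.0.1.5", "203.0.113.9", 4444, 800),
        ("10.0.1.6", "10.0.2.20", 445, 10),
    ]
    for flow, reasons in detect_anomalies(baseline, observed):
        print(flow, "->", "; ".join(reasons))
```

Keying the volume statistics by (source, destination port) rather than by source alone matters: mixing a host’s DNS lookups and its HTTPS sessions into one distribution would make the standard deviation so wide that nothing is ever flagged.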

#3 Zero Tolerance to Vulnerabilities

It is critical that you take a zero-tolerance approach to all emerging vulnerabilities on your systems. The Verizon Data Breach Investigations Report has repeatedly found that attackers keep exploiting vulnerabilities long after they have been published and patches have been made available, so the gap between disclosure and remediation is exactly the window an attacker works in.

Make sure all segments of the network and all traffic are monitored for vulnerabilities on a constant basis, not as a scheduled annual task. Consider a passive vulnerability scanner such as Tenable PVS, which infers software and versions from the traffic it observes rather than probing hosts. It complements, rather than replaces, traditional active scanning: it only sees hosts whose traffic crosses a monitored segment, and it can only identify what that traffic reveals. Ensure all systems are patched promptly, with a particular focus on browsers, operating systems and application software.
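As an added illustration of what passive scanning does (example code, not the article’s and not Tenable’s), the following script pulls product and version strings out of SSH and HTTP banners captured on the wire and compares them with a minimum-version policy. The captured payloads, hosts and the MINIMUM_VERSIONS policy are constructed for the example and imply nothing about which real versions are vulnerable.

```python
"""Passively infer software versions from banners seen on the wire and compare
them with a patch policy.

Added example, not code from the original article or from Tenable. The
captured payloads are constructed by hand, and MINIMUM_VERSIONS is a
hypothetical patch policy used only to show the comparison; it makes no
claim about which real versions are vulnerable.
"""
import re

# Server greeting on an SSH connection, e.g. "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"
SSH_BANNER = re.compile(rb"^SSH-\d\.\d-([A-Za-z]+)[_/](\d[\d.]*)")
# HTTP response header, e.g. "Server: Apache/2.4.18 (Ubuntu)"
HTTP_SERVER = re.compile(rb"^Server:\s*([A-Za-z-]+)/(\d[\d.]*)", re.M)

# Hypothetical policy: lowest version the organisation accepts for each product
MINIMUM_VERSIONS = {"OpenSSH": (7, 4), "Apache": (2, 4, 25)}


def parse_version(text):
    """'7.2p2' -> (7, 2); '2.4.18' -> (2, 4, 18); suffixes such as 'p2' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(part) for part in m.group(0).split(".")) if m else ()


def version_lt(a, b):
    """Compare version tuples of unequal length by zero-padding ((2, 4) == (2, 4, 0))."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def fingerprint(payload):
    """Return (product, version_tuple) if the payload carries a recognised banner."""
    m = SSH_BANNER.match(payload) or HTTP_SERVER.search(payload)
    if m is None:
        return None
    return m.group(1).decode("ascii"), parse_version(m.group(2).decode("ascii"))


def assess(observations, policy=MINIMUM_VERSIONS):
    """Map each (host, payload) observation to (host, product, version, status)."""
    findings = []
    for host, payload in observations:
        fp = fingerprint(payload)
        if fp is None:
            continue  # not a banner we know how to read (e.g. a TLS record)
        product, version = fp
        minimum = policy.get(product)
        if minimum is None:
            status = "no-policy"
        elif version_lt(version, minimum):
            status = "below-minimum"
        else:
            status = "ok"
        findings.append((host, product, ".".join(map(str, version)), status))
    return findings


# Constructed captures: (server IP, first payload bytes sent by the server)
OBSERVED = [
    ("10.0.2.20", b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n"),
    ("10.0.2.10", b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.18 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.2.11", b"SSH-2.0-OpenSSH_8.2\r\n"),
    ("10.0.2.12", b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x03"),  # TLS: no cleartext banner
    ("10.0.2.13", b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"),
]

if __name__ == "__main__":
    for host, product, version, status in assess(OBSERVED):
        print(f"{host:<12} {product:<8} {version:<8} {status}")
```

The TLS observation is the caveat from the paragraph above made concrete: a passive scanner sees that 10.0.2.12 is serving TLS but learns nothing about the software behind it, so an active scan or an agent is still needed for that host.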

#4 Create the Right Reporting and Alerting Output

Finally, ensure the applications you use generate the alerts and notifications you need, delivering the right information to the right expert at the right time. Determine how your tools are used and how alerts are distributed, and make sure critical applications present their output in a unified fashion to your security operations center. Don’t allow your team to fall victim to “alert fatigue”: desensitization leads to longer response times and to important notifications being missed. Deduplicating repeated alerts, correlating related ones into a single incident and routing each incident to the team that owns the response all help keep the volume manageable.
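The following is an added example, not code from the article, of the kind of aggregation a SOC pipeline applies before alerts reach an analyst: identical alerts within a time window are collapsed into one incident with a count, a burst is escalated one severity level, and each incident is routed by rule category. The alerts, rule names and ROUTING table are all constructed for the example.

```python
"""Collapse repeated alerts into incidents, escalate bursts and route them to
the right team, so analysts see a few meaningful incidents rather than a
flood of identical notifications.

Added example, not code from the original article. The alerts are constructed
by hand, and ROUTING is a hypothetical mapping from rule category to team.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_ORDER = ("low", "medium", "high", "critical")

# Hypothetical: rule names are "category:name"; the category decides who is paged
ROUTING = {"malware": "endpoint-team", "exfil": "soc-tier2", "scan": "network-team"}


@dataclass
class Alert:
    ts: datetime
    rule: str
    src: str
    dst: str
    severity: str


@dataclass
class Incident:
    rule: str
    src: str
    dst: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1
    route: str = ""


def route_for(rule):
    """Pick the responsible team from the rule's category prefix; unknown -> triage queue."""
    return ROUTING.get(rule.split(":", 1)[0], "soc-triage")


def escalate(severity):
    """Raise severity by one step, capped at the top of SEVERITY_ORDER."""
    i = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(i + 1, len(SEVERITY_ORDER) - 1)]


def aggregate(alerts, window=timedelta(minutes=10), burst_threshold=5):
    """Group alerts sharing (rule, src, dst) that arrive within `window` of the
    previous one into a single incident. When an incident reaches
    burst_threshold alerts it is escalated one severity level, once."""
    open_incidents = {}
    finished = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.rule, a.src, a.dst)
        inc = open_incidents.get(key)
        if inc is not None and a.ts - inc.last_seen <= window:
            inc.count += 1
            inc.last_seen = a.ts
            if SEVERITY_ORDER.index(a.severity) > SEVERITY_ORDER.index(inc.severity):
                inc.severity = a.severity
            if inc.count == burst_threshold:
                inc.severity = escalate(inc.severity)
        else:
            if inc is not None:
                finished.append(inc)  # quiet for longer than the window: close it
            inc = Incident(a.rule, a.src, a.dst, a.severity, a.ts, a.ts, route=route_for(a.rule))
            open_incidents[key] = inc
    return finished + list(open_incidents.values())


BASE = datetime(2017, 1, 23, 9, 0)


def _t(minutes):
    return BASE + timedelta(minutes=minutes)


# Constructed alert stream: an 8-alert port-sweep burst, one exfil alert and two
# beacon alerts 38 minutes apart (far enough apart to become two incidents)
SAMPLE_ALERTS = (
    [Alert(_t(m), "scan:port-sweep", "10.0.1.7", "10.0.2.0/24", "low") for m in range(8)]
    + [Alert(_t(5), "exfil:large-upload", "10.0.1.5", "203.0.113.9", "high")]
    + [Alert(_t(2), "malware:beacon", "10.0.1.5", "203.0.113.9", "medium"),
       Alert(_t(40), "malware:beacon", "10.0.1.5", "203.0.113.9", "medium")]
)

if __name__ == "__main__":
    for inc in aggregate(SAMPLE_ALERTS):
        print(f"{inc.severity:<8} x{inc.count:<3} {inc.rule:<20} {inc.src} -> {inc.dst}  [{inc.route}]")
```

Eleven raw alerts become four incidents, and the port sweep reaches the network team once, as a medium-severity incident with a count of eight, instead of eight separate low-severity pages.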

To be effective, most of the best-performing tools require visibility into network traffic. Getting the right traffic to the right tool is critical; an unmonitored segment, or traffic a tool cannot inspect, is a blind spot that no amount of analytics will fill.

Your network monitoring system must be able to aggregate network data from many capture points and then groom it, filtering, stripping, slicing and timestamping the traffic, before distributing it to the right tools. Without this functionality, your investment in security applications will underperform. It’s also important to maintain scalability in whatever solution you choose and to remain flexible as the organization grows and conditions change.
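An added example, not code from the article or from APCON’s products, of the grooming steps just described applied to raw Ethernet frames: the script strips 802.1Q VLAN tags, drops frames that are not on the ports a given tool wants, slices each survivor down to its L2–L4 headers plus a few payload bytes, and stamps it with a receive timestamp. The frames are built in the script itself; addresses, ports and sample payloads are made up.

```python
"""Groom captured Ethernet frames before handing them to a monitoring tool:
strip 802.1Q VLAN tags, keep only traffic on ports the tool cares about,
slice each frame down to its headers plus a few payload bytes, and stamp it
with a receive timestamp.

Added example, not code from the original article or from APCON's products.
The frames are constructed in build_frame (IP/TCP checksums are left at zero,
which is fine for an offline example but not for replay into a live stack).
"""
import struct
import time
from collections import namedtuple
from socket import inet_aton, inet_ntoa

Groomed = namedtuple("Groomed", "ts_ns src dst sport dport frame")


def build_frame(src, dst, sport, dport, payload, vlan=None):
    """Constructed Ethernet(+optional 802.1Q)/IPv4/TCP frame for the example."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, inet_aton(src), inet_aton(dst))
    return eth + ip + tcp + payload


def strip_vlan(frame):
    """Remove a single 802.1Q tag so tools that do not understand tags still parse the frame."""
    if frame[12:14] == b"\x81\x00":
        return frame[:12] + frame[16:]
    return frame


def parse_headers(frame):
    """For an untagged IPv4 frame return (src, dst, proto, sport, dport, l4_end),
    where l4_end is the offset of the first payload byte; None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto == 6 and len(frame) >= l4 + 20:      # TCP: header length in data-offset nibble
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return src, dst, proto, sport, dport, l4 + (frame[l4 + 12] >> 4) * 4
    if proto == 17 and len(frame) >= l4 + 8:      # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return src, dst, proto, sport, dport, l4 + 8
    return None


def groom(frames, ports, keep_payload=0, clock=time.time_ns):
    """Strip, filter, slice and timestamp. Only frames with a source or destination
    port in `ports` survive; each keeps its L2-L4 headers plus keep_payload bytes."""
    out = []
    for frame in frames:
        frame = strip_vlan(frame)
        hdr = parse_headers(frame)
        if hdr is None:
            continue
        src, dst, _proto, sport, dport, l4_end = hdr
        if sport not in ports and dport not in ports:
            continue
        out.append(Groomed(clock(), src, dst, sport, dport, frame[:l4_end + keep_payload]))
    return out


# Constructed traffic: a VLAN-tagged TLS record, an SSH banner and a MySQL connection
SAMPLE_FRAMES = [
    build_frame("10.0.1.5", "10.0.2.10", 40000, 443, b"\x16\x03\x01" + bytes(200), vlan=100),
    build_frame("10.0.1.6", "10.0.2.11", 50000, 22, b"SSH-2.0-OpenSSH_8.2\r\n"),
    build_frame("10.0.1.6", "10.0.2.12", 50001, 3306, bytes(64)),
]

if __name__ == "__main__":
    for g in groom(SAMPLE_FRAMES, ports={443, 22}, keep_payload=16):
        print(g.ts_ns, f"{g.src}:{g.sport} -> {g.dst}:{g.dport}", len(g.frame), "bytes")
```

Slicing is what lets a tool that only needs flow metadata keep up with a 10G link, and stripping payload before it leaves the broker also limits how much sensitive data is copied into tools that never needed it.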

Everyone within an organization has a role in protecting its critical infrastructure. To defend against potential intruders, have a solid security policy in place, and make sure your entire team understands and uses your security applications effectively. Carefully manage the alerts and notifications these applications generate, and maintain a continuous and determined approach to network and security monitoring. That’s the only way to keep in front of the next potential threat.

About the Author: Richard Rauch, President and CEO, of APCON, has spent more than 20 years building one of the industry leaders in state-of-the-art network monitoring technology. After founding APCON with the objective to develop computer connectivity products, Rauch applied his passion for technology and leadership while building an internationally recognized company with a global workforce delivering network monitoring solutions to Fortune 1000 enterprises and midsize organizations in 40 countries. Through the years, APCON has forged innovative solutions in data privacy and security for diverse sectors including government, finance, and healthcare. Today, Rauch is an industry thought-leader and the driving force behind APCON’s vision to be a global technology and innovation company specializing in network security. Rauch holds a BSEE degree.