Author: Vann Abernethy, Field CTO, NSFOCUS
When thinking about how best to protect an environment, most non-security people tend to focus on the latest whiz-bang tools and the threats that get mainstream media attention. Truly effective security, however, starts with understanding the environment you are protecting, and then wrapping policy, process, technology and finally people around that.
The best defenses tend to be those built in layers. Normally people think only about the technology side: perimeter, WAN(s), LAN(s), infrastructure, enterprise applications. However, don’t just layer up defenses looking for the known threats that can be detected by signature or type. Think instead about how to track the mundane, looking for unusual behavior. It is the unknown that is truly scary, and the only way to find it is to fully understand the environment and set up systems that recognize when anomalous behavior is going on.
This could range from something as simple as gathering flow or SNMP data from the networking devices within the network, up to running actual packet-capture software. The key is to know what “normal” looks like and, if “not normal” happens, to look into it. Your mileage with this will vary: some systems have well-known patterns for which you can set tight tolerances, while others are wildly unpredictable in their activity. But even where a traffic pattern can’t be nailed down with certainty, people should at least track WHO a system talks with and look for variances in that.
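One way to implement the “who talks with whom” tracking described above, as an added example that is not from the article: learn each host’s usual peers from a baseline window of flow records, then flag flows in a later window that fall outside that baseline. The flow records are constructed sample data, not real telemetry.

```python
# Added example (not the article's code): learn which peers each internal host
# normally talks to from a baseline window of flow records, then flag flows in a
# later window whose peer (or peer+port) was never seen. Sample flows are constructed.
from collections import defaultdict

# Constructed baseline flows: (src, dst, dst_port, bytes)
BASELINE = [
    ("10.0.1.20", "10.0.2.5", 445, 12000),
    ("10.0.1.20", "10.0.2.5", 445, 8000),
    ("10.0.1.20", "10.0.3.10", 443, 3000),
    ("10.0.1.21", "10.0.3.10", 443, 4000),
    ("10.0.1.21", "10.0.2.6", 1433, 20000),
]

# Constructed observation window; the last two flows are new behaviour.
OBSERVED = [
    ("10.0.1.20", "10.0.2.5", 445, 9000),
    ("10.0.1.21", "10.0.3.10", 443, 5000),
    ("10.0.1.20", "198.51.100.7", 443, 150000),  # never-seen external peer
    ("10.0.1.21", "10.0.2.6", 3389, 2000),       # known peer, new port
]


def build_baseline(flows):
    """Map each source host to the set of (peer, port) pairs it used."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        peers[src].add((dst, port))
    return dict(peers)


def find_variances(baseline, flows):
    """Return (src, dst, port, reason) for flows outside the source's baseline;
    reason is 'new-peer' for a never-seen host, 'new-port' for a known host on a new port."""
    findings = []
    for src, dst, port, _ in flows:
        seen = baseline.get(src, set())
        if (dst, port) in seen:
            continue
        known_hosts = {peer for peer, _ in seen}
        reason = "new-port" if dst in known_hosts else "new-peer"
        findings.append((src, dst, port, reason))
    return findings


if __name__ == "__main__":
    for finding in find_variances(build_baseline(BASELINE), OBSERVED):
        print(finding)
```

A source host that never appeared in the baseline at all is reported as `new-peer` for every flow, which is usually the first thing worth a look.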
Another important aspect is policy and training. Training, along with technology, helps defenders improve not only at detecting threats but at responding to them. It is not just knowing how the NextGen Firewall’s interface works, but understanding what it does, how it does it, what causes flags to be raised, and what the implications are (and this applies to all security devices and applications). If people know WHAT they are protecting and HOW that protection might be circumvented, and back that up with knowledge of how the tools they have deployed are used to mitigate this, then they are far along the path to creating a viable defensive system. From there, create policies that make the most of the tools the company has deployed; this in turn helps turn the staff into highly trained defenders able to catch threats.
Finally, employee education is key – the greatest policy and the most sophisticated defensive network in the world are worthless without this critical piece. Not everyone is a security expert, but every employee should be trained on some basic rules. Create “security 101” classes, or better yet, make employees pass simple tests to gain access to certain systems. Make sure everyone knows some basic rules of the road and understands the consequences of failing to follow policy. The best defense is an integrated one. It uses tools that are designed for and capable of protecting the company’s unique assets; its policies maximize the effectiveness of those tools in defending critical assets; its security staff are highly trained; and its employees understand current threats and can act as additional eyes and ears for the core security team. If the company has all these in place, it is well on its way to having a well-defended environment.
Vann Abernethy is the Field CTO for NSFOCUS. He brings more than 20 years of security and IT management experience working for a wide range of companies, from start-ups to the Fortune 500. Throughout his career, Abernethy has developed and deployed security, network and infrastructure management products and solutions for customers ranging from SMBs to government to some of the largest, industry-leading enterprises worldwide.