When real-time threat detection is essential

Advice on how organizations can navigate out of vulnerabilities

real-time threat detection
Thinkstock

Finding the bad guys right away

While organizations always want to find threats as quickly as possible, that ideal is far from being met. On average, dwell times last months and give cyber criminals all the time they need to peruse a network and extract valuable information that can impact a company, its customers and its employees.

There are times when an organization is especially vulnerable if it doesn’t have real-time detection capabilities, and in preparation for these events it’s a good idea to reevaluate tools and strategies. Mike Paquette, director of products, security market at Elastic, identifies some of the most common events that can leave an organization vulnerable, and offers advice on navigating them successfully.

Implementing IoT

Any network-connected device can be an entry point for hackers, and as more companies start experimenting with IoT, they need to be ready to identify potential attacks through new devices.

As organizations implement IoT they should consider a network redesign that segments IoT devices from the rest of the internal network via strong access controls. They can deploy anomaly detection technology to baseline normal behavior between the IoT segment and the internal and external networks. This continuous monitoring will help to identify unusual network behaviors.
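A minimal version of that baseline-and-compare approach, written here as an added illustration (it is not Elastic's product logic or code from the article's author). It learns, per IoT device and destination segment, how many bytes a flow normally carries from a training window of constructed flow records, then scores new records and raises an alert either when a device talks to a segment it has never talked to before or when the volume to a known segment is far outside its baseline. Device names, segment labels and byte counts are all made up:

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed training-window flow records: (device, destination segment, bytes sent).
# Segment labels are hypothetical: "iot" (the segmented IoT network), "internal", "external".
BASELINE_FLOWS = [
    ("cam-01", "external", 1200), ("cam-01", "external", 1100), ("cam-01", "external", 1300),
    ("cam-01", "external", 1250), ("cam-01", "external", 1150),
    ("thermo-07", "external", 300), ("thermo-07", "external", 320), ("thermo-07", "external", 280),
    ("thermo-07", "external", 310), ("thermo-07", "external", 290),
]

# Constructed flows observed after the baseline was built.
NEW_FLOWS = [
    ("cam-01", "external", 1220),     # ordinary upload, should stay quiet
    ("cam-01", "internal", 50000),    # camera reaching the internal network: never seen before
    ("thermo-07", "external", 9000),  # known destination, but ~30x the usual volume
]


@dataclass
class Baseline:
    mu: float      # mean bytes per flow for this (device, segment) pair
    sigma: float   # population standard deviation of the same
    n: int         # number of samples the baseline rests on


def build_baseline(flows, min_samples=3):
    """Group flows by (device, segment) and summarise the byte counts of each pair."""
    samples = defaultdict(list)
    for device, segment, nbytes in flows:
        samples[(device, segment)].append(nbytes)
    baseline = {}
    for key, values in samples.items():
        # A pair seen only once or twice is not a baseline, so leave it out.
        if len(values) >= min_samples:
            baseline[key] = Baseline(mean(values), pstdev(values), len(values))
    return baseline


def score_flows(flows, baseline, z_threshold=3.0):
    """Return (device, segment, reason) alerts for flows that break the baseline."""
    alerts = []
    for device, segment, nbytes in flows:
        known = baseline.get((device, segment))
        if known is None:
            # The IoT segment reaching a segment it has no history with is the
            # first thing segmentation-aware monitoring should surface.
            alerts.append((device, segment, "new_peer_segment"))
            continue
        sigma = known.sigma if known.sigma > 0 else 1.0   # avoid division by zero
        z = (nbytes - known.mu) / sigma
        if abs(z) > z_threshold:
            alerts.append((device, segment, "volume_outlier"))
    return alerts


if __name__ == "__main__":
    model = build_baseline(BASELINE_FLOWS)
    for alert in score_flows(NEW_FLOWS, model):
        print(alert)
```

In practice the "new peer segment" rule is noisy until the baseline window has covered every legitimate path, so a real deployment would train on a longer window and allowlist planned flows (for example, firmware updates) before relying on it.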

Working with new vendors or partners

Target’s massive data breach was famously the result of hackers gaining access to the network through an HVAC company. Whenever an organization grants network access to new vendors or partners, they should be on the lookout for unusual activity. There are a few steps for doing this effectively.

First, prioritize management and security of vendor/partner access to company resources, and be diligent about removing access once contracts are complete. In addition, limit vendor VPN access to a known set of IP addresses and publish this list internally. Lastly, deploy analytics to detect unusual behaviors from these IP addresses in near-real-time.
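The three steps above, carried through as an added example that is not part of the article: a vendor register records which source IPs each vendor account may use and when its contract ends, and a small checker runs over constructed VPN authentication log lines, flagging successful logins from addresses outside the published list, logins after the contract has ended, and logins outside business hours. Account names, vendor names, the log format and the addresses (all from RFC 5737 documentation ranges) are invented for the example:

```python
import re
from datetime import datetime, timezone

# Constructed vendor register: VPN account -> allowed source IPs and contract end date.
VENDOR_REGISTER = {
    "hvac-svc": {
        "vendor": "Example HVAC Co.",
        "allowed_ips": {"203.0.113.10", "203.0.113.11"},
        "contract_end": datetime(2017, 6, 30, tzinfo=timezone.utc),
    },
    "payroll-int": {
        "vendor": "Example Payroll Ltd.",
        "allowed_ips": {"198.51.100.5"},
        "contract_end": datetime(2017, 1, 31, tzinfo=timezone.utc),  # already expired
    },
}

# Constructed VPN authentication log lines in a hypothetical key=value format.
VPN_LOG = """\
2017-03-02T09:15:02Z vpn login user=hvac-svc src=203.0.113.10 result=success
2017-03-02T09:20:44Z vpn login user=hvac-svc src=203.0.113.11 result=success
2017-03-02T23:41:09Z vpn login user=hvac-svc src=192.0.2.77 result=success
2017-03-03T10:02:13Z vpn login user=payroll-int src=198.51.100.5 result=success
2017-03-03T10:05:00Z vpn login user=jdoe src=198.51.100.200 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def check_vendor_logins(log_text, register, business_hours=(7, 19)):
    """Return (timestamp, account, source IP, reasons) for vendor logins worth a look."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "success":
            continue
        entry = register.get(event["user"])
        if entry is None:
            continue  # not a vendor account; out of scope for this check
        reasons = []
        if event["src"] not in entry["allowed_ips"]:
            reasons.append("source_not_in_allowlist")
        if event["ts"] > entry["contract_end"]:
            reasons.append("access_after_contract_end")
        if not (business_hours[0] <= event["ts"].hour < business_hours[1]):
            reasons.append("outside_business_hours")
        if reasons:
            findings.append((event["ts"].isoformat(), event["user"], event["src"], reasons))
    return findings


if __name__ == "__main__":
    for finding in check_vendor_logins(VPN_LOG, VENDOR_REGISTER):
        print(*finding)
```

Running this over a live log stream rather than a string is what makes it "near-real-time"; the register itself is the published list the text recommends, and the contract-end check is what turns "remove access when contracts complete" into something that is verified rather than assumed.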

Mergers & acquisitions

Combining networks belonging to two previously disparate companies is risky business. Dwell times for hackers lurking around networks undetected can last for months. If a hacker is already on Company A’s network, you’d be giving him the keys to Company B (and the combined organization) by integrating them.

Preparation is the key to avoiding this scenario. Perform network and security assessments on each company’s infrastructure before connecting infrastructures. Then, deploy analytics to baseline behaviors in network and log data for the combined network as soon as possible so you can monitor for unusual behaviors.

Adding physical locations

Whether it’s new corporate offices, or storefronts for retailers or fast food chains, the infrastructure that comes along with those new locations could bring new vulnerabilities along with it. In addition to adding standard controls, organizations in this situation should think about deploying analytics that can perform “population analysis” to determine if this new location exhibits behaviors in its network and application log data that are different from the behaviors seen from other locations.

Patching or updating software

In complex environments, a change in one place could inadvertently impact someplace else. In many cases, this could create vulnerabilities and open the door to hackers. Updating to Windows 10 is a great, timely example.

Getting through a patch or update successfully boils down to using good IT procedures. For instance, make sure to communicate planned upgrades to IT security teams. Then, define post-upgrade diligence periods during which extra scrutiny is applied to security logs.

Introducing new hardware

This could include any hardware, from servers to new mobile devices. When you add new hardware to a network, there are a lot of things you don’t yet know about it. And what you don’t know could hurt you.

It’s good practice to ensure that all software running on new servers is patched and updated, and to check for any known vulnerabilities associated with the hardware or software. As with software upgrades, communicate planned hardware upgrades to IT security teams. Then create post-upgrade diligence periods during which extra scrutiny is applied to security logs, preferably using automated analytics.

Employee onboarding

A lot of companies welcome a batch of new employees at the same time, for example after hiring and training new college graduates. In cases like this, they’re adding a large number of new users with new and unique behaviors, and potentially new devices, to their networks. These new users increase the chances of a hack or data breach, whether caused deliberately or by accident.

The first step to dealing with these periods of growth is to emphasize education regarding company policy and good IT security practices. Make sure to reinforce these policies and practices regularly. Then consider deploying user behavior analytics (UBA) to model the new users and compare their risk to other groups of employees in the company.
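Both the "population analysis" across locations described earlier and the peer-group comparison that UBA performs on new hires rest on the same idea: compare one entity's counters to the rest of its population and flag the ones that sit far outside it. The following added example (not code from the article, Elastic, or any UBA product) does that with a robust z-score based on the median and median absolute deviation, so a single extreme entity cannot inflate the scale and hide itself. It is applied first to constructed per-location counters and then, restricted to peer groups, to constructed per-user counters; every location, user, cohort name and number is invented:

```python
from collections import defaultdict
from statistics import median

# Constructed weekly counters per location, derived from network and application logs.
LOCATION_FEATURES = {
    "store-001": {"failed_logins": 12, "dns_queries": 4100, "bytes_out_mb": 820},
    "store-002": {"failed_logins": 9,  "dns_queries": 3950, "bytes_out_mb": 790},
    "store-003": {"failed_logins": 14, "dns_queries": 4300, "bytes_out_mb": 860},
    "store-004": {"failed_logins": 11, "dns_queries": 4000, "bytes_out_mb": 810},
    "store-005": {"failed_logins": 10, "dns_queries": 4150, "bytes_out_mb": 830},
    "store-new": {"failed_logins": 13, "dns_queries": 4200, "bytes_out_mb": 6400},
}

# Constructed per-user counters, each tagged with the user's peer group (hypothetical cohorts).
USER_FEATURES = {
    "alice": ("new-hires", {"files_downloaded": 40,  "after_hours_logins": 1}),
    "bob":   ("new-hires", {"files_downloaded": 35,  "after_hours_logins": 0}),
    "carol": ("new-hires", {"files_downloaded": 45,  "after_hours_logins": 2}),
    "dave":  ("new-hires", {"files_downloaded": 38,  "after_hours_logins": 1}),
    "erin":  ("new-hires", {"files_downloaded": 900, "after_hours_logins": 1}),
    "frank": ("finance",   {"files_downloaded": 120, "after_hours_logins": 3}),
    "grace": ("finance",   {"files_downloaded": 130, "after_hours_logins": 2}),
    "heidi": ("finance",   {"files_downloaded": 110, "after_hours_logins": 4}),
    "ivan":  ("finance",   {"files_downloaded": 125, "after_hours_logins": 3}),
    "judy":  ("finance",   {"files_downloaded": 115, "after_hours_logins": 2}),
}


def robust_z(value, population):
    """Distance of value from the population median, in units of scaled MAD."""
    med = median(population)
    mad = median(abs(x - med) for x in population)
    scale = 1.4826 * mad if mad > 0 else 1.0  # 1.4826 makes MAD comparable to sigma
    return (value - med) / scale


def population_outliers(features, threshold=3.5):
    """For each entity and feature, compare the entity to every other entity.

    Returns {entity: {feature: robust_z}} for the pairs beyond the threshold.
    """
    names = list(features)
    feature_names = sorted({f for counters in features.values() for f in counters})
    outliers = {}
    for name in names:
        for feat in feature_names:
            if feat not in features[name]:
                continue
            peers = [features[p][feat] for p in names if p != name and feat in features[p]]
            if len(peers) < 3:
                continue  # too few peers for a meaningful comparison
            z = robust_z(features[name][feat], peers)
            if abs(z) > threshold:
                outliers.setdefault(name, {})[feat] = round(z, 1)
    return outliers


def peer_group_outliers(user_features, threshold=3.5):
    """UBA-style variant: each user is compared only to the members of their own group."""
    by_group = defaultdict(dict)
    for user, (group, counters) in user_features.items():
        by_group[group][user] = counters
    return {group: population_outliers(members, threshold) for group, members in by_group.items()}


if __name__ == "__main__":
    print(population_outliers(LOCATION_FEATURES))
    print(peer_group_outliers(USER_FEATURES))
```

Grouping matters: a finance user downloading 120 files a week is unremarkable among finance peers but would stand out sharply if compared to the new-hire cohort, which is why the per-user check restricts the population to the user's own group before scoring.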

Employee outboarding

Events like reductions in workforce, terminations, and resignations – especially when they’re involuntary – can be turbulent and increase the chances of malicious activity from people who know their way around a company’s data, network and applications.

During these sensitive times, prioritize identity and access management (IAM). Be diligent about removing access to all resources, both on-premises and cloud-based. Lastly, define post-departure diligence periods during which extra scrutiny is applied to security logs, using automated anomaly detection.

Copyright © 2017 IDG Communications, Inc.