CIO

10 things to help you identify intruder threats faster

It’s all about visibility, from your core routers to the farthest cloud

The security threats posed by external and internal intruders cannot be overstated, and will become even more significant as [[xref:http://www.cso.com.au/article/612808/hitchhiker-guide-it-security-governance-risk-management/ |compliance and operational requirements]] continue to tighten. Yet with studies suggesting that [[xref:http://www.cso.com.au/article/528748/red_vs_blue_security_response_war_room/ |mean time to respond]] (TTR) remains a major issue for businesses of all sizes – Verizon’s latest Data Breach Investigations Report found that 84 percent of breach victims took many weeks to discover they’d been breached – businesses are already behind the eight ball when it comes to staying on top of their security exposure.

There are, however, ways to identify intruder threats faster. Here are 10 issues to consider in planning your response:

1. Improve network visibility. As the lifeblood of the modern enterprise, data networks are the first target for outside attackers – and the biggest battleground where you will meet them. By baselining normal network behaviour, it’s possible to more easily spot anomalous behaviour – but this requires visibility into all traffic entering and exiting the network. Modern monitoring tools are adept at collecting and organising this data to support proactive network defence.

2. Monitor cloud applications. Growing adoption of cloud applications has created new opportunities for efficiency-minded enterprises, but it is also expanding the threat surface through which attackers can potentially gain access to your resources. It’s crucial to ensure that cloud-based application traffic can also be monitored so you know who – and what – is entering and leaving your business.

3. Keep tabs on your cloud provider. Cloud service providers usually offer some degree of security protection, but that won’t typically extend into your virtual machines and other infrastructure elements. Yet those virtual environments are as vulnerable to exploitation as your own network – so make sure you have visibility into their activities.

“The cloud isn’t just a black box with data going in and out,” says Gigamon distinguished sales engineer Ian Farquhar. “Just moving things to the cloud doesn’t make security issues go away. You can’t defend against what you can’t see – and the idea that the cloud changes this is absurd.”

4. Monitor your endpoints. Endpoint compromise remains a significant vector for modern security breaches, which is why security experts recommend the use of proactive endpoint logging and monitoring solutions. Such tools not only improve control over endpoints but provide essential visibility into user activities and the flow of data to and from endpoint devices – and this is essential in detecting potential compromise quickly and effectively.

5. Tap into threat intelligence resources. Growing industry-wide sharing of threat reports and new vulnerabilities has given businesses a powerful tool to improve their security response. Utilise available threat-intelligence resources to ensure you’re up to date with the latest threats and issues at all times – thereby ensuring that you can turn your own network visibility into action.

6. Utilise cloud-based security services. Increasingly feature-packed cloud-based security services are helping companies of any size gain access to powerful security capabilities that range from application monitoring and traffic filtering to network monitoring, DDoS protection, and security response. Cloud-based services can also improve visibility by consolidating the reporting of security alerts from multiple services and platforms – helping businesses react more quickly when things go wrong.

7. Get a ‘single pane of glass’ view. Effective monitoring requires a consistent view across a range of data sources. With today’s security environments more likely than not to be running a broad range of security tools, ensure that these tools are all linked to a central monitoring console that shows alerts consistently and rapidly; this visibility will help you respond to any security issues sooner and better than ever.

8. User behaviour monitoring. Many businesses focus on the threat from external actors without developing effective policies to protect against insider threats – yet in many cases insider threats have proven to be just as devastating, if not more so. Ensure that your security environment can track user behaviour across a range of devices, with baselining capabilities that allow anomalies to be quickly detected and acted upon.
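Items 1 and 8 both turn on baselining: learning what normal looks like for a host or a user, then flagging departures from it. The following Python is an added example, not code from the article or from Gigamon; it builds a per-host baseline from constructed hourly flow summaries (the hostname, destinations and byte counts are all made up) and flags two kinds of departure: an outbound volume far above the host's norm, and a destination the host never spoke to during the learning window. Keying the same records on a username instead of a hostname gives the user-behaviour baseline that item 8 calls for.

```python
import statistics
from collections import defaultdict

# Constructed sample data (not from the article): hourly per-host summaries as
# "host,hour,bytes_out,destination". First set is the learning window.
BASELINE_FLOWS = """\
ws-17,09,120000,crm.example.internal
ws-17,10,135000,crm.example.internal
ws-17,11,128000,mail.example.internal
ws-17,12,141000,crm.example.internal
ws-17,13,117000,mail.example.internal
ws-17,14,133000,crm.example.internal
ws-17,15,126000,crm.example.internal
ws-17,16,139000,mail.example.internal
"""
NEW_FLOWS = """\
ws-17,09,131000,crm.example.internal
ws-17,10,9800000,203.0.113.50
"""

def parse_flows(text):
    """Return (host, hour, bytes_out, destination) tuples from CSV text."""
    return [(h, int(hr), int(b), d) for h, hr, b, d in
            (line.split(",") for line in text.strip().splitlines())]

def build_baseline(rows):
    """Per host: mean and stdev of bytes_out, plus the set of destinations seen."""
    volumes, peers = defaultdict(list), defaultdict(set)
    for host, _hour, nbytes, dst in rows:
        volumes[host].append(nbytes)
        peers[host].add(dst)
    return {h: (statistics.mean(v), statistics.pstdev(v), peers[h])
            for h, v in volumes.items()}

def find_anomalies(rows, baseline, z_threshold=3.0):
    """Flag volume > z_threshold stdevs above the mean, unseen destinations, unknown hosts."""
    alerts = []
    for host, hour, nbytes, dst in rows:
        if host not in baseline:
            alerts.append((host, hour, "no baseline for host"))
            continue
        mean, sd, seen = baseline[host]
        # A zero stdev means every sample was identical; any change is then infinite.
        z = (nbytes - mean) / sd if sd else (0.0 if nbytes == mean else float("inf"))
        if z > z_threshold:
            alerts.append((host, hour, f"volume z={z:.1f}"))
        if dst not in seen:
            alerts.append((host, hour, f"new destination {dst}"))
    return alerts
```

Eight hourly samples make this toy baseline; a production baseline should span several weeks so daily and weekly patterns are part of "normal", and the threshold should be tuned against the false-positive rate your analysts can absorb.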

9. Test your security regularly. There’s no better way to test your ability to identify intruder threats than to run proactive penetration testing on your environment. Engaging internal experts or an external provider to probe your network security defences – and test your staff’s handling of phishing attempts – will help you remediate any issues and ensure that you’re ready to respond quickly. After all, security isn’t a set-and-forget proposition.

10. Get help. Burgeoning IT environments have increased the burden on security staff to keep up with massive volumes of information – but many companies are struggling to find and keep enough skilled staff to do this. Managed security service providers can fill in the gap by providing access to skilled staff and new technologies that improve monitoring and analysis of your network traffic – thereby helping ensure that you can respond to any security incident as quickly and effectively as possible.