Threat Protection: Forewarned is Forearmed

Security experts are shifting focus from passive protection to active threat detection by deploying the relevant tools and techniques before a breach occurs

Threat Protection: Forewarned is Forearmed - CSO Forum

Securing enterprise networks is getting more complex with the variety of devices accessing corporate networks and the increasing viciousness of ransomware attacks, which compromise confidential customer data, jeopardize the business and greatly harm organizational reputation.

Security experts are shifting focus from passive protection to active threat detection by deploying the relevant tools and techniques before a breach occurs. As Chief Security Officer at Kalpataru Group, one of India's leading real estate developers, we have a strategic focus on security and have embarked on an enterprise-wide initiative to streamline processes and incorporate industry best practices, which has significantly strengthened our security posture. Here are insights based on our experience:

Network Protection: Deploy network-level defence systems such as:

  1. End-point security (anti-malware, HIPS, NAC)
  2. Network firewall
  3. Web application firewall
  4. Intrusion prevention
  5. Content filter
  6. Spam protection

These components must be deployed at strategic points and securely configured, with their logs monitored according to best practice and integrated with network analysis and forensics to identify anomalies in the ecosystem.

Securing Devices: It is not sufficient to secure the network; securing devices is equally important. Secure mobiles, laptops, tablets and all other devices, inside or outside the enterprise network, by installing an agent that communicates with central enterprise systems, together with antivirus and security tools such as a firewall, application whitelisting, monitoring, patching and logging.

End-point Behaviour Analysis & Forensics: End-point devices greatly increase enterprise risk through theft or loss of devices, misuse by disgruntled employees, inadvertent harm from careless behaviour, and so on. Protect end-points by isolating applications and files in virtual containers and by monitoring memory and processes to detect incidents in real time. The enterprise should also analyse end-point payloads and network traffic to prevent the full range of threats targeting the organization.

Network Analysis & Forensics: It is important to establish baseline, normal and seasonal traffic patterns so that anomalous patterns, which may indicate compromise or merely noise in the ecosystem, can be monitored for proactively. Network forensics requires full-packet capture together with an analytics and reporting system to identify advanced threats. This helps detect dormant ("sleeper") implants in the ecosystem and provides the capability to reconstruct packets and replay flows and events to detect Indicators of Compromise (IOC) and Indicators of Attack (IOA).

User Anomaly Detection: It is important to benchmark each user's access behaviour, including its seasonal pattern, so that anomalous events can be detected in access and network traffic logs. Once a deviation is observed, the system should automatically report it to the security command centre and, depending on severity, lock the account's access.
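The baselining and severity-driven response described in the two sections above (network baseline with seasonality, and per-user access benchmarking), as an added example that is not part of the original article. It assumes a simple additive scoring scheme: the weights, thresholds, hour-of-week buckets and the /24 grouping of source addresses are assumptions for illustration, and the access logs are constructed, not real data. A production system would build the same per-user profile from directory, VPN and proxy logs.

```python
"""Added example: baseline-and-deviation scoring of user access events.

Builds a per-user profile (hour-of-week buckets, source networks, volume
statistics) from historical access logs, scores new events against it, and
maps the score to a severity and a response (log / alert / lock).
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network
from statistics import mean, pstdev

# Constructed historical logs: (user, ISO timestamp, source IP, bytes transferred).
# March 2024: the 4th is a Monday.
BASELINE_LOGS = [
    ("alice", "2024-03-04T09:12:00", "10.1.2.10", 120_000),
    ("alice", "2024-03-05T10:05:00", "10.1.2.11", 95_000),
    ("alice", "2024-03-06T14:30:00", "10.1.2.10", 110_000),
    ("alice", "2024-03-07T09:45:00", "10.1.2.12", 130_000),
    ("alice", "2024-03-08T16:20:00", "10.1.2.10", 105_000),
    ("bob",   "2024-03-04T08:30:00", "10.1.3.5",  50_000),
    ("bob",   "2024-03-05T08:45:00", "10.1.3.5",  52_000),
    ("bob",   "2024-03-06T09:00:00", "10.1.3.7",  48_000),
]

# Assumed deviation weights and volume threshold (tuning, not from the article).
W_OFF_HOURS, W_NEW_NETWORK, W_VOLUME = 1, 2, 2
Z_THRESHOLD = 3.0


def hour_of_week(ts: str) -> int:
    """Seasonality bucket: 0 = Monday 00:00 ... 167 = Sunday 23:00."""
    d = datetime.fromisoformat(ts)
    return d.weekday() * 24 + d.hour


def source_network(ip: str) -> str:
    """Collapse a source address to its /24 so DHCP churn inside an office does not alarm."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(logs):
    """Per-user profile of when, from where, and how much a user normally transfers."""
    acc = defaultdict(lambda: {"hours": set(), "nets": set(), "bytes": []})
    for user, ts, ip, nbytes in logs:
        acc[user]["hours"].add(hour_of_week(ts))
        acc[user]["nets"].add(source_network(ip))
        acc[user]["bytes"].append(nbytes)
    return {
        user: {"hours": frozenset(p["hours"]), "nets": frozenset(p["nets"]),
               "mean_bytes": mean(p["bytes"]), "std_bytes": pstdev(p["bytes"])}
        for user, p in acc.items()
    }


def classify(score: int):
    """Map an accumulated deviation score to (severity, response)."""
    if score >= 4:
        return "high", "lock"
    if score >= 2:
        return "medium", "alert"
    if score >= 1:
        return "low", "log"
    return "none", "none"


def score_event(baseline, event):
    """Score one access event against the user's baseline; returns a record for the SOC."""
    user, ts, ip, nbytes = event
    profile = baseline.get(user)
    reasons, score = [], 0
    if profile is None:
        # Never-seen account: it cannot be baselined, so hand it to an analyst.
        score, reasons = 2, ["no baseline for user"]
    else:
        if hour_of_week(ts) not in profile["hours"]:
            score += W_OFF_HOURS
            reasons.append("outside usual hours")
        net = source_network(ip)
        if net not in profile["nets"]:
            score += W_NEW_NETWORK
            reasons.append(f"new source network {net}")
        spread = profile["std_bytes"] or 1.0  # guard against a flat baseline
        z = (nbytes - profile["mean_bytes"]) / spread
        if z > Z_THRESHOLD:
            score += W_VOLUME
            reasons.append(f"transfer volume z={z:.1f}")
    severity, action = classify(score)
    return {"user": user, "score": score, "severity": severity,
            "action": action, "reasons": reasons}


# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("alice",   "2024-03-11T09:30:00", "10.1.2.44",   115_000),  # routine Monday access
    ("alice",   "2024-03-10T03:15:00", "203.0.113.7", 400_000),  # Sunday 03:15, new network, bulk pull
    ("bob",     "2024-03-13T21:00:00", "10.1.3.20",   51_000),   # usual network, unusual hour
    ("mallory", "2024-03-13T10:00:00", "10.1.3.20",   10_000),   # account never seen before
]


def run_demo():
    baseline = build_baseline(BASELINE_LOGS)
    return [score_event(baseline, e) for e in NEW_EVENTS]


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r['user']:8} score={r['score']} {r['severity']:6} -> {r['action']:5} {r['reasons']}")
```

The point of the weights is that a single off-hours login only gets logged, while off-hours plus an unfamiliar network plus an outsized transfer crosses the lock threshold; a never-seen account is routed to an analyst rather than silently trusted. Real deployments also need a feedback path so that legitimate changes (a new office subnet, a planned weekend migration) are folded back into the baseline instead of generating repeat alerts.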

Payload Monitoring & Analysis: Payload analysis detects malicious code and remotely driven command-and-control (C2) activity by analysing the payload of packets flowing through the network. Suspicious payloads are detonated in a sandbox, on premises or in the cloud, to detect targeted attacks in near real time; the observed traffic and behaviour are modelled and compared against known-malicious patterns to decide whether the payload should be classified as dangerous.

Navigating a safe passage is critical to reap the harvest of digital transformation. Security practices must continuously evolve to keep pace with sophisticated threats, accompanied by sustained awareness building, close monitoring, penetration testing and remediation measures.

Detecting intrusions and threats proactively and preventing attacks is certainly more elegant than scrambling to minimize damage after an attack.

The author is CISO at Kalpataru Group
