When it comes to network security, preventive measures like firewalls are necessary, but they’re not enough.
It’s like washing your hands to avoid getting sick. It’s a common sense step that everyone should take, but if there’s a particularly nasty bug going around, hot water and hand soap might not be sufficient protection.
So what are the major weaknesses of a prevention-only strategy? And how can you bolster your organization’s defenses?
The Problem with Prevention
Here’s the problem with relying purely on prevention: technology – and intrusion strategies – are constantly evolving. New network security vulnerabilities are emerging regularly. This year’s “Heartbleed” and the recent “Shellshock” exploits were found in very common, time-tested software that is used across the web.
In this constantly fluctuating security environment, preventive controls must constantly evolve just to keep up. That’s a tall order, and even the best prevention systems aren’t going to have a 100% success rate.
Many organizations overlook common vectors of attack like social engineering, or fail to keep their security software up-to-date -- opening themselves up to attack. Even the most sophisticated firewall can’t stop a wily scammer from impersonating a customer to extract sensitive data from a flustered customer service representative.
More importantly, putting all of your eggs in one preventive basket means that once intruders do manage to compromise your system, you may not find out until it’s too late. And by that point, your options for response may be severely constrained. That’s why, in order to be at its most effective, your network security management strategy should be like a three-legged stool. One of those legs is prevention, but in order to stand up properly, you need the other two legs as well: detection and response.
Detection for Network Defense
The tricky thing about network intrusion is that it’s usually surreptitious by nature. In most cases, an intruder doesn’t want to brute-force their way into your network at all costs. They want to slip in undetected, so they can gather as much valuable information as possible over a period of time. Many data thefts and online scams are long games, with the hackers setting up shop in your network and waiting for the opportunity to score big.
That means detection is paramount. While there are plenty of automated network monitoring software solutions, they face some of the same challenges as automated intrusion prevention software. They need to stay up-to-date with the latest strategies and red flags. And they have a bigger problem: software can’t contextualize signs of danger the way a human being can.
That’s why human monitoring is so essential. Trained security experts can find, analyze, and formulate a response to early warning signs like unusual network traffic patterns or too many failed login attempts to an account that logs in just fine every other day. Your network monitors may be part of your security staff or they may be part of an outsourced solution – either way, they should bring consistent, contextualized, and up-to-date analysis to your network.
Another note on human monitoring: every member of an organization can contribute to this effort. Subtle signs of a network intrusion can include login credentials suddenly not working, or a usually-reliable network starting to lag. By having your team report these irregularities to your security experts, you can have someone follow up immediately to find out if and how you need to respond.
The Right Response
This brings us to the third leg of effective network security management: the right response.
Here’s what the right response isn’t: panic. Minimizing the damage from an intrusion or theft means taking decisive but careful action.
A comprehensive Incident Response Plan can help you determine the best course of action for a particular situation. This guidance is important because in some situations it makes sense to immediately disconnect affected machines, and in others you may want to allow the activity to continue for a bit while you monitor closely to determine the scope of the incident.
Read more: Six key defenses against Shellshock attacks
How you disclose information about the attack is important too. Your public communications must be as straightforward and honest as possible, and abide by any reporting guidelines to which you are subject, including state and federal governments or industry entities. It’s entirely possible to take a reputational bruising when you get hit by a network intrusion. But the way your organization conducts itself in the aftermath can be the key to recovery.
It can also help you prevent future attacks. If you’ve experienced an attack, collect as much data as you can about it and then reassess your network security strategy, finding any holes that may need to be patched. By calmly and thoughtfully improving your network security management strategy based on the data at hand, you can make your defenses stronger than ever and put yourself in the best possible position moving forward.
About the Author
Jason Riddle is Practice Leader at LBMC Managed Security Services where he helps defend his clients’ networks. He has over 15 years of experience working both as a consultant, advising commercial & government clients, and as a corporate information security officer for a financial services organization. His core areas of expertise are technology infrastructure, security & compliance, electronic payments, and developing processes to defend networks and systems against today’s advanced threats.