IT Security
Let's face it. Cyber-attacks are our new reality. Companies of all sizes, from the little guy to huge enterprises, and even the government, are successfully attacked and breached. Fast Forward IT has adopted the mindset that it is no longer a question of if your business will be attacked, but when; it is therefore imperative to be prepared. How do we do that? Let's first define some terms, then see what technologies can help.
Compromise
A compromise is unauthorized access into a network.
Breach
A breach occurs when data is taken from a network, such as after a compromise occurs.
Vulnerability
A vulnerability is a product defect that can be leveraged to gain access to a network. Vulnerabilities are often patched by software vendors when they are discovered.
Vulnerability Management
The practice of actively looking for vulnerabilities for the purpose of mitigating them. Mitigation could be remediation, in which the vulnerability is patched, or it could mean temporarily or permanently taking the affected system offline.
SOC
Security Operations Center. The SOC houses security teams that analyze data looking for signs of a compromise. A SOC usually makes use of a SIEM in researching security events.
SIEM
Security Information and Event Management. The SIEM receives and holds logs from IT systems such as Microsoft 365, anti-virus products, Microsoft Windows, firewalls and other IT assets. The logs collected by the SIEM are useful to the SOC in determining if a compromise or breach has occurred.
SASE
Secure Access Service Edge. This is effectively a VPN service with additional security layered on. While connected to the SASE network, your laptop, for example, sends encrypted traffic to a private network to access private resources on that network, such as a server. The additional services layered in are things like traffic inspection, which looks for threats, and filtering. The additional services built into a SASE solution vary from provider to provider.
EDR
Endpoint Detection and Response. This is endpoint monitoring paired with a modern next-generation antivirus product.
XDR
Extended Detection and Response. This opens up the scope of EDR to go beyond just the device the product is installed on. XDR may include things like vulnerability management and insights into additional systems such as Microsoft 365.
MDR
Managed Detection and Response. This is a managed version of EDR, provided by a security firm. The advantage is that trained security professionals are analyzing data.
MXDR
Managed Extended Detection and Response. This is a managed version of XDR, provided by a security firm. The advantage is that trained security professionals are analyzing data.
Immutability
This is the concept of ensuring data cannot be deleted. For example, your backups should be immutable so that if your network is taken over the backups cannot be deleted.
Phishing
The practice of sending users emails that look legitimate but are not, with the goal of getting the end user to take an action that allows the attacker some type of access to the network. An example of a phishing email might include a link to reset a password, but the link takes you to the attacker's site and prompts for your password. In this example, if you typed the password on the attacker's site, they would then know your password.
Security Awareness Training
The process of educating employees so that they become security aware. This process helps employees spot phishing emails, and other types of threats.
Ransomware
This is malicious software that encrypts data, making it unusable. The attacker who encrypted your data asks for a ransom in exchange for software that will decrypt your data.
So, which of these tools do I need? The short answer is most businesses need all of these tools or would at least benefit from them. The reason most businesses need these tools is that virtually all businesses are or will be attacked. It is important to remember that these attacks are to a large degree automated, meaning it doesn’t matter if you are small. Since the attacks are automated, they can be indiscriminate. Often small businesses are more valuable to attackers as they are less prepared and can be more likely to pay a ransom to an attacker.
Q: Why use a SOC and a SIEM?
A: If your network has been compromised, you would want to know, right? That is the purpose of the SOC and SIEM. The SIEM collects information, the SOC analyzes the information and provides notification. The goal is to detect the compromise early so that it does not become a breach and data is stolen. These services run 24x7x365, with the goal of detecting compromises around the clock.
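To make the "SIEM collects, SOC analyzes" division concrete, here is an added example, not code from Fast Forward IT or from any SIEM product, of a single correlation rule run over constructed authentication log lines: a source address that fails to log in several times and then succeeds within a short window is surfaced as an alert for an analyst. The log format, field names and thresholds are assumptions for the illustration.

```python
"""Toy SIEM correlation rule, added here as an illustration (not a product of
Fast Forward IT or any SIEM vendor): parse constructed authentication log lines
and flag a source that fails repeatedly and then succeeds, the kind of
pattern a SOC analyst would want surfaced for review."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified syslog-like format (not real data;
# addresses are from the reserved documentation ranges).
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:03Z auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:05Z auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:07Z auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:09Z auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:20Z auth src=203.0.113.7 user=alice result=SUCCESS
2024-05-01T09:01:00Z auth src=198.51.100.4 user=bob result=FAIL
2024-05-01T09:05:00Z auth src=198.51.100.4 user=bob result=SUCCESS
2024-05-01T09:30:00Z auth src=192.0.2.9 user=carol result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None  # unparseable lines are skipped rather than crashing the rule
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_fail_then_success(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per SUCCESS that was preceded, from the same source,
    by at least `threshold` FAIL events inside `window`."""
    alerts = []
    recent_fails = defaultdict(list)  # src -> timestamps of failures still in window
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        src, ts = event["src"], event["ts"]
        # Age out failures that fall outside the correlation window.
        recent_fails[src] = [t for t in recent_fails[src] if ts - t <= window]
        if event["result"] == "FAIL":
            recent_fails[src].append(ts)
        elif event["result"] == "SUCCESS":
            if len(recent_fails[src]) >= threshold:
                alerts.append({
                    "src": src,
                    "user": event["user"],
                    "failures": len(recent_fails[src]),
                    "at": ts.isoformat(),
                })
            recent_fails[src].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_fail_then_success(SAMPLE_LOGS):
        print("ALERT: %(failures)d failures then success for %(user)s from %(src)s at %(at)s" % alert)
```

In the sample, only the first source trips the rule: the second source has a single failure that is also outside the two-minute window by the time it succeeds. A real SIEM holds many such rules and the raw events behind them, which is what lets the SOC confirm or dismiss an alert instead of guessing.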
Q: Why is SASE important?
A: Because it provides secure access to company resources. If company resources are only available through the SASE solution, it is much more difficult for attackers to reach those systems.
Q: Why use a vulnerability management system?
A: Failing to detect and mitigate vulnerabilities is like building a castle with an unlocked rear entrance. If you fail to secure the entire castle, you should not be surprised when someone walks right in.
Q: EDR, XDR, MDR, MXDR? Which one?
A: Unless you can field a team that can respond 24x7x365, a managed solution is probably warranted, so that detected threats can be responded to. This means either MDR or MXDR. When evaluating MDR or MXDR, the question to ask is what scope you want to cover. Are you only interested in securing computers, or are you interested in computers and platforms? These days nearly everyone leverages cloud services. If you leverage cloud services, go with the MXDR solution for round-the-clock coverage and visibility into additional systems like Microsoft 365.
Q: Why educate my employees with Security Awareness Training?
A: Most successful attacks leverage mistakes made by employees, often through phishing attacks. Even if you spend large amounts of money on IT security products, humans still make mistakes. You can reduce the likelihood of employees letting attackers in through education.
Q: What about immutability?
A: Immutability is important for recovery. If your data is encrypted as a result of a ransomware attack, do you want to pay the ransom and hope the attacker gives you the decryption software, or would you rather recover from your backups? The FBI recommends not paying a ransom: https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/ransomware.
Other tools we recommend include passwordless authentication, advanced email scanning, password managers, and data encryption.