What Can You Do to Strengthen Your Network?
In general, businesses should put their own cyber security defense plan in place, along the lines of what recent MSN reporting suggests. Besides shoring up defenses, businesses should start looking for signs of intrusion and set up "manual overrides" for security threats and intrusions: ways to intervene by hand when automated controls fail. After that, it falls to the business to determine what can and should be done.
What can you do, specifically, to strengthen your network?
The question always comes down to what specifically you can do to strengthen your cyber security architecture. Unfortunately, much of the answer depends on your existing security architecture and your industry's risk profile. However, here are some simple but effective general guidelines.
Start immediately with a simple plan that works with whatever other architecture guidelines you follow (the NIST Cybersecurity Framework, MITRE ATT&CK, Defense in Depth, Zero Trust, etc.). Effective simplicity is one of the best techniques because it gives you an approach you can actually maintain. Elaborate, complicated architectures designed to "kick the crap" out of attackers tend to become too high-maintenance and too complicated to stay effective long term.
Here is one, simple 3-point plan to consider:
Prevention – Reduce as many threats entering the network as possible
Detection – Find and quickly remediate intrusions that get past prevention, and have a cyber resilience plan for breaches that succeed
Vigilance – Whether you trust or don't trust, periodically test your defenses to ensure that they are actually detecting and blocking threats
Let's look at the suggestion above in more detail.
Step 1 is about preventing as many intrusions into the network as possible by implementing a solid security architecture. Simply put, do what you can to stop the threat(s). This due diligence will be worth its weight in gold in stopping a significant number of attacks. Inline security solutions such as an IPS, WAF, and TLS decryption are good examples of this best practice.
Step 2 is about finding intrusions on your network and quickly remediating them. The faster you find the problem, the safer you are. This matters because the Ponemon Institute finds every year that it takes far too long to identify breaches. For example, the 2021 Cost of a Data Breach report (IBM Security and the Ponemon Institute) found that it took businesses an average of 287 days to identify and contain a data breach. That gives bad actors far too much time to do their dirty work.
Step 3 is about periodically validating that your security architecture is working as designed. This means using a breach and attack simulation (BAS) solution to safely and repeatedly check your defenses against real-world threats. Your network changes throughout the year. You need to know that a new hardware upgrade, software upgrade, or configuration change didn't break anything.
The following is a detailed list of actions that security engineers and architects can take based upon each of those three steps.
Preventative Actions:
1. Review your cybersecurity and infrastructure plan, including your escalation plan. Are they up to date? Who has what specific responsibilities? Are there any disconnects between systems?
2. Ask senior management and the CISO to send reminders to employees about phishing attempts intended to capture credentials and gain access to the network. The first key message to employees: "never click on the links." The second message is that they will not be punished for reporting phishing or mistakes that could have led to a compromise. Maybe they should even get a reward? The key point here is that people make mistakes. If they think they will be reprimanded for reporting their mistakes, they never report anything, which does more harm to the network by obscuring important facts.
3. Make data backups now and continuously. Store these backups on removable media or otherwise "off network", so that malware that reaches your production systems cannot reach (and encrypt) the backups too. You still want the data and system configurations close at hand. If you run into ransomware or other malware that you can't get rid of, you want to be able to go "nuclear": wipe the whole system clean, then reinstall programs and data. Some data will be lost with this approach, but if the backups are frequent enough, and you have verified that they actually restore, this can be a fast and minimally painful remedy.
4. Implement upgrades and patches. If you are new to the organization, test your security tools in a lab using a security tester like BreakingPoint to make sure (or determine) that your equipment is fortified against known security threats like DDoS, malware, viruses, etc. You want to look for architecture vulnerabilities and to determine the EXACT performance (not data sheet specs) of the equipment (firewalls, IDS, IPS, WAF, threat intelligence gateways, etc.) in your network.
5. Upgrade/optimize your inline security protection solutions. Security tools like an IPS, WAF, etc. are very effective at preventing threats from entering your network. However, you need external bypass switches and network packet brokers (NPBs) to get the most out of those tools. Bypass switches maintain business continuity for your network when an inline tool fails or is replaced. NPBs further enhance this solution with n+1 load balancing, decryption of traffic before it reaches the tools, and enhanced data manipulation.
6. Install threat intelligence gateways to augment firewalls. Firewalls are good, but it's even better to have help from purpose-built devices that provide rapidly updated allow lists and block lists of IP addresses and geographies. The purpose here is to remove the human element and use automation to limit threats. Since attacks constantly "pop up" from new IP addresses, most security engineers simply cannot keep the lists current on a daily basis. Automated threat intelligence gateways fill this need.
7. Deploy TLS 1.3 decryption. It is estimated that 70% or more of security threats are now hidden inside encrypted traffic. If you can't look into the packets, you're flying blind, and your inline and out-of-band tools are inspecting ciphertext. One caveat: TLS 1.3 requires ephemeral (forward-secret) key exchange, so passive decryption with a copy of the server's private key, which worked for RSA key exchange in earlier TLS versions, is no longer possible. TLS 1.3 decryption means terminating the session on the decryption device and re-encrypting toward the server.
Detection
1. Log files can be erased or altered by certain types of malware, but packets don't lie. Network packet brokers should be used to capture the right security data and relay it to out-of-band security tools, like an IDS, DLP, etc. These tools can then analyze those packets to find indicators of compromise.
2. Deploy threat hunting tools, like Viavi, to actively look for on-premises and cloud-based threats. For any threat hunting tool to be effective, it needs to see ALL of the data; seeing part of it isn't good enough, and the tool will miss intrusions. This is why you need to deploy taps at critical points across your network and then use a network packet broker to aggregate and filter that traffic, so that your security tools (IDS, DLP, SIEM, etc.) get exactly the right data at the right time to flag anomalies or suspicious activity. The tap and packet broker combination gives your security tools the visibility they need. That visibility also has to be lossless, so don't add just any packet broker. Depending on their design, some packet brokers (for example, ones that rely on general-purpose CPUs for advanced functions) drop packets under load, i.e., they "lose" data. This means you could be missing up to 60% of your security threats and not even know it. So packet broker selection is critical.
3. Use application intelligence to look for indicators of compromise. Flow data can provide some general information, but you still need a deeper look. You can get this from application data, i.e., Layer 7 packet data. This allows you to see how applications in general are flowing across your network and also if there are specific problems. For instance, is there a DNS or NDP packet flood attack happening? You can literally see it by using a network packet broker that supports this application intelligence function.
4. Reinforce your cyber resilience plan. If you do get attacked, how do you get back to normal operations as fast as possible? There are many possible components to this plan. Here are a few to consider:
a) Optimize network continuity with external bypass switches and heartbeat messaging. The switch injects heartbeat frames through the inline tool and takes the tool out of the path when they stop coming back; you choose whether it then fails open (traffic passes uninspected) or fails closed (traffic is blocked). The reason for an external bypass is that if you have to completely replace a security tool and you are relying on a bypass built into that tool, your network goes down during the changeout.
b) Inline and out-of-band network packet brokers with load balancing and n+1 survivability allow you to maintain operations during "impaired" network situations. The right choice of packet broker also provides reversion, meaning it automatically senses when an out-of-service security tool becomes operational again (for example, after a reboot) and puts it back in the path. This provides a "self-healing" component to your security architecture.
c) Inline packet brokers with Active-Active processors provide enhanced business continuity without loss of data. Active-Standby solutions will lose data while the standby processor comes online.
d) The ability to completely simulate the attack in your labs to validate any fixes is especially important. This is where you need a security threat generator, like BreakingPoint, to faithfully reproduce the security attack in your lab so that you can determine whether your security fix actually works. The last thing you want is to shoot yourself in the foot by rolling out a security fix that doesn’t work. This could lead to another successful attack/breach and be a career limiting event for yourself.
e) Also consider network packet brokers that integrate with SIEMs. This lets you automate data collection and respond to attacks faster.
f) Start conducting cyber range training exercises so that you can recognize and respond to attacks faster. It's one thing to suspect that a certain type of attack has happened, or is happening, and another to "see" the indicators of different attack types in real time. Practicing this in a cyber range is critically important. While you may not be able to tell a Petya attack from Ryuk, you can at least narrow your search down to the fact that it is probably ransomware and proceed with that information.
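The "packets don't lie" point in Detection item 1 and the DNS flood example in item 3, as a worked example added here (this is not code from Keysight or the original post). It parses raw DNS query payloads the way an application-aware tool behind a packet broker would, keeps a one-second sliding window per source, and distinguishes a flood of repeated queries from a pseudo-random subdomain flood by the share of unique names. The packets, IP addresses and thresholds are constructed for the example; a real deployment would feed it frames from a tap or packet broker rather than an in-memory list.

```python
import struct
from collections import defaultdict, deque


def build_dns_query(txn_id, qname):
    """Build a minimal DNS query (header + one A/IN question). Used here only to
    construct sample packets; real input would come from a tap or packet broker."""
    flags = 0x0100  # QR=0 (query), RD=1
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)


def parse_dns(payload):
    """Return (is_query, qname) for a DNS message with one question, else None."""
    if len(payload) < 12:
        return None
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            return None  # compressed name: not expected in a question, skip rather than mis-parse
        if pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):  # QTYPE and QCLASS must follow the name
        return None
    is_query = (flags & 0x8000) == 0  # QR bit clear means query
    return is_query, ".".join(labels).lower()


class DnsFloodDetector:
    """Per-source sliding-window query counter. Thresholds are assumptions for the example."""

    def __init__(self, window_s=1.0, max_queries=50, max_unique_ratio=0.9):
        self.window_s = window_s
        self.max_queries = max_queries          # queries per source per window before alerting
        self.max_unique_ratio = max_unique_ratio  # share of unique names that marks a random-subdomain flood
        self.history = defaultdict(deque)       # src_ip -> deque of (timestamp, qname)

    def observe(self, ts, src_ip, payload):
        """Feed one packet (timestamps must be non-decreasing per source). Returns an alert or None."""
        parsed = parse_dns(payload)
        if parsed is None or not parsed[0]:
            return None  # responses and non-DNS payloads are ignored here
        window = self.history[src_ip]
        window.append((ts, parsed[1]))
        while window and ts - window[0][0] > self.window_s:
            window.popleft()
        count = len(window)
        if count <= self.max_queries:
            return None
        unique = len({name for _, name in window})
        kind = "random-subdomain flood" if unique / count >= self.max_unique_ratio else "query flood"
        return (src_ip, kind, count)


def scan(packets, **thresholds):
    """Run the detector over (ts, src_ip, payload) tuples; return the first alert per source."""
    detector = DnsFloodDetector(**thresholds)
    alerts = {}
    for ts, src_ip, payload in packets:
        alert = detector.observe(ts, src_ip, payload)
        if alert and src_ip not in alerts:
            alerts[src_ip] = alert
    return alerts


def sample_capture():
    """Constructed capture: one normal client, two flooding sources, one resolver response."""
    packets = [(float(i), "10.0.0.5", build_dns_query(i, f"host{i}.corp.example")) for i in range(5)]
    # 200 distinct pseudo-random subdomains from one source within half a second
    packets += [(10.0 + i * 0.0025, "10.0.0.66", build_dns_query(i, f"{i:08x}.victim.example"))
                for i in range(200)]
    # 120 copies of the same query from another source within half a second
    packets += [(20.0 + i * 0.004, "10.0.0.77", build_dns_query(7, "victim.example")) for i in range(120)]
    response = bytearray(build_dns_query(1, "host1.corp.example"))
    response[2] |= 0x80  # set QR: this is a response and must not count as a query
    packets.append((21.0, "192.0.2.53", bytes(response)))
    return packets


if __name__ == "__main__":
    for src, kind, count in scan(sample_capture()).values():
        print(f"{src}: {kind} ({count} queries in window)")
```

The detector alerts on the 51st query inside the window, and it never sees the resolver's response because the QR bit is set. The two alert kinds matter operationally: a repeated-name flood is a volumetric problem for the resolver, while a high share of unique names points at a pseudo-random subdomain attack against an authoritative zone, which cache-based mitigations do not help with.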
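The heartbeat, fail-open/fail-closed and reversion behaviour described for bypass switches in Prevention item 5 and in resilience points a) and b), modeled as an added example in Python. This is not Keysight's iBypass logic; the class names, the miss and revert thresholds, and the InlineTool stand-in for an IPS or WAF are assumptions for illustration. It also shows the failure mode the text implies but does not spell out: frames sent to a tool that has already hung are lost until the miss threshold is reached.

```python
from enum import Enum


class Mode(Enum):
    FAIL_OPEN = "fail-open"      # on tool failure, pass traffic around the tool (link stays up)
    FAIL_CLOSED = "fail-closed"  # on tool failure, drop traffic (nothing leaves uninspected)


class State(Enum):
    INLINE = "inline"    # production traffic flows through the security tool
    BYPASS = "bypass"    # tool isolated, traffic forwarded around it uninspected
    BLOCKED = "blocked"  # tool isolated, traffic dropped


class InlineTool:
    """Stand-in for an inline IPS/WAF (an assumption for this example). A healthy tool
    passes frames through; a hung or rebooting one returns nothing."""

    def __init__(self):
        self.healthy = True

    def process(self, frame):
        return frame if self.healthy else None


class BypassSwitch:
    """Model of an external bypass switch's heartbeat logic (hypothetical, not a vendor API)."""

    def __init__(self, tool, mode=Mode.FAIL_OPEN, miss_threshold=3, revert_threshold=2):
        self.tool = tool
        self.mode = mode
        self.miss_threshold = miss_threshold      # lost heartbeats in a row before isolating the tool
        self.revert_threshold = revert_threshold  # good heartbeats in a row before reinserting it
        self.state = State.INLINE
        self.missed = 0
        self.good = 0
        self.log = []

    def heartbeat(self):
        """Inject one heartbeat frame through the tool's data path and update state."""
        if self.tool.process(b"HEARTBEAT") is None:
            self.missed += 1
            self.good = 0
            if self.state is State.INLINE and self.missed >= self.miss_threshold:
                self.state = State.BYPASS if self.mode is Mode.FAIL_OPEN else State.BLOCKED
                self.log.append(f"{self.missed} heartbeats lost -> {self.state.value}")
        else:
            self.good += 1
            self.missed = 0
            # Reversion: only after several consecutive good heartbeats, so a tool that is
            # flapping during boot is not reinserted prematurely.
            if self.state is not State.INLINE and self.good >= self.revert_threshold:
                self.state = State.INLINE
                self.log.append(f"{self.good} heartbeats returned -> {self.state.value}")
        return self.state

    def forward(self, frame):
        """Forward one production frame; returns 'inspected', 'bypassed' or 'dropped'."""
        if self.state is State.INLINE:
            # Until the miss threshold is reached the switch still trusts the tool, so
            # frames sent to a tool that has already hung are lost: that is the detection lag.
            return "inspected" if self.tool.process(frame) is not None else "dropped"
        if self.state is State.BYPASS:
            return "bypassed"
        return "dropped"


def run_scenario(mode):
    """Tool hangs, gets isolated, reboots, and is reinserted. Returns (switch, frame fates)."""
    tool = InlineTool()
    switch = BypassSwitch(tool, mode=mode)
    fates = [switch.forward(b"frame-1")]       # healthy: inspected
    tool.healthy = False                       # tool hangs
    for _ in range(3):
        switch.heartbeat()                     # third miss isolates the tool
    fates.append(switch.forward(b"frame-2"))   # bypassed (fail-open) or dropped (fail-closed)
    tool.healthy = True                        # tool finishes rebooting
    switch.heartbeat()                         # one good heartbeat: not enough to revert yet
    fates.append(switch.forward(b"frame-3"))
    switch.heartbeat()                         # second good heartbeat: back inline
    fates.append(switch.forward(b"frame-4"))   # inspected again
    return switch, fates


if __name__ == "__main__":
    for mode in Mode:
        switch, fates = run_scenario(mode)
        print(mode.value, fates, switch.log)
```

Two design points carry over to real deployments: the heartbeat must traverse the same data path as production traffic (a management-port ping proves nothing about the inspection path), and the revert threshold is the hysteresis that keeps a tool mid-reboot from flapping in and out of the path. The miss threshold is a trade-off between detection lag, during which frames are lost in fail-open as well as fail-closed mode, and false isolation under momentary congestion.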
Vigilance
1. Every network has security issues. You know it, I know it, and hackers know it. You need to hack yourself before someone else does. A straightforward and fairly easy way to do this is to perform breach and attack simulations (BAS). Pen testing is only good for a point in time and is typically expensive; you need repeated, continuous evaluation.
2. You need to be able to answer executive questions as well as your own. For instance, what systems were updated recently (both hardware and software)? Did these changes adversely affect the security architecture? You need to know, not just assume, that everything is okay. Once a few weeks or months have passed, new weaknesses will probably exist. There is a reason businesses continue to be hacked even though they invest in security solutions.
3. If you're a new security engineer to a business, BAS gives you a way to check and see if routine patch maintenance has been conducted. For instance, maybe a patch wasn't applied or was applied incorrectly. How would you know unless you performed an extremely time-consuming audit of all of your equipment?
4. And crucially, were the right fixes applied if a vulnerability was found? For these reasons and more, you need to use a BAS solution to determine the current strength of your defenses.
Hopefully this blog has given you some things to consider. If you're looking for help, KEYSIGHT offers many solutions that could be beneficial like:
Security threat testers like BreakingPoint
Network taps like Flex Taps
External bypass switches like iBypass
Network packet brokers like Vision ONE
Application intelligence like AppStack
Threat Intelligence gateways like ThreatARMOR
TLS decryption like SecureStack
Breach and Attack simulators like Threat Simulator
See for yourself how Keysight's solutions can significantly enhance your company's security architecture.
This article was reposted by 董慧 from Keysight. The original title was: What Security Threats Should North American Businesses Expect Due to the Current Geopolitical Uncertainty. All articles reposted on this site are intended to convey more information and clearly state their source; media outlets or individuals who do not wish to be reposted may contact us and we will delete the content immediately.