Steve McGregory
Ixia Senior Director, Application and Threat Intelligence

See Something, Say Something, and Do Something!

October 11, 2017 by Steve McGregory

Cybersecurity in the workplace is a necessary and important part of a healthy work environment. We are in week 2 of the official Cyber Security Month, October. The theme this week is "Cyber Security in the Workplace is Everyone's Business." What this means to me is that we should all do our part to educate ourselves and our co-workers on some best practices for the workplace. To me, there is one thing that would greatly benefit all of us, and that is the practice of reporting suspicious events even if you are not sure that there is a problem or a breach.

Company Policy to Support Reports of Possible Incidents

Companies should embrace this by rewarding people for reporting such activities. Employees must not be fearful of getting into trouble, as long as what they did was purely accidental. Things like browsing porn or any website that you know is not appropriate at work must be avoided. However, we are human and subject to human behaviors; this is often the psychological means an attacker uses to fool you. If you accidentally clicked on a URL because you thought it came from a trusted source, and immediately closed the browser once you noticed something wasn't right, you should report this to your IT Security team, and they should thank you for doing so.

Mean time to detect a breach - 205 days!

Without such behavior, and a program within the company to support it, a breach will likely go unnoticed. We know that on average a breach goes about 205 days before detection; in general this gives the hackers plenty of time to infiltrate your network and complete their main objective. The report should be welcomed and investigated, and the person reporting the incident should be thanked; perhaps even have a swag program to give out small gifts for reports.

How do You Know if Your Security is Working? Do Something!

Solely relying on your users to tell you when something may have gone wrong is not a strong security posture. We all know that it takes people, tools, processes, and layered security to give yourself the best chance of catching malicious activity in your network. And you will be much better served, and more aware of your security posture, if you practice. You need to validate this layered security defense, assessing the ability of your people, tools, and processes to function as desired. You can validate your security people, tools, and processes using a Cyber Range.

A Cyber Range can be a standalone lab setup or it can be configured within your production network. The goal is to generate real-world traffic and user and service behaviors, while injecting some malicious network events. This can be done safely within a production network by segmenting the Cyber Range from your operational networks using VLANs or private network segments. Your IT and Security Operations teams will arrange for a "Red Team", the attackers, to set up scenarios that challenge and test the "Blue Team", your regular IT and Security Operations team, without the Blue Team knowing anything about the Red Team's plans. This operation can be a short 15-minute scenario or perhaps run over several days. At the end of the assessment, the Blue Team reports what they saw and how they responded. The Red Team then compares those findings with the actions they actually took.

What you now have is knowledge of how your people, tools, and processes performed under a real-world attack sequence. The results tell you the strengths and weaknesses in your current cyber security defense. It's now time to shore up or mitigate those weaknesses, and when ready you should repeat the scenario. Best of all, you can use a product like BreakingPoint to be your Red Team; this product has over 12 years of supplying real-world traffic mixes and network exploits to NEM, Carriers, Service Providers, Governments, and Top 500 companies. With the introduction of BreakingPoint Virtual Edition, we have delivered a product that can do the same for a company of any size.

Having Knowledge of Valuable Assets and Applying Budget

In this topic of People, Tools, and Processes, we cannot leave out the method of applying security policy and budget. In many cases I see businesses attempting to apply the same level of security across the board. This leads to overspending in some areas and underspending in others. In comes the topic of asset awareness: knowing what's in your network and where the most valuable assets or data exist. Most companies focus on perimeter defense, and while this is needed, it leaves a huge swath of the network wide open for hackers.

Continuously scan and monitor your networks, knowing what assets exist and their value to the company. At the same time, deploy network visibility tools that can help you assess and normalize the traffic patterns; who talks to whom, for example. A simple example of communication that is out of the normal is a one-off communication in your network. Keep an eye on the less frequent traffic patterns; these are often telltale signs of abnormal network behavior that should be inspected. We have seen Command and Control systems send a single ping to an external network just to let the attacker know they are inside a network.
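The "one-off communication" check above can be made concrete. The following is an added example, not code from the original post or from Ixia: it builds a baseline of (source, destination, protocol) combinations from constructed flow records, then flags combinations seen only once, calling out in particular a lone ICMP flow from an internal host to an external address. The RFC 1918 ranges as "internal" and the record layout are assumptions; 203.0.113.9 is a documentation address standing in for an attacker-controlled host.

```python
"""Added example: flag one-off communications in flow records (constructed data)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: these RFC 1918 ranges are the organisation's internal address space.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (timestamp, src, dst, proto). Not real traffic.
FLOWS = [
    ("2017-10-11T09:00:01", "10.1.1.20", "10.1.1.5", "tcp/445"),
    ("2017-10-11T09:00:05", "10.1.1.21", "10.1.1.5", "tcp/445"),
    ("2017-10-11T09:01:00", "10.1.1.20", "10.1.1.5", "tcp/445"),
    ("2017-10-11T09:02:10", "10.1.1.21", "10.1.1.5", "tcp/445"),
    ("2017-10-11T09:03:00", "10.1.1.20", "10.1.1.10", "udp/53"),
    ("2017-10-11T09:03:01", "10.1.1.22", "10.1.1.10", "udp/53"),
    ("2017-10-11T09:07:42", "10.1.1.22", "203.0.113.9", "icmp"),  # the lone outbound ping
    ("2017-10-11T09:08:00", "10.1.1.22", "10.1.1.10", "udp/53"),
    ("2017-10-11T09:09:00", "10.1.1.20", "10.1.1.10", "udp/53"),
]

def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)

def rare_triples(flows, max_count=1):
    """(src, dst, proto) combinations seen at most max_count times in the window."""
    counts = Counter((s, d, p) for _, s, d, p in flows)
    return {k for k, n in counts.items() if n <= max_count}

def flag_flows(flows, max_count=1):
    """Return the flows that stand out from the baseline, each with its reasons."""
    rare = rare_triples(flows, max_count)
    findings = []
    for ts, s, d, p in flows:
        if (s, d, p) not in rare:
            continue
        reasons = ["one-off communication"]
        if is_internal(s) and not is_internal(d):
            reasons.append("internal host to external host")
        if p == "icmp":
            reasons.append("single ping")
        findings.append({"ts": ts, "src": s, "dst": d, "proto": p, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_flows(FLOWS):
        print(f["ts"], f["src"], "->", f["dst"], f["proto"], "|", "; ".join(f["reasons"]))
```

In practice the baseline window would span days or weeks of flow records rather than a few minutes, and the threshold would be tuned per network segment.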