Threat Intelligence – Computer Networking and Security

Summary: This brief article discusses network security and the importance of system log management. Learn why the United States government issued an executive order outlining the appropriate cyber security steps to detect and manage network threats. For additional questions about network security monitoring, contact DIGIGUARD CYBER SECURITY at 833-33-CYBER (833-332-9237) or visit www.DIGIGUARDsecurity.com to discuss your SMB’s network security.

The Solar Winds supply chain attack in 2020 compromised government agencies, organizations and companies worldwide. The attack took many IT professionals by surprise. The U.S. Department of Homeland Security was one of the attack victims. Because of the severity of the breach, the U.S. Cyber Security and Infrastructure Security Agency (CISA) issued an official government memorandum, M 21 31, in response to President Biden’s Executive Order 1428, Improving The Nation’s Cybersecurity.

Before the Solar Winds hack took place, system log management was not a priority line item in most organizations’ cyber security strategies. However, supply chain attacks like Solar Winds have proven to be devasting for organizations because they target weaker, trusted third-party vendors or suppliers, intending to breach all related entities up and down the supply chain. Many of those trusted third parties are SMBs with inadequate network security. Unfortunately, those SMBs might not be able to survive the economic and reputational consequences of a supply chain attack.

Threat Detection Through Event-Log Management

We can’t defend against a threat we can’t see. Maximum visibility within your company’s network environment is one of the keys to a secure network. For an IT expert to thoroughly analyze the cause and magnitude of detections, they need access to the system logs from many parts of the network. Improved visibility allows faster response time when events occur and enables the analysis of root causes of detected threats. Also, IT professionals can help analyze weaknesses in the supply chain and help companies establish detection rules and best practices to help prevent attacks. Discovering the weak links and getting all supply chain entities on the same page in applying necessary security measures is imperative to prevent future attacks.

Some SMBs don’t have the budget for a full-time IT employee. Furthermore, a deep dive into the steps necessary to prevent a supply chain attack might seem overwhelming or beyond your IT competency. CISA offers the following guidance for prioritizing which logs are most important:

• Operating Systems
• Network Infrastructure
• Identity, Credential and Access Management
• Cloud Operational Environments
• Email Security Logs
• Antivirus Logs
• Endpoint Detection Tools

As hacks get more sophisticated, it is essential to collect log data from all points on your network, including all connected devices. A comprehensive Security, Information and Event Management (SIEM) solution requires every endpoint to have up-to-date security to decrease or eliminate overall vulnerabilities, increase event monitoring and create a robust alert system.

Log Source Optimization

The faster and more efficiently log data can be retrieved for analysis, the better your chances of discovering vulnerabilities and “weak links” in your network. One crucial part of optimization is data parsing, which facilitates the following objectives:

• Avoiding Duplicate Coverage – Additional optimization can be achieved by not duplicating multiple log sources with the same coverage. It’s a waste of monetary and computer resources and slows down searches.
• Speeding Up Search Times – Optimizing storage drives makes computers run faster and more efficiently; the same guideline applies to system logs. Why is speed important? In all areas of cyber security, the more rapidly a vulnerability or threat is identified and neutralized, the lower the chances of suffering operational and monetary consequences.

A Defense in Depth (DiD) Strategy

As we’ve mentioned many times, robust cyber security requires many layers of security to prevent cyber crimes. The more layers of security and parts of the network hackers must breach, the harder it is and the more time it takes. Cyber thieves prefer easier targets. Therefore, the more security layers, rules and log sources you put in place to block hackers, the more likely you are to avoid a cyberattack and prevent future events.

Human Error – The Weakest Link

Unfortunately, we must still deal with the “human factor.” If users are not trained in cyber security best practices, they can unwittingly execute malware attacks that include infostealers, malicious code that can lead to a credentials dump. Once a hacker has a user’s credentials, they have a key to stealing emails, bank accounts, credit card accounts, all kinds of private information and access to other personal online platforms. When cyber thieves can grab credentials, they have already gotten past the first layer of cyber protection. The good news is that with comprehensive system log management, threat detection can be faster and more seamless. Also, the timelier the alert, the quicker the source of attacks can be identified, mitigated or eliminated.

SMBs Must Train Employees

Training employees in cyber best practices is imperative to keeping your business secure. New employees should be trained on the first day of work and be afforded follow-up training and resources. Moreover, even employees who have been with the company for a while should have ongoing training regularly to refresh their knowledge and skills and keep up to date on new cyber risks.

Detecting network intrusions is a 24/7 operation. Hackers are launching new attacks while we sleep. Therefore, businesses should be fully armed with the best and most up-to-date cyber security.