2020 was a wild year for cyber security professionals, and 2021 seems to have followed the same trends. The SolarWinds supply chain attack severely affected many high-profile organisations globally. Critical vulnerabilities, including the Netlogon Elevation of Privilege vulnerability, SIGRed and Bad Neighbor, the SolarWinds compromise, and dozens of ransomware attacks dominated headlines and exposed businesses to unprecedented security risks.
Many of the organisations that were affected had antivirus and endpoint detection software in place. But a key area where many organisations are still lacking is network security. Network security is a key component of a security risk management programme that keeps your network safe, leaving your organisation free to focus on innovation and delivering value to customers. Here are six reasons why network security is essential to improve your organisation’s security posture and thwart costly attacks from sophisticated actors.
Policies, standards, and procedures are the lynchpin of every enterprise, operational and security programme. Does your organisation have mechanisms in place to enforce policies or notify administrators of violations? The chances are your organisational policies are not being followed as intended. Without such mechanisms you are likely to have zero visibility of violations, which introduces excessive risk to your network.
Mechanisms can be configured in network security systems to support business policies and help leaders identify and manage risks strategically. Your corporate “acceptable use policy” (AUP), for example, may disallow browsing on social media sites and file sharing sites. However, this behaviour is likely to still be happening on the corporate network. Without network security, your teams have no visibility to spot behavioural patterns, making it nearly impossible to prevent.
The ability to detect and prevent such behaviours on the network helps decrease the organisation’s threat surface, improve compliance, and decrease the risk of insider threats.
Endpoint protection alone cannot find and prevent APT and zero-day exploits.
One of the most significant compromises of the past year was the SolarWinds attack. Malicious actors were able to infiltrate some of the biggest and most sophisticated corporate and government organisations, including NASA, Microsoft, the FAA, NVIDIA, and FireEye. One of the key indicators of compromise (IOC) was traffic to avsvmcloud.com, which functioned as a command-and-control server.
The C2 traffic was unusual behaviour on the network that endpoint systems were not well suited to detect, and it is what enabled the attackers to move laterally across enterprise networks. Network-based security gives businesses visibility of command-and-control behaviours, in addition to dozens of other tactics, techniques, and procedures (TTPs).
Antivirus (AV) companies do a great job of updating signatures as new malware is discovered in the wild. However, malicious actors are often able to evade existing signatures for extended periods of time before their malware is discovered. Taking a network-based approach to identifying the unusual behaviours introduced by malicious actors can uncover their tactics. This helps empower your team to contain and eradicate the threat before it becomes even more costly.
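The two preceding paragraphs contrast a signature-style check (traffic to a known C2 domain) with a behaviour-style check (the regular beaconing that C2 implants tend to produce). The following is an added example, not code from the original article, that runs both checks over constructed proxy/DNS-style log lines. The only indicator taken from the article is the avsvmcloud.com domain; the sample hosts, the other domains, the log format and the beacon thresholds are all assumptions made for the example.

```python
"""Flag known command-and-control indicators and beacon-like periodic
contacts in simple "<timestamp> <host> <domain>" log lines.

Added example. Sample log lines, host names, the log format and the
beacon thresholds are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicator named in the article: the SolarWinds command-and-control domain.
KNOWN_C2_DOMAINS = {"avsvmcloud.com"}

# Constructed sample log (not real traffic). ws-08 contacts one domain every
# 60 seconds (beacon-like); ws-17 contacts the intranet at irregular times;
# ws-42 resolves a constructed subdomain of the known C2 domain.
SAMPLE_LOG = """\
2020-12-13T09:00:00 ws-17 intranet.example.local
2020-12-13T09:00:05 ws-17 updates.example.com
2020-12-13T09:00:00 ws-08 telemetry.example-cloud.test
2020-12-13T09:01:00 ws-08 telemetry.example-cloud.test
2020-12-13T09:02:00 ws-08 telemetry.example-cloud.test
2020-12-13T09:03:00 ws-08 telemetry.example-cloud.test
2020-12-13T09:04:00 ws-08 telemetry.example-cloud.test
2020-12-13T09:05:00 ws-08 telemetry.example-cloud.test
2020-12-13T09:10:00 ws-42 c2node.avsvmcloud.com
2020-12-13T09:11:00 ws-42 news.example.org
2020-12-13T09:12:30 ws-17 intranet.example.local
2020-12-13T09:20:00 ws-17 intranet.example.local
2020-12-13T09:21:10 ws-17 intranet.example.local
2020-12-13T09:45:00 ws-17 intranet.example.local
"""


def parse_log(text):
    """Parse log lines into (timestamp, host, domain) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, domain = parts
        events.append((datetime.fromisoformat(ts), host, domain.lower().rstrip(".")))
    return events


def matches_indicator(domain, indicators=KNOWN_C2_DOMAINS):
    """True if the domain equals an indicator or is a subdomain of one."""
    return any(domain == ioc or domain.endswith("." + ioc) for ioc in indicators)


def match_known_c2(events, indicators=KNOWN_C2_DOMAINS):
    """Signature-style check: (host, domain) pairs that hit a known C2 domain."""
    return sorted({(host, domain) for _, host, domain in events
                   if matches_indicator(domain, indicators)})


def find_beacons(events, min_contacts=5, max_cv=0.1):
    """Behaviour-style check: (host, domain, mean gap in seconds) for pairs
    contacted at near-constant intervals.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between successive contacts. The thresholds are constructed for
    the sample data, not tuned production values.
    """
    by_pair = defaultdict(list)
    for ts, host, domain in events:
        by_pair[(host, domain)].append(ts)
    beacons = []
    for (host, domain), stamps in sorted(by_pair.items()):
        if len(stamps) < min_contacts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((host, domain, avg))
    return beacons


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("known C2 hits:", match_known_c2(evts))
    print("beacon-like pairs:", find_beacons(evts))
```

The indicator match catches only what is already known; the beacon check is what gives coverage for implants whose domains are not yet on any list, at the cost of needing a tuned threshold and an allow-list for legitimate pollers such as update and telemetry agents.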
One of the most challenging parts of initiating an incident response plan during a breach is containment. Containment of an attack is all but impossible without a clear understanding of how systems are communicating over the network. When network defenders begin reimaging systems or eradicating malware, it must be done thoroughly. It takes just one device where the attacker has maintained a foothold to reinfect the network and send incident response teams back to square one.
It is alarmingly common for hidden malware from ransomware attacks to remain in the network. A 2018 Sophos survey shows that organisations hit with ransomware are very likely to suffer repeat attacks: “Unlike lightning, ransomware – sadly – struck twice with affected organisations suffering on average two ransomware attacks in the preceding 12 months.” This quotation is particularly alarming because, according to the same report, “…over three quarters (77%) of ransomware victims are already running up-to-date endpoint security. Organisations are discovering the hard way that stopping ransomware requires specialised protection.”
Compliance requirements are increasing, and a transition from self-attestation to third-party auditing is making waves in many industries once free of these demanding reviews. This includes Department of Defence (DoD) contractors who, in the near future, must comply with the Cybersecurity Maturity Model Certification (CMMC) to continue doing business with the DoD.
CMMC is not the only compliance regime that requires network monitoring. For example, NIST 800-171 has several network security requirements, including [DE.CM-1], which states, “The network is monitored to detect potential cyber security events.” Every set of compliance requirements includes continuous monitoring of the network itself, not just the endpoints within it. Another example, in the FFIEC, is section [IS.WP.8.4.e:], which states: “Determine whether management has effective threat monitoring processes, including the following: Monitoring both incoming and outgoing network traffic to identify malicious activity and data exfiltration.”
Several frameworks already require network security and additional requirements are likely to be in development. The new compliance climate places a greater burden on organisations to meet requirements in order to preserve their customer base and avoid costly fines. Procuring network security solutions minimises the operational impact of adjusting to the new requirements by automating operational and compliance requirements.
Everyone knows how the network should look, but only a small minority of IT professionals understand how the network is actually behaving. When organisations implement network security, the operational and security professionals within the IT department are often astonished to find that various servers (supposedly decommissioned, and therefore unpatched) are still alive and well on the network, that network segmentation is not working as expected, that endpoints are communicating with one another for no apparent reason, and that many other uncomfortable and risky behaviours are occurring. Gaining visibility of such activities empowers IT departments to make sound, data-driven decisions based on the actual current state of the environment.
Firewalls are usually in place at the network edge, which leaves the internal network vulnerable to lateral movement. In most organisations, once an attacker or a malicious insider is behind the firewall, there is no network monitoring or visibility solution that can enable network defenders to identify abnormal, risky, unapproved, or malicious behaviours. Now that many employees are working from home, the threat of lateral movement is even greater. Corporate devices on home networks can easily become infected. On home networks, there are a variety of devices with weak security postures, including IoT devices. Furthermore, some household members may participate in file-sharing forums and peer-to-peer data transfers, which are easy ways for attackers to gain access to your home network and all the systems within it. In many cases, once those devices are reintroduced to the corporate network, malware can spread without having to deal with any firewalls.
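The two preceding paragraphs describe what network visibility typically reveals: hosts the inventory says are dead but which still talk on the wire, segmentation that is not holding, and peer-to-peer traffic between workstations that an edge-only firewall never sees. The following added example (not code from the original article) compares constructed flow records against a constructed inventory and segmentation design to surface exactly those findings. The segment ranges, the allowed-flow matrix, the host lists and the flow records are all assumptions made for the example; a real deployment would feed it NetFlow, Zeek conn logs or similar.

```python
"""Compare observed flows against the documented inventory and segmentation
design to find dead-but-alive hosts, unknown hosts and segment violations.

Added example. All addresses, segments, policy entries and flow records are
constructed for illustration and do not describe any real environment.
"""
import ipaddress

# Constructed segmentation design: name -> address range.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "legacy": ipaddress.ip_network("10.99.0.0/16"),
}

# Constructed policy: (source segment, destination segment) pairs that the
# design permits. Anything else is a segmentation violation worth a look.
ALLOWED = {("workstations", "servers"), ("servers", "servers")}

# Constructed inventory (CMDB) view: hosts believed active and hosts believed
# to have been decommissioned.
ACTIVE = {"10.20.0.5", "10.20.0.6", "10.10.0.11", "10.10.0.12"}
DECOMMISSIONED = {"10.99.0.7"}

# Constructed flow records: (source ip, destination ip, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.11", "10.20.0.5", 443),
    ("10.10.0.12", "10.20.0.6", 445),
    ("10.20.0.5", "10.20.0.6", 1433),
    ("10.10.0.11", "10.10.0.12", 445),  # workstation-to-workstation (lateral)
    ("10.10.0.12", "10.99.0.7", 3389),  # to a supposedly decommissioned host
    ("10.99.0.7", "10.20.0.5", 22),     # the 'dead' host initiating connections
    ("10.10.0.11", "10.10.0.50", 445),  # a host the inventory does not know
]


def segment_of(ip, segments=SEGMENTS):
    """Name of the segment containing ip, or 'unknown' if no range matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if addr in net:
            return name
    return "unknown"


def observed_hosts(flows):
    """Every address seen as a source or destination in the flow records."""
    return {ip for src, dst, _ in flows for ip in (src, dst)}


def inventory_gaps(flows, active=ACTIVE, decommissioned=DECOMMISSIONED):
    """Hosts seen on the wire that the inventory says are dead or does not list."""
    seen = observed_hosts(flows)
    return {
        "decommissioned_but_alive": sorted(seen & decommissioned),
        "unknown": sorted(seen - active - decommissioned),
    }


def segmentation_violations(flows, allowed=ALLOWED):
    """Flows whose (source segment, destination segment) pair is not permitted."""
    return [
        (src, dst, port, segment_of(src), segment_of(dst))
        for src, dst, port in flows
        if (segment_of(src), segment_of(dst)) not in allowed
    ]


if __name__ == "__main__":
    print("inventory gaps:", inventory_gaps(SAMPLE_FLOWS))
    for v in segmentation_violations(SAMPLE_FLOWS):
        print("violation:", v)
```

Run against real flow data, the interesting output is usually the same as in the sample: a "decommissioned" host that is still accepting and initiating connections, and workstation-to-workstation SMB or RDP that the edge firewall was never positioned to see.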
To learn how you can protect your organisation from attacks, sign up for The Cost of Ransomware webinar on December 2nd at 1:30pm. Save your seat here.