Top 4 Security Questions to Ask of Your Data (and The Data You Need to Answer Them)

May 13, 2014  |  Lauren Barraco

The security industry has an unhealthy love affair with complexity and sophistication. Blame it on the media, or our own tendency towards masochism... but, whatever the reason, it seems that most of us would rather devote our time and attention to Advanced Persistent Threats or zero-day attacks than implement basic security practices. The sad truth is that most of the damage done to organizations comes from simple, broad-based attacks that exploit the lack of foundational and essential security controls.

Indeed, the message from most of the research is that organizations keep getting pwned because they fail to deploy the basic tools and technologies they need to prevent, detect, and respond to incidents. This is why - even in 2014, more than two decades after the first commercial firewall came to market - it's truly time to focus on the essential security tools, and the basic questions you'll need to answer to stay ahead of the threat.

Here are the basic questions you'll need to answer for essential security intelligence, along with the types of data you'll need and the tools you'll need to collect and analyze that data.

1) What's (and who’s) connecting to my network?

Why It's Important - You can't secure what you don't know about. You'll need to know which systems connect to which network segments, how these systems are configured, and who uses these systems. It's also essential to have this information automatically updated, so implementing regular discovery scans is a good practice.

The data you'll need:

  • IP address
  • Asset information - OS, running services, software installed
  • Identity and Access events - LDAP, Active Directory, Domain Controller, VPN, etc.
  • Network access events - traffic data (e.g. firewall logs)

The tools you'll need:

  • Asset Discovery and Inventory - automated tools, port scanning, etc.
  • Log Management and SIEM

2) What are the potential security vulnerabilities?

Why It's Important - Security vulnerabilities are software weaknesses that attackers can exploit to steal data or computing resources, commit fraud, and disrupt operations. It's important to identify all vulnerabilities in a system's OS and applications, as well as those on network devices such as firewalls, routers, and switches, so that you can remediate them before they are targeted by an exploit.

The data you'll need:

  • IP address
  • Asset information - OS, running services, software installed
  • Vulnerabilities on endpoints, servers, and network devices

The tools you'll need:

  • Asset Discovery and Inventory - automated tools, port scanning, etc.
  • Vulnerability Assessment / Vulnerability Scanning

3) What behaviors - network traffic, system events - are considered normal and acceptable?

Why It's Important - You can't detect "abnormal" until you know what's "normal". "Normal" in the security world is not easy to standardize. What's "normal" for your organization might be considered atypical in someone else's organization. That's why it's so essential to establish network baselines so that you can spot suspicious behavior and other anomalies that may signal a threat in progress.

The data you'll need:

  • Network access event logs - traffic data (e.g. firewall logs, packet capture)
  • System event logs
  • IP address - metadata that must be captured for the analysis above
  • Asset information - OS, running services, software installed
  • Identity and Access events - LDAP, Active Directory, Domain Controller, VPN, etc.

The tools you'll need:

  • Asset Discovery and Inventory - automated tools, port scanning, etc.
  • Netflow Analysis / Packet Capture
  • File Integrity Monitoring
  • Service Availability Monitoring
  • Log Management and SIEM - apply event correlation rules to system and network event log data to determine potential exposures

4) What behaviors - network traffic, system events - signal an active threat?

Why It's Important - Your network is constantly changing, and the threats facing it are also changing. Consistent and comprehensive network security monitoring powered by the latest threat intelligence will help you detect active threats wherever they occur in your network. The challenge is in collecting the relevant data and applying the appropriate signatures and event correlation rules against that data so that you can quickly respond and investigate further.

The data you'll need:

  • Network access event logs - traffic data (e.g. firewall logs, packet capture)
  • System event logs
  • IP address - metadata that must be captured for the analysis above
  • Asset information - OS, running services, software installed
  • Identity and Access events - LDAP, Active Directory, Domain Controller, VPN, etc.
  • Threat intelligence - IP and domain reputation data, malware analysis, updated signatures and rules

The tools you'll need:

  • Asset Discovery and Inventory - automated tools, port scanning, etc.
  • Netflow Analysis / Packet Capture
  • File Integrity Monitoring
  • Intrusion Detection Systems (Network-based IDS, Host-based IDS)
  • Log Management and SIEM - apply event correlation rules to system and network event log data to determine potential exposures and active threats
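To make questions 3 and 4 concrete, here is an added example (not from the original post and not AlienVault code) that builds a per-host baseline from constructed firewall log lines and then applies simple correlation rules to new events: a threat-intelligence match, a source host missing from the inventory, a destination port never seen from that host, and a byte volume beyond the host's mean plus three standard deviations. The log format, the IP addresses, the reputation list and the threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall log lines (made up for this example, not real traffic).
BASELINE_LOGS = [
    "src=10.0.0.5 dst=192.0.2.10 dport=443 bytes=1200",
    "src=10.0.0.5 dst=192.0.2.10 dport=443 bytes=1400",
    "src=10.0.0.5 dst=192.0.2.11 dport=443 bytes=1300",
    "src=10.0.0.5 dst=192.0.2.12 dport=80 bytes=900",
    "src=10.0.0.7 dst=192.0.2.20 dport=22 bytes=500",
    "src=10.0.0.7 dst=192.0.2.20 dport=22 bytes=600",
]
NEW_LOGS = [
    "src=10.0.0.5 dst=192.0.2.10 dport=443 bytes=1250",   # within baseline
    "src=10.0.0.5 dst=198.51.100.4 dport=445 bytes=700",  # port never seen from this host
    "src=10.0.0.7 dst=192.0.2.20 dport=22 bytes=900000",  # byte volume far above baseline
    "src=10.0.0.9 dst=203.0.113.9 dport=4444 bytes=300",  # unknown host, known-bad IP
]
BAD_IPS = {"203.0.113.9"}  # constructed stand-in for an IP reputation feed
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

def parse(lines):
    """Turn raw log lines into (src, dst, dport, bytes) tuples; skip lines that don't match."""
    matches = (LINE_RE.search(line) for line in lines)
    return [(m[1], m[2], int(m[3]), int(m[4])) for m in matches if m]

def build_baseline(events):
    """Per source host: set of destination ports seen, plus mean/stddev of bytes per flow."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for src, _dst, dport, nbytes in events:
        ports[src].add(dport)
        sizes[src].append(nbytes)
    return {src: (ports[src], mean(sizes[src]), pstdev(sizes[src])) for src in ports}

def detect(events, baseline, bad_ips=BAD_IPS, k=3.0):
    """Correlation rules: threat-intel match, unknown host, new port, volume > mean + k*stddev."""
    alerts = []
    for src, dst, dport, nbytes in events:
        if dst in bad_ips:
            alerts.append((src, f"connection to known-bad IP {dst}"))
        if src not in baseline:
            alerts.append((src, "source host absent from baseline inventory"))
            continue
        known_ports, avg, sd = baseline[src]
        if dport not in known_ports:
            alerts.append((src, f"new destination port {dport}"))
        if sd > 0 and nbytes > avg + k * sd:  # sd == 0 means too few samples to judge volume
            alerts.append((src, f"byte volume {nbytes} exceeds baseline"))
    return alerts
```

Running `detect(parse(NEW_LOGS), build_baseline(parse(BASELINE_LOGS)))` yields four alerts: the new port 445 from 10.0.0.5, the volume spike from 10.0.0.7, and both the reputation match and the unknown-host rule for 10.0.0.9. In practice the baseline window should be long enough that a host's byte volumes show real variance, or the volume rule will stay silent for that host.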

So, what can you do?

Fortunately, with AlienVault USM, you can answer all of these questions within a single platform. Join us on Thursday for a live demo to see how AlienVault can help you accomplish these key tasks in one fully-integrated solution. But in the meantime, stay focused on the essentials.
