Providing strong and effective security for an organization's network, IT infrastructure, and environment requires some forethought and planning. If you are now tasked with monitoring, managing, or maintaining network security operations within your organization after USM Anywhere has already been deployed, many of the planning steps and decisions may have already been made. In any case, it is worth reviewing some of the overall best practices that many organizations follow in implementing and then maintaining network security operations in their environments. The general process is the following:
- Determine the scope of your network security operation, the range of networks and subnetworks to be covered, and the network devices or assets (host servers, applications, firewalls, routers, and switches) to be protected.
- Assess risk, determine what is most important to protect, and determine the type of network security you need to provide. Identify specific threats and vulnerabilities you need to address. Also determine specific regulatory compliance and other business standard requirements you need to meet.
- Define and determine security team roles, permissions, tasks and responsibilities, and implement authentication and authorization to support USM Anywhere security operations. Also determine the notification and escalation strategy for emails, ticket handling, incident response, and compliance documentation requirements.
- Develop a plan for initial implementation and rollout of network security operations, plus planned updates and enhancements, based on priorities. Take into account the time and resources required for monitoring, incident analysis and response, compliance reporting, and record-keeping, plus subsequent updates to address additions or changes in the environment, as well as new threats and vulnerabilities.
- Deploy and run USM Anywhere to monitor and analyze the behavior of the environment. Use dashboards, reports, and other features of the USM Anywhere web UI to examine events, network traffic, alarms, and notifications. Establish baseline behavior, identify threats and vulnerabilities, and eliminate or reduce false positives and other noise from normal, benign behavior. After establishing a baseline, you can use various tools provided within the USM Anywhere web UI to investigate alarms and suspicious events, identify threats and vulnerabilities, and continue monitoring your network for attacks, intrusions, or any other type of malicious and potentially damaging behavior.
- Make continuous security lifecycle improvements and perform regular maintenance: new asset discovery and risk assessments, new vulnerability and threat detection, compliance reporting, and backup and archival record-keeping.
- Incident Response. Develop and implement processes and procedures for Incident Response (IR) to provide special event and incident handling. Detect anomalies and suspect behavior; investigate, identify, and isolate threats, intrusions, or attacks; eradicate, remediate, or mitigate threats; and conduct post-incident, post-mortem reviews to identify improvements to security processes and practices.
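The "establish a baseline, then reduce false positives" step above is easier to reason about with a concrete, if small, illustration. The following is an added example written for this page, not USM Anywhere code and not its event format: it assumes a constructed one-line-per-event format (`<timestamp> host=<asset> event=<type> src=<ip>`), builds per-asset event counts from a "baseline" window, compares an "observation" window against it, and applies a tuning list of known-benign (host, event) pairs so that, for instance, an authorized vulnerability scanner does not keep raising findings. Thresholds (`factor`, `min_count`) and all sample lines are assumptions chosen for the demonstration.

```python
"""Toy baseline-and-deviation check over constructed event lines.

Assumed line format (constructed for this example, not a real product format):
    <timestamp> host=<asset> event=<event_type> src=<source_ip>
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed "baseline" window: what the environment normally looks like.
BASELINE_LINES = [
    "2024-01-01T00:00:01 host=web01 event=ssh_login_failed src=10.0.0.5",
    "2024-01-01T00:05:01 host=web01 event=ssh_login_failed src=10.0.0.5",
    "2024-01-01T01:00:00 host=web01 event=http_request src=10.0.0.9",
    "2024-01-01T01:00:05 host=web01 event=http_request src=10.0.0.9",
    "2024-01-01T01:00:10 host=web01 event=http_request src=10.0.0.9",
    "2024-01-01T02:00:00 host=scanner01 event=port_scan src=10.0.0.2",
    "2024-01-01T03:00:00 host=db01 event=ssh_login_ok src=10.0.0.7",
    "this line is malformed and must be skipped, not crash the parser",
]

# Constructed "observation" window compared against the baseline.
OBSERVED_LINES = (
    [f"2024-01-08T00:{i:02d}:01 host=web01 event=ssh_login_failed src=203.0.113.4"
     for i in range(12)]                       # burst of failed logins, new source
    + [f"2024-01-08T01:00:{i:02d} host=web01 event=http_request src=10.0.0.9"
       for i in range(3)]                      # normal web traffic
    + [f"2024-01-08T02:00:{i:02d} host=scanner01 event=port_scan src=10.0.0.2"
       for i in range(5)]                      # authorized scanner: known noise
    + ["2024-01-08T03:00:00 host=db01 event=ssh_login_ok src=10.0.0.7",
       "2024-01-08T04:00:00 host=db01 event=ssh_login_ok src=198.51.100.9"]
)

# Tuning list: (host, event) pairs accepted as benign after baseline review.
SUPPRESSIONS = {("scanner01", "port_scan")}


def parse(lines):
    """Return a list of dicts for well-formed lines; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def count_by_host_event(events):
    """Count events per (host, event_type) pair."""
    return Counter((e["host"], e["event"]) for e in events)


def find_deviations(baseline_lines, observed_lines, suppressions=SUPPRESSIONS,
                    factor=3, min_count=5):
    """Flag (host, event) pairs that are unseen in the baseline or have grown
    by at least `factor`, ignoring tiny counts and suppressed benign pairs."""
    base = count_by_host_event(parse(baseline_lines))
    obs = count_by_host_event(parse(observed_lines))
    findings = []
    for key, n in sorted(obs.items()):
        if key in suppressions:
            continue
        expected = base.get(key, 0)
        if n >= min_count and (expected == 0 or n >= factor * expected):
            findings.append({"host": key[0], "event": key[1],
                             "observed": n, "baseline": expected})
    return findings


def new_sources(baseline_lines, observed_lines):
    """(host, src) pairs present in the observation window but never in the baseline."""
    base = {(e["host"], e["src"]) for e in parse(baseline_lines)}
    seen = {(e["host"], e["src"]) for e in parse(observed_lines)}
    return sorted(seen - base)


if __name__ == "__main__":
    for finding in find_deviations(BASELINE_LINES, OBSERVED_LINES):
        print("deviation:", finding)
    for host, src in new_sources(BASELINE_LINES, OBSERVED_LINES):
        print("new source for", host, "->", src)
```

Run as written, only the failed-login burst on `web01` is reported as a deviation: the scanner's port scans are suppressed by the tuning list, and the small rise in database logins stays under `min_count`, while `new_sources` still surfaces the two never-before-seen source addresses as leads for the investigation step. Removing the suppression entry (or lowering the thresholds) shows how quickly an untuned baseline turns routine activity into noise.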