Wednesday, 20 February 2013

Threats - announcement


Today, just a little bit about the threats we are facing now and that will become more serious in the coming years. A short, rather ‘high-level’ discussion to give the wider context and some ideas.

Firstly, it should be said that apart from new, sophisticated types of attacks (APT, AET, ...), we should not forget about legacy infrastructure, which is still fundamental and crucial: firewalls (NGFWs are awesome, but still), IDS/IPS, NIDS/HIPS, AVs, policy, standards, end-user awareness, etc. When listing these ‘standard’ and essential ways of protection (layers of security) I have SIEM infrastructure in mind. It is impossible to have it all and still understand it and keep wide, clean visibility into the company's protection. An event management and correlation system is a must in bigger companies with big infrastructure, etc. Somebody may ask what ‘big’ means, or when a company needs a specific type of protection. I suppose this is all about risk management. Having these applied in our company we gain context and visibility: very often we are able to shorten incident response and filter out tons of, let's say, unknown activity.
Recently, on one of the webinars, the lecturer mentioned and pointed out that 24x7 coverage is a major component of efficient incident response. Attackers are smart guys, and very often they know when the risk of being caught is lowest: summer/vacation time, weekends, etc.

Now I would like to go through several important aspects of ‘modern threats’: BYOD and the popularity of social media. In my opinion the increasing popularity and ease of use of internet messaging apps and smart devices are lowering security (on the other hand, the comfort level is growing). Very often the people using these devices/apps are not technically educated; they are not aware of the risks and threats waiting for them. Cloud technologies, easy access to the global net and fast internet are also a problem for security. Here I should write a few words about insider threat. IT espionage, IT sabotage or just spying are well known to IT security, and this is a serious problem in the field of DLP/DRM.
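To make the correlation and 24x7 points concrete, here is a small added example (my own illustration, not code from the original post or from any SIEM product): a rule that flags a successful login preceded by several failures from the same source within a short window, and raises the priority when the success lands outside business hours or on a weekend, since that is exactly the time an attacker expects nobody to be watching. The log lines, the failure threshold, the window and the business-hours range are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): ISO timestamp, source, user, outcome.
# 2013-02-16 is a Saturday, 2013-02-18 a Monday.
SAMPLE_LOG = """\
2013-02-16T02:10:01 src=203.0.113.7 user=jsmith outcome=fail
2013-02-16T02:10:05 src=203.0.113.7 user=jsmith outcome=fail
2013-02-16T02:10:09 src=203.0.113.7 user=jsmith outcome=fail
2013-02-16T02:10:12 src=203.0.113.7 user=jsmith outcome=fail
2013-02-16T02:10:40 src=203.0.113.7 user=jsmith outcome=success
2013-02-18T10:00:00 src=198.51.100.4 user=akowal outcome=fail
2013-02-18T10:00:03 src=198.51.100.4 user=akowal outcome=success
2013-02-18T10:05:00 src=192.0.2.9 user=bnowak outcome=success
"""

FAIL_THRESHOLD = 3             # assumed: failures that must precede the success
WINDOW = timedelta(minutes=5)  # assumed: correlation window
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59 local time, Monday-Friday


def parse_line(line):
    """Parse one 'ts key=value ...' event into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {"ts": datetime.fromisoformat(ts), **fields}


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours range."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def correlate(log_text):
    """Return alerts for sources whose success follows >= FAIL_THRESHOLD
    failures within WINDOW; off-hours hits get a higher priority."""
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        q = recent_failures[ev["src"]]
        # Expire failures that fell out of the correlation window.
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if ev["outcome"] == "fail":
            q.append(ev["ts"])
        elif ev["outcome"] == "success" and len(q) >= FAIL_THRESHOLD:
            off_hours = is_off_hours(ev["ts"])
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures_before_success": len(q),
                "ts": ev["ts"].isoformat(),
                "off_hours": off_hours,
                "priority": "high" if off_hours else "medium",
            })
            q.clear()  # one alert per burst, not one per subsequent success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Run as is, the only alert is the Saturday 02:10 burst from 203.0.113.7 (four failures, then success) and it is marked high priority; the single failure from 198.51.100.4 on Monday morning stays below the threshold and is filtered out, which is the kind of noise reduction the correlation layer is meant to give.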
Moving forward, to have a robust picture of what happened we should have digital forensics on board. Awesome technologies such as e-discovery or triage are a great idea for hunting or for quickly checking what happened. In-depth analysis can be performed with tools for post-mortem analysis (X-Ways, EnCase, FTK, etc.). On the other hand we have a wide range of packet-capture appliances, which are a great source of alerts (+SIEM).
Having said that, do not forget about apps (a huge problem with applications in companies and their validation/whitelisting, etc.). Pentesting and audits should be considered. Another field and great opportunity for security is vulnerability scanning, code analysis and whitelisting.
