Certain security basics used to be good enough to protect your network. You could roll out an endpoint security tool, implement a firewall, and use sandboxing, and at least sleep a little easier at night. But today’s attackers are more sophisticated, and that means security professionals have to be more sophisticated, too.
A key part of that is configuring policies that are specific to your network and that describe the communications you expect to see. Stating the expected behavior explicitly makes it easier to surface anomalous communications that could indicate a breach. Since attackers usually won't know how your network is structured, these policies can block or surface an attack in progress, or make it harder for an attacker to pivot laterally within your organization.
The following are a set of guidelines for how to begin implementing security policies on your network:
1. Segment your networks
Network segmentation tools can enforce rules about which networks are able to communicate with each other. For example, your corporate network, where your employee endpoints live, probably doesn’t need to communicate directly with your datacenter except in limited situations. This can prevent lateral movement and reduce the impact of a single machine being compromised. Expanse Behavior, for example, has a policy feature that can take your network segmentation rules and monitor them for consistent and correct enforcement, ensuring that your segmentation deployment is effective.
2. Standardize certain communication protocols and block others
Organizations today use a wide range of protocols to communicate with coworkers and collaborate on shared work items. While there are many secure options, there are also legacy protocols like SMB, FTP, and RDP that are weak by design or are frequent targets: FTP carries credentials and file contents in clear text, and SMB and RDP services reachable from outside a segment are routinely probed for weak credentials and known vulnerabilities. Any of these could allow an attacker to observe the communication or, at worst, gain a foothold on your network.
Even when there are choices between multiple options, it is generally best to standardize on a single choice for each high-level use case within your organization. In many cases, this will allow your organization to set fine-grained controls on the approved vendor or mechanism.
3. Monitor for prohibited software
There’s a lot of risky software your employees could be installing that you don’t know about. They could be using insecure collaboration software or P2P sharing applications. You can detect prohibited activities like these through monitoring network communications with the public Internet. But first, you need to have a policy in place and practice around what kind of software employees are allowed to have. When determining these policies, you should pay particular attention to any software that uploads data that lives on your devices to the cloud or any software that could introduce vulnerabilities.
4. Watch for Internet access that bypasses your proxy
The vast majority of threats to your endpoints originate from the public Internet. So naturally, monitoring traffic to and from your endpoints to the web is critical.
Most companies do this through a proxy or other secure web gateway (SWG)-type functionality. But it's not enough to just configure these systems. You also need to enforce a policy that prevents them from being bypassed: disallow direct web access from endpoints, so that the only path to the Internet runs through the approved systems, and monitor for any traffic that takes a different path.
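Items 1 through 4 above all reduce to the same mechanism: state the communications you expect between segments, then check observed traffic against that statement. The following is an added example of that check, written for this page and not code from Expanse or any product it describes. It models three hypothetical policies over a hypothetical address plan (corp endpoints may reach the datacenter only on TCP/443, legacy FTP/SMB/RDP ports are blocked across segment boundaries, and only the proxy segment may initiate connections to the Internet) and runs a handful of constructed flow records, of the kind a NetFlow or connection log would yield, through them to produce a list of violations.

```python
"""Check observed network flows against stated segmentation, protocol and
egress policies.  Added example: the segments, address ranges, rules and
sample flows are all constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan: which prefixes belong to which segment.
# The proxy /24 sits inside the corp /16, so lookups use the longest match.
SEGMENTS = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "proxy": ipaddress.ip_network("10.10.250.0/24"),   # secure web gateways
    "datacenter": ipaddress.ip_network("10.20.0.0/16"),
}

# Legacy protocols the organization does not allow across segment boundaries.
LEGACY_PORTS = {21: "FTP", 445: "SMB", 3389: "RDP"}


@dataclass(frozen=True)
class Flow:
    """One observed connection: initiator, responder, transport, dest port."""
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(ip: str) -> str:
    """Map an address to its segment by longest prefix; unknown = 'internet'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    return max(matches)[1] if matches else "internet"


def check_segmentation(flow, src_seg, dst_seg):
    """Corp endpoints reach the datacenter only over HTTPS; never the reverse."""
    if src_seg == "corp" and dst_seg == "datacenter":
        if not (flow.proto == "tcp" and flow.dport == 443):
            return "segmentation: corp -> datacenter permitted only on tcp/443"
    if src_seg == "datacenter" and dst_seg == "corp":
        return "segmentation: datacenter must not initiate connections to corp"
    return None


def check_legacy_protocols(flow, src_seg, dst_seg):
    """FTP/SMB/RDP may not cross a segment boundary or touch the Internet."""
    name = LEGACY_PORTS.get(flow.dport)
    if name and flow.proto == "tcp" and src_seg != dst_seg:
        return f"protocol: {name} (tcp/{flow.dport}) not allowed from {src_seg} to {dst_seg}"
    return None


def check_proxy_egress(flow, src_seg, dst_seg):
    """Only the proxy segment may initiate connections to the Internet."""
    if dst_seg == "internet" and src_seg != "proxy":
        return f"egress: {src_seg} reached the Internet directly, bypassing the proxy"
    return None


CHECKS = (check_segmentation, check_legacy_protocols, check_proxy_egress)


def find_violations(flows):
    """Return (flow, message) pairs for every policy a flow violates."""
    findings = []
    for flow in flows:
        src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
        for check in CHECKS:
            message = check(flow, src_seg, dst_seg)
            if message:
                findings.append((flow, message))
    return findings


# Constructed sample flows; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for arbitrary Internet hosts.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.1.5", "tcp", 443),        # corp -> dc HTTPS: allowed
    Flow("10.10.4.7", "10.20.1.5", "tcp", 445),        # corp -> dc SMB: two violations
    Flow("10.10.4.7", "10.10.250.3", "tcp", 3128),     # corp -> proxy: allowed
    Flow("10.10.4.7", "203.0.113.10", "tcp", 443),     # corp -> Internet: bypasses proxy
    Flow("10.10.250.3", "203.0.113.10", "tcp", 443),   # proxy -> Internet: allowed
    Flow("198.51.100.9", "10.20.1.5", "tcp", 3389),    # Internet -> dc RDP: violation
    Flow("10.20.1.5", "10.10.4.7", "tcp", 22),         # dc -> corp SSH: violation
]

if __name__ == "__main__":
    for flow, message in find_violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {message}")
```

The checks are deliberately written as small functions that each encode one stated policy, so that a new rule (a supplier that may only be reached on one port, say) is one more function in `CHECKS` rather than a change to the evaluator. Running the same checks against both your firewall's intended rule base and the flows you actually observe is what turns a policy on paper into a verified one.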
5. Monitor relevant third parties for risky communications
If you merge with or acquire another company, that company’s network risks become your risks. But all too frequently, M&A due diligence consists of vendor self-attestation or risk scores, which don’t provide continuous visibility or drive meaningful operational improvements. In addition to understanding the asset inventory and exposures on the new network you are integrating, you need to be aware of any risky or out-of-policy communications that could expose your company to undue risk.
In the event of a divestiture, you should monitor communications between your network and that of the divested company. It is common in these events for ties between the companies' networks not to be fully severed. This creates business risk, especially where parts of your network still implicitly trust the divested entity's infrastructure. With Expanse Behavior, you can monitor for any communication between your organization and the divested entity so you can ensure your operations are cleanly separated.
Similar to any companies you’ve acquired or divested from, suppliers can also open you up to risk. If a supplier is disrupted, that can result in business disruption to you as well. Many suppliers also possess sensitive intellectual property and other information connected to the companies they serve. And if an attacker gains unauthorized access to a supplier’s network, he or she may be able to pivot to gain access to your network as well. You need to set guardrails for appropriate and out-of-policy communications between your organization and your strategic suppliers and between suppliers and other entities on the public Internet.
Expanse Behavior is the only solution that can monitor merger, acquisition and divestiture (M&A&D) parties and suppliers (without any deployment needed on their side) for communications that might violate your policies.
6. Make your policies your practice with Expanse Behavior
Setting company-specific policies that reflect your organization’s specific needs and vulnerabilities will reduce your risk substantially compared to doing a set of standard basic practices on their own.
The next step after setting policies is to make sure they are being fully enforced. It can be very hard to know if your policies are being consistently and correctly applied across your entire network perimeter, especially if you have a large network with heterogeneous networking equipment.
That’s where Expanse Behavior comes in: Behavior constantly monitors all network communications going into or out of your network, modeling your own stated policies and alerting you whenever any part of your network appears to be violating them. This will help bring your actual, day-to-day security practices in line with your policies for a more secure organization.