Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Protect assets from ransomware, trojans, rootkits and more.
Intelligence and visibility across AWS, O365, DevOps and more.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Many of the clients we work with find themselves concerned that the newest device they’ve read about could pose an existential threat to their business. Although they may see advantages to bringing a new technology into their environment, they are also uncertain as to how it might—or may already be—affecting the cybersecurity of their business. In truth, lots of business environments already have connected technology in their environment that may pose a risk to their network’s security.
For the purposes of this blog, think of an IOT device as anything that plugs into your network. If you look around your office, you’ll quickly notice that printers, telephones and/or cell phones are all connected to the wireless network. And this list is growing rapidly. Consider your thermostat, security cameras, televisions and lights—these are among hundreds of new devices that ask for some type of network access.
In smaller workplace environments, these types of devices often get added to the network without much thought. The simplicity of putting everything on one network makes things easier, and we get that. Unfortunately, there is risk involved with this practice. If you’ve ever installed a computer software patch, you know that they come about quite frequently. In fact, in the first 9 months of 2017, we saw over 11,000 new vulnerabilities documented.
When we first meet with our clients, we establish their appetite for risk and how they price it into their operations. This is an important first step, as understanding risk as a governance model helps set the stage for how we can address whatever challenge they want to take on.
So ask yourself: when was the last time you updated the firmware on your printer? There were over 200 printer related security vulnerabilities discovered this year alone. If your printer is running the firmware it had when you first installed it, do you know how many of these vulnerabilities are present on your network?
Of course, the point of this isn’t to make you run around the office and unplug all your printers, but rather to understand that every network-connected device in your business brings with it some inherent risk. Our goal is to quantify and remediate that risk wherever it is pragmatic to do so.
First of all, make a list of what needs to be connected to your network. Is this list different from what is currently connected? Know who is on your network and what their business purpose is. In our printer example, we have a multifunction device that could have the following characteristics:
Your network device list should list everything. (Did you include your servers and workstations?) The level of specificity you develop here should both support the business and limit your risk.
Our next goal is to segregate these different types of devices into corresponding networks. You should be able to create a network segment specifically for devices, like printers, that have a less secure posture to help isolate them from your more protected assets.
So, which networks should be on your short list for this type of segregation?
At a minimum, we would always recommend printers, VoIP phones / teleconference hardware, clients, servers, internal wireless and guest wireless should be on your short list. If your IOT devices are wireless, you may also want to create a separate IOT wireless to keep them away from guests and your internal network.
While the presence of Next Generation Firewalls complicates things somewhat because of their enhanced functionality, the biggest single source of misconfiguration we see for an external firewall is that it often does not use a default egress posture. In fact, most firewalls have default settings that don’t let anything in but do let everything out. It’s not all that uncommon to even see web proxies put into place, and next to them, a firewall that lets the same traffic out, un-proxied.
As you begin to look at next generation firewalls and intrusion detection systems, there are more sophisticated detection and prevention technologies that can further remediate the risks for rules that you create, but more often than not, you can simply remove the risk by not allowing unnecessary traffic.
Setting new rules in place should be a slow and careful process. To do it right, you are going to get good at reading log files and making sure that a failure within your environment isn’t the cause of an overly aggressive firewall rule.
At this point, you’ll want to start getting a sense of the standard noise that the network sees versus what might be desired but unauthorized traffic. A great example of this is broadcast. In many cases, you will see clients trying to broadcast traffic on their network segment that the firewall won’t pass. It can show up on your firewall log, but can be safely ignored if you understand why it’s there. On the other hand, if something is broken, looking at the logs to see if there is any unauthorized traffic because a device uses an undocumented port can be quite common.
Learn to look at your logs, even if only for troubleshooting purposes. Developing a sense for how to distinguish the signal from the noise can be key in identifying security issues within your environment.
eSentire’s Managed Detection and Response capabilities are very useful, especially when you’re connecting to the internet. The traffic you end up passing along that can threaten your business isn’t always easy to find and disrupt. Our esNETWORK works with the next generation functions of your internet firewall to detect and disrupt many of the kinds of threats that would otherwise go unnoticed. If you’d like to learn more about your organizational IoT risk, we want to help. Contact our Advisory Services team today for more information.
Principal Security Strategist helping customers refine and develop their response to the cyber security risks that face their businesses.