The SolarWinds supply chain attack severely affected many high-profile organisations globally. Critical vulnerabilities, including the Netlogon Elevation of Privilege Vulnerability [1], SigRed [2], Bad Neighbor [3], SolarWinds [4], and dozens of ransomware attacks dominated headlines and introduced businesses to unprecedented security risks. Many organisations affected or compromised as a result of these vulnerabilities had antivirus and endpoint detection software deployed, as well as robust security controls, firewalls, and security policies aligned with industry best practices. However, a key area where many organisations are still lacking is network security. Network security is a key component of a security risk management program that keeps your network safe so your organisation can focus on innovation and delivering value to customers. Here are six reasons why network security is essential to improve your organisation’s security posture and thwart costly attacks from sophisticated actors.
- Network security enforces policies
Policies, standards, and procedures are the lynchpin of every enterprise operational and security program. Does your organisation have mechanisms in place to enforce policies or notify administrators of violations? If not, chances are your organisational policies are not being followed as intended. This introduces excessive risk to your network where you likely have zero visibility. Mechanisms can be configured in network security systems to support business policies and help leaders identify and manage risks strategically. Your corporate “acceptable use policy” (AUP), for example, may disallow browsing on social media sites and file sharing sites. However, this behavior is likely still occurring on the corporate network. Without network security, your teams have no visibility into the behavior, making it nearly impossible to prevent. The ability to detect and prevent such behaviors on the network helps decrease the organisation’s threat surface, improve compliance, and decrease the risk of insider threats.
- Endpoint protection alone cannot find and prevent APT & Zero-day exploits
One of the most significant compromises of the past year is the SolarWinds attack. Malicious actors were able to infiltrate some of the biggest and most sophisticated corporate and government organisations, including NASA, Microsoft, the FAA, NVidia, and FireEye [5]. One of the key indicators of compromise (IOC) was traffic to avsvmcloud[.]com, which functioned as a command-and-control server [6]. C2 traffic is unusual behavior occurring on the network that endpoint systems are not well suited to detect. Network-based security gives businesses visibility into command-and-control behaviors, in addition to dozens of other tactics, techniques, and procedures (TTPs) that attackers use to move laterally across enterprise networks.
Antivirus (AV) companies do a great job updating signatures as new malware is discovered in the wild. However, malicious actors are often able to leverage exploits for extended periods before they can be discovered and their signatures added to AV. Taking a network-based approach to identifying the unusual behaviors introduced by malicious actors in the environment can uncover these tactics, empowering your team to contain and eradicate the threat before it becomes more costly.
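As an added example (not code from the original article), the detection below scans constructed Zeek-style DNS query lines for the avsvmcloud[.]com indicator the article cites, reporting every internal host that resolved that domain or any subdomain of it. The log format, the sample records and the host addresses are all assumptions made for the example.

```python
# Constructed sample DNS log (Zeek-style, tab-separated: ts, src_ip, query).
# These records are made up for the example, not taken from a real capture.
SAMPLE_DNS_LOG = """\
1610000000.100\t10.0.4.21\tupdates.example.net
1610000000.200\t10.0.4.21\t7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
1610000001.300\t10.0.4.37\tmail.example.net
1610000002.400\t10.0.4.21\t3mu76044hgf7shjf.appsync-api.eu-west-1.avsvmcloud.com
1610000003.500\t10.0.4.88\tavsvmcloud.com
"""

# Indicator from the article, kept defanged the way analysts usually share it.
C2_INDICATORS = {"avsvmcloud[.]com"}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into a matchable name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def matches_indicator(query: str, indicators: set[str]) -> bool:
    """True if the queried name equals an indicator or is a subdomain of one.

    The suffix check requires the leading dot so that a look-alike such as
    notavsvmcloud.com does not match.
    """
    q = query.lower().rstrip(".")
    return any(q == ind or q.endswith("." + ind) for ind in map(refang, indicators))


def scan_dns_log(log_text: str, indicators: set[str] = C2_INDICATORS) -> dict[str, list[str]]:
    """Return {source_ip: [matching queries]} for every host that resolved an indicator."""
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and Zeek header lines
        fields = line.split("\t")
        if len(fields) < 3:
            continue  # malformed record; ignore rather than crash the scan
        _ts, src_ip, query = fields[:3]
        if matches_indicator(query, indicators):
            hits.setdefault(src_ip, []).append(query)
    return hits


if __name__ == "__main__":
    for host, queries in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(queries)} query(ies) to a C2 indicator -> {queries}")
```

Repeated hits from one host are the first thing to pivot on: the host should be isolated and its process tree examined for what issued the lookups.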
- Containment requires network protection
One of the most challenging parts of initiating an incident response plan during a breach is containment. Containment of an attack is all but impossible without a clear understanding of how systems are communicating over the network. When network defenders begin reimaging systems or eradicating malware, it must be done thoroughly. It takes just one device where the attacker has maintained a foothold to reinfect the network and send incident response teams back to square one.
It is alarmingly common for hidden malware from ransomware attacks to remain in the network. A 2018 Sophos survey shows that organisations hit with ransomware are very likely to suffer repeat attacks: “Unlike lightning, ransomware – sadly – struck twice, with affected organisations suffering on average two ransomware attacks in the preceding 12 months.” This quotation is particularly alarming because, according to the same report, “…over three quarters (77%) of ransomware victims are already running up-to-date endpoint security. Organisations are discovering the hard way that stopping ransomware requires specialized protection.”
- Compliance requires network monitoring
Compliance requirements are increasing, and a transition from self-attestation to third-party auditing is making waves in many industries once free of these demanding reviews. This includes Department of Defense (DoD) contractors who, in the near future, must comply with the Cybersecurity Maturity Model Certification (CMMC) to continue doing business with the DoD.
CMMC is not the only compliance regime requiring network monitoring. For example, NIST 800-171 has several network security requirements, including [DE.CM-1], which states, “The network is monitored to detect potential cyber security events.” Every set of compliance requirements includes continuous monitoring of the network itself, not just endpoints within it. Another example, in the FFIEC, is section [IS.WP.8.4.e]: “Determine whether management has effective threat monitoring processes, including the following: Monitoring both incoming and outgoing network traffic to identify malicious activity and data exfiltration.”
Several frameworks already require network security. Additional requirements are likely in development. The new compliance climate places a greater burden on organisations to meet requirements in order to preserve their customer base and avoid costly fines. Procuring network security solutions minimizes the operational impact of adjusting to the new requirements by automating operational and compliance requirements.
- Network security drives security and operational improvements
Everyone knows how the network should look, but only a small minority of IT professionals understand how the network is actually behaving. When organisations implement network security, operational and security professionals within the IT department are often astonished that various supposedly decommissioned (and therefore unpatched) servers are still alive and well on the network. Network segmentation is not working as expected; endpoints are communicating with one another for no apparent reason; many other uncomfortable and risky behaviors are occurring. Gaining visibility into such activities empowers IT departments to make sound, data-driven decisions based on the actual current state of the environment.
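As an added example (not from the original article), the script below reconciles constructed flow records against a constructed inventory of decommissioned hosts and an intended segmentation policy, surfacing the two findings the paragraph describes: “dead” servers still talking, and east-west traffic the policy never allowed. Address ranges, host names, flows and the allowed segment pairs are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: hosts the CMDB says were decommissioned.
DECOMMISSIONED = {"10.0.2.15": "legacy-erp-db", "10.0.2.40": "old-intranet-web"}

# Constructed flow records (src_ip, dst_ip, dst_port); not a real capture.
SAMPLE_FLOWS = [
    ("10.0.4.21", "10.0.2.15", 1433),   # workstation -> "decommissioned" database
    ("10.0.4.37", "10.0.2.15", 1433),
    ("10.0.4.21", "10.0.5.9", 443),     # workstation -> server, as intended
    ("10.0.2.40", "203.0.113.7", 80),   # "decommissioned" web host calling out
    ("10.0.4.88", "10.0.4.21", 445),    # workstation -> workstation SMB
]

# Assumed segment layout and intended policy: only workstations -> servers is allowed.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.0.4.0/24"),
    "servers": ipaddress.ip_network("10.0.5.0/24"),
    "legacy": ipaddress.ip_network("10.0.2.0/24"),
}
ALLOWED = {("workstations", "servers")}


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'external' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "external")


def find_zombie_hosts(flows, decommissioned=DECOMMISSIONED):
    """Return decommissioned hosts still seen in traffic, with the peers they talked to."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        if src in decommissioned:
            seen[src].add((dst, port))
        if dst in decommissioned:
            seen[dst].add((src, port))
    return {ip: {"name": decommissioned[ip], "peers": sorted(peers)} for ip, peers in seen.items()}


def find_segmentation_violations(flows, allowed=ALLOWED):
    """Return internal (east-west) flows whose segment pair is not in the allowed policy."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if "external" in (s, d):
            continue  # edge traffic is the perimeter firewall's job; this checks east-west only
        if (s, d) not in allowed:
            violations.append((src, dst, port, f"{s}->{d}"))
    return violations
```

Each zombie host is a patch-and-decommission ticket; each violation is either a missing rule in the policy or a path the segmentation was supposed to block.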
- Firewalls are not enough
Firewalls are usually in place at the network edge, which leaves the internal network vulnerable to lateral movement. Once an attacker or a malicious insider is behind the firewall, in most organisations, there is no network monitoring or visibility solution that can enable network defenders to identify abnormal, risky, unapproved, or malicious behavior. Now the threat of lateral movement is even greater because many staff members are working from home. Corporate devices on home networks can easily become infected. On home networks, there are a variety of devices with weak security postures, including IoT devices. Further, some household members may participate in file-sharing forums and peer-to-peer data transfers, which are easy ways for attackers to gain access to your home network and all the systems within it. Once those devices are reintroduced to the corporate network, malware can, in many situations, spread without having to deal with any firewalls.