Sunday, April 19, 2015

Defense in Depth


With the evolution of technology, our dependency on digital devices has increased manifold, and we are exposed to cyber-attacks more than ever. Lately, giant organizations such as Sony and Amazon have become victims of cyber-attacks, and that has prompted other, similar or smaller and less protected establishments to ponder how immune they are to such attacks and what defense mechanisms they have in place should such an attack hit their own organization. As they say, a cyber-attack is not a question of "if" but of "when", so we need to be as ready as if we expected the attack today. There is never too much security, but ROI (Return on Investment) and cost-benefit analysis are also relevant.

Most organizations adopt a multilayered security approach: security at the perimeter with firewalls, a DMZ (Demilitarized Zone), IPS (Intrusion Prevention System), IDS (Intrusion Detection System), honeypots and WAFs (Web Application Firewalls), plus host-based protection such as antivirus, anti-spyware and threat protection. Considering this not enough, many organizations also set up a SOC (Security Operations Centre) and a NOC (Network Operations Center) to have a robust mechanism for defending against cyber-attacks. A SIEM (Security Incident and Event Management) system captures logs in real time, generates alerts and correlates events to identify abnormal or suspicious activity on the network. SIEM solutions like HP ArcSight, McAfee ESM and AlienVault USM also help in auditing breaches such as misuse of privileged user IDs and unauthorized changes. Organizations are also introducing end-user IT analytics solutions like Nexthink and SysTrack that monitor end-user activity in real time and generate alerts and reports so that the helpdesk can respond to any security incident quickly and efficiently.
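To make the SIEM correlation described above concrete, here is an added example (not from the original post) that runs two simple correlation rules over constructed authentication log lines: repeated failures followed by a success on the same account and host, and a privileged ID logging in outside business hours. The log format, the set of privileged IDs, the thresholds and the business hours are all assumptions.

```python
"""Minimal SIEM-style correlation over constructed auth log lines.
Added example, not from the original post; the event format, the
privileged IDs, the thresholds and the business hours are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> <host> <outcome>"
SAMPLE_LOGS = """\
2015-04-19T02:10:01 admin srv-db01 FAIL
2015-04-19T02:10:05 admin srv-db01 FAIL
2015-04-19T02:10:09 admin srv-db01 FAIL
2015-04-19T02:10:15 admin srv-db01 SUCCESS
2015-04-19T09:30:00 jsmith ws-042 SUCCESS
2015-04-19T09:31:00 jsmith ws-042 SUCCESS
2015-04-19T03:05:00 root srv-web02 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")
PRIVILEGED = {"admin", "root"}          # assumed privileged user IDs
FAIL_THRESHOLD, WINDOW = 3, timedelta(minutes=5)
BUSINESS_HOURS = range(8, 19)           # 08:00-18:59, assumed

def parse(lines):
    """Parse log lines into (timestamp, user, host, outcome), oldest first."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, host, outcome = m.groups()
            events.append((datetime.fromisoformat(ts), user, host, outcome))
    return sorted(events)

def correlate(lines):
    """Return alert strings for brute-force-then-success and off-hours privileged logins."""
    alerts = []
    fails = defaultdict(list)  # (user, host) -> timestamps of recent failures
    for ts, user, host, outcome in parse(lines):
        key = (user, host)
        if outcome == "FAIL":
            # keep only failures that fall inside the correlation window
            fails[key] = [t for t in fails[key] if ts - t <= WINDOW] + [ts]
            continue
        recent = [t for t in fails.pop(key, []) if ts - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(f"{ts} {user}@{host}: {len(recent)} failures then success")
        if user in PRIVILEGED and ts.hour not in BUSINESS_HOURS:
            alerts.append(f"{ts} {user}@{host}: privileged login outside business hours")
    return alerts
```

Run on the sample, `correlate(SAMPLE_LOGS)` yields three alerts: the admin brute-force-then-success, the same admin login flagged as off-hours, and the off-hours root login; the daytime jsmith logins produce none.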
ISO 27001 and ISO 27035 articulate the need for a robust Security Incident Management process to actually make use of these automated security tools. Unless organizations have strong Incident Management in place, they will find themselves off guard when they have to face, for example, a DoS/DDoS (Denial of Service/Distributed Denial of Service) attack.

The basic components of Security Incident Management are Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity.


This is a continuous cycle, and each phase of the cycle is as important as the cycle as a whole. Organizations need a clear and well-defined Incident Management Policy and guidelines, with clarity on the roles and responsibilities of all the teams and individuals involved. A post-mortem to actually find out the lessons learnt is very important, as they say: "There is a principle that says, never waste a good crisis."

Just as a security defense is not complete without a strong Incident Management Program, the same is true of Information Security Awareness. Security Awareness has lately become a major part of any security defense program. Given the rise of social engineering techniques such as phishing, spear phishing, email spoofing and APTs, Security Awareness has become the talk of the town. With the help of social engineering, attackers can penetrate even the strongest perimeter security and break into the most reliable and secured network. Many companies are investing in security awareness programs alongside other traditional security protection measures. Security Awareness can thwart many security incidents and can keep a check on insider attacks. Organizations need to have a thorough Information Security Awareness Program in place to educate employees about security threats and best practices.
