The 10th (and Most Vital) Network Security Best Practice: Prepare for the Worst

Editor’s note: In the spirit of our highly popular post, “The 9 Most Vital Network Security Best Practices,” here’s an additional best practice you’ll want to add to your repertoire.

Although more than 2,000 years have passed since he said it, Greek philosopher Heraclitus’ famous quote, “Change is the only constant in life,” still rings true in network security. Those of us who keep the roads on which businesses run clear of obstacles know that even our most diligent efforts don’t always produce the desired results.

Even if we keep looking over our shoulders, we’re always aware that it won’t matter if we tightened our security posture and prevented most of what was thrown at us, or that we were right 999 times out of 1,000.

Security is very much a “what have you done lately” proposition, and when things do go wrong, every second of awareness of wrongdoing counts.

The Original Nine Best Practices

Prevention is always and everywhere the most effective network security plan, and, as noted above, we’ve previously identified nine extremely important best practices:

1. Maintain your software
2. Make visibility your top priority
3. Keep a close eye on user permissions
4. Use a reliable network packet broker to send the right traffic to the right tools
5. Stay compliant
6. Establish a security policy
7. Always back up your data
8. Don’t forget about third-party users
9. Educate your users

#10: Prepare for the Worst

Prevention won’t be effective, however, if you don’t know whether your prevention strategies are working. So, the additional corollary to prevention is prepare for the worst and constantly monitor your network for threats. Ensure that your prevention efforts are working, and when they aren’t, make sure to find the threat quickly and mitigate its harm immediately.

With that in mind, keep the following considerations front of mind when instituting effective detect-and-respond strategies:

Continuously Monitor — Use Metadata

Good prevention keeps the total number of threats low, but to find threats that get through, keep eyes on all traffic, regardless of cardinality (north-south and east-west). Many organizations keep copies (packet captures, or PCAPS) of this traffic for forensics and/or compliance purposes, and often incur large storage expenses to do so.

However, using traffic metadata tailor-built for incident response (and not just the generic NetFlow or internet protocol flow information export — IPFIX) and that is enriched with threat intelligence and contextual analysis, is far more effective for alert triage. Metadata also has a much smaller footprint, with size ratios compared to PCAP often on the order of 2000:1,¹ so storage costs can be kept to a minimum.

Analyze, Analyze, Analyze

Most security teams are able to address only 50 percent of the alerts they receive a day.² With the size of the datasets and the number of security tools (often 20 or above)² deployed in an environment, it’s a wonder that teams are even able to address the 50 percent they get to.

Machine learning (ML) and artificial intelligence (AI) provide some measure of relief, but used alone they can also compound the problem. ML and AI systems work best as force multipliers of security research teams who are well-versed on adversary tactics. Use their technologies and wisdom as a way to reinforce what you know and gain control over noisy alerting systems.

Keep Learning

This one is often overlooked. Incident response, threat investigation and threat hunting are all really tough jobs. Teams often suffer from fatigue, resulting in high turnover. Look into instituting a rotating process where junior-level teams can effectively learn from incidents and from their senior-level peers. Build metrics around this and encourage collaboration.

ML and AI won’t catch the most effective attacks and threat actors; only worthy adversaries can do this (humans are better at catching humans). Make your direct teams more effective through exciting exchanges of information and be sure to extend this to your end users. The old adage certainly applies here: Teams are only as effective as their weakest link. Make your end users strong complements to your security teams.

In all, keep your prevention strategies up to date, and be sure to augment them with effective detect-and-respond strategies. This approach provides the strong security posture needed to combat threat actors in today’s ever-changing landscape.

---

Citations:

¹ Reid, Gavin. “NetFlow AND PCAP (Not or).” Cisco Blogs, July 8, 2016. https://blogs.cisco.com/security/netflow-and-pcap-not-or.

² McGuire, Kelsey. “7 Insights from Cisco’s 2019 CISO Benchmark Study.” FairWarning, April 12, 2019. https://www.fairwarning.com/insights/blog/7-insights-from-ciscos-2019-ciso-benchmark-study.