Most security monitoring practices focus primarily on reactive security: alerting security teams when a possible attack has been detected on their network so that they can react and try to stop the intruders before damage is done. The problem with this approach is that the longer an attack goes undetected, the more it costs to recover from it. The longer an attacker is inside your network, the more opportunity they have to find and exfiltrate sensitive information.
But what if you could prevent most attacks from ever occurring? Proactive security focuses on making your network harder to compromise by fixing the vulnerabilities that would let intruders in, rather than only detecting attacks once they are already under way. Think of it as installing stronger locks on your doors and fixing the holes in your fences rather than just installing security cameras.
The SANS Institute published the 20 Critical Security Controls (CSCs), now maintained by the Center for Internet Security as the CIS Controls. They are a prioritized set of guidelines for hardening your network against the attack patterns that are actually seen in practice. The CSCs make intrusion into your network more difficult through:
- asset and configuration management, so you know what you are defending
- continuous security monitoring and vulnerability scanning
- identifying weak points in your network (unknown devices, unapproved software, insecure configurations, unpatched systems)
- fixing those weaknesses before they are exploited
The CSCs are prioritized: the controls at the top of the list give the greatest reduction in risk, which is why implementation should start there. Organizations are strongly encouraged to implement all of them, but this post covers the first four.
Control 1 - Inventory of Authorized and Unauthorized Devices
This control covers maintaining an accurate, current inventory of every device connected to your network; as the network's owner, it is your job to know exactly what is attached to it. It matters because a device you do not know about (a contractor's laptop, a rogue access point, a forgotten test server) is invisible to patching, configuration management and monitoring, yet sits inside the perimeter with the same network access as everything else. The control calls for continuous discovery of devices, both actively (scanning) and passively (watching DHCP leases and network traffic), with particular attention to transient devices such as phones and laptops that join and leave frequently. Every newly discovered device is recorded and reconciled against the authorized inventory so that you can decide whether it is trusted and what access it should have; network-level authentication such as 802.1X can then enforce that decision rather than leaving it to policy alone.
Control 2 - Inventory of Authorized and Unauthorized Software
This control is similar in spirit to the previous one, in that it stresses knowing what is on your network, but it concerns the software installed on the nodes themselves. A device you trust may still be running malware or unpatched software with known vulnerabilities, so an inventory of devices alone is not enough. The control calls for an inventory of installed software on every system, an allowlist of what is approved for business purposes, and detection (or, with application whitelisting, outright blocking) of anything outside that list.
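As an added example, not code from the SANS/CIS controls themselves, the following Python script performs the reconciliation that Controls 1 and 2 describe: it parses ISC dhcpd-style DHCPACK syslog lines to find MAC addresses that obtained a lease but are absent from the authorized device inventory, and compares one host's installed packages (in `dpkg-query` name/version form) against an allowlist that also carries a minimum approved version. The log lines, inventory, allowlist and package list are all constructed sample data.

```python
"""Reconcile observed assets against an authorized inventory (CSC 1 and 2).

Added example, not from the SANS/CIS documents. The DHCP log lines, the
inventory and the package list below are constructed sample data.
"""
import re

# ISC dhcpd-style syslog lines (constructed). Only DHCPACK means a lease was granted.
DHCP_LOG = """\
Mar  3 09:12:01 dhcp dhcpd: DHCPACK on 10.0.1.20 to 3c:52:82:aa:bb:01 (ws-alice) via eth0
Mar  3 09:13:44 dhcp dhcpd: DHCPACK on 10.0.1.21 to 3C-52-82-AA-BB-02 (ws-bob) via eth0
Mar  3 09:15:09 dhcp dhcpd: DHCPACK on 10.0.1.77 to a4:83:e7:11:22:33 (android-9f3c) via eth0
Mar  3 09:15:10 dhcp dhcpd: DHCPREQUEST for 10.0.1.77 from a4:83:e7:11:22:33 via eth0
Mar  3 09:20:30 dhcp dhcpd: DHCPACK on 10.0.1.22 to 3c:52:82:aa:bb:01 (ws-alice) via eth0
Mar  3 09:21:02 dhcp dhcpd: DHCPACK on 10.0.1.90 to 00:1a:2b:3c:4d:5e via eth0
"""

# Authorized device inventory keyed by MAC address (constructed).
AUTHORIZED_DEVICES = {
    "3c:52:82:aa:bb:01": "ws-alice, corporate laptop",
    "3c:52:82:aa:bb:02": "ws-bob, corporate laptop",
}

# The hostname in parentheses is optional: dhcpd omits it when the client sent none.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def normalize_mac(mac):
    """Canonical form so 3C-52-82-AA-BB-02 and 3c:52:82:aa:bb:02 are the same device."""
    return mac.lower().replace("-", ":")


def unknown_devices(log_text, authorized):
    """Return {mac: {"ip", "hostname", "first_seen"}} for every MAC that was granted a
    lease but is absent from the authorized inventory. Repeated leases are collapsed."""
    unknown = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m["mac"])
        if mac in authorized or mac in unknown:
            continue
        unknown[mac] = {"ip": m["ip"], "hostname": m["host"] or "", "first_seen": line[:15]}
    return unknown


# Package name -> minimum approved version (constructed allowlist).
APPROVED_SOFTWARE = {"openssh-server": "9.6", "curl": "8.5.0", "python3": "3.11.0"}

# Output of `dpkg-query -W -f='${Package}\t${Version}\n'` on one host (constructed).
INSTALLED = """\
openssh-server\t1:9.6p1-3
curl\t7.81.0-1
nc\t1.10-46
python3\t3.11.2-1
"""


def version_key(v):
    """Numeric components of a version, ignoring a Debian epoch ('1:') and the
    packaging revision ('-3'), so '1:9.6p1-3' compares as [9, 6, 1]."""
    v = v.split(":", 1)[-1]
    v = v.split("-", 1)[0]
    return [int(x) for x in re.findall(r"\d+", v)]


def unapproved_software(installed_text, approved):
    """Split installed packages into those not on the allowlist at all and those
    that are approved but older than the minimum approved version."""
    not_allowed, outdated = [], []
    for line in installed_text.splitlines():
        name, _, version = line.partition("\t")
        if name not in approved:
            not_allowed.append((name, version))
        elif version_key(version) < version_key(approved[name]):
            outdated.append((name, version, approved[name]))
    return not_allowed, outdated


if __name__ == "__main__":
    for mac, info in unknown_devices(DHCP_LOG, AUTHORIZED_DEVICES).items():
        print(f"unknown device {mac}: {info}")
    bad, old = unapproved_software(INSTALLED, APPROVED_SOFTWARE)
    print("not on allowlist:", bad)
    print("below minimum version:", old)
```

Two details matter in practice: MAC formats differ between DHCP servers, switches and inventory tools, so normalize before comparing, and only DHCPACK (not DHCPREQUEST or DISCOVER) means the device actually got on the network. Feed the unknown-device list into a ticket or NAC quarantine rather than just a report, otherwise the inventory drifts again.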
Control 3 - Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Default configurations of operating systems, services and applications are usually tuned for ease of use rather than security: unnecessary services enabled, weak authentication settings, permissive file permissions. This control calls for establishing a hardened configuration baseline (a vendor hardening guide or CIS Benchmark is the usual starting point), deploying it to every device, and continuously monitoring configuration state so that drift away from the baseline is detected and corrected. The goal is that the software and operating systems on your network stay in their hardened, patched state instead of slowly regressing to the defaults.
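As an added example, not from the controls themselves, here is a configuration-drift check of the kind Control 3 calls for, applied to an OpenSSH server configuration. The baseline entries are a constructed subset of common hardening guidance, the two sshd_config files are constructed, and the implicit values for absent directives are the OpenSSH defaults as assumed here (confirm them with `sshd -T` on the real host). It handles two details that grep-based checks get wrong: sshd uses the first occurrence of a keyword, and anything after a `Match` line applies only to matching connections.

```python
"""Configuration drift check against a hardening baseline (CSC 3).

Added example, not from the SANS/CIS documents. The baseline values and the
sample sshd_config files are constructed; a real baseline comes from a source
such as the CIS Benchmark for the platform in use.
"""

# Constructed baseline: lowercase keyword -> (predicate on the lowercase value, reason).
BASELINE = {
    "permitrootlogin": (lambda v: v == "no", "PermitRootLogin must be 'no'"),
    "passwordauthentication": (lambda v: v == "no", "PasswordAuthentication must be 'no' (keys only)"),
    "permitemptypasswords": (lambda v: v == "no", "PermitEmptyPasswords must be 'no'"),
    "x11forwarding": (lambda v: v == "no", "X11Forwarding must be 'no'"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "MaxAuthTries must be 4 or fewer"),
}

# Value sshd uses when the directive is absent. These are the OpenSSH defaults
# as assumed for this example; verify against `sshd -T` on the target host.
IMPLICIT_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}


def parse_global_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.
    sshd takes the FIRST occurrence of each keyword, and everything after a
    'Match' line applies only to matching connections, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


def check_config(text, baseline=BASELINE, defaults=IMPLICIT_DEFAULTS):
    """Return [(keyword, effective_value, source, reason)] for each baseline item
    the configuration violates. Absent directives are checked at their default,
    which is how a missing line can itself be a finding."""
    settings = parse_global_settings(text)
    findings = []
    for keyword, (ok, reason) in baseline.items():
        explicit = keyword in settings
        value = (settings[keyword] if explicit else defaults[keyword]).lower()
        if not ok(value):
            findings.append((keyword, value, "explicit" if explicit else "default", reason))
    return findings


# Constructed sshd_config that has drifted from the baseline. Note the duplicate
# MaxAuthTries (first value wins) and the Match block that does NOT fix the global
# PasswordAuthentication setting.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 10
MaxAuthTries 3
Match User deploy
    PasswordAuthentication no
"""

# Constructed sshd_config that meets the baseline; absent directives rely on defaults.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""


if __name__ == "__main__":
    for keyword, value, source, reason in check_config(WEAK_CONFIG):
        print(f"FAIL {keyword}={value} ({source}): {reason}")
    print("hardened config findings:", check_config(HARDENED_CONFIG))
```

Run this against the output of `sshd -T` instead of the file when you can: that prints the effective configuration after defaults and includes are resolved, so the parser no longer has to guess at defaults. The same shape (baseline of predicates, parse effective state, report drift with its source) carries over to any other service or OS setting.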
Control 4 - Continuous Vulnerability Assessment and Remediation
This control is broader, but no less important. It stresses the need to continuously assess your network for vulnerabilities, normally by running authenticated vulnerability scans on a regular schedule and correlating the results with other sources: event logs, patch-management data, and vulnerability advisories for the systems you actually run. Findings are then risk-rated (severity, exposure, whether an exploit is public) and remediated within a defined timeframe, with a follow-up scan confirming the fix. In short, stay current on both the state of your network and the state of security research, so that you can close vulnerabilities as soon as they become known rather than when an attacker finds them.
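As an added example, not from the controls themselves, the following Python triage routine shows the correlation step: scanner findings are collapsed into one open item per host and vulnerability across repeated scans, joined to the Control 1 asset inventory for exposure, assigned a severity band and an SLA deadline, and sorted by urgency. Findings on hosts that are missing from the inventory are split out as an inventory gap rather than a patching task. The scan results, inventory, placeholder vulnerability identifiers (VULN-A and so on) and SLA values are all constructed.

```python
"""Triage of vulnerability scan findings against an asset inventory (CSC 4).

Added example, not from the SANS/CIS documents. The scan results, inventory,
placeholder vulnerability identifiers and remediation deadlines are constructed;
real SLAs come from the organization's policy.
"""
from datetime import date, timedelta

# Remediation deadline per severity band, in days after first detection (constructed policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


# Asset inventory from Control 1 (constructed): hostname -> exposure attributes.
INVENTORY = {
    "web-01": {"internet_facing": True},
    "db-01": {"internet_facing": False},
    "ws-alice": {"internet_facing": False},
}

# Findings exported from a scanner over several runs (constructed; VULN-* are
# placeholder identifiers, not real CVEs).
SCAN_RESULTS = [
    {"host": "web-01", "vuln": "VULN-A", "cvss": 9.8, "scanned": "2024-02-01"},
    {"host": "web-01", "vuln": "VULN-A", "cvss": 9.8, "scanned": "2024-02-15"},  # re-detected, still open
    {"host": "db-01", "vuln": "VULN-B", "cvss": 7.5, "scanned": "2024-02-10"},
    {"host": "ws-alice", "vuln": "VULN-C", "cvss": 5.3, "scanned": "2024-02-15"},
    {"host": "test-99", "vuln": "VULN-B", "cvss": 7.5, "scanned": "2024-02-15"},  # not in inventory
]
TODAY = "2024-02-20"  # fixed so the example is reproducible


def triage(results, inventory, today):
    """Collapse repeated detections into one item per (host, vuln), attach severity,
    SLA deadline, days open and exposure, and sort by urgency. Returns
    (ordered_items, hosts_missing_from_inventory)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    items, unknown_hosts = {}, set()
    for r in results:
        if r["host"] not in inventory:
            unknown_hosts.add(r["host"])  # an inventory gap (Control 1) before a patching problem
            continue
        scanned = date.fromisoformat(r["scanned"])
        item = items.setdefault((r["host"], r["vuln"]), {
            "host": r["host"], "vuln": r["vuln"], "cvss": r["cvss"],
            "first_seen": scanned, "last_seen": scanned,
        })
        item["first_seen"] = min(item["first_seen"], scanned)  # clock starts at first detection
        item["last_seen"] = max(item["last_seen"], scanned)
    for item in items.values():
        sev = severity(item["cvss"])
        item["severity"] = sev
        item["deadline"] = item["first_seen"] + timedelta(days=SLA_DAYS[sev])
        item["overdue"] = today > item["deadline"]
        item["days_open"] = (today - item["first_seen"]).days
        item["internet_facing"] = inventory[item["host"]]["internet_facing"]
    ordered = sorted(items.values(),
                     key=lambda i: (i["overdue"], i["internet_facing"], i["cvss"]),
                     reverse=True)
    return ordered, unknown_hosts


if __name__ == "__main__":
    ordered, unknown = triage(SCAN_RESULTS, INVENTORY, TODAY)
    for i in ordered:
        flag = "OVERDUE" if i["overdue"] else ""
        print(f"{i['host']:9} {i['vuln']} {i['severity']:8} open {i['days_open']:>3}d "
              f"due {i['deadline']} {flag}")
    print("findings on hosts missing from inventory:", sorted(unknown))
```

The point of keying on first detection rather than the latest scan is that re-detections must not reset the clock; otherwise an item that is rescanned every week never becomes overdue. The sort key is deliberately coarse (overdue, then exposure, then score) so that a medium-severity bug on an overdue internet-facing host outranks a fresh high on an internal workstation, which is usually the order a team should actually work in.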
Implementing these first four controls is the foundation of a proactive security monitoring program; the remaining controls build on the inventories and configuration baselines that these four establish.