
Stay Alert: Insights from Ancient Wisdom

Peter’s wisdom from 62 AD still resonates today: Stay alert, for the adversary is always seeking to devour. In cybersecurity, monitoring and responding to alerts is crucial to catching attackers and preventing data breaches.

No organization is fully secure from all attackers. A persistent and/or advanced attacker WILL breach your systems if they decide to target you. It is impractical to fully defend against all attacks. Even “unplugging the computer” will not stop all attacks. As such, the ability to detect, respond to, and investigate unauthorized access is as critical a goal as having secure configurations.

Immediate Goals:

  • At minimum, add failed/successful logins to the logs. This is advisable for real-time detection and forensic/incident response purposes.
  • Enable all available logging throughout your environment.
  • Enable alerting for all suspicious activity – web, email, SMS, authentication, etc.
  • Include timestamps and source IPs, when appropriate.
  • Spend at least a few minutes each day manually reviewing a summary of the logs, looking for alerts (ex: yellow or red items) and spikes in traffic, or use a managed service provider to collect, monitor, and alert on anomalous activity in your network.

Long-Term Goals:

  • Perform the same tasks mentioned above across all of your systems – databases, servers, workstations, applications, etc.
  • Consider creating alerts for abnormalities in authentication events, e.g. a high volume of attempts, many unique usernames from a single IP, geographically improbable access attempts, etc.
  • Anything that is capable of producing logs should be configured to generate and send logs to a secure central log management solution with real-time detection and alerting.
  • Ensure you have a response plan in place in the event of an attack or breach. This plan should include a printed playbook of the immediate actions you will take, including what 3rd party resource you may call to help respond to the attack, what you will communicate to your clients, etc.
  • In addition to logging/alerting, determine if security solutions being utilized, or ones available to use, can auto-block, at least on a temporary basis, some of the scanning activity. The idea is to cause scanning and enumeration to fail often enough and slow down an attacker enough to minimize potential vulnerability discovery.
  • If the above goals are too burdensome for your existing staffing, consider supplementing your capabilities with a managed SOC provider (AKA SOCaaS) such as: ActZero, Arctic Wolf, Binary Defense, eSentire, Rapid7, SentinelOne, etc.
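The authentication-abnormality alerts described above (high failure volume, many unique usernames from one IP, geographically improbable access) can be prototyped in a few dozen lines before investing in a central log platform. The following Python is an added illustration, not PEN Consultants' code or a specific product's rules; the log format, the `geo=lat,lon` field, the sample IP addresses and the thresholds (5 failures in 5 minutes, 5 distinct usernames, 900 km/h) are all constructed assumptions that you would tune to your own environment.

```python
"""Added example detectors for the authentication abnormalities listed above
(high failure volume, many usernames from one IP, improbable travel).
Illustration only, not PEN Consultants' code; the log format is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample log (hypothetical format): ISO timestamp, then key=value pairs.
# 203.0.113.5 fails against six usernames in two minutes; alice "logs in" from
# London and then New York one hour apart; bob is a normal single login.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=alice ip=198.51.100.20 result=OK geo=51.50,-0.12
2024-05-01T10:01:00Z user=bob ip=198.51.100.7 result=OK geo=48.85,2.35
2024-05-01T10:02:00Z user=admin ip=203.0.113.5 result=FAIL
2024-05-01T10:02:10Z user=root ip=203.0.113.5 result=FAIL
2024-05-01T10:02:20Z user=test ip=203.0.113.5 result=FAIL
2024-05-01T10:02:30Z user=guest ip=203.0.113.5 result=FAIL
2024-05-01T10:03:40Z user=oracle ip=203.0.113.5 result=FAIL
2024-05-01T10:03:50Z user=backup ip=203.0.113.5 result=FAIL
2024-05-01T11:00:00Z user=alice ip=203.0.113.88 result=OK geo=40.71,-74.01
"""


def parse_event(line):
    """Turn one log line into a dict; geo is optional and parsed to floats."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "lat": None, "lon": None}
    for pair in pairs:
        key, value = pair.split("=", 1)
        if key == "geo":
            event["lat"], event["lon"] = (float(x) for x in value.split(","))
        else:
            event[key] = value
    return event


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_high_volume(events, threshold=5, window=timedelta(minutes=5)):
    """Flag an IP with >= threshold failed logins inside any sliding time window."""
    alerts, fails = [], defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]].append(e["ts"])
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "high_volume", "ip": ip, "count": end - start + 1})
                break  # one alert per IP is enough
    return alerts


def detect_username_spray(events, threshold=5):
    """Flag an IP that tries >= threshold distinct usernames (spraying pattern)."""
    users = defaultdict(set)
    for e in events:
        users[e["ip"]].add(e["user"])
    return [{"rule": "username_spray", "ip": ip, "usernames": len(u)}
            for ip, u in users.items() if len(u) >= threshold]


def detect_impossible_travel(events, max_kmh=900.0):
    """Flag a user whose consecutive successful logins imply travel faster than max_kmh."""
    alerts, logins = [], defaultdict(list)
    for e in events:
        if e["result"] == "OK" and e["lat"] is not None:
            logins[e["user"]].append(e)
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            # Same-second logins from different places are treated as infinitely fast.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": prev["ip"], "to": cur["ip"], "speed_kmh": speed})
    return alerts


def analyze(log_text):
    """Run all three detectors over a log and group the alerts by rule name."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    grouped = {"high_volume": [], "username_spray": [], "impossible_travel": []}
    found = (detect_high_volume(events) + detect_username_spray(events)
             + detect_impossible_travel(events))
    for alert in found:
        grouped[alert["rule"]].append(alert)
    return grouped


if __name__ == "__main__":
    for rule, alerts in analyze(SAMPLE_LOG).items():
        print(rule, alerts)
```

Running the script prints one alert per rule for the constructed sample: the spraying IP trips both the volume and the distinct-username rules, and alice's London-to-New York pair implies a speed of roughly 5,500 km/h. In a real deployment the same three functions would consume events from your central log store, and the alerts would feed the email/SMS and ticketing paths described above rather than `print`.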

User Accessible Logs:

  • Ensure each user, in addition to admins, has access to robust user-accessible notifications and logs related to authentication and profile change activity in the GUI.
  • In addition to the accessible notifications in the GUI, also send the more concerning alerts to the user’s email/SMS – account locked, password changed, etc. – and/or forward them to an API or syslog endpoint.

If you are looking for a reliable and experienced offensive security service that provides Rock Solid Security, look no further than PEN Consultants for all your information and cybersecurity testing needs. Contact us: