Let’s examine the importance of developing and maintaining a deep understanding of your organization’s network and resources.
Know Your Environment
Many IT professionals immediately equate security with a variety of tools: IDS/IPS, anti-virus solutions, SIEM, and more. Those elements are very important in improving an organization’s security posture and play a role in defending your assets and network. But the single best tool for building a strong security program isn’t based in technology. It’s institutional knowledge. Know your environment. Understand and enumerate the resources that comprise your environment. Understand what constitutes normal activity within it so that you can better identify what’s abnormal.
How can you protect your IT resources if you don’t know what they are? How can you identify anomalies if you don’t know what’s normal for your environment? Creating and maintaining documentation of an organization’s resources and what’s deemed “normal” in an environment provides a strong foundation for better understanding daily operations, potential threats the organization faces, and the associated level of risk that must be managed. At the very least, the following documents should be created and updated at least twice a year, if not quarterly:
- Network diagram: This is the “map” of your environment, detailing the paths that data takes across the network and the resources with which the data interacts. At a minimum, it should represent data flows, the location of low- and high-trust zones, critical assets, networking infrastructure, and the identification and location of sensitive data in the organization’s environment. Failure to create and maintain this “map” means an organization literally does not understand the “lay of the land” in its own environment. This can cripple at a foundational level its ability to understand potential threats, build adequate layered defenses, and successfully assess and mitigate risk.
- Hardware inventory: A list of authorized hardware (desktops, servers, switches, firewalls, wireless access points, etc.) should be created and maintained in order to provide insight into the components that comprise an organization’s infrastructure. It should be updated any time a new component is added to the environment or an older resource is decommissioned. A well-maintained hardware inventory aids in three crucial areas:
  - It defines the proper scope of hardware that must be included in the patch cycle on a regular basis.
  - It can be leveraged to flag decommissioned resources that have not been removed from the network. Decommissioned servers that remain on the network might not be actively patched once they are retired, thus introducing unnecessary vulnerabilities to the environment.
  - The list can be used to determine quickly whether a newly discovered endpoint is potentially an unauthorized or rogue node, or simply an authorized host that needs to be added to the inventory.
- Software inventory: Akin to a hardware inventory, a software inventory provides insight into the applications that are approved for use in the environment. Maintaining such a list aids in two crucial areas:
  - Detection of the use of an unapproved application could be an early indicator of suspicious/malicious behavior or compromise. If LogMeIn is not an approved application in your environment, detection of the application would immediately be an event of interest to be thoroughly investigated.
  - An inventory of approved software defines the proper scope of applications that must be patched on a regular basis. Why spend time researching a vulnerability for application A and appropriate patches if you know that application A is not authorized for use in the organization’s environment?
- List of Approved Protocols: Determine which protocols have legitimate business uses tied to the organization’s daily operations and implement controls that detect or block the use of unapproved protocols. For example, is there an actual need for BitTorrent and other peer-to-peer sharing protocols to be used in the environment? If not, it represents an unnecessary waste of bandwidth and potentially could lead to the illegal distribution of copyright-protected material or malware posing as benign files and applications.
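The hardware inventory, software inventory, and approved-protocol list above are only useful if something actually compares them against what is observed on the network. The following is an added example, not code from the original article: a small reconciliation script that takes a constructed list of discovered hosts (as a scan or NAC system might produce) and checks it against constructed inventory data, flagging rogue nodes, decommissioned hosts still online, unapproved software such as LogMeIn, unapproved protocols such as BitTorrent, and inventory entries that were never seen (a hint that the inventory itself is stale). The record layout, hostnames, MAC addresses, and approved lists are all assumptions made for the example.

```python
"""Reconcile observed hosts against hardware/software/protocol inventories.

All inventory and scan data here is constructed sample data for the
example; replace it with exports from your CMDB, scanner, or NAC.
"""
from dataclasses import dataclass

# Constructed hardware inventory keyed by MAC address (assumed record layout).
HARDWARE_INVENTORY = {
    "00:11:22:33:44:01": {"hostname": "fs01", "role": "file server", "status": "active"},
    "00:11:22:33:44:02": {"hostname": "web02", "role": "web server", "status": "decommissioned"},
    "00:11:22:33:44:03": {"hostname": "ws-103", "role": "workstation", "status": "active"},
}

# Constructed approved-software and approved-protocol lists.
APPROVED_SOFTWARE = {"Microsoft Office", "Google Chrome", "7-Zip", "Okta Verify"}
APPROVED_PROTOCOLS = {"HTTPS", "DNS", "SMB", "LDAPS"}

# Constructed scan output: what was actually observed on the network.
DISCOVERED_HOSTS = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "hostname": "fs01",
     "software": ["7-Zip"], "protocols": ["SMB"]},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.1.20", "hostname": "web02",
     "software": [], "protocols": ["HTTPS"]},
    {"mac": "00:11:22:33:44:99", "ip": "10.0.1.77", "hostname": None,
     "software": ["LogMeIn"], "protocols": ["HTTPS", "BitTorrent"]},
]


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    host: str      # hostname if known, else IP
    detail: str


def reconcile(discovered, hw_inventory, approved_software, approved_protocols):
    """Return a list of Findings for every deviation from the inventories."""
    findings = []
    for host in discovered:
        label = host.get("hostname") or host["ip"]
        record = hw_inventory.get(host["mac"])
        if record is None:
            # Unknown MAC: either a rogue node or a host missing from the inventory.
            findings.append(Finding("high", label,
                "not in hardware inventory: possible rogue node or missing inventory entry"))
        elif record["status"] == "decommissioned":
            # Retired systems still online are typically no longer patched.
            findings.append(Finding("high", label,
                f"decommissioned {record['role']} still on the network"))
        for app in sorted(set(host.get("software", [])) - approved_software):
            findings.append(Finding("medium", label, f"unapproved software: {app}"))
        for proto in sorted(set(host.get("protocols", [])) - approved_protocols):
            findings.append(Finding("medium", label, f"unapproved protocol: {proto}"))
    return findings


def stale_inventory_entries(discovered, hw_inventory):
    """Hostnames marked active in the inventory but not seen on the network.

    These are candidates for an inventory update (e.g. a quiet decommission
    nobody recorded), which is the other half of keeping the map accurate.
    """
    seen = {h["mac"] for h in discovered}
    return sorted(rec["hostname"] for mac, rec in hw_inventory.items()
                  if rec["status"] == "active" and mac not in seen)


if __name__ == "__main__":
    for f in reconcile(DISCOVERED_HOSTS, HARDWARE_INVENTORY,
                       APPROVED_SOFTWARE, APPROVED_PROTOCOLS):
        print(f"[{f.severity.upper():6}] {f.host}: {f.detail}")
    for name in stale_inventory_entries(DISCOVERED_HOSTS, HARDWARE_INVENTORY):
        print(f"[STALE ] {name}: listed as active but not observed")
```

Run as-is, the script flags web02 (decommissioned but still answering), the unknown host at 10.0.1.77 (rogue or undocumented, running LogMeIn and speaking BitTorrent), and ws-103 as an active inventory entry that was not observed. In practice the MAC-keyed lookup is a convenience; inventories keyed on serial number or agent ID are harder to spoof, and the same two-way comparison applies.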
Building and maintaining this knowledge is a key factor that organizations often overlook or neglect. By engaging in the effort to collect, update, and understand this information, an organization lays a strong foundation on which it can add the appropriate technology, people, and processes needed to build a highly effective security program.