16 Aug Remote Locations: Soft Targets Make Great Footholds
A short time ago, in a remote office a few internet hops away….
Given recent trends in overall corporate spending for security solutions, most companies are now armed to the teeth, much like the Empire in the Star Wars series of movies. Having more weapons to stop, frisk, and ultimately eliminate the bad guys in data centers is always a great thing, but as the saying goes, the larger they are, the harder they fall. Most organizations that have made security breach headlines in recent years have done so not because they failed to arm themselves with increasingly complex and sophisticated security tools, but because they failed to do the little things, like getting visibility into network traffic in small, remote offices. This has become a glaring weakness in the attack surface of most organizations.
It is easy to understand how this happens. Security defenders are typically constrained in three dimensions: budget, time (in terms of people resources) and the perception that they inhibit efficient operation of the network (“you want to put ANOTHER device into my network?!?”). As a result, most of the security budget and time is spent protecting what is easily understood and easiest to communicate to management, i.e., the known critical informational resources and assets sitting in the main data center or corporate headquarters. It becomes much harder to justify putting an IDS in those 120 remote offices that only have 10-20 people, and which have limited information of any measurable “theft value” to the bad guys. Moreover, just managing 120 more devices could be viewed as a challenge with limited manpower on hand. Other locations such as stores or branches that handle customer transactions are more important to protect, but those can number into the hundreds (or thousands) of locations, further exacerbating the cost/resource challenge most organizations face.
Without basic network traffic visibility, the security team does not understand what is considered normal or abnormal on the LAN, from user activity to devices, from applications to protocols, which essentially renders the location a soft target. This basic data can be the difference between understanding when an attack is underway and a company being another data point in the industry average Median Time of Compromise to Discovery – a whopping 146 days!
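What "normal or abnormal on the LAN" can mean in practice, as an added example that is not part of the original post or any vendor's product code: a per-site baseline of devices and services, compared against a later day's connections. The records are constructed and only shaped like Bro conn.log entries; the site tag, addresses and function names are assumptions.

```python
from collections import defaultdict
# Constructed sample data. Columns: site tag (assumed to be added per sensor), then a
# simplified subset of Bro conn.log fields: originator, responder, port, proto, service.
COLS = ("site", "orig_h", "resp_h", "resp_p", "proto", "service")
BASELINE = """
branch-017 10.17.0.21 10.0.5.10 445 tcp smb
branch-017 10.17.0.21 10.0.5.53 53 udp dns
branch-017 10.17.0.22 10.0.8.80 443 tcp ssl
"""
TODAY = """
branch-017 10.17.0.22 10.0.8.80 443 tcp ssl
branch-017 10.17.0.99 10.0.5.53 53 udp dns
branch-017 10.17.0.99 10.0.5.10 3389 tcp rdp
branch-017 10.17.0.22 10.0.5.10 445 tcp smb
branch-042 10.42.0.5 10.0.5.53 53 udp dns
"""

def parse(text):
    """Turn whitespace-separated lines into dicts keyed by COLS."""
    return [dict(zip(COLS, ln.split())) for ln in text.strip().splitlines()]

def build_baseline(rows):
    """Per site: hosts seen, services seen, and which host used which service."""
    base = defaultdict(lambda: {"hosts": set(), "services": set(), "pairs": set()})
    for r in rows:
        svc = (r["proto"], r["resp_p"], r["service"])
        site = base[r["site"]]
        site["hosts"].add(r["orig_h"])
        site["services"].add(svc)
        site["pairs"].add((r["orig_h"], svc))
    return base

def find_deviations(base, rows):
    """Return sorted (site, kind, detail) tuples for traffic outside the baseline."""
    out = set()
    for r in rows:
        host, svc = r["orig_h"], (r["proto"], r["resp_p"], r["service"])
        known = base.get(r["site"])  # .get() does not create an empty baseline
        if known is None:
            out.add((r["site"], "no-baseline", host))  # site nobody is watching
            continue
        if host not in known["hosts"]:
            out.add((r["site"], "new-device", host))
        if svc not in known["services"]:
            out.add((r["site"], "new-service", "/".join(svc)))
        elif host in known["hosts"] and (host, svc) not in known["pairs"]:
            out.add((r["site"], "new-use-of-service", f"{host} -> {'/'.join(svc)}"))
    return sorted(out)
```

Calling `find_deviations(build_baseline(parse(BASELINE)), parse(TODAY))` flags the unknown device, the service never seen at that site, a known host using a service it never used before, and the site that has no baseline at all.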
Many remote locations are Internet connected, whether sanctioned or not. If I had a nickel for every time an assessment turns up a rogue wireless access point set up by some clever employee… Further, these locations are all connected back to the central network. If an attacker can compromise a remote location, it’s an effective foothold to get onto the main network.
Every Internet connection should have basic security, including a firewall for access management and an IDS for threat detection. Most organizations fail to adequately provide for these two security functions, opting to use the most basic security functions provided by the network router, opting for the passé UTM or opting to “take their chances.” Routers weren’t built to stop attackers, UTMs fail because of performance tradeoffs and “taking your chances” should be left to bets in a casino. Moreover, each of these baling-wire approaches gives the security professional insufficient log evidence to backtrack when a breach is discovered.
Bricata has developed a small office IDS appliance that is purpose-built to reduce the total cost of ownership for protecting large numbers of locations. Combining a low-cost, high-performance sensor with an easy-to-use central management console, Bricata makes it affordable to monitor, detect and protect against external threats in remote locations. The next generation network sensor leverages a multitude of open source technologies to achieve the low cost-to-detection ratio many companies have been seeking. The sensor includes a Suricata IDS threat engine that leverages the traditional IDS signature approach as well as a Bro Network sensor engine that leverages a protocol analysis approach for detecting anomalous patterns and behaviors on a network. Lastly, the sensor includes a PCAP solution that maintains from days to weeks of historical network traffic data useful during alert analysis and investigations.