KNOWN UNKNOWNS
• We filter our incoming traffic by looking for what we know about the unknown.
• We look for signatures within virus content and malware and exclude them with our anti-virus systems.
• We search for key words within email and source addresses against a blacklist, either globally or locally held.
• We can filter for spam and other inappropriate material, again using whitelists and blacklists, and also filter web content for employees based on departmental requirements and time allocation.
• We block ports on firewalls and open others for incoming or outgoing traffic.
However, underlying this thorough inspection is all the other traffic our systems have acknowledged as acceptable. That traffic either conforms to the rules we have devised, or it falls outside the scope of our rules because we have a set of rules without all the permutations in place. These are the unknowns we know are abroad; to quantify them as a risk we first need to identify them.
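The default-allow gap described above, as an added example that is not part of the original article: a toy first-match rule set (the rule syntax, addresses and ports are constructed assumptions, not any product's configuration) classifies sample flows, and the count of flows that no rule ever examined is the quantity the text says must be identified before it can be treated as a risk.

```python
import ipaddress
from collections import Counter

# Constructed rule set (an assumption, not any product's syntax): first match wins.
RULES = [
    {"name": "deny-blacklisted-src", "src": "203.0.113.0/24", "verdict": "deny"},
    {"name": "deny-telnet", "dport": 23, "verdict": "deny"},
    {"name": "allow-https", "dport": 443, "verdict": "allow"},
    {"name": "allow-smtp", "dport": 25, "verdict": "allow"},
]
DEFAULT_VERDICT = "allow"  # the permissive default that creates the known unknowns

def rule_matches(rule, flow):
    # Every field the rule names must agree with the flow; unnamed fields are wildcards.
    if "src" in rule and ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return "dport" not in rule or flow["dport"] == rule["dport"]

def classify(flow):
    """Return (verdict, rule name); rule name is None when only the default applied."""
    for rule in RULES:
        if rule_matches(rule, flow):
            return rule["verdict"], rule["name"]
    return DEFAULT_VERDICT, None

def summarise(flows):
    """Count flows blocked, allowed by an explicit rule, or passed by default only."""
    counts = Counter()
    for flow in flows:
        verdict, name = classify(flow)
        if verdict == "deny":
            counts["blocked"] += 1
        elif name is not None:
            counts["allowed_by_rule"] += 1
        else:
            counts["unexamined"] += 1  # nothing examined these: the known unknowns
    return counts

# Constructed sample flows: source address and destination port only.
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dport": 443},   # blacklisted source -> blocked
    {"src": "198.51.100.4", "dport": 443},  # HTTPS -> allowed by rule
    {"src": "198.51.100.9", "dport": 25},   # SMTP -> allowed by rule
    {"src": "198.51.100.2", "dport": 23},   # telnet -> blocked
    {"src": "198.51.100.5", "dport": 8443}, # no rule fits: passes by default, never inspected
    {"src": "198.51.100.6", "dport": 4444}, # no rule fits: passes by default, never inspected
]

if __name__ == "__main__":
    print(summarise(SAMPLE_FLOWS))  # Counter({'blocked': 2, 'allowed_by_rule': 2, 'unexamined': 2})
```

The "unexamined" bucket is the traffic the article means: it was never blocked, but it was never positively vetted either, so its risk is unquantified until someone looks at it.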
The attack surface for many companies is expanding and entry points into the heart of the network are becoming numerous. We have to approach security from a zero trust perspective, treating user systems on the inside with equal scepticism to those on the outside. Network confidentiality, availability and integrity have not been treated equally by IT managers. SLAs have traditionally been built around availability rather than confidentiality, which needs to change. SLAs should revolve around the data rather than the infrastructure. A recent Forrester report detailed that over 66% of data breaches are not identified by the organisations that are breached but by third-party companies.
Of course we absolutely do need the anti-virus, firewalls and content management systems; these form the foundations of our defence against the rising flood of targeted and drive-by incursions.
These defences need to extend to the various end-points of the network, inside and out. It is not an impossible task to garner all the traffic on a network; what is tricky is to analyse the information and understand the risk each data packet poses.
Security Information and Event Management (SIEM) technology is a large portion of the answer to this problem, but it is not a silver bullet. SIEM produces a vast amount of information about the way traffic behaves within the network and can indicate that systems are in the process of being compromised, or at least that their behaviour is not best practice.
SIEM will also point out exposures on the systems and indicate the fixes needed to patch those vulnerabilities.
48 Cyber Warnings E-Magazine – July 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide