Today all know that building an unbreakable shield is next to impossible. Surprisingly, quite a lot of IT professionals believe that enterprise IT perimeter will stop any attacks. On the one hand, it’s partially true that you can make penetrating perimeter very difficult and expensive, on the other hand, nobody can guarantee that some perimeter is truly unbreakable.

When IT manager realizes that however strong the perimeter might be it can not guarantee absolute security the next step will be understanding that one now needs invest attention and financial resources into IT infrastructure. It is necessary to create the ability to monitor it, find traces of attackers’ actions and take countermeasures to prevent achievement of attack objectives (theft or destruction of information, financial frauds, extortions, etc.).

Let us stress the importance of it once again:

First and foremost, it is always a very good idea to have information about what is happening in IT infrastructure and not only for security reasons.

Second, no attack develops with lightning speed. Attackers need time to recognise hosts and resources, get understanding of internal infrastructure, access data and execute harmful action. See attack stages as explained by MITRE ATT&CK which is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

The bottom line is that we need to track attackers’ activity and catch them ASAP, before they really get access to data.

According to analytics, time between initial compromise and getting access to data ranges between couple of hours or a day. So we need fast and effective search of suspicious or uncommon actions to find tracks of attackers and localise the attack.

Sure, searching and tracking require certain level of expertise and competence of cybersecurity experts. But it is the only way to increase security to level where attempt to attack your infrastructure will become unprofitable for hacker team.  This is a reason behind dramatic growth of interest to SIEM systems, building on-site cybersecurity teams or switching to services of external teams, or MSSPs.

To achieve necessary level of security one needs to get logs and events from infrastructure to track the inside activities. We rely our experience to create minimal set of such sources to get sufficient enough overview of events and have ability to catch suspicious or uncommon actions:

  • System logs from servers and workstation logs;
  • Specific database logs;
  • Events from antimalware software, antivirus/endpoint protection system/endpoint detection & response;
  • Next Generation Firewall/ IPS/IDS logs & events
  • Router/gateway logs;

Besides, a very effective tool will be Deception or Honeypot systems, which simulate defenceless resources which will be very attractive for hackers, like Domain Server, Data Base, etc. Any attempt to attack or interact with this ghost will be logged and analysed because real user will not access such Honeypot. They just don’t know about such fake resources setup like traps.

Cybersecurity team or MSSP will process total amount of logs and events from all systems, correlate this information, analyse and discover security events (incidents) to investigate, localize and stop harmful activities.