“If you’re not measuring what’s coming in and out of your network you’re leaving an enormous gap in what you can detect,” said Dan Frye (@frizille), Associate Vice President of Corporate Security at CedarCrestone.
What we’re losing sight of, Frye said, is that the concepts we use to detect dormant malware are the same concepts we use in security day in and day out. So why not apply those same techniques day in and day out, so you don’t end up with situations like malware sitting on your system for ten years (a real problem Frye said happened at one college)?
In that situation, it’s not a breakdown of technology, said Frye, it’s a breakdown of the process you use to track and monitor that activity.
I asked Frye about creating a tough infrastructure to thwart malware and he suggested that instead of having a huge network of computers that’s hard on the outside and soft and chewy on the inside, we monitor how those shells communicate with each other. Ask yourself, “What are the ports that are open, the processes that are running” and then look for outliers.
Frye said if you just monitor the inputs and outputs, in theory, you have perfect intelligence of what’s going on with your system. Your job now is to look for outliers and patterns that don’t exist in a normal network.
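The approach Frye describes, a known-good inventory of open ports and running processes plus a watch on what each host sends out, can be reduced to a small check. The script below is an added example, not code from the article or from CedarCrestone; the host names, baseline and snapshot are constructed, and the MAD-based egress score and its threshold are my assumptions.

```python
"""Compare a snapshot of hosts against a baseline: flag new listening ports,
new processes, unknown hosts, and hosts whose outbound volume is an outlier."""
from statistics import median

# Constructed baseline: what "normal" looks like for three hypothetical hosts.
BASELINE = {
    "web01": {"ports": {22, 80, 443}, "procs": {"sshd", "nginx"}},
    "db01":  {"ports": {22, 5432},    "procs": {"sshd", "postgres"}},
    "app01": {"ports": {22, 8080},    "procs": {"sshd", "java"}},
}

# Constructed current snapshot: db01 has a new listener and an unknown process,
# and app01 is sending far more data out than its peers.
SNAPSHOT = {
    "web01": {"ports": {22, 80, 443},       "procs": {"sshd", "nginx"},                 "bytes_out": 210_000},
    "db01":  {"ports": {22, 5432, 4444},    "procs": {"sshd", "postgres", "unk_daemon"}, "bytes_out": 190_000},
    "app01": {"ports": {22, 8080},          "procs": {"sshd", "java"},                  "bytes_out": 9_800_000},
}

def inventory_outliers(baseline, snapshot):
    """Return (host, kind, value) for ports/processes absent from that host's
    baseline, and a single finding for any host that was never baselined."""
    findings = []
    for host, cur in snapshot.items():
        base = baseline.get(host)
        if base is None:
            findings.append((host, "unknown_host", None))
            continue
        for kind in ("ports", "procs"):
            for item in sorted(cur[kind] - base[kind]):
                findings.append((host, f"new_{kind[:-1]}", item))  # new_port / new_proc
    return findings

def egress_outliers(snapshot, threshold=5.0):
    """Flag hosts whose bytes_out sits far from the group's median, scored by
    median absolute deviation (MAD) so one huge value cannot mask itself.
    If MAD is zero (all hosts alike), any deviation at all is an outlier."""
    values = {h: s["bytes_out"] for h, s in snapshot.items()}
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    flagged = []
    for host, v in values.items():
        dev = abs(v - med)
        score = dev / mad if mad else (float("inf") if dev else 0.0)
        if score > threshold:
            flagged.append((host, v, score))
    return flagged

if __name__ == "__main__":
    for f in inventory_outliers(BASELINE, SNAPSHOT) + egress_outliers(SNAPSHOT):
        print(f)
```

In practice the baseline would be refreshed from a change-controlled build, and the snapshot fed from whatever already collects listening sockets, process lists and flow counters.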
“It’s not an anti-virus or intrusion detection telling me that,” said Frye. “It’s just me monitoring my environment.”