Build your Cyber Security Watch

For me Threat Intelligence is not only the last buzzword for security products. It also means education of the day-to-day professionals who take care of network and system. It can be related to security watch

I often hear from system administrators that they rarely have time to care for security or don’t know where to look. Of course I encounter most of the time relatively small companies with a single guy or a small team responsible for the whole IT in the company. I agree that when you’re not in the security world it might be confusing to enter and to determine what makes sense for your day-to-day work. The hardest in security is most of the time to be aware of the risks you incur.

In this post I propose examples and advice to grow your security knowledge and keep track of security events that makes sense to your business and your system.

  1. Know your assets : This is definitely the hardest part, to build up a list of what runs in your company and maintain it is most of the time a huge pain. Nonetheless it’s critical to know what you need to secure. Besides it’s something valuable you’ll be able to use for monitoring, patching, return of investments tracking. By doing that you may already realize on which system you need to focus for security purpose. As anyone, an attacker would go for the weakest element of your infrastructure. You need to be aware of where it is, maybe act upon it by isolating or upgrading it. Security could be another leverage to use with your management in order to do so. Hopefully there are asset management tools to help you do this. I personnally encountered one called Nexthink which was really good for this task. If you know others please let me know in comments.
  2. Aggregate security feed in one place and review it everyday: IT professionals need to stay up to date with a lot of things and technologies. As any other security should be in your daily routine. You can build a dashboard such as Netvibes, Feedly, Newsblur… I personnally use Netvibes and my watch page can be a start. I highly recommend you to add the CERTA of your own country, in your language as well as all the security feed from the vendors you identified in step one. Most of big vendors will have security feeds as well as functionnality one to keep tracks of new versions. It might take a day to prepare this dashboard but then you’ll gain so much time everyday by looking at a unique dashboard. However don’t forget to keep it up to date every now and then. The best would be a tool to correlate the feeds you receive with the inventory made in step 1. It would take name and version to create alert events.
  3. Dashboard security events publicly: By this I mean, put a screen in the open-space or in your view displaying security events, dashboard, feeds. It helps reminding you of security and make you aware if something happen. Most of the time it only costs a raspberry pi and a screen and can have huge impact. My customer used to display login logs of his servers using a SIEM and could react within minuts when an attacker came in. Same practice is often used for monitoring.
  4. Attend security conference or events:  Make the effort to be curious and attend at least one security event by year. Depending on your level there are different types of security events. You don’t need to go in highly technical stuff if you don’t understand half of what the speaker is talking about. You should pick something you have slight interest into or related to one of the product you own in step 1. If you play smart, you may ask one of your vendor to invite you to one or at least tell you some conferences name. Otherwise google : security + town_name and you might find yourself lucky 🙂 It’s also a great occasion to meet interesting people to share advices and methodologies to implement security in-house.
  5. Bring security into discussions with managers or deciding new products: Once again it’s an effort you need to make to make everybody aware of security topic. The more you’ll tell your management, the more they’ll know you care and eventually they will too ! It’s also pretty fun to see the vendor salesman turn white when you pronounce the word security for their products 🙂 Eventually this will both help you get invited to security events and create a security culture internally.

Resources:

http://securelist.com/

http://web.nvd.nist.gov/view/vuln/search

https://www.us-cert.gov/ncas/alerts

http://www.exploit-db.com/

http://packetstormsecurity.com/

http://www.symantec.com/connect/symantec-blogs/sr

http://www.trendmicro.com/us/security-intelligence/current-threat-activity/

https://www.cert.gov.uk/resources/advisories/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.