I visit organizations and companies for miscellaneous projects, and I am often scared by the lack of “visibility” they have on their own infrastructure. For years now, new components have been deployed out of pure requirements or (honestly) under business “pressure”: firewalls, IDS/IPS, (reverse) proxies, WiFi, SSL VPNs, etc. All those solutions, hardware as well as software, come with their own management tools and sometimes their own protocols! Once all these security toolboxes are in place, the next question soon arises: “That’s cool but… how can I be sure that all security components work together?”
A good example is the buzz around the AET or “Advanced Evasion Techniques” announced by Stonesoft a few weeks ago. If you are interested in evasion techniques, Stonesoft presented a first piece of research during the 2009 edition of hack.lu. At the time, their announcement indeed looked like a major flaw in IDS systems, but I decided not to blog about it and let some time pass. Why? First, do you have an IDS? Not sure! Small organizations do not have the resources (money, time, people) to maintain an IDS. You’re lucky and you have one? Do you rely on your IDS alone? I hope not! Let’s imagine that your IDS does not detect a piece of malware injected into your network via an advanced evasion technique; your anti-virus solution should then do the job… in a perfect world…
This kind of flaw could also affect other devices. To prevent this, your security must be based on multiple layers of defense. Adding layers also increases the complexity of maintaining them. To increase your security even more, you have to be the conductor of all those solutions and make them work together in a consistent way! How to achieve this?
- Keep them up-to-date (apply the released patches)
- Keep the configurations clean and simple (perform regular “spring cleanups”)
- Centralize all the logs in a single, secured place
- Use tools to analyze the logs and raise security incidents from them
- Keep documentation of your infrastructure
- Keep your data flows under control
- Keep strong access policies on your data (“least privilege”)
And remember, you don’t need the latest killer SIEM solution to achieve this. There are plenty of free tools to build a simple and effective log management solution. Remember, visibility is the keyword!
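To make the “centralize the logs, then analyze them” points concrete, here is a small added example (my own code, not something from the original post or from any product mentioned in it). It takes constructed syslog lines from two sources, a firewall and an SSH bastion, both forwarding to one collector, normalizes them into events, and applies two rules: a single-source brute-force rule, and a cross-source rule that only works because both logs sit in the same place. The hostnames, addresses, thresholds and the fixed year (syslog timestamps carry none) are all assumptions made for the demonstration.

```python
"""Minimal centralized-log correlation: normalize syslog lines from several
sources, then raise incidents from simple rules. Added example, not from the
original post; all sample data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not captured from a real system): a firewall (fw01)
# and an SSH bastion both forwarding syslog to one collector.
SAMPLE_LOGS = """\
Nov 12 10:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Nov 12 10:00:03 bastion sshd[4021]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 12 10:00:05 bastion sshd[4021]: Failed password for root from 203.0.113.7 port 51236 ssh2
Nov 12 10:00:07 bastion sshd[4021]: Failed password for admin from 203.0.113.7 port 51238 ssh2
Nov 12 10:00:09 bastion sshd[4021]: Failed password for admin from 203.0.113.7 port 51240 ssh2
Nov 12 10:00:11 bastion sshd[4021]: Failed password for admin from 203.0.113.7 port 51242 ssh2
Nov 12 10:00:20 bastion sshd[4030]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Nov 12 10:05:00 bastion sshd[4040]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Nov 12 10:06:30 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=3389
"""

# RFC 3164-style header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) (\S+) ([\w.-]+?)(?:\[\d+\])?: (.*)$")
SSH_RE = re.compile(r"^(Failed password|Accepted \w+) for (?:invalid user )?(\S+) from (\S+) port")
FW_RE = re.compile(r"^(DROP|ACCEPT) .*SRC=(\S+) .*DPT=(\d+)")


def parse_line(line, year=2024):
    """Normalize one syslog line into an event dict; None if unparseable.
    The year is assumed because classic syslog timestamps do not carry one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts_text, host, program, msg = m.groups()
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": host, "program": program, "msg": msg}
    if program == "sshd" and (s := SSH_RE.match(msg)):
        event.update(action="auth_fail" if s.group(1).startswith("Failed") else "auth_ok",
                     user=s.group(2), src=s.group(3))
    elif program == "kernel" and (f := FW_RE.match(msg)):
        event.update(action="fw_drop" if f.group(1) == "DROP" else "fw_accept",
                     src=f.group(2), dport=int(f.group(3)))
    return event


def detect_incidents(events, fail_threshold=5, window_s=60, corr_window_s=300):
    """Apply two rules over normalized events and return a list of incidents."""
    incidents = []
    fails, drops = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("action") == "auth_fail":
            fails[e["src"]].append(e["ts"])
        elif e.get("action") == "fw_drop":
            drops[e["src"]].append(e["ts"])

    # Rule 1 (single source): >= fail_threshold failed logins from one address
    # inside a sliding window of window_s seconds.
    for src, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= fail_threshold:
                incidents.append({"rule": "ssh_bruteforce", "src": src, "count": j - i})
                break

    # Rule 2 (cross source): an address the firewall dropped is followed, within
    # corr_window_s seconds, by an authentication failure on another host.
    # Neither the firewall nor the bastion alone can see this pattern.
    for src in fails.keys() & drops.keys():
        pairs = [(d, f) for d in drops[src] for f in fails[src]
                 if 0 <= (f - d).total_seconds() <= corr_window_s]
        if pairs:
            incidents.append({"rule": "fw_drop_then_auth_fail", "src": src, "pairs": len(pairs)})
    return incidents


def analyze(text):
    """Parse raw collector text and return the incidents it yields."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return detect_incidents(events)


if __name__ == "__main__":
    for incident in analyze(SAMPLE_LOGS):
        print(incident)
```

On the sample data, 203.0.113.7 triggers both rules, while 198.51.100.9 triggers neither: its single failed login does not reach the threshold, and the firewall drop comes after the failure rather than before it. That asymmetry is the point of rule 2: with the firewall and bastion logs in separate silos, each box sees one harmless-looking event; only the centralized view links them.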