Unfortunately, in today's world you will eventually be attacked if you do not pay attention to your employees' IT hygiene and maintain good corporate policy. And you will probably suffer severe consequences if you have not planned for an attack by identifying your critical data, creating an incident response plan, reviewing your cyber liability insurance rider and investing in continuous monitoring.
To learn how NetWatcher addresses this issue, watch our demo video.
In today's world, unfortunately, it is not the bad actor breaking through the front door (the firewall); it is employees letting the bad actor in through the front door. Today's threat is more about the unintentional insider: employees click on phishing messages, install risky software, do not patch software, send information over the internet in clear text and visit nefarious websites, all of which are vulnerabilities a bad actor can exploit.
Anti-virus is also not keeping up with today's threat. Crypting services such as execrypt.com have become popular; they obfuscate the binary data of an executable just enough that anti-virus software no longer matches its signature, bypassing detection. These tools and services have become indispensable for bad actors trying to take advantage of an individual or company. Anti-virus is still necessary: without it a user is at risk every time they visit a website, open an email or download a file. The point is that anti-virus alone is not enough protection.
Regulators that support the financial services, retail, healthcare and government agency verticals knew this 15 years ago and created policies that mandated “continuous monitoring” of IT systems.
| Vertical | Regulation | Continuous-monitoring requirement |
|---|---|---|
| Healthcare | HIPAA Security Rule | 164.308(a)(1)(ii)(D): Security Management Process. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. §164.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). |
| Retail | PCI DSS | 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. |
| Financial Services and Banking | GLBA Safeguards Rule | 314.4 Elements. In order to develop, implement, and maintain your information security program, you shall: (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures. Guidance from the FTC on "how to comply": use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. It's wise to: keep logs of activity on your network and monitor them for signs of unauthorized access to customer information; use an up-to-date intrusion detection system to alert you of attacks; monitor both in- and out-bound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user; |
| Government agencies | FISMA (NIST 800-53) | SI-4 Information System Monitoring. Control: The organization: (a) monitors the information system to detect (1) attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives] and (2) unauthorized local, network, and remote connections; (b) identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; (c) deploys monitoring devices (1) strategically within the information system to collect organization-determined essential information and (2) at ad hoc locations within the system to track specific types of transactions of interest to the organization; (d) protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; (e) heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; |
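As an added illustration of the change-detection control in PCI DSS 11.5 quoted above (a baseline of critical-file hashes, a later comparison, and a check that the comparison happens at least weekly), here is a small Python example. It is not NetWatcher's or any product's code; the function names and the sample files are assumptions for illustration.

```python
import hashlib
import tempfile
import time
from pathlib import Path

# Change-detection in the spirit of PCI DSS 11.5: hash critical files into a baseline, compare
# later, and flag when the comparison interval exceeds a week. Function names and the sample
# files are assumptions for illustration, not NetWatcher's or any product's code.
WEEK_SECONDS = 7 * 24 * 3600

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, critical_files, taken_at=None):
    """Record a digest for each monitored file and the time the baseline was taken."""
    root = Path(root)
    return {
        "taken_at": time.time() if taken_at is None else taken_at,
        "files": {rel: sha256_file(root / rel) for rel in critical_files},
    }

def compare_to_baseline(root, baseline, now=None):
    """Report modified and missing files and whether the weekly comparison is overdue."""
    root = Path(root)
    now = time.time() if now is None else now
    findings = {"modified": [], "missing": [], "stale_baseline": False}
    for rel, expected in baseline["files"].items():
        path = root / rel
        if not path.exists():
            findings["missing"].append(rel)  # critical file removed
        elif sha256_file(path) != expected:
            findings["modified"].append(rel)  # content changed since baseline
    findings["stale_baseline"] = (now - baseline["taken_at"]) > WEEK_SECONDS
    return findings

def demo():
    """Constructed sample: one monitored file altered, one deleted, checked 8 days later."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "app.conf").write_text("debug=false\n")
        (Path(d) / "checkout.php").write_text("<?php // constructed placeholder\n")
        baseline = build_baseline(d, ["app.conf", "checkout.php"], taken_at=0.0)
        (Path(d) / "checkout.php").write_text("<?php // unexpected edit\n")
        (Path(d) / "app.conf").unlink()
        return compare_to_baseline(d, baseline, now=8 * 24 * 3600)
```

Running `demo()` reports `checkout.php` as modified, `app.conf` as missing, and the baseline as stale because more than seven days have passed since it was taken.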