No, a firewall and anti-virus software are NOT enough protection against today’s intruders

March 05, 2017

Unfortunately, in today’s world you will eventually get attacked if you don’t pay attention to your employees’ IT hygiene and maintain good corporate policy. And you will probably suffer severe consequences if you have not planned for an attack by identifying your critical data, creating an incident response plan, reviewing your cyber liability insurance rider and investing in continuous monitoring.

To learn how NetWatcher addresses this issue, watch our demo video.

For a time, firewalls offered great protection for keeping the bad actor from getting into the network and locking you down for ransom or stealing your data for other illegitimate purposes.

However, in today’s world it is unfortunately not the bad actor breaking through the front door (the firewall); it is employees letting the bad actor in through the front door. Today’s threat is more about the unintentional insider threat, where employees click on phishing messages, install risky software, do not patch software, send information over the internet in clear text and go to nefarious websites—all vulnerabilities that a bad actor can exploit.

Anti-virus is also not keeping up with today’s threats. Crypting services such as execrypt.com have become popular; they obfuscate the binary of an executable just enough that anti-virus software no longer matches its signature, bypassing detection. These tools and services have become indispensable to bad actors trying to take advantage of an individual or company. Without anti-virus software, however, a user is at risk every time they visit a website, open an email or download a file. The point is that anti-virus alone is not enough protection.

Regulators that support the financial services, retail, healthcare and government agency verticals knew this 15 years ago and created policies that mandated “continuous monitoring” of IT systems.

Vertical: Healthcare
Mandate: HIPAA Security Rule
Mandate text: 164.308(a)(1)(ii)(D): Security Management Process – Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. 164.308(a)(1): Security Management Process §164.308(a)(1)(ii)(b) – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

Vertical: Retail
Mandate: PCI-DSS
Mandate text: 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Vertical: Financial Services and Banking
Mandate: GLBA Safeguards Rule
Mandate text: 314.4 Elements – In order to develop, implement, and maintain your information security program, you shall: (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures. Guidance from the FTC on ‘how to comply’: Using appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. It’s wise to: keep logs of activity on your network and monitor them for signs of unauthorized access to customer information; use an up-to-date intrusion detection system to alert you of attacks; monitor both in- and out-bound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user.

Vertical: Government Agencies
Mandate: FISMA (NIST 800-53)
Mandate text: SI-4 – INFORMATION SYSTEM MONITORING
Control: The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices:
1. Strategically within the information system to collect organization-determined essential information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

In many ways, continuous monitoring refers to monitoring the network and IT systems in case someone lets a bad actor through the firewall by unintentionally creating a security vulnerability, and monitoring whether an endpoint (laptop, server, phone, printer, etc.) gets exploited.

From a technology standpoint, it means:

  • Log Monitoring (SEM) – Provides real-time analysis of security alerts generated by network hardware and applications.
  • Intrusion Detection (IDS) – Monitors the network via deep packet inspection for malicious activity or policy violations.
  • NetFlow Analysis – Monitors a network’s traffic analytics.
  • Active Scanning – Assesses computers, networks and applications for weaknesses.
  • Advanced Correlation – Monitors events from the SEM, IDS, NetFlow and scanning over time for poor security hygiene, security vulnerabilities and exploits, classifies the severity of each issue and alerts others through a workflow based on that severity.
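The following is an added illustration of the “Advanced Correlation” step, written for this article and not NetWatcher’s own code: a minimal correlator that rates each host by how many independent sources (scan, IDS, NetFlow, SEM) report it within a 24-hour window and routes the resulting alert by severity. The event shapes, hosts, timestamps, thresholds and queue names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events from the four sources the list above names.
# Timestamps are seconds; hosts are made up.
EVENTS = [
    {"src": "scan",    "host": "10.0.0.5", "ts": 0,      "kind": "unpatched_software"},
    {"src": "ids",     "host": "10.0.0.5", "ts": 3600,   "kind": "exploit_attempt"},
    {"src": "netflow", "host": "10.0.0.5", "ts": 5400,   "kind": "large_outbound"},
    {"src": "sem",     "host": "10.0.0.7", "ts": 200,    "kind": "cleartext_credentials"},
    {"src": "ids",     "host": "10.0.0.9", "ts": 300,    "kind": "policy_violation"},
    {"src": "scan",    "host": "10.0.0.9", "ts": 400000, "kind": "risky_software"},  # days later
]

WINDOW = 24 * 3600  # assumed correlation window: 24 hours per host
HYGIENE = {"cleartext_credentials", "unpatched_software", "risky_software"}
ROUTES = {"critical": "page_oncall", "high": "ticket_soc",
          "medium": "ticket_it", "low": "log_only"}  # assumed workflow queues


def correlate(events, window=WINDOW):
    """Group events per host, keep those within `window` of that host's newest
    event, and rate the host by how many independent sources corroborate it."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        newest = evs[-1]["ts"]
        recent = [e for e in evs if newest - e["ts"] <= window]
        sources = {e["src"] for e in recent}
        kinds = {e["kind"] for e in recent}
        if len(sources) >= 3:
            sev = "critical"  # weakness + attack + unusual traffic on one box
        elif len(sources) == 2:
            sev = "high"      # two sources agree something is wrong
        elif kinds & HYGIENE:
            sev = "medium"    # poor hygiene: exploitable, no attack seen yet
        else:
            sev = "low"
        findings[host] = {"severity": sev, "sources": sorted(sources),
                          "kinds": sorted(kinds)}
    return findings


def route(findings):
    """Map each host's severity onto the workflow queue that should be alerted."""
    return {host: ROUTES[f["severity"]] for host, f in findings.items()}
```

Note that 10.0.0.9 only rates “medium” because its earlier IDS hit falls outside the window relative to the later scan finding; widening the window or keeping per-source windows changes that decision.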

If you don’t do continuous monitoring, you may miss attacks on other IoT devices (smart TVs on board room walls, printers, smart phones). You may miss rootkits that have compromised endpoint assets. You may miss poor behavior by staff using vulnerable or risky software, going to nefarious websites or sending data over the internet in clear text, all of which will lead to your company being breached.

To learn more about NetWatcher’s continuous monitoring service visit NetWatcher.com.
