Above All, You Need Total Network Visibility
It used to be the case that if an attacker gained a foothold within your Enterprise, he had the upper hand on the network defense staff. The attacker could often enumerate and scan the entire network for weaknesses, compromise a few key accounts and simply lurk until he decides to steal corporate data. But if you get total network visibility- full packet capture and logging- and have great processes, and an agile defense team with the authority to act on behalf of the enterprise- the attacker doesn’t stand a chance.
My pal Rocky put together this graphic talking about what it takes to defend a network in the modern age. And if you have to gather consensus to implement rule changes, or have to rely on SIEMs alone to find attackers, you are doomed to failure.
As a good example, I recently encountered an Enterprise who opted against adopting a SIEM solution like everyone else did back in the late oughts. When they became aware of a compromise, they excelled at defending their network because they had two things most modern networks and defense teams don’t have: Total Network Visibility and an agile security team who had the authority to rule their network control systems with an iron fist.
They didn’t play the old fashioned “trap and trace” game that every network forensics book says you have to play- monitoring activity to gather evidence, fearful that any changes you make to the network would “tip your hand” and force the adversary to change tactics. They had total network visibility, so they slammed the door in the faces of the attackers and double dog dared them to return! And they didn’t have to put in a change control request or go through a risk management committee to get it done, either. What they lacked in overall security technology they made up for in streamlined processes and absolute authority. And it was beautiful to behold! My favorite line in Rocky’s post here is:
If the time it takes your adversary to get into your network and extract data is measured in seconds to minutes and your change control window is measured in weeks – who wins?
