Monolithic Defense Strategies – Protecting Your Computer Network
Defending your computer network is quite a big job. Not monumental or impossible by any stretch of the imagination, but still a big job. If you leave it at being “a big job”, then you create a problem. Your solution will lack focus. In terms of your network’s defense, to “lack focus” means that while your overall protection may be good, key areas wind up with protection that does not accurately reflect their importance.
For comparison purposes, consider the defense of a country. You don’t have a single defense force. You have your Air Force that handles the air defense, the Army for ground and the Navy for the sea. They all have a similar purpose (to defend your country), but they are managed very differently, with divergent equipment and strategies, because the way that you react to threats in each area is not the same.
The same logic is true for your internal network. Different types of resources need different types of defenses, to properly protect them:
– You need more than just Anti-Malware scanning to protect a file share properly.
– You need more than just a Firewall to protect a database.
– You need more than Spam Filtering to protect your email.
These are the sorts of things that are often overlooked when putting together computer network defenses.
How do you go about planning a proper Defensive Strategy?
Step 1: Start with the basics
A proper Firewall – What I mean by a “proper Firewall” is one with (at least) configurable Anti-Malware and an Intrusion Prevention System built into it. Both should have a set of signatures that updates regularly. Constant updates mean there may be some kind of support contract going along with the Firewall. Expect this, plan for it. If the Firewall doesn’t have it, then it’s probably a consumer class appliance.
Managed Anti-Malware software installed on every device possible – The biggest difference between what you install at home and what you should install in a business is that the software is centrally managed. This can be handled from a single machine or in the Cloud; it doesn’t matter which. If not centrally managed, then it’s not fit for purpose. Every possible device means exactly that, Every-Possible-Device (Desktops, Laptops, Tablets, Phones, Servers, etc.) If the Anti-Malware software is available, then it needs to be installed, managed, and enabled.
Anti-Malware software isn’t always centrally managed, but the reason I encourage that has nothing to do with detection of Malware and everything to do with monitoring of the software that’s been installed. Having to periodically go around physically checking the logs on all your devices to make sure that the Security software is still installed and running is a process that doesn’t scale (and is 100% necessary if you go with unmanaged software.) So, if it’s necessary to do this, and it doesn’t scale, then the truth is that it doesn’t happen (until someone has an issue.) Centrally managed Anti-Malware software isn’t significantly more expensive, so cutting costs here is not very effective, but also doesn’t have a big impact on Security (until you look at it over time.)
Some businesses seem to believe it’s okay to skimp on the Firewall and I’ve seen some using consumer grade devices that they picked up from Best Buy or somewhere. There are some cost savings that can be made by doing this. Nothing I would consider significant (from a business standpoint), but it’s easily upwards of $300 (depending on the model.) However, consumer level devices don’t have the same sort of investment in development that business class devices do. Even the low end Small/Medium Business (SMB) devices are far superior to anything that’s consumer grade. Saving a little money here makes very little sense, because you are sacrificing the features necessary to offer actual protection.
Step 2: Identify important assets
Once the basics are managed, you need to take stock of exactly what you have in your network. What sort of important information have you set up? Some simple examples would be things such as Email Servers, Financial Records, File shares, etc. This list should include important / central devices, and software that are needed for the smooth / safe operations of each department in your organization.
This means the job of coming up with this list does not rest on the shoulders of IT alone. For example: IT doesn’t decide what files and software are important for Finance to do their job. Maybe there’s special software that one department uses to do chemical mixing. Each department needs to look at the things they need, decide if there are certain ‘vital tools’, and communicate that.
Step 3: Take additional, necessary, protective steps
Once those important / critical assets have been identified, the next step is sorting out exactly what kind of additional protective steps can be taken. It’s not uncommon for people to install safes in their homes, in order to protect their valuables. Why do they do that if they already have alarm systems and fire alarms? Because some things need extra protection. The same logic applies here.
Additional protective steps could include periodic backups. Maybe you need some network segregation, so as to keep certain devices walled in. Another possibility could include the purchase of extra Security software. Properly providing additional protection for an asset depends on exactly what that asset is, how it behaves and how important it is to the organization. Maybe it needs Internet access; maybe not; maybe it needs to run as an administrator; maybe not. With no list of what is actually important, IT won’t be able to properly protect it.
The Security of your computers is not the sole responsibility of your IT department. It requires input from all levels of your organization to get it right. One side effect of going through a process like this is that it makes developing things like useful ‘Incident Response Plans’ and ‘Disaster Recovery Plans’ much easier and more effective, because you actually know the things that are important.
If you have any questions about building a comprehensive Defense Strategy, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.