This post deals with the hands-on work of operating and maintaining security systems to block attacks on your company’s environment or minimize their impact.
- Firewalls. Operating a firewall mostly means adding and editing rules and reviewing traffic logs, but other tasks matter just as much. In particular, review the firewall's configuration change log regularly to see which rules and settings changed, who changed them and when, and match every change against an approved change request. An unexplained new rule, especially a permissive one that allows any source, any destination or any port, is a finding to investigate, not routine housekeeping.
- Intrusion detection and prevention systems. Routinely evaluate the effectiveness of your IDS and IPS, and review and fine-tune their alerting. If too many alerts are generated, especially false positives, administrators start to ignore them or respond slowly, so the alert for a real incident is handled late. Tune by suppressing a noisy signature only for the source that causes the noise (an authorized vulnerability scanner, for example) rather than disabling the signature outright. False negatives are a separate problem: they produce no alert at all, so they surface only in testing and in post-incident review, not in the alert queue.
- Whitelisting and blacklisting (also called allowlisting and denylisting). Whitelisting marks applications as allowed and blocks everything else; blacklisting marks specific applications as disallowed and permits everything else. Both can be automated. A common approach is to whitelist every application included in the corporate computer image and deny all others. Identify applications by cryptographic hash or code-signing publisher rather than by file path, because a path rule trusts whatever file happens to sit at that location.
- Security services provided by third parties. Some vendors offer managed detection and response: they ingest the security-related logs from your entire environment and handle detection and response using analytics, machine learning or a large security operations center. Other services perform assessments, audits or forensics, and still others offer code review, remediation or reporting. When you outsource detection, make sure the contract says what the provider will do during an incident and what it hands back to you, and keep your own copy of the logs.
- Sandboxing. In this context, sandboxing means completely isolating an environment or a computer from your production networks and computers; for example, a company might run a non-production environment on a physically separate network with its own internet connection. (The same term is used for isolated execution of a single untrusted program or file, such as detonating a suspicious attachment in a disposable virtual machine.) Sandboxes help limit damage to the production network. Because computers and devices in a sandbox aren't managed the same way as production computers, they are often more vulnerable to attacks and malware; segmenting them reduces the risk that they infect your production computers. Sandboxes are also commonly used to host honeypots and honeynets, described in the next bullet.
- Honeypots and honeynets. A honeypot or a honeynet is a computer or network deployed purposely to lure would-be attackers and record their actions. The goal is to understand their methods and use that knowledge to design more secure computers and networks. There are important and accepted uses; for example, an anti-virus company might use honeypots to validate and strengthen its anti-virus and anti-malware software. However, honeypots and honeynets have been criticized as unethical because of their resemblance to entrapment, and a honeypot that is taken over can become a platform for attacking third parties, so it must be isolated from production and have its outbound traffic tightly controlled. Many security-conscious organizations therefore avoid running their own, but they can still take advantage of the information published by companies and researchers that do.
- Anti-malware. Anti-malware is a broad term that covers anti-virus, anti-spyware, anti-spam and similar tools, where malware means any code, app or service created to cause harm. Deploy anti-malware on every device you can, including servers, client computers, tablets and smartphones, and be vigilant about engine and definition updates; an agent whose definitions are weeks old only protects against last month's threats.
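The change-log review described in the Firewalls bullet above, as an added example that is not code from the original post. It diffs two snapshots of a rule set, flags changes that have no matching approved change request, and flags newly permissive allow rules. The rule format, both snapshots, the rule names and the addresses are constructed for illustration; adapt parse_rules() to your firewall's export format.

```python
# Added example, not code from the original post. It diffs two snapshots of a
# firewall rule set, flags changes with no matching change request, and flags
# newly permissive allow rules. The rule format and both snapshots are
# constructed for illustration; adapt parse_rules() to your firewall's export.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    port: str    # port number, range, or "any"


# Constructed snapshots: one rule per line, "name action src dst port".
OLD_SNAPSHOT = """
web-in       allow any            10.0.1.10/32  443
db-in        allow 10.0.1.0/24    10.0.2.5/32   5432
default-deny deny  any            any           any
"""

NEW_SNAPSHOT = """
web-in       allow any            10.0.1.10/32  443
db-in        allow any            10.0.2.5/32   5432
rdp-mgmt     allow 203.0.113.0/24 10.0.2.5/32   3389
default-deny deny  any            any           any
"""


def parse_rules(text):
    """Return {rule name: Rule}; blank lines and '#' comments are ignored."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, action, src, dst, port = line.split()
        rules[name] = Rule(name, action.lower(), src, dst, port)
    return rules


def diff_rules(old, new):
    """Split the two rule sets into added, removed and changed rule names."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return added, removed, changed


def is_permissive(rule):
    """An allow rule with an unrestricted source, destination or port."""
    return rule.action == "allow" and "any" in (rule.src, rule.dst, rule.port)


def review(old_text, new_text, approved_changes):
    """Compare snapshots; approved_changes is the set of rule names covered
    by an approved change request. Anything else that changed is a finding."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    added, removed, changed = diff_rules(old, new)
    touched = set(added) | set(removed) | set(changed)
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "unapproved": sorted(touched - set(approved_changes)),
        # Only rules that were introduced or modified are re-examined here;
        # the pre-existing permissive web-in rule is a separate review item.
        "newly_permissive": sorted(n for n in added + changed if is_permissive(new[n])),
    }


if __name__ == "__main__":
    findings = review(OLD_SNAPSHOT, NEW_SNAPSHOT, approved_changes={"rdp-mgmt"})
    for key, names in findings.items():
        print(f"{key:16} {names}")
```

With the constructed snapshots, rdp-mgmt was added under an approved change and passes, while db-in was widened from a /24 to any source with no change request, so it appears under both unapproved and newly_permissive. Running this against each night's export and paging on a non-empty unapproved list is the check the bullet asks for.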
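The alert tuning described in the IDS/IPS bullet above, as an added example that is not code from the original post. It measures which signatures generate the most noise and suppresses a noisy signature only for the source that causes it, so the same signature still fires for anyone else. The alert lines, signature names, addresses and the scanner address are all constructed; the line format is "timestamp,signature,src_ip,dst_ip,priority".

```python
# Added example, not code from the original post. It measures which IDS
# signatures are generating noise and suppresses a noisy signature only for
# the source that causes it, so the same signature still fires for anyone
# else. The alert lines, signature names and the scanner address are all
# constructed; the line format is "timestamp,signature,src_ip,dst_ip,priority".
from collections import Counter, defaultdict

ALERTS = """\
2024-05-01T09:00:01,SCAN Nmap Scripting Engine,10.0.0.50,10.0.1.10,3
2024-05-01T09:00:02,SCAN Nmap Scripting Engine,10.0.0.50,10.0.1.11,3
2024-05-01T09:00:03,SCAN Nmap Scripting Engine,10.0.0.50,10.0.1.12,3
2024-05-01T09:00:04,SCAN Nmap Scripting Engine,10.0.0.50,10.0.1.13,3
2024-05-01T09:00:05,SCAN Nmap Scripting Engine,10.0.0.50,10.0.1.14,3
2024-05-01T09:00:06,SCAN Nmap Scripting Engine,10.0.0.50,10.0.1.15,3
2024-05-01T09:00:07,SCAN Nmap Scripting Engine,10.0.0.50,10.0.1.16,3
2024-05-01T09:00:08,SCAN Nmap Scripting Engine,10.0.0.50,10.0.1.17,3
2024-05-01T09:05:00,SCAN Nmap Scripting Engine,198.51.100.9,10.0.1.10,3
2024-05-01T09:10:00,MALWARE C2 beacon,10.0.1.22,203.0.113.7,1
2024-05-01T09:11:00,POLICY Tor DNS query,10.0.1.22,10.0.0.53,2
"""

# Sources whose scans are expected, e.g. the authorized vulnerability scanner.
KNOWN_SOURCES = {"10.0.0.50"}


def parse_alerts(text):
    alerts = []
    for line in text.strip().splitlines():
        ts, sig, src, dst, prio = line.split(",")
        alerts.append({"ts": ts, "sig": sig, "src": src, "dst": dst, "prio": int(prio)})
    return alerts


def tuning_report(alerts, known_sources, dominance=0.8):
    """Per signature: volume, how much came from known sources, and a suggestion.
    A signature is suppressed for a known source only when known sources
    dominate its alerts (>= dominance); low-volume signatures are left alone."""
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[a["sig"]].append(a)
    report = {}
    for sig, items in by_sig.items():
        src_counts = Counter(a["src"] for a in items)
        total = len(items)
        known = sum(c for s, c in src_counts.items() if s in known_sources)
        if total > 1 and known / total >= dominance:
            suggestion = ("suppress", sorted(s for s in src_counts if s in known_sources))
        else:
            suggestion = ("keep", [])
        report[sig] = {"total": total, "from_known_sources": known,
                       "distinct_sources": len(src_counts), "suggestion": suggestion}
    return report


def apply_suppressions(alerts, report):
    """Drop only the (signature, source) pairs marked for suppression."""
    suppressed = {(sig, src) for sig, r in report.items()
                  if r["suggestion"][0] == "suppress" for src in r["suggestion"][1]}
    return [a for a in alerts if (a["sig"], a["src"]) not in suppressed]


if __name__ == "__main__":
    parsed = parse_alerts(ALERTS)
    rep = tuning_report(parsed, KNOWN_SOURCES)
    for sig, r in sorted(rep.items(), key=lambda kv: -kv[1]["total"]):
        print(f"{r['total']:3} {r['from_known_sources']:3} {r['suggestion']}  {sig}")
    print(len(parsed), "alerts before tuning,", len(apply_suppressions(parsed, rep)), "after")
```

Of the eleven constructed alerts, eight are the internal scanner tripping the Nmap signature, so the report suggests suppressing that signature for 10.0.0.50 only. After suppression three alerts remain: the malware and policy hits, and the Nmap alert from the external address 198.51.100.9, which is exactly the one that would have been lost had the signature been disabled outright.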
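The image-based whitelist described in the Whitelisting and blacklisting bullet above, as an added example that is not code from the original post. It builds an allowlist from the hashes of the binaries in a corporate image and compares hash-based decisions with path-based ones for a few execution requests. The "image" maps paths to short constructed byte strings standing in for real executables, and the request list is constructed too; a real build would hash the files on disk, and the enforcement point would be the operating system's application control feature (AppLocker or WDAC on Windows, fapolicyd on Linux), not this script.

```python
# Added example, not code from the original post. It builds an application
# allowlist from the hashes of the binaries in a corporate image and compares
# hash-based decisions with path-based ones. The "image" maps paths to short
# constructed byte strings standing in for real executables; a real build
# would hash the files on disk and a real enforcement point would be the OS
# (AppLocker/WDAC on Windows, fapolicyd on Linux), not this script.
import hashlib

GOLDEN_IMAGE = {
    "C:/Program Files/Corp/agent.exe": b"MZ corp-agent 1.4.2",
    "C:/Windows/System32/notepad.exe": b"MZ notepad 10.0",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_hash_allowlist(image):
    """Trust is attached to file content: a different file at the same path is denied."""
    return {sha256_hex(data) for data in image.values()}


def build_path_allowlist(image):
    """The weak alternative: trust is attached to the location only."""
    return set(image)


def decide_by_hash(data, allowlist):
    return "allow" if sha256_hex(data) in allowlist else "deny"


def decide_by_path(path, allowlist):
    return "allow" if path in allowlist else "deny"


# Constructed execution requests: (description, path, file contents).
REQUESTS = [
    ("unchanged notepad", "C:/Windows/System32/notepad.exe", b"MZ notepad 10.0"),
    ("malware dropped over notepad", "C:/Windows/System32/notepad.exe", b"MZ evil 0.1"),
    ("agent copied to temp", "C:/Users/alice/AppData/Local/Temp/agent.exe", b"MZ corp-agent 1.4.2"),
    ("unknown tool in downloads", "C:/Users/alice/Downloads/tool.exe", b"MZ tool 2.0"),
]


def evaluate(requests, image):
    """Return (description, hash decision, path decision) for each request."""
    hashes, paths = build_hash_allowlist(image), build_path_allowlist(image)
    return [(desc, decide_by_hash(data, hashes), decide_by_path(path, paths))
            for desc, path, data in requests]


if __name__ == "__main__":
    for desc, by_hash, by_path in evaluate(REQUESTS, GOLDEN_IMAGE):
        print(f"{desc:30} hash={by_hash:5} path={by_path}")
```

The two decisions disagree on exactly the cases that matter: a file overwritten in place at a trusted path is allowed by the path rule and denied by the hash rule, while a legitimate binary copied somewhere unusual is denied by the path rule and allowed by the hash rule. The cost of hashing is that every patch changes the hash, so the list must be rebuilt from each new image; publisher (code-signing) rules, which AppLocker and WDAC both support, are the usual way to avoid re-hashing on every update.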