Last post I introduced the three M’s of defense.
I’m going to admit up front that the first one, monitoring, isn’t the most fun, but it is vital.
There is an endless stream of data that flows in and out of every system, and the majority of that information is meaningless to anyone but the computer itself. Trying to sift the relevant data out of the various system and application log files is like trying to find the proverbial needle in a haystack.
So you’ve got to automate across multiple layers.
The first layer to monitor is the firewall. Here we can set up scripts to detect port scanning attempts, block IP addresses that shouldn’t be accessing your network, and monitor outgoing data for unusual behavior. A well-configured firewall will protect you from a lot of random attacks, but it can help you even more if it is sending out alerts when something is amiss.
Past the firewall is the IDS or IPS (Intrusion Detection/Prevention System). These can be hardware devices or implemented in software (but in too many environments they are not present at all). The IDS/IPS constantly monitors network traffic and checks for oddities. There are different types: some look for anomalous behavior, while others compare network packets against a signature database of known bad actions.
Then we get down to the systems themselves. The operating system logs, web server logs, and others should all be checked automatically, with alerts sent to administrators when something looks wrong.
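A minimal version of the automated firewall-log check described above, written as an added example (it is not code from this post or from the Poshsec project): it parses constructed iptables-style DROP lines and flags any source that was refused on many distinct destination ports within a short window. The log format, the sample addresses, and the window and port thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified netfilter-style format
# (timestamp, action, SRC, DST, DPT). Addresses come from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 DPT=21
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 DPT=22
2024-05-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 DPT=23
2024-05-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 DPT=25
2024-05-01T10:00:03 DROP SRC=203.0.113.5 DST=192.0.2.10 DPT=80
2024-05-01T10:00:03 DROP SRC=203.0.113.5 DST=192.0.2.10 DPT=443
2024-05-01T10:00:05 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 DPT=443
2024-05-01T10:00:09 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 DPT=443
2024-05-01T10:05:00 DROP SRC=198.51.100.9 DST=192.0.2.10 DPT=3389
2024-05-01T11:00:00 DROP SRC=198.51.100.9 DST=192.0.2.10 DPT=3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=\S+ DPT=(?P<dpt>\d+)$"
)

def parse_line(line):
    """Return (timestamp, action, src, dport), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["action"], m["src"], int(m["dpt"]))

def find_port_scans(log_text, window=timedelta(seconds=10), min_ports=5):
    """Flag each source refused on at least `min_ports` distinct ports inside any
    `window`-long span. Returns sorted (src, distinct_port_count, window_start)."""
    dropped = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec[1] == "DROP":
            dropped[rec[2]].append((rec[0], rec[3]))
    alerts = []
    for src, events in dropped.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports and (best is None or len(ports) > best[1]):
                best = (src, len(ports), events[start][0])
        if best:
            alerts.append(best)
    return sorted(alerts)

if __name__ == "__main__":
    for src, n, when in find_port_scans(SAMPLE_LOG):
        print(f"ALERT possible port scan from {src}: {n} ports refused from {when}")
```

The two isolated drops from 198.51.100.9 an hour apart stay below the threshold, which is the point of windowing: a burst across many ports is what separates a scan from ordinary blocked noise.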
This all takes a lot of upfront work, but the rewards are great.
There are off-the-shelf products that can be purchased to do all of this, or you can build a custom solution of your own.
I hope to add some of this functionality to the Poshsec project down the line.