When a network or device is compromised, it is critical to respond as quickly as possible in order to minimize the risk to your business. To have an almost instantaneous incident response, you have to do two things: you have to detect the incident immediately and you have to respond immediately.
Here we’ll show how combining automated detection with network access control (NAC) can improve incident response.
Networks are becoming increasingly difficult to protect
Networks have morphed into heterogeneous, hybrid-cloud infrastructures populated with multi-vendor devices. Making matters worse is the proliferation of IoT devices which come with very little built-in visibility or security. And on top of this, at the start of 2020, countless companies were suddenly put in a position where large segments of their workforce started working remotely.
With remote work came increased use of personal devices. And with this increase in BYOD, came a corresponding increase in endpoint security risks that were both difficult to track and difficult to manage.
As the adage goes, if you can’t see it and you can’t assess it, how can you protect it? More importantly, how do you protect a network with such a diverse number of endpoints? How do you keep up with them all? That’s the challenge facing IT departments today.
As it turns out, there’s a solution. A potent mix of vulnerability detection and network access control technology can be used to deliver almost instantaneous incident response.
Start with automated threat detection
As we’ve said in a previous article, the technology to detect weak or infected devices and the technology to quarantine them has long existed – but until now, the missing link has been the integration between the two.
You can’t respond to an incident you don’t know about. So it goes without saying, you must start with detection. Using a combination of agentless and agent-based vulnerability scanning and monitoring, you can identify vulnerable devices as soon as they appear on your network.
Both solutions offer automated detection, but some devices lend themselves to agentless discovery and detection, while others, like IoT devices, will need agents placed on the device. If you have a large number of devices in your network, you’re likely going to need both of these to stay ahead of the threats in your environment.
Agentless scanning can be used to find unmanaged devices and perform regular scans of everything on your networks without having to install additional software. But there’s a catch: you won’t be able to detect devices not connected to the network at the time of the scan, nor devices that are turned off at the time of the scan.
Agent-based scanning increases the visibility and security of all devices on the network – including IT, IoT and BYOD devices. These lightweight programs work in the background to continuously monitor network activity generated by endpoints and instantly detect signs of suspicious activity – but you have to gain the user’s permission to install these agents.
Both solutions can be used to enact custom security policies and detect a range of threats from outdated software and missing patches to vulnerabilities, bugs and hijacked devices. Whenever a weak or vulnerable device is identified on your network, it is evaluated to determine the level of risk – and registered as an event. But what action should be triggered?
Continue with proactive analysis and prioritization
The flood of incidents can overwhelm an organization. According to an IDC study, “firms experience an average of 40 actionable incidents per week. Some of these will translate into genuine attacks but others require investigation in order to determine that they are benign.”
Over two thirds take between 1 and 4 hours. You don’t have to do much math to realize that’s one or more full-time resources just responding to incidents. The bottom line is that you cannot just scan your network for incidents; you also have to analyze and prioritize them.
You must leverage technology to contextualize threats in real time so you can take intelligent action. Most vulnerability assessment solutions use a combination of CVSS (Common Vulnerability Scoring System) scores and insights gathered from CVE (Common Vulnerabilities and Exposures) databases and real-time threat intelligence feeds to prioritize the risk each incident poses to the organization.
Everything you monitor and detect must be evaluated for its relative risk, otherwise you run the risk of trying to “drink water from a fire hose.”
Finish the job with automatic quarantine
What do you do once you have analyzed and prioritized incidents? You use network access control (NAC) to initiate automatic and immediate quarantine. When you synchronize your NAC service with your security scanning solution, as soon as a threat is detected, your NAC solution kicks into action – suspending access and preventing a security risk from expanding. You have almost instantaneous incident resolution by combining these two technologies.
With the user’s device now quarantined, the technology team can reach out to the user to safely address the security concern without leaving company networks open to ongoing threats.
Companies that don’t have a NAC solution in place should consider one of the vendors that now offer NAC in the cloud. It doesn’t require additional on-premises equipment and can quietly work in the background – jumping into action once the security software identifies a threat.
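The detect, prioritize and quarantine flow described above can be sketched as follows. This is an added example, not code from any scanner or NAC product: the thresholds, the context weights (+2.0 for active exploitation, +1.0 for unmanaged devices), the field names and all sample data are assumptions. The hand-off to the NAC is represented by the returned MAC list, because the actual quarantine call is vendor-specific.

```python
# Constructed sample data; CVE ids and MACs are placeholders, not real ones.
EXPLOITED = {"CVE-0000-0001"}          # ids a threat feed reports as actively exploited
FINDINGS = [
    {"mac": "02:00:00:00:00:01", "cve": "CVE-0000-0001", "cvss": 7.5, "managed": True},
    {"mac": "02:00:00:00:00:01", "cve": "CVE-0000-0002", "cvss": 4.3, "managed": True},
    {"mac": "02:00:00:00:00:02", "cve": "CVE-0000-0003", "cvss": 9.8, "managed": False},
    {"mac": "02:00:00:00:00:03", "cve": "CVE-0000-0004", "cvss": 3.1, "managed": True},
    {"mac": "02:00:00:00:00:04", "cve": "CVE-0000-0005", "cvss": None, "managed": False},
]
QUARANTINE_AT, TICKET_AT = 9.0, 5.0    # assumed policy thresholds


def risk(finding, exploited):
    """CVSS base score raised by context (assumed weights), clamped to 10."""
    score = finding["cvss"]
    if score is None:                  # unscored: treat as ticket-worthy, never drop
        score = TICKET_AT
    if finding["cve"] in exploited:    # threat intel: exploitation seen in the wild
        score += 2.0
    if not finding["managed"]:         # BYOD/IoT: cannot be patched centrally
        score += 1.0
    return min(score, 10.0)


def triage(findings, exploited):
    """One decision per device, driven by its worst finding, highest risk first."""
    worst = {}
    for f in findings:
        s = risk(f, exploited)
        if s > worst.get(f["mac"], (-1.0, None))[0]:
            worst[f["mac"]] = (s, f["cve"])
    decisions = []
    for mac, (s, cve) in worst.items():
        action = ("quarantine" if s >= QUARANTINE_AT
                  else "ticket" if s >= TICKET_AT else "monitor")
        decisions.append({"mac": mac, "action": action, "risk": s, "cve": cve})
    return sorted(decisions, key=lambda d: d["risk"], reverse=True)


def quarantine_list(decisions):
    """MAC addresses to hand to the NAC for immediate isolation."""
    return [d["mac"] for d in decisions if d["action"] == "quarantine"]


if __name__ == "__main__":
    for d in triage(FINDINGS, EXPLOITED):
        print(d)
```

Note that the first device is quarantined on a CVSS 7.5 finding only because the feed marks it as exploited; on the base score alone it would have been a ticket.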
Detection, analysis and instant action – the key to improving incident response
A combination of automated detection with incident analysis, alongside the ability to automatically quarantine devices, delivers quick protection when an unknown system-wide threat emerges. It rapidly protects your network, giving you time to eradicate the threat.
Of course, the method we outlined is just one part of a broader cybersecurity strategy, but we are confident that automated detection and analysis, plus instant NAC-driven quarantine will deliver the incident response times CISOs demand.