Imagine This: You have a precious and valuable treasure. You keep this treasure in your bedroom. Criminals come from all over the land, every night and day, laying siege to your home to steal this treasure. You have no gated community, no security patrol, no walls around your home, no doors or windows - and every fight with a criminal happens right there in your bedroom with your treasure just feet away. You know that one misstep, one lucky punch, and you lose your most precious treasure. It’s game over.

Sounds like a crazed fever-dream, right?

Okay, try this: You have sensitive customer data and intellectual property. You keep this data on your network. Threat actors constantly scan your network for vulnerabilities they can exploit, and it’s a given that at some point a motivated, attacker will target your company specifically. You don’t have an edge router, your firewall rules haven’t been updated in months, no IDS/IPS, no network segmentation, and network traffic policies aren’t all on the same page. You do have endpoint security though, and it catches lots of stuff, but you know that one missed signature and you lose your precious data. It’s game over.

 

Is this a blog post ragging on endpoint anti-virus?

No. It’s a blog post ragging on organizations that only have endpoint anti-virus and think they’re protected - and those who celebrate when their endpoint security catches something bad instead of asking, “how did this threat get all the way down to one of our endpoints”, and “how can we make sure it doesn’t happen again?”

Spoiler Alert: Security practitioners should strive to minimize the number of threats that reach endpoints, because nobody likes duking-it-out with bad guys in their bedroom.

I know that talking about Defense in Depth is soooo 2015, but it’s important to think about network traffic policy as a series of filters, increasingly fine-meshed, from the network edge inward until you hit your precious treasure.

Here’s an example of network traffic filtering with huge returns on investment: Think about your organization. Where are your customers geographically? Where are your supply chain partners, your reps and dealers? If the answer is a limited number of countries, you should be blocking every other country you don’t do business with on an inexpensive edge router (far upstream from your treasure). Try this, and we bet you’ll see a huge drop in threats reaching your endpoints.

 

Network security filtering is like tiramisu, onions, and Shrek – there are layers.

The next layer might be your firewall, but firewalls are just big dumb expensive boxes. What makes a firewall earn its keep? The rules you put into it. If your endpoint layer is constantly mitigating a given set of threats, add the source and destination IPs related to those threats to your firewall rules. Doing this moves the point of protection from the endpoint, where the bad guy wants to be, to the firewall where it can be mitigated long before it reaches your bedroom. Do this fast or suffer the penalty of false positives.

Threats move around a lot, and they move quickly. If the IP is bad today, be blocking it today. Waiting a week to update the firewall rules means higher risk exposure and a good chance the IP won’t even be malicious by the time you finally add it to an ACL.

 

Internal routers and switches can be yet another layer of proactive filtering, and they can allow you to impose more fine-grained restrictions for a specific network segment, a department, or even individual users.

What really needs to talk to the production databases, a small handful of hosts probably? Should the finance department have the same web surfing freedom as the customer service department, or vice-versa?

 

DNS is another filter layer that punches way above its weight class.

Think about it, everything good and bad that happens on the internet starts with a DNS request. Click on a phishing link, browse a malware dropping webpage, get infected by a malvertisement – they all have roots in a DNS request. Almost every DNS platform today, from an open source BIND server to a big expensive DDI/IPAM appliance can do filtering of domain names and IPs. It’s good to have filters in front of your endpoints, and it’s also a good practice to have a safety net for the threats that make it past endpoint security. You will always prefer blocking domain resolution on an infected laptop over experiencing a treasure breach – and there’s a certain twisted satisfaction seeing an infected machine squirm because DNS security is blocking the call-home needed to complete the attack.

So, don’t throw out your endpoint anti-virus, it is still a valuable layer, but don’t rely on it to fight off the bulk of the threats your network encounters, that’s a guaranteed way to get a black eye defending your treasure.

 

To see how ThreatSTOP automates and centralizes the management of all these security filtering layers using hardware you already own, request a quick demo today.

Get a Demo