One of our goals this year is to roll out a whole slew of security detection and response technologies we have developed to improve the security posture of all of our customers. We use many different technology platforms in our business to build the scripts, alerts, and policies that together make up our detection and response tools. We also make sure our customers have the supporting technology in place before we implement them. For example, a server is critical to security because it joins computers to the domain, which enables centralized user management, secure document sharing, and printing. The server also offers configurable group policies, which give the I.T. department the control it needs to manage a business's computers and enforce organization-wide security. This is one reason we highly recommend having a server for your business rather than relying solely on the cloud.
Below is a short list of several detection and response technologies we have built, each of which provides awareness we think every business should have as part of its security tool kit:
Reporting Domain Administrators on the Network:
We have created a script that generates a file listing all the domain administrator accounts on the network. This file is then compared against the originally generated file containing all the approved domain administrators, in what is known as a "diff". If the file has changed in any way, indicating that a new domain administrator has been created on the network, an email is sent to our support board creating a new high priority ticket. The ticket includes an attachment with the list of domain administrators so we can take immediate action.
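One concrete way to implement this diff-and-alert check, added here as an example and not the script described above. It assumes the ActiveDirectory PowerShell module is installed, and the file paths and mail settings shown are placeholders to adapt:

```powershell
# Added example (not the newsletter's own script): snapshot the Domain Admins
# group, diff it against an approved baseline, and raise an alert on any change.
# The paths and SMTP settings below are assumed placeholders.
Import-Module ActiveDirectory

$BaselinePath = 'C:\SecOps\domain-admins-approved.txt'   # approved list (assumed path)
$CurrentPath  = 'C:\SecOps\domain-admins-current.txt'    # latest snapshot (assumed path)
$MailParams = @{
    From       = 'alerts@example.org'        # assumed sender
    To         = 'support@example.org'       # assumed support-board mailbox
    SmtpServer = 'smtp.example.org'          # assumed relay
}

# Enumerate members recursively so nested groups cannot hide an added admin.
$current = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName |
    Sort-Object -Unique
$current | Set-Content -Path $CurrentPath

if (-not (Test-Path $BaselinePath)) {
    # First run: the reviewed current membership becomes the approved baseline.
    $current | Set-Content -Path $BaselinePath
    Write-Output "Baseline created with $($current.Count) domain administrators."
    return
}

$baseline = Get-Content -Path $BaselinePath | Sort-Object -Unique
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current

if (-not $diff) {
    Write-Output 'Domain Admins membership unchanged.'
    return
}

# "=>" marks accounts present now but not in the baseline; "<=" marks removals.
$added   = ($diff | Where-Object SideIndicator -eq '=>').InputObject
$removed = ($diff | Where-Object SideIndicator -eq '<=').InputObject
$body = @"
Domain Admins membership changed on $(Get-Date -Format s).
Added:   $(if ($added)   { $added -join ', ' }   else { 'none' })
Removed: $(if ($removed) { $removed -join ', ' } else { 'none' })
Full current list attached. Update the baseline only after the change is approved.
"@

# High-priority mail to the support board with the current list attached.
Send-MailMessage @MailParams -Subject 'HIGH PRIORITY: Domain Admins membership changed' `
    -Body $body -Attachments $CurrentPath -Priority High
```

Removals are reported as well as additions, since an attacker covering tracks or a mistaken cleanup both deserve a ticket.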
Reporting Account Lockouts:
One important policy to enforce is a password policy. In other words, businesses should be changing their passwords every 90-120 days and should be requiring a certain level of complexity. Once the password policy is established, it is important to enable account lockout settings. Basically, if an end user, software program, device, etc. fails to log in correctly more than 5 times, the account is automatically locked out for a period of time as a precaution. This triggers an email to our support board creating a new high priority ticket that identifies the username and the computer or device experiencing the problem so we can take immediate action.
Reporting Unknown Hosts on the Network:
Do you know what computers, network devices, smart phones, etc. are connected to your business network or home office network? Most businesses do not, and in our opinion this is a vulnerability. We highly recommend implementing technology that gives the I.T. department control over this aspect. We have implemented technology that monitors the network for new, unregistered devices. Every device with a network connection has a unique MAC address, and this is how we detect new devices. Any time a device that is not already registered in our database connects to the wired or wireless network, an email is sent to our support board creating a new high priority ticket with the information about the new device, so we can take immediate action in case an intruder has found their way onto the wired or wireless network.
Reporting New Applications:
Understanding which applications are allowed on the computers and servers in your environment is very important for multiple reasons. Whenever an application is installed on a computer or server, an email is sent to our support board creating a new high priority ticket with the information about the application, so we can cross-reference it against our approved application list. This helps us mitigate problems such as a new virus or malware being installed by accident.
Reporting when the Anti-Virus or the Windows Firewall is Disabled:
Viruses and malware can be very clever about disabling security software or firewalls once they dig themselves into a computer system, so that they can go about damaging it. In the event the anti-virus software or Windows firewall becomes disabled, we have created technology that automatically restarts the protection and sends a new high priority ticket telling us which computer this is occurring on, so we can begin a thorough investigation and resolve the problem.
Thank you for your time today learning more about our security detection and response technology, which gives us greater visibility and awareness into the technology environments we manage. To request more information about the technology we have developed, please feel free to email firstname.lastname@example.org. Thanks again for being a loyal reader of our Predictably Better newsletter. We'll be back next month!