5. Confirm. Next is to evaluate that enforcement is in place. Are all enforcement devices really updated and providing protection? IT security should maintain an audit trail of all enforcement responses over time. In a large-scale environment, ensuring up-to-date enforcement on current and newly added devices is subject to human error if both the audit trail and the updates are handled manually. Remember that enforcement is subject to priorities influenced by internal and external context. This means that after high-priority internal systems and networks are secured, another round of analysis and enforcement may be needed for incidents deemed a lower priority.
6. Block list management. Understand all the objects, rules, and lists in place. Large networking environments mean large enforcement lists and potentially complex policies. These must be organized, shared with the security team, and managed centrally to limit duplicate effort and ensure consistent security. When responding to frequent or complex security events, your network is only as strong as its weakest link, so double-check list, rule, and object updates to ensure consistency.
7. Test everything. Everything should be tested more than once to be sure both automation and manual processes are properly in place. Remember that even if you don’t test, there are more than enough hackers and penetration testers out there to test your systems for you. At a minimum, perform a conformance test and plan larger regression tests every quarter.
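A minimal conformance check in the spirit of steps 5 through 7, added here as an example rather than taken from the article: it compares rule exports from several enforcement devices against the centrally managed block list, reports drift (entries missing on a device, stale entries no longer on the central list, and duplicated rules) and emits one JSON line for the audit trail. The central list, device names and indicators are constructed sample data.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed central block list as maintained by the security team.
CENTRAL_BLOCK_LIST = ["198.51.100.23", "203.0.113.0/24", "bad.example.net"]

# Constructed exports from three enforcement devices (names are placeholders).
# fw-edge-1 carries a duplicate rule, proxy-1 lacks the CIDR and keeps a stale
# entry, dns-sinkhole-1 conforms (apart from whitespace, which is normalized).
DEVICE_EXPORTS = {
    "fw-edge-1": ["198.51.100.23", "203.0.113.0/24", "BAD.example.net", "198.51.100.23"],
    "proxy-1": ["198.51.100.23", "bad.example.net", "old.example.org"],
    "dns-sinkhole-1": ["bad.example.net", "198.51.100.23", "203.0.113.0/24 "],
}


def normalize(entry: str) -> str:
    """Canonical form so 'BAD.example.net' and ' bad.example.net' compare equal."""
    return entry.strip().lower()


def check_device(central, exported):
    """Return missing, stale and duplicated entries plus an overall verdict."""
    wanted = {normalize(e) for e in central}
    counts = Counter(normalize(e) for e in exported)
    present = set(counts)
    duplicates = sorted(e for e, n in counts.items() if n > 1)
    return {
        "missing": sorted(wanted - present),     # not enforced on this device
        "stale": sorted(present - wanted),       # enforced but no longer on central list
        "duplicates": duplicates,                # redundant rules worth cleaning up
        "conformant": wanted <= present and not duplicates,
    }


def run_conformance(central, exports):
    """Check every device export; returns {device_name: result}."""
    return {dev: check_device(central, rules) for dev, rules in exports.items()}


def audit_record(results, when=None):
    """One JSON line per run, suitable for appending to an audit log."""
    when = when or datetime.now(timezone.utc)
    failing = sorted(d for d, r in results.items() if not r["conformant"])
    return json.dumps({"ts": when.isoformat(), "devices_checked": len(results),
                       "non_conformant": failing, "detail": results}, sort_keys=True)


if __name__ == "__main__":
    print(audit_record(run_conformance(CENTRAL_BLOCK_LIST, DEVICE_EXPORTS)))
```

Stale entries are reported rather than removed, since a rule present on a device but absent from the central list may be a deliberate local exception that the team must confirm before cleanup.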
Threat management is a critical process that involves detection, investigation, analysis, and enforcement, with human involvement at the heart of the overall process. IT security staff and their teams are ultimately responsible for managing and securing corporate networks and reacting to threats against them, but with the scale and complexity of threats, investigations, and multi-vendor enforcement devices, there are many opportunities for delay and human error.
With smart best practices and automation in place, IT security teams save time and reduce risk with a solid, end-to-end threat management and response process. With that in place, the gap between threat detection and enforcement can be closed, and companies have a better chance at remaining secure by reacting quickly when there is an attack.