Threat research and scanning represent the proactive Threat Management actions necessary to prevent intrusions across the enterprise. Threat research is a system that allows organizations to gain intelligence on the emerging vulnerabilities and threats that will impact their IT infrastructure. Additionally, this system must have workflow management capabilities that enable security teams to track each new threat through to its resolution.
Currently, threat research is conducted inefficiently. Security teams today rely on email alerts from BugTraq and other service providers. Sometimes these emails are simply forwarded to administrators for them to patch the affected systems. Only after events like Slammer and MSBlast do security teams find out that the systems were never patched. Instead, organizations should build a database for these alerts and for any additional vulnerability research they conduct. Severity, priority and responsibility must then be assigned to every new threat. From there, security teams can pull reports to make sure all threats are addressed in a timely fashion.
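A minimal version of the alert database described above, added here as an illustration rather than taken from the article: each alert carries a severity, an assigned owner and a resolution date, and a report pulls the unresolved alerts that have passed their response deadline. The SLA windows, field names and sample alerts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Response deadline in days per severity (assumed policy values, not from the article).
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class ThreatAlert:
    alert_id: str
    title: str
    severity: str                     # one of the keys of SLA_DAYS
    received: datetime                # when the advisory entered the database
    owner: str                        # team responsible for remediation
    internet_facing: bool = False     # exposure raises priority
    resolved: Optional[datetime] = None

    def priority(self) -> int:
        # Severity drives priority; exposed systems get a bump so they are patched first.
        return SEVERITY_RANK[self.severity] + (1 if self.internet_facing else 0)

    def due(self) -> datetime:
        return self.received + timedelta(days=SLA_DAYS[self.severity])

    def is_overdue(self, now: datetime) -> bool:
        return self.resolved is None and now > self.due()


def overdue_report(alerts, now):
    """Unresolved alerts past their deadline, highest priority and oldest deadline first."""
    late = [a for a in alerts if a.is_overdue(now)]
    return sorted(late, key=lambda a: (-a.priority(), a.due()))


def open_by_owner(alerts):
    """Count of unresolved alerts per responsible team, for follow-up reporting."""
    counts = {}
    for a in alerts:
        if a.resolved is None:
            counts[a.owner] = counts.get(a.owner, 0) + 1
    return counts


# Constructed sample data; dates and titles are illustrative only.
REVIEW_TIME = datetime(2003, 8, 1)
SAMPLE_ALERTS = [
    ThreatAlert("A-001", "database listener overflow", "critical", datetime(2003, 1, 20), "dba-team", True),
    ThreatAlert("A-002", "RPC service overflow", "critical", datetime(2003, 7, 17), "windows-team",
                resolved=datetime(2003, 7, 19)),
    ThreatAlert("A-003", "web server directory traversal", "medium", datetime(2003, 7, 1), "web-team"),
    ThreatAlert("A-004", "switch management interface weak default", "low", datetime(2003, 7, 20), "net-team"),
]
```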
Vulnerability scanning is the second preventative action. Organizations must conduct regular scans of their environment to find any vulnerabilities that could be exploited. Threat research alone does not guarantee successful prevention, since new devices are typically added to the IT infrastructure frequently. If possible, organizations should also schedule scans of remote users' computers, as these are increasingly becoming the starting points for successful attacks. Armed with scanning and an effective threat research program, security teams can prevent most external attacks.
Unfortunately, fortifying the environment through threat research and scanning is not enough to guarantee the elimination of incidents. Organizations need to stay vigilant and continuously protect themselves against insider threats and the savvy hacker carrying out premeditated attacks. To accomplish this, security teams must conduct 24x7 security monitoring, immediate incident response and ongoing analysis of their enterprise-wide security activity.
Monitoring the network 24x7 will alert organizations to anything unusual that may signal malicious activity. Security monitoring should not be limited to security devices alone. Instead, monitoring needs to be holistic, encompassing applications, databases and other critical, high-risk components of the IT infrastructure. All the security information generated by the environment must be aggregated and correlated in real time. This provides security teams with the context of an attack in a timely fashion. Armed with this information, they will be able to respond more quickly and reduce their exposure to the attack.