For those of you that have been living under a rock for the past few months, there has been quite a lot of talk about Russia and their interference in the 2016 U.S. election. From open session meetings to leaked documents and the tweets heard round the world, the question on everyone’s mind is – how much did Russia have to do with the election results?
I’m not going to pretend I have the answer to that question nor do I want to talk about how to go about figuring this out – but it did get me thinking. Do we really know who our machines are talking to?
There are thousands of voting machines across the U.S. connected on different networks. There are servers that house these votes and there are networks used to calculate them. Your organization works in similar ways. If you have multiple locations, then you most likely have different networks that have to talk to each other as well as all of the devices on those networks. The data from all of these machines is most likely stored in the same data warehouse location where it’s accessed by multiple network devices. With infrastructure growing exponentially every day, do you know who you’re talking to or even where all of your connected devices are?
Where to start? Visibility – Monitoring vs. Mapping
At Core we are big fans of the line, “You can’t stop what you can’t see.” Though this may sound obvious for such a large problem, it’s true. If you can’t see what’s going on in your network, in real-time, then you can’t be sure of what’s going on. If you don’t know where all of your connected devices are and what they are connected to then you are no better off. Finding out after the fact that a device is communicating with a bad actor puts you behind on finding that device and shutting it down. Time that the bad actors are using to pivot through your network and find your sensitive data.
Back to visibility for a moment. Are you constantly monitoring the traffic going in and out of your network? If you are, then good for you – you can skip ahead to the next section. However, if you are like most people you don’t have the ability to do this. Like I mentioned before, the time it takes for you to be breached and alerted of said breach can be just as monumentally important when it comes to how much of your data is exfiltrated. Instead of getting alerts that something might be wrong or might not look 100% correct and wasting your time going back to find that one piece in 50 Billion communications, you need the ability to see it happening in real time and only get alerts when something is actually wrong.
There are over 1.2 Trillion DNS queries a day happening all across the world. That’s trillion, with a T. Even if your company was consuming 1% of this information it still would not be humanly possible to monitor it all. By using machine learning and threat modeling, you can create detection models to review this data and tell you if your devices are communicating with a known bad actor in real time. For example, every week we identify tens of thousands of newly suspicious command and control servers and IP addresses. From those, we verify and convict several thousand of them as malicious. Now, anyone with the right software solution can monitor their devices for any interaction with these malicious addresses and servers and your team can be alerted immediately to take action.
How many devices are currently connected to your network? I don’t mean the computers that are logged in at your office or the number of devices your IT team has provisioned to employees – I mean how many devices are, right now, on your network. Maybe you are ahead of the game and you can answer this question easily. However, if you are a company with 500 employees or more, figuring out this number can be a herculean effort and then you are having to answer where these devices are.
Using the earlier example, let’s say that through real-time monitoring you find that one of your devices, a server, is connecting with a known bad actor. It’s great that you know immediately that you need to shut this device down or at least, get it off your network. But where is it? Without having a map of where all of your devices are, who holds them and who to contact, the right information still doesn’t help.
You might be thinking, “Come on, a server? I know where all of my servers are, that’s easy.” But don’t forget about the always expanding Internet of Things (IoT). It’s no longer servers and laptops that you have to worry about but mobile phones, tablets, smart thermostats in your office or warehouse, smart televisions in the break room and more.
Do we have your attention? Look, this post isn’t meant to scare you – but it is meant to put you on guard for things to come. Are you finding hidden infections today? Do you feel confident that you can see and know when there is active C&C communication inside your network? Do you still have no idea how to wrap your head around the IoT? You are not alone! You need to understand what is going on inside your network in order to properly secure it. So start a test, get a checkup, or at the very least talk to your team and understand what you know, what you can see and where to go from here.