SAPPERNET CYBERSECURITY

Insider Insights on Cybersecurity

Endpoint Vulnerability Assessment and Management

Understanding your cybersecurity baseline allows deviations from the norm to raise red flags and signal a potential cybersecurity event.

Network Profiling – knowing how to detect security incidents on a network starts with an understanding of normal network function. Network profiling provides a statistical baseline, and deviations from that baseline could indicate a compromise. Keeping the network profile current is important: it ensures that the data you are using as a baseline is not out of date and that the statistics derived from it are accurate. Wireshark and NetFlow are two tools that can be used to monitor normal network traffic characteristics. The four most important elements for creating a network profile are: session duration, total throughput, ports used, and critical asset address space.

Server Profiling – determines what parameters are normal for a server, including network, user, and application information. Depending on the purpose of the server, the parameters for normal operation will vary, but they typically include: listening ports, logged-in users and accounts, service accounts, and the software environment.

Detecting anomalies on a network – Big Data analytic techniques are the most common approach to detecting network attacks; applied this way they are referred to as network behaviour analysis (NBA). As mentioned under network profiling, NBA uses statistics and machine learning techniques to compare normal baseline performance with current network performance.
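The baseline-and-deviation idea from the network profiling and anomaly detection paragraphs above, as an added example (not code from the original post): a per-port profile is built from constructed NetFlow-style records for the critical asset space, covering session duration, throughput and ports used, and new flows are checked against it. The address space, flow records and the 3-sigma threshold are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed NetFlow-style records (hypothetical, not real traffic): (src, dst, dst_port, duration_s, bytes)
BASELINE_FLOWS = [
    ("10.0.1.15", "10.0.0.5", 443, 12.0, 48_000),
    ("10.0.1.22", "10.0.0.5", 443, 15.0, 52_000),
    ("10.0.1.15", "10.0.0.5", 443, 9.0, 40_000),
    ("10.0.1.30", "10.0.0.6", 53, 0.2, 300),
    ("10.0.1.22", "10.0.0.6", 53, 0.3, 280),
    ("10.0.1.15", "10.0.0.6", 53, 0.1, 310),
]
CRITICAL_ASSETS = ip_network("10.0.0.0/24")  # hypothetical critical asset address space

def build_profile(flows, critical=CRITICAL_ASSETS):
    """Per-destination-port baseline for flows into the critical asset space:
    mean and population stdev of session duration and of throughput (bytes/s)."""
    samples = {}
    for _src, dst, port, dur, nbytes in flows:
        if ip_address(dst) in critical:
            samples.setdefault(port, []).append((dur, nbytes / max(dur, 0.001)))
    profile = {}
    for port, pairs in samples.items():
        durs, rates = zip(*pairs)
        profile[port] = {"dur": (mean(durs), pstdev(durs)), "rate": (mean(rates), pstdev(rates))}
    return profile

def check_flow(profile, flow, z=3.0, critical=CRITICAL_ASSETS):
    """Return the reasons a flow deviates from the profile; an empty list means it fits the baseline.
    Only flows into the critical asset space are judged; anything else is out of scope here."""
    _src, dst, port, dur, nbytes = flow
    if ip_address(dst) not in critical:
        return []
    if port not in profile:
        return [f"port {port} never seen in baseline for critical assets"]
    reasons = []
    observed = {"dur": dur, "rate": nbytes / max(dur, 0.001)}
    for name, (mu, sd) in profile[port].items():
        # z-score band; a tiny sd (few baseline samples) is floored so it cannot flag everything
        if abs(observed[name] - mu) > z * max(sd, 0.1 * mu):
            reasons.append(f"{name} {observed[name]:.1f} outside {z:g}-sigma band around {mu:.1f}")
    return reasons

if __name__ == "__main__":
    prof = build_profile(BASELINE_FLOWS)
    for f in [("10.0.1.15", "10.0.0.5", 443, 13.0, 50_000),
              ("10.0.1.40", "10.0.0.5", 3389, 30.0, 1_000),
              ("10.0.1.15", "10.0.0.5", 443, 600.0, 40_000_000)]:
        print(f, "->", check_flow(prof, f) or "within baseline")
```

A real profile would be built from days of flow data and refreshed regularly, which is the "keep the profile current" point made above.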

Common Vulnerability Scoring System (CVSS) – a risk assessment tool designed to convey the common attributes of vulnerabilities in computer hardware and software systems. CVSS uses three groups of metrics to produce a risk assessment score, which is used to help determine the urgency of the vulnerability. The three metric groups are: the Base metric group – describes the characteristics of a vulnerability that are constant over time and across contexts, namely the exploitability and impact metrics; the Temporal metric group – measures the severity of a vulnerability over time, since the severity changes as patches, signatures, and other countermeasures are developed; and the Environmental metric group – helps rate the consequences within an organization and allows it to decide what is and is not relevant to its own environment. Two other sources of vulnerability information work in conjunction with CVSS: Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD).

Risk Management – an ongoing process that an organization uses to determine which understood security risks it is willing to accept. It is also the process of choosing the tools used to protect the organization. The National Institute of Standards and Technology (NIST) describes risk assessment as "…the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur." (https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final). The four potential ways for an organization to respond to risk are: risk avoidance, risk reduction, risk sharing, and risk retention.

Vulnerability Management – NIST considers vulnerability management a security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization. The idea is that proactively managing vulnerabilities cuts down on the time and money spent dealing with the exploitation of those vulnerabilities.

Asset Management – keeping track of the location and configuration of networked devices and software across an organization.  

Mobile Device Management (MDM) – since members of a workplace typically use their own phones within an organization, it is best practice to assume that all devices are insecure until they have been properly secured by the organization.

National Institute of Standards and Technology (NIST) Cybersecurity Framework – I have referenced NIST several times throughout this blog post (and more in other blog posts) as it is very effective in the field of cybersecurity. NIST has developed and outlined a set of standards to help organizations best manage and reduce their cybersecurity risk. The core tenets of the NIST framework for optimizing cybersecurity outcomes can be broken down into five categories. Several of the points covered in this blog post can be found categorized within these tenets.

Identify – Develop an understanding of how to manage risk to systems, assets, data, and capabilities. Asset management, business environment, governance, risk assessment, risk management strategy.

Protect – Develop and implement safeguards to ensure delivery of critical infrastructure services. Management and access control, protection processes and procedures, maintenance, protective technology. 

Detect – Develop and implement strategies to identify the occurrence of a cybersecurity event. Anomalies and events, continuous security monitoring, detection processes. 

Respond – Develop and implement strategies for how to act on a detected cybersecurity event. Response planning, communications, analysis, mitigation, improvement. 

Recover – Develop and implement strategies to maintain resilience and restore systems or services that were impaired due to a cybersecurity event. Recovery planning, improvements, communications. 

https://www.nist.gov/
