“Be proactive rather than reactive” is the slogan of every NOC (Network Operations Center) and network specialist. The basic requirement is to make sure there is no compromise activity on your network and that the policies on your perimeter are intact.
Here is a support case we faced very recently with an enterprise that had a very large compromise attempt, and how our SEM (Security Event Management) module gave them enough information to nail down the issue completely.
This enterprise is one of the premium data centers, with multiple firewalls deployed across the globe. Firewall Analyzer Distributed Edition is deployed there: Log Collectors monitor their critical firewalls, and the Admin Server is managed by the Network Operations Center (NOC).
The actual support request to us was to set up a mechanism through which they could see the traffic activity of a separate subnet holding some critical servers, which hold the backed-up data along with product customizations.
Since the subnet had a mail server, we added an “Anomaly Profile”, which we normally advise all customers to do, as it is not uncommon for attackers to turn a compromised system into a spam relay. With this in mind, monitoring outbound TCP/25 activity from all systems except your legitimate SMTP servers is an excellent way of catching these transactions: the only hosts that should ever open outbound TCP/25 are your mail relays, so any other source doing so deserves an alert.
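To make the anomaly profile concrete, here is an added example of the same check run over constructed firewall log lines. It is illustrative code written for this post, not Firewall Analyzer's own profile engine, and it assumes a generic key=value log format, an allow-list of legitimate SMTP servers and a threshold (distinct external mail servers contacted within a window) that are all made up for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines in a generic syslog-like key=value format
# (not any vendor's real format). 10.20.5.10 is the legitimate mail server;
# 10.20.5.44 fans out to many external SMTP servers, the classic relay pattern.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 action=allow proto=tcp src=10.20.5.10 dst=203.0.113.25 dport=25
2024-03-01T10:00:02 action=allow proto=tcp src=10.20.5.44 dst=198.51.100.7 dport=25
2024-03-01T10:00:03 action=allow proto=tcp src=10.20.5.44 dst=198.51.100.9 dport=25
2024-03-01T10:00:03 action=allow proto=tcp src=10.20.5.44 dst=192.0.2.15 dport=25
2024-03-01T10:00:04 action=allow proto=tcp src=10.20.5.44 dst=192.0.2.16 dport=25
2024-03-01T10:00:05 action=allow proto=tcp src=10.20.5.44 dst=192.0.2.17 dport=25
2024-03-01T10:00:06 action=allow proto=tcp src=10.20.5.44 dst=10.20.5.10 dport=25
2024-03-01T10:00:07 action=deny proto=tcp src=10.20.5.61 dst=192.0.2.30 dport=25
2024-03-01T10:00:08 action=allow proto=tcp src=10.20.5.61 dst=192.0.2.40 dport=443
2024-03-01T10:20:00 action=allow proto=tcp src=10.20.5.77 dst=192.0.2.50 dport=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Assumed internal address space (RFC 1918) and the assumed allow-list of
# hosts that are permitted to talk SMTP to the outside world.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LEGIT_SMTP = {"10.20.5.10"}


def parse_logs(text):
    """Turn the key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse_outbound_smtp(events, legit_smtp, window=timedelta(minutes=10), threshold=3):
    """Report every internal host, other than the legitimate SMTP servers, that
    reached (or tried to reach) an external host on TCP/25.

    For each source: the peak number of distinct external mail servers it was
    allowed to contact inside any `window`, how many attempts the firewall
    blocked, and whether the peak crossed `threshold` (the anomaly alert)."""
    per_src = defaultdict(lambda: {"allowed": [], "blocked": 0})
    for ev in events:
        if ev["proto"] != "tcp" or ev["dport"] != 25:
            continue
        if not is_internal(ev["src"]) or ev["src"] in legit_smtp:
            continue  # inbound traffic and the real relays are out of scope
        if is_internal(ev["dst"]):
            continue  # submission to an internal mail server is not "outbound"
        if ev["action"] == "allow":
            per_src[ev["src"]]["allowed"].append((ev["ts"], ev["dst"]))
        else:
            per_src[ev["src"]]["blocked"] += 1  # blocked, but the host still tried

    reports = {}
    for src, data in per_src.items():
        flows = sorted(data["allowed"])
        peak = 0
        for i, (t0, _) in enumerate(flows):
            # distinct destinations in the window starting at this flow
            seen = {dst for t, dst in flows[i:] if t - t0 <= window}
            peak = max(peak, len(seen))
        reports[src] = {
            "peak_distinct_dsts": peak,
            "blocked": data["blocked"],
            "alert": peak >= threshold,
        }
    return reports


if __name__ == "__main__":
    for src, rep in sorted(analyse_outbound_smtp(parse_logs(SAMPLE_LOGS), LEGIT_SMTP).items()):
        print(src, rep)
```

Two points of the design carry over to a real profile. Denied attempts are reported separately rather than dropped: the firewall did its job, but a workstation that tries to speak SMTP directly is still a host worth looking at. And the threshold counts distinct external destinations in a window rather than raw connections, so one legitimate retry storm to a single partner relay does not fire while a relay spraying mail across the Internet does.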
Within 15 minutes of the setup, voila, we struck gold! One of their critical servers had been compromised (by an internal user!) and turned into a spam relay, and somehow a small glitch in certain conditions of their PAT rules added to the existing problem. Surprisingly, it was almost invisible and done so smartly that nobody had thought of it as the cause of the network choke.
The moral of the story: explore adhering to SIM (Security Information Management) and SEM objectives so that you are “proactive rather than reactive”.
Here are some tips for your review.
1. Create alert profiles (Normal and Anomaly) in Firewall Analyzer with thresholds that best suit your requirements. Firewall Analyzer is a powerful tool that can warn you the moment there is a compromise attempt on your network.
2. It is best practice for the NOC community to simulate such events themselves, to learn how their devices react to these situations. In this case we saw a minor configuration issue in the device policy that permitted these transactions. Always assume the hacker community is more resourceful than you: check and double-check.
3. Ensure all policies are tuned and optimized to secure the network. Check the Firewall Rules report for a more detailed drill-down.
4. Firewall Analyzer produces strong reports and alerts, but a scheduled audit of the raw logs, loading the archives and reviewing the activity, will surely give a better understanding, and that understanding should be translated into tweaks to the policies.
5. We are SIEM vendors; check with us regularly for best practices on the application side and for out-of-the-box solutions.