![]() ![]() Quickly create powerful cloud apps for web and mobileĮverything you need to build and operate a live game on one platformĮxecute event-driven serverless code functions with an end-to-end development experience Migrate, modernize, and innovate on the modern SQL family of cloud databasesīuild or modernize scalable, high-performance appsĭeploy and scale containers on managed KubernetesĪdd cognitive capabilities to apps with APIs and AI services Provision Windows and Linux VMs in secondsĮnable a secure, remote desktop experience from anywhere Put resources in understanding what is your normal network traffic and the external IP addresses that you need to trust to do business.Explore some of the most popular Azure products It also exposes the process information as well as web URL involved in the interaction. Defender for Endpoint can allow you to review source IP, destination IP, and the source port and destination port. Layering on Defender for Cloud Applications can also track the flows through SaaS and other cloud platforms. For those of you with a Microsoft 365 E5 license or a Microsoft Defender for Business (currently in public preview), the Advanced Threat Protection console provides similar information regarding the interaction of events on your workstations and servers. Other platforms perform similar functions and might provide as much or more information than NetFlow. Other options for monitoring network traffic You can also use cloud storage such as Azure Sentinel to store and review NetFlow information. Use resources such Splunk to store and to further analyze the information that you receive from your network. Enabling NetFlow analysis and storing it so that you can later review for patterns is key. NetFlow traffic can’t be used for just a single session it provides more information when it’s accumulated. It’s also a means to reduce bottlenecks and optimize bandwidth utilization. NetFlow isn’t just about malicious traffic. It’s not enough to enable it you need to log it so that you can go back and investigate malicious traffic after the fact. Start by pulling out your firewall manual and review if you can enable logging of NetFlow traffic. Even a small firm’s firewall can probably support this level of investigation. It tracks point of origin, destination, volume and paths on the network.įirst look to your edge devices, your firewalls and other devices that control the network traffic flow in and out of your network. Specifically, review NetFlow, a commonly used network protocol created by Cisco that collects active IP network traffic as it flows in or out of an interface. SANS recommended that you review what resources you have in place to monitor network traffic to see who might be inside your network. Having an offline backup should be a priority to ensure that you can recover in any situation. Ensure that you can recover from a ransomware attack and do not pay ransom to attackers. Last, but certainly not least, don’t become a source of funding for attackers. I also recommend reviewing the commonly attacked vulnerabilities and ensure that you have patched your network for them. I usually recommend holding off on patching until we know of any side-effects, but depending on your risk level you may want to test for updates on an accelerated basis and deploy sooner than normal. Add two-factor authentication to these connections where appropriate and consider if you need to make temporary adjustments in who connects to your network during this time. Remember, their security impacts your security. Review all virtual private network (VPN) connections to your network and where they come from. Review what business-to-business entry points come from weak links. Learn the lessons from the Maersk ransomware attacks that started from the Ukraine. Take the time to review and consider targeted entry points. Immediately we think of a cyberattack, but the root cause is often Domain Name Service (DNS) misconfigurations or core infrastructure issues. Configuration changes often introduce side effects that make you think an attack is underway from external sources. ![]() Slow down and review plans rather than make dramatic changes. Spend time on the basics and on other projects that you probably should have worked on earlier.ĭocumentation and planning are what you need to be doing now, not making changes and configuration adjustments. When reviewing your network for potential cyber threats, don’t make things worse by making misconfigurations that will create more problems. The second is that we need to pay more attention to network traffic. ![]() Too often with security issues we think the worse we may overreact and make the situation worse. A SANS Institute webcast about Russian cyberattack escalations in Ukraine presented a couple of takeaways. ![]()
0 Comments
Leave a Reply. |