Prevention & Detection
Doing business today requires organizations to constantly evolve. But keep in mind that as you change your IT infrastructure, the attackers targeting business networks are also constantly finding new ways in. It is almost impossible for your IT staff to keep up and maintain a defensive stance without the aid of intrusion detection systems. But here's the rub: there are hundreds of them on the market, with widely differing capabilities. Which one is right for you?
Because Cygnos is in the business of keeping pace with security evolution, we can provide you with a range of comprehensive IDS services that will enhance your in-house efforts and help you uncover the right solution.
IDS & Response Readiness
Implementing any piece of the security puzzle should follow a robust and proven methodology that recognizes that all components must reinforce each other and add layers to the defense in depth of the system. Above all, introducing a new defensive component must not conflict with, or weaken, any existing component.
To Cygnos, an IDS is part of a broader intrusion detection capability that draws on resources beyond the IDS box itself. An ID capability must be policy-based and rely on a clear understanding of the organization's security posture. It entails corroborating evidence of anomalies and suspicious activity from whatever intelligence sources exist in the environment being protected (firewall and system logs, for example).
Before embarking on the implementation of an Intrusion Detection capability, Cygnos will:
- Assess the security policy, and map it to IDS requirements:
- Unless a clear understanding is gained about which business goals the security policy is intended to support, an IDS implementation may fail to protect some of the IT resources that are vital to an organization's survivability.
- Assist in defining a response posture:
- Defining IDS requirements and capabilities also requires defining a response posture. A clearly defined response posture helps in deploying an IDS architecture that focuses on collecting data relevant to incident response and escalation, outlines how data the IDS collects is retained and disposed of, and details the extent and depth of IDS detection.
- Assess the prevailing security architecture:
- The prevailing security architecture is assessed with the objective of leveraging its existing features and capabilities to enhance IDS detection. This, in turn, improves the overall security of the organization as well as its response capability in the event of a breach.
- Ensure security services work in unison:
- All security services, including the IDS, must work in unison to protect the integrity and security of each service and of the organization's data. One such mechanism is proper firewall configuration, which prevents unauthorized access to the IDS itself (its management interface should be reachable only from the management network, never from the segments it monitors). At the same time, the IDS must be designed to detect attacks directed at the firewall. Another mechanism is encryption of IDS-generated data in transit and at rest, so that alerts and captured traffic cannot be read or altered by an attacker who has already compromised the monitored network.
- Develop Operations and Maintenance Procedures:
- Operations and maintenance procedures are needed to maintain, update and routinely verify that the IDS is working as intended (for example, that sensors still see traffic and that signatures are current). Procedures and strategies for managing IDS-generated data, including the handling of false positives and false negatives among other challenges, must also be developed and adopted.
- Develop and document a Threat and Risk Assessment vis-à-vis IDS:
- Before an IDS capability is deployed and trusted, a proper Threat and Risk Assessment (TRA) must be performed on the proposed solution. A TRA documents the solution's strengths as well as its weaknesses and vulnerabilities. The result is a better understanding of the limitations of the proposed solution, and therefore of how far it can be relied on for detecting attacks and for producing forensic evidence.
Cygnos' IDS services include:
- Building a business case on "why have an intrusion detection system;"
- Defining the components of an IDS and the methodology to follow;
- Determining the cost of implementing a strategy and ROI justifications;
- Appropriate selection of products and solutions;
- Implementation of a complete and successful strategy from A to Z; and
- Education and training.
Penetration Testing
If you don't currently know where the entry points to your network are, it will be hard to close the gaps. Penetration (perimeter) testing will verify or disprove the resilience of your IT infrastructure to attack at the time of the test.
Cygnos' practitioners are experts in penetration testing. We can test your network using the methodologies, practices and tools commonly deployed by real attackers. Clients can engage Cygnos for internal or external penetration testing assignments, or both if desired.
At the conclusion of our testing, we will present you with a written report detailing the tests performed, the outcome, and recommended countermeasures to seal the holes and vulnerabilities we discovered.
IT Forensic Analysis
Forensic analysis in IT is the science of establishing the "who, what, where, when and why" of a security breach. The analysis is supported by materials such as a complete paper trail, system and network logs, and disk or memory images, handled so that their integrity can be demonstrated later.
There are a number of standard steps involved in a forensic analysis, including:
- Detailing a written methodology
- Securing the environment
- Documenting the scene
- Securing the evidence (acquired read-only and hashed at the point of collection)
- Labeling and readying it for safe transport to the evaluation lab, with a chain-of-custody record
- Transporting the evidence
- Conducting the evaluation
- Reporting and defending the analysis process (sometimes in court)
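The "secure, label, transport, verify" steps above, as an added example that is not Cygnos' own tooling: seal each evidence file with a SHA-256 digest and a custody log at collection, then re-hash at the lab so that a modified or missing item is caught before analysis starts. The hash algorithm, manifest layout and the two sample evidence files are assumptions for this illustration, not case data.

```python
"""Evidence integrity manifest and chain-of-custody log (stdlib only).

Added illustration of the secure/label/transport/verify steps; not Cygnos'
tooling. Hash algorithm, manifest layout and the sample evidence files are
assumptions for the example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

HASH_ALGO = "sha256"   # assumption: SHA-256 is the sealing hash
CHUNK = 1 << 20        # hash in 1 MiB chunks so large images need not fit in RAM


def hash_file(path):
    """Stream a file through the sealing hash and return the hex digest."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, case_id, collector):
    """Seal every file in evidence_dir: record name, size, digest, who and when."""
    items = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            items.append({"name": name, "size": os.path.getsize(path),
                          HASH_ALGO: hash_file(path)})
    return {
        "case_id": case_id,
        "sealed_by": collector,
        "sealed_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
        "custody": [],   # append-only log of hand-offs during transport
    }


def record_custody(manifest, action, person, location):
    """Append a chain-of-custody entry (seal, hand-off, receipt at the lab)."""
    manifest["custody"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "action": action, "person": person, "location": location})
    return manifest


def verify_manifest(manifest, evidence_dir):
    """Re-hash each sealed item and return {name: 'ok' | 'modified' | 'missing'}.

    Any status other than 'ok' means the item can no longer be presented as
    the evidence that was collected on scene."""
    results = {}
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["name"])
        if not os.path.isfile(path):
            results[item["name"]] = "missing"
        elif (os.path.getsize(path) != item["size"]
              or hash_file(path) != item[HASH_ALGO]):
            results[item["name"]] = "modified"
        else:
            results[item["name"]] = "ok"
    return results


def demo():
    """Seal constructed sample evidence, verify it, then show tampering being caught."""
    with tempfile.TemporaryDirectory() as d:
        # constructed sample evidence (RFC 5737 documentation address), not real case data
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Jan 10 03:12:44 host sshd[812]: Failed password for root from 203.0.113.9\n")
        with open(os.path.join(d, "memory.raw"), "wb") as f:
            f.write(os.urandom(4096))

        manifest = build_manifest(d, case_id="CASE-0001", collector="analyst A")
        record_custody(manifest, "sealed on scene", "analyst A", "client site")
        record_custody(manifest, "received", "analyst B", "evaluation lab")
        before = verify_manifest(manifest, d)

        # failure mode: the log is altered after sealing and the image is lost in transit
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("Jan 10 03:13:00 host sshd[812]: Accepted password for root\n")
        os.remove(os.path.join(d, "memory.raw"))
        after = verify_manifest(manifest, d)
        return before, after, len(manifest["custody"])


if __name__ == "__main__":
    b, a, hops = demo()
    print(json.dumps({"before": b, "after": a, "custody_entries": hops}, indent=2))
```

The manifest itself should travel separately from the evidence (or be signed), since an attacker who can alter both the file and its recorded digest defeats the check; the example only shows the integrity comparison, not how the manifest is protected.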
Contingency Planning
Ensuring that your contingency arrangements are up to scratch is as important as building a continuity plan. The plan simply won't work if the continuity practices that support it are badly flawed.
Contingency planning usually involves the following activities:
- Impact Assessment - a comprehensive list of potentially serious incidents that could affect normal operations
- Developing the Plan - detailing a range of milestones to move the organization from a disrupted status to normal operations, including aftermath, critical business functions resumption, key individuals, etc.
- Testing the Plan - by those persons who would undertake the activities if the situation occurred in reality. Results are recorded.
- Personnel Training - involved individuals are made aware of the plan, its contents and their own related duties.
- Maintaining the Plan - the plan must be kept up to date and applicable to current business circumstances. Someone is usually assigned to do this. Any changes must also be tested.