It detected BotNets, uploaders, long-term connections, game players, and unknown-host downloads, but we still continually act to stay secure.
Nowadays, with technology changing constantly, any security manager is faced with more and more new security challenges.
Have you asked yourself:
- Is my business secure?
- Does my team have all the knowledge needed?
- Can we detect and investigate any suspicious behavior inside the infrastructure quickly?
- Is there a way to improve security in my company, to help the business avoid security risks, and to be compliant with legislation?
These things always drive me crazy. As the person responsible for overall IT security in a company, I'm always driven by this passion to be on top. At first sight, the security level of the company seems good enough, but how can I be confident? Maybe somebody has stolen your data already, but you did not get an alert. The answers to your questions lie in continuous analysis: the more information you get, the more you can sort it and keep only what is needed. This inevitably brings me to the end of my research: do we have full control of our assets within the environment? Or, to put it simply, how good is the change management process within your infrastructure? After this, I started to explore the products available on the internet that could satisfy my needs: asset control/inventory, change management, control of any suspicious behavior, visibility into what kinds of tools and applications are used, data leakage detection, low administrative workload, professional and quick support, precise event detection with minimal false positives, forensics, and evidence. I tested the best products from LastLine and FireEye, but there was always something that turned me off.
Finally, another product to test was found: the anti-malware, or APT detection, solution from TopSpin Security. This product uses both technologies, egress/ingress analysis and decoy methodology, to lure and detect malware. I was itching to launch it and to check whether it satisfied my needs in a "defense-in-depth" strategy.
My first surprise: it was a very simple deployment, with no need for technical or specific skills. I just forwarded or passed the traffic to the appliance, installed the services for the decoy, and launched it!
Woohoo!
In order, it detected:
- Botnets, not detected by IPS, AVs, or endpoint protection. Yes, let's clean up.
- Uploaders and long-term connections. Let's look a little closer. Gotcha: "shadow IT", rarely used or unpopular cloud backup services and HTTP/S file exchange services.
- Somebody repeatedly trying to access the same Internet resource; we dug again, and gotcha: game players.
- Someone tried to download a tool from an unknown host. Gotcha, two birds with one stone: a new host and executable downloads.
There were many more as well.
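To make the detection categories above concrete, here is an added example of the kind of egress-log heuristics they correspond to. This is illustrative code written for this review page, not TopSpin Security's product code, and it does not reproduce their decoy or ingress/egress analysis. The log format, the sample log lines, the baseline of known hosts, and the thresholds (one hour for a long-lived session, 10 MiB for a bulk upload, three hits for repeated access) are all constructed assumptions for the example.

```python
"""Toy egress-log triage for the detection categories named in the review.

Constructed example (not the product's code): parses made-up proxy log lines and
flags (1) long-lived or bulk-upload sessions, (2) repeated access by one source
to one resource, and (3) executable downloads from hosts absent from a baseline.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines in an assumed format:
# "<src_ip> <dst_host> <path> <duration_seconds> <bytes_out> <content_type>"
SAMPLE_LOG = """\
10.0.0.5 backup.example-cloud.test /upload 7200 52428800 application/octet-stream
10.0.0.7 cdn.gamehost.test /matchmaking 3 120 application/json
10.0.0.7 cdn.gamehost.test /matchmaking 2 118 application/json
10.0.0.7 cdn.gamehost.test /matchmaking 4 121 application/json
10.0.0.7 cdn.gamehost.test /matchmaking 3 119 application/json
10.0.0.9 198.51.100.23 /tools/agent.exe 5 0 application/x-msdownload
10.0.0.9 updates.vendor.test /patch.exe 5 0 application/x-msdownload
10.0.0.11 intranet.corp.test /home 1 300 text/html
"""

# Assumed baseline of hosts already known to the inventory (constructed).
KNOWN_HOSTS = {"updates.vendor.test", "intranet.corp.test"}

# Content types and suffixes treated as executable downloads (assumption).
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/x-executable"}
EXEC_SUFFIXES = (".exe", ".dll", ".msi", ".ps1")


@dataclass(frozen=True)
class Entry:
    src: str
    dst: str
    path: str
    duration_s: int
    bytes_out: int
    content_type: str


def parse_log(text: str) -> list[Entry]:
    """Parse the assumed whitespace-separated log format, skipping blank lines."""
    entries: list[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, path, dur, out, ctype = line.split()
        entries.append(Entry(src, dst, path, int(dur), int(out), ctype))
    return entries


def find_long_uploaders(entries: list[Entry], min_seconds: int = 3600,
                        min_bytes: int = 10 * 1024 * 1024) -> list[Entry]:
    """Sessions that stay open for a long time or push a large volume outbound."""
    return [e for e in entries if e.duration_s >= min_seconds or e.bytes_out >= min_bytes]


def find_repeat_access(entries: list[Entry], min_hits: int = 3) -> dict[tuple[str, str, str], int]:
    """Same source hammering the same resource; returns (src, dst, path) -> hit count."""
    counts: dict[tuple[str, str, str], int] = defaultdict(int)
    for e in entries:
        counts[(e.src, e.dst, e.path)] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}


def find_unknown_host_executables(entries: list[Entry], known_hosts: set[str]) -> list[Entry]:
    """Executable downloads (by content type or file suffix) from hosts not in the baseline."""
    return [
        e for e in entries
        if e.dst not in known_hosts
        and (e.content_type in EXEC_TYPES or e.path.lower().endswith(EXEC_SUFFIXES))
    ]


def triage(text: str, known_hosts: set[str]) -> dict[str, object]:
    """Run all three heuristics over a log text and return the findings per category."""
    entries = parse_log(text)
    return {
        "long_or_bulk_upload": [(e.src, e.dst) for e in find_long_uploaders(entries)],
        "repeat_access": find_repeat_access(entries),
        "unknown_host_exec": [(e.src, e.dst, e.path)
                              for e in find_unknown_host_executables(entries, known_hosts)],
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG, KNOWN_HOSTS).items():
        print(category, hits)
```

The point of the baseline in `find_unknown_host_executables` is the same one the review makes about asset control: a download of `patch.exe` from a host the inventory already knows is routine, while the same file type from a never-seen address is the combination worth investigating. Each threshold is a tuning knob; in a real environment they would be derived from the organisation's own traffic rather than fixed constants.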
I was surprised, or even a little shocked. What can I say? This product shattered my confidence that we had a secure company environment. It helped me unveil the truth: you must constantly search for new technologies, educate yourself, and use the right solutions to protect your environment.
Just some advice: stay secure, as nobody takes care of security better than you. It's not enough simply to believe that you are secure; you must act on security.
*Disclosure: I am a real user, and this review is based on my own experience and opinions.