Staying Calm During a Security Incident: Is It Utopia or Is It Good Design? 

By Zoë Rose, Contributor

Picture this: the latest security breach hits the media. Front page, it is the most invasive breach yet. You decide to scan the first few sentences, bored by now of all these announcements. Suddenly your stomach drops: this breach affects you. What do you do?

From my experience, most people upon receiving these notifications are at a loss when it comes to answering the “what now” questions. Many small businesses don't have a practiced incident response plan. Panic soon ensues until someone experienced is able to respond.

Now imagine for a moment that when that stomach-dropping realization happens, instead of panic, you remember that you have a practiced process and already know the “what now” response, and your fear is drastically reduced. That world of cyber confidence does exist, and it starts with understanding your network.

Know Your Baseline Normal
Throughout the day, employees log in to the network ready for exciting challenges. They may have some variance, but over time you can start to see the routine or create a baseline for each person, system and process. This baseline plays a major part in our security program, as it allows us to know the expected so we can search for the anomalies.

Take Aruba ClearPass for example. A network access control (NAC) product like ClearPass allows policies to be dynamically assigned to devices. NAC minimizes the management overhead whilst maintaining a well-defined expected access and data flow for the most unpredictable of devices, such as bring your own device (BYOD) and visiting guests. As a former IT manager, I know the challenge of having to deploy even the easiest of installs across a variety of devices. However, ClearPass kept things simple. As an agentless solution, there are no scripted installs or group policy pushes.

Now let's consider the incident response side of things. How would a NAC solution help with this? When investigating incidents, you have to start by looking at the network. What is considered normal, how is it structured, and who has access to what? Incidents are not always solved by just shutting everything down and slowly looking for a leak. The most important piece is that you need to understand the environment and spot unusual activities. Having a system actively monitoring the traffic and dynamically applying policies means that you have a documented policy list, groupings within the software, and an overall understanding of expected traffic.
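The baseline idea from the previous section and the “spot unusual activities” point above can be made concrete with a small script. The following is an added example, not code from this post, from Aruba ClearPass or from any NAC product: it builds a per-user baseline (known devices, destination networks, usual login window) from a set of constructed log lines and then reports which new events depart from that baseline. The log format, user and network names, and the two-hour margin are all constructed assumptions.

```python
"""Per-user baseline from access logs, then an anomaly check of new events.

Constructed example; the log format and all names are assumptions, not a
real product's output.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (format assumed):
#   <ISO timestamp> <user> <device> <destination network>
BASELINE_LOGS = """\
2024-03-04T08:55:00 alice laptop-01 corp-finance
2024-03-04T09:10:00 alice laptop-01 corp-finance
2024-03-05T08:47:00 alice laptop-01 corp-finance
2024-03-05T13:02:00 alice laptop-01 corp-shared
2024-03-06T09:01:00 alice laptop-01 corp-finance
2024-03-04T07:30:00 bob byod-phone guest-wifi
2024-03-05T07:45:00 bob byod-phone guest-wifi
2024-03-06T07:40:00 bob byod-phone guest-wifi
"""

# Constructed events to check against the baseline.
NEW_EVENTS = """\
2024-03-07T08:58:00 alice laptop-01 corp-finance
2024-03-07T02:14:00 alice laptop-01 corp-finance
2024-03-07T07:41:00 bob byod-phone corp-finance
2024-03-07T12:00:00 carol unknown-dev corp-shared
"""

HOUR_MARGIN = 2.0  # assumed slack (in hours) around each user's observed login window


def parse(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, dest = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "dest": dest})
    return events


def hour_of(event):
    """Time of day as a fractional hour, e.g. 08:30 -> 8.5."""
    return event["ts"].hour + event["ts"].minute / 60


def build_baseline(events):
    """Per user: known devices, destination networks, and the observed login hours."""
    per_user = defaultdict(lambda: {"devices": set(), "dests": set(), "hours": []})
    for e in events:
        b = per_user[e["user"]]
        b["devices"].add(e["device"])
        b["dests"].add(e["dest"])
        b["hours"].append(hour_of(e))
    return dict(per_user)


def find_anomalies(baseline, events):
    """Return one finding per event that departs from its user's baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            # A user with no history at all is itself worth a look.
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "reasons": ["no baseline for user"]})
            continue
        reasons = []
        if e["device"] not in b["devices"]:
            reasons.append(f"unknown device {e['device']}")
        if e["dest"] not in b["dests"]:
            reasons.append(f"unexpected destination {e['dest']}")
        lo = min(b["hours"]) - HOUR_MARGIN
        hi = max(b["hours"]) + HOUR_MARGIN
        if not lo <= hour_of(e) <= hi:
            reasons.append(f"login hour {e['ts'].strftime('%H:%M')} outside usual window")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "reasons": reasons})
    return findings


def run():
    """Build the baseline from the constructed history and check the new events."""
    baseline = build_baseline(parse(BASELINE_LOGS))
    return find_anomalies(baseline, parse(NEW_EVENTS))


if __name__ == "__main__":
    for f in run():
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

Run as-is, the script flags alice's 02:14 login (outside her usual window), bob's BYOD phone reaching corp-finance (a destination never seen for him), and carol, who has no history at all. Each of those is exactly the kind of question a documented policy list and known groupings let you answer quickly during an incident instead of shutting everything down.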

Whilst there are many more things I could cover, I want to bring up one issue I often have with traditionally designed networks by comparing them to a house. A London house is generally built so that thick brick walls cover the outside and every window and door is locked. Inside, apart from the toilet, there aren't any locks on the doors. This is how many networks are deployed, but what you might not have realized is that a network is not a house! Limiting the ability to traverse the internal network might seem excessive, but it's what turns a breach from your next moment of panic into an incident that can be handled more effectively.

Implementing controls such as NAC to reduce unneeded access and following the principle of least privilege can enhance our security without adding exceptional overhead to the management team.
