Saturday, September 24, 2022

5 must-subscribe-to security alert services

NetworkTigers on security alert services.

Security alerts help with detecting advanced cyberattacks in organizations. Most of the time, your organization's IT team gets bombarded with security alerts from the many IT devices in use. However, most of these alerts turn out to be false positives. The most challenging task for your IT team is to work out what normal behavior looks like, which alerts are false positives, and which are actual threats.

It is of utmost importance that the security team focuses on the right security alerts. Listed below are some of the must-have security alerts to start subscribing to so you can begin sifting through the false alerts.

1. Privileged User and Account Monitoring

One of the biggest security weaknesses in an organization is its privileged user accounts. End users whose endpoints carry root or administrator privileges can be infiltrated with malware. This can further lead to changes to network or system settings, or even let bad actors or hackers access sensitive data.

Dashboards should be created to monitor privileged user activity. Since privileged accounts are entry points to other systems and applications in your network, hackers always attempt to obtain access to them and escalate privileges. With access to these accounts, there is potential to work through firewalls or Intrusion Detection Systems (IDS).
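The kind of rule a privileged-activity dashboard would be built on, as an added example that is not part of the original article: it reads constructed audit events and raises alerts for a privileged login from a host outside that account's baseline, privileged activity outside business hours, and any account being added to an administrator group. The event format, account names and hosts are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample audit events (not from the article):
# "<ISO time> <account> <action> key=value ..."
SAMPLE_EVENTS = [
    "2022-09-20T09:15:02 svc_backup login host=db01",
    "2022-09-20T09:40:11 alice login host=ws17",
    "2022-09-20T23:05:44 root login host=bastion",
    "2022-09-20T23:06:01 root login host=ws17",
    "2022-09-20T23:07:30 alice group_add host=ws17 group=Administrators",
]
PRIVILEGED_ACCOUNTS = {"root", "Administrator", "svc_backup"}
ADMIN_GROUPS = {"Administrators", "sudo", "wheel"}
# Baseline (assumed): hosts each privileged account normally logs in from
EXPECTED_HOSTS = {"root": {"bastion"}, "svc_backup": {"db01"}}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time


def parse_event(line):
    """Split one audit line into a dict of fixed fields plus key=value pairs."""
    ts, account, action, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "account": account, "action": action}
    ev.update(dict(f.split("=", 1) for f in fields))
    return ev


def privileged_alerts(lines):
    """Return (alert_type, account, host) tuples for suspicious privileged activity."""
    alerts = []
    for ev in map(parse_event, lines):
        host = ev.get("host")
        # Any account gaining admin-group membership is a privilege change worth an alert
        if ev["action"] == "group_add" and ev.get("group") in ADMIN_GROUPS:
            alerts.append(("priv_escalation", ev["account"], host))
        if ev["account"] not in PRIVILEGED_ACCOUNTS:
            continue
        # Privileged login from a host not in the learned baseline
        if ev["action"] == "login" and host not in EXPECTED_HOSTS.get(ev["account"], set()):
            alerts.append(("unexpected_host", ev["account"], host))
        # Privileged activity outside business hours
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", ev["account"], host))
    return alerts
```

Against the sample events this yields four alerts: two for root's off-hours logins, one for root logging in from an unexpected workstation, and one for alice being added to Administrators.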

2. Abnormal Outbound Activity

Inbound traffic is always monitored by security teams, but is abnormal outbound activity monitored in the same manner? External communication from your network can take place over an abnormal port or protocol. Firewalls can only filter traffic and may not catch everything. These external communications may be used to deploy malware, carry on command-and-control activities or conduct swarm and hive bot activities.

Mechanisms should be deployed by your security team to filter, monitor and block external communication. Typically, outbound communication to public resources is normal; communication that is not directed at public resources could indicate unauthorized activity. Any suspicious activity should be checked against your security policy and known malicious patterns. Security alerts can be generated from your firewalls, IDS/IPS and switches to monitor these outbound activities. The best tried and tested way to monitor them is with a Security Information and Event Management (SIEM) system.

3. Acceptable Use Policy Violations

As part of the onboarding process, every employee should undergo a security briefing, followed by an annual review and sign-off thereafter. Acceptable use policies are usually signed by your employees when they join, but without the briefing and frequent check-ins their importance may be ignored. These policies are the security rules employees need to follow when using organizational technologies. AUPs protect the company's network and resources from bad actors, but they are often not monitored as intended.

Dashboards to review security alerts need to be set up by security teams. Downloading torrent content, browsing inappropriate content or falling for phishing scams are just a few instances where your company's network is exposed to malicious activity. Frequent check-ins and alerts can help find endpoints with malware quickly and thus help mitigate risk.

4. Data Exfiltration

One of the main purposes behind advanced persistent threats (APTs) is data exfiltration, which often shows up as unusual port activity. Ports that are used frequently can be used to get past firewalls and IDS, leading to theft of company information. Phishing scams and social media can also be used to infiltrate your company's network. Commonly abused ports include TCP 80 (HTTP), TCP 443 (HTTPS) and TCP/UDP 53 (DNS).

Techniques used by hackers to conduct an attack are as follows:

  • Web applications: Common ports can be used by threat actors to access your data directly.
  • Backdoors: These can be used to collect files and use common ports to hide traffic.
  • File Transfer Protocol: Hackers may use FTP or FTPS to transfer files, or may use a cloud provider.
  • Windows Management Instrumentation: This can be used to access files and mail accounts in Microsoft Outlook.

To identify any of the malicious activity mentioned above, security alerts can be set up on network intrusion detection and prevention system logs. Alerts may be configured to let your security team know when data is being shared externally beyond recommended limits. SIEM configurations that establish what normal traffic looks like and send alerts when traffic goes beyond this baseline will also be helpful.
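An added example, not from the original article, of the two outbound checks described in sections 2 and 4 run over constructed firewall log lines: egress on a port/protocol outside the allowed set (section 2), and a host whose outbound byte count exceeds a multiple of its learned baseline (section 4). The log format, the allowed-egress set, the baseline figures and the 3x threshold are all assumptions for the example; a SIEM would supply the real baseline.

```python
from collections import defaultdict

# Constructed outbound firewall log lines (not from the article):
# "<time> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port> bytes=<n>"
SAMPLE_LOG = [
    "10:00:01 src=10.0.1.5 dst=203.0.113.10 proto=tcp dport=443 bytes=120000",
    "10:00:05 src=10.0.1.5 dst=203.0.113.10 proto=tcp dport=443 bytes=90000",
    "10:01:10 src=10.0.1.7 dst=198.51.100.9 proto=udp dport=53 bytes=900",
    "10:02:33 src=10.0.1.9 dst=198.51.100.77 proto=tcp dport=6667 bytes=3000",
    "10:03:00 src=10.0.1.5 dst=203.0.113.10 proto=tcp dport=443 bytes=5000000",
    "10:04:12 src=10.0.1.7 dst=192.0.2.44 proto=udp dport=53 bytes=70000",
]
# Ports/protocols the (assumed) policy treats as normal egress
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}
# Assumed per-host outbound byte baseline for the observed window
BASELINE_BYTES = {"10.0.1.5": 400000, "10.0.1.7": 20000, "10.0.1.9": 50000}
BASELINE_MULTIPLIER = 3  # alert once a host exceeds 3x its baseline


def parse_line(line):
    """Turn one log line into a dict; port and byte count become ints."""
    ts, *pairs = line.split()
    ev = {"ts": ts}
    ev.update(dict(p.split("=", 1) for p in pairs))
    ev["dport"] = int(ev["dport"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def outbound_alerts(lines):
    """Return alerts for unusual egress ports and for volume over baseline."""
    alerts, totals = [], defaultdict(int)
    for ev in map(parse_line, lines):
        totals[ev["src"]] += ev["bytes"]
        # Section 2: communication over a port/protocol the policy does not allow
        if (ev["proto"], ev["dport"]) not in ALLOWED_EGRESS:
            alerts.append(("unusual_port", ev["src"], ev["dst"], ev["dport"]))
    # Section 4: total outbound volume well beyond the host's learned baseline,
    # which catches exfiltration even when it hides on an allowed port such as 443 or 53
    for src, total in totals.items():
        if total > BASELINE_MULTIPLIER * BASELINE_BYTES.get(src, 0):
            alerts.append(("volume_over_baseline", src, total))
    return alerts
```

On the sample log the 6667/tcp connection is flagged by the port rule, while the large HTTPS transfer and the oversized DNS traffic are only caught by the volume baseline.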

5. File Integrity Monitoring

File Integrity Monitoring (FIM) is a tool that needs to be looked into closely. Alerts and dashboards that show file status when unexpected changes are made need to be set up. File access auditing lets your team know whether any files were created or deleted, which programs were used to execute a file and which files are being viewed. Any unusual files need to be run through an anti-virus tool to identify malware.
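The core of a file integrity check, as an added example that is not from the article or any FIM product: a snapshot of SHA-256 digests for every file under a directory is taken as the baseline, and a later snapshot is compared against it to report created, deleted and modified files. The directory tree, file contents and simulated tampering are all constructed inside a temporary directory for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Return the integrity changes between a baseline snapshot and a current one."""
    common = baseline.keys() & current.keys()
    return {
        "created": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)  # constructed demo tree, not a real system path
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")
        baseline = snapshot(root)
        # Simulated unexpected changes: a binary replaced, a config removed, a new file planted
        (root / "bin" / "ls").write_bytes(b"\x7fELF-changed")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("# constructed new file\n")
        return compare(baseline, snapshot(root))
```

Each entry in the returned dict is what a FIM alert would carry; an untouched file such as etc/passwd produces no entry at all.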

Feba Maryann
Feba Maryann is a freelance journalist who writes for websites and magazines in Asia and North America. She is currently pursuing her Integrated Masters on Computer Science Engineering with a specialization in Data Science from VIT, Vellore.
