Security Monitoring Tools

Summary: From firewalls to passwords to other monitoring tools, every business needs to ‘think security.’ Dave Hodgdon and Steve Ripper from Portsmouth Computer Group discuss the security monitoring tools every business should have. Listen or read more to learn about IT security monitoring tools.

Mike: WTSN’s Morning Information Center all powered today by Portsmouth Computer Group with convenient locations in Portsmouth and Dover. They’ve got a new office in Portland. We’ll hear about that in a second. Brought to you by PCGIT for world-class IT service and customer support. Check out the website, a lot of good valuable information there. PCGIT dot com. Our good friends Steve Ripper and Dave Hodgdon join us from Portsmouth Computer Group. It is Tech Tuesday today, everybody!

Steve Ripper: Good Morning, Mike!

Dave Hodgdon: Tech Tuesday, March Madness!

Mike: March Madness, Tech Tuesday!

Steve: How are your polls doing?

Mike: My brackets are busted. How about you?

Steve: I’m looking good. Duke squeaked it out for me.

Mike: What a game, huh?

Steve: That was fun. They should have lost.

Dave: But you’re in a bracket with 54 other Duke pickers.

Mike: Everybody picked Duke this year.

Dave: Everybody picked Duke.

Mike: I was reading something this morning — the odds of having a perfect bracket, coming out of the first weekend of March Madness and picking all the teams in the sweet 16 is about 281.5 trillion to one.

Steve: And through the end of the weekend there was still one person who had . . .

Mike: There’s one person. Yeah. There’s one person.

Steve: It’s the longest it’s gone into the tournament where one person . . . [crosstalk]

Dave: Who’d he pick?

Steve: It’s a good question. He didn’t say. [crosstalk]

Mike: Hopefully he picked Duke. I don’t know.

Steve: Virginia or Gonzaga.

Mike: Good to have you guys with us and for people who don’t understand what Portsmouth Computer Group does, Steve, what does Portsmouth Computer Group really do?

Steve: We’re your outsourced IT department. If you don’t have a full IT department, you’re not big enough to have an IT department in your own company, we’re going to come in and we’re going to do that for you.

IT Monitoring Tools for Security

Mike: We’ve talked a lot about security over the last few months, and we’re going to talk about monitoring tools. What is considered monitoring tools? What are we talking about here today?

Steve: We’re talking about the agents and the tools that we might use or an IT department might come into your company and track and find out what’s going on. It gives you insight into what’s going on in your network. What is going on in your network? You don’t know. You don’t know what people are trying to hit your firewall and try to get into your network. What’s going on with your servers. What’s going on on your people’s desktops? Are there viruses? Are they accessing things that they shouldn’t be accessing? Are they using USB drives on their computers and you don’t want them to? Are hackers trying to get on the other side of your firewall? Just putting the firewall in isn’t enough. It’s a good first step. But you need to know what’s going on with it. Who’s trying to get in through the front door?

Mike: It’s really protecting your assets in your whole company, right?

Dave: You hit it right on the butt. Our goal is to minimize your risk — similar to why a financial planner wants to know all your data, an accountant wants to know all your data. Our job is to understand the network and we want to determine what that for that business is the biggest risk. It’s usually their data. It’s their people. Our job is to put the right stuff in place so we have an idea of what the activity is.

There’s so much going on as Steve just mentioned there. There’s so many vulnerabilities now. There’s so many people trying to get in, so you need to have the right tools to monitor stuff.

In the old days, we weren’t monitoring your switch, your wireless access points, your router. But now we have the ability to watch the traffic. Is some unusual traffic trying to come in? Is there a lot of congestion on a wireless that shouldn’t be there? We have the ability to remediate before it becomes a problem.

Why People Try to Gain Illegal Access to IT Networks

Mike: Why are so many people trying to break into these networks and break into these systems?

Dave: It’s all about the money.

Mike: Illegal money? Seriously? [crosstalk]

Dave: That’s why they call it the Dark Web. These people are just looking for a vulnerability and they’re making money and they’re making a lot of it. It’s trillions and trillions of dollars that are being made.

Mike: Obviously they’re pretty smart because they seem to be sometimes one step ahead of people. You guys are trying to be a step ahead of them.

Dave: Right.

Steve: The reason we talk about tools is because on average, for larger Fortune 500 companies, when a hacker is inside the network it is usually three to six months that they have been inside that network before detection has happened. They’ve been in there, looking at data. They don’t go in and just do something terrible right away. It’s actually an advantage to them to have a node, what we call a node, they’re inside the network to be able to get recurring data from that company.

Sometimes, they’ll use that access inside that company to get access on other companies. They’re in there and they’re basically living there inside the network.

When detection happens, they find out how long this has been going on. We use tools to try and find that out, whether we’re looking at the switches like Dave said, the firewalls, networking PCs, virus activity, intrusion detection . . . [crosstalk]

Logging, Firewalls, and Passwords

Mike: Talk about some of those examples of monitoring tools. What type of things . . . ?

Steve: You’ll hear the word ‘logging’ used a lot. We want to know what’s happening with the firewalls. We have tools that will access the logs and be able to parse the logs for us. It’s really expensive and time consuming to have a human being read the logs, that’s very time consuming, you miss them.

These are tools that can read the logs and be set up to say that “I’m looking for this specific type of event.” Someone coming through a particular port or trying to get into my firewall. Access passwords being changed. That’s a big one. Dave and I talk about that all the time.

Did passwords to the accounts on the network get changed and no one knew why they got changed or who’s changing them?

These are things that these tools are looking at telling us, hey, did you mean to have the administrator change, because we didn’t change it and you didn’t want to change it, so who did?

Mike: What’s a normal time, Dave, for companies to make all their employees change their passwords? After how long? How many months?

Dave: It should be, depending on your industry, it should be 30, 60 or 90 days you should be in a good password policy. The weakest link, as you know we love talking about security, password is the weakest link.

I’d like to give you a little example about, think about a sting operation or if we’re doing an investigation on someone. They want to watch and collect all the data before they actually go after the arrest. These people are inside the network and they’re waiting until they see enough data. They’re moving stuff and then that’s when they’re going to sting you. They’re going to hit you when it’s going to hurt the most.

Identifying Red Flags

Mike: Is there anything that company employees or managers can actually notice within the network on the computers? Anything that throws up a red flag at all?

Steve: That’s what we’re talking about. The tools do that. Without the tools, not really. What you’re doing without tools is you’re just throwing equipment at it. Well, I’ve got a firewall and a nice switch.

Dave: I’ve got my anti-virus . . . [crosstalk]

Steve: I bought all-new PCs and I have anti-virus. But without the tools . . .

Let me ask you a question, Mike. You’re a homeowner. We talk about things like protection, detection, and response. If you put up a fence around your house and you put a security system in your home and you have the police right in your town. If you could only have one of those, which one would you pick? If you could have one of those, which one is the most important? Protection. Detection. Response. The fence, the security system, the police.

Dave: It’s hard to say. I would think that I need all three.

Steve: You would need all three but, it’s important to understand which one is . . . I’m going to answer that question for you. It’s detection. Without that security system, how do you know if your fence is big enough?

Mike: That’s a good point.

Steve: How would you know? If someone got into your house and you didn’t have a security system, how would you know that they were in your house to call the police? It’s great that you have a fence and it’s great that the cops are doing their job, they always are. But without knowing if someone got in, you don’t know if you needed a nine-foot fence. You don’t know if the fence is working. Did you spend your money the right way?

Mike: Good point.

Steve: If they’re in there and you’re in Paris doing something and they’re stealing your stuff, without the security system going: “hey, there’s someone in here.” How could you call the police?

That’s what we’re talking about when we talk about tools. The tools tell us that someone is doing something bad or there are metrics that are not good for this company.

SIEM: Security, Event, and Incident Management

Dave: The big buzzword is called a SEIM. S-E-I-M. It’s for security, event and incident management. It gives you the ability to watch what’s coming and going and when unusual traffic happens, Mike, there’s so much going on. But there’s something all of a sudden . . . this data is starting to leave the building. Wait a minute. That’s not normal. As Steve said, maybe someone changed the admin passwords.

You’re looking at these thousands of things that our security operations center, when something is very unusual, that’s when we get the alert. Then you try to react. That three to six months is a long timeframe that someone can be in there. It’s important to see if something unusual is coming and going, then you can remediate it before it gets bad.

Properly Using a Firewall

Mike: We’ve all heard the term firewall. You’ve talked about it very frequently here on this program as well. What does the firewall actually really do? Hackers can break into the firewall and knock it down?

Steve: Sure. So, the firewall — we also use the word gateway — it’s the device that connects the network to the rest of the world. When your internet provider, Comcast, FairPoint, FirstLight, whoever is coming in your door, they’re going to drag a wire in. It’s a little more complicated than that, but they’re going to drag a wire in and connect the building to the internet.

The firewall is what we come and help you with. Or an IT professional will come in and put a firewall in front of that, connect the internet to it and then connect the rest of the network to the firewall. It’s your front door. It’s your data front door.

Dave: Think of it as the key. I have the keys to open the door. I’m in my building and I have access. I might have a second key to get into the HR room, I have access to get to that.

Mike: Okay.

Dave: It’s the first gateway. Like driving down the highway, I pay my money and I get through the tollbooth and I can continue to go. There’s ways around that, but that’s the first big premise, to keep it simple.

Steve: Right. Before the internet, the front door was literally the way you got into your company. You put on a big lock, you put a security system in and you made sure that nobody could come into your company.

Mike: Right.

Steve: With the advent of the internet, there’s now two ways into your company. Someone can still break in climbing through the window. That’s one. The other way is that they hack through your internet and your firewall to get into your network. You have to do both.

Mike: Interesting stuff. We’re speaking to Steve Ripper and Dave Hodgdon from Portsmouth Computer Group. The new office in Portland has been open since March?

Dave: We opened up March 1st. We’re excited to be in Portland and it matches PCG. Portsmouth Computer Group. Portland Computer Group.

Mike: Where in Portland are you guys?

Dave: We’re up on Industrial Way in South Portland. We’re excited to be in Portland. It’s a fun town out there . . . [crosstalk]

Mike: Very nice. Conveniently located here in Portsmouth and Dover, you can check out their website PCGIT dot com. They’re here every Tuesday, all part of Tech Tuesday. Any final words, guys?

Dave: Think security.

Mike: Think security.

Dave: Keep those doors locked. Have that fence. Have that dog. Think about where the vulnerabilities are. Think about changing your passwords. We talk about security awareness training. PCG is here to help. We’d love a call to help you out. We provide exceptional customer service. We’re looking forward to helping you out.

Mike: You can check them out at PCGIT dot com. The numbers are up there on the website. A lot of valuable information as well. Good to have you guys. Steve and Dave, thank you again.

Steve: Thank you, Mike.

Mike: Appreciate it. Always fun. [crosstalk] Tech Tuesday.

Dave: March Madness. Let’s get those tools to watch it. Let’s go March Madness.