The first hour of a security intrusion prudent, says experts
How a business acts in the first sixty minutes following a cyber security intrusion are prudent, according to Ixia.
The company says the actions taken within the first hour of a security intrusion can make the difference between minimal impact and major fallout.
According to Stephen Urquhart, general manager ANZ at Ixia, the first sixty minutes is known as the ‘Golden Hour’. he says there are a number of things organisations can do to detect and respond to an intrusion within this this timeframe.
“An unauthorised digital intruder will often do the largest amount of damage, such as network sabotage or intellectual property theft, within the first hour of a successful attack,” Urquhart says
“The implementation of inline security tools can help to minimise the damage done in the first 60 minutes,” he says.
There are three key types of security technology to consider:
1. Inline security tools
Inline security tools can monitor and respond to unusual network activity, such as unauthorised intrusions, in real-time, letting businesses reduce the likelihood of an information breach following an attack.
Inline security tools include intrusion prevention systems (IPSs), firewalls, security information and event management (SIEM) systems, threat analysis tools, and data loss prevention tools.
2. Bypass switch
A bypass switch lets organisations put inline security tools in service or take them out of service without disrupting the network. This provides more flexibility when a security tool needs updating, moving, or replacing.
Bypass switches also provide a fail-over capability. Although some security tools have bypass capabilities built into them, this sometimes doesn’t work in certain situations where software malfunctions. The additional bypass switch prevents this from being an issue.
3. Network packet broker
A network packet broker can be used as an additional measure that is inserted after the bypass switch and before the network security tool. This provides another level of analysis to pick up suspicious data.
A network packet broker can provide more flexibility with high availability solutions, tool chaining for better analysis, and data filtering, reducing the likelihood of tools being unnecessarily loaded.
“If organisations have these three elements in place, they will have a better chance at identifying and responding to an intrusion incident before it becomes a problem, and be in a better position to minimise recovery times if things do go awry,” Urquhart says.