Cyber defense is much more than security. “Security” can be misleading since it encourages people to think in terms of secure or insecure. This way of thinking leads to an overemphasis on preventative measures. Just like the human body, you need many more layers than that. A good cyber defense will also focus on deception, detection, and response in addition to prevention. In this video, we cover the four most important principles of cyber defense.

#1 Security Architecture:
You can’t defend what you can’t see. It’s really hard to build strong cyber defenses if the foundations aren’t sound. Security architecture is about improving visibility in the network through segmentation. You also want to maintain a good asset inventory and map to quickly identify what’s even there. Implementing policies like blocking removable media or blocking protocols are also architectural in nature.

#2 Security Monitoring:
Every asset connected to the network needs to generate telemetry. This gives you visibility into the activity occurring on them. Network traffic itself should also be sent to an IDS sensor like Snort or Zeek to generate security data from it. These logs should be aggregated and synced to a centralized location for monitoring. A team of analysts can build systems to detect and alert on anything anomalous. This team serves as the backbone of the network’s cyber defense.

#3 Implement Choke Points
For effective security monitoring, it’s key to limit the paths devices can communicate on. Blocking outbound traffic by default is the best way to do this. What is allowed to traverse the network then needs closer inspection. The best way to do this is to force clients to use a local DNS resolver or web proxy to access the Internet. Any traffic not destined for these inspection points is automatically suspect. What does go through can then be analyzed against blocklists or a reputation scoring service. Choke points not only restrict an attacker’s maneuverability but also make it easier to conduct proper cyber defense.

#4 Harden Systems with a Security Baseline
Systems running default configurations are highly vulnerable to generalized attacks. Deploying a security baseline on your assets ensures a consistent level of hardening against them. It also helps with managing change configuration on your network. Authorities like CIS, NIST, DISA, or vendors will all provide recommendations for different types of systems. These include operating systems, applications, phones, and network appliances. Whether it’s scripts, Group Policy Objectives, or Ansible playbooks, they’ll also offer ways to automatically apply baselines too.

00:00 Intro: How to Improve Cyber Defense For Your Network
01:11 The Biggest Misconception in Cyber Security
02:52 Traditional v. Modern Cyber Defense
05:02 Security Architecture & Building a Defensible Network
07:44 Principles of Security Monitoring: Assets & Endpoints
09:40 Create Choke Points In Your Network For Inspection
12:11 Collect Traffic With Network Security Monitoring
14:13 Hardening Systems with a Security Baseline
16:52 Strategies for Implementing Your Cyber Defenses

👍 LIKE AND SUBSCRIBE 📺

----- Resources -----

Rob Joyce’s talk at USENIX Enigma 2016:
https://www.youtube.com/watch?v=bDJb8WOJYdA

#CyberDefense #DFIR #Cyberspatial