Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
I would like to straighten the defense of the web application by talking about Intrusion Detection and Prevention Systems (IDS and IPS) as the third member of this security trio defense: WAF, RASP, and IDPS. In the previous articles, I talked about security defense technology Runtime Application Self-Protection (RASP) and Web Application Firewall (WAF).
What are IDS and IPS?
Intrusion Detection Systems and Intrusion Prevention Systems are used to detect intrusions and, if the intrusion is detected, to protect from it.
First, I will focus on explaining the differences between the WAF, RASP, and IDPS.
What is the difference between WAF, RASP, and IDPS?
I have already explained in previous articles the difference between WAF and RASP. Still, I will introduce IDPS and show you exactly why a combination of this trio is the best security choice.
Summary: IDPS is used to detect intrusions and protect from them. WAF will detect and block attacks based on rules, patterns, algorithms, etc. RASP detects the application runtime behavior using algorithms.
Why is it best to use both IDS and IPS?
To better understand why it is important to use both systems, we need to know what each of them does and doesn’t do and how combining them gives more effective protection. Each of those systems has its own types, which will be explained below.
Location and Range
These two types of security systems operate in different locations and have different ranges.
Facts:
· IDS works across the enterprise network in real-time by monitoring and analyzing network traffic.
· IPS works in the same network location as a firewall by intercepting network traffic.
· IPS can use IDS to expand the range of monitoring.
By knowing this and using both IDPS, you can cover more range.
Host-based IDS and IPS
There are a few types of IDS and IPS. I will mention them so you can know which one targets what, but there is plenty of online documentation for more information.
Host-based IDS (HIDS) is used for protecting individual devices. It is deployed at the endpoint level. It checks network traffic in and out of a device, and it can examine logs and running processes. HIDS protects only the host machine. It does not scan complete network data. Similar to this type, IPS has its own Host-based IPS (HIPS). HIPS is deployed on clients/servers, and it monitors the device level as well.
Network-based IDS and IPS
Network-based IDS (NIDS) works on monitoring the entire network. It looks out at every network device and analyzes all the traffic to and from those devices. On the other side, IPS has its own type, called Network-based IPS (NIPS), deployed within the network infrastructure. It monitors the complete network and, if needed, tries to protect it.
**NIDS and NIPS are very important to network forensics and incident response because they compare incoming traffic to malicious signatures and differentiate good traffic from suspicious traffic.
Wireless IPS
IPS also has Wireless IPS (WIPS) type that monitors radio waves (wireless LAN) for unauthorized access points, which you can use to automate wireless network scanning. Techtarget site provided ways of using WIPS in enterprise in this article. Check it out!
Protocol-based intrusion detection systems (PIDS) and Application protocol-based intrusion detection systems (APIDS)
Both protocol-based systems are the type of IDS. They both monitor traffic to and from devices. The only difference is that PIDS monitors one server and APIDS group of servers.
Network behavioral analysis (NBA)
Network behavioral analysis (NBA) is the type of IPS that looks for unexpected behavior within patterns of a network itself.
IDS and IPS modes
IDS is generally set to work in inline mode. As for IPS, it is set to work in the network behind the firewall. It can operate in both modes: as an end host or in inline mode.
For more info regarding pricing, pros, cons and features of these tools checkout the softwaretestinghelp site.
Also, spiceworks.com provided the list of the most used IDPS tools:
· AirMagnet Enterprise
· Amazon Web Services (AWS) GuardDuty
· Azure Firewall Premium IDPS
· Blumira
· Cisco Secure IPS (NGIPS)
· Darktrace Enterprise Immune System
· IBM Intrusion Detection and Prevention System (IDPS) Management
· Meraki MX Advanced Security Edition
· NSFocus Next-Generation Intrusion Prevention System
· Snort
For more info regarding pricing, pros, cons and features of these tools check out the spiceworks site. This research will also help you choose the right IDPS solution based on these tools’ features.
What is Next-Generation Firewall (NGFW) or Unified Threat Management (UTM)?
There is a modern type of technology that combines IDS and IPS with firewalls called Next-Generation Firewall (NGFW) or Unified Threat Management (UTM).
NGFW includes:
· Standard firewall features (packet filtering, stateful inspection, and VPN awareness)
· Integrated Intrusion Prevention (IPS)
· Application awareness of threats
· Detect and block risky apps
· Threat intelligence
· Upgrading security features (such as future information feeds)
· New techniques that help to address new security threats
Researchers for nomios site have gathered information and made a list of the top 5 vendors for NGFW in 2022. Also, they gave suggestions on what you should look for when choosing the right NGFW tool. Check it out!
Conclusion
You should combine IDS and IPS because of three things: response, protection, and impact. If you decide to use IDS, the testing will stop at the detection phase but using IPS based on settings and policy testing will also include the prevention. Because IPS reacts immediately, it gives a certain layer of protection aside from detecting malicious activity. However, there are false positives possible using IPS that will end up shutting your network.
Organizations often set up Integration Detection Systems to handle the logs and notifications/alerts, routers, firewalls, and servers to fight threats.
A better solution would be using a combination of IDPS and setting it up when planning security. In the future, when the organization grows and needs better protection, it will be possible to use IDS/IPS solutions for additional networks, servers, or devices.
Also, depending on the organization’s security needs and cost restrictions, NGFW can be a good choice too!
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About VRX VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
The information comes from a 2021 AdvisorSmith survey of 1,122 small business owners and managers. Yet, a whopping 61% of them aren’t concerned about falling victim to cyberattacks. They think they’re “too small to be a target.”
Bad actors target small businesses and small-to-medium-sized enterprises (SMEs) just as frequently (if not more so) than established organizations. Websites get hacked, email accounts get compromised, and sometimes, employees even steal sensitive information.
While it’s understandable for budget-conscious SMEs to put cybersecurity measures on the back burner, it just isn’t worth the risk. Especially when there are simple actions organizations of all sizes can take to improve their security tenfold.
Before we dive into our top five cybersecurity tips for SMEs, let’s take a moment to better understand what factors might make your organization an easy target.
Why SMEs Are Easy Targets for Cybercrime
As previously mentioned, many folks assume adversaries solely target enterprise companies because they provide larger opportunities for blackmail profits.
What they don’t realize is that SMEs are often targeted by chance, not by choice. Cybercriminals may impersonally wade through lists including hundreds of business names without doing much research into organizational holdings.
With that said, SMEs and enterprise-level companies alike are often chosen for the following reasons:
1. Money
Most cybercriminals carry out attacks for financial benefits. Naturally, receiving direct payments from victims is the most efficient way to profit from an attack. They usually lock down assets, before demanding a ransom to unlock them.
Intellectual property (IP) is a highly motivating asset to steal. Criminals know that an SME will pay big to get it back as a leaked IP can bring a small business down to its knees. Some hackers also sell breached assets, data, and information in the black market for profit.
2. Company Damage
Alternatively, some attacks are politically, competitively, or ideologically motivated. Though it may sound like the plot of a thriller movie, disgruntled former partners, business rivals, and unhappy employees have all been known to hijack organizational systems.
A successful cyberattack can cause major damage. They can wipe data, cause downtime, or even drive a total business shutdown. In addition to depleting bottom lines, they can ruin consumer trust. Breached SMEs also risk facing compliance ramifications, especially if the breach affected other consumers and other third parties.
3. Access to Resources
Cyberattacks can also be aimed at leveraging the company’s resources and relationships. For example, cybercriminals may target your business as part of a larger DDoS attack, to steal customers’ personally identifiable information (PII) for financial fraud, or just to hijack your computer resources for crypto mining.
4. Testing Tactics
Software engineers aren’t the only ones who run tests! Cybercriminals sometimes experiment with new tactics and attack vectors on smaller businesses before targeting the big fish in the pond.
SMEs are an easy target in such cases because the criminals expect their defenses to be weak. Don’t allow your organization to be someone’s stepping stone to a more high-impact target.
5. Becoming a Casualty in a Supply Chain Attack
Finally, SMEs are sometimes victims of circumstances. An attack may target a large vendor’s asset and infect the entire supply chain, spreading out to customers, other third parties, and even SMEs that interact with the compromised assets or parties.
These unintentional attacks may still end up crippling businesses. There are many other reasons why SMEs make easy targets for criminals. But the bottom line is that SMEs’ resource limitations can make them attractive and impactful targets to cybercriminals.
Whether you’re the target of an intentional attack or a victim of an unintentional attack, the implications of a security breach can be dire.
It’s better to take a proactive approach to cybersecurity than deal with potential financial, legal, and reputational challenges down the line. Below are five simple measures that can help you to improve your business’s cybersecurity even on a budget:
1. Implement Multi-Factor Authentication
Leveraged credentials such as passwords cause 61% of data breaches. Implementing multi-factor authentication can help in reducing these breaches.
Multi-factor authentication (MFA) is a security method for protecting access to online resources by utilizing multiple (often two) factors to verify a user’s identity. The MFA requires an additional form of identity besides a password. This can be a security key, biometric data, one-time passcode (OTP) via email or SMS, or a push notification from a supported smartphone or tablet app.
Implementing MFA has many benefits, including securing your resources even if your passwords have been compromised.
Antivirus software is great at stopping known malware threats. But admins must keep systems up to date in order for them to work properly. This is why it’s important to stay on top of patch management. Your computers, servers, and operating systems should always be patched.
System patch management is critical because patches often fix bugs and address security vulnerabilities in operating systems. For the modern business with distributed workforces and a variety of work devices and operating systems, manual patching can be a headache. Consider cloud patch management solutions within unified toolkits like the JumpCloud Directory Platform.
A firewall is a security system that filters network traffic and prevents unauthorized access to your network. Besides blocking unwanted traffic, firewalls also protect your systems from malicious software infections. It prevents unauthorized access to sensitive company data. They are an invaluable tool in web traffic management.
With a dependable firewall in place, only trusted sources and IP addresses can access your systems. Firewalls often differ based on their structure, functionality, and traffic filtering methods. Some of the most common firewalls include:
Firewalls are crucial components of any perimeter-based cybersecurity. For your network and devices to be protected, you need to properly set up and maintain your firewall. Always ensure your firewalls are up to date.
4. Enforce Strong Password Policies
All your cybersecurity efforts can go to waste if you have ineffective password policies. Besides emphasizing strong passwords that are difficult to crack, you should also encourage your employees to change their passwords regularly and not share them with other people. Implement multi-factor authentication as discussed above.
People within your organization can pose significant security risks too. Insider threats happen when people with access and privileges abuse them. This is why it’s crucial to carefully consider who needs access to what.
Implementing the principle of least privilege will protect your resources from insider threats. Additionally, it makes it easier to monitor compliance and makes it easier for your employees to access the resources they need instead of having to sift through everything.
For SMEs with lean budgets, cybersecurity can feel unattainable. But you can’t afford to completely skip on security.
The five simple, cost-effective actions outlined above can significantly improve cybersecurity without breaking the bank. There are also affordable tools such as JumpCloud, with a la carte options, that can help SMEs streamline security efforts in a centralized platform.
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About JumpCloud At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.
On October 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks. The directive requires that federal civilian executive branch (FCEB) departments and agencies perform automated discovery every 7 days and identify and report potential vulnerabilities every 14 days. Additionally, it requires the ability to initiate on-demand asset discovery to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA.
To meet these requirements, agencies will need to start with an accurate asset inventory. Most agencies will attempt to leverage existing solutions, like their vulnerability scanners, to build their asset inventories. It seems reasonable to do so, since most vulnerability scanners have built-in discovery capabilities and can build asset inventories. However, they will quickly learn that vulnerability scanners are not up for the task and cannot help them sufficiently and effectively meet the requirements laid out by CISA.
Let’s take a look at why agencies need a solution solely focused on asset inventory, in addition to their vulnerability scanner, if they want to tackle CISA BOD 23-01.
Asset inventory is a foundational building block
Every effective security and IT program starts with a solid asset inventory. CISA BOD 23-01 reinforces that imperative. Specifically, it states, “Asset discovery is a building block of operational visibility, and it is defined as an activity through which an organization identifies what network addressable IP-assets reside on their networks and identifies the associated IP addresses (hosts). Asset discovery is non-intrusive and usually does not require special logical access privileges.”
What does this mean? FCEB agencies looking to meet the requirements outlined by CISA BOD 23-01 must be able to discover managed and unmanaged devices connected to their networks. Internal and external internet-facing assets must be cataloged with full details and context. All within the timeframe outlined by CISA.
So now, the question is why vulnerability scanners can’t be used to meet the requirements laid out in the directive.
The challenges of asset inventory with vulnerability scanners
As the number of devices connecting to networks continues to grow exponentially, agencies need to stay on top of these devices; otherwise, they could provide potential footholds for attackers to exploit. However, common issues like shadow IT, rogue access, and oversight continue to make it difficult to keep up with unmanaged devices. BOD 23-01 highlights the importance of identifying unmanaged assets on the network. That’s why the need for a fully comprehensive asset inventory is the key to adequately addressing the directive.
So, why can’t vulnerability scanners deliver on asset inventory? Most vulnerability scanners combine discovery and assessment together, resulting in slower discovery times, delayed response to vulnerabilities, and limited asset details. As a result, most agencies are left wondering how they can do a better job building their asset inventories.
Combining discovery and assessment slows everything down
Vulnerability scanners typically combine asset discovery and assessment into one step. While on the surface, this appears to be efficient, it is actually quite the opposite. In regards to asset discovery, CISA BOD 23-01 specifically requires that FCEB agencies perform automated discovery every 7 days and identify and initiate on-demand discovery to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA.
Because vulnerability scanners leverage a lot of time-consuming checks, they’re not able to scan networks quickly enough. Add in the complexity of highly-segmented networks and maintenance windows, and it is nearly impossible to effectively utilize vulnerability scanners for discovery and meet the timing requirements outlined by CISA.
Under the new directive, assessing the potential impact of vulnerabilities becomes even more urgent. Agencies will need to perform on-demand discovery of assets that could be potentially impacted within 72 hours, if requested by CISA. When security news breaks, agencies need to respond as quickly as possible, but vulnerability scanners slow down the process. In a scenario like this, it would be more efficient to have a current asset inventory that agencies can search–without rescanning the network. This is particularly useful if agencies know there are specific assets they need to track down, they can query their existing asset inventory to identify them immediately.
For example, let’s say a new vulnerability is disclosed. Vendors will need some time to develop the vuln checks, and agencies will need to wait for the vuln checks to become available. Once they’ve been published, agencies can finally start rescanning their networks. Imagine waiting for the vuln check to be released, and then delaying the rescan due to scan windows. Without immediate insight into the potential impact of a vulnerability, agencies are playing the waiting game, instead of proactively being able to assess the risk.
How agencies can speed up discovery
So, what can agencies do? Let vulnerability scanners do what they do best: identify and report on vulnerabilities. Complement them with a dedicated solution that can automate and perform the discovery of assets within the timeframe set by the directive. In order to accomplish this, the asset inventory solution must be able to quickly and safely scan networks without a ton of overhead, be easy to deploy, and help security teams get ahead of new vulnerabilities.
Agencies need to have access to their full asset inventory, on-demand, so they can quickly zero in on any asset based on specific attributes. This information is invaluable for tracking down assets and investigating them, particularly when new zero-day vulnerabilities are uncovered. When the new zero-day is announced, agencies can find affected systems by searching across an existing asset inventory–without rescanning the network.
Meet CISA BOD 23-01 requirements with a dedicated asset inventory solution
It is increasingly evident that decoupling discovery and assessment is the most effective way to ensure that agencies have the data needed to accelerate vulnerability response and meet the requirements outlined in the directive. Because let’s face it: vulnerability scanners are really good at vulnerability enumeration–that’s what they’re designed to do. However, they really miss the mark when it comes to discovering assets and building comprehensive asset inventories. Because vulnerability scanners combine discovery and assessment, they aren’t able to scan entire networks quickly, and at times, they don’t fingerprint devices accurately.
As a result, many agencies are wondering how to meet the requirements outlined in CISA BOD 23-01 if they can’t depend on their vulnerability scanner for discovery. Agencies will need to start looking for a standalone asset inventory solution that is capable of performing unauthenticated, active discovery, while also enriching data from existing vulnerability management solutions.
How runZero can help agencies focus on asset discovery
runZero separates the discovery process from the vulnerability assessment stage, allowing agencies to perform discovery on-demand. Because runZero only performs discovery, it can deliver the data about assets and networks much faster than a vulnerability scanner. Customers have found that runZero performs scans about 10x faster than their vulnerability scanner, allowing them to:
Get a more immediate day one response to new vulnerabilities.
Gather as much information as possible about assets while waiting for vulnerability scan results.
That means, while waiting for vulnerability assessments to complete, agencies can already start digging into their asset inventory and identifying assets that may be impacted by a vulnerability. runZero regularly adds canned queries for assets impacted by newly disclosed vulnerabilities and highlights them via Rapid Response. Users can take advantage of these canned queries to instantly identify existing assets in the inventory that match specific identifiable attributes. For example, querying by hardware and device type can narrow down assets to a specific subset that may be affected by a vulnerability. All of the canned queries can be found in the Queries Library.
All in all, runZero is the only asset inventory solution that can truly help FCEB agencies stay on top of their ever-changing networks. By decoupling asset discovery from vulnerability assessment, agencies will gain visibility and efficiencies, while meeting the requirements set by CISA BOD 23-01.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
