How to secure your network from the ground up
Approximately 50% of UK businesses have a basic skills gap in cybersecurity. The most common of these skills gaps are in setting up configured firewalls, storing or transferring personal data, and detecting and removing malware. For this reason, many organisations choose to outsource building and managing their IT network, as well as securing it.
But how should you approach this task?
In this blog, we will demonstrate how to secure your network by combining network security gateways such as firewalls, with more advanced cybersecurity measures such as Endpoint Detection and Response (EDR) and Managed Detection & Response (MDR), and why you’re better off using the same provider for both.
Past vs. present
Back when things were simpler, people thought of their IT estate as a walled garden. Sure, we still had security controls that made it more difficult for attackers to escalate their privileges once inside, but for many, our attention was focused on securing the perimeter. For network security, this meant focusing on firewalls, email filters and user logins (or identity and access management more broadly). Understanding the ruleset and keeping your firewalls patched and up to date was half the battle.
Nowadays, the walled garden is gone. Instead, the network looks like a teeming and ever-changing metropolis. With complex IT estates that incorporate on-premises infrastructure, multi-tenant and hybrid cloud solutions, as well as remote workers with endpoints and mobile devices, just keeping tabs on everything is a struggle – let alone keeping it secure.
Now our IT networks offer a much broader attack surface to hackers, and their complexity creates gaps and blind spots that enable hackers to evade detection as they perpetrate cyber-attacks. But as sure as the sun rises in the east we know one thing: cybersecurity shouldn’t stop at the perimeter. We should be able to detect and stop cyber-attacks at any stage in the kill chain – the earlier the better.
Cybersecurity shouldn’t stop at the perimeter
Long before the walls of the garden came tumbling down with cloud and remote working, cybersecurity professionals knew: securing the perimeter is just one component of building defence-in-depth – robust security controls applied throughout the IT estate.
For everything at the perimeter of the network:
- Keep devices patched, whether they be routers, firewalls, APs, etc.
- Utilise firewalls with Unified Threat Protection (UTP)
- Ensure this includes web filtering, URL and email filters to catch spam and malware
- Ensure you have Multi-Factor Authentication and good Identity and Access Management controls to monitor logons.
For everything inside the network, use:
- Endpoint Detection and Response to gather log data on suspicious behaviour from endpoints
- Managed Detection and Response to gather log data from your entire IT network
- Penetration testing to find and fix security vulnerabilities within your IT assets.
| | Action | Objective |
|---|---|---|
| Network side | Examine network architecture to understand topology and access privileges | Look for security weaknesses and misconfigurations that enable attackers to move laterally throughout the network once they have gained a foothold. |
| | Evaluate security configurations and access permissions throughout the network | Look for policy misconfigurations on the network that would enable attackers to escalate their access privileges. |
| | Implement firewalls, then configure, update and patch them. | Detect and contain malware. |
| Security side | Set up EDR and/or MDR, and configure the telemetry to ingest logs from all the right sources. | Gather event data from endpoints and across the network to detect cyber-attacks in progress. |
| | Penetration testing for assets throughout the network to test security gaps and misconfigurations. | Find and fix vulnerabilities that attackers could exploit during a cyber-attack. |
| | Penetration test firewalls and network configuration templates | Find and fix vulnerabilities in perimeter security that could enable attackers to gain a foothold on your network. |
Although these are general principles for best practice, there are some specific nuances depending on the type of network you have.
MPLS
With an MPLS network, the topology is slightly flatter, making it easier for attackers to move laterally around the network once they have gained a foothold. However, this can be addressed with robust security policies on the network.
When clients come to Claranet to build and manage their MPLS network, we work with them to:
- Build their network with security as a focus from the outset, ensuring both the gateway firewall and the router configuration at sites follow best practice
- Evaluate their current network and its architecture to understand what is in place and why, which helps to explain the improvements that can be made
- Seek to understand the needs of the customer and their specific (and often varied) security requirements
- Create a ruleset for those firewalls that is understood and documented
- Work collaboratively to plan and test the migration, and then monitor the network throughout its life, patching devices through our Customer Experience and Managed Service (CXMS) teams.
SD-WAN
With an SD-WAN network, whether implementing a mesh, hub and spoke or hybrid topology, there are differing considerations. The network requires creating templated approaches to security that, where possible, can be pushed out to each site.
When clients come to Claranet to build and manage their SD-WAN network, we work with them to:
- Build with security as a focus from the outset, ensuring all device configuration follows best practice
- Evaluate their current network and its architecture to understand what is in place and why, then select the most appropriate topology and build a template-driven approach
- Seek to understand the needs of the customer and their specific (and often varied) security requirements
- Create a firewall ruleset and test its efficacy, supported by orchestration tools such as FortiManager, which is used to roll out the configuration and subsequent changes to each site
- Then migrate the customer to the new network, ensuring monitoring and reporting are in place for use by our in-life teams. Patching of devices remains a key element of the service, as does UTP
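Both the MPLS and SD-WAN approaches above come down to the same two checks: the firewall ruleset must be understood and documented, and the per-site template must be tested before it is rolled out. The following is an added example, not Claranet's own tooling, of a small vendor-neutral ruleset linter that automates those checks on a constructed baseline and site template. The rule fields (`src`, `dst`, `service`, `action`, `description`, `owner`), the sample zone names and the rule names are all assumptions made for illustration; it does not model any particular vendor's policy syntax.

```python
"""Hypothetical firewall-ruleset template checker (added example, not Claranet code).

Checks, for a baseline ruleset and a site-specific template derived from it:
  1. every accept rule carries a documented justification (description + owner)
  2. no accept rule permits any source to any destination on any service
  3. the ruleset ends with an explicit deny-all, and nothing is placed after it
  4. the site template starts with the baseline rules unchanged
All field names and sample values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

ANY = "any"  # wildcard for source, destination or service


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str            # "accept" or "deny"
    description: str = ""  # why the rule exists
    owner: str = ""        # who approved it


def is_catch_all(rule: Rule) -> bool:
    """True when the rule matches all sources, destinations and services."""
    return rule.src == ANY and rule.dst == ANY and rule.service == ANY


def lint_ruleset(rules: List[Rule]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the ruleset passes."""
    findings: List[str] = []
    for i, rule in enumerate(rules):
        if rule.action == "accept" and not (rule.description and rule.owner):
            findings.append(f"{rule.name}: accept rule lacks a description or owner")
        if rule.action == "accept" and is_catch_all(rule):
            findings.append(f"{rule.name}: permits any source to any destination on any service")
        if rule.action == "deny" and is_catch_all(rule) and i < len(rules) - 1:
            # rules after a deny-all can never match, so they are dead configuration
            findings.append(f"{rule.name}: deny-all shadows {len(rules) - i - 1} later rule(s)")
    if not rules or not (rules[-1].action == "deny" and is_catch_all(rules[-1])):
        findings.append("ruleset does not end with an explicit deny-all rule")
    return findings


def check_site_template(baseline: List[Rule], site: List[Rule]) -> List[str]:
    """A site template must keep the baseline rules unmodified, add its own rules
    after them, and finish with the baseline's deny-all."""
    findings: List[str] = []
    core, deny_all = baseline[:-1], baseline[-1]
    if site[:len(core)] != core:
        findings.append("site template does not start with the unmodified baseline rules")
    if not site or site[-1] != deny_all:
        findings.append("site template does not end with the baseline deny-all rule")
    return findings + lint_ruleset(site)


# Constructed sample data: a baseline pushed to every site, and two site templates.
BASELINE = [
    Rule("allow-mgmt", "10.0.0.0/24", "site-fw", "ssh", "accept",
         "Management access from the NOC range", "network-team"),
    Rule("allow-dns", "site-lan", "dns-servers", "dns", "accept",
         "Resolver access for all sites", "network-team"),
    Rule("deny-all", ANY, ANY, ANY, "deny", "Default deny", "network-team"),
]

SITE_GOOD = BASELINE[:-1] + [
    Rule("allow-erp", "site-lan", "erp-server", "https", "accept",
         "ERP access for this site", "app-team"),
    BASELINE[-1],
]

SITE_BAD = [
    Rule("allow-mgmt", ANY, "site-fw", "ssh", "accept",      # baseline rule widened to any source
         "Management access", "network-team"),
    BASELINE[1],
    Rule("temp-any", ANY, ANY, ANY, "accept"),              # undocumented any/any/any accept
    BASELINE[-1],
    Rule("allow-printers", "site-lan", "printers", "ipp", "accept",  # unreachable: after deny-all
         "Printing", "it-team"),
]

if __name__ == "__main__":
    for label, findings in (("baseline", lint_ruleset(BASELINE)),
                            ("site (good)", check_site_template(BASELINE, SITE_GOOD)),
                            ("site (bad)", check_site_template(BASELINE, SITE_BAD))):
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run as a script, the bad site template produces six findings: the widened management rule breaks the baseline, the template no longer ends with the deny-all, the temporary rule is both undocumented and an any/any/any permit, the deny-all shadows the printer rule, and the ruleset as a whole has no final deny. Wiring a check like this into the orchestration step means a template is rejected before it reaches a site rather than discovered during a penetration test.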
Theoretically, although the attack surface of an SD-WAN network is larger, the hub and spoke topology makes it easier to isolate a particular site if an attacker has gained a foothold there but not yet escalated their privileges.
Unified Threat Protection (UTP) is a key consideration with any network. It combines firewall, antivirus and intrusion detection into a single appliance that analyses network traffic, filters malicious content and protects against a range of threats.
A network is a network is a network. Right?
From the perspective of your SOC provider, whoever manages your network shouldn’t matter – a network is a network is a network. Assuming that your SOC has a complete picture of your IT estate and is able to ingest the right logs from the right sources, it should be able to detect the signals of a cyber-attack and contain it.
If this is true, what are the benefits of choosing the same provider to manage your IT network and secure it? Simply put: speed, simplicity and completeness. While some organisations fear the pitfalls of vendor lock-in, we aim to dispel these myths.
| Fears of vendor lock-in | Benefits of vendor consolidation |
|---|---|
| “What if they mark their own homework? If the same company are building and managing my network, how can I be sure that they are thorough when they secure it? Don’t they have a vested interest in telling me it’s secure even if it’s not?” | By working together with our networks team to get a clear understanding of how your network was built, architected and managed, our SOC team is better able to monitor and secure your network completely, with no gaps or blind spots. It gives us a head start on your business, your data and your threat landscape, and allows us to build a seamless service quickly. Our SOC teams work to strict SLAs for triaging and investigating alerts, no matter which network they come from. Trying to get two different MSPs to collaborate to offer the same level of service requires time, effort and resources. |
| “Is it a business continuity risk to have one vendor doing multiple things? If that vendor is compromised, then both my network and security providers are out of action.” | Choosing a managed service provider entails conducting thorough due diligence, including understanding their protocols for backup, disaster recovery and failover in the event your MSP is targeted in a cyber-attack or suffers some significant disruption to their business. A bigger supply chain means a larger attack surface and therefore a greater likelihood of operational impact from supply chain attacks. Just as you must factor risk management into your supply chain, Claranet also thoroughly evaluates the technologies we provide to our customers, putting backups and emergency protocols in place to ensure that supply chain risks are not passed on to you. |
| “Having multiple vendors means I can make them compete against one another to offer a better service.” | Because time is money, having multiple vendors costs you more to manage them, wiping out any savings made by driving the cost lower. The time cost involved in managing a complex vendor landscape can slow down response times and create gaps in coverage, which introduces potential security and compliance risks. Having one MSP means no one can pass the buck and blame your other provider’s failings. For everything that goes wrong (and right) you have one point of contact. |
| “Having one provider narrows my options for what is available. They will just try to sell me what they have, rather than the best solution on the market.” | An expert, multidisciplinary MSP can become your specialist IT consultant, providing solutions to problems long before they have occurred, and even assist in reporting your outcomes to your senior leaders. A strategic IT partner can offer seamless end-to-end managed services at scale, providing the ability to grow and change with your business in the long term. Day-to-day, you benefit from having unified SLAs across multiple technology areas. |
When it comes to detecting cyber-attacks, speed matters.
At Claranet, our network and cybersecurity teams collaborate closely for the benefit of our customers. We are a multidisciplinary MSP with expertise across cybersecurity, cloud, networks, workplace computing, digital applications, and data and AI.
For our customers, the practical benefits abound when it comes to delivering a complete and holistic managed IT service. But nowhere is this more evident than in the event of a cyber-attack. You don’t want your SOC waiting on responses and information from your network provider in the midst of a cyber-attack. Having all of the information at their disposal enables the SOC to take the right decision on your behalf and act fast to prevent an attack from spreading further. Consolidating network and endpoint security under a single provider makes it easier to detect threats early, quarantine them faster and maintain consistent policy enforcement.
There are many metaphors and analogies in cybersecurity, but they are all designed to explain one thing: it is difficult to secure, monitor and protect your entire IT estate from every attack at all times. But, as this article has shown, using a multi-specialist MSP for both your network and security needs gives you a much better chance than using multiple providers and hoping there are no blindspots.
To talk to our experts about how to build, manage, monitor and secure your IT network, get in touch with us today.