3 Stages of Data Center Security: From Threat to Remediation

Written by Joe Kozlowicz on Wednesday, January 8th 2014 — Categories: Cloud Hosting, Colocation, Networking and Fiber, Security, VMware

Security. When it comes down to it, security is the main reason many executives are wary of cloud hosting. It’s a good reason, too. It takes a bit of faith to put critical business data into external infrastructure. Managed cloud security services offer peace of mind: dedicated network operations center (NOC) staff keep watch 24 hours a day for incoming threats, both taking precautions and responding to attacks as soon as they are detected. The three stages of managed security services are:

1) Prevention – antivirus and firewall
The best way to stop a digital attack is to prevent one, and the best way to do that is through a combination of antivirus tools, firewalls, and other prevention systems. Antivirus tools actively scan server storage disks and running processes to discover and isolate malware (software designed to collect and steal information or damage file systems), matching what they find against a database of known malware signatures. Firewalls are a software layer, generally running on a dedicated network machine, that examines the packets entering and leaving the network and decides which should be forwarded to their destination. Secure login procedures and certificate-based authentication such as Secure Sockets Layer (SSL) let mobile users into otherwise closed networks.

Intrusion detection and prevention systems are also used to discover and potentially halt network break-ins. By monitoring user and system activity, checking file integrity, and scanning for recognizable attack patterns and user policy violations, an IDS can recognize suspicious activity and alert IT staff. An IPS goes one step further and takes immediate action based on rules the administrator has established in advance, such as dropping network packets or blocking traffic from a suspicious IP address or port.

2) Active monitoring
Network operations center (NOC) staff keep an eye on reports generated by the tools above as well as visibility reports built into virtualization software and network management tools. This is security monitoring. Log management software collects log events from across the network (which IP addresses are accessing which servers and when, which files are being added or deleted, the resources currently in use on each server and by each virtual machine, and so on). By keeping watch on these records, the NOC can spot attacks as they happen. Web application scanning and security information and event management (SIEM) strategies also come in at this level. SIEM systems collect logs and documentation from user devices, networks, servers, and even software such as firewalls and antivirus, and combine them in a single location. A profile of the “normal” system is necessary before the SIEM can determine what counts as an anomaly.
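As an added example (not code from the original post), here is the baseline-versus-anomaly idea in Python: events from two different log sources are normalized into one common shape, a profile of “normal” per user is built from a baseline period, and later events that deviate from it are flagged. The two log formats, the user names and the IP addresses are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Two log formats from separate sources, collected in one place as a SIEM would (constructed).
SSH_RE = re.compile(r"^(?P<ts>\S+) sshd: Accepted publickey for (?P<user>\w+) from (?P<ip>[\d.]+)")
VPN_RE = re.compile(r"^(?P<ts>\S+) vpn: session-start user=(?P<user>\w+) src=(?P<ip>[\d.]+)")

def normalize(line):
    """Map a raw line from either source onto one common event shape, or None if unparsed."""
    for source, rx in (("sshd", SSH_RE), ("vpn", VPN_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            return {"source": source, "user": m["user"], "ip": m["ip"], "hour": ts.hour}
    return None  # a real SIEM would count unparsed lines rather than silently drop them

def build_profile(lines):
    """Profile of 'normal': per user, the source IPs and hours of day seen during the baseline."""
    profile = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in filter(None, map(normalize, lines)):
        profile[ev["user"]]["ips"].add(ev["ip"])
        profile[ev["user"]]["hours"].add(ev["hour"])
    return profile

def find_anomalies(profile, lines):
    """Return (reason, event) for each event that deviates from the baseline profile."""
    findings = []
    for ev in filter(None, map(normalize, lines)):
        known = profile.get(ev["user"])
        if known is None:
            findings.append(("user never seen in baseline", ev))
        elif ev["ip"] not in known["ips"]:
            findings.append(("login from IP not in user's baseline", ev))
        elif ev["hour"] not in known["hours"]:
            findings.append(("login outside user's usual hours", ev))
    return findings

# Constructed baseline (a quiet week) and a constructed day of new events to check against it.
BASELINE = [
    "2014-01-06T09:02:11 sshd: Accepted publickey for alice from 10.1.1.20",
    "2014-01-06T10:15:40 vpn: session-start user=alice src=10.1.1.20",
    "2014-01-07T09:30:05 sshd: Accepted publickey for bob from 10.1.1.31",
]
TODAY = [
    "2014-01-08T09:10:00 sshd: Accepted publickey for alice from 10.1.1.20",  # matches baseline
    "2014-01-08T03:41:22 sshd: Accepted publickey for alice from 10.1.1.20",  # unusual hour
    "2014-01-08T09:45:00 vpn: session-start user=bob src=203.0.113.77",      # IP not in profile
    "2014-01-08T11:00:00 vpn: session-start user=mallory src=203.0.113.9",   # unknown user
]
```

Calling `find_anomalies(build_profile(BASELINE), TODAY)` flags the last three events and passes the first, which is exactly why the profile must be built before anomalies can be judged.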

3) Response and remediation
Once evidence of a digital attack or hacking attempt is discovered, careful steps must be taken. No electronic tools should be used for communication about the hack, as hackers tend to keep an eye on their target networks to see if they’ve been discovered and need to cover their tracks by deleting logs and masking their traffic. The hack should be reported to web hosting partners, technical staff, and the police/feds (the Computer Emergency Response Team is dedicated to hacking incidents). Log information can be used to figure out how access was gained, and these security holes should be plugged. Passwords need to be reset; two-factor authentication should be considered if it is not already in use (via an additional device that delivers a randomized, time-sensitive password); and staff need to be questioned (many incidents are inside jobs). IP addresses may need to change. Once control is regained, backups can be used to restore any damaged information.

New viruses and malware are developed every day, meaning constant vigilance and up-to-date virus definitions are vital. Attacks by individuals or botnets are generally designed to steal information or disrupt service rather than break down systems, and often cannot be detected or avoided until it is too late. Even the most prepared security expert will tell you that a distributed denial of service (DDoS) attack often must simply be endured. The best tools besides network monitoring and firewalls are employee training and encryption, which help guarantee secure access by authorized users only.
