In the wake of Russian troops entering Ukraine, the UK National Cyber Security Centre (NCSC) is urging UK organisations to follow its advice and bolster their cyber security defences.
The advice, entitled “Actions to take when the cyber threat is heightened”, was originally published in January 2022 and includes a list of recommended actions, including:
- Check systems patching
- Verify access controls
- Ensure defences are working
- Review logging and monitoring
- Test backup and DR processes
As a provider of secure networking technologies, in particular Cato Networks’ SASE solution, we wanted to share some best-practice advice that current Cato customers could follow to enhance their security stance:
Lock down your admin access
MFA should be in place for all admin users. Use the built-in events discovery (effectively a SIEM running within Cato) to filter admins who haven’t logged in recently and disable them. Admins that don’t make changes (such as auditors) can be downgraded to view-only accounts.
This is also a good opportunity to review API keys and revoke any that are no longer required.
Review SDP user account usage
Any stale accounts can be disabled or deleted. Ensure that directory synchronisation and SCIM groups are appropriately configured, and filter all manually created SDP users for unexpected third-party users. Also check any user-specific configuration settings that override global policies, and make sure they do not expose the organisation to increased risk.
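The admin and SDP user reviews described in the two sections above can be scripted once the account lists are exported. The following is an added example, not Cato’s own tooling or API: it runs over constructed sample records, and the 90-day inactivity threshold, the organisation’s own mail domains and the record fields are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. In practice these records would be exported from
# the Cato admin and SDP user pages; no Cato API call is assumed here.
NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)
ORG_DOMAINS = {"example.com"}          # assumption: the organisation's own mail domains
INACTIVE_AFTER = timedelta(days=90)    # assumption: inactivity threshold for admins

ADMINS = [
    {"name": "alice", "role": "editor", "last_login": NOW - timedelta(days=3),   "changes": 12},
    {"name": "bob",   "role": "editor", "last_login": NOW - timedelta(days=200), "changes": 0},
    {"name": "carol", "role": "editor", "last_login": NOW - timedelta(days=10),  "changes": 0},
]
SDP_USERS = [
    {"email": "dave@example.com",         "source": "scim"},    # provisioned by SCIM
    {"email": "eve@example.com",          "source": "manual"},  # manual, internal domain
    {"email": "frank@contractor.example", "source": "manual"},  # manual, external domain
]

def review_admins(admins, now=NOW, inactive_after=INACTIVE_AFTER):
    """Return (disable, downgrade): admins with no recent login, and active
    admins who never make changes and can therefore become view-only."""
    disable, downgrade = [], []
    for a in admins:
        if now - a["last_login"] > inactive_after:
            disable.append(a["name"])
        elif a["role"] != "viewer" and a["changes"] == 0:
            downgrade.append(a["name"])
    return disable, downgrade

def review_sdp_users(users, org_domains=ORG_DOMAINS):
    """Return manually created SDP users whose mail domain is not one of the
    organisation's domains; each needs a documented justification or removal."""
    flagged = []
    for u in users:
        domain = u["email"].rsplit("@", 1)[-1].lower()
        if u["source"] == "manual" and domain not in org_domains:
            flagged.append(u["email"])
    return flagged

if __name__ == "__main__":
    disable, downgrade = review_admins(ADMINS)
    print("admins to disable:", disable)        # ['bob']
    print("admins to downgrade:", downgrade)    # ['carol']
    print("third-party SDP users:", review_sdp_users(SDP_USERS))  # ['frank@contractor.example']
```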
Tighten access controls
Cato provides a wide range of access control features including Device Authentication, Device Posture, MFA, SSO, operating system blocking and Always-On connectivity policy. Make sure you implement as many of these essential features as possible and minimise user-based exceptions to global policies.
Implement strong firewalling
Cato’s next-generation WAN and Internet Firewalls are both identity and application aware. They enable nuanced control over all network traffic across the WAN and to the Internet, from all sites and mobile users. Both firewalls should be enabled with a final “block all” rule.
Start logging everything
One of the main benefits of cloud-based security solutions is their built-in agility, allowing real-time scaling of utilities such as logging. Cato customers can enable flow-level logging for all traffic across their environment, then use the built-in SIEM and analytics dashboards to perform forensic analysis on real-time and historic data.
Enable TLS inspection
Another feature made possible by the cloud is ubiquitous TLS inspection - regardless of source, location or destination. Cato SASE automatically detects TLS traffic on non-standard ports and can be controlled by fine-grained policies to avoid disrupting traffic to known good destinations and to comply with local regulations regarding sensitive traffic decryption.
Enable enhanced threat protection
The exploitation of supply chain vulnerabilities has been on the rise in recent years, with ransomware gangs targeting weak links to gain access to high-value targets. Cato’s IPS and next-gen anti-malware are specifically designed to complement the base-level firewalls and Secure Web Gateway by inspecting the traffic that is allowed through for suspicious and malicious content.
Ensure 24x7 detection and response
Threats don’t just occur Monday to Friday between the hours of 9am and 5pm. If you don’t currently have a 24x7 incident response capability in place, consider your options. If you don’t have the resources internally, consult a Managed Detection and Response service provider to ensure you are covered.
Whilst these practices apply specifically to SASE users, they are just as relevant to all businesses. The original NCSC advice also covers broader topics such as security patches and backup / disaster recovery processes. However, if you’d like to talk to us about hardening your network security, call us now on 020 7749 0800 or email firstname.lastname@example.org