Realtime Security Monitoring
This is one of the CIS safeguards in the Cybersecurity Essentials for Business Owners booklet that we have made available for you to view for free and/or download for your own reference. A classic example of why this is important is something we just experienced. Our ITSM platform monitors our Client Security agents, and one of the many things it monitors is the last time the antivirus definition database was updated. If it has been longer than 7 days, an alert is triggered and a trouble ticket is generated automatically.
The ticket remains open until we investigate the issue, or closes automatically if the issue resolves itself. We began getting a growing number of these tickets that did not self-resolve. We tried to trigger a manual push of updates to the endpoints in question, but that failed too. So we remoted interactively into one of the endpoints that would not update and tried to invoke the update locally. That also failed, with an error.
That is when we looked at live packet traffic on the WatchGuard firewall at this customer location to see whether anything would indicate why this was happening, before reaching out to our software vendor to report a problem with updates. Sure enough, we found two public IP addresses belonging to the antivirus update service that the WatchGuard firewall was falsely identifying as outbound malicious traffic and routinely blocking. After adding these two IP addresses to our exceptions list, updates began functioning correctly again, and we began updating all of our client firewalls with these additional exceptions.
Instead of opening a ticket to tell our software vendor that something was wrong with their update system, we opened a ticket to ask them whether there was an update to their firewall rules that we had not gotten the memo on. Before adding a firewall exception for an address seen only in blocked traffic, confirm it against the vendor's published list of update servers; the same symptom would appear if an agent had been pointed at a host that is not the vendor's.
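The two checks described above, the stale-definition alert from the ITSM rule and the correlation of stale endpoints against firewall deny events, can be reproduced as a small script. This is an added example, not code from the original post or from the ITSM, Client Security or WatchGuard products it mentions; the key=value log format, hostnames, addresses and timestamps are constructed for illustration and are not WatchGuard's native log format or real customer data.

```python
"""Stale-definition alerting correlated with firewall deny logs.

Added example, not code from the original post. The log format and the
hostnames, IPs and timestamps below are constructed for illustration;
they are not WatchGuard's native log format or any real endpoint data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

STALE_AFTER = timedelta(days=7)   # same threshold as the post's ITSM rule

# Constructed sample data: the "now" of the check, each endpoint's last
# signature-database update, and each endpoint's LAN address.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
AV_STATUS = {
    "ws-01": "2024-03-14T08:00:00Z",
    "ws-02": "2024-03-01T09:30:00Z",   # 14 days old -> alert
    "ws-03": "2024-03-02T11:15:00Z",   # 13 days old -> alert
    "ws-04": "2024-03-13T22:45:00Z",
}
HOST_IPS = {"ws-01": "10.0.0.11", "ws-02": "10.0.0.12",
            "ws-03": "10.0.0.13", "ws-04": "10.0.0.14"}

# Constructed firewall log in a generic key=value style (not WatchGuard syntax).
FIREWALL_LOG = """\
2024-03-15T10:01:02Z action=deny src=10.0.0.12 dst=203.0.113.10 dport=443 proto=tcp reason=outbound-malicious
2024-03-15T10:01:05Z action=deny src=10.0.0.12 dst=203.0.113.11 dport=443 proto=tcp reason=outbound-malicious
2024-03-15T10:03:40Z action=deny src=10.0.0.13 dst=203.0.113.10 dport=443 proto=tcp reason=outbound-malicious
2024-03-15T10:03:41Z action=deny src=10.0.0.13 dst=203.0.113.11 dport=443 proto=tcp reason=outbound-malicious
2024-03-15T10:04:00Z action=allow src=10.0.0.11 dst=203.0.113.10 dport=443 proto=tcp
2024-03-15T10:05:12Z action=deny src=10.0.0.11 dst=198.51.100.7 dport=25 proto=tcp reason=outbound-policy
2024-03-15T10:07:30Z action=deny src=10.0.0.12 dst=203.0.113.10 dport=443 proto=tcp reason=outbound-malicious
2024-03-15T10:09:15Z action=deny src=10.0.0.13 dst=198.51.100.9 dport=80 proto=tcp reason=outbound-policy
"""


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_definitions(av_status, now=NOW, max_age=STALE_AFTER):
    """Return {host: age_in_days} for endpoints whose definitions are older than max_age."""
    stale = {}
    for host, last in av_status.items():
        age = now - parse_ts(last)
        if age > max_age:
            stale[host] = age.days
    return stale


LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_firewall_log(text):
    """Turn each 'timestamp key=value ...' line into a dict; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = dict(re.findall(r"(\w+)=(\S+)", m.group("kv")))
        ev["ts"] = m.group("ts")
        events.append(ev)
    return events


def blocked_destinations(events, host_ips, hosts):
    """Map each denied destination to the set of hosts (restricted to `hosts`) it was denied for."""
    ip_to_host = {ip: h for h, ip in host_ips.items() if h in hosts}
    hits = defaultdict(set)
    for ev in events:
        if ev.get("action") != "deny":
            continue
        host = ip_to_host.get(ev.get("src"))
        if host:
            hits[ev["dst"]].add(host)
    return hits


def suspect_update_servers(hits, min_hosts=2):
    """Destinations denied for at least min_hosts stale endpoints, most widely shared first.

    A destination that every stale endpoint is being blocked from is the
    likely update server; a one-off deny from a single host is just noise.
    """
    return sorted((d for d, hs in hits.items() if len(hs) >= min_hosts),
                  key=lambda d: (-len(hits[d]), d))


def run_check(av_status=AV_STATUS, log_text=FIREWALL_LOG, host_ips=HOST_IPS, now=NOW):
    """Run both checks and return (stale endpoints, candidate blocked update servers)."""
    stale = stale_definitions(av_status, now)
    hits = blocked_destinations(parse_firewall_log(log_text), host_ips, set(stale))
    return stale, suspect_update_servers(hits)


if __name__ == "__main__":
    stale, suspects = run_check()
    for host, days in sorted(stale.items()):
        print(f"ALERT {host}: definitions {days} days old (threshold {STALE_AFTER.days} days)")
    for dst in suspects:
        print(f"CHECK {dst}: denied outbound for multiple stale endpoints; verify against vendor list")
```

Here the script flags ws-02 and ws-03 as stale and reports 203.0.113.10 and 203.0.113.11 as the destinations those two hosts are both being denied access to, while the single policy deny to 198.51.100.9 is ignored. The candidate list is a starting point for the vendor ticket and the exception review, not an allow list on its own.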
There are many layers to your devices, your LAN, your firewall and the rest of the internet. You should have a system in place that monitors all of them in real time and quickly identifies an issue such as virus definition updates suddenly stopping because the software vendor changed something on their end.
Fortunately, antivirus definitions are the least impactful layer of our endpoint security, because our Client Security includes auto-containment at the OS kernel API layer that virtualizes any unknown process, keeping ransomware and other unknown processes away from the real system even while definitions are stale. When in doubt (when it cannot get a verdict from the cloud), our Client Security automatically treats the process as unknown and contains it. However, to be PCI DSS compliant, as well as compliant with several other IT regulations and security policies, you need this level of monitoring and management in place. We can help with that with our SOC 2 compliant SIEM platform and our Endpoint Management and Client Security.