A key aspect of responding to security events is situational awareness: knowing what is happening in your environment and why. Standard data security tools like firewalls, proxies, email filters, anti-virus reports and SIEM alerts are all common sources of data for situational awareness. However, it’s also important to have visibility into business operations. Only with a holistic view of your entire organization can you have true situational awareness.
For example, as a software company, writing and deploying software is a significant and complex part of our business operations. Naturally, this work is supported by development, test and staging environments, which are used by our engineers to create and test product features. Security teams need to be aware of all non-production environments in their organizations. Open non-production environments (or environments that re-use credentials between production and non-production systems) can be a vulnerability that attackers can exploit.
Asking questions is the key to knowledge. Here are 13 questions I have used to help paint a full view of internal operations at Code42. They are divided into four separate categories based on major categories of concern for most organizations. I hope they will help you improve your situational awareness and overall data security.
- Where are your development environments?
- Do you have the appropriate level of logging in those environments?
- How is access handled and are there controls that prevent the reuse of credentials across environments?
- Are there forgotten dev environments that need to be cleaned up?
- Where is your code built?
- Where is your code stored?
- If somebody maliciously inserted code into your environment, would you be able to detect who, when and what?
- Where are your build/CICD servers?
- Do you know what your typical deploy schedule is?
- Are you involved in the change management process and other governance bodies so you know when major changes are occurring in your environment?
- What systems and environments are going away?
- Is there a plan to keep information such as logs from those environments after the environment itself goes away, in accordance with your data retention policies?
- Will any infrastructure be reused, and if so, has it been processed properly?
While these questions are specific to software development and deployment, the data security issues they raise are relevant to businesses of all types. No matter what business your organization is in, you should know where your important data can be found as well as what activities are normal and what is not normal. Ensuring that tools are in place to answer these questions is vital.
Here’s one tool I use to answer these questions in our environment: Code42 Forensic File Search. It provides the visibility I need into all activity in our organization. With it, we can quickly and accurately take stock of data movement, data security risks and countless other activities. It makes it easier and faster to know what is happening in our environment and why. It provides the situational awareness that is critical for any modern organization.
Until next time, happy threat hunting!
Code42 Forensic File Search