Network Providers (ISPs and Hosting Providers) often prioritize inbound threats but overlook outbound security and threats from their customers’ devices, which can cause problems later on.
Understanding the security risks within a network better, as well as learning the difference between inbound and outbound security and what data collection resources exist, is essential.
Let’s have a look at both of these terms:
- Inbound security refers to external or internal threats targeting your network and its users.
- Outbound security refers to threats that originate within your network that attack other networks, companies, and users.
You can manage your subscriber network’s inbound and outbound security in essentially four steps:
- Identify your data resources.
- Come up with a way of managing the data.
- Determine the threat sources.
- Address the threats your subscribers pose to your network interfaces, subscribers, and networks.
What is Inbound Security?
Inbound Security protects your infrastructure and users from threats inbound from the Internet (including your network and others).
What do Network Providers do for Inbound Security?
Network Providers and Enterprises use mitigation tools such as firewalls, IDSs, IAMs, blocklists, spam filters, and malware scanners to block these threats.
What is the state of your Inbound Cybersecurity?
Network Providers hosting over 95% of Internet traffic today are making headway on inbound security.
Yet more than 98% of compromised accounts and computers still sit within Network Providers, and 100% security is impossible for a provider because of the diversity of device types, software, and patch status within these networks, the cleverness of some threats, and the unknown nature of others.
Therefore, for a Network Provider, the best Inbound Cyber Security measures will include the following:
- An inventory of all mitigation tools and services.
- An inventory of the systems that face subscribers and the outside world, with a definition of the cybersecurity logs each produces.
- An inventory of the blocklists used in the organization (3rd party and internally produced), the most common being an email blocklist.
- Honeypots in your network that act as sensors for abnormal machine activity.
- The ability to:
  - Correlate all internal incident reports by subscriber.
  - Notify subscribers of repeat problems.
  - In near real-time, restrict subscriber access or flow rates based on the severity of the problem or repeat abuse patterns.
  - Blocklist the source and notify the originating network’s abuse team of repeated inbound attempts for attacks (incidents) like:
    - Login attacks
    - Port probes
    - DDoS attacks
- A long-term plan for addressing gaps in the plan above (see 7 reasons why you need AbuseHQ).
What is Outbound Security?
Outbound security protects the Internet from compromised systems, user accounts, or bad actors within your network.
What do Network Providers do for Outbound Security?
Network Providers use cyber security tools (often homegrown) that let them understand, track, and act upon (remediate) the following:
- Inbound abuse reports from other Networks, Security Providers, Intellectual Property Holders, Child Protection Services, Government and Police, and various other services.
- Inbound abuse that hits their own systems from their own network, handled in the same manner as the inbound abuse reports.
What is the state of your outbound cybersecurity?
It’s important to remember that your outbound traffic is always another machine or user’s inbound traffic.
While Network Providers host more than 95% of the traffic on the Internet today, most still need help with their outbound security response. This is because of the diversity of incident types, reporters, and report formats.
Many providers struggle and never regain control of their network, while the number of infected machines and abuse incidents keeps growing.
Stepping back, for a Network Provider, the best Outbound Cyber Security measures will include the following:
- An inventory of all abuse report addresses.
  - If you have acquired companies in the past, some of these addresses could be going to different places.
  - Having more than one abuse@ address for reporting different types of abuse only invites trouble, and it makes automation harder, since forwarding between multiple destinations reformats the original messages.
- The ability to:
  - Correlate all external incident reports, regardless of type, by subscriber.
  - Identify the incident type so that different rules can be applied to different kinds of issues.
  - Notify subscribers quickly: initially, again on repeat problems, and whenever more detail becomes available.
  - Automatically and in near real-time, restrict subscriber access or flow rates based on the severity of the problem or repeat abuse patterns.
- A long-term plan for addressing any gaps in the plan above.
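The two capability lists above (correlating internal sensor hits by subscriber in the inbound section, and correlating external abuse reports by subscriber and incident type here) describe the same core mechanism. The following is an added example, not code from AbuseHQ or from this article, of a minimal correlator that files both kinds of evidence into one case per subscriber and derives an escalation action from severity and repeat count. The subscriber IDs, address assignments, sample events, severity table, and thresholds are all constructed for illustration; a real abuse desk would take the IP-to-subscriber mapping from its provisioning system (including the time the address was assigned) and the policy from its own terms of service.

```python
"""Added example, not code from AbuseHQ or the article: a minimal
incident correlator that files internal sensor events (inbound view)
and external abuse reports (outbound view) into one case per subscriber
and derives an escalation action from severity and repeat count.
All subscriber data, events and thresholds below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed subscriber-to-prefix assignment table (hypothetical IDs,
# documentation address ranges). A real deployment would look this up
# against the provisioning system, with the assignment time window.
SUBSCRIBER_PREFIXES = {
    "sub-1001": ip_network("203.0.113.0/28"),
    "sub-1002": ip_network("203.0.113.16/28"),
    "sub-1003": ip_network("198.51.100.0/24"),
}

# Incident-type severity, 1 (low) to 3 (high). Illustrative policy only;
# unknown types fall back to 1 so an unexpected report is never dropped.
SEVERITY = {"port_probe": 1, "login_attack": 2, "spam": 2,
            "ddos": 3, "malware_c2": 3}


@dataclass
class Case:
    """All incidents attributed to one subscriber, whatever their source."""
    subscriber: str
    incidents: list = field(default_factory=list)

    @property
    def max_severity(self) -> int:
        return max(SEVERITY.get(i["type"], 1) for i in self.incidents)

    @property
    def count(self) -> int:
        return len(self.incidents)


def subscriber_for(ip: str):
    """Map a source IP to the subscriber holding that address, or None."""
    addr = ip_address(ip)
    for sub, net in SUBSCRIBER_PREFIXES.items():
        if addr in net:
            return sub
    return None


def correlate(events):
    """Group events by subscriber regardless of whether they came from an
    internal sensor or an external reporter. Events whose IP is not in
    the assignment table are returned separately: they must not be
    silently dropped, but they cannot be actioned against a subscriber."""
    cases, unattributed = {}, []
    for ev in events:
        sub = subscriber_for(ev["ip"])
        if sub is None:
            unattributed.append(ev)
            continue
        cases.setdefault(sub, Case(sub)).incidents.append(ev)
    return cases, unattributed


def decide_action(case: Case) -> str:
    """Escalation ladder (illustrative thresholds): a single high-severity
    incident or a long run of repeats suspends; repeated medium-severity
    incidents are rate-limited; repeats of anything get a repeat notice."""
    if case.max_severity >= 3 or case.count >= 5:
        return "suspend"
    if case.max_severity >= 2 and case.count >= 2:
        return "rate_limit"
    if case.count >= 2:
        return "notify_repeat"
    return "notify"


def actions_for(events):
    """Return {subscriber: action} for attributed events, plus the
    unattributed leftovers for manual review."""
    cases, unattributed = correlate(events)
    return {sub: decide_action(c) for sub, c in cases.items()}, unattributed


# Constructed sample feed: 'source' records whether the evidence came from
# the provider's own sensors (inbound view) or from another network's
# abuse desk (outbound view). Both land in the same subscriber case.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.5", "type": "port_probe", "source": "internal:honeypot"},
    {"ip": "203.0.113.5", "type": "login_attack", "source": "internal:auth-log"},
    {"ip": "203.0.113.5", "type": "spam", "source": "external:abuse-report"},
    {"ip": "203.0.113.20", "type": "port_probe", "source": "internal:honeypot"},
    {"ip": "198.51.100.77", "type": "ddos", "source": "external:abuse-report"},
    {"ip": "192.0.2.9", "type": "spam", "source": "external:abuse-report"},
]

if __name__ == "__main__":
    actions, leftovers = actions_for(SAMPLE_EVENTS)
    for sub, action in sorted(actions.items()):
        print(f"{sub}: {action}")
    print(f"unattributed: {[e['ip'] for e in leftovers]}")
```

Run stand-alone, the sample feed yields a rate limit for sub-1001 (three incidents across a honeypot hit, an auth-log hit, and an external spam report, none individually severe), a plain notification for sub-1002, and a suspension for sub-1003 on a single DDoS report; the report for 192.0.2.9 is kept aside rather than lost, which is the case a single abuse@ intake must handle when a report arrives for an address you no longer hold.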
Additionally, a well-managed Abuse Desk (or SOC or Cyber Security Operations) that handles the network’s abuse@ role address can help to minimize the damage caused by its users’ compromised hosts, fraud, spam, stolen user credentials, and other types of abuse.
Making Inbound and Outbound Security work together
It is often said that your “outbound” is someone else’s “inbound,” but we should add, “except if you are a network provider.”
In the case of the Network Provider, your outbound is often also your inbound, adding complexity to remediation efforts. If you think of your inbound and outbound cybersecurity (acting on incidents) efforts in two different buckets, you will always be behind the bad actors in your network.
Conversely, a Network Provider with a long-term plan of bringing together all internal and external incident reporting and managing all subscriber-facing remediation efforts from a single communications and provisioning platform has a far better chance of ridding their network of bad actors.
Fortunately, purpose-built AbuseHQ can make managing inbound and outbound cybersecurity a breeze. If you want to learn more about how to make cybersecurity, SOC, LegalDesk, and AbuseDesk teams faster and simpler to manage, then reach out to us at [email protected].