Regular SOP / checks during heightened attack periods

There's been a couple of weeks that we designate as critical periods that we need
extra vigilance in security SOP / checks.

What are the checks & SOP that normally people put in place for such vigilant
checks?

a) hourly (or twice daily) check of IPS logs ?

b) any way we can check for suspicious source IP that never access our websites
    & environment ?

c) I'm based in a country where we hardly heard that source IP are rarely known
    to be source of malicious activities, thus one suggestion came up that after
    office hours, we block all source IP from foreign countries from coming in.
    However, there are too many subnets/IP to key into the perimeter firewalls
    to do such blocking (& unblocking the next morning when office hours resume),
    so is there any subnets, hopefully less than 50 (in particular, I'm looking at USA,
    Russia & its former states like Ukraine, Lithuania etc, China & Europe countries
    such as Germany, France, UK, Spain) that we can key into our rules to block?
    Appreciate if anyone can provide such a list of subnets

d) I'm assuming that our monitoring/alerting systems (eg: Tivoli, BMC Patrol)
    may not be necessarily alert us of suspicious traffic other than what we have
    in place that traffic of abnormally (ie much higher than usual) high bandwidth
    will be detected & investigated.   I've seen Bash vulnerability that barely use
    any bandwidth with Intrusion systems registering only 2-3 attempts : is there
    any way to monitor & be alerted of such suspicious/malicious attempts
    other than constantly checking the IPS logs (which can run into hundred over
    thousand records in a day)

e) guess we have to be constantly updating AV & IPS signatures, possibly on
    daily basis : I'm inclined to incorporate those critical ones & those of medium
    & low severity ought to be tested over several days before just deploying
    them: have seen quite a number of IPS signatures triggerring service or
    application disruptions.  We may end up DDoS ourselves with these over-
    zealous measures

f) Guess need to ensure backups are successful

g) Any other ?
sunhuxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

FrankCrastCo-founder and CEOCommented:
Hello,

In addition to some of the steps you have outlined abive, you may also want to add vulnerability assessments using a risk-based approach. For instance, scan your most critical systems (e.g., web-facing servers, workstations/laptops, and database systems that host sensitive data) for higher severity vulnerabilities and mitigate them. Do this for both network vulnerabilities (via internal scans) and web scans (via external scans for application bugs).

Depending on the size of your company's environment and scanning tools you have available, you could start with those vulnerabilities that have known exploits, can be exploited via easy skillset (or automated tools) and can be done via remote access. I'd first close off those and make sure all internet facing systems are fully up to date and patched as well.

Another area to consider for SOPs is password management and privileged access. Double check and make sure passwords (especially those used for privileged access, cloud access and default/system accounts) have been changed to meet your SOPs.  Privileged passwords should be changed every 90 days and always after someone leaves the firm or changes roles.  Just a few more to add to your list. :-)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.