Introducing the Watchtower Cyber Security Stack
What is Watchtower?
Watchtower is the cyber security stack designed and developed in-house by White Knight IT.
It is a combination of open-source and commercial software combined with an optional Unified Threat Management (UTM) device, all configured to work in harmony with our Cyber Security Operations Centre.
Ultimately it allows us to monitor the security of your IT assets in realtime, detecting security threats, and responding accordingly to those threats as they occur.
The Watchtower Stack
Here is the final v1.0 specification of our security stack, this will form the basis of security for all our customers going forward. You may use this to compare our security offerings with other IT service providers.
It should be noted however, we’re adding functionality to Watchtower on an ongoing basis, so these specs may be improved upon by the time you are reading this.
Password & 2FA Manager
We supply a password manager to assist our customers with generating and storing unique complex passwords.
Our password manager also manages two factor authentication (2FA) codes, and the encrypted seed data is backed up by us so you don’t have to worry in the event you lose your 2FA code generating device.
Security Information & Event Management (SIEM) System + Log Collector
The SIEM + Log Collector is the backbone of Watchtower. It is a cluster of servers that receive device security logs, anti-virus alerts, firewall logs, Suricata (IPS) alerts and any other security related information. The information is processed near real time and checked for patterns matching known suspicious activity.
If suspicious activity is detected, alerts are generated and sent to the CSOC, where staff analyse the alerts and investigate any security events, shutting down attacks in progress, and investigating the scope of the damage to determine if the attacker had any level of success.
Cyber Security Operations Centre (CSOC)
The CSOC is a centralised alerting and dashboarding platform.
The dashboard provides staff with an at glance overview of the security status of all devices in our care. It shows key information such as devices that have their anti-virus/firewall disabled, log in attempts using invalid credentials, firewall rules being created, administrator accounts being created and other events that we might need to look into from a security perspective.
The alerting system uses risk profiles to determine suspicious activity that requires immediate intervention, and it alerts CSOC staff using at least two communication channels. Our CSOC currently sends alerts to staff via both emails sent to a security inbox, and messages sent to a dedicated Microsoft Teams channel. CSOC staff can then refer to the dashboard for more information and determine a course of action from there.
The CSOC generates alerts for suspected serious security incidents 24/7.
Anti-virus & Firewall
We supply our customers with anti-virus & firewall software configured to alert our CSOC should any threats be detected.
Email Anti-spam & Security
We manage our customers’ Office 365/Exchange Online anti-spam and malware policies to detect for threats coming inbound by email.
We also offer an advanced anti-spam/email security service product that goes beyond Microsoft’s base implementation.
Unified Threat Management (UTM) Device
A UTM device is considered the Swiss Army knife of network security. It features a number of security measures designed to stop intruders breaking into your business network, and it sends logs and alerts to the SIEM when it detects suspicious activity.
We’ve built a UTM device that contains the following functionality:
- Firewall
- Suricata Intrusion Prevention System (IPS)
- Location based IP address filtering
- Squid non-transparent HTTP proxy with auto-configuration, URL filtering & URL logging
- Site to site VPN for securely joining multiple locations into one network
- Private & Secure DNS server using DNS over TLS to encrypt outgoing DNS queries
- DNS blacklisting of known malicious web addresses
The UTM device is an optional extra that we sell configured with integration into Watchtower.
Endpoint Detection & Response (EDR) Agent + Log Shipper
The EDR agent + log shipper links your business devices into Watchtower.
The EDR agent monitors your device collecting metrics, logs, and running commands periodically to check that the endpoint is healthy.
If the EDR agent detects something that is not right, it generates logs which the log shipper sends instantly to the SIEM for analysis and alerting of CSOC staff.
Private & Secure DNS filtering
Our DNS servers block malware and phishing websites using blocklists from projects such as OpenPhish and PhishFindR. Blocklists are automatically updated daily, and mission critical business websites are whitelisted to ensure they are never blocked.
We use DNSSEC to ensure DNS queries are legitimate and tamper-proof, and DNS over TLS (DoT) to encrypt DNS queries for your privacy.
Business Identity Spoofing Prevention & Detection
We utilise DKIM, SPF and DMARC on your email system in an attempt to thwart attackers from committing identity fraud with your business email.
We’ve setup our own DMARC report collector to ingest DMARC reports and alert the CSOC to any attempts seen by an attacker attempting to spoof your business email identity. This allows us to inform you if we see email spoofing occur, and allows you to be proactive and warn your clients to beware of fake invoices that an attacker may potentially send.
It can also assist with tracking errors that cause your email to go into recipients’ junk folder.
IT Security Advice
We believe that developing a strong IT security culture is a necessity for all businesses, and its development should never be restricted by cost.
We offer a free IT security advice service for our managed IT services customers.
If you or your staff receive emails, phone calls or anything that you think might be suspicious, we will investigate and provide a determination on the likely legitimacy, at no cost.
We will work with your staff to increase their IT security awareness, developing and promoting a good IT security culture within your business.
Be protected by our Watchtower
If you would like your business secured and integrated into the Watchtower cyber security stack, contact us to schedule a time to meet with you and discuss your business requirements.
About
White Knight IT is an IT Security, IT Support (inc. Help Desk), Business Communications, Digital Forensics/eDiscovery and Managed IT Services Provider located in Canberra ACT 2601, Australia.