2025.1

In order to preserve the integrity of data that Niche Studio stores, processes, or transmits for Customers, Niche Studio implements strong intrusion detection tools and policies to proactively track and retroactively investigate unauthorized access. This includes threat detection and prevention at both the network and host level, as well as threat intelligence monitoring.

Policy Statements

Niche Studio policy requires that:

(a) All critical systems, assets and environments must implement real-time threat detection or prevention.

(b) Network-level threat detection and prevention must be implemented using:

  • Cloudflare WAF rulesets for web application protection
  • Ansible-managed host firewalls on all servers
  • Tailscale network segmentation and access controls
  • Network intrusion detection through Wazuh agents

(c) Host-level threat detection and prevention must include:

  • Wazuh agents on all servers for security monitoring
  • File integrity monitoring and log analysis
  • Malware detection and prevention
  • System hardening through Ansible configuration management

(d) Threat intelligence monitoring must utilize:

  • Australian Cyber Security Centre (ACSC) threat intelligence feeds
  • AusCERT security advisories and threat reports
  • Cloudflare security events and threat intelligence
  • DigitalOcean and Binary Lane security notifications
  • Industry-specific threat intelligence relevant to client projects

(e) All threat detection systems must be configured to:

  • Generate alerts for suspicious activities
  • Maintain comprehensive audit logs
  • Support incident response procedures
  • Integrate with centralized monitoring systems

Controls and Procedures

System Malware Protection

  1. All end-user workstations and production systems must have anti-malware protection running. The default anti-malware solution used is Wazuh. The anti-malware solution will include protection against malicious mobile code.

    • A next-generation endpoint protection agent may be used as an equivalent solution.
    • Hosts are scanned continuously for malicious binaries in critical system paths. Additionally, where the agent supports it, a full scan of the system is scheduled every 2 hours and at reboot to ensure no malware is present.
    • The malware signature database is kept up to date; updates are pushed continuously.
    • Logs of virus scans and alerts are maintained according to the requirements outlined in System Auditing.
  2. Detected malware is evaluated and removed following the established incident response process.

  3. All systems are to be used only for Niche Studio business needs.
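
As an added illustration (not Niche Studio's actual configuration), the following Wazuh agent ossec.conf fragment expresses the scan schedule above: real-time file integrity monitoring on the critical binary paths, plus a scheduled FIM and rootcheck malware/trojan scan every 7200 seconds (2 hours) and at every agent start, which covers reboot. The element and attribute names are Wazuh's own; the directory list and the 7200-second interval are assumptions taken from the policy text, and the ignore patterns are the ones shipped in the default agent configuration.

```xml
<!-- Added example: Wazuh agent ossec.conf fragment, not Niche Studio's real configuration.
     Interval (7200 s) and monitored paths are assumptions derived from the policy text. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- Scheduled full FIM scan every 2 hours and once at agent start (i.e. after a reboot). -->
    <frequency>7200</frequency>
    <scan_on_start>yes</scan_on_start>
    <!-- Critical binary paths are watched continuously via inotify; any new, changed or
         deleted file raises an alert on the manager without waiting for the next scan. -->
    <directories check_all="yes" realtime="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <!-- Configuration and boot trees are covered by the scheduled scan only. -->
    <directories check_all="yes">/etc,/boot</directories>
    <alert_new_files>yes</alert_new_files>
    <!-- Frequently rewritten files that would otherwise generate noise. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>

  <rootcheck>
    <disabled>no</disabled>
    <!-- Known-malware file and trojaned-binary checks, using the signature lists that the
         manager distributes to agents through the shared (agent-group) folder. -->
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <!-- Same 2-hour cadence plus a scan at every agent start. -->
    <frequency>7200</frequency>
    <scan_on_start>yes</scan_on_start>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>
</ossec_config>
```

Two practical checks when adopting a fragment like this: the realtime attribute relies on inotify on Linux, so hosts with large watched trees may need fs.inotify.max_user_watches raised or the agent will silently fall back to scheduled scanning for the paths it cannot watch; and because the rootkit_files and rootkit_trojans lists are read from the agent's shared folder, the continuous signature updates required by the policy arrive only if the manager's agent-group configuration is the source of those files.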

Firewall Protection

Firewall protection is implemented at the following layers:

  • Network - including provider firewalls and security groups (DigitalOcean Firewalls, Binary Lane controls) as well as on-premises firewalls between the office networks and the Internet.

  • Host - local firewalls are enabled on user endpoints as well as on servers (compute and database instances in Binary Lane and DigitalOcean are additionally protected by provider security groups).

  • Application - a web application firewall (WAF) and content delivery network (CDN) are configured at the application layer to protect against common web application attacks such as cross-site scripting, injection and denial-of-service attacks.

Network Intrusion Detection

Intrusion Detection for On-Premise Internal Networks

  • Niche Studio leverages Wazuh for network security monitoring of its on-premises environments.
  • Wazuh collects and analyzes firewall, IDS/IPS and host logs covering applicable incoming and outgoing network traffic; its active response module automatically blocks the source addresses of detected attacks and suspicious network activity at the host firewall.
  • The Niche Studio IT manager is responsible for configuring the firewall and IDS/IPS rules and for reviewing the configuration at least quarterly.

Intrusion Detection in Hosted Environments

Niche Studio implements real-time threat detection in hosted environments by monitoring server logs and network traffic.

  • Cloudflare logs are forwarded to and monitored by Wazuh.
  • Network traffic logs are sent to and analyzed by Wazuh.

Additional monitoring is provided by our infrastructure service providers Binary Lane and DigitalOcean.

Host Intrusion Detection

Host-based intrusion detection is provided by one of the following:

  • On Windows and macOS systems: Wazuh agents for malware detection and behavior-based endpoint threat detection.

  • On Linux servers: Wazuh agents for activity monitoring, vulnerability scanning, and threat detection. This includes all virtual instances running in the cloud environment.

Web Application Protection

Niche Studio leverages Cloudflare services to protect web applications against common attacks such as SQL injection, cross-site scripting, and denial-of-service (DoS/DDoS) attacks. The services used include Cloudflare WAF, Rate Limiting, Bot Management, and DDoS protection.

Centralized Security Information and Event Management

Security events and alerts are aggregated to and correlated by one or both of the following solutions:

  • Wazuh
  • Internally developed security automation tooling

Threat Intelligence Monitoring

Intelligence Feeds

Additional intelligence feeds are received automatically through some of the third-party security solutions implemented on the networks and/or endpoints. The data gathered through these external intelligence feeds is used automatically by those solutions to analyze events and generate alerts.

Regulatory Requirements Updates

The Security and Privacy Officer actively monitors the regulatory compliance landscape for updates to regulations such as HIPAA, PCI and GDPR.