Cybersecurity agencies from the Five Eyes alliance—encompassing the UK, Australia, Canada, New Zealand, and the US—have jointly issued new guidance urging manufacturers of network edge devices to improve forensic visibility[1].
The guidance focuses on devices like firewalls, routers, virtual private network (VPN) gateways, internet-facing servers, operational technology (OT) systems, and Internet of Things (IoT) devices. These devices are the first line of defense in most organizational networks, and cyber attackers are increasingly targeting them. Their strategic position at the edge of networks makes them attractive targets, as they handle a significant portion of corporate traffic. This makes it easier for attackers to monitor, intercept, and exploit this data if left unsecured.
Many edge devices do not support endpoint detection and response (EDR) solutions, leaving a critical gap in network security. State-sponsored and financially motivated threat actors often exploit these gaps. These devices also frequently suffer from irregular firmware updates, weak authentication protocols, and insecure default configurations. This combination of factors creates an environment ripe for exploitation.
One of the most pressing issues is the limited logging capabilities of many edge devices. Security teams struggle to detect breaches or investigate malicious activities effectively without comprehensive logging. This lack of visibility can delay response times and let attackers cause more damage before being discovered.
The Five Eyes guidance strongly encourages device manufacturers to include robust logging and forensic features as standard. Building in these features by default supports network defenders in detecting suspicious activities more easily and conducting thorough investigations following any intrusion. This proactive stance shifts the responsibility back onto manufacturers to build security into the foundation of their products.
Recent threat activity and manufacturer accountability
The guidance references numerous attacks targeting devices from major manufacturers. In response, agencies like the Cybersecurity and Infrastructure Security Agency (CISA) have issued ‘Secure by Design’ alerts, urging vendors to address specific vulnerabilities and improve overall device security.
These alerts include calls to eliminate operating system (OS) command injection vulnerabilities and secure small office/home office (SOHO) routers against specific threats, such as those posed by the Volt Typhoon group. CISA has also emphasized eliminating default passwords in shipped software and devices, as these are common entry points for attackers.
The heightened risks associated with unsecured network edge devices mean organizations must safeguard their networks proactively. A cyber breach can result in devastating financial losses, operational disruptions, and reputational damage.
Proactively addressing the risks of edge computing
Businesses must select network devices that meet the recommended forensic visibility requirements. This approach will enhance their ability to detect and respond to cyber threats and ensure compliance with evolving regulatory standards. Staying ahead of these regulations can prevent potential legal complications as cybersecurity guidance increasingly shapes legal frameworks.
Robust event logging is a key aspect of forensic visibility, letting security teams capture critical telemetry data, including authentication attempts, configuration changes, and anomalous traffic patterns. Organizations need sufficient logging to detect breaches, analyze attack timelines, and implement effective threat mitigation strategies. Security information and event management (SIEM) systems and extended detection and response (XDR) platforms rely on high-quality log data to correlate security events and generate actionable alerts. Companies should consider investing in cybersecurity infrastructure that supports comprehensive monitoring and incident response capabilities, particularly at the network edge.
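To make the point about telemetry concrete, here is an added example (not code from the guidance, CISA or Snare) showing the kind of correlation a SIEM or XDR platform performs over edge-device logs. The syslog lines are constructed for the example, the message formats, rule names and thresholds are assumptions rather than any vendor's actual output, and the two rules (a burst of failed authentications followed by a success, and a configuration change shortly after such a login) are only possible if the device actually emits authentication and configuration-change events in the first place.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in a generic "timestamp host process: message"
# shape. These are not the output of any real vendor's device; the message
# wording is an assumption made for this example.
SAMPLE_LOGS = """\
Feb 04 09:12:01 fw-edge-01 sshd: Failed password for admin from 203.0.113.7 port 51422
Feb 04 09:12:03 fw-edge-01 sshd: Failed password for admin from 203.0.113.7 port 51423
Feb 04 09:12:04 fw-edge-01 sshd: Failed password for admin from 203.0.113.7 port 51424
Feb 04 09:12:06 fw-edge-01 sshd: Failed password for admin from 203.0.113.7 port 51425
Feb 04 09:12:08 fw-edge-01 sshd: Failed password for admin from 203.0.113.7 port 51426
Feb 04 09:12:10 fw-edge-01 sshd: Accepted password for admin from 203.0.113.7 port 51427
Feb 04 09:13:30 fw-edge-01 config: User admin committed configuration change: set nat rule 12
Feb 04 10:40:00 vpn-gw-02 sshd: Failed password for ops from 198.51.100.9 port 40001
Feb 04 11:02:15 vpn-gw-02 sshd: Accepted password for ops from 198.51.100.9 port 40002
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
CONFIG_RE = re.compile(r"^User (?P<user>\S+) committed configuration change: (?P<detail>.*)$")


def parse_line(line, year=2025):
    """Split one syslog line into timestamp, host, process and message.
    Syslog omits the year, so a year is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def correlate(log_text, fail_threshold=5, fail_window=timedelta(minutes=2),
              config_window=timedelta(minutes=5)):
    """Run two simple correlation rules over the log stream and return alerts.

    Rule 1: at least `fail_threshold` failed logins for the same host/user/source
            inside `fail_window`, then a successful login from that same source.
    Rule 2: a configuration change by that user on that host within
            `config_window` of a rule-1 hit.
    Thresholds and windows are example values, not recommendations."""
    alerts = []
    failures = defaultdict(list)   # (host, user, src) -> recent failure timestamps
    suspicious_logins = []         # (host, user, ts) of rule-1 hits

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue

        am = AUTH_RE.match(ev["msg"])
        if am:
            key = (ev["host"], am["user"], am["src"])
            # Keep only failures that still fall inside the sliding window.
            recent = [t for t in failures[key] if ev["ts"] - t <= fail_window]
            if am["result"] == "Failed":
                recent.append(ev["ts"])
            elif len(recent) >= fail_threshold:
                alerts.append({"rule": "brute_force_then_success", "host": ev["host"],
                               "user": am["user"], "src": am["src"], "ts": ev["ts"],
                               "failures": len(recent)})
                suspicious_logins.append((ev["host"], am["user"], ev["ts"]))
            failures[key] = recent
            continue

        cm = CONFIG_RE.match(ev["msg"])
        if cm:
            for host, user, login_ts in suspicious_logins:
                if (host == ev["host"] and user == cm["user"]
                        and timedelta(0) <= ev["ts"] - login_ts <= config_window):
                    alerts.append({"rule": "config_change_after_suspicious_login",
                                   "host": ev["host"], "user": cm["user"],
                                   "detail": cm["detail"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the constructed input the first rule fires once for fw-edge-01 (five failures, then a success from the same source) and the second rule fires for the NAT rule change that follows within the window; the single failure on vpn-gw-02 followed by a success twenty minutes later stays silent. Neither alert is possible if the device only logs traffic counters, which is exactly the visibility gap the guidance asks manufacturers to close.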
With robust logging and real-time monitoring, Snare helps security teams stay ahead of cyber threats. Snare Central can collect syslog from almost any syslog source, even one it has not seen before, which makes it ideal for collecting forensic log data from your network devices and storing it safely away from the systems that generate it, ready for analysis when needed. Explore how Snare can enhance your security posture today by getting in touch with our team or booking a demo.
For more details on these cyber threats, refer to the original CISA guidance and the NCSC-UK’s guidance on digital forensics and protective monitoring.