Enterprise (or Corporate) Security Framework
Enterprise Security (or Corporate Security) is responsible for all the risk in your business assets and enterprise IT, including your endpoints, networks, offices, SaaS applications, and third party vendors. There may be some overlap in responsibilities between your enterprise security team and your product security and security operations teams, so collaboration and alignment is critical, but I’ll try to draw clear lines where the responsibilities lie. Note: This is just one standard strategy. Your organization, team, vertical, environment, and adversaries may require a different strategy.
Team Organization
Your enterprise security team needs to work closely with many different teams within your organization to be successful. Developing good relationships, alignment, and authority with these teams will be critical. Some examples are:
- IT for endpoint provisioning, SaaS/vendor provisioning, access control, identity, SSO, and more.
- HR for employee/contractor onboarding and offboarding and more.
- Office Administration for physical security.
Endpoint Security
Starting with asset management, your enterprise security team is responsible for the integrity of company-owned devices. Your team must have a complete inventory of those devices, an MDM solution to ensure that devices meet security standards, and an EDR solution for preventing and detecting malware. You may also have additional monitoring, forensics, and threat hunting tools that need to be deployable remotely.
Be sure to carefully and accurately delineate what types of devices are monitored and managed by which software. For instance, your production servers may not require MDM because they are managed by a cloud provider, but may still require EDR, and your mobile devices may require different MDM/EDR software.
It’s critical to build a robust auditing program for your company-owned devices and endpoints. If a device is shipped to an employee without being put into asset management, without being enrolled in MDM or EDR, or without having FDE or Secure Boot turned on, ensure you will be able to detect that gap and monitor and enforce the required state remotely.
Note: This is just a standard endpoint security strategy. For specialized environments, complex environments, or sophisticated adversaries, you may not need EDR or you may need to replace/augment EDR with other solutions such as binary allowlisting, code signing, virtual desktop infrastructure, disposable devices, specialized hardware, hardened/custom operating systems, custom telemetry collection, custom detection engineering, and/or more.
Identity and Access Management
Everyone in your organization should have a company-managed identity. That’s a set of credentials that authenticates them as an employee to your systems via an identity provider. Remember to enforce phishing-resistant MFA.
Your organization may have many systems where different users get different levels of access, but at the identity provider level, you should have clear delineation of roles and access for different employee types, such as organizational units, administrators, temporary employees, contractors, and more. At this level, you may also want to decide what types of devices different employee types get (with a documented and tracked exceptions policy).
Your identity provider should provide robust, detailed access logs that you can feed to your security operations team to detect and respond to any suspicious or malicious access and to support robust threat hunting and investigations.
ZeroTrust/BeyondCorp
Now that you have company-owned endpoints and company identities, you may need technical controls to enforce policies such as only company-owned devices and active employees have access to certain systems. This is commonly referred to as ZeroTrust, BeyondCorp, or context-aware authentication.
You may want to enforce authentication and authorization conditions such as only allow access from company-owned devices, only allow access from a single device at a time, prevent impossible travel logins, prevent logins from certain countries or physical locations, prevent logins from devices that aren’t updated or enrolled in MDM/EDR, prevent logins from devices recently involved in a security investigation, and more.
You may also want to collaborate closely with security operations here to ensure that any denied logins are investigated as security alerts.
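As an added example (not code from the original article), here is one way to express the conditions above as a single policy check at the identity provider, with every denial returned as a reason that security operations can alert on. The device records, active-user list, blocked country code, speed threshold and field names are all constructed assumptions, not any vendor's schema.

```python
# Added example, not from the article: a context-aware (ZeroTrust/BeyondCorp)
# login policy evaluated at the identity provider. Records, thresholds and
# field names are constructed assumptions, not any vendor's schema.
from collections import namedtuple
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

Device = namedtuple("Device", "company_owned mdm_enrolled edr_enrolled patched under_investigation")
Login = namedtuple("Login", "user device_id country lat lon at")

ACTIVE_USERS = {"alice"}      # fed from HR: identities that are still employed
BLOCKED_COUNTRIES = {"XX"}    # constructed placeholder country code
MAX_SPEED_KMH = 900.0         # faster than an airliner => impossible travel

def km_between(a, b):
    """Great-circle (haversine) distance in km between two login locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def evaluate(login, devices, last=None):
    """Return (allowed, reason). Each denial reason is an alert for SecOps."""
    if login.user not in ACTIVE_USERS:
        return False, "identity not active (offboarded?)"
    dev = devices.get(login.device_id)
    if dev is None or not dev.company_owned:
        return False, "not a company-owned device"
    if not (dev.mdm_enrolled and dev.edr_enrolled):
        return False, "device not enrolled in MDM/EDR"
    if not dev.patched:
        return False, "device not updated"
    if dev.under_investigation:
        return False, "device recently involved in a security investigation"
    if login.country in BLOCKED_COUNTRIES:
        return False, "login from blocked location"
    if last is not None and last.user == login.user:
        hours = (login.at - last.at).total_seconds() / 3600
        # Distance covered faster than any airliner (or at the same instant
        # from a different place) is impossible travel.
        if km_between(last, login) > MAX_SPEED_KMH * max(hours, 0.0):
            return False, "impossible travel"
    return True, "ok"

def sample_login(user, device_id, country, lat, lon, hour):
    """Constructed login event on a fixed sample day (for the demo)."""
    return Login(user, device_id, country, lat, lon, datetime(2024, 1, 1, hour))

# Constructed sample inventory: one healthy laptop and one unmanaged device.
DEVICES = {
    "lap-1": Device(True, True, True, True, False),
    "byod-1": Device(False, False, False, True, False),
}
```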
Communications Security
Any and all communications within your organization may be sensitive and may enable data leakage and social engineering (including email, phone, chat, files, etc.). Your enterprise security team is responsible for understanding and mitigating all potential risks from your enterprise communication systems. This may include phishing detection, training (don’t send phishing emails to your employees), access control, DLP, eDiscovery, and more.
Third Party Risk Management
Third party risk management may deserve an entire article. TPRM is usually a shared responsibility between security, compliance, legal, and finance. I recommend that the security responsibility lie with enterprise security, with product security and security operations being pulled in for specific vendors where their subject matter expertise is required.
Password Management
Install an enterprise-managed password manager on all your employee devices. Depending on your risk tolerance, you may want to require use of it or not. Tell your employees that it’s recommended to use unique and random passwords for each and every enterprise account, to prevent account takeover and password reuse attacks.
You can rely on your password manager to generate unique and random passwords for your employees. And you can use the enterprise reporting functions to monitor for weak passwords, breached passwords, reused passwords, and more.
Vulnerability Management
This is not to be confused with product security’s vulnerability discovery and management of vulnerabilities in first party products. Enterprise security is responsible for vulnerability scanning and management of vulnerabilities in all enterprise IT and vendor systems, including on-premise infrastructure, network appliances and other embedded devices, and client applications on endpoints. Turn on automatic updates and use patch management wherever possible.
Brand Monitoring
Brand Monitoring may include a large set of controls and detections including, breach/leak detection, brand reputation, detection of phishing websites impersonating your brand, detection of newly registered typosquatting domains, detection of mobile applications impersonating your brand, detection of written threats against your physical offices or staff, and more.
Part of brand monitoring may be the responsibility of your security operations team. I recommend having enterprise security in charge of controls and technology and security operations in charge of detection engineering, triage, investigation, and recovery. Of course, there should be strong collaboration and alignment to ensure that the technology, detections, and response meet the technical requirements of risk identification and mitigation.
Your brand monitoring technology and solutions should provide alerts and searching functionality that could inform and augment your security operations team’s early indicators and warnings program.
Deception Technology
Your enterprise IT network is where your security team can prepare the battlefield against adversaries. Your enterprise security team probably best understands these networks, and where best to lay canaries and canarytokens.
You may also want to collaborate closely with security operations here to ensure that detections are accurate and any alerts are fully investigated.
Physical Security
For an average technology organization, physical security is about deterrence. Surveillance cameras, electronic locks, strong doors/windows, background checks, visitor announcement/escorting policies, piggybacking/tailgating policies, and a strong perimeter are typically enough to discourage petty theft.
Depending on your organization and risk profile, physical security may also include executive protection, kidnapping insurance, and digital executive protection.
Note: This is just a standard physical security strategy. For specialized physical environments or assets, certain types of companies, or sophisticated adversaries, you may need to replace/augment these physical security controls with other solutions such as security guards, metal detectors, cleanroom policies, technical surveillance countermeasures (TSCM), airlock/access control vestibules, tinted/opaque/double-paned/bulletproof windows, blast-resistant doors and windows, a GSOC team, and/or more.
Metrics
Remember not to over-index on quantitative metrics that are misleading and easily manipulated. But your program needs some quantitative way to track itself. Here are my favorite enterprise security metrics:
Number of Endpoints out of Compliance — The number of company-owned devices that aren’t enrolled in MDM, EDR, or other required endpoint security tools, the number of devices that don’t have FDE, Secure Boot, automatic updates, or other required settings turned on, the number of devices that are not updated, and more. You may never be at 0 here, but the closer you are, the better your enterprise security program may be working.
Percentage of Active Identities — The number of identities being actively used on a daily basis during business hours over the total number of identities in your identity provider. The higher this number is, the better your offboarding process may be, the fewer unused privileged identities you may have, and the less likely you may be to have identities abused. Also, a change in this number is a good indicator that something is happening that needs to be investigated. You may never be at 100% here (for example, you may need break glass privileged identities that are rarely used), but the closer you are, the better your enterprise security program may be working.
Number of “Shadow IT” Vendors or Software Surfaced Per Quarter — This metric isn’t designed to count your shadow IT vendors and software (which may be impossible to determine), but how effective your enterprise security team is at discovering shadow IT. An increasing trend could represent improved trust between security and the enterprise or better controls. A decreasing trend is generally bad, but could also represent that the organization is following TPRM and enterprise security controls.
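The endpoint auditing program described under Endpoint Security and the first two metrics above are the same join over the same inventories, so here is one added example (not code from the original article) that computes both: it reconciles asset management, MDM and EDR exports into a per-device list of gaps, and computes the share of identity provider identities seen within a window, with break-glass accounts optionally excluded from the denominator. The exports, column names, device ids and identities are constructed sample data.

```python
# Added example, not from the article: computing "endpoints out of compliance"
# and "percentage of active identities" from constructed inventory exports.
# Column names, device ids and identities are assumptions, not a real schema.
from datetime import datetime, timedelta

# Constructed exports from asset management, MDM, EDR and the identity provider.
ASSETS = {"lap-1": {"fde": True, "secure_boot": True, "auto_update": True},
          "lap-2": {"fde": False, "secure_boot": True, "auto_update": True},
          "lap-3": {"fde": True, "secure_boot": True, "auto_update": False}}
MDM_ENROLLED = {"lap-1", "lap-2"}
EDR_ENROLLED = {"lap-1", "lap-3", "lap-9"}   # lap-9 was never put in asset management
REQUIRED_SETTINGS = ("fde", "secure_boot", "auto_update")

def endpoint_compliance(assets, mdm, edr):
    """Map each device id to its list of gaps. The union of all three sources
    is walked so devices a tool sees but asset management does not are reported."""
    gaps = {}
    for dev_id in sorted(set(assets) | mdm | edr):
        issues = []
        record = assets.get(dev_id)
        if record is None:
            issues.append("not in asset management")
        else:
            issues += [f"{s} off" for s in REQUIRED_SETTINGS if not record[s]]
        if dev_id not in mdm:
            issues.append("no MDM")
        if dev_id not in edr:
            issues.append("no EDR")
        if issues:
            gaps[dev_id] = issues
    return gaps   # len(gaps) is the "endpoints out of compliance" metric

def pct_active_identities(identities, last_seen, now, window_hours=24, break_glass=()):
    """Percentage of identities (break-glass ones excluded) seen within the window."""
    pool = [i for i in identities if i not in break_glass]
    cutoff = now - timedelta(hours=window_hours)
    active = [i for i in pool if i in last_seen and last_seen[i] >= cutoff]
    return round(100.0 * len(active) / len(pool), 1) if pool else 0.0

# Constructed identity provider export: carol and the contractor are stale.
NOW = datetime(2024, 1, 2, 12, 0)
IDENTITIES = ["alice", "bob", "carol", "contractor-1", "breakglass-admin"]
LAST_SEEN = {"alice": NOW - timedelta(hours=2), "bob": NOW - timedelta(hours=20),
             "carol": NOW - timedelta(days=45), "breakglass-admin": NOW - timedelta(days=400)}
```

A stale or never-seen identity in the output is exactly the offboarding gap the metric is meant to surface, so the list of inactive identities is worth handing to security operations alongside the percentage.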
This article is part of a series of security frameworks. See the other ones here: