Mature Controls at Any Size
This is a followup to an old article I wrote called A Mature Security Program at Any Size where I laid out security processes and procedures that you could implement and scale at any size organization.
In this article, I will do the same thing for a set of basic controls you can implement and scale that any size organization should have.
Endpoints are often one of the most neglected areas of a security program. Most breaches occur on endpoints: exploits and malware are delivered to endpoints, malware is installed and persists on endpoints, endpoints have access to valuable resources, and endpoints are where exfiltration happens.
The three things every endpoint security program needs are:
- Device Management (MDM) — Your base set of controls to track and manage your endpoints. A good MDM solution will give you asset management, remote locate, remote wipe, remote lock, policy enforcement (disk encryption, auto-update, auto-lock), software management, and the ability to run arbitrary scripts.
- Prevention, Detection, and Response (EPP/EDR/NGAV) — Then, you need something more powerful. There are only a few good options in this space, but the most important thing is that detection is based primarily on indelible cyber threat-intelligence. If the primary detection mechanism is machine learning or signatures, then you’re not in a good place.
- Intelligence — Finally, you need a way to ask questions about your endpoints to perform investigations and threat hunting. Think about the set of things you want to monitor live and historically on your endpoints, like processes, installed applications, open ports, browser extensions, and more. Think about the speed and frequency of which you need this information.
Another often neglected part of a complete security program. Almost all of your adversaries will attempt to deliver attacks through e-mail. Even if they don’t eventually succeed, you’ll often see them start with e-mail, because it’s the easiest, cheapest delivery method.
I think a good e-mail gateway solution has three features:
- Prevention and detection of malicious (exploits or malware) attachments and links. Typically this can be done by detonating links and attachments in a sandbox and performing dynamic analysis.
- Prevention and detection of business e-mail compromise and generic social engineering and phishing e-mails. I like to see fancy features here like fuzzy image matching for identifying phishing websites and e-mail address reputation checking and domain age checking for identifying suspicious e-mail addresses.
- A rule language to write my own custom e-mail filters.
While most security operations teams strive for 100% visibility, it’s often simply an impossible goal because of shadow IT, shadow engineering, and simply requiring too many resources.
So, to cover your blind spots, gain extra visibility, and to better track your adversaries you should invest heavily into deception technology.
- Put honeypots inside your internal network. The first thing most adversaries do when they get a foothold is take a look around for juicy targets. Have your honeypots look juicy (but not too obvious) and monitor for port scanning and file share enumeration.
- Place honeytokens inside your sensitive file stores and documentation repositories. API keys and domains can be particularly valuable indicators and warnings.
- Use fake employees to get a sense of where your adversaries are collecting intelligence about your organization and who your adversaries are.
This should be pretty self explanatory:
- Enforce 2FA wherever possible (in order of efficacy: U2F, TOTP, SMS).
- Encourage your employees to use a password manager.
- Use SSO to help enforce 2FA, have centralized logging for your SaaS platforms, and enable auditing access to your SaaS platforms.
Your security operations team will be responsible for incident detection, handling, response, and recovery, as well as threat intelligence, brand monitoring, and more. But before your operations team can do any of those things, it needs data.
Have a log management or SIEM platform that can do these three things:
- Log Ingestion, Management, and Search — The platform needs to logically manage logs from all the places where you have logs and allow you and your teams to efficiently search it during an investigation.
- Rules and Alerting — In addition to search, you’re going to want a simple, but featureful rule language that you can write alerts in. Then you want to be able to have those alerts surfaced to you in an easy workflow for your team.
- Integrate threat intelligence.
Don’t overthink this one, AWS Cloudwatch does all of these things. If you’re worried about cost or vendor lock-in, don’t be afraid to start with an MDR or a cheaper product until you have a team to properly manage and make proper decisions.