By Jean-Paul Bergeaux, Federal CTO, GuidePoint Security
In the recap of things seen at BlackHat and DefCon, there were several things that were intended to make the point that security tools and processes are not going to stop adversaries if they really want to get in. Each of those has a mitigation that can be engaged, some with product cost, some with time and labor. The problem is that those are just a few of the holes in the security dam that need to be plugged. The list is longer than any team can fully resolve.
So what do we do as security professionals charged with defending these networks and data? It appears to be a losing battle; however, there are things we can do. Things that will significantly improve the likelihood that we will either catch the adversary early in the kill chain or catch them quickly once inside and stop them.
Here are five steps that any enterprise can take. Some are worthy of a “that’s basic” response, but getting visibility, funding, and buy-in is the challenge for security teams. Here goes.
Step one: Security basics
Of course, the first place to start is to put up the most basic security controls. What many call “basic security blocking and tackling.”
- Network security with at least firewalls and IPS.
- Endpoint security with AV, HIPS, asset management, and application control.
- Vulnerability management with vulnerability scans and a working mitigation and confirmation procedure.
- SIEM/SOC with logging, correlation, and the ability to do some incident response.
- Identity management with identity controls, IGA, logging, and MFA.
These are basic starting points for a security architecture. There are many more products and controls to consider, but these have to be present as a starting point. If any of these are not in place, it could be worth looking at a managed service to get things up and running quicker. MSSPs, including GuidePoint Security’s, offer as-a-service for all these areas.
Step two: Clean up the environment
The biggest problem with an effective security architecture is a messy and unmanageable environment.
Data Identification and Classification: How do you secure the most important data if you don’t know exactly where it is, or if critical data is spread all over the environment across many disparate platforms? Discovery of data and classification into security classifications that make sense is key. Find the data, tag the data, collect the data, then protect the data.
Identity cleanup: Identity Governance should cover this, but often doesn’t. How do you prevent unauthorized access if you don’t know WHO has access and how? How do you restrict privileged access if service accounts are not known and managed properly? One of the previously mentioned DefCon presentations pointed out that nearly every enterprise environment has undocumented privileged accounts, and we at GuidePoint have seen the same thing. Deep and complete identity discovery is required.
Network cleanup: This is probably the hardest of the three cleanup tasks. Networks today are vibrant, powerful and constantly changing. How do you map your network? How do you keep it up to date? This is a very difficult, but necessary, task. GuidePoint Security has found many a hole between enclaves or segments previously thought to be separated. Automated discovery and mitigation is required.
Step three: Test your environment
This is one of the few areas where I venture into “new and shiny” tools. I just think this is a critical new area that needs to be adopted now and fast. Security Instrumentation Platforms (SIPs) now can:
- Validate your security tools’ configurations and effectiveness.
- Validate architectural logging, alerting, and API connections between products.
- Validate that the SIEM is receiving logs and correlating them into alerts, and produce correlation rules if absent.
- Validate SOC analyst response to alerts.
- Validate ticketing system creation and resolution processes.
These five validations are huge for any enterprise and are otherwise nearly impossible without costly services engagements performed far less often. The Return-On-Investment (ROI) of this type of product is through the roof for any CISO/CIO.
Step four: Outside evaluation of your progress
Once step three, the SIP, has been running and showing improved effectiveness, the best next step is a third-party penetration test, either by a typical pen test organization or a crowdsourced pen test, depending on your organization. The reason this comes after step three is that the SIP will close all the “easy” gaps and require the penetration tester to find more serious gaps. Through no fault of the pen tester, they are going to find the easiest two or three ways in the door and document those. By using a SIP to close the easiest gaps first, you will get even more value from a penetration test.
After a pen test is complete, the next outside evaluation would be engaging with a cyber security firm, like GuidePoint Security, for an architectural assessment. This assessment should provide a solid plan forward from a fresh set of eyes. Look for an offering that will not focus on theoretical and esoteric, but on real and achievable next steps and goals.
Step five: Think outside the box
Finally, we get to the part that most organizations start with, but should finish with. That’s the “new and shiny” cyber security toys. Once the first four basic steps are complete, looking for the latest innovation that can add value is fun. Here are three I picked out of the air:
- Separating out non-essential identities
Many organizations are finding that they don’t need everyone in Active Directory (AD). Administrators, maybe; all internal users, maybe not. Definitely not temporary users, and possibly not contractors either. There are Identity-as-a-Service (IDaaS) offerings that can provide access to needed resources and applications without ever adding them into the Domain as a user. The value of this is both ease of adding and removing them and, more importantly, limiting access to AD and the added risk that entails.
- Deception
There are two versions of deception out there worth considering: AD-only deception (endpoint agent) and full deception platforms. If an organization runs only Microsoft, with everyone and every system in AD, then AD-only deception is the easiest and cheapest solution. That is a rare environment, and not recommended anyway. A full deception platform that can be built across a diverse network and enterprise is more expensive but adds significant value.
- Behavioral analytics
That term actually drives me crazy. Mainly because many security OEMs use it and just write clever rules and signatures that are NOT true behavioral analytics. True BA will learn a baseline and alert on deviations. A single user, a user type, a system, a network: all of those can be baselined to create alerts when things change. When designed and tuned right, these solutions work as an early warning system.
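To make the rule-versus-baseline distinction concrete, here is an added example (not from the original post or any vendor product) of the simplest form of learned-baseline alerting: per-user daily login counts and known source hosts are learned from a training window, and a new day's events are flagged only where they deviate from that user's own history. The events, user names and host names are constructed sample data; the z-score threshold and the floor on standard deviation are assumptions for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample: five days of (day, user, src_host) login events used as the baseline.
# alice logs in 3 times a day from her workstation; bob 2 times a day plus an occasional jump host.
BASELINE_EVENTS = (
    [(d, "alice", "ws-alice") for d in range(1, 6) for _ in range(3)]
    + [(d, "bob", "ws-bob") for d in range(1, 6) for _ in range(2)]
    + [(2, "bob", "jump-01"), (4, "bob", "jump-01")]
)

# Constructed sample: one new day to score. alice is normal; bob logs in 13 times from 12 never-seen hosts.
NEW_EVENTS = (
    [(6, "alice", "ws-alice")] * 3
    + [(6, "bob", "ws-bob")]
    + [(6, "bob", "srv-fin-%02d" % i) for i in range(12)]
)


def _summarize(events):
    """Per user: Counter of logins per day and the set of source hosts seen."""
    daily, hosts = defaultdict(Counter), defaultdict(set)
    for day, user, host in events:
        daily[user][day] += 1
        hosts[user].add(host)
    return daily, hosts


def learn_baseline(events):
    """Learn each user's normal daily login volume and host set (the 'baseline')."""
    daily, hosts = _summarize(events)
    return {
        user: {"mean": mean(per_day.values()), "sd": pstdev(per_day.values()), "hosts": hosts[user]}
        for user, per_day in daily.items()
    }


def detect(baseline, events, z=3.0):
    """Alert on deviations from each user's own baseline, not on a fixed global rule."""
    daily, hosts = _summarize(events)
    alerts = []
    for user in daily:
        b = baseline.get(user)
        if b is None:  # a user with no history is itself a deviation worth a look
            alerts.append((user, "no baseline for user"))
            continue
        # Floor the stddev at 1.0 so a perfectly regular user still has some headroom (assumption).
        threshold = b["mean"] + z * max(b["sd"], 1.0)
        for day, n in daily[user].items():
            if n > threshold:
                alerts.append((user, "day %d: %d logins, baseline mean %.1f" % (day, n, b["mean"])))
        new_hosts = hosts[user] - b["hosts"]
        if new_hosts:
            alerts.append((user, "new source hosts: %s" % sorted(new_hosts)))
    return alerts
```

Running `detect(learn_baseline(BASELINE_EVENTS), NEW_EVENTS)` raises two alerts for bob (volume and new hosts) and none for alice, even though a static "more than 10 logins" rule would know nothing about what is normal for either of them.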
About the author
With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.