Modern corporations are fully dependent on their IT infrastructure for their daily operations. Securing an IT infrastructure can be a daunting task. Fortunately, there are common best practices that have found success for some of the biggest companies in the world. These best practices have characteristics in common that can be imitated to fit nearly any scenario. Building a security program with these pillars and appropriate tools will accommodate most corporate security needs. Other factors like application security and development should also be considered, but they are a specialization onto themselves. Using these pillars, and staffing accordingly, will help CISOs secure their organization and find success in their career.
Before we begin, let’s examine the past failures of many security professionals. As security managers, we must understand that the most secure environments. So how do we manage these weak links? Let’s start by identifying them.
Employees are the easiest and most successful target for attacks.. For instance, a well-managed SSO and multi-factor authentication mechanism will prevent attackers. In the last six months, I have responded to two different critical incidents. That demonstrate otherwise foolproof tools like MFA are not as effective as once believed. In each of these incidents, the victim accepted an MFA challenge even though it was in off hours and they were nowhere near a computer. In both instances, the employee lacked the foresight and patience to understand. What the consequences of the actions were?
Poor Understanding of Your Threat Landscape and Internal Resources
When building a secure application, a practiced developer would incorporate the concept of a threat model into their workflow. In this, they will often draw out the flow of data and communication in their application while detailing factors like application libraries, encryption types, TCP ports etc. .
Starting with the network, work to gain an understanding of all the ingress and egress points in your environment. This is far more challenging than you might expect. Consider the following real-world examples:
- Five years ago, a manager approved a cable modem and Wi-Fi attachment to their administrative assistant’s computer so they could remote into their desktop on the weekends.
- A vendor set up an ISDN line to an ISP for management of an HVAC system
- Developers created remote desktops in your AWS DEV environment to remote into directly from home. This environment has a direct backend to your datacenter.Tucked away in a legacy firewall configuration is TCP/22 allow rule inbound for PCAnywhere from the 1990’s.
Now we also face the problem of the fuzzing edge to our network infrastructure. Modern IT infrastructures have a variety of means in which to interact with users. These include SaaS based web portals, SMS texts, mobile emails managed by users, BYOD devices and so on. How can this cause problems for you? Let’s take the following real-world examples:
- You have allowed your developers to access your cloud-based Confluence app from their own mobile devices through the Android mobile app. One of your developers has a root compromised phone. A new employee checks their email through a web portal from an internet cafe in Singapore. They forget to sign out and you have no confidence in the security of the computer they logged in from.
As worrisome as securing your network is, we also face the problem with poorly maintained software. I shudder to think about how many instances of vulnerable SolarWinds are still running across the world. Let alone vulnerable web browsers, application libraries etc.
Are you beginning to see the problem? As your infrastructure grows and ages, all these scenarios become not only possible, but likely.
The Need to Build a Security Program
Finding security solutions is like shopping for skinny jeans — one size does not fit all. Instead, we need to build a team of people, processes, and tools that will develop into what we call a security program. A complete security program should have, at minimum, the following pillars:
Like the air we breathe, modern computing environments rely on the network for their functionality. The network Is a foundation for IT security and requires skilled employees and top tier tools to properly manage. This not only includes traditional firewall, switch and vpn configuration, but WIFI access and cloud configurations as well. Most modern network security practitioners should understand cloud solutions and how to integrate them into your traditional model.
At some point in their career, every security practitioner will be faced with the impossible argument regarding the need to better secure your environment against a CFO that just doesn’t understand. The need for industry and federal compliance is the easiest way to get funding for your projects. This is where a Compliance Officer comes into play.This compliance is often non-negotiable, so the funding ball is often in your court. Documenting and proving compliance will also help secure cyber insurance and prove to clients your environment is secure. By creating SOC2 reports and proving you meet industry standards such as NIST2, ISO27001, PCI, GDPR and others you will open markets that your organization can not otherwise participate in. Often the highly technical members of your team will shun the compliance officer as it is an administrative position. You should Ignore them — a talented compliance officer will make or break a security program.
Sysadmin and Endpoint Security
The importance of locking down the endpoint and ensuring top tier EDR (endpoint detection and response tools) cannot be overlooked. From my own experience I have seen a large number of attacks were prevented by removing administrative rights from corporate computers as well as the EDR’s prevention of execution or malware. A good EDR solution should give you insight into the historical actions on your endpoints as well as a global method to identify and block applications based on hash’s, behaviors, and application names. Far gone are the old anti-virus software based on known malware hashes. Using a modern EDR for endpoint security gives enterprise-wide forensics capability and remediation as well as blocking behaviors common to malware.
Often overlooked, but equally important is the ability to manage endpoints and servers for issues outside of security. Modern sysadmins require tools like Microsoft’s SCCM, Tanium, and Jamf to identify your software footprint and make configuration and software updates en masse. Remember, many security incidents arise due to vulnerable software. With an infrastructure of 10,000 hosts and servers, you’ll need centralized management if you are to keep up. Speaking of vulnerabilities…
Suppose a new zero-day is released in the wild. How do you know if you are susceptible? How can you know the risk specific to you? The answer is by the visibility gained through a vulnerability management system (VMS).
VMS consist of scanners spread across your environment that actively log into your devices. They review software versions, configuration errors, and other key details that will help you not only visualize your environment but help to prioritize your remediation efforts. Using VMS along with your endpoint management software.
Of note: A poorly managed VMS can cause outages in applications and networks. You need to communicate when a VMS scan will run and throttle the scans and whitelist the scanners based on the observed needs of your environment. Failure to do so will cause massive outages. Ask me how I know.
Security Operations Center
A SOC is, like all the parts of the security program, is a collection of people, processes, and tools. It’s a reactive function that will monitor security events in your environment and respond to events in an effort to limit the scope of impact. The SOC will work with other teams prevent these events in the future.
A SOC functions by collecting logs from as many relevant resources as possible and sending these logs to a tool called a “security information and event management” (SIEM) platform. The SIEM normalizes these logs and compares them to known events, historical trends, and third-party intelligence feeds to decide that something is wrong.
Employee Education Campaign
The final pillar in a security program pays the most dividend with the least number of resources — employee education. Employees will remain the weak link in your infrastructure and training employees about cyber awareness is one way to reduce the likelihood of their misdeeds. Cyber education is important to remind employees of current attacks. They may run into compliance standards like SOC2 audits, but they are also required for those. Education campaigns should also include quarterly random email phishing tests. That can send employee a fake email to gauge their susceptibility to being phished.