As data breaches continue to escalate, the importance of a mature security program becomes more and more apparent to both system administrators and executives. Keeping up with the latest attacker TTPs (Tactics, Techniques & Procedures) can be daunting for even seasoned information security professionals as new research, tools and exploits get disclosed every day if not every hour.
If you don’t keep up, you will quickly be left in the dust and become less effective at your job. Because of this, building an effective security program can seem daunting, but the most important thing is to invest resources in the right places.
The number one question I get asked is just this: where do I start? How do I make sure security gets ‘baked’ into every part of my infrastructure? The answer is simple: start with the basics, and progressively work your way up.
Hardware and Software Inventory: This is probably the most critical part of any effective security program. Having a detailed and constantly updated inventory of both the hardware *and* the software present on your network allows you to quickly identify systems that need to be upgraded, either because they are deprecated or because software with listening network services has known vulnerabilities. This is especially important for things like printers, SCADA or embedded systems, as they usually cannot be upgraded or regularly patched through automated means.
Vulnerability/Patch Management Program: Vulnerability scans are a must. You should be performing vulnerability scans at regular intervals to better understand your environment and the effectiveness of your security program.
Create a secure baseline image for both workstations and servers: This might seem simple initially, but creating a secure baseline image for Windows workstations and servers requires some fairly in-depth technical knowledge, because a lot of insecure settings are enabled (or disabled) by default in Windows for backwards compatibility reasons. Three things that should be included in every baseline image are PowerShell Script Block Logging, Sysmon, and some form of application whitelisting (not blacklisting). These three things alone will increase your adversarial detection and response capabilities tenfold.
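As an added example that is not part of the original post, the following PowerShell script audits a host against the three baseline controls named above and can turn Script Block Logging on where it is missing. It assumes Sysmon was installed under its default service name (Sysmon or Sysmon64), that AppLocker is the whitelisting mechanism in use, and that the script runs from an elevated session.

```powershell
# Added example: audit a Windows host against the three baseline controls.
# Assumptions: default Sysmon service name, AppLocker as the whitelisting tool, elevated session.
$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-ScriptBlockLogging {
    # Script Block Logging is controlled by EnableScriptBlockLogging = 1 under the policy key.
    $v = Get-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

function Enable-ScriptBlockLogging {
    # Create the policy key if absent and turn logging on; script blocks are then
    # written to Microsoft-Windows-PowerShell/Operational as event ID 4104.
    if (-not (Test-Path $SblKey)) { New-Item -Path $SblKey -Force | Out-Null }
    Set-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Test-Sysmon {
    # Sysmon runs as a service; installed but stopped still counts as a failed check.
    $svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue | Select-Object -First 1
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Test-AppLockerEnforced {
    # Whitelisting only takes effect when at least one rule collection is in enforce
    # ("Enabled") mode and the Application Identity service (AppIDSvc) is running.
    $appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if ($null -eq $appId -or $appId.Status -ne 'Running') { return $false }
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($null -eq $policy) { return $false }
    return [bool]($policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
}

function Test-SecureBaseline {
    # One row per host; feed this into your inventory so drift from the baseline is visible.
    [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        ScriptBlockLogging = Test-ScriptBlockLogging
        SysmonRunning      = Test-Sysmon
        AppLockerEnforced  = Test-AppLockerEnforced
    }
}

if (-not (Test-ScriptBlockLogging)) { Enable-ScriptBlockLogging }
Test-SecureBaseline | Format-List
```

Sysmon and AppLocker are left to report only, since installing Sysmon needs a configuration file and AppLocker rules should be authored for your environment rather than switched on blindly.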
Performing only these three steps will jump-start your security program and provide an extremely solid foundation to build upon until it becomes a full-scale security program. However, along the way you will undoubtedly encounter obstacles, and because they take many different forms it is hard to give suggestions that fit every case.
Here are some general ‘pro-tips’ for securing your infrastructure:
Tip 1: Always try built-in Microsoft tools
Built-in Microsoft tools are guaranteed to have a certain level of security built in. Nothing guarantees that third-party vendor products adhere to the same standards. Ironically, from experience I can say that most of the time ‘security products’ leave something to be desired.
Tip 2: Invest in people *not* products
If you are lucky enough to have a budget for a security program, then no matter how hard vendors try to convince you otherwise, blindly throwing money at a product will not make your security problems go away. It might even make things worse: if you don’t have the right people to properly configure and implement security product X, you are potentially adding attack surface and making your network more vulnerable. It is critical to invest first in qualified professionals who know the ins and outs of whatever technology you are running, or are trying to implement, to manage your network. Only then can you complement your existing security controls by investing in industry-recognized products that provide additional detection capabilities.
Tip 3: Compliance does not equal security
This is the most common misconception that I hear from clients. Unfortunately, complying with any standard (for example, PCI) does not mean your environment is secure.
Once you have these basics in place, you can take your security program to the next level by performing penetration tests. Take this step only when you are confident that your environment is relatively secure and up to date; doing it beforehand will provide no value whatsoever, as it will usually result in your entire environment being compromised extremely easily by the pentester. Not only will penetration tests uncover the vulnerabilities that automated vulnerability scanners will not find, they will also help you assess the overall security of the environment’s configuration and implementation. This is extremely important, as implementation bugs and misconfigurations are usually the most devastating and impactful.
Without a doubt, performing regular pentests in your environment is an absolute necessity in order to have an effective security program. If you’ve invested your budget correctly, at this point you might even have people internally who could perform some aspects of a pentest for you, since many of the most useful pentesting tools tend to be open-source, free and publicly available.