The case for a security program
Modern corporations are fully dependent on their IT infrastructure for their daily operations. Securing an IT infrastructure can be a daunting task. Fortunately, there are common best practices that have found success for some of the biggest companies in the world. These best practices share common traits that can be duplicated to match almost any environment.
Before we begin, let’s examine the past failures of many security professionals. As security managers, we must understand that the most secure environments, regardless of the sophistication of your tools or the talent of your staff, will eventually be compromised by the weakest link in your controls. So how do we manage these weak links? Let’s start by identifying them.
Employees
Employees are the easiest and most successful target for attacks. All the tools and money in the world can be circumvented by one careless data entry operator on a Friday evening. For instance, a well-managed SSO and multi-factor authentication mechanism will prevent attackers from accessing your environment even if a user account is compromised. In the last six months I have responded to two different critical incidents that demonstrate otherwise foolproof tools like MFA are not as effective as once believed. In each of these incidents, the victim accepted an MFA challenge even though it was in off hours and they were nowhere near a computer. In both instances, the employee lacked the foresight and patience to understand what the consequences of the actions were.
In another example, attackers flooded many employees with SMS phishing (smishing) messages. The attacker would use the same methods that other social engineers use by creating a sense of urgency to the victim and the victim’s willingness to please. For these instances, the attacker posed as the CEO and asked the victim to buy gift cards for some VIP clients. All too often, this attack can pay dividends.
In the final example, we can discuss the plague of phishing emails sending users to a portal identical to Office 365 or Okta in an effort to harvest passwords. Based on my own internal phishing education campaigns through multiple companies, this tactic is effective about 20 percent percent of the time.
In all these examples, the one common denominator is the employee’s actions. Despite the millions we spend on firewalls, EDR, and building a rock-solid security program, they can all be taken down with the irreplaceable weak link of our own employees.
Poor Understanding of Your Threat Landscape and Internal Resources
When building a secure application, a practiced developer would incorporate the concept of a threat model into their workflow. In this, they will often draw out the flow of data and communication in their application while detailing factors like application libraries, encryption types, TCP ports etc. This amount of detail and the time needed to build a threat model is rarely given to corporate IT infrastructures. Taking the time to gain understanding and build a visual representation of your environment is rarely considered but will pay dividends throughout your time in an organization.
Starting with the network, work to gain an understanding of all the ingress and egress points in your environment. This is far more challenging than you might expect. Consider the following real-world examples:
- Five years ago, a manager approved a cable modem and Wi-Fi attachment to their administrative assistant's computer so they could remote into their desktop on the weekends.
- A vendor set up an ISDN line to an ISP for management of an HVAC system
- Developers created remote desktops in your AWS DEV environment to remote into directly from home. This environment has a direct backend to your datacenter.
- A legacy VPN concentrator hasn’t been updated in ten years and uses a fall back authentication mechanism with local accounts.
- Tucked away in a legacy firewall configuration is TCP/22 allow rule inbound for PCAnywhere from the 1990’s.
Now we also face the problem of the fuzzing edge to our network infrastructure. Modern IT infrastructures have a variety of means in which to interact with users. These include SaaS based web portals, SMS texts, mobile emails managed by users, BYOD devices and so on. How can this cause problems for you? Let’s take the following real-world examples:
- You have allowed your developers to access your cloud-based Confluence app from their own mobile devices through the Android mobile app. One of your developers has a root compromised phone. Has your Confluence infrastructure been compromised?
- A new employee checks their email through a web portal from an internet cafe in Singapore. They forget to sign out and you have no confidence in the security of the computer they logged in from. How can you know if this employee's account has been compromised?
As worrisome as securing your network is, we also face the problem with poorly maintained software. I shudder to think about how many instances of vulnerable SolarWinds are still running across the world. Let alone vulnerable web browsers, application libraries etc.
Are you beginning to see the problem? As your infrastructure grows and ages, all these scenarios become not only possible, but likely.
Despite what technical sales representatives might claim, there isn’t a single holistic solution to these problems. Rather, you must coordinate your efforts and resources to formulate a plan and process to gain control and visibility into your environment. Confused? Don’t worry, we’ll clarify this below:
The Need to Build a Security Program
Finding security solutions is like shopping for skinny jeans -- one size does not fit all. Instead, we need to build a team of people, processes, and tools that will develop into what we call a security program. A complete security program should have, at minimum, the following pillars:
Network Security
Like the air we breathe, modern computing environments rely on the network for their functionality. The network Is a foundation for IT security and requires skilled employees and top tier tools to properly manage. This not only includes traditional firewall, switch and vpn configuration, but WIFI access and cloud configurations as well. Most modern network security practitioners should understand cloud solutions and how to integrate them into your traditional model.
Compliance Officer
At some point in their career, every security practitioner will be faced with the impossible argument regarding the need to better secure your environment against a CFO that just doesn’t understand. The need for industry and federal compliance is the easiest way to get funding for your projects. This is where a Compliance Officer comes into play. The Compliance Officer will help you better understand what demands are placed on the organization from a legal standpoint and will help identify the gaps you have to meet these needs. This compliance is often non-negotiable, so the funding ball is often in your court. Documenting and proving compliance will also help secure cyber insurance and prove to clients your environment is secure. By creating SOC2 reports and proving you meet industry standards such as NIST2, ISO27001, PCI, GDPR and others you will open markets that your organization can not otherwise participate in. Often the highly technical members of your team will shun the compliance officer as it is an administrative position. You should Ignore them -- a talented compliance officer will make or break a security program.
Sysadmin and Endpoint Security
The importance of locking down the endpoint and ensuring top tier EDR (endpoint detection and response tools) cannot be overlooked. From my own experience I have seen a large number of attacks were prevented by removing administrative rights from corporate computers as well as the EDR’s prevention of execution or malware. A good EDR solution should give you insight into the historical actions on your endpoints as well as a global method to identify and block applications based on hash’s, behaviors, and application names. Far gone are the old anti-virus software based on known malware hashes. Using a modern EDR for endpoint security gives enterprise-wide forensics capability and remediation as well as blocking behaviors common to malware.
Often overlooked, but equally important is the ability to manage endpoints and servers for issues outside of security. Modern sysadmins require tools like Microsoft’s SCCM, Tanium, and Jamf to identify your software footprint and make configuration and software updates en masse. Remember, many security incidents arise due to vulnerable software. With an infrastructure of 10,000 hosts and servers, you’ll need centralized management if you are to keep up. Speaking of vulnerabilities…
Vulnerability Management
Suppose a new zero-day is released in the wild. How do you know if you are susceptible? How can you know the risk specific to you? The answer is by the visibility gained through a vulnerability management system (VMS).
VMS consist of scanners spread across your environment that actively log into your devices. They review software versions, configuration errors, and other key details that will help you not only visualize your environment but help to prioritize your remediation efforts. This data is stored in a central repository that can give detailed scoring based on industry standards mentioned above. A VMS program is a must and is required by many compliance standards. Using VMS along with your endpoint management software, you can be proactive about fixing security problems in your environment well before they can be exploited.
Of note: A poorly managed VMS can cause outages in applications and networks. You need to communicate when a VMS scan will run and throttle the scans and whitelist the scanners based on the observed needs of your environment. Failure to do so will cause massive outages. Ask me how I know.
Security Operations Center
A SOC is, like all the parts of the security program, is a collection of people, processes, and tools. It’s a reactive function that will monitor security events in your environment and respond to events in an effort to limit the scope of impact. The SOC will work with other teams prevent these events in the future.
A SOC functions by collecting logs from as many relevant resources as possible and sending these logs to a tool called a "security information and event management" (SIEM) platform. The SIEM normalizes these logs and compares them to known events, historical trends, and third-party intelligence feeds to decide that something is wrong.
As good as the best SIEM’s are, we still need people to double-check the findings and work toward fixing them. New tools called "Security Orchestration, Automation, and Response" (SOAR) can make quick work of fixing security incidents, but they require a strong skill set to manage. Most SOC’s still rely on carefully written runbooks and standard operating procedures for their analysts to follow. Once an incident is identified, the entire IT infrastructure must stand ready and willing to help the security remediate the problem. A specialized position called an "Incident Commander" (IC) must lead this effort. When a critical event is recognized, no one in the organization below the executive level should be able to block or hinder the remediation efforts of the SOC and IC. If you know of an organization that properly follows this model, let me know!
Employee Education Campaign
The final pillar in a security program pays the most dividend with the least number of resources -- employee education. Employees will remain the weak link in your infrastructure and training employees about cyber awareness is one way to reduce the likelihood of their misdeeds. Cyber education is important to remind employees of current attacks they may encounter but is also needed for compliance standards such as SOC2 audits. Education campaigns should also include quarterly random email phishing tests that can send the employee a fake email to gauge their susceptibility to being phished.
Building a security program with these pillars and appropriate tools will accommodate most corporate security needs. Other factors like application security and development should also be considered, but they are a specialization onto themselves. Using these pillars, and staffing accordingly, will help CISO’s secure their organization and find success in their career.
Image credit: deepadesigns / Shutterstock
Aaron Cooper is Vice President of Security Operations at Nuspire. He is a seasoned security professional and SOC manager with 20+ years experience working in a variety of enterprise infrastructures. He has several years of experience managing and designing secure network environments to meet the needs of financial and corporate customers. Throughout his experience, he has led formal classroom training and created processes for incident response and fraud operations. Aaron’s specializations also include managing security operations centers, designing and implementing highly secure and available data networks while maintaining HIPAA, SOX, and PCI compliance. He also has extensive experience with a number of intrusion detection, load-balancing, and firewall solutions.