Have the response team
No matter how good your organization is at risk management and implementing security measures, it is certain that sooner or later it will experience a severe security incident or a breach. When this happens, the only thing that can effectively minimize the impact and quickly recover from the incident is a response team equipped with proper tools and pre-identified puzzle pieces that they can put together when the crisis comes. On top of that, you will be able to use the reports created by this team to identify the root causes of incidents in your environment, which will help you prioritize the needed improvements. This is simply what you need to start with.
Tip: Avoid creating countless incident response workflows or detailed step-by-step playbooks. Experience taught me you will waste a lot of time, and situations that fully fit your flows will almost never happen. Instead, have your communication and escalation process straight, key stakeholders identified and aware of the response team's responsibilities, and maintain and periodically test the actions needed during the different phases of the incident response process: how to search for given logs, how to identify what a given hostname or IP is, who is responsible for a given asset, how to block a URL, how to lock a user account, how to contain a host, etc. Instead of wasting time keeping 50 playbooks up to date, run drills and test different situational scenarios with the response team and the key stakeholders, so everyone knows their puzzle pieces and how to fit them together depending on the reality that will only become known when the incident strikes. Analyze what could have been done better during such exercises. In the end, incident response is more an experience-driven than a checklist-driven activity.
Cover the absolute basics
The things listed here are the absolute prerequisites of a responsible cybersecurity approach. They are so basic that some of them are not even purely security but rather IT responsibilities. They should be no-brainers, but I encounter organizations that have deficiencies in these areas all too often. The ultimate goal of these is to minimize the attack surface using the most basic measures. To do them effectively you first have to have a decent CMDB.
- Patch management – test and then deploy security updates regularly and with the shortest possible delay,
- Perform regular vulnerability scanning, prioritize and manage identified vulnerabilities,
- Have a complete AV software deployment – make sure your goal is 100% coverage, keep your AV management infrastructure secure, make sure updates are distributed effectively and review your detection reports. If your solution provides a host firewall feature, configure and use it (if not, use the default system firewall),
- Network segmentation – the only thing worse than a flat network is systems left on it with default credentials, so do make sure the segments of your network are properly isolated with firewalls,
- Least privilege approach – identify what are the minimal privileges required by different groups of users in your organization and grant only these.
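Vulnerability scanning only pays off when findings are prioritized with asset context, which is why the CMDB comes first. The script below is an added example, not code from the original post: it joins constructed scanner output with a constructed CMDB extract, scores each finding by CVSS plus exposure, exploit availability and business criticality (the weights and SLA bands are assumptions to be tuned to your policy), and deliberately pushes any scanned host that is missing from the CMDB to the top of the list so the inventory gap gets fixed instead of being silently ignored.

```python
"""Prioritise vulnerability scan findings with CMDB context.

Added example (not from the original post). The CMDB extract, the scan
findings and the scoring weights are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed CMDB extract: host -> internet exposure, business criticality (1-5), owner
CMDB = {
    "web-01": {"exposed": True, "criticality": 5, "owner": "web-team"},
    "db-01": {"exposed": False, "criticality": 5, "owner": "dba-team"},
    "kiosk-07": {"exposed": False, "criticality": 1, "owner": "facilities"},
}

# Constructed scanner export: (host, finding id, CVSS base score, public exploit known?)
FINDINGS = [
    ("web-01", "FINDING-A", 9.8, True),
    ("db-01", "FINDING-B", 7.5, False),
    ("kiosk-07", "FINDING-C", 9.8, True),
    ("web-01", "FINDING-D", 4.3, False),
    ("unknown-host", "FINDING-E", 10.0, True),  # scanned, but absent from the CMDB
]

# Assumed remediation deadlines (days) by priority band; tune to your own policy.
SLA_BANDS = [(12.0, 7), (7.0, 30), (0.0, 90)]


@dataclass
class Prioritised:
    host: str
    finding: str
    score: float
    owner: str
    sla_days: int
    note: str


def priority_score(cvss, exploit_known, exposed, criticality):
    """Blend technical severity with business context.

    Weights are an assumption for this example: CVSS is the base, a known
    exploit and internet exposure each add 2, and criticality scales the
    result so the same CVSS on a crown-jewel host outranks it on a kiosk.
    """
    score = cvss + (2.0 if exploit_known else 0.0) + (2.0 if exposed else 0.0)
    return round(score * (0.5 + criticality / 10.0), 2)


def sla_for(score):
    """Map a priority score to the remediation deadline of its band."""
    for threshold, days in SLA_BANDS:
        if score >= threshold:
            return days
    return SLA_BANDS[-1][1]


def prioritise(findings, cmdb):
    """Return findings sorted highest priority first.

    A host missing from the CMDB is scored as worst case (exposed,
    criticality 5) so the CMDB gap surfaces at the top of the list
    instead of being silently deprioritised.
    """
    result = []
    for host, finding, cvss, exploit_known in findings:
        asset = cmdb.get(host)
        if asset is None:
            asset = {"exposed": True, "criticality": 5, "owner": "UNKNOWN"}
            note = "host not in CMDB: fix the inventory, scored as worst case"
        else:
            note = ""
        score = priority_score(cvss, exploit_known, asset["exposed"], asset["criticality"])
        result.append(Prioritised(host, finding, score, asset["owner"], sla_for(score), note))
    return sorted(result, key=lambda p: p.score, reverse=True)


if __name__ == "__main__":
    for p in prioritise(FINDINGS, CMDB):
        print(f"{p.score:6.2f}  {p.host:12} {p.finding:10} owner={p.owner:10} sla={p.sla_days}d {p.note}")
```

The owner field is what turns a ranked list into work: each row already names who has to patch it and by when, which is the hand-off the patch management bullet needs.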
Collect and store your logs and flows
These will be needed every day. They are the starting point of investigations, the basis of compliance-driven reporting and your primary visibility into what happens in your environment. Depending on the resources your organization has, you will find opportunities to further optimize the use of this data, for example threat hunting or advanced analytics, including machine learning for entity behavior anomaly detection.
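To show what "entity behavior anomaly detection" over stored flows can look like without a machine learning stack, here is an added example (not code from the original post). It builds a per-host daily baseline from constructed flow records whose fields mimic a NetFlow/IPFIX export (an assumption), then flags days outside the baseline window whose egress volume deviates by a robust median/MAD z-score or that use a destination port the host never used before. The median/MAD choice matters: a mean and standard deviation would be dragged toward the very outlier you want to catch.

```python
"""Per-entity baseline from flow records, with robust outlier detection.

Added example, not from the original post. Flow records are constructed;
their fields mimic a typical NetFlow/IPFIX export but are an assumption.
"""
from collections import defaultdict
from statistics import median

# Constructed flows: (day, src_host, dst_ip, dst_port, bytes_out)
FLOWS = [
    # ws-alice: about 50 MB a day to the internal web proxy for a week ...
    *[(d, "ws-alice", "10.0.0.5", 443, 50_000_000 + d * 1_000) for d in range(1, 8)],
    # ... then on day 8 a 2 GB upload to an external host on a port never used before
    (8, "ws-alice", "203.0.113.9", 8443, 2_000_000_000),
    # ws-bob: noisy but legitimate daily variance (40, 70 or 100 MB)
    *[(d, "ws-bob", "10.0.0.5", 443, 40_000_000 + (d % 3) * 30_000_000) for d in range(1, 9)],
]


def daily_profile(flows):
    """Aggregate flows into per-host, per-day egress bytes and destination port sets."""
    bytes_out = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(lambda: defaultdict(set))
    for day, host, _dst, port, nbytes in flows:
        bytes_out[host][day] += nbytes
        ports[host][day].add(port)
    return bytes_out, ports


def robust_z(value, baseline):
    """Median/MAD z-score: resistant to the outliers a mean/stddev would absorb."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return abs(value - med) / (1.4826 * mad)


def detect_anomalies(flows, baseline_days, threshold=5.0):
    """Flag days outside the baseline window whose volume or port set deviates."""
    bytes_out, ports = daily_profile(flows)
    alerts = []
    for host, per_day in bytes_out.items():
        base_vals = [per_day[d] for d in baseline_days if d in per_day]
        base_ports = set().union(*(ports[host][d] for d in baseline_days if d in ports[host]))
        if len(base_vals) < 3:
            continue  # not enough history to baseline this entity
        for day in sorted(per_day):
            if day in baseline_days:
                continue
            z = robust_z(per_day[day], base_vals)
            new_ports = ports[host][day] - base_ports
            if z > threshold or new_ports:
                alerts.append({"host": host, "day": day, "bytes": per_day[day],
                               "robust_z": round(z, 2), "new_ports": new_ports})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(FLOWS, baseline_days=range(1, 8)):
        print(alert)
```

On the sample data only ws-alice's day 8 is raised; ws-bob's 100 MB day sits well inside its own noisy baseline, which is the point of baselining per entity rather than against a global average.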
Phishing in its different forms remains the most common attack vector, and in many cases its goal is credential harvesting. On top of that, we see new reports about breaches exposing users' credentials all the time. Passwords as a single authentication factor are really dead. Over all these years the InfoSec community has failed to develop a secure and usable approach to password management that would become an absolute standard, easy to use for all users. Mistakes were made, like nonsensical password complexity rules and frequent forced password changes. Password managers help a lot but are still not in common use. For enterprise environments, multi-factor authentication (at least 2 of: what you are, what you have, what you know) is now a must.
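The most common "what you have" factor in enterprises is a one-time password generator, so here is an added example (not code from the original post) of how that factor works under the hood: HOTP (RFC 4226) and TOTP (RFC 6238) implemented with the Python standard library, plus a verifier that tolerates clock drift but refuses to accept a step that has already been consumed, so a code captured by phishing cannot simply be replayed within the drift window. The secret in the demo is the RFC test-vector secret, not a real credential.

```python
"""One-time passwords as a 'what you have' factor: HOTP (RFC 4226) and TOTP (RFC 6238).

Added example, not from the original post. Standard library only. The secret
used in the demo is the RFC test-vector secret, not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC the 8-byte big-endian counter, dynamic-truncate, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP is HOTP with the counter derived from the clock."""
    t = int(time.time()) if unix_time is None else unix_time
    return hotp(secret, t // step, digits, algo)


def verify_totp(secret, code, last_step, unix_time=None, step=30, digits=6, window=1, algo=hashlib.sha1):
    """Check a submitted code against the current step and +/- window steps.

    Returns the matching step on success, or None. Any step at or below
    `last_step` (the last step already accepted for this user) is refused,
    so a captured code cannot be replayed within the drift window. The
    comparison is constant time.
    """
    if not isinstance(code, str) or not code.isdigit() or len(code) != digits:
        return None
    t = int(time.time()) if unix_time is None else unix_time
    current = t // step
    for delta in range(-window, window + 1):
        candidate_step = current + delta
        if candidate_step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step, digits, algo), code):
            return candidate_step
    return None


def secret_from_base32(text):
    """Authenticator apps receive the shared secret as base32 (e.g. in otpauth:// URIs)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that enrollment QR codes often omit
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret
    print("HOTP counter 0:", hotp(secret, 0))
    print("TOTP at T=59, 8 digits:", totp(secret, 59, digits=8))
    print("Current TOTP:", totp(secret))
```

The `last_step` bookkeeping is the part most home-grown verifiers forget: without it, a valid code stays valid for the whole drift window, which is exactly the gap a real-time phishing proxy exploits.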
It wasn't easy for me to identify the 5th one. There were many contenders, but this being a subjective list, EDR finally won despite being a relatively new invention compared to the previous ones. In my experience, deploying a good EDR solution while having sufficient personnel to operate it brings the most immediate value to detecting and responding to intrusions on endpoints, which is typically where your biggest exposure is. It is not particularly difficult to deploy, doesn't have many prerequisites, and organizations that can afford it can cover their full endpoint estate. I did not see many other measures that give such levels of visibility and detection capability, ultimately reducing the time and effort needed to detect, investigate and contain a threat. And you can't fight something you don't see. On top of that, the collected telemetry brings opportunities to analyze the data for user behavior anomalies, trends in attack techniques, the presence of newly identified indicators of compromise, or even to build an application inventory. Be careful though: you will need skilled staff or a good service provider to make the most of it.
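Two of the secondary uses named above, retro-hunting for newly published indicators and building an application inventory, come straight out of the same process-start telemetry. The following added example (not code from the original post or from any EDR vendor) runs over constructed process events: it groups executions by executable path to list which hosts run what and how many distinct binaries sit behind each path, and checks every recorded execution against a constructed indicator set. The hashes are generated from labels so the data looks like real telemetry; none of them is a real indicator.

```python
"""Mine EDR process-start telemetry for an application inventory and IoC hits.

Added example, not from the original post. The event shape, the hashes and
the indicator list are all constructed; nothing here is a real indicator.
"""
import hashlib
from collections import defaultdict


def constructed_hash(label):
    """Stand-in for a file SHA-256 so the sample data looks like real telemetry."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed process-start events as an EDR might export them
EVENTS = [
    {"host": "ws-01", "user": "alice", "image": r"C:\Program Files\Vendor\app.exe", "sha256": constructed_hash("app-v1")},
    {"host": "ws-02", "user": "bob", "image": r"C:\Program Files\Vendor\app.exe", "sha256": constructed_hash("app-v1")},
    {"host": "ws-03", "user": "carol", "image": r"C:\Program Files\Vendor\App.exe", "sha256": constructed_hash("app-v2")},
    {"host": "ws-02", "user": "bob", "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "sha256": constructed_hash("sample-x")},
    {"host": "ws-01", "user": "alice", "image": r"C:\Windows\System32\notepad.exe", "sha256": constructed_hash("notepad")},
]

# Constructed indicator list, standing in for hashes from a newly published report
IOC_SHA256 = {constructed_hash("sample-x")}


def application_inventory(events):
    """Group by executable path (case-folded, since Windows paths are case-insensitive):
    which hosts run it and which distinct binaries (hashes) sit behind that path."""
    inventory = defaultdict(lambda: {"hosts": set(), "hashes": set()})
    for event in events:
        entry = inventory[event["image"].lower()]
        entry["hosts"].add(event["host"])
        entry["hashes"].add(event["sha256"])
    return dict(inventory)


def ioc_hits(events, ioc_hashes):
    """Retro-hunt: which past executions match indicators received after the fact."""
    return [event for event in events if event["sha256"] in ioc_hashes]


def multi_version_paths(inventory):
    """Same path, more than one hash: version sprawl to reconcile with patch status."""
    return sorted(path for path, entry in inventory.items() if len(entry["hashes"]) > 1)


if __name__ == "__main__":
    inv = application_inventory(EVENTS)
    for path, entry in sorted(inv.items()):
        print(f"{path}: {len(entry['hosts'])} host(s), {len(entry['hashes'])} version(s)")
    for hit in ioc_hits(EVENTS, IOC_SHA256):
        print("IoC hit:", hit["host"], hit["user"], hit["image"])
    print("paths with multiple binaries:", multi_version_paths(inv))
```

The inventory output also feeds the basics: a path that shows up with several hashes across the estate is a direct lead for the patch management and vulnerability scanning work, since it usually means uneven versions in the field.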