How to be Sure Your Security Solutions are Working for You, Not an Attacker.
Oh, what a year it has been! So far, 2017 has been full of mega breaches due to patching issues, more Internet of Things (IoT) related attacks, and ransomware causing organizations pain. While we had more events, the challenges from 2016 remain true today. In short, companies are still struggling to figure out where best to spend their budgets to get the most value from their investments, while also improving detection and preventing security threats to their environments.
Due to compliance standards, most organizations are spending their budgets on four primary security solutions:
- Perimeter Security Solutions – Firewalls, IDS/IPS, and WAF
- Endpoint Protection Solutions – Anti-Virus/Anti-Malware
- Log Management and SIEM Solutions
- Patch Management Solutions
These four types of solutions can consume as much as 50-60% of your overall security budget, and historically, each one has had significant problems delivering the value or return that was expected of it.
Perimeter Security Solutions
From the attacker’s point of view, firewalls do little more than control what you are allowing into your network. Relying on a firewall alone to stop an attack is an exercise in futility; therefore, most now come with IDS/IPS features. At the very least, these features can attempt to block an attack when they see a known form of attack against the system.
As we’ve stated in the past, the argument to go to a “NexGen” firewall is that it provides visibility into the services you are allowing into and out of your network. This visibility lets you see what type of activity is leaving your environment, be it an attacker who has successfully compromised your network, or a rogue employee sending all your intellectual property to his private email account.
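The egress visibility described above only pays off if someone actually reviews what is leaving. As an added example that is not part of the original post or of any vendor's product, the following Python reviews a constructed sample of outbound firewall log lines (assumed key=value format, field names, approved-application list, internal address prefix and volume threshold are all assumptions) and flags source hosts that sent an unusual volume to external destinations or used an application the policy does not expect, which is the kind of activity a compromised host or a rogue employee mailing out intellectual property would produce.

```python
"""
Added example (not from the original post): summarize outbound firewall
log lines to spot the activity the article says a next-gen firewall makes
visible, namely large transfers to destinations outside the business over
applications the policy does not expect. Log format, field names,
thresholds and the approved-application list are assumptions.
"""
from collections import defaultdict
import re

# Constructed sample of egress firewall log lines (assumed key=value format).
SAMPLE_LOG = """\
ts=2017-06-01T09:01:11 src=10.1.5.23 dst=52.0.0.10 dport=443 app=ssl bytes_out=184320
ts=2017-06-01T09:02:40 src=10.1.5.23 dst=52.0.0.10 dport=443 app=ssl bytes_out=2048
ts=2017-06-01T09:05:02 src=10.1.7.44 dst=203.0.113.9 dport=443 app=web-mail bytes_out=734003200
ts=2017-06-01T09:07:15 src=10.1.9.12 dst=198.51.100.77 dport=8443 app=unknown bytes_out=52428800
ts=2017-06-01T09:09:30 src=10.1.9.12 dst=198.51.100.77 dport=8443 app=unknown bytes_out=52428800
ts=2017-06-01T09:11:00 src=10.1.5.23 dst=10.1.2.5 dport=445 app=smb bytes_out=10485760
"""

# Assumed policy: applications the business expects on the egress path, the
# internal address prefix to ignore, and a per-source daily outbound volume
# above which a human should take a look.
APPROVED_APPS = {"ssl", "web-browsing", "dns"}
INTERNAL_NETS = ("10.",)                 # crude prefix match, enough for the example
VOLUME_THRESHOLD = 100 * 1024 * 1024     # 100 MiB per source host per day

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; bytes_out becomes an int."""
    rec = dict(FIELD_RE.findall(line))
    rec["bytes_out"] = int(rec.get("bytes_out", 0))
    return rec


def is_internal(ip):
    return ip.startswith(INTERNAL_NETS)


def summarize_egress(log_text):
    """Per-source bytes sent to external destinations, plus the set of
    non-approved applications each source used."""
    totals = defaultdict(int)
    unapproved = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_internal(rec["dst"]):
            continue  # east-west traffic is out of scope for an egress review
        totals[rec["src"]] += rec["bytes_out"]
        if rec.get("app") not in APPROVED_APPS:
            unapproved[rec["src"]].add(rec["app"])
    return dict(totals), {k: sorted(v) for k, v in unapproved.items()}


def flag_sources(log_text, threshold=VOLUME_THRESHOLD):
    """Sources worth a closer look: at or over the volume threshold, or using
    an application the policy does not expect. Returns a sorted list of
    (src, total_external_bytes, reasons)."""
    totals, unapproved = summarize_egress(log_text)
    flagged = []
    for src, total in totals.items():
        reasons = []
        if total >= threshold:
            reasons.append("volume")
        if src in unapproved:
            reasons.append("unapproved-app:" + ",".join(unapproved[src]))
        if reasons:
            flagged.append((src, total, reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for src, total, reasons in flag_sources(SAMPLE_LOG):
        print(f"{src}: {total / 2**20:.1f} MiB outbound, reasons={reasons}")
```

On the constructed sample, the host using SSL to a single destination is left alone, while the web-mail upload of several hundred megabytes and the repeated transfers over an unrecognized application on port 8443 are both surfaced. The thresholds here are deliberately simple; in practice you would baseline per-host volume over weeks rather than pick a fixed number.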
Endpoint Protection Solutions
We always start our talks about AV/AM solutions with a simple poll of the room. We ask if anyone present has any faith in their current AV solution and its ability to protect them. Two years ago, we’d rarely get anyone who would raise their hand. Now, we get about 10% of the room raising their hands. What makes these folks so confident? Simple: they switched to a newer solution, namely NexGen Antivirus with Endpoint Detection and Response (EDR) features.
We’ve repeated it the last couple of years: “Stop wasting money on traditional/signature-based Antivirus.” From the attacker’s perspective, it hasn’t been a viable solution for nearly a decade. Meanwhile, innovative solutions like Cylance, CrowdStrike, and SentinelOne have come along and consistently stopped a significant amount of old and new malware (85% or better), while also providing visibility into events on the endpoint through their Detect and Respond technologies. The value these technologies provide is significant: you can stop worrying about the current crop of malware and go back to solving more challenging issues.
Log Management and SIEM Solutions
While we could spend hours on the problems each of these solutions has individually, the heart of the matter is that log management is an enterprise discipline, and it needs an enterprise-level commitment to have any chance of returning value on the investment. That commitment has two parts: working with the various logging sources and their administrative groups until you have some confidence that you are logging the information you need, and staffing the function appropriately so that someone actually acts on its alerts. If either part doesn’t get the commitment it needs, your solution is going to fail you.
Patch Management Solutions
The adage of “free comes with a cost” has never been truer. We’ve seen more time and money wasted on trying to make free or “nearly free” solutions viable for organizations. The problem is that most organizations fixate on a single patching tool without trying to figure out how to get the most coverage possible. For example, how many organizations do you know that use WSUS or SCCM from Microsoft to distribute patches? The answer is many, but when you look at the deployed patches, the vast majority are just duplicating what is already sent out via Windows Update, namely Windows OS patches. When we ask about strategies for patching desktop apps like Office, browsers, or anything Adobe makes, we commonly get no answer, or we get pointed to the 3-4 people responsible for rolling hundreds of patches into packages for WSUS/SCCM deployment. Is this really an effective use of people’s time? What about patches for MacOS or Linux systems?
The point here is that the goal should be to automate as much as possible and deploy as quickly as possible. Patching is a race: how fast can you deploy these patches before attackers are exploiting the vulnerability at scale? If you are struggling to patch in less than 90 days (a requirement for compliance standards like PCI), or to provide patch updates for as much as 75% of all the solutions in your environment, maybe it is time to look at an enterprise patch management solution like BigFix, Tanium, or Ivanti.
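The two numbers in this section, 90 days from release to deployment and 75% of the estate covered, are easy to state and rarely measured. As an added example that is not part of the original post or of any product named in it, the following Python computes both from a constructed software inventory (product names, dates, the "automated" flag and the inventory layout are all assumptions) and also lists undeployed patches that are about to miss the deadline, which is the list a patching team needs before the 90 days run out rather than after.

```python
"""
Added example (not from the original post): measure the two things the
article says matter for patch management, how fast patches reach systems
and what share of the software estate the process covers. Inventory
layout, product names, dates and the warning window are constructed.
"""
from datetime import date

SLA_DAYS = 90           # the deadline the article cites (e.g. PCI)
COVERAGE_TARGET = 0.75  # share of products the patch process should cover
WARN_DAYS = 30          # flag undeployed patches this close to the deadline
TODAY = date(2017, 8, 1)  # fixed "today" so the example is reproducible

# Constructed inventory: product, whether its patching is automated, the
# release date of the latest patch, and when it was deployed (None = not yet).
INVENTORY = [
    {"product": "Windows 10",   "automated": True,  "released": date(2017, 3, 14), "deployed": date(2017, 3, 20)},
    {"product": "Office 2016",  "automated": False, "released": date(2017, 3, 14), "deployed": date(2017, 7, 1)},
    {"product": "Chrome",       "automated": True,  "released": date(2017, 5, 9),  "deployed": date(2017, 5, 11)},
    {"product": "Adobe Reader", "automated": False, "released": date(2017, 4, 11), "deployed": None},
    {"product": "macOS 10.12",  "automated": False, "released": date(2017, 5, 15), "deployed": None},
    {"product": "Ubuntu 16.04", "automated": True,  "released": date(2017, 5, 1),  "deployed": date(2017, 5, 3)},
]


def days_to_deploy(item, today=TODAY):
    """Days from patch release to deployment; for undeployed patches the
    clock is still running, so count up to today."""
    end = item["deployed"] or today
    return (end - item["released"]).days


def sla_breaches(inventory, today=TODAY, sla_days=SLA_DAYS):
    """Products whose latest patch took, or has so far taken, longer than the SLA."""
    return sorted(i["product"] for i in inventory
                  if days_to_deploy(i, today) > sla_days)


def at_risk(inventory, today=TODAY, sla_days=SLA_DAYS, warn_days=WARN_DAYS):
    """Undeployed patches that will breach the SLA within warn_days unless
    someone acts. Already-breached items belong in sla_breaches, not here."""
    out = []
    for i in inventory:
        if i["deployed"] is not None:
            continue
        remaining = sla_days - days_to_deploy(i, today)
        if 0 <= remaining <= warn_days:
            out.append((i["product"], remaining))
    return sorted(out)


def coverage(inventory):
    """Fraction of inventoried products whose patching is automated."""
    if not inventory:
        return 0.0
    return sum(1 for i in inventory if i["automated"]) / len(inventory)


def report(inventory, today=TODAY):
    cov = coverage(inventory)
    return {
        "breaches": sla_breaches(inventory, today),
        "at_risk": at_risk(inventory, today),
        "coverage": cov,
        "coverage_ok": cov >= COVERAGE_TARGET,
    }


if __name__ == "__main__":
    r = report(INVENTORY)
    print(f"SLA breaches (> {SLA_DAYS} days): {r['breaches']}")
    print(f"About to breach: {r['at_risk']}")
    print(f"Automated coverage: {r['coverage']:.0%} (target {COVERAGE_TARGET:.0%}, ok={r['coverage_ok']})")
```

On the constructed inventory the operating systems and the browser are fine because their channels are automated, while the two manually packaged desktop applications are the ones past the deadline, and the half of the estate that is automated falls short of the 75% target. That is the pattern the section describes: WSUS/SCCM keep the OS current while everything else waits on a handful of people.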
The day-to-day challenges for organizations are real. Did you choose the right technology? Do you have the right procedures in place? Do you have enough staff to cover all that you are trying to do? These challenges resurface every year, along with the search for guidance on what else organizations should be doing. Thankfully, we at DirectDefense have gone through these challenges ourselves, and can assist you in qualifying the quality of the technologies and procedures you have in place, all from the attacker’s point of view.
At DirectDefense, we pride ourselves in providing practical and realistic security strategies that assist our clients in meeting their security goals for the year. If you’d like to hear more about how we can assist you, please contact email@example.com.