Our first WebForum of the new year was held recently, focusing on IT Security Initiatives. More than 120 members shared their strategies and recommendations.
IT Security Budgets
We started with an overview of IT Security spending trends, which are generally up. Many of the participants said they can get additional funding as issues arise.
Shane I.: “I have a similar situation at our organization. If security issues arise we can usually get the budget approved.”
John B.: “I think the only rule of thumb is that, in today's world, security spending will become a bigger percentage in the future and it is also very dependent on industry.”
Managed Security Service Providers
Many organizations are turning to third-party providers for IT Security, known as MSSPs (Managed Security Service Providers). Those who use MSSPs seem to use them primarily to augment internal security efforts rather than replace them.
Julie F.: “We use them for some functions, but not all.”
Shane I.: “We use SecureWorks to augment our small security staff.”
Scott J.: “I've heard some of the costs for an MSSP can run 10k/month. Is that high or low?”
Stephen T.: “10K is plausible.”
Greg C.: “That is low but cost depends on what the service is providing.”
Stephen T.: “We use Red Canary (endpoint), SecureWorks (critical network infrastructure), a small regional ClearNetwork (additional observation), and Tripwire (MSSP support).”
Mukta S.: “We use TCS and Herjavec, and yes, 10k is a good estimate.”
SIEM tool usage
Many participants felt the addition of a Security Information and Event Management tool is critical.
Ahsan B.: “SIEM is very necessary, but it requires the proper tool and the right resources. We use LogRhythm.”
John F.: “Biggest fear is not only paying for a SIEM but needing to hire four people to run it.”
Shane I.: “We use Splunk for troubleshooting every day.”
Kari K.: “Rapid7 IDR/MDR is our new SIEM and we are satisfied.”
Jeff S.: “Splunk. Yes, it takes a lot of setup time but it saves much more time down the road.”
Ken K.: “If you are a small shop - IBM QRadar, LogRhythm. If you have a few people to dedicate to it, look at Splunk or ELK (open source).”
Chip Vulnerabilities
Many participants are taking steps to guard against the recently announced chip vulnerabilities. Staying up to date on patching seems to be the most common approach.
Jeff S.: “We've been through the standard updating. Now the challenge is 'patching the patches'.”
Bret M.: “Patch and we added security awareness for our users.”
David S.: “I understand that you want to start with external facing devices.”
Kari K.: “Identify inventory of potentially impacted systems (including cloud apps/hosts), force system owners to collect vendor recommendations, submit a remediation plan while adding indicators of compromise to protection systems.”
Two-Factor Authentication
Also known as 2FA, this is an extra layer of security that requires not only a username and password but also something that only that user has with them. It seems to be regarded as “best practice,” although there is a lot of user pushback because it makes access more complicated. A security token was the most recommended second factor. Sometimes called an authentication token, it is a small hardware device that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key fob.
Jose K.: “2nd factor saved some users from hackers changing direct deposit info. Please do implement MFA.”
Rick H.: “All of my O365 admins have 2FA enabled - I'm trying to push it org wide but getting resistance.”
Matt M.: “We use it for all remote access and for certain critical apps.”
Randy M.: “We implemented RSA 2FA for people who connect externally.”
Alex P.: “Deployed MFA to most users using Microsoft MFA, also have some users using Smart Cards. Any remote access requires MFA.”
Joshua M.: “Using 2FA with smart cards, and often it is much faster to log in using a 4-8 digit PIN than using a 14+ character password.”
Security Frameworks and Policies
Other categories of discussion involved the adoption of recommended security frameworks from the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS), which publishes the Top 20 Critical Security Controls methodology. We took a poll asking participants to share the most beneficial security policy or procedure they had recently adopted:
Your security policies should be crafted specifically to your organization and comply with your security framework and any applicable standards
Password management and consolidation
Mobile Issue: MDM (Apple Program) (DEP)
NIST Framework as basis for Cyber Security Framework (our Board of Directors is very happy with framework)
We sell into the defense market (among others) and they require NIST 800-171. That framework provides very good coverage on the basics. Great place to start. NIST 800-53 is applicable to government owned systems, not industry.
We also use vulnerability management through Rapid7, but we love how much our phishing has decreased since we started tagging all external emails with [External] in the subject.
Security training for staff.
Not terribly recent, but the most beneficial thing we've done is remove administrative privileges from everyone who doesn't need them (enforcing least-privilege).
device encryption and MDM
Buy in from C level management who actually lead by example.
Rolling out security awareness training through using KnowBe4.
Security awareness training requirements
Sailpoint to manage access control
Human firewall, users watching for suspicious activity or emails.
Conducting mandatory assessments based on data classification including pen testing.
Using phishing/social engineering tests with reports to get management aware of human risks.
PCI DSS Requirements
2 factor authentication
If I had to pick just one, I would say phishing our own employees a couple of times a year and then providing them with their results.
(Close runner-up - Vulnerability Management with Rapid7; removal of local administrative access on devices.)
Risk acceptance requiring executive sign-off commensurate with the risk dollar amount being signed off on
Written, defined policies for all staff
Security awareness training
Vulnerability Detection solution
Internal training, phishing tests, 2 factor authentication, 17 digit pass phrases, C level support
Mandatory phishing training for all users
Application security testing and remediation.
Replace passwords with passphrases. 15-character minimum, no other requirements.
CMMI (Carnegie Mellon Maturity Index) 16 different domains.
Data classification and access control policy
Risk Acceptance process requiring sign off by top management and summarized reporting up towards the board
Compartmentalized admin rights or removed admin rights. No longer local admin on all PCs.
Required Security Awareness Program and Strict Password Policy
Another poll asked what is the most beneficial security tool recently adopted:
Intrusion Prevention System, network appliance (FireEye NX), end point protection (FireEye HX), web filter (OpenDNS)
Tenable - vulnerability scanning
KnowBe4 - Security Awareness Training/Phishing
Rapid 7 InsightVM, KnowBe4
Sophos UTM firewalls. Includes IPS, web and email filtering.
Palo Alto Traps for endpoint protection
Mimecast, end-user training with KnowBe4.
Mimecast & Sophos Endpoint Protection.
Rapid7 Nexpose, Metasploit, and Splunk, Kali Linux
Next Generation FireWall
Autotask for patching and asset management; Tripwire and Coalfire for vulnerability scanning; Duo and Okta for MFA and SSO
User education - KnowBe4
Rapid7's Nexpose/Insight VM
Mailfilter (Proofpoint) or EDR (Cisco AMP)
Phish alert button, 3rd party app patching
Phishme, Cisco Firepower, Cisco Iron Port, Cisco Websecurity, AristotleInsight
Between KnowBe4 and Rapid7
AMP for Endpoint
Forescout Counter ACT
Qualys vulnerability management solution
PhishMe service with Outlook reporting tool (PhishMe addin)
Veracode static code scanner.
Nessus scanning tool. Finds vulnerabilities on servers.
Security Awareness Program
Next Gen A/V - Palo Alto Traps
Key Take-aways and comments
Current state of security in many industries, we have a lot in common.
There are a lot of tools in the security market
Giving ideas of what others are doing in Security in 2018
Learning about the tools used in securing the enterprise was helpful.
Great information - looking forward to the transcript
Good topics and good discussions
Others are dealing with many of the same issues.
The unique applications that others are using and the recommendations based on that use or lack thereof.
It was very informative and this topic generated a lot of key points to the information surrounding security
Some great recommendations for a SIEM as well as managed security providers
Always great to hear how others are dealing with similar situations or to confirm our own approach.
We seem to be similar to our peers.
IT security spending is increasing. Many organizations are using managed security services. Most organizations appear to be following NIST or CIS 20 frameworks.
Good knowledge sharing.
The CIS controls and benchmarks provide a good framework.
Going to follow up on the ISO 27002 and NIST framework info-gathering.
Tools for managing security risks are only as good as they are deployed and configured. There were quite a few considerations to managing security risks and there is a vast array of topics or avenues to cover.
Great forum, an exciting place to learn from others in the same field.
How important security is and tools that can help you manage security.
Informative. Interesting. Picked up some topics to further research
It was good.
First session, was not sure what to expect.
Good topic, very broad, can be revisited with more focused topics.
There was a lot of material covered
Good to hear other people's perspectives and how they've tackled security in their organization
Packed full of info...maybe this should have been a two-part webinar.
It was great. I did find some topics more important than others.
This was a great session with very useful information
Well done format overall.
I really appreciate the opportunity to hear from others in the same position as myself.
This was very useful for seeing what other tools and frameworks other organizations are currently using.
A bit much to take in for just one Forum
I liked the format and the real world input from other companies
It was nice to hear that others are/have been using the same or similar tools to manage passwords, anti-virus, and other security topics; makes me feel like we are on the right track as well.
Very well organized and orchestrated
Overall I enjoyed the WebForum, however there was a lot of content to keep up with for someone like me who is fairly new to security.