NOREX logo


Send us your contact info and we'll give you a personal tour of our amazing platform:


Security Initiatives for 2018



Our first WebForum of the new year was held recently, focusing on IT Security Initiatives. More than 120 members shared their strategies and recommendations. 


Default image 10

Our first WebForum of the new year was held recently, focusing on IT Security Initiatives. More than 120 members shared their strategies and recommendations. 

IT Security Budgets

We started with an overview of IT Security spending trends, which are generally up. Many of the participants said they can get additional funding as issues arise.

Shane I.: “I have a similar situation at our organization. If security issues arise we can usually get the budget approved.”

John B.: “I think the only rule of thumb is that, in today's world, security spending will become a bigger percentage in the future and it is also very dependent on industry.”

MSSP usage

Many organizations are turning to third-party providers for IT Security…known as MSSPs…Managed Service Security Providers. Those who use MSSPs seem primarily to use as an augment to internal security efforts.

Julie F.:  “We use for some functions, but not all.”

Shane I.: “We use SecureWorks to augment our small security staff.”

Scott J.: “I've heard some of the costs for an MSSP can run 10k/month.  Is that high or low?”

Stephen T.: “10K is plausible.”

Greg C.: “That is low but cost depends on what the service is providing.”

Stephen T.: “We use Red Canary (end point), SecureWorks (crititcal network infrastructure) and a small regional ClearNetwork (additional observation), Tripwire (MSSP support).”

Mukta S.: “We use TCS and Herjavec and yes 10k is good estimate.”

SIEM tool usage

Many participants felt the addition of a Security Information and Event Management tool is critical.

Ahsan B.: “SIEM is very necessary, require proper tool and right resources. We use LogRythm.”

John F.: “Biggest fear is not only paying for a SIEM but needing to hire four people to run it.”

Shane I.: “We use Splunk for troubleshooting every day.”

Kari K.: “Rapid7 IDR/MDR is our new SIEM and we are satisfied.”

Jeff S.: “Splunk.  Yes, it takes a lot of setup time but it saves much more time down the road.”

Ken K.: “If you are a small shop - IBM QRadar, Log Rythm.  If you have a few people to dedicate to it look at Splunk or ELK (open source).”

Chip vulnerability

Many participants are taking steps to guard against the recently announced chip vulnerabilities. Staying up to date on patching seems to be the most common approach.

Jeff S.: “We've been through the standard updating.  Now the challenge is "patching the patches".

Bret M.: “Patch and we added security awareness for our users.”

David S.: “I understand that you want to start with external facing devices.”

Kari K.: “Identify inventory of potential impacted systems (including cloud apps/hosts), force system owners to collector vendor recommendations, submit remediation plan while adding indicators of compromise to protection systems.”

2-factor authentication

Also known as 2FA, this is a an extra layer of security that requires not only a password and username but also something that only that user has on them. It seems to be seen as “best practice” although there is a lot of user pushback because it makes access more complicated. The usage of a security token was the most recommended 2nd factor. Sometimes called an authentication token, it is a small hardware device that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key fob.

Jose K.: “2nd factor saved some users from hackers changing direct deposit info.  Please do implement MFA.”

Rick H.: “All of my O365 admins have 2FA enabled - I'm trying to push it org wide but getting resistance.”

Matt M.: “We use it for all remote access and for certain critical apps.”

Randy M.: “We implemented RSA 2FA for people who connect externally.”

Alex P.: “Deployed MFA to most users using Microsoft MFA, also have some users using Smart Cards. Any remote access requires MFA.”

Joshua M.: “Using 2FA with smart cards, and often it is much faster to login using a 4-8 digit pin than using a 14+ character password.”

Security Frameworks

Other categories of discussion involved the adoption of recommended security frameworks from the National Institute of Standards (NIST), and The Center for Internet Security (CIS) which provides the top 20 Critical Security Controls methodology.  We took a poll asking for participants to share their most beneficial security policy or procedure recently adopted:

Your security policies should be crafted specifically to your organization and comply with your security framework and any applicable standards

Password management and consolidation

Mobile Issue: MDM (Apple Program) (DEP)

NIST Framework as basis for Cyber Security Framework (our Board of Directors is very happy with framework)

We sell into the defense market (among others) and they require NIST 800-171. That framework provides very good coverage on the basics. Great place to start. NIST 800-53 is applicable to government owned systems, not industry.

We also use vulnerability management through Rapid 7, but love how much our phishing has decreased once we started tagging all external emails with an [External] in the subject


Security training for staff.

Not terribly recent, but the most beneficial thing we've done is remove administrative privileges from everyone who doesn't need them (enforcing least-privilege).

device encryption and MDM

Buy in from C level management who actually lead by example.

Rolling out security awareness training through using KnowBe4.

Security awareness training requirements

Sailpoint to manage access control

Human firewall, users watching for suspicious activity or emails.

Conducting mandatory assessments based on data classification including pen testing.

Using phishing/social engineering tests with reports to get management aware of human risks.

PCI DSS Requirements

2 factor authentication

If I had to pick just one, I would say phishing our own employees a couple times a year and then providing them with their results.
(Close runner up - Vulnerability Management with Rapid7; removal of local administrative access on devices.)

Risk acceptance requiring executive sign-off commensurate with risk dollar amount being sigend off on

Written, defined policies for all staff

Security awareness training

Vulnerability Detection solution

Internal training, phishing tests, 2 factor authentication, 17 digit pass phrases, C level support

Security Awareness

Mandatory phishing training for all  users

Application security testing and remediation.

Replace passwords with passphrases. 15 character minimum, no other requirements.

CMMI (Carnegie Mellon Maturity Index) 16 different domains.

PCI policy

Data classification and access control policy

Password Management

Risk Acceptance process requiring sign off by top management and summarized reporting up towards the board

Compartmentalized admin rights or removed admin rights. No longer local admin on all PCs.

Required Security Awareness Program and Strict Password Policy

Employee awareness

Security tools

Another poll asked what is the most beneficial security tool recently adopted:

Intrusion Prevention System, network appliance (FireEye NX), end point protection (FireEye HX), web filter (OpenDNS)



Tenable - vulnerability scanning
KnowBe4 - Security Awareness Training/Phishing


Rapid 7 InsightVM, KnowBe4

Sophos UTM firewalls. Includes IPS, web and email filtering.

Palo Alto Traps for endpoint protection

Mimecast, end-user training with KnowBe4.


security training

WatchGuard TDR

Mimecast & Sophos Endpoint Protection.

Splunk SEIM

Rapid7 Nexpose, Metasploit, and Splunk, Kali Linux

Next Generation FireWall



Autotask: for patching and asset management-Tripwire and Coalfire: vulnerability scanning tool-Duo and Okta: MFA and SSO

User education -   KnowBe4

Rapid7's Nexpose/Insight VM

Mailfilter (Proofpoint) or EDR (Cisco AMP)

Phish alert button, 3rd party app patching

Phishme, Cisco Firepower, Cisco Iron Port, Cisco Websecurity, AristotleInsight

Between KnowBe4 and Rapid7

AMP for Endpoint

Forescout Counter ACT

Qualys vulnerability management solution

PhishMe service with Outlook reporting tool (PhishMe addin)

GFI languard

Veracode static code scanner.





Nessus scanning tool.  Finds vulnerabilities on servers.


1] Security Awareness Program -
2] KnowBe4



RApid7 Nexpose

upgraded firewalls

Next Gen A/V - Palo Alto Traps

Key Take-aways and comments

Current state of security in many industries, we have a lot in common.

There are a lot of tools in the security market

Giving ideas of what others are doing in Security in 2018

Learning about the tools used in securing the enterprise was helpful.

Great information -looking forward to transcript

Good topics and good discussions

Others are dealing with many of the same issues.

The unique applications that others are using and the recommendations based on that use or lack thereof.

It was very informative and this topic generated a lot of key points to the information surrounding security

Some great recommendations for a SIEM as well as managed security providers

Always great to hear how others are dealing with similar situations or to confirm our own approach.

We seem to be similar to our peers.

IT security spending is increasing. Many organizations are using managed security services. Most organizations appear to be following NIST or CIS 20 frameworks.

Good knowledge sharing.

The CIS controls and benchmarks provide a good framework.

Going to follow up on the ISO 27002 and NIST framework info-gathering.

Tools for managing security risks are only as good as they are deployed and configured. There were quite a few considerations to managing security risks and there is a vast array of topics or avenues to cover.

Great forum, an exciting place to learn from others in the same field.

How important security is and tools that can help you manage security.


Informative. Interesting. Picked up some topics to further research

It was good.

First session, was not sure what to expect.

Good topic, very broad, can be revisited with more focused topics.

There was a lot of material covered

good to hear other people's prospective and how they've tackled security in their organization

Met expectations.

Packed full of info...maybe this should have been a two-part webinar.

It was great. I did find some topics more important than others.

This was a great session with very useful information

Well done format overall.

I really appreciate the opportunity to hear from others in the same position as myself.

This was very useful for seeing what other tools and frameworks other organizations are currently using.

A bit much to take in for just one Forum

I liked the format and the real world input from other companies

It was nice to hear that others are/have been using the same or similar tools to manage passwords, anti-virus, and other security topics; makes me feel like we are on the right track as well.

Very well organized and orchestrated

Overall I enjoyed the WebForum, however there was a lot of content to keep up with for someone like me who is fairly new to security.

Cloud Computing Compliance Data Management Disaster Recovery/Business Continuity Human Resources IT General Management Mobile Technology Network Infrastructure Security