Developing An Effective Security Program
This post comes off the back of a series of tweets I made one morning; after a long thread I decided it was probably better to combine them into one post. So here it is, folks.
If you want to deploy a proper security program there are some key basics that need to be achieved, and I am continually surprised how many businesses don't have a hold on them. If you want to jump to specific bits, check out the table of contents below:
1. Asset Inventory
Having an effective, up-to-date asset inventory is key: it should record every OS, its patch status, all hardware, and who has control over each asset. This matters from both an operating standpoint and a risk management standpoint. Maintaining an up-to-date register of all your software and hardware lets you ensure only authorised hardware and software are being used across your business. Ideally the inventory should capture the physical location, business owner and purpose of each piece of hardware, together with the version and patch status of all software, which feeds nicely into the next section on patch management. Tools can be used to help identify unauthorised hardware or software, and these should integrate into the wider detection and response plan described lower down.
2. Patch Management
Keeping systems up to date within a reasonable time frame, under a documented process, is key to success. Keeping critical systems updated on at least a fortnightly basis is a good standard to follow. An additional win is having a pre-production test environment: play-test any major patches in a non-live environment first before rolling them out to the wider organisation.
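As an added example (not from the original post), here is a small reconciliation script tying the asset inventory and patch management sections together: it compares a constructed authorised register against constructed discovery results, flagging unregistered hosts, unauthorised software and critical systems outside the fortnightly patch window, producing findings a detection pipeline could consume. Hostnames, owners and package names are all made up.

```python
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14  # the "at least fortnightly" standard for critical systems

@dataclass(frozen=True)
class Asset:
    os: str
    owner: str
    location: str
    critical: bool
    software: frozenset  # authorised packages for this host

# Constructed sample register: the authorised hardware/software inventory.
REGISTER = {
    "web-01": Asset("Ubuntu 22.04", "web team", "DC1 rack 3", True, frozenset({"nginx", "openssl"})),
    "hr-laptop-7": Asset("Windows 11", "HR", "London office", False, frozenset({"office", "chrome"})),
    "db-01": Asset("RHEL 9", "data team", "DC1 rack 4", True, frozenset({"postgresql"})),
}

# Constructed sample discovery results (e.g. from an endpoint agent or network scan).
OBSERVED = {
    "web-01": {"software": {"nginx", "openssl", "netcat"}, "last_patched": date(2024, 5, 1)},
    "hr-laptop-7": {"software": {"office", "chrome"}, "last_patched": date(2024, 4, 20)},
    "rogue-pi": {"software": {"sshd"}, "last_patched": date(2024, 1, 1)},
}

def reconcile(register, observed, today):
    """Compare discovered assets against the register; return (kind, host, detail) findings."""
    findings = []
    for host, seen in observed.items():
        if host not in register:
            findings.append(("unauthorised_host", host, "not in asset register"))
            continue
        reg = register[host]
        for pkg in sorted(seen["software"] - reg.software):
            findings.append(("unauthorised_software", host, pkg))
        age = (today - seen["last_patched"]).days
        if reg.critical and age > PATCH_WINDOW_DAYS:
            findings.append(("patch_overdue", host, f"{age} days since last patch"))
    for host in sorted(register.keys() - observed.keys()):
        findings.append(("missing_host", host, "registered but not seen by discovery"))
    return findings

def run_sample():
    """Run the reconciliation on the constructed data as of a fixed date."""
    return reconcile(REGISTER, OBSERVED, date(2024, 5, 20))

if __name__ == "__main__":
    for kind, host, detail in run_sample():
        print(f"{kind:22} {host:12} {detail}")
```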
3. Awareness
Staff awareness of the threats and risks of day-to-day business matters, not just from a phishing and social engineering perspective: allowing users to adapt to their own risk model will make your business more robust, with more naturally aware users.
4. Detection and Response
Having an effective blue team is important. Follow secure design practices, keep logging centralised, and keep hosts configured and managed so that your blue team can work smarter.
5. Perimeter Defense
A secure network is just as important, and a layered security approach is key, rather than an armadillo that is hard on the outside and soft in the middle. Ensure there are no glaringly obvious holes in your perimeter. Factoring this in will enable better detection and response.
6. Vulnerability Assessment and Scanning
Once you've got the basics nailed it's time to adopt vulnerability scanning and assessments; doing so will let you pick up quick wins and continually monitor your environment. If this is aligned with an effective patch management program, vulnerabilities should be minimal.
7. Mitigation Planning
Next up, after vulnerability assessments, align your mitigation plan to fix the findings that pose the most inherent risk to the business. Note any regulatory and compliance requirements alongside the fixes, but please don't just depend on the tick box!
8. Penetration Testing & Objective based testing
Once you've fixed as much as you can, move on to penetration testing all of your things, weighted towards manual testing and objective-based testing. Play-test your secure design principles and check whether your policy aligns with the tech. Penetration test both your applications and your infrastructure, but it is equally important to review your configurations and deployments from an open perspective, testing each deployment from white, grey and black box perspectives.
9. Continuous testing and policy integration.
Following on from pentesting, it is just as important to continually review what policies are in place, how they align to technical controls and how they play out when stuff breaks. It is equally important to integrate objective-based testing into manual penetration testing: do you have crown jewels on your network that you think you've secured? How about having those presumptions play-tested?
10. Red Teaming
Once you've fixed the glaringly obvious holes in your process and tech, next up is red teaming: testing every facet of your security program with a focus on evading detection by your blue team and testing triage.
Typically this means certain scenarios whereby your organisation is tested from different angles, incorporating aspects of social engineering, physical security and operational security. All of these are important to consider, alongside that disaster recovery plan you came up with once.
Yeah, get that tested too. Security is important, but having a wider operational information technology program is equally important. How do you fare when your systems are attacked from all angles by attackers of differing capability, and do your processes hold up?
11. Blue Teaming
While we're on the topic of red/blue testing, it is equally important, as you test things, to keep your blue team up to date. Look into a tiered approach to how you do defense: have you got a threat hunting team as well as your levels of security operations, and is it in-house?
12. Purple Teaming
Red and blue make purple. Ensure you're mediating between your two teams effectively by integrating a purple team program to tune your defense and improve the business as much as you can, until you're ready for the final form: end-to-end adversary testing and simulation for best results!
13. Conclusion
And thus, following the path above, you'll be on your way to building out an effective security program with multiple facets and angles on improving things. DMs are open if you've got questions or queries. Also feel free to reply!