[BreachExchange] CISO: Choose Your Weapon

Thu Sep 3 10:43:31 EDT 2020

https://www.infosecurity-magazine.com/opinions/ciso-choose-your-weapon/

A good friend who's a cybersecurity consultant to SMBs shared with me
some of his dilemmas with the companies he is working with. Most of
these companies don't have a dedicated security person and the daily
tasks of maintenance and operation of security tools falls to the IT
administrator.

It got me thinking on the kind of insights I would like share with
those IT administrators or junior security officers when they have to
deploy and operate in a green field company with regard to security
tools.

Don't get me wrong; policies, procedures and what is generally known
as cybersecurity hygiene can get you far with respect to security
maturity, and maybe in a future article I will address them, but this
piece of advice will contemplate technology only.

The big challenge for those small to medium (and sometimes even large)
companies are usually a serious lack of resources both in manpower and
budget, so the choice of tool has no margin for error.

The selection of security tools must provide the best security
affordable and be manageable with the limitations of budget, manpower
and even security proficiency to operate them.

So, suppose the company can only afford three security tools (and for
the sake of simplicity let’s theorize that all tools cost roughly the
same), this is my advice for the most efficient security controls such
a security leader should have.

Number one – Sometimes this belongs more to the IT department in many
companies, the good ol' firewall. No security arsenal is complete
without it asit provides all kinds of abilities both for detection and
prevention of network attacks.

Even a basic firewall, or one, with a small set of extensions can
support IPS capabilities and even basic URL filtering (web surfing).
Most IT guys are quite familiar with its workings and can handle
firewalls with great efficiency.

Practically, managing a well maintained firewall in an SMB has a
greater chance of success than larger companies. Fewer servers, users
and challenging environments means better rules and access limitation
without myriad of constraints from business requirements. The firewall
administrator can literally shape the network and its access points
(especially by limiting and hardening external access such as the
firewall’s VPN for remote access).

Number two - The next generation anti-virus or in its more known name:
EDR (Endpoint Detection and Response). The current market of EDRs has
a wide selection of excellent solutions. A good EDR detects and
prevents many threats ranging from traditional AV signatures (which
surprisingly still carries its weight for malware detection), user
behavioral analytics and advanced attack techniques. I even
encountered EDRs that autonomously deploy different honeypots across
the endpoints to lure attackers.

Most EDRs have the same management console and agent to workstations
and servers. The ability of an EDR solution to use automated responses
to different types of threats covers a lot of old school manual
malware analysis and saves time when your network is under attack.

The downside of EDR is that it requires a good understanding of
cyber-attack techniques to differentiate between real attacks and
false positive caused by legitimate applications and users. That is
why I strongly recommend to companies with none or very small security
team to look for Managed Detection & Response when purchasing an EDR.

In spite of these tool’s amazing abilities to stop malware, it
requires experience and knowledge to fine-tune. It's worth the extra
cost to let experts handle it for you, providing quicker response time
to cyber-attacks with the peace of mind it grants.

Number three - The final contender in this very short list with good
competitors is an email security solution. Most cyber-attacks come
through this doorway. For hackers, using this attack vector is cheap,
easy and prey on the human factor which sadly will always be a weak
link.

It is important to secure that entrance to the company network. Pick a
solution that has domain repudiation, file filters, spam filters and
sandbox to look for malicious attachments. The majority of these tools
are easy to deploy and come with good pre-configured rules, which
means a quick and effective security layer without much deployment
tuning. You’ll be surprised at the sheer amount of emails those tools
block.

That’s it. Use those recommended tools wisely and you’ll get more than
decent security.

Should you stop there? Of course not. There are literally dozens of
security tools to help protect the company. Choose carefully according
to your company needs and risks.