If you want to deploy a proper security program, there are some key basics that need to be achieved. I am continually surprised how many businesses don't have a hold on the basics. 1/n
Asset Inventory
Having an effective, up-to-date asset inventory is key: every host's OS, its patch status, the hardware it runs on and who owns or controls the asset. This matters from both an operational standpoint and a risk-management standpoint. 2/n
Patch Management
Keeping systems up to date within a reasonable, documented time frame is key to success; patching critical systems at least fortnightly is a good standard to follow. An additional win is having a test environment to validate patches before they reach production.
Awareness
Staff awareness of the threats and risks of day-to-day business, not just from a phishing and social-engineering perspective but by letting users adapt their own risk model, will make your business more robust, with more naturally aware users. 4/n
Detection and Response
Having an effective blue team is important. Following secure design practices, centralising logging, and keeping hosts consistently configured and managed all enable your blue team to work smarter. 5/n
Perimeter Defense
It is just as important to have a secure network: employ a layered security approach rather than an armadillo (a hard shell with a soft interior). Ensure there are no glaringly obvious holes in your perimeter. Factoring this in will enable better detection and response. 6/n
Once you've got the basics nailed, it's time to adopt vulnerability scanning and assessment; doing so will let you pick up quick wins and continually monitor your environment. If scanning is aligned to an effective patch management program, outstanding vulns should be minimal. 7/n
Next, after vulnerability assessment, align your mitigation plan to fix first the findings that pose the most inherent risk to the business. Note any regulatory and compliance requirements alongside the fixes, but please don't just depend on the tick box! 8/n
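As an added example, not code from the original thread, the script below ties together the inventory, patch-cadence and risk-based prioritisation points above in Python. It holds an inventory record per asset (OS, hardware, owner, patch date), flags hosts whose last patch is older than an assumed SLA (14 days for critical systems, matching the fortnightly standard, 30 days for everything else), and ranks scanner findings by inherent risk rather than raw CVSS by scaling severity with asset criticality, internet exposure and exploit availability. The weights, hostnames, owners and finding IDs are all constructed sample values, not real data.

```python
from dataclasses import dataclass
from datetime import date

# Assumed SLAs: critical systems at least fortnightly (the thread's standard),
# everything else within 30 days. Tune these to your own policy.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "standard": 30}
# Assumed weights for ranking findings by inherent business risk.
CRITICALITY_WEIGHT = {"critical": 3.0, "high": 2.0, "standard": 1.0}
EXPOSED_MULTIPLIER = 2.0   # host is reachable from the internet
EXPLOIT_MULTIPLIER = 1.5   # a public exploit exists for the finding


@dataclass(frozen=True)
class Asset:
    """One inventory record: what it runs, what it is, who owns it, patch state."""
    hostname: str
    os: str
    hardware: str
    owner: str
    criticality: str        # "critical", "high" or "standard"
    internet_exposed: bool
    last_patched: date


@dataclass(frozen=True)
class Finding:
    """One vulnerability-scanner result, keyed to an inventory hostname."""
    finding_id: str
    hostname: str
    cvss: float             # CVSS base score, 0.0-10.0
    exploit_available: bool


def out_of_sla(assets, today):
    """Hosts whose last patch is older than the SLA for their criticality.

    Returns [(hostname, days_overdue)] in inventory order."""
    overdue = []
    for a in assets:
        age = (today - a.last_patched).days
        sla = PATCH_SLA_DAYS[a.criticality]
        if age > sla:
            overdue.append((a.hostname, age - sla))
    return overdue


def inherent_risk(finding, asset):
    """Scanner severity scaled by what the host is worth and how reachable it is."""
    score = finding.cvss * CRITICALITY_WEIGHT[asset.criticality]
    if asset.internet_exposed:
        score *= EXPOSED_MULTIPLIER
    if finding.exploit_available:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 1)


def prioritise(findings, assets):
    """Rank findings by inherent risk, highest first.

    Findings on hosts absent from the inventory are returned separately:
    they cannot be scored, and each one is an inventory gap to fix."""
    by_host = {a.hostname: a for a in assets}
    ranked, unknown = [], []
    for f in findings:
        asset = by_host.get(f.hostname)
        if asset is None:
            unknown.append((f.hostname, f.finding_id))
        else:
            ranked.append((f.hostname, f.finding_id, inherent_risk(f, asset)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked, unknown


# Constructed sample data for this example; not real hosts or findings.
TODAY = date(2024, 6, 1)
ASSETS = [
    Asset("db01", "Ubuntu 22.04", "Dell R750", "dba-team", "critical", False, date(2024, 5, 10)),
    Asset("web01", "Ubuntu 22.04", "VM", "web-team", "high", True, date(2024, 5, 25)),
    Asset("ws-finance-07", "Windows 11", "Laptop", "finance", "standard", False, date(2024, 4, 1)),
]
FINDINGS = [
    Finding("F-001", "web01", 7.5, True),
    Finding("F-002", "db01", 9.8, False),
    Finding("F-003", "ws-finance-07", 5.3, False),
    Finding("F-004", "ghost-host", 8.1, True),   # a host nobody inventoried
]

if __name__ == "__main__":
    for host, days in out_of_sla(ASSETS, TODAY):
        print(f"{host}: {days} day(s) past patch SLA")
    ranked, unknown = prioritise(FINDINGS, ASSETS)
    for host, fid, score in ranked:
        print(f"{score:>6}  {fid}  {host}")
    for host, fid in unknown:
        print(f"UNKNOWN HOST {host} ({fid}): add to inventory before scoring")
```

On the sample data, db01 (critical, 22 days since patching) and ws-finance-07 come out past SLA while web01 is within it, and the ranking puts web01's 7.5 finding above db01's 9.8 because web01 is internet-exposed with a public exploit. The finding on ghost-host cannot be scored at all, which is the practical reason the inventory comes before scanning: a scanner result on a host with no owner and no patch record is an inventory problem first.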
Penetration Testing & Objective based testing
Once you've fixed as much as you can, move on to penetration testing all of your things, weighted towards manual testing and objective-based testing. Play-test your secure design principles: does your policy align to tech?
Continuous testing and policy integration
Following on from pentesting, it is just as important to continually review which policies are in place, how they align to technical controls, and how they play out when stuff breaks. 10/n
It is equally important to integrate objective-based testing into manual penetration testing. Do you have crown jewels on your network that you think you've secured? How about having those assumptions play-tested? 11/n
Red Teaming
Once you've fixed the glaringly obvious holes in your process and tech, next up is red teaming: testing every facet of your security program, with a focus on evading detection by your blue team and testing their triage. 12/n
Typically this means scenarios in which your organisation is tested from different angles, incorporating social engineering, physical security and operational security; all are important to consider, alongside that disaster recovery plan you came up with once. 13/n
Yeah, get that tested too. Security is important, but having a wider operational IT program is equally important. How do you fare when your systems are attacked from all angles by attackers of differing capability, and do your processes hold up? 14/n
While we're on the topic of red/blue testing, it is equally important, as you test things, to keep your blue team up to date; look into a tiered approach to how you do defense. Have you got a threat-hunting team as well as your tiers of security operations, and is it in-house? 15/n
Red and blue make purple: ensure you're mediating between your two teams effectively by integrating a purple-team program to tune your defense and improve the business as much as you can, until you're ready for the final form, end-to-end adversary testing and simulation, for best results!
And thus, following the path above, you'll be on your way to building out an effective security program with many facets and angles for improving things. DMs are open if you've got questions or queries. Also feel free to reply!
You can follow @ZephrFish.