Building a Security Program – Getting Started
Building a security program for an organization can be overwhelming. If you don’t have anything in place for managing information security, you’re probably already behind the curve. Information security is quickly becoming a baseline requirement for organization’s of all sizes, from mom and pop shops to start-ups to Fortune 500s. Large organizations are being increasingly targeted by malicious threat actors and malware campaigns, and breaches have been proven to cause significant impacts to reputation and stock pricing. While smaller organizations are now being required by larger organizations to have certain elements of a security program in place before even being allowed in the door for contracts and partnerships, including things like penetration testing and continuous monitoring.
So with all these things pressing organizations to actively engage in security, we see many times that companies are just trying to check the box still. Other times, we see companies trying to purchase and implement really expensive security tools, without having the baseline controls in place or the resources to manage the new tools. A more effective approach is to develop a strategic plan for implementing security in your organization, based on realistic risk, return on investment for processes/toolsets, and what’s most important for your organization. Security isn’t a one-size fits all venture, so it’s important to maintain perspective on what’s most important to you. Let’s start by walking through some considerations and suggested starting points for building a security program.
Initial Considerations when Building a Security Program
When building a security program, planning is key. You want to develop a roadmap of where you want to be. It’s also important to be realistic when building out this vision, and take things like your organization’s security budget and resources into account. The easiest way to start creating this vision is to lean on a security best practice standard that fits your company and industry. We’ve discussed selecting a best practice standard previously, so it may be a good time to familiarize yourself with what’s out there and the benefits/drawbacks of each. For most organizations, and especially those without a formal security program already in place, the CIS Top 20 is a fantastic place to get your footing before diving into a more niche standard.
At this point, you may find it helpful to bring in outside help. Leveraging a firm that specializes in information security can help bring valuable insight to this planning process, ensuring that you get the most bang for your budget. An outside firm can also provide insight into what others in your industry are doing, and what works and doesn’t work for organizations of your size. A best practice gap analysis helps make sure you don’t waste time spinning your wheels and implementing solutions that aren’t the right fit.
Finally, before we dive into some good starting places for security, it’s important to note that a successful information security program is about much more than tools and boxes with blinking lights. You have to think about your security program on a curve, where you’re starting at the bottom and focusing on foundational elements such as policies, processes, and procedures which can then build into more advanced capabilities. Trust the process, and don’t worry so much about what tools you need or don’t have at the beginning. Once you build a process you can better understand what tools will help solve the problems you’ve got.
Now let’s look at some foundational controls (based off the CIS Top 20) to consider in order to get started:
1. Inventory of Hardware
You can’t protect what you don’t know know about. That’s why step 1 is simply figuring out what you have from a technical device perspective, documenting it, tracking it, and controlling the addition/removal of hardware items in the future. Your inventory should include everything, including printers, laptops, desktops, network devices, switches, routers, firewalls, servers, etc. Anything that plugs into your network, you should track and know about. Depending on the size of your organization, software can help with this process in the future. But a spreadsheet works great when you’re just trying to get an idea of what’s out there. Make sure you are documenting serial numbers, physical location, asset owner, business purpose, IP addresses, hostname, etc. as a starting point.
2. Inventory of Software
Are you seeing a theme? Inventorying the software on your corporate assets helps you gain control of what you have vs. what you need. The less software you have to maintain, the smaller the attack surface for an adversary to attempt to exploit and the smaller management footprint associated with updating software on your network. Why do some computers have multiple remote access clients on them? Are these really necessary for your organization?
3. Vulnerability Management
Now that you know what you’ve got from a hardware and software perspective, you have to understand some aspects of your organization’s baseline risk profile. Establishing a baseline of what vulnerabilities exist in your environment will help quickly knock out low hanging fruit, build a model for comparison so you can show improvement over time, and show you where further improvements can be made in things like your hardening process, software update process, or software development processes. The best way to do this is with regular vulnerability scanning in the beginning, looking at both your internal and external network footprint. Quarterly is probably a good place to start, in order to fix items in between scans. But as your organization matures, you can easily increase the frequency of these scans to more effectively manage changes to your network, quickly identify risks, and reduce the overall exposure of your network.
4. Control Administrator Privileges
This is usually a pain point for organization’s that are moving from the Wild West to a more structured security program, but I promise it is worth the effort. When every user in your organization has administrative level privileges over their own system, it is impossible to control changes to configuration and software that is installed. Removing admin privileges from regular users, restricting who has local admin/domain admin access, and making sure the same local administrator password isn’t used throughout the organization (via something like LAPS, which is a conversation for another blog) will immediately increase your security posture and make a significant compromise much more difficult to pull off for an adversary.
5. Develop a Hardening Process
In order to maintain a secure environment, you’ve got to control what gets connected to the network. The starting place for that is with your hardening process. This refers to what you do to a new laptop or server before you issue it to an employee or put it into production. This should be a documented process based on an industry standard that details what configuration settings to change to prevent security issues, what updates to apply, what software to install (antivirus, etc.), and how to turn on the host-based firewall. Your hardening process should be a living document, that gets reviewed and updated regularly, including when items identified in vulnerability scans are fixed to prevent them from being re-introduced.
6. Logging
This is one of those evolutionary processes that should grow with your organization, but starting out, any logging is better than no logging. Ultimately you want some sort of Security Incident and Event Management (SIEM) tool to centralize the collection and correlation of all your log data, but that can be pricey. Starting out by making sure logging is turned on throughout your network and alerts are set up from devices that support them is a good start. Use best practice recommendations to tune this event data so when you do send it to a SIEM it is already somewhat tuned. Also, you can consider some free options to start centralizing log data such as OSSEC or an ELK stack.
This should more than enough to get you started thinking about some good ways to kick off building a security program in your organization or to help improve and mature your current security program. We’re always available if you want to talk through any of these foundational controls, strategic security planning in general, or even if you want some help performing a gap analysis to sort through your security program and develop a roadmap.