Every company invests a percentage of its budget in technology. Security solutions include tooling for endpoint security, network security, cloud security, data security, and identity and access management. Not every solution will be covered in this post, and I will not go into vendor specifics. In no order of priority, every company should have these 10 IT systems in place.
EDR/AntiVirus
Endpoints are laptops, desktops, servers, and virtual machines. They are often the first to be compromised, and all of them need to be protected from bad actors. This is where AntiVirus and Endpoint Detection and Response (EDR) solutions come in. AntiVirus offers real-time malware protection, blocking known threats and alerting analysts to malicious activity. EDR solutions can identify suspicious behavior and enable analysts to respond to a security incident.
How many times a month do you read about computers being compromised and spreading ransomware throughout a company? An antivirus solution could have prevented the malware from running in the first place. EDR software could have detected the suspicious behavior and quarantined the device from communicating with the rest of the network, preventing the malware from spreading.
It cannot be emphasized enough how crucial it is to deploy software on endpoints that can monitor, protect, and prevent attacks.
Although Microsoft has improved its Windows Defender product, it is the first hurdle any attacker creating malware is going to clear. It is enabled by default on every Windows computer, after all.
SIEM – Logging
The Security Information and Event Management (SIEM) system collects system, application, cloud, and network logs in a central location. Analysts can investigate alerts, visualize data, and monitor their IT environments.
This gives the Security Operations Center (SOC) the visibility it needs to perform investigations. For example, an employee downloads a malicious file from a website; the malware elevates its privileges to admin and starts connecting to a botnet. A SIEM can log all of this information and correlate the events so an analyst can investigate which websites the employee visited, what the malware is doing on the machine, and where it is communicating.
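The correlation the paragraph above describes, as an added example that is not part of the original post: a few constructed proxy, EDR and firewall events (hostnames, users, domains and addresses are invented, and 203.0.113.7 is a made-up watchlist indicator) are normalised into one stream and joined per host into a single incident with a timeline. The field names and the "download, execute, elevate, call out" chain are assumptions for this illustration, not a particular vendor's schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from a web proxy, an EDR agent and a firewall,
# already normalised to "timestamp source key=value ..." as a SIEM would store them.
# Hostnames, users, domains and IPs are invented; 203.0.113.7 stands in for a C2 server.
SAMPLE_EVENTS = [
    "2024-03-01T09:00:01Z proxy host=WS-0142 user=jdoe url=http://downloads.bad.example/invoice.exe action=allowed",
    "2024-03-01T09:00:05Z edr host=WS-0142 user=jdoe process=invoice.exe parent=chrome.exe event=process_start",
    "2024-03-01T09:00:09Z edr host=WS-0142 user=jdoe process=invoice.exe event=privilege_elevation to=SYSTEM",
    "2024-03-01T09:00:12Z firewall host=WS-0142 dst=203.0.113.7 dport=4444 action=allowed",
    "2024-03-01T09:05:00Z proxy host=WS-0077 user=asmith url=https://intranet.example.test/ action=allowed",
    "2024-03-01T09:06:00Z firewall host=WS-0077 dst=198.51.100.2 dport=443 action=allowed",
]

WATCHLIST_IPS = {"203.0.113.7"}  # constructed threat-intel indicator, not a real C2 address

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<rest>.*)$")

def parse_event(line):
    """Turn one normalised log line into a dict with a real datetime."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = m.group("source")
    return fields

def correlate(lines, window=timedelta(minutes=5)):
    """Group events per host and look for the chain: executable download ->
    that executable starts -> (privilege elevation and/or connection to a
    watchlisted address) inside `window`. Returns one incident per chain."""
    by_host = defaultdict(list)
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    incidents = []
    for host, events in by_host.items():
        downloads = [e for e in events
                     if e["source"] == "proxy" and e.get("url", "").lower().endswith(".exe")]
        for dl in downloads:
            filename = dl["url"].rsplit("/", 1)[-1]
            later = [e for e in events if dl["ts"] < e["ts"] <= dl["ts"] + window]
            start = next((e for e in later if e["source"] == "edr"
                          and e.get("event") == "process_start"
                          and e.get("process") == filename), None)
            if start is None:
                continue
            after_start = [e for e in later if e["ts"] > start["ts"]]
            elevation = next((e for e in after_start if e["source"] == "edr"
                              and e.get("event") == "privilege_elevation"
                              and e.get("process") == filename), None)
            c2 = next((e for e in after_start if e["source"] == "firewall"
                       and e.get("dst") in WATCHLIST_IPS), None)
            if elevation is None and c2 is None:
                continue
            chain = [e for e in (dl, start, elevation, c2) if e is not None]
            incidents.append({
                "host": host,
                "user": dl.get("user"),
                "download": dl["url"],
                "elevated": elevation is not None,
                "c2": c2["dst"] if c2 else None,
                "timeline": [(e["ts"].strftime("%H:%M:%S"), e["source"],
                              e.get("event") or e.get("action")) for e in chain],
            })
    return incidents

if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

Running it yields one incident for WS-0142 with a four-step timeline, while WS-0077 (a normal intranet visit followed by an HTTPS connection) produces nothing. The value of the SIEM is that none of the three sources on its own tells this story: the proxy only saw a download, the EDR only saw a process, and the firewall only saw an allowed connection.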

VPN – Virtual Private Network
No, I am not talking about the consumer VPN products you might have heard about from your favorite influencer.
With the rise of remote work, employees need a Virtual Private Network to securely connect to the office network and work on their projects. An enterprise VPN is typically a split-tunnel VPN: traffic for internal routes goes through the tunnel, while external access goes through the employee’s own Internet Service Provider. Consumer VPNs are full-tunnel, routing all traffic through the VPN for security and encryption.
VPNs are the best way to access resources remotely without exposing assets to the public internet. VPN gateways, clients, and infrastructure must be heavily protected, as they could allow anyone access to the corporate network.
Proxy – Internet Traffic Inspection
Another key point: once a device or user is connected, anything can happen on the network. It is important to monitor ingress and egress traffic and determine whether it is malicious or inappropriate usage. A proxy is the best way to block traffic that is not meant to leave your corporate environment, whether NSFW or malicious.

Segmentation & Firewall
Home networks are typically flat, meaning that once a device is connected, it can communicate with every other device on the network. In the spirit of least-privilege access, organizations should never have a flat network. If devices do not need access to other network segments, they should not have it.
The best way to segment networks is with Virtual LANs (VLANs) and firewalls. VLANs determine where on the network a device or application can communicate. Firewalls allow or block cross-segment communication between different parts of the network.
Generally speaking, networks should be separated into intranet, DMZ, and extranet; production should be separated from development; and BYOD/IoT devices should be on their own isolated network.
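As an added example (not from the original post), here is the segmentation above expressed as a default-deny policy between the segments the post names. The address plan, the allow rules and the port choices are constructed for illustration; `evaluate` decides a flow the way a firewall sitting between VLANs would, and `reachable_from` is a small audit helper for answering "what can the IoT segment reach at all?".

```python
import ipaddress

# Constructed address plan: one VLAN per segment the post names.
ZONES = {
    "intranet": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":      ipaddress.ip_network("10.20.0.0/24"),
    "extranet": ipaddress.ip_network("10.30.0.0/24"),
    "prod":     ipaddress.ip_network("10.40.0.0/16"),
    "dev":      ipaddress.ip_network("10.50.0.0/16"),
    "iot":      ipaddress.ip_network("10.60.0.0/24"),
}

# Explicit inter-segment allow rules: (source zone, destination zone, allowed TCP ports).
# Anything not matched below is dropped. Note there is no rule from iot or dev into prod,
# and nothing from the internet reaches anything but the DMZ on 443.
ALLOW_RULES = [
    ("intranet", "dmz",  {443}),
    ("intranet", "prod", {22, 443}),
    ("intranet", "dev",  {22, 443}),
    ("dmz",      "prod", {443}),
    ("extranet", "dmz",  {443}),
    ("internet", "dmz",  {443}),
]

def zone_of(ip):
    """Map an address to its segment; anything outside the plan is treated as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src_ip, dst_ip, dport):
    """Decide a single TCP flow the way the firewall between VLANs would."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "internet":
        return "allow"          # same VLAN: switched locally, never reaches the firewall
    for rule_src, rule_dst, ports in ALLOW_RULES:
        if (rule_src, rule_dst) == (src, dst) and dport in ports:
            return "allow"
    return "deny"               # default deny for everything not explicitly listed

def reachable_from(zone):
    """Audit helper: which segments can a given segment reach at all?"""
    return sorted({dst for src, dst, _ in ALLOW_RULES if src == zone})

if __name__ == "__main__":
    for flow in [("10.10.5.5", "10.20.0.10", 443),      # workstation -> DMZ web app
                 ("10.60.0.9", "10.40.1.1", 443),       # IoT camera -> production
                 ("10.50.1.1", "10.40.1.1", 22),        # dev box -> production via SSH
                 ("198.51.100.7", "10.10.1.1", 443)]:   # internet -> intranet
        print(flow, evaluate(*flow))
    print("iot can reach:", reachable_from("iot"))
```

The important design choice is that the rule table only lists what is permitted; a flat network is what you get when the last line of `evaluate` returns "allow" instead of "deny".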

Backups
It is always good to have backups of systems, whether a system image or an application configuration. Backups should be taken regularly and are essential for dealing with a ransomware incident. Everybody needs a backup, and you will be glad you made one before things went wrong.
To minimize the risk of data loss, follow the 3-2-1 backup rule. Keep 3 copies of your data, stored on 2 different types of media, with 1 copy kept off-site.
Multifactor – Authentication
Every month, there is a new article about a leak of billions of passwords hitting the internet. Here’s an article about that happening recently.
As cybersecurity professionals, we get it: passwords alone are no longer secure enough to protect accounts. Multifactor authentication (MFA) adds security by checking that the authenticating user has their smartphone or biometrics. In today’s threat landscape, MFA should not rely on sending a text message to a phone number, due to attacks like SIM swapping. MFA should be done with a mobile authenticator app or a device like a YubiKey.
Email Security
Email has been the lifeblood of professional communication on the Internet for the last 25 years. Everyone online has an email address.
Not every sender has their recipients’ best interests in mind. Any IT security exam will cover the various phishing techniques that can be carried out through email. So it is imperative to have good technologies in place to block suspicious-looking emails, including those that contain suspicious attachments.
Technology is not the only solution to this problem. The best defense against email-based attacks is training. Employees should know the signs of a phishing attack and the process for reporting it to the IT department.
Patch Management
What good is securing servers and workstations if they are not up to date on security patches? New exploits come out all the time. For example, the JavaScript framework React had a critical vulnerability named React2Shell, which allowed attackers to remotely execute code on any affected machine with an HTTP request. Updating software is the best way to avoid being vulnerable.
Microsoft releases patches for Windows on the second Tuesday of every month. Linux distributions do not have a fixed timeline for releasing patches; they are released whenever they become available.
Vulnerability Scanning
Lastly, vulnerability scanners bring to analysts’ attention which technologies need to be addressed and in what priority, and catch concerns early before they become an issue. It is too common for organizations to keep old devices around because they run an application that stopped receiving updates years ago. Vulnerability scanners can call out these old devices and justify that they have reached the end of their lifecycle.
As mentioned before, patch management is a good way to knock out the easy wins. However, some applications or software require a more in-depth look to remediate their vulnerabilities.
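As an added example covering both the Patch Management and Vulnerability Scanning sections (it is not from the original post), the following turns constructed scanner output into the prioritised list an analyst would work from, flags hosts whose software no longer receives updates, and computes the Patch Tuesday date the post mentions. The scoring weights, the P1/P2/P3 tiers and the finding fields are assumptions for this illustration; the vulnerability identifiers are placeholders, not real CVE numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Finding:
    host: str
    vuln_id: str          # placeholder identifiers, not real CVE numbers
    cvss: float           # base score 0-10 as reported by the scanner
    exploit_public: bool  # scanner's "exploit available" flag
    internet_facing: bool
    eol_software: bool    # vendor no longer ships updates for the affected product

def score(f):
    """Risk-based priority: severity plus the factors that make a finding urgent in practice."""
    s = f.cvss
    if f.exploit_public:
        s += 3.0     # a working exploit exists: the normal patch cycle is too slow
    if f.internet_facing:
        s += 2.0
    if f.eol_software:
        s += 2.0     # no patch is coming; the fix is replacement or isolation
    return round(s, 1)

def tier(s):
    """Assumed tiers: P1 = fix now, P2 = next patch window, P3 = scheduled."""
    return "P1" if s >= 12 else "P2" if s >= 7 else "P3"

def triage(findings):
    """Return findings ordered most urgent first, each with its score and tier."""
    ranked = sorted(findings, key=score, reverse=True)
    return [(f.host, f.vuln_id, score(f), tier(score(f))) for f in ranked]

def end_of_life_hosts(findings):
    """Hosts the scanner flags as running software that no longer receives updates."""
    return sorted({f.host for f in findings if f.eol_software})

def second_tuesday(year, month):
    """Microsoft's monthly patch day (Patch Tuesday) for a given month."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)  # Monday=0, Tuesday=1
    return first_tuesday + timedelta(days=7)

# Constructed scan output; hosts and identifiers are invented placeholders.
SAMPLE_FINDINGS = [
    Finding("web-01",     "PLACEHOLDER-VULN-1", 9.8, True,  True,  False),
    Finding("db-02",      "PLACEHOLDER-VULN-2", 7.5, False, False, False),
    Finding("legacy-hmi", "PLACEHOLDER-VULN-3", 8.8, True,  False, True),
    Finding("dev-07",     "PLACEHOLDER-VULN-4", 5.3, False, False, False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
    print("end of life:", end_of_life_hosts(SAMPLE_FINDINGS))
    print("Patch Tuesday, March 2024:", second_tuesday(2024, 3))
```

Note how `legacy-hmi` lands in P1 despite a lower base score than `web-01`: a public exploit against software that will never be patched is exactly the "old device kept around" case the section describes, and the scanner's job is to make that visible rather than let it hide behind a moderate CVSS number.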