The Issues Faced When Achieving Security Through Technology

What security controls are best of breed within the current market for detecting or blocking bad actors? How can enterprises and organizations operationalize and scale a practice to detect the activity even if one security control fails?

Jerod B.
South Carolina, United States

The best preventative controls are strong identity and access management (IAM) programs combined with strong application security programs. For building these two programs, leverage the Identity Defined Security Framework and the OWASP Software Assurance Maturity Model. The best detective controls are logging and monitoring and a security information and event management (SIEM) system. For logging and monitoring, leverage the NIST Guide to Security Log Management. Free SIEMs like Graylog and OSSEC are terrific, although leveraging a managed security service provider (MSSP) is better for scaling this practice, especially if those MSSPs offer managed detection and response (MDR) services.

Anand V.
Chennai, India

Security controls can be in the form of technology. The controls need to protect the office premises and the virtual controls. The various solutions that can help are intrusion detection systems, XDR, EDR and WAF. This should also include privacy controls like data encryption in motion, data at rest and in transit. The basic encryption should be AES-256 and not reversible. If there are more cloud controls then we should implement Cloud Controls Matrix (CCM) controls from CSA STAR. There should be at least two levels of detection, identification, and remediation of the bad actors. They should also be integrated with SIEM tools and enterprise management tools. The companies should have multiple tools within their platform strategy. Those should complement each other if one fails. The system should have enough resilience and should come with the latest disaster recovery and backup procedures. The organizations can outsource these activities, so that they can be scaled. Nevertheless, it is always good to have an internal SOC team to monitor the same. It is useful to get integrated with DLP tools and have an automated backup with the same. Education and awareness are needed to scale and sustain these practices, and to avoid human error.
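Both answers above come back to the same operational point: logging and monitoring feeding a SIEM, with at least two independent layers of detection so that an intrusion still surfaces when one control misses it. The following is an added illustration of that idea, not code from either respondent or from any SIEM product. It runs two unrelated detection rules over a handful of constructed authentication log lines (the line format, the IP addresses, the user names and the baseline of "known" sources are all invented for the example) and then reports which rules caught which user, so the overlap between layers is visible.

```python
"""Layered, SIEM-style detection over constructed authentication logs.

Two independent rules inspect the same event stream. Rule A keys on failure
counts, rule B on source-address novelty. A login attack that one rule cannot
see (e.g. a slow, low-volume credential use from a stolen password) can still
be caught by the other. Everything here is example code with invented data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, result, user, source.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z auth=fail user=alice src=203.0.113.7
2024-05-01T08:00:03Z auth=fail user=alice src=203.0.113.7
2024-05-01T08:00:05Z auth=fail user=alice src=203.0.113.7
2024-05-01T08:00:06Z auth=fail user=alice src=203.0.113.7
2024-05-01T08:00:09Z auth=fail user=alice src=203.0.113.7
2024-05-01T08:00:12Z auth=success user=alice src=203.0.113.7
2024-05-01T09:15:00Z auth=success user=bob src=198.51.100.20
2024-05-01T09:20:00Z auth=success user=bob src=198.51.100.20
2024-05-01T11:02:00Z auth=success user=bob src=192.0.2.45
"""

# Constructed baseline of sources each user normally logs in from (hypothetical).
BASELINE_SOURCES = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.20"}}


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "result": kv["auth"],
        "user": kv["user"],
        "src": kv["src"],
    }


def parse_logs(text):
    """Parse all non-empty lines, preserving order (events are assumed sorted)."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def rule_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Rule A: at least `threshold` failures for (user, src) inside `window`,
    followed by a success from the same pair."""
    alerts = []
    fails = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    for ev in events:
        key = (ev["user"], ev["src"])
        q = fails[key]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
        elif ev["result"] == "success" and len(q) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                           "src": ev["src"], "ts": ev["ts"], "failures": len(q)})
            q.clear()  # one alert per burst
    return alerts


def rule_new_source_for_user(events, baseline_sources):
    """Rule B: a successful login from a source not in the user's baseline.
    Independent of failure counts, so it also catches quiet credential use."""
    alerts = []
    seen = {user: set(srcs) for user, srcs in baseline_sources.items()}
    for ev in events:
        if ev["result"] != "success":
            continue
        known = seen.setdefault(ev["user"], set())
        if ev["src"] not in known:
            alerts.append({"rule": "new_source_for_user", "user": ev["user"],
                           "src": ev["src"], "ts": ev["ts"]})
            known.add(ev["src"])  # alert once per new source
    return alerts


def run_detections(log_text, baseline_sources):
    """Run every rule over the same events and return alerts in time order."""
    events = parse_logs(log_text)
    alerts = rule_bruteforce_then_success(events) + rule_new_source_for_user(events, baseline_sources)
    return sorted(alerts, key=lambda a: a["ts"])


def coverage(alerts):
    """Map each alerted user to the set of rules that fired: shows which
    users would still be caught if one rule (or its data source) failed."""
    cov = defaultdict(set)
    for a in alerts:
        cov[a["user"]].add(a["rule"])
    return dict(cov)


if __name__ == "__main__":
    found = run_detections(SAMPLE_LOGS, BASELINE_SOURCES)
    for a in found:
        print(a)
    print(coverage(found))
```

On the sample data, alice is flagged by both rules (the brute-force burst and the unfamiliar source), while bob's later login from 192.0.2.45 produces no failures at all and is caught only by the new-source rule. In a real deployment the two rules would typically draw on different telemetry (for example, an EDR or identity-provider feed and the SIEM's own authentication logs), which is what gives the second layer its value when the first one is blind.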

Katerina R.
Athens, Greece

Intrusion detection and prevention systems, like Trend Micro, FireEye, Check Point, Cisco would be useful for you. They would have to be installed in all company endpoints and servers and also cloud systems. An anti-phishing solution would prevent phishing within the organization. The above brands also have such solutions. E-mail protection systems ensure that emails are clear of viruses and spyware. Threat emulation (Check Point TE in the cloud) is useful to open attachments and links in isolated environments that are not part of the rest of the network. This way, if any harm is done, it stays there and does not spread. Implementing awareness training for personnel is beneficial (KnowBe4 is such a solution). Frequent penetration testing (at least quarterly) and also vulnerability assessments (preferably by an external provider and not one of the security vendors or in-house) are recommendable. SIEM and SOC systems could also be useful, depending on the size of the organization. Apart from that, multi-factor authentication systems for internal logins (to the network), as well as remote access to the company’s systems or cloud solutions, are relevant points to look into. Cisco Duo or Microsoft are really good solutions.
