Search

Home > Packet Pushers - Weekly Show > Show 260: Design & Build 7: Security In Small/Medium Enterprises
Podcast: Packet Pushers - Weekly Show
Episode:

Show 260: Design & Build 7: Security In Small/Medium Enterprises
Category: Technology
Duration: 00:00:00
Publish Date: 2015-10-23 13:13:10
Description:

Sometimes on Packet Pushers we talk about the bleeding edge or waffle on about the future. But sometimes we like to stand firmly in the hot aisle, screwdriver in hand, laptop at the ready, and get something done.

The Design & Build series is intended to help you do just that. In this installment we re talking about security.

When it comes to security, we tend to think in terms of firewalls, intrusion prevention appliances, log analyzers and so forth. But that gets expensive. What sort of security infrastructure could you design and build on a budget? Our guest has some ideas about that.

The Packet Pushers talk with Jay Swan, Operations Security Engineer at GitHub, about how small and medium-size organizations can build robust security and operational practices without having to spend a ton of money.

We’ll talk about the principles of good security, why we need to get negativity out of the industry, and how to make the most of tools that can serve both security and operational needs.

Show Notes:

Level Setting

  • What s different about the small/medium enterprise?
    • 100 – 2000 employees (roughly)
    • 0 – 1 FTEs working on security
      • often a part time position or split between part-timers in server/network team
  • Unhelpful negativity in the Infosec world needs to go:
    • Phrases that aren t uncommon:
      • they were so dumb that
      • they deserved to get hacked
      • if you can t do [insert security thing here] you should just quit
    • Paralysis by analysis:
      • You can t even get started if you don t :
        • have full executive support
        • start with a security policy
        • classify your data
        • have a comprehensive IR plan
        • etc.
    • Reductio ad absurdum:
      • We can t stop the bad guys so we shouldn t even try
    • The organizational freakout:
      • we got hacked:
        • freak out and go on a vendor spending spree
      • we got a negative security audit
        • freak out and go on a vendor spending spree
  • What I m NOT talking about:
    • compliance
  • Caveat:
    • You DO need to have permission to monitor and capture traffic on your network.
  • My position: be positive, do what you can.
    • Better than something that s not as good.
    • Do *something* today.
    • Start by considering:
      • What s easy
      • What has the biggest effect in your environment
      • What can be used for ops and security simultaneously
    • Find the intersection of those three and do that
  • Then, build on your success to get funding/staff/etc.
    • Sadly, finding bad guys is actually a good way to get funding…
  • Security is a great way to build general-purpose professional skills
    • So do it even if it s not super easy.

Principles

  • People and skills before product
  • Dual ops/security functions 1st
  • Adversarial model
    • Remember the bad guys are humans
  • Risk = threat * vulnerability * cost
    • In SME you probably don t know detailed threat info
    • Learn by industry sector
    • Vulnerabilities are known knowns, unknown knowns, and unknown unknowns
      • infinite tail chasing
      • prioritize!
    • Costs
      • industry and company specific
      • reduce own costs, increase attacker costs
  • Remember to credit Practical NSM by RB
  • Free *before* commercial, not necessarily in lieu of
    • doesn t mean you shouldn t buy
    • it means trying free first teaches you the right questions to ask

Dual Ops/Security Stuff

  • Asset discovery and inventory
  • Configuration management and change tracking
  • NetFlow
  • Log EVERYTHING
    • Start with:
      • Infrastructure (easy)
      • Windows
      • VPN
      • Firewall
  • Monitor first
  • Patching
    • Use commercial security reports to prioritize
    • Automate!
    • The metasploit connection
  • Learn how to use pcap in every product that supports it
    • Routers, switches, WAN Opt, phones, firewalls, etc.
  • Process auditing
    • Microsoft Sysmon
    • Difficult, but SO valuable for both ops and security
    • Not the place to start, but worth learning about early and piloting or doing targeted deployment

Products and Controls

  • You might not need a fancy firewall
    • discuss – NGFW
    • IOS ZBFW
    • Stateless ACLs
    • Host firewalls
  • If you can blow some real money on one big ticket item:
    • a GOOD malware-blocking proxy server
    • or if you re cloudy: cloud proxy or DNS black hole service
  • IDS / NSM
    • Security Onion!
    • IDS/Proxy feedback loop
  • Email filtering
    • STARTTLS is probably free!
    • Don t punish or embarrass employees who get phished
    • Employees are pretty good at informing IT about phishing if they don t fear IT; very helpful!
  • VPN / 2FA
  • The AV discussion
  • The vulnerability scanner discussion

Professional Development

  • Learn how DNS, HTTP work
  • Get your Wireshark on

Links:

Jay Swan on Twitter

Jay Swan on GitHub

Show 192 – Logging Design & Best Practices

Security books by Richard Bejtlich

The post Show 260: Design & Build 7: Security In Small/Medium Enterprises appeared first on Packet Pushers.
Total Play: 0

Some more Podcasts by Packet Pushers

800+ Episodes
Packet Pushe .. 10+     1
2K+ Episodes
Packet Pushe .. 80+     3