
Thank you everyone for coming to this talk. We're sorry we're pausing your happy hour, so thank you. If you're already starting happy hour right now, please share with your partners next to you, or at least pass something up; we really appreciate it. My name is Ryan St Germain. I'm a principal consultant with a large security company, previously a manager of information security at a small company here in Maryland. So our talk today is going to be based on our experience in both a large organization and a smaller org. The larger org we work for works with Fortune 500 companies doing proactive security assessments and tabletops, so we're going to use that experience and hopefully pass on some knowledge today. I'm going to pass this on to Clarissa really quick.

Hi everyone, I'm Clarissa Bury. I am a consultant on the same team as Ryan. I'm doing strategic advisory, so that's really proactive services, like you said, for those big clients. Before this I was a security engineer doing all that kind of defensive blue team work for a small company here in Maryland, and I was also the IT manager for a small non-profit in Washington DC. So in this talk we're really going to, like he said, go through and blend those two worlds together. The companies that we're working with have a ton of resources: they'll have in-house SOCs and retainers with specialists on call. But smaller companies really don't have those kinds of resources, and they have to be a lot more purposeful and precise with how they allocate both their people's time and the funding that they have.

So really, what is proactive security? Put simply, it's everything that you're doing before an attack happens, everything you're doing to prepare and defend. But it's really about preemptively finding and addressing any weaknesses, fixing your processes and improving upon them so that you're ready if and when an attack does come. This is really important because it makes organizations more resilient: you're trying to prevent attacks and better prepare. We're also going to be talking a little bit about what resources are available to you that fit in with a smaller organization's priorities, and we're going to go through a couple of tools you can use, some ways to think about tabletops, and how to get some executive buy-in on those. I'm going to hand it back to Ryan and we're going to go through some documentation.

Awesome. So I know documentation is pretty boring, but as we do these larger assessments with these larger companies, one of the biggest issues that tends to come up is that lack of documentation, specifically runbooks and playbooks. And as you know, I'm sure there are a lot
of people here who work security for smaller businesses. Runbooks and playbooks are relatively more important because you're having to share roles, you're having to share hats within that organization. So let's say Tom is out of town; maybe Timmy in IT then has to take over and run a firewall or some other security control that he's not normally responsible for. So one of the first, most important things is that it's a common and repeatable process, things that you're doing on a regular basis. Let's say a phishing attack as an example: you're going in, logging into the firewall, you're putting maybe IP addresses in to block it, or you're logging into Microsoft 365 to block a sender address. These are repeatable processes that most likely aren't going to change and potentially could be automated. But one of the issues we found is that, one, they're not being created, and two, they're not actually being updated. So you can have a playbook and a runbook, but it's not as good unless you're actually keeping it up to date, because let's say you have a Palo Alto firewall, and next thing you know you're upgrading to Check Point or something like that; well, that process is going to change. One of the last items is that it essentially paves the way to automation. So we talk about SOAR all the time. Well, when you purchase a SOAR, what are you going to do with it? The whole point is that it's going to automate those playbooks and runbooks, so if you can document those first, then you have an easier path forward to moving into that SOAR product. And that can be especially more important for small businesses who don't have a large security organization, and there are a lot of free open source resources out there that can help get started.

So this is just a very basic example, obviously, of a playbook and runbook process. It's pretty surprising how many people don't actually understand what this looks like, even at Fortune 500 companies, so I just want to give a high-level overview: a phishing playbook, and then it descends right down into your actual runbooks. That's where those actual processes are going to occur. So with runbooks and playbooks, the important part is that you actually have the security controls in place to leverage those. And so this is that cybersecurity control landscape out there that we all see, and as a small business, holy crap, where the hell do I start? Especially with small businesses, we don't have the money, so what's important, where do I
put my priorities, and where do I go from here? Whoops. So everyone knows security in depth, right? The security onion? This is what we're taught at a basic level, but the problem is it's not being implemented, and it's even more important for us small businesses because we don't have the funding to purchase all these other security products. So we need to identify the key areas that we're going to invest in, and that could be purchasing a product or it could just be leveraging free open source tools. So if you came to me right now and you told me to start a security program, where would I invest? It would be in a SIEM, because then you can build around that. And I'm not saying you have to buy a SIEM; there are free open source products. But the first part would probably be a SIEM, and then you can build around that with your prevention controls. You're getting the data in, and you need to know what you're actually going to protect within your organization. The third one, and it's not as sexy as the other items, is configuration management: we're baselining and looking for hardening of images. We're trying to harden the products and the assets that we're managing to prevent them from being compromised, obviously. And a lot of times this is free; I mean, you look at CIS, you look at STIGs, you can baseline your asset during the deployment phase to disable services that you're not looking to actually implement or leverage. Like if you're deploying a non-web server, you're not going to enable IIS, so you need to ensure that it's disabled, or you need to make sure that PowerShell script block logging is on. These basic items. So configuration management is one of the third more important items that we've found. The fourth and final one is ticketing and case management. We have a lot of these products, like even a SIEM: they're generating alerts, if there's an incident an alert fires, but where do they go? The majority of the time they're going to a single mailbox or a distribution list, and a lot of times that's a single point of failure. So you want an area to actually track and manage these alerts in, so that you can, obviously, for auditability, but also for tracking of your TTPs and your IOCs. And then you can leverage that, and that builds upon your automation, and we'll talk a little bit about a security product that can help you with the automation of that.

So, quote unquote, free solutions. We
go on GitHub, we have all these options out there, but the problem is these aren't really free. They're free to take, but there's a management cost to all of these. So when we're looking at the landscape of free solutions we need to keep that in mind, and there are certain considerations that we need to take into account before actually leveraging and then implementing that within our environment. The first one is: is it actively supported? A lot of times we'll go into GitHub, we'll find a project, and it hasn't been updated in, what, two years, issues are piling up, and we don't see any replies from the contributor. I mean, it's open source; we sort of expect that at the end of the day sometimes. But that's a huge item to look for, because you don't want to implement something that you're then not going to have support for. If you buy a product like RSA SecurID, you're getting support with that product; with these open source ones, you're the support, which sort of then goes into cost of administration. You need to understand what you're implementing, because then it becomes potential tech debt. You need to understand if the people that are going to be managing this are going to be able to actually manage it, if they have the capability, especially with new security solutions nowadays which are appliance based and are leveraging a lot of containerization. So if you don't understand containers and all of a sudden your open source, let's say Suricata, goes down, what are your support options there? You can reach out to the community, obviously, but you're not reaching out to that premium support that you normally would with a commercial product. The third one being security updates. Like I mentioned, a lot of these products are virtual appliances, so they're built on Linux distributions, and I've seen a lot of times where we download these products or these free solutions and they're running on an out-of-date, let's say Ubuntu, distribution that hasn't been supported in one or two years. So when we're looking for free solutions we need to identify what's actually being run in the background. It's sort of like when we're looking for an SBOM or something like that for a commercial solution: we need to identify what's going on in the background so that we can continue to support that. And the fourth and final one is integrations with existing platforms. You want to get a platform or security solution that's going to integrate with other items within your environment, because then you're not going to go out and have to replace additional items just because you brought this one new security solution in. And that's not just limited to a free solution; I mean, if we're going out to buy a Palo Alto product, we want to ensure that it's going to work with our other products as well.

So one of the projects that I love, and I mentioned case management earlier, is TheHive project. Obviously you can collect items in there with case management, and it integrates with a lot of different products, especially with its native API. But what's awesome, and I want to point out here, is the metrics collection. We talk about
metrics and ROI a little bit, but one of the items that you should identify is your log source collection, and take metrics on where those logs that are actionable actually come from. Because a lot of times, if you're working with a Splunk license, it's based on volume, so if you're just ingesting data for no reason, if it's not actually helping you and it's not actionable, what are you sort of paying for? So you need to be able to identify and track what log sources are helping you at the end of the day. I'm sure you all have seen TheHive project, but I'll give you a nice little screenshot here.

Second is email security. I'm sure we have security administrators here; all the time we're responding to people who decided to click on something that was obviously a phish, but at the end of the day it's going to continue to happen. So one of the projects that I wish was around when I was still a security engineer is the Sublime Security project. I don't know how many people here have worked with it, but it's pretty damn awesome. One of the problems right now that we have with our current security solutions, let's say Microsoft 365, Proofpoint, you name it, is that you don't really have any insight into what it's basing its decisions on. It's not like Snort where you can go in and edit a rule; it's pretty much its own proprietary decision-making product, and at the end of the day normally all we can do is add an email address or an IP address that we want to block. That's pretty much all the control we have; maybe you can add attachments, stuff like that. But we need a way to build rules out based on the properties of an email, sort of like an IDS rule or, let's say, a SIEM rule. And that's where the message query language of Sublime Security comes in: you can write a rule based on an actual email itself. I have a screenshot so you can see that, but I highly recommend you guys check it out. One of the biggest advantages of this platform is that it natively integrates into email solutions, so you don't have to go to your IT engineer and say, hey, I need to set up a new MTA. You can integrate natively with Microsoft 365, IMAP, or even Google Workspace if you want. So this is just a little screenshot: on the left you have the email, and on the right you have the rule, and you can see that the attachments, headers, all this breaks down. This is essentially just an email that you can ingest into the system and then write rules based on that. So this is open source, you guys can check it out; I'll leave a link within the slides.

So we have a lot of options out there in terms of security controls, free platforms, stuff like that. But at the end of the day, if you say, okay, well, I want to integrate Zeek, I want to integrate Suricata, you name it, you've already got two or three things that you're going to need to maintain, and that's where these security platforms come in. It's one platform, essentially, to manage them all, to rule them all. Everything's in one: you update the platform itself, and it updates the sub-components like Suricata and, you name it. So Security Onion and Wazuh are a great place to start if you want an all-in-one solution as a SIEM, IDS, file integrity monitor, things like that. I'm going to pass it on to Clarissa and she's going to talk about tabletop exercises.
So we covered a bunch of the more technical side of things, the documentation, the tooling, but now we're going to get into a little bit more of the people side of proactive security. This is really what I do every single day: I make tabletop exercises for our clients. At its most basic form, a tabletop is really just creating a scenario of an attack, gathering the people that would be involved in responding to that attack, and then playing through how you would respond to it as a team. These can be as big or as small as you want. You could get a few people from the technical team and do something very specific, you know, how would we recover from backups if we needed to for this one system, things like that. Or you can make it a cross-team exercise, which can actually be really helpful, bringing other stakeholders into the cybersecurity or incident response process. So you think about bringing in executives or legal or communications, whatever other teams you might have in your organization that could benefit.

When you're thinking about tabletops, there's not really enough time in this talk to go through the actual design process in the specifics, but some ways to think about it: you want to think about the scope first. So what processes are you trying to test? What is the company most at risk for? Think like a threat actor: what would they look for in your organization, what would be valuable to them, and how would they go and get it? And then you can kind of build your scenario backwards from there, thinking about really those end results that you're looking for, those processes you're trying to test. If you're looking to test your technical team's abilities to respond, you don't necessarily need to spend much time on some of the communication side, and vice versa. You also really want to think about your audience, so their level of technical expertise. If you're bringing in some of those other stakeholders from other teams, some of your executives maybe who don't have as much of a technical background, you want to make sure that you're formatting your scenario to fit with the information that they would need in an actual incident and the role that they would play. So build those facilitation questions and the scenario around that information. You also really want to be conscious of tone. In the tabletops that I do, people often get very nervous; I've had people, on the first slide of our tabletops, the director of IT security says, you know, my palms are already sweaty, I'm a little nervous already. You want to make sure that you're making it very clear throughout the process, both in the build-up and at the beginning of the scenario, that this is a learning exercise. It's not an exam, it's not an assessment. The goal isn't to answer every question perfectly and be completely right; the goal is, as a team, to work through your processes, learn from it, practice it, and also find areas to improve as well. I've included a couple of resources here. You can Google these, just those keywords, and you'll find them. It's also linked, and we're going to post these slides. But one thing to really consider with the resources that are out there for free about designing tabletops is that they're often aimed at bigger organizations, organizations that have a lot of specialization in their roles. So they're going to talk a lot about having a designated incident commander and having a designated person to do each different role, and that might not be the case for smaller organizations where those roles really blend together.
So another thing that you want to really think about is capturing that institutional knowledge that you might have. Everyone knows that there's someone at your organization who's been there 25 years, who knows every single thing about every server, but that knowledge doesn't necessarily get transferred to other people. So a tabletop exercise is a really great opportunity to cross-train your employees and capture that information in a concrete way.

Now you might be thinking, all this stuff that we talked about is so great, but how do I actually get my leadership to do it? You want to really quantify that risk. Leadership loves a cost analysis, so explain the financial impacts of a cyber incident; really just talk about that when you're pitching some of these ideas. How will these proactive measures really help you defend against this? Talk about why it's important to practice responding to an incident. Or you could run a smaller incident that you might not need their authorization for, and then kind of show the results of them: here's what we learned, I'd like to do this on a bigger scale across the company and bring in some other teams. It can also really help to get stakeholders from other sides of the organization involved. An easy way to do this is looking at compliance requirements, so you can get legal or HR on your team if you map the ways that these different proactive measures will correlate to the compliance frameworks that you need to comply with, or even how these proactive measures would make you look good to cyber insurance. A lot of cyber insurers ask: do you do tabletop exercises? Do you have these different tools? Do you have someone who knows how to do the disaster recovery processes that you have in place? And then, obviously, showing instead of telling. Tabletop exercises, yet again, are a great way to do this, but also showing them how these different tools work, what is useful about them, and illustrating also how cyber incidents progress. A lot of executives might not be familiar with this, and showing them what it is you're doing as a responder can be really helpful. I had a tabletop actually where, in the middle of the tabletop, it was a management level and they had one technical security incident response person there, and in the middle of the tabletop they realized they're asking him to do four different things at once. And so they wrote down and authorized him to get three new people for his security team, right in the tabletop.

All right, so that is actually all we have for today. You can find us if you have more questions at the happy hour right after this, or on Twitter. You can also find our slides posted on GitHub at this address. Thank you.
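Added example, not part of the talk and not either speaker's words, and not code from TheHive, Sublime Security or any product mentioned: the phishing runbook Ryan describes (block the sender, block the source IP, record the case so it can be tracked) written as a small Python script. It parses a constructed sample message, evaluates a few property-based rules of the kind he contrasts with an opaque gateway decision, and returns the block-list actions plus a case record tagged with its log source, which is the shape a SOAR or ticketing tool would later consume. The rule names, the risky-extension and urgency-word lists, the severity threshold and the `mail-gateway` log source name are all assumptions; the sample addresses and IP are placeholders.

```python
"""Phishing-triage runbook as code: added illustration, not any product's code.

Parses a raw email, evaluates a few property-based rules of the kind the talk
contrasts with opaque gateway decisions, and returns the runbook actions
(sender and IP blocks) plus a case record that a ticketing tool could ingest.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Addresses, hostnames and the IP (a documentation
# range) are placeholders, not real indicators.
SAMPLE_EMAIL = """\
Received: from mail.example-sender.test (mail.example-sender.test [203.0.113.10])
    by mx.example.test with ESMTP id abc123
From: "IT Helpdesk" <helpdesk@example-sender.test>
Reply-To: payroll-update@attacker-placeholder.test
To: user@example.test
Subject: Urgent: password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form immediately.
--b1
Content-Type: application/octet-stream; name="form.htm"
Content-Disposition: attachment; filename="form.htm"

PGh0bWw+
--b1--
"""

# Assumed rule parameters; a real deployment would tune these.
RISKY_EXTENSIONS = {"htm", "html", "iso", "js", "vbs", "lnk"}
URGENCY_WORDS = {"urgent", "password", "expires", "immediately"}
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw: str) -> dict:
    """Extract the properties the rules need from a raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Source IPs from every Received header, most recent hop first.
    received_ips = []
    for hdr in msg.get_all("Received", []):
        received_ips.extend(IPV4_IN_BRACKETS.findall(hdr))
    attachments = [part.get_filename() for part in msg.walk() if part.get_filename()]
    return {
        "from_addr": from_addr,
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "reply_to": reply_to,
        "reply_to_domain": reply_to.rpartition("@")[2].lower(),
        "subject": msg.get("Subject", ""),
        "received_ips": received_ips,
        "attachments": attachments,
    }


def evaluate_rules(parsed: dict) -> list:
    """Return the names of the property-based rules the message matches."""
    hits = []
    if parsed["reply_to"] and parsed["reply_to_domain"] != parsed["from_domain"]:
        hits.append("reply_to_domain_mismatch")
    if any(name.rpartition(".")[2].lower() in RISKY_EXTENSIONS
           for name in parsed["attachments"]):
        hits.append("risky_attachment_type")
    words = set(re.findall(r"[a-z]+", parsed["subject"].lower()))
    if len(words & URGENCY_WORDS) >= 2:
        hits.append("urgency_language")
    return hits


def build_runbook_actions(parsed: dict, hits: list) -> dict:
    """Turn rule hits into the repeatable runbook steps and a trackable case."""
    if not hits:
        return {"block_senders": [], "block_ips": [], "case": None}
    severity = "high" if len(hits) >= 2 else "medium"  # assumed threshold
    senders = [a for a in (parsed["from_addr"], parsed["reply_to"]) if a]
    return {
        "block_senders": senders,              # step 1: mail platform sender block
        "block_ips": parsed["received_ips"],   # step 2: firewall/gateway block
        "case": {                              # step 3: case record for tracking
            "title": f"Phishing: {parsed['subject']}",
            "severity": severity,
            "rules": hits,
            "iocs": senders + parsed["received_ips"],
            "log_source": "mail-gateway",      # assumed name; feeds log-source metrics
        },
    }


if __name__ == "__main__":
    parsed = parse_message(SAMPLE_EMAIL)
    print(build_runbook_actions(parsed, evaluate_rules(parsed)))
```

The three functions map onto the talk's points: `parse_message` is the "properties of an email" a rule engine needs, `evaluate_rules` is the editable rule layer, and `build_runbook_actions` is the documented runbook (sender block, IP block, case record) that a SOAR would automate once it exists on paper. Recording `log_source` on every case is what makes the per-source actionable-alert metrics possible later.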