
Robust Defense for the Rest of Us

BSides Las Vegas · 2017 · 24:24 · 96 views · Published 2017-08 · Watch on YouTube ↗
About this talk
Russell Mosley challenges the misconception that robust cybersecurity is only achievable by large enterprises with massive budgets. Using his own small organization's security program, built to meet FISMA (NIST SP 800-53 Rev. 4, moderate baseline) and SSAE 16 audit requirements, as a case study, he argues that security maturity depends on organizational priorities, processes, and policies rather than budget size. The talk covers defense-in-depth measures that a small team can realistically implement: network segmentation, default-deny firewall rules with no default outbound allow, TLD and file-type filtering at the web proxy, layered email filtering, automated log review and alerting, patch management, and awareness training.
Original YouTube description
PG - Robust Defense for the Rest of Us - Russell Mosley Proving Ground BSidesLV 2017 - Tuscany Hotel - July 26, 2017
Transcript [en]

Let's get started. Russell Mosley.

Okay, thank you, and thanks for coming to my presentation. So my presentation is called "Robust Defense for the Rest of Us," and it's a response to the DEF CON 25 CFP and the generalization that small businesses are terrible at information security. So everybody knows that DEF CON is a hacking conference, right? You may not know that they have a defensive track listed on their CFP that you can submit presentations to. I was reading their CFP, and this is the description for it: "How do hackers defend their networks, servers, and applications in a world where only the largest enterprises can afford a robust defense? What can you do to have a chance at surviving modern-class attacks?" And that caught my attention: only the largest enterprises can afford a robust defense. I hear this a lot, and I have to disagree. Size and budget don't equal better information security. Having a robust defensive posture isn't about what you can afford. Having a robust defense is about what your organization prioritizes and chooses to do, regardless of the size. It's your policies, processes, and procedures that determine your success, not how much you spend.

In fact, I think that small organizations can be more effective at information security than large organizations, if they want to be, because they have some advantages over large organizations. Small organizations can configure more granular policies, because we only have to allow access to services and sites that are needed for our business requirements, and those business requirements are much narrower than large organizations'. So it's easier to define business requirements and implement things like least privilege in a smaller environment. We also have less static to sift through: you know, we have fewer users, we have fewer amounts of log data that we have to analyze. We also can do quicker vulnerability management mitigation than large organizations, because we have a much smaller environment. And as a small organization, we have better knowledge of our environment than many large organizations do, because one close-knit team does all of IT operations and security.

So in this presentation I'm going to present an argument that small organizations can afford a robust defense, and demonstrate with an example case study of a small business security program. It's the security program that my team and I have built over the last 15 years or so. And not only do we have to meet our standards, but we have to meet FISMA, which is the NIST Special Publication 800-53 Rev 4 at the moderate level, for a federal government information system that we operate. But we also have to pass annual SSAE 16 audits, and we do CMMI Level 3 for development. So we have a lot of process that we have to have in place, and I hope that this case study can also serve as a framework for other small businesses to establish their own security program.

Well, briefly, about me. This is my Twitter homepage. I chose the name "smoke them" for Twitter because I mostly just listen on Twitter; I don't tweet much, and I like to do things like that with cars, so that's what I came up with. Anyway, I have my claim to fame in InfoSec on this slide; you see there, as my pinned tweet, right, I was named the unofficial MVP of BSides Chicago for doing back-to-back presentations last weekend. It was pretty awesome, because a presenter didn't show and I had two different presentations ready to go. Anyway, that's me. I have 17 years of experience in IT. I started out doing systems administration, then got into InfoSec, and now I do, like, enterprise defense. I'm responsible for IT operations and for our compliance and for meeting all those requirements I was describing. Additionally, I'm a BSides Charm organizer; I'm on the organizers team, and I want to show you, I have my BSides Charm keychain floaties with me today. So if anyone wants to come up to me and find me, asking anything about the presentation, I'm probably the only guy here with keychain floaties hanging off my badge.

So, back on topic. Having a robust defense isn't about how many products you buy or how much money you spend. It's about your security program and all the things that you actually do. I'm here to dispel the myth that small organizations have crappy security and that the size of the organization determines how secure it is. Security has to be a priority for your organization, no matter the size. You can't rely on your vendors or hope to avoid incidents.

Large organizations have silos, right? We've all heard this before, and the slide here, it's purchasing, marketing, sales, and operations. Well, there are silos for IT, and in really large organizations there are even silos for information security today, right? You have security engineering, which usually is a different department, different people, than your SOC analysts, and those people are also different from the team you would send out to do incident response, and they're all different from the people who do IT operations. So they can't have as much knowledge of your operations as you can contain into a small team in a smaller organization. Large companies also tend to outsource to managed security vendors, right? And these companies specialize in monitoring all your log data and trying to identify, like, what's a real incident that you have to do something about versus just noise. But they're even another step further removed from your actual IT operations and less knowledgeable of your environment. Additionally, many InfoSec practitioners at large orgs tend to become jaded and feel like all of their efforts are worthless. This is another benefit of a smaller organization: you're more likely to have a larger voice and be able to reach the decision makers and policy makers at a small organization, and there are going to be fewer layers of red tape to get through to make changes and get things done.

So what does it take to have a robust defense? Well, I think you always have to have management buy-in and commitment. You know, it has to be top-down. Your management has to be committed to information security. Executives need to understand their roles and responsibilities, and they shouldn't be asking for exceptions to the rules; they should set the example and make sure InfoSec is considered and consulted in business decisions, and they need to be committed to investing resources into information security.

Additionally, to have a robust defense you have to have a minimum set of policies and procedures. All large organizations tend to have these, and it's not that hard for small organizations to set these up either. I'm talking about things like an information security policy, an information risk management policy, an acceptable use policy, which is actually read and signed by users before they get access to your environment, that says what they can and can't do in your environment, and those should also be reviewed and signed on an annual basis. You also have to have patching procedures, you know, a mature process to get all your vendor patches applied as quickly as possible. You have to have incident response procedures, even if your incident response procedure is "call this company that we've set up a relationship with, and they're gonna come in and do response." You need to think about that kind of stuff in advance. You also need to have baselining procedures for deploying systems, and you should ideally have a ticketing system with an authorization and approval process.

To have a robust defense you also need to try to implement the basic principles of InfoSec. I'm talking about default deny, least privilege, and layered defenses. We've all heard about these, and I argue that they can be done more easily at a small organization than at a really large organization that might have been around for longer than the internet, right? And when they first put in their first firewalls and email, everything was wide open; well, now you have to go back and change all that. It's a lot easier at a smaller organization. You also have to be flexible and adaptable to emerging threats. You need to be able to deploy patches quickly, and with a smaller environment I think that it's easier to do that than at a large organization. And lastly, you have to leverage your home-field advantage, right? People say in information security that the attackers only have to be right once and the defenders always have to be right. Well, I don't think that's entirely accurate, because you have to take into consideration home-field advantage. Your knowledge of your environment gives you a huge advantage over your adversaries when it comes to InfoSec, right? So it's critical that you have deep knowledge of your environment in your people who are doing your security and your incident response, right? So how well you can concentrate that knowledge into those people, I argue, will make them more effective. And in a smaller organization, that smaller team is going to know a lot more about all of your environment than in a large, siloed environment.

So for our case study: the company that I work for is a small business in the DC area. We have about 40 employees, right? Not very big. You wouldn't think of a company that size generally as having a really mature security program, and that's, you know, what I'm here to talk about. So we have about 40 employees. We are a technology company; we're not like a construction company or something. We are a technology company, so we have a lot more resources than maybe other small companies do. My team is a staff of six people. It might sound like a lot for a company with only 40, but again, we have to maintain a lot of compliance requirements: for SSAE 16, for our FISMA moderate ATO for our federal system that we run, and for CMMI Level 3 for development. A couple other interesting things: we mostly operate on-prem systems. So we have about 250 servers at two locations today, and we don't use many cloud services. We're not using Office 365, we're not using Google Docs, we're not using Dropbox or anything. We tend to run everything on-prem and try to retain the knowledge of the environment and configure them, you know, as locked down as we can.

So I'm going to highlight our implemented security controls at various levels, and I apologize, I can't take the time to describe all of the tools and things that we have implemented in advance because of the 25-minute time slot, but I tried to get everything I want to mention on the slides. So if there are any tools, like, you haven't heard of, you can go back and look at the slides, or you can come find me. Again, I'm probably the only guy here with BSides Charm floaty keychains, the red and blue. I'd be glad to talk to anyone about anything that we're doing after the presentation.

So, starting with perimeter protection. We manage our own infrastructure: our routers, switches, VLANs, everything in our data center. And we have a real data center. It's a raised-floor, 3,500-square-foot data center with CRAC units, UPS, everything, because we've been doing this since the '80s. It used to be full of mainframes; now we have like eight to ten racks of equipment, but it actually is a data center, it's not a closet, okay? And we try to do everything ourselves with regard to hardware. So, you know, we install all the servers, we install all the network gear. When a drive fails, they ship us the drive, we put it in. We try to retain that knowledge in our small group of people.

So some of the layers we have implemented: we're doing RFC 1918 and LAN protocol filtering out at the router, just stopping all that stuff out there, and everything is behind a firewall cluster. We don't have anything on the perimeter exposed; everything is behind a firewall cluster. We've implemented geo protection. So geo protection, if you don't know: you can block IP addresses by what country they've been assigned to. So we actually block everything from outside the United States from coming in to our environment. Not a lot of large organizations can do that; not a lot of small organizations can do that. Well, we can, because of our business requirements. This is all talking about, you know, the basic principles of InfoSec: default deny, least privilege. We don't need to get there; they don't need to get here, so we just don't allow it. Now, if somebody, you know, wants to attack us, sure, there are proxies and other ways that they can get past that, but it's just a simple method to knock off a whole lot of noise that we would otherwise have to deal with.

Similarly, we've implemented the SANS Internet Storm Center block list, which is something that's been around for at least 15 years. It's just a simple, like, crowd-sourced list of the top, I think it's 20 or 50, attackers that they see every day from everyone who submits information to them, and you can download the list for free off their website. There are scripts you can download to throw it in iptables, and actually a lot of enterprise products, including the one that we use, have a checkbox: block everything that's on the SANS Internet Storm Center block list. So we've implemented that. We use Cloudflare for public DNS and their WAF for our public websites as another, you know, layer of defense for those public systems. And we run our own on-prem GPS NTP time servers. You know, they're actually a fun thing to implement, and then we don't have to reach out on the internet for NTP to pull in time data.

For network segmentation, I think this is something that's also easier done in a small environment, right? We have a dedicated PC LAN, we have a dedicated internal servers LAN, and we have multiple customer DMZs, physically segmented, so no traffic can go, you know, from one to another without an explicit rule in the firewall. This isn't something that's really complex to do, but I think it's a lot harder in a really large environment than it is in a small environment. We also have an isolated guest net, and that's the only way you can get Wi-Fi in our facilities, is on our guest net, and this is completely isolated. So we have separate cabling throughout the building to the different APs, and they go to their own Comcast cable modem. It's something that's not very complex, but I talk to other people or other companies and they're like, "Who does that? Nobody does that." It's like, well, we do. Why not? It's simple. And if people want to go out to social media, you know, Facebook, Twitter, or whatever, we don't allow any of that on our internal network because it's not core to our business, but we encourage them to bring their mobile devices, get on the Wi-Fi, and do it from there. We also don't use DHCP. We don't have that many nodes; we can statically assign all the IP addresses and run arpwatch, which is a free tool that alerts us when there's a new, you know, MAC address or IP change on the network.

For default deny and defense-in-depth, a few items here. We don't have any default outbound allow firewall rule. We don't have any automatic NAT. So any new object that shows up on our network, it can't pass any traffic in or out until we put in a firewall rule, and we have change control processes where they have to be approved by myself or one other person, who are the authorized approvers, and we approve each other, so nobody can just make a change and allow something new to pass traffic. We also do TLD blocking, and people think I'm crazy when I tell them that we do this. But, you know, TLDs, these are your top-level domains: .com, .net, or .gov, right? So for our business, we determined, we did some analysis of logs, and we determined the only ones that we actually need for anything that our business does, it's like eight TLDs. And nowadays there's like .car, like .pizza, like there's all kinds of crazy stuff, right? And in our analysis of a lot of the phishing emails that we get, usually they're like .io or .ru or other places where we simply don't need to get to. So this is simple: cut it off at the web proxy, you can't get there. We also do file type filtering to exclude executables on our web proxy and on our email filtering.

And we have many layers of email defense-in-depth, because again, we run our own on-prem installation of Exchange. So quickly, the layers that we have: we use Spamhaus, they have a DNS block list. Our firewall product has a blade that does, you know, email protection that, you know, takes out those links, removes things that look like malicious files, etc. It passes all the email then into another email protection gateway that's from another security company, a different company, that does the same types of things. And then finally it gets internal to our Exchange environment. We've also implemented SPF and DMARC, and we do attachment monitoring for DLP.

For user-level protections, we lock down all of our PCs like you would expect at any company with a really mature IT department, right? We have a mature group policy that, you know, you can't be an administrator, you can't change a lot of stuff, you can't install programs. We've also implemented multi-factor authentication, so everyone has their username and password and they also have a token. It used to be a hard token; now we use the mobile app tokens, because everyone brings their phone to work, and we don't have to give them as many temporary codes. But we've implemented multi-factor authentication. And for mobile device restrictions, you know, a lot of companies have tried to figure out how to deal with this, and you can block USB ports via GPO, but something that we've done in addition is we've provided everyone with power strips on their desks that have the USB ports. Now, you can go buy these, you know, anywhere; they have like, you know, two or four. So we tell people, hey, you know, bring your phone, but instead of plugging into the computer, plug in right there; we provide it to you. And that avoids a lot of people plugging stuff in, now stopping to go track it down, tell them "don't do that," etc.

So for content malware filtering, in addition to web proxying, we also use DNS filtering with what used to be OpenDNS; I think they're now called Cisco Umbrella. There's also Google's DNS; there are several of these companies out there, right? And most of them let you use their service for free, and they will block known malicious websites and they will block access to adult websites, you know, based on the DNS. But if you pay for a subscription, you can also do category blocking, just like you can with a web proxy tool, to block access to, you know, wide categories of things that might be offensive material, things you don't want to show up on your network. So it's just another layer. We use the web proxy and we use the DNS filtering. Also, our firewalls block shadow IT services. So like I said, we don't let people get out to, you know, Dropbox or Facebook or Twitter or things like that from our internal network, because it's not core to our business. The way we do that is with the firewalls. They block access; they can identify all kinds of different shadow IT services, and we just, you know, block that stuff. Everybody knows it's part of the policies; we do a lot of trainings, but that's how we actually implement it. We're also using Sysmon and Splunk to automate alerting on anomalous activities on our endpoints. And of course we have a mature information security awareness program that involves annual trainings and user recertification.

For patching, we have a mature monthly process to make sure that all of our vendor patches are applied. If you have to meet compliance requirements for FISMA or for PCI, they all define, like, a time frame, like 30, 60, 90 days, you have to apply major vendor patches, right? So we have a pretty mature process to make sure it gets done. Everything's tracked, and it's automated, I'm sorry, it's audited by our SSAE 16 auditors every year.

For network monitoring, we have implementations of Snort IDS, Bro IDS, our firewall's IPS product. And for all of these, I'm not talking about, like, installing it in default settings and running it, right? There's a lot of care and feeding involved in these tools, and you have to get new signatures, you have to customize them for your environment. This is all stuff that we're able to do. We also run HTTPS inspection on our firewall and on our web proxy. If you're not doing HTTPS inspection, you can't, you know, look for those categories, look for certain types of traffic, if it's encrypted. So you have to implement HTTPS inspection. This is another thing that we're able to do. And we also use SHADOW. Has anyone heard of SHADOW? Quick show of hands. No one's heard of SHADOW. So SHADOW is a tool that was developed by the US Navy in the 1990s, and it's basically a set of Perl scripts that's like a wrapper for tcpdump. And with SHADOW, you set up filters, and it records all the network traffic that you feed to it, and it breaks it down into tcpdump files by the hour. So we run SHADOW, and we run it on our perimeter, and we record all traffic that goes between us and the internet, and we keep 90 days' worth of internet traffic on disk in our data center. So that when we see something that looks like they might have clicked on a link that took them to a phishing site, or, you know, a site that we know could be infected, we simply go back, pull the file for the hour, look at the traffic, and start our analysis from it. It's a great tool, it's free; it's just another thing that you can do.

For system monitoring, we run Splunk, and we send all of our event logs from all of our network devices, all of our servers, even all of our PCs, go into Splunk, and we have a lot of searches that generate alerts for us. I'm gonna talk more about that in a moment. We also run WhatsUp, which is an availability monitoring tool and a performance monitoring tool, as well as Veeam ONE for our VMware environments.

So, daily ticket reviews. We have an automated process that generates tickets for us, and alerts, and we have a couple of different ways that we do this. So like I said, all of the logs get sent into Splunk, right? On Splunk we have one-to-five-minute searches that identify real high-severity issues, you know, things like a problem with a router or a signature for a ransomware, and those will send us text messages to every one of my team's phones. And then we have other searches that we've customized that generate tickets for us every day to look at things like VPN logins, root and admin logins, print jobs, email attachments, and every swipe of building keys in our environment, right? A lot of big companies look at this stuff too, but I think in general they're automating looking for things that they think are abnormal, or, like, you only look at the fails, right, not the successes. Well, this goes to my argument: in a small environment, we look at the successes and the fails every day on all of those things. We have to review tickets that show it, so we know what our normal operations look like better than a large organization would that's only getting alerts on fails, or things that they defined, you know, maybe months or years ago. We know what it looks like every day.

For configuration management, we're running Ansible for configuration changes to all of our Linux environment. We use VMware templates to deploy servers into our VMware environment, and we have PC images to make sure that all the PCs are deployed the same way, and all the change control is monitored in our ticketing system. We also do our own vulnerability scanning. We run automated weekly scans with Nessus; we do manual scans pre-deployment with Nessus and Burp for our development staff. We use some other tools as well, but these are the primary. And we also do automated daily web scans by Sucuri Security as a vendor, where it's like 25 bucks a month, they'll scan 10 websites for you. So we have public sites, and in addition to all the monitoring we're doing, we have them hit them every day, and they look for, you know, indicators of compromise, or that we're behind on a version of WordPress, that kind of thing you want to know about and get fixed. So it's just another inexpensive way of monitoring your environment.

For incident response, we have pretty mature IR policies and procedures, and we do annual IR team role-based training with all my staff. We also have monthly staff meetings, and during our staff meetings we do post-mortems for any incidents that came up that month. We have an implementation of Cuckoo Sandbox in our environment, which is a great open-source tool that you can feed files, you can feed URLs that you think might be suspicious, and it'll do a lot of analysis and it'll give you a score and give you a lot of ways that you can go do further investigation. We also run, like I said, Bro, and manual traffic dump analysis from the SHADOW logs. We also have experience running Autopsy and some other open-source forensic tools for disks.

So that's a very brief overview of the security program that we've implemented. One thing I didn't mention earlier: I said the team is six people, right? We have one dedicated InfoSec person, one person that that's their title, that doesn't have any other roles and responsibilities like systems administration, database administration. We're able to do all the things that I talked about with six people and one dedicated. So in conclusion, you know, the statement that only the largest enterprises can afford a robust defense, I think, is false. You know, not all small businesses are hopeless when it comes to information security. Small organizations can afford a robust defense, and for the reasons that I described, they can be more effective in some areas than larger organizations. So I wanted to quickly say thank you to krosang, who was my mentor for the presentation, and if there's any time, taking questions.

[Audience] What's your approach for remote access, like for remote workers, like working from home and VPN access? Do you allow those in the network, or you're not required to have that?

A good question. We do have a VPN. It's not available to everyone, so one of the VPs actually has to sign off for VPN access for someone. So if you're a developer for us, you don't automatically get VPN access. It tends to be worked out when people are hired, you know, how much remote work they're gonna do versus on-site, and if there's a business need we do give them VPN. It's an SSL VPN product that we deploy. If they have VPN access, then the only thing that they can do through the VPN tunnel is Windows Remote Desktop. That's actually something else I should have probably mentioned in the slides, but the people that we have given VPN access, they don't just have, like, wide open; it's configured on the firewall, so the only thing they can do is RDP to the internal network, to their corporate PC. That's it. So whatever rights that we've given them from their corporate PC, then they can get out to that once they get in. Thanks, and thank you very much.
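The TLD blocking the speaker describes (analyze the outbound proxy logs, allow only the handful of top-level domains the business actually needs, deny everything else at the web proxy) as an added Python example. This is not the speaker's code or proxy configuration; the log format, the hostnames, the request counts and the `min_requests` threshold are constructed for the illustration, and `tld_of`, `derive_allowlist`, `decide` and `filter_log` are names chosen here.

```python
"""Default-deny TLD allow-listing for an outbound web proxy.

Added example, not the speaker's code or configuration: it shows the two
steps the talk describes, deriving the business-required TLDs from proxy
logs and then denying every request to any other TLD. The log format,
hostnames, request counts and the min_requests threshold are constructed
for this example.
"""
from collections import Counter
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of a historical outbound proxy log: epoch, client IP, URL.
HISTORICAL_LOG = """\
1501000001 10.0.1.15 https://www.example.com/index.html
1501000002 10.0.1.15 https://www.example.com/login
1501000003 10.0.1.22 https://cdn.example.net/app.js
1501000004 10.0.1.22 https://static.example.net/style.css
1501000005 10.0.1.31 https://docs.example.org/guide
1501000006 10.0.1.31 https://lists.example.org/archive
1501000007 10.0.1.40 https://www.example.gov/forms
1501000008 10.0.1.40 https://portal.example.gov/login
1501000009 10.0.1.52 https://tracker.example.io/pixel.gif
"""

# Constructed sample of later requests to run through the derived policy.
NEW_REQUESTS = """\
1501100001 10.0.1.15 https://api.example.com/v1/status
1501100002 10.0.1.22 https://update.example.ru/setup.exe
1501100003 10.0.1.31 http://192.0.2.10/payload
1501100004 10.0.1.40 https://www.example.org/
1501100005 10.0.1.52 https://MAIL.EXAMPLE.COM./inbox
1501100006 10.0.1.52 https://help.example.pizza/
"""


def tld_of(url: str) -> Optional[str]:
    """Return the lower-cased last label of the URL's host.

    Returns None for IP literals (v4 or v6), dotless names and unparsable
    URLs: under default deny those have no TLD to match and are refused.
    """
    host = urlsplit(url).hostname  # urlsplit lower-cases the host for us
    if not host:
        return None
    host = host.rstrip(".")  # "example.com." is the same name as "example.com"
    if ":" in host or "." not in host or host.replace(".", "").isdigit():
        return None
    return host.rsplit(".", 1)[1]


def _urls(log_text: str) -> Iterator[str]:
    """Yield the URL column of each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[2]


def tld_histogram(log_text: str) -> Counter:
    """Step 1 of the analysis: how often each TLD appears in the log."""
    return Counter(t for t in map(tld_of, _urls(log_text)) if t)


def derive_allowlist(log_text: str, min_requests: int = 2) -> frozenset:
    """TLDs seen at least min_requests times are treated as business
    requirements (hypothetical threshold; in practice a person confirms
    each entry before it becomes policy)."""
    return frozenset(t for t, n in tld_histogram(log_text).items()
                     if n >= min_requests)


def decide(url: str, allowlist: frozenset) -> str:
    """Proxy decision: ALLOW only when the TLD is on the list, else DENY.
    A None TLD never matches, so IP literals fall through to DENY."""
    return "ALLOW" if tld_of(url) in allowlist else "DENY"


def filter_log(log_text: str, allowlist: frozenset) -> Tuple[List[str], List[str]]:
    """Split the requests in a log into (allowed URLs, denied URLs)."""
    allowed: List[str] = []
    denied: List[str] = []
    for url in _urls(log_text):
        (allowed if decide(url, allowlist) == "ALLOW" else denied).append(url)
    return allowed, denied


if __name__ == "__main__":
    policy = derive_allowlist(HISTORICAL_LOG)
    print("allow-listed TLDs:", sorted(policy))
    ok, blocked = filter_log(NEW_REQUESTS, policy)
    for u in ok:
        print("ALLOW", u)
    for u in blocked:
        print("DENY ", u)
```

Two caveats a practitioner would want. First, the policy works on the last label only, so a host under a multi-label public suffix such as .co.uk is judged by "uk"; that matches the TLD-level control the talk describes, and finer control belongs to the category filtering and executable blocking the speaker layers on top. Second, as the speaker says, this is a noise reducer, not a phishing stopper: plenty of phishing lives on allow-listed TLDs, so the value is in shrinking what the proxy, IDS and daily log review have to look at.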