
All right, let's get started. Today I'm here to talk about how to build an endpoint security program from scratch for an organization. I've got a lot to cover today, so let's quickly get started. The things I'll be talking about today are: why it is important to have an endpoint security program; what endpoints are and why determining your scope is important; security threats in this space; program goals; creating a maturity model; identifying your key stakeholders; and lastly, what the execution of this program would look like.

Before I dive deep into the topic, I want to briefly introduce myself. My name is Nished. I currently work at Netflix, where I lead their endpoint security program. I have over a decade of enterprise security experience from working at different companies and educational institutions, like Harvard and Salesforce, to name a few.

All right, so you must all be wondering: why is it important? Why does my company need to have an endpoint security program? Why do I need to build something? I've got enough things to worry about. The answer is, as you all probably know, in today's day and age anybody can work from anywhere and use pretty much any device to access your company resources, and that's a huge security risk. Gone are the days when people used their corporate desktops in a controlled setting and those were the only means by which they could access your company resources. Now everything is pretty much accessible from any device, anywhere. So think of your employees, who are constantly using their endpoints to access your internal data, your financial data, your customer data. What if those endpoints get impacted? I'm not talking about just your company-owned devices, but your mobile devices, your tablets, your personal devices; I know certain companies have a BYOD policy. If those endpoints get compromised, all of those things that your employees are able to access are impacted as well. That's why it's really, really important to have a comprehensive endpoint security program for your company.

Let's talk about endpoints. Over the years I've heard many different definitions of what an endpoint is; it seems like everybody has their own idea of what an endpoint is. So I just want to get the facts straightened out and maybe get everybody on the same page here. As I see it, and I think most of you will agree with me, an endpoint is any device that is connecting to and exchanging information with your network. It's as simple as that. Some of the endpoints you can think of are your physical servers, your virtual servers, your mobile devices, your tablets, your laptops, even your smart devices such as your printers and your smart watches. Everything is an endpoint. In my work I've also seen people misrepresenting endpoints, such as saying that the API endpoints in your company are endpoints. Those are not technically your endpoints; I'm talking more about devices exchanging information and things like that.

With that in mind, there is some prep work that we need to do for the implementation of this program, which is really critical for the success of what you're trying to build here. The first thing in this prep work is scope. You need to determine your scope as early as possible. As I was mentioning on the previous slide, there are many different kinds of endpoints available in the market: you have your traditional endpoints, such as your desktops, laptops and tablets, and you have your non-traditional endpoints, such as your printers, cameras, etc. You need to identify the scope of your program. It will help you with a couple of things: first, it will help you prioritize and envision where your risk lies within the company, and it will also help you understand which technologies and processes you need to invest in to either reduce or eliminate this risk. Let's say your company has a policy where they allow company-owned devices such as Macs and Windows machines to be used for company resources, along with the use of personal mobile devices. If that's the case and those are the devices that you want to secure, that becomes your scope. If, on top of what I just mentioned, your company has a BYOD policy where people are allowed to use their personal laptops and desktops to access company resources, and you want to secure those, then that becomes the scope as well. So try to determine what devices are allowed in your company and identify those as the scope. The other really cool thing about identifying this early on is that it will help you make informed decisions throughout your program, which will be really crucial for the success of the outcome of what you're trying to do here.

The second thing you want to do here is identify and document all your security threats. Based on the business that your company is working on, based on the scope or the devices that they are allowing, based on the company's culture, you need to identify and document all the security threats that are applicable to you and your company. If you need help with this piece, you can reach out to your partners as well: you can work with your legal team, your detection team, your compliance team, and they will also be able to help you identify all the security threats that you are seeing in this space for the company. Some of the security threats that I've seen that are applicable: data leakage, data compromise, credential compromise, and disruption of service happening because of a compromised endpoint. Again, this is not a comprehensive list of all the threats that you see in this space, and your threats may be different from what I mentioned here, so I really, really recommend you work with the internal teams and try to find out all the security threats that you see in your company.

Next you need to identify and document your program goals. At this point you have identified your scope and you have identified your security threats; based on that, you need to identify and document all your goals. To start, think of your short-term goals as what you want to achieve in, let's say, a year or so; then think of your long-term goals as what you want to achieve in less than three to five years. As an example, if you want to implement something like device zero trust in your company, which will roughly take you a couple of years or three years to implement everything, then that becomes your long-term goal. I'll talk more about device zero trust on a future slide, so bear with me for a minute. In terms of short term, if you recognize that, hey, I don't have a good asset inventory and I want to solve that first before I go do my device zero trust, which will probably take me a couple of years, then that becomes your short-term goal. So try to identify where your gaps are, where you're trying to go with your endpoints, what your endpoint final state looks like, and try to determine your goals early on. The other thing I recommend while identifying your goals is to also have some kind of tracking in place. With tracking you'll be able to do a couple of things: one, you'll be able to measure the progress that you are making on each of these goals, and second, it also helps you envision whether you'll be able to achieve these goals in the committed time frame or not. So apart from identifying goals, also have some kind of tracking in place as well.

Next, I highly recommend you create a maturity model for the endpoint, something like what's shown on this slide. Creating a maturity model will help you really understand where you currently stand in terms of maturity for your endpoints. As you probably know, you may be more mature in some of your endpoint controls and less so in others. So have this kind of maturity model created while you are implementing or designing this program. Apart from assessing and giving you the idea of where you currently stand, it can also pinpoint where you have the biggest gaps within a certain control, and that's where you will be able to prioritize and get your resources to fix those gaps first. As you see on this slide, I've included an example where on the leftmost side you have some of the controls that you may want to implement in this space, and then I've defined various levels for each of these. When you think about implementing something, you may not be able to go from 0 to 100 in one go; for some of these controls you may be trying to reach some milestones, and you may already be there in some shape or form, and from there you want to achieve your final goal. So these levels are defined in that way, where you have your milestones, which are represented by level zero, level one and level two, and then you have your final goal position, level three. Apart from assessing your current state through this maturity model, you will also be able to envision what your final endpoint state would look like. Let's say you implemented all these controls and you are at the final level, level three; that's what your final endpoint state would look like, and you can communicate to your leadership team and your other teams that this is what I want to achieve in, let's say, three or four years if I'm able to do everything I mentioned here.

Lastly in this section is stakeholder management. Try to identify your key stakeholders as early as possible. You will not be able to go further in this process without the help of your key stakeholders, so I highly recommend you spend some time identifying your key stakeholders and getting some commitment in terms of time and resources to help you out with the implementation of the program. I'm not saying that it's going to be an easy ride and everybody's going to agree with you from day one, like, hey, yeah, let's do this thing, let's implement it, I'm gonna give you all the resources. You will have your own challenges. If you do, don't be worried about it: talk to your managers, talk to your executive sponsors, talk to their teams for that matter, and try to find a middle ground and why they are hesitating and not committing resources to what you're trying to solve here. All the teams that I've worked with in the past came from my security team, my corporate IT team, my support teams, my legal team; that's where I found my gems, that's where I found my all-star team members. So these members are going to be around, and you need to find them and work with them. As a bonus, some of my current and former all-star members are present in this crowd here as well, so a shout-out to all of them; they know who they are. Thank you for everything that they did.

Apart from identifying key stakeholders, I highly recommend you build strategic partnerships with your partners as well. There may be, for example, a different group within the company who's trying to solve a different problem than yours, but they want to implement a similar set of technologies and processes to what you're trying to do here. So try to identify opportunities like this and work closely with them as much as possible. It will help you achieve two things: one, it will help you maximize the use of your resources efficiently, and second, it will help you reach your goals in a much faster way. So try to do this kind of stuff when you're thinking about your key stakeholders and trying to build these strategic partnerships.

All right, so on to the execution. Let's say you did everything: you did your scope identification, you found out what your security threats are, you found your key stakeholders and got commitment. Let's talk about how the execution of this program would look. The first step in this process is getting and creating an accurate asset inventory for the company: all the devices that are connecting to your organization and which are able to access your resources. You need to have an asset inventory for your company. It's like the saying, right: you won't be able to secure devices that you don't know of, and that's precisely what this asset inventory will help you out with. The asset inventory will help you out with two key things: one, it will help you better understand your threat landscape for the company, and it will also help you understand and design the security controls that you need to implement based on that threat landscape. So try to have an accurate asset inventory as quickly as possible. If you don't have one, try to work with your partners: try to work with your IT team, your procurement team, your HR team, and they will also be able to help you set up tools and processes to help you get a better asset inventory. There are also many tools available now in the market. You have your agent-based tools, which get deployed on all the devices and through which you are able to collect device telemetry, and that becomes the foundation for your asset inventory. Then you have your network-based agents, which are constantly scanning your network traffic and, based on that, trying to infer your device-level information. And lastly you have your browser-extension-based software, which is installed on all your browsers and is also able to work in a similar way to your agent-based tools, where they're able to collect device-level information for the asset inventory. The one benefit that I see with browser-based is that those are really lightweight; if you're worried about performance and things like that that come with agents, this is a solution that you might want to look into.

The second thing I want to mention here is prioritization. You need to have some kind of prioritization methodology when you're trying to implement something from this program. It's really important to have this method so that you are able to use your resources in a more efficient way and bring down the risk for the company in a more meaningful way. One of the prioritization methods that I've used in the past is a risk-based approach, where I try to identify the riskiest users in my company. I look at things like what teams they are part of, what position they are in, what kind of access they have. I look into security factors like, hey, when I was running a phishing exercise, how many times has this user failed the exercise; what security incidents and threats have happened in my company, which users were part of that, and what caused the incident in the first place. So try to work with your partners, your detection team, your threat intel team, and they will be able to help you pull up these numbers. Second on the list, I try to identify my riskiest devices. I look at whether the device is personally owned or company-owned, whether it's enrolled in endpoint management or not, what security tools are present, what kind of data is on it, and does it have any secrets on it. If those answers come back yes, then that becomes my risky device. I then combine these two sets of data, your scored users with your scored devices, and that gives you a prioritization list. The beauty of this is that you don't have to use this prioritization just for your endpoint-related stuff. You may have different initiatives: you may be looking at compliance training, you may be looking at passwordless in your company, and you can pretty much use the same method for those other initiatives as well.

The third thing on this list is endpoint management. For folks who don't know, it's the process of managing and securing your endpoints. This process is really important, as it will help you secure the information that's stored on the device and the device itself as well. There are many commercial off-the-shelf products available now in the market, so you don't need to reinvent the wheel: Jamf, Intune and Google MDM. But these products are really specific to the OSes that they support. So if your company is only using Mac and Windows, then you can pretty much use Jamf and Intune; Google MDM will not work, because it only supports Chromebooks. So it's really critical to identify your scope and the asset inventory early on; that can help you make informed decisions just like this: what products you need to buy, what technologies will be supported on your devices. There's a common notion that MDMs are generally used for increasing productivity, for zero-touch provisioning, but they can also do much more than that. It can help you with your fleet visibility, it can help you build your secure-by-default controls, it can help you with incident response activities. The other thing it can help you out with is doing a remote lock and wipe. Let's say, in the event an employee loses their device or cell phone at a conference or on a train, or something happens, you can issue a remote lock and wipe, whatever you want to do at that point. An MDM is a solution that can help you out with that.

The next thing is security tools and configuration. Let's say you identified some of the biggest security threats in your company and you are in the process of either eliminating or reducing them, so you may be looking at, hey, I want to implement a new control or a new process or a new configuration. Before you dive deep into the process of researching a new vendor or a new config or something like that, try to gather enough requirements, or all the requirements, from all your key stakeholders. I'm not just talking about security requirements here; I know we are security people here, but there are also different kinds of requirements: you have your operational requirements, you have your performance requirements. So try to work with your systems engineering team and your support teams, who are going to be impacted by these new changes that you're trying to roll out, and gather all those requirements early on. Let's say you've done all that and you are able to identify all your key requirements. The next step in the process is to identify your key vendors: which vendors are able to solve this problem that I'm trying to go after, and which of them are able to satisfy most of my requirements. While doing research, it's very common that you may not find a single vendor, and that's okay; you can work with the engineering team and get those built in-house. That's the whole notion behind buy versus build: if something is available and it's appropriate, you may want to go with that, and if not, you may want to build something custom in-house. There's nothing wrong with either of them; there are only pros and cons with each, so you just need to confirm which is going to make more sense for you. After you identify a couple of vendors that are going to help you out with this problem, try to run a quick POC: test it out on your testing machines and see if everything is working as intended or not. There may be things that some vendors are not able to satisfy, versus somebody who may be able to solve your problem but not able to satisfy some of the requirements. So try to run a quick POC and see which vendor makes sense for you. Still, this is not the time to go for deployment; there's still one step to go here, which is the testing phase, where you try to find diverse sets of users and devices on which you want to implement something and try to collect as much feedback as possible, so that you are able to test thoroughly before you're trying to implement something. And the last step in this process is deployment. Once you've gathered everything, you got the requirements, you identified your tool and your vendor, you did the testing, now is the time to communicate. That's the most cruc