Big companies and large government agencies have large, dedicated IT support and cyber security teams working to protect their systems and data. IT responsibilities are often divided into separate teams that are then able to focus on their area of responsibility.
Small to medium sized enterprises (up to about 200 staff) tend to put all their IT security needs in the hands of a small group of staff or a Managed Service Provider (MSP) that are also tasked with providing day to day IT support and management.
In many cases, this works well.
However, IT support teams are, by their very nature often focused on reactive, day to day support, installation, and management tasks, often with undesirable consequences such as ad-hoc attention to strategy and policy and a focus on “tactics” rather than governance and strategy.
As a key organisation manager, you need to ask yourself “is your Cyber Security up to scratch”?
If the security basics are not implemented, then a SIEM (Security Information and Event management) solution will likely generate significant incident alerts that will be impossible to manage. For example, if you have your CEO’s email address publicly available on the website, it is highly likely hackers are already attempting to hack the account using scripts to attempt to determine the password using brute force.
Here is a list of our 9 Practical Cyber Security Tips that should be implemented before considering a SIEM solution.
1. Multi-factor Authentication
Protect all cloud-based user and administrative accounts using Multi-Factor Authentication (MFA). MFA requires users to provide at least two different ways to identify themselves. The most common methods being a password and a code. The code is often sent via SMS to their mobile phone, to an email address, or is obtained from an Authenticator application.
2. Restrict Execution of Malicious or Undesirable Software
All computers should be protected via the use of effective Anti-Virus/Anti-Malware software. Ideally, this software is centrally managed and capable of generating alerts to system administrators to enable ongoing tracking and reporting of incidents.
For organisations with a higher level of security requirement, implementation of software that performs “application whitelisting” may be desirable. This software only allows pre-approved applications to be executed and provides a very high level of application security. However, it comes at a cost and is generally not particularly desirable for personal devices (BYOD). The implementation of application whitelisting requires management buy in and a commitment to saying “No” to end user requests for non-standard software.
3. Implement System Access Controls
Protect all on-premises and cloud-based systems with appropriate system access controls, such as:
Use of access permissions to limit access to data to authorized users only
Limiting access to corporate devices only
Preventing the synchronisation of data to personal devices via OneDrive, Dropbox, and other applications
Implementing Geo-blocking and other techniques to reduce the attack surface as much as possible
Geo-blocking is the implementation of processes to block access from certain countries based on the perceived location of their internet network address. It is not foolproof as a hacker from overseas can utilise a VPN in the desired country to obfuscate their location, however, in our experience, well over 99% of all malicious connection attempts come from a few specific overseas countries.
4. Limit Devices
Limit the devices that staff use to work with corporate data, especially the use of personal devices.
In the small to medium enterprise, most personal devices are unmanaged with varying levels of anti-virus software, no standard update processes and no management control. In an ideal world, staff should be issued with corporate devices that conform to a standard operating environment and are managed effectively. Staff members that login to corporate resources from one or more unmanaged personal computers, tablets or phones, especially on an intermittent basis, are likely to trigger anomalous warnings. For more information, refer to our blog post “The Trouble With BYOD”).
5. Follow Best Practice
Ensure best practice is followed for:
On-premises server and workstation configurations
Network equipment configuration
Cloud solution security processes
For example: The use of Windows Home, non-domain joined devices or drive mappings using different credentials to access server resources are likely to trigger background security events, leading to “false positive” alerts. Whilst users and system administrators may not generally notice these issues, a SIEM solution may generate hundreds or thousands of alerts per day.
6. Implement SSL VPNs
Implement VPN solutions that utilize SSL functionality to provide cross platform compatibility and multi-factor authentication (username, password and SSL certificate).
VPNs using PPTP and SSTP generally only utilize single factor authentication. Hackers identify these services and then attempt random combinations of usernames and passwords to login. If the combination is simple, they get access and if the combination is complex, it can generate thousands of alerts and lock out user accounts. There are also security issues with PPTP VPNs and these are no longer usable on Apple devices.
7. Perform Database Logging
Ensure publicly accessible database systems have appropriate logging capabilities implemented.
Loss of data from a database containing customer details (e.g. online store, membership portal, product support portal) may be subject to privacy breach notification legislation. If your database does not log accesses appropriately, it may be difficult to comply with that legislation. If the database generates useful log data, then a SIEM solution can be used to identify anomalous activity, generate alerts and allow the implementation of system improvements to prevent breaches before they occur.
8. Implement Systems Governance
Whilst it may be desirable to outsource or delegate IT support, a chief decision makers responsibility is to ensure appropriate systems, processes and controls are in place. Whilst not technically required for a SIEM solution to work, implementing appropriate system governance will make implementation easier and provide better results.
9. Provide Security Training to Staff
Provide suitable security training to your staff.
Whilst staff training is not necessary for a successful SIEM implementation, the biggest risk to data is from internal threats. Staff should undertake security awareness training and be able to identify malicious activities such as spam, scams, phishing attempts and ransomware.
Special Note
This list is not meant to be an exhaustive list of all recommended security practices, merely those that need to be in place before implementing SIEM.
We have made the assumption that your current IT service provider has implemented processes such as effective backup and recovery, disaster planning and the regular application of operating system and application updates.
Many dedicated cyber security organisations have a "bells and whistles" approach to SIEM with high costs outside the budget of many SME's. If you'd like to discuss whether our solution is appropriate for you, please complete our cyber security questionnaire and we'll get in touch to book a time to chat.
Commentaires