The ideal security stack - part three

If you provide services to companies with compliance requirements, that must drive your choice of offerings, usually based upon one of the accepted security frameworks such as NIST, CSF, or a daunting number of others. Even in the absence of such requirements, it makes sense to become acquainted with a framework and to use it to guide your security strategy. However, in my case, I view things from the standpoint of perimeter, endpoints, and data pathways.

Read part one and part two of this series.

Perimeter

It surely is true that “the perimeter” means less than it once did. Some industries have always had highly distributed work forces, such as field sales. But with some notable exceptions nearly every business has seen its workforce migrate to remote or at least hybrid work. But the reality is, most businesses still have some on premise equipment and therefore, a perimeter to protect. Unless all your traffic is tunneled or otherwise “backhauled”, there is no substitute for a modern firewall/UTM (unified threat management) device.

In addition to traffic routing and inspection, most modern UTM devices can also provide heuristic analysis (by diverting suspect traffic to the cloud for “detonation” and analysis), as well as features such as WiFi6 (802.11a/x) and WPA3, as well as SSLVPN termination. With the much faster firewalls on the market today you can also enable DPISSL (deep packet inspection of encrypted traffic) and Layer7 traffic inspection. We even see DNS filtering is moving into UTMs today. A modern Firewall/UTM truly is the Swiss Army Knife of perimeter security.

Endpoints

No matter what your workers use for daily productivity, they must be properly protected. That includes, at the least, effective patching of the OS and applications, internal vulnerability scanning, managed detection and response (MDR), DNS filtering at every endpoint, and managed encryption of the mobile endpoints too.

MDR typically combines signatureless AV protection, a threat hunting element, and a SOC (security operations center) parsing endpoint logs and responding rapidly to identified threats. These are critical functions today.  We also encrypt our endpoints wherever practical. That might seem like overkill, but every barrier to data loss (even if devices are stolen) is surely worth pursuing. And device encryption is easy.

No discussion of endpoints is complete without touching upon IoT as well. Enumeration is the first step, as you cannot protect what you do not know is there. The next step is to segment IoT to the greatest extent you can. Finally, be sure to implement vulnerability scanning that you can extend to IoT as well. That’s why I call them the Internet of Threats.

M365 Endpoints

With so many attacks now aimed at or propagated by means of hosted mailboxes, it seems only natural to me to treat them as endpoints, just like your desktop and laptop machines. For that reason, we do not sell “bare” M365 seats. We include email filtering, dedicated anti-phishing (that tags all suspect messages very clearly), comprehensive backup of OneDrive, Outlook, Sharepoint, and Teams, and log reading and response services for every mailbox on every tenant.

Most of us would agree that mail filtering is critical, but I was not onboard with dedicated anti-phishing until I came just a few keystrokes away from being phished myself. Log reading of the tenants might strike you as optional, but so much of the malicious activity focused on M365 tenants is readily discernible if someone is watching. Logins from unlikely locations, from several locations far apart physically but proximate in time, and the creation of forwarding rules that surreptitiously reroute messages are just the first three such red flags that come to mind.

Data Pathways and Destinations

This covers several issues, including securing access to on-premise machines or cloud destinations by means of MFA (multi-factor authentication), as well as either SSLVPN or better yet, proxied RDS (remote desktop services). We must also provide some degree of DLP (data loss protection), whether you are protecting physical pathways (USB connected devices) or logical pathways (data leakage by email or to remote data stores such as Dropbox, Google Drive, or others). This starts with discovering where your clients’ data resides. If you want to scare yourself, just try to figure out all the places a dozen users store data and how it is protected.

The Keys to the Kingdom

The most glaring omission here is user training, and without that, we will lose this battle. For many of us, web-based end user training is a check-box item. But it has become increasingly apparent that this is not enough. Security is a process, not a product, and a key component of that process is user training. Ultimately, securing your sites must be a collaborative effort, and that means you must find a way to engage your clients in the process. This means that training must be a focus topic during every review, that user training must be elevated to a strategic priority by your clients, and that user training must become as important to them as it is to you.

If you provide services to companies with compliance requirements, that must drive your choice of offerings, usually based upon one of the accepted security frameworks such as NIST, CSF, or a daunting number of others. Even in the absence of such requirements, it makes sense to become acquainted with a framework and to use it to guide your security strategy. In my case, I view things from the standpoint of perimeter, endpoints, and data pathways.