In the past month, more and more GCSIT clients are requesting budgetary quotes for security-related services and assets. This surge in interest prompted me to compile a prioritized list of the most requested services and assets and why they are important to control environments.
1. Anti-Virus
In terms of advanced threat prevention, most anti-virus solutions are perhaps 30% effective. That being said, A/V is still a necessary evil. However, managing and responding to malware infections is an increasing drain on limited IT resources. When you factor in the amount of time spent mitigating malware infections combined with the cost of most commercial solutions (McAfee, Symantec, Kaspersky, etc.), outsourcing this function not only reduces cost, but provides real-time monitoring and response, which eases the burden on limited staff resources.
2. Monitoring
You can install all the firewalls and IDS/IPS appliances you want, but if they’re not being monitored, threats will get past your defenses unnoticed. It’s impractical for SMBs, however, to have staff dedicated to monitoring critical perimeter defenses and infrastructure. Threat actors work 24x7x365, and organizations should be monitoring their critical infrastructure just the same. Outsourcing this critical function is not only cost effective, but also expands on any incident response capability by improving detective controls.
3. Data Protection & Business Resiliency
Data disruptions happen whether you want them or not. Ensuring that data protection and recovery strategies are aligned with business processes is a challenging task that few organizations do well. Backups are a no-brainer – everyone does them. Executing a recovery process that is aligned to business risk is an often overlooked and under-planned function. Backup and data protection strategies are useless without recovery strategies.
In many cases, this can be automated by leveraging in-house and cloud-based virtualization technology while aligning with business recovery time and recovery point objectives (RTO/RPO). Understanding your RTOs/RPOs for critical business processes is a critical first step towards developing a comprehensive recovery strategy. Outsourcing all or a portion of this business function eases staff burdens and reduces storage and hardware capex, as well as the cost of redundant physical data centers that sit dormant 99% of the time.
1. Security Assessment
Not to be confused with penetration testing, a security assessment examines all aspects of your technology control environment, including administrative, physical, and technical controls. Automated and manual testing procedures provide immense visibility into an organization’s environment, identify areas of weakness, and produce an actionable report with detailed and prioritized recommendations for improvement that are aligned with business objectives and organizational risk factors. If you don’t know where to start with addressing security concerns, this is a good place.
2. Incident Response
How will you respond to a data breach or network intrusion? Your network will be breached; it’s just a matter of when. Having a thoroughly tested response plan in place that is aligned with business objectives will shave days and weeks off of your recovery time. In a network compromise scenario, it’s important to educate first responders in proper procedures for triaging an event; otherwise, valuable clues and evidence will be lost. An incident response plan identifies and documents the people, processes, and technology necessary to identify, isolate, mitigate, and recover from an active threat.
1. Network Threat Prevention
You might think this is a glorified way of saying “firewalls”, but it’s not. Some of today’s perimeter defense platforms are much more than just firewalls. If you’re considering a firewall refresh, then you need to look at appliances that not only provide defenses, but also the capability to detect and block unknown threats and correlate suspicious activity with endpoints in your environment. Appliances from Palo Alto and FireEye do just that, and provide extensive visibility into all traffic within an environment as well as integrated endpoint protection capabilities. These appliances are also capable of identifying and blocking unknown threats by executing suspicious code in a virtualized sandbox environment and observing its behavior. The unique thing about these solutions over most other vendors is that once a new threat is discovered, their cloud-based technology delivers the indicator of compromise to all appliances subscribed to that service – not just the ones in your environment. Signature-less threat detection is critical to the protection of your environment.
Every environment is unique, and understanding your risks is critical to defining your control environment and aligning it with business objectives. Understanding the services that IT provides to the business and how those services align with technology assets is an important first step in identifying risks and defining the types of controls necessary to provide operational continuity and minimize the disruptive nature of a security incident.
The services described above are just a few of the more common security-related requests that GCSIT has fulfilled recently. We’ve also performed several forensic investigations in the past couple of months that have helped our clients determine appropriate actions in response to a security incident (hint: include a forensic response capability in your incident response plan).
Start the conversation today by emailing firstname.lastname@example.org or calling us about your security concerns (there’s no charge for a phone call).