Wednesday, August 14, 2019

Defending against Ransomware? That's easy, try eating soup with a knife, now, that's hard!


Why all of the fuss?

 

Ransomware is on the uptick in the Gartner "hype cycle", and people want to sell you lots of shiny new tools that you "must have" to defend yourself. Why would I go to the CFO and recommend that? People will swear to you that security is "better in the cloud". It is not; they are just attempting to sell you something. Resist the temptation.

Success with ransomware defense is not a function of your tools, your network topology, or your SIEM. A successful defense against ransomware is determined by your ability to make rational decisions and move "left of bang" (act before the incident, not after it) through the "political will" minefield.

OK, now you can send me flame mail.

 

In his truly seminal work, "The Laws of Human Nature", Robert Greene walks us through the biases that turn your decision making away from rational thinking, biases you and your team will embrace without noticing: Confirmation Bias, Conviction Bias, Appearance Bias, Group Bias, Blame Bias and Superiority Bias.

The criminals that will use ransomware to steal from you will use your normalcy bias (the assumption that because it has not happened here yet, it will not) against you. Don't let that happen. Look your lack of political will squarely in the face and say, "...not today...".

To effectively mitigate ransomware risk, we must cultivate the political will, right now, to take reasonable, cost effective action. Remember these wise words: "Cyber Security is Everyone's Job".

M&M candy or a box of rocks? You decide.

 

Most of us have been trained that "defense in depth" is the be-all and end-all of Information Security, and in practice it degenerates into what I call the "M&M candy" methodology: a hard, crunchy shell to protect the soft, tasty center.

Most of the businesses I work with allow non-security personnel to make security decisions because these decision makers do not understand security and risk and refuse to trust the security professionals they hire. This is cognitive dissonance on a massive scale.

What I am proposing here is a paradigm shift [really just an oversimplified outline] to what I call the "box of rocks" methodology: everything in the box is as hard as a rock and you just can't take a bite without breaking your teeth.

How can you become a box of rocks?

 

Below is my "box of rocks" approach to ransomware defense. Granted, it is not all inclusive. It is also not expensive. You probably have all of these capabilities already. If you do, you are most likely not using them together, as one integrated capability.

If your IT folks tell you that this approach is crazy - hire better in the future.

 



As always, if you follow the outline below and a ransomware attack still succeeds at your customer, that's a "you thing". If you want to ask questions about any of the ideas below, just send us an email via the comments section.

What we need to get this party started

 

A threat intelligence data feed [TIDF]

 

We'll need a threat intelligence data feed that incorporates near-real-time DNS and IP address allow/block listing and that can be consumed by all of your perimeter defense systems and your internal routers.

This lets you stop depending on the feeds bundled with each vendor's product (which are uniformly mediocre) and normalize protections across your perimeter and internal traffic management systems: every enforcement point blocks the same indicators at the same time.

Do not default to accepting your firewall vendors schtick that their TIDF feed is awesome!

This is very high payoff and very cost effective.

A configuration management database [CMDB] capability with teeth

 

You'll need a CMDB that is integrated with your change management system, your vulnerability management system and your patch management system (and their supporting processes), with enough intelligence to monitor your key systems and autonomously roll back unauthorized configuration changes, in real time, without human intervention.

I'll bet this is a capability of your Service Desk Ticketing software package?

Building this is worth your time.
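The core loop of a "CMDB with teeth", as an added example (this is not the post's own tooling, and the post names no product). It assumes a data model the post does not specify: the CMDB keeps, per monitored file, the SHA-256 of the approved content plus a pristine copy, and the change-management system exposes the set of paths that currently have an approved, open change. Anything that differs from the baseline without an approved change is restored on the spot and reported; the file names and contents below are constructed for the demonstration.

```python
"""Added example (not the post's own tooling): the core loop of a 'CMDB
with teeth'.  Assumed data model (the post does not specify one): the
CMDB keeps, per monitored file, the SHA-256 of the approved content and
a pristine copy; the change-management system exposes the set of paths
that currently have an approved, open change.  Anything that differs
from the baseline without an approved change is restored on the spot
and reported so a human can investigate why it drifted."""
import hashlib
import os
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Cmdb:
    def __init__(self):
        self.baseline = {}  # path -> (sha256 of approved content, that content)

    def record(self, path):
        """Capture the current content of path as the approved baseline."""
        with open(path, "rb") as f:
            data = f.read()
        self.baseline[path] = (sha256(data), data)

    def enforce(self, approved_changes):
        """Scan every monitored file and return [(path, verdict)], where
        verdict is 'ok', 'approved' (baseline updated) or 'rolled_back'."""
        results = []
        for path, (good_hash, good_data) in self.baseline.items():
            with open(path, "rb") as f:
                current = f.read()
            if sha256(current) == good_hash:
                results.append((path, "ok"))
            elif path in approved_changes:
                self.baseline[path] = (sha256(current), current)
                results.append((path, "approved"))
            else:
                # Unauthorized drift: write the approved content back via a
                # temp file + rename so a reader never sees a half-written file.
                tmp = path + ".cmdb-restore"
                with open(tmp, "wb") as f:
                    f.write(good_data)
                os.replace(tmp, path)
                results.append((path, "rolled_back"))
        return results


def demo():
    """Constructed scenario: sshd_config is weakened with no ticket,
    sudoers is changed under an approved change."""
    root = tempfile.mkdtemp()
    sshd = os.path.join(root, "sshd_config")
    sudoers = os.path.join(root, "sudoers")
    with open(sshd, "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    with open(sudoers, "w") as f:
        f.write("%admins ALL=(ALL) ALL\n")
    cmdb = Cmdb()
    cmdb.record(sshd)
    cmdb.record(sudoers)
    with open(sshd, "w") as f:  # attacker (or hurried admin) weakens SSH
        f.write("PermitRootLogin yes\nPasswordAuthentication yes\n")
    with open(sudoers, "a") as f:  # ticketed change adds a backup account
        f.write("%backup ALL=(ALL) NOPASSWD: /usr/bin/rsync\n")
    verdicts = dict(cmdb.enforce(approved_changes={sudoers}))
    with open(sshd) as f:
        restored = f.read()
    return verdicts[sshd], verdicts[sudoers], restored


if __name__ == "__main__":
    print(demo())
```

Two things a production version must add: the approved change should carry the expected resulting hash (or content), not just a path, otherwise an attacker who lands while a change window is open gets a free pass; and every "rolled_back" verdict belongs in the SOAR queue, because the rollback fixed the file but not the fact that someone has write access they should not have.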

Security Orchestration, Automation and Response [SOAR]

 

Though this is a major player now in the hype cycle, it actually drives incredible business value via risk mitigation. If you have a SIEM solution in place you probably don't have to purchase anything; chances are good that you already own the parts and pieces, you just need to do some plumbing.

Imagine a time when an employee brings in an infected device and plugs it into your network; your internal router, consuming your TIDF, sees the outbound connection request to a threat actor and autonomously, without human intervention, within seconds, isolates the threat from your business and dispatches a human to investigate.

Think of it like Skynet, but cuddly and smelling like fresh-baked chocolate chip cookies.

Integrate your SOAR tool kit with your network vendor's Network Access Control capabilities and your Security Information and Event Management capabilities.

Building this is worth your time.
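The TIDF section above and the SOAR scenario just described are the same plumbing seen from two ends, so here is one added example covering both (it is not the post's own code and names no vendor). The formats are assumptions, since the post gives none: the feed is one indicator per line ("ip:", "cidr:" or "domain:"), the router exports events as "timestamp,src_ip,dst,dst_port", and isolation is a hook that in production would call the NAC vendor's quarantine API and open a ticket. The feed entries and events are constructed samples.

```python
"""Threat feed matching + automated isolation, the TIDF and SOAR pieces
of the outline wired together (added example, not the post's own code).
Assumed formats (not given in the post): the feed is one indicator per
line, 'ip:A.B.C.D', 'cidr:A.B.C.D/N' or 'domain:name'; the router
exports events as 'timestamp,src_ip,dst,dst_port'; isolation is a hook
that, in production, would call the NAC vendor's quarantine API."""
import ipaddress
from dataclasses import dataclass, field

SAMPLE_TIDF = """\
# constructed sample feed; comments and blank lines are ignored
ip:203.0.113.77
cidr:198.51.100.0/24
domain:c2.evil.example
"""

SAMPLE_EVENTS = """\
2019-08-14T09:12:01Z,10.20.30.40,203.0.113.77,443
2019-08-14T09:12:02Z,10.20.30.41,93.184.216.34,443
2019-08-14T09:12:03Z,10.20.30.42,198.51.100.200,8080
2019-08-14T09:12:04Z,10.20.30.43,mail.c2.evil.example,25
2019-08-14T09:12:05Z,10.20.30.40,203.0.113.77,80
"""  # constructed router events: timestamp,src_ip,dst,dst_port


@dataclass
class ThreatFeed:
    ips: set = field(default_factory=set)
    nets: list = field(default_factory=list)
    domains: set = field(default_factory=set)

    @classmethod
    def parse(cls, text):
        feed = cls()
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            kind, _, value = line.partition(":")
            if kind == "ip":
                feed.ips.add(ipaddress.ip_address(value))
            elif kind == "cidr":
                feed.nets.append(ipaddress.ip_network(value, strict=False))
            elif kind == "domain":
                feed.domains.add(value.lower().rstrip("."))
            else:
                raise ValueError(f"unknown indicator type: {line!r}")
        return feed

    def match(self, dst):
        """Return the indicator that covers dst (IP or hostname), else None."""
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            # A hostname: the name itself or any parent domain may be listed.
            labels = dst.lower().rstrip(".").split(".")
            for i in range(len(labels)):
                cand = ".".join(labels[i:])
                if cand in self.domains:
                    return f"domain:{cand}"
            return None
        if addr in self.ips:
            return f"ip:{addr}"
        for net in self.nets:
            if addr in net:
                return f"cidr:{net}"
        return None


def run_playbook(feed, events, isolate):
    """Check each event; isolate an offending source once; return detections."""
    detections, isolated = [], set()
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split(",")
        hit = feed.match(dst)
        if hit is None:
            continue
        detections.append((src, hit, ts))
        if src not in isolated:  # don't re-quarantine on every beacon
            isolate(src, f"{ts} {src} -> {dst}:{port} matched {hit}")
            isolated.add(src)
    return detections


def demo():
    actions = []

    def fake_isolate(src_ip, reason):
        # Hypothetical NAC hook: move the port/MAC to a quarantine VLAN
        # and open a ticket for a human.  Here it only records the call.
        actions.append((src_ip, reason))

    hits = run_playbook(ThreatFeed.parse(SAMPLE_TIDF), SAMPLE_EVENTS, fake_isolate)
    return hits, actions


if __name__ == "__main__":
    for src, hit, ts in demo()[0]:
        print(ts, src, hit)
```

The parent-domain walk in match() is what makes a "domain:" indicator useful: C2 infrastructure rotates hostnames under one registered domain, so the feed lists the domain and the playbook catches mail.c2.evil.example without a separate entry. The isolation hook is called once per offending host, not once per beacon, so a chatty implant cannot flood the ticket queue.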

An easy to use Password Manager that employees can't live without

 

We all talk a good game about password management but do any of us have an enterprise wide password manager that your employees love?

Nope.

One of my larger, international customers was also skeptical of this, but once it was in place it was fervently embraced by the employees, simply because they could use it for personal use. Being a centrally managed enterprise platform that synced desktop, phone, etc. passwords, we could mandate twenty-one character complex passwords. Automatic password changes, none of the employees had to lift a finger, they L O V E D it!

No more forgotten password Service Desk Telephone Calls!

All accounts, including service and daemon accounts, are now, at a minimum, twenty-one characters and complex.

A major step in the right direction.

Inexpensive, a major risk mitigation.

Protection Profiles for high risk groups of employees

 

Check box / one size fits all security solutions waste resources (labor and money). Develop "Protection Profiles" - bundles of minimal technical controls, tools, capabilities, for groups of high risk employees.  They get to feel like James Bond, they will love it.

Make Multi-Factor Authentication a key component of your first "political" Protection Profile group; their adoption of these James Bond style "cool kids" capabilities will make it political kryptonite for nay-sayers when it comes to future adoption.

Easy to explain to the Board, CEO and CFO. It just, plain and simply, makes great business sense.



Define and Implement Minimal Technical Controls for your public facing web servers and APIs

 

Incorporate controls that address the OWASP Top Ten risks (the OWASP Top 10 Proactive Controls are the matching list of what to build) into your public facing web presence. Introduce them in phases, getting closer to our mythical "box of rocks" each quarter.

Building this is worth your time.

Define and Implement Minimal Technical Controls for your internal and external web services, capabilities and protocols

 

Develop your own "Secure Cloud Computing Architecture [SCCA]" plan, using the DISA SCCA as a reference, and mature it each quarter.

Start out slow and pick up speed as everyone becomes comfortable with the capabilities.



Privileged Access Workstation [PAW] Model

 

Adopt a PAW approach, use it, mature it. Never administer a zone of "high trust" from a zone of "low trust": administrative credentials are only ever typed on a dedicated, hardened workstation that cannot browse the web, read email or run ordinary user applications.

Building this is worth your time.

Airgap your crown jewels

 

Basing disaster recovery and business resumption planning [DR/BRP] around traditional VMware replication to a remote data center assumes that your attackers are stupid. They are not; they are highly skilled criminals that run highly profitable businesses. They will break into your backup system, follow the bread crumbs to your DR/BRP site, encrypt or delete your backups, then attack your online, operational systems. Pants around your ankles, you will be gasping for breath, or... you can take proactive steps, NOW. An air-gapped copy of the crown jewels, offline or at the very least not reachable with the credentials that run production and the primary backups, is that step.

You need to thoroughly document your key business processes and understand how they are "plumbed" through your data center and cloud environments.

What will it take to restore these business critical, business processes in a disaster?

Who cares about your data backups if you don't really know how the business process is plumbed and you cannot re-create this plumbing to make your business processes function?

Think about it...

The world has evolved beyond servers in your data center or cloud. It's all about understanding and protecting your business critical - business processes.

Don't believe me? Call your CFO and ask him/her...

Building this is worth your time.

Implement Microsoft's "Red Forest" approach to protect Active Directory

 

Imagine what it will be like the morning NO ONE can log in...to....anything...don't be that person. Microsoft has since retired the ESAE "Red Forest" reference architecture in favor of its privileged access strategy and enterprise access model, but what you are really implementing is the principle behind it: a separate, hardened administrative forest, tiered administration, and no domain admin credentials ever exposed on lower-tier systems.

Implement "Zones of Trust" within your enterprise

 

Using the FIPS 199 approach (categorize each system by the impact of a loss of confidentiality, integrity or availability: low, moderate or high), identify what is truly important, segment the truly important stuff into "zones of trust", and spend your labor dollars and budget protecting what is truly important. Ignore the rest until you have some unstructured free time...(yes, that is a joke)

Develop a program to manage Ports, Protocols and Services: normalizing, documenting and monitoring network traffic between zones of trust

 

Review the Defense Information Systems Agency [DISA] Ports, Protocols and Services Management [PPSM] methodology for reference.

Integrate with your SOAR Program.
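What "normalizing, documenting and monitoring" between zones looks like in code, as an added example (not the post's own program, and the post gives no addressing plan or flow format): a zone-to-zone Ports, Protocols and Services policy written as data, plus a checker that flags observed flows the policy does not allow. The assumptions are that hosts map to zones by CIDR, that a flow record is "src_ip,dst_ip,proto,dst_port" in connection-initiation direction, and that between two different zones anything not explicitly allowed is a violation for the SOAR playbook to act on; the zones, policy and flows are constructed.

```python
"""Added example (not the post's own code): a zone-to-zone Ports,
Protocols and Services policy written as data, plus a checker that flags
observed flows the policy does not allow.  Assumptions (the post gives
none): hosts map to zones by CIDR; a flow record is
'src_ip,dst_ip,proto,dst_port'; between two different zones anything
not explicitly allowed is a violation for the SOAR playbook to act on;
traffic within a zone is out of scope here."""
import ipaddress

ZONES = {  # constructed addressing plan
    "user": ipaddress.ip_network("10.20.0.0/16"),
    "app": ipaddress.ip_network("10.30.0.0/16"),
    "db": ipaddress.ip_network("10.40.0.0/16"),
    "admin": ipaddress.ip_network("10.99.0.0/24"),
}

# (src_zone, dst_zone) -> allowed (protocol, destination port) pairs.
# Every entry here should trace back to a documented business process.
POLICY = {
    ("user", "app"): {("tcp", 443)},
    ("app", "db"): {("tcp", 5432)},
    ("admin", "app"): {("tcp", 22)},
    ("admin", "db"): {("tcp", 22), ("tcp", 5432)},
}

SAMPLE_FLOWS = """\
10.20.1.5,10.30.2.10,tcp,443
10.20.1.5,10.40.3.10,tcp,5432
10.30.2.10,10.40.3.10,tcp,5432
10.20.1.7,10.30.2.10,tcp,22
10.99.0.5,10.40.3.10,tcp,22
10.30.2.10,10.20.1.5,tcp,445
"""  # constructed flow records: src_ip,dst_ip,proto,dst_port


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"  # unmapped address space is itself a finding


def check_flow(src, dst, proto, port):
    """Return 'same_zone', 'allowed' or 'violation' for one flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "same_zone"
    if (proto.lower(), int(port)) in POLICY.get((sz, dz), set()):
        return "allowed"
    return "violation"


def find_violations(flows_text):
    """Return [(src_zone, dst_zone, description)] for disallowed flows."""
    out = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split(",")
        if check_flow(src, dst, proto, port) == "violation":
            out.append((zone_of(src), zone_of(dst), f"{src}->{dst} {proto}/{port}"))
    return out


if __name__ == "__main__":
    for sz, dz, desc in find_violations(SAMPLE_FLOWS):
        print(f"{sz}->{dz} not allowed: {desc}")
```

The same POLICY table should generate the firewall rule set between zones; the checker exists to catch what the firewall missed, what someone "temporarily" opened, and flows the policy never anticipated (in the sample, an app server reaching back into the user zone on 445). A flow landing in the "unknown" zone means the addressing plan is incomplete, which is a documentation finding, not a false positive.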

Effective Messaging Management Practices

 

Your IT folks need to understand how the river that is your network flows through your enterprise, and where to focus your controls to minimize risk.

Do your email "dispatch" process rules effectively scan email or chat as it moves from desk to desk, inside the business?

Do your email "external" processes effectively implement mail transport rules that scan email inbound to and outbound from your business?

If you asked your IT guys these questions, what would they say?

Do you have the political will to convert all inbound embedded URLs into simple strings of text, making them un-clickable, and to watch most of your phishing concerns become a thing of the past?
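The un-clickable URL idea, as an added example (this is not the post's own code; the post names no mail product). It uses the common "hxxp" / "[.]" defang notation so the string stays searchable in logs and tickets but no mail client will auto-link it. Assumptions: the message body has already been decoded to a string, HTML anchors use quoted href values, and the rewritten body replaces the original part before delivery (that last step depends on the mail system and is not shown). The two sample messages are constructed; the first shows the classic display-text/href mismatch.

```python
"""Added example (not the post's own code): rewrite every URL in an
inbound message into an un-clickable string before delivery.  Uses the
common 'hxxp' / '[.]' defang notation so the string stays searchable in
logs but no mail client will auto-link it.  Assumptions: the message
body is already decoded to str; HTML anchors use quoted href values;
the result replaces the original part in the message (not shown)."""
import re

# Only real schemes get auto-linked; anything else is left alone.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(
    r"<a\b[^>]*?\bhref\s*=\s*([\"'])(.*?)\1[^>]*>(.*?)</a\s*>",
    re.IGNORECASE | re.DOTALL,
)
TRAILING_PUNCT = ".,;:!?)"


def defang(url):
    """https://evil.example/x -> hxxps://evil[.]example/x (path dots kept)."""
    scheme, sep, rest = url.partition("://")
    if not sep:                       # mailto:, javascript:, ... left as text
        return url
    scheme = scheme.lower().replace("http", "hxxp").replace("ftp", "fxp")
    host, slash, path = rest.partition("/")
    return f"{scheme}{sep}{host.replace('.', '[.]')}{slash}{path}"


def _defang_match(m):
    url = m.group(0)
    body = url.rstrip(TRAILING_PUNCT)  # keep sentence punctuation outside the URL
    return defang(body) + url[len(body):]


def neutralize_text(text):
    return URL_RE.sub(_defang_match, text)


def neutralize_html(html):
    """Replace <a href=...>text</a> with 'text [defanged href]', then
    defang any remaining bare URLs (including ones in src= attributes,
    which also disables tracking pixels)."""
    def repl(m):
        href, inner = m.group(2), m.group(3)
        inner = re.sub(r"<[^>]+>", "", inner).strip()  # drop markup inside the anchor
        return f"{inner} [{defang(href)}]"
    return URL_RE.sub(_defang_match, ANCHOR_RE.sub(repl, html))


# Constructed samples: a display-text/href mismatch (classic phishing) and
# an upper-case attribute with single quotes.
SAMPLE_HTML = (
    '<p>Your invoice is ready. <a href="https://evil.example/login?x=1">'
    'https://bank.example/secure</a> or call us.</p>'
    "<p>Docs: <a HREF='http://docs.example/a.pdf'><b>download</b></a></p>"
)
SAMPLE_TEXT = "Reset here: https://evil.example/reset and ftp://files.example/x."

if __name__ == "__main__":
    print(neutralize_text(SAMPLE_TEXT))
    print(neutralize_html(SAMPLE_HTML))
```

Two design points: the anchor is rewritten to "display text [real destination]" so the recipient sees the mismatch that the phisher was hiding, and "javascript:" or "mailto:" hrefs simply become inert text because only http, https and ftp are recognized as schemes. Bare hostnames without a scheme (www.example.com) are not touched, and a mail client that auto-links those needs a second rule; the trade-off the post is asking you to accept is that legitimate links stop working too, and users copy and paste instead of clicking.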

Empower your Security Department to take control of Security "stuff"

 

Fund and staff a "Security Architecture" team that is autonomous and reports to the CISO or CIO.

Listen to them.

Develop an actively managed, structured system and application software hardening program. Use the CIS Benchmarks library to increase hardening on a quarterly cycle.

Implement an ITIL RACI matrix approach, making your Security Department "accountable" and your IT department "responsible".

Your Board of Directors will thank you.

Implement Centralized Authentication and Authorization [AuthN & AuthZ] for your UNIX systems

 

Integrate this into your Active Directory infrastructure.

Implement Centralized Authentication and Authorization [AuthN & AuthZ] for your NETWORK systems

 

Integrate this into your Active Directory infrastructure.

Implement 802.1X Network Access Control (RFC 3580, the IEEE 802.1X RADIUS usage guidelines, covers the RADIUS side) and integrate it with your SOAR program

 


It takes about eight minutes for light to travel from the Sun to the Earth; when it comes, your ransomware spiciness will hit faster. Don't buy your sunscreen after you have skin cancer.

 

Ransomware and other attacks on availability ("denial of service" in the broad sense) are highly effective, highly automated forms of attack.

Stop hoping for the best.

Plan for the worst - now.



Best of luck to all of you.

We're going to need all the luck we can get, but, what we need much more, is lots of hard work and sweat, now.

Thanks for reading, you can send me flame mail now.

Copyright © 2019 by "the Secret CISO"

All Rights Reserved.