Security Baseline
Background
In Heavy Strategy EP. 010 - Budgeting for Cybersecurity Greg Ferro & Johna Till Johnson agree that “Detection is better than Prevention”, in that same episode Greg said that he recommended SDP (Software-Defined Perimeter), Asset Inventory and EPP (Endpoint Protection Platform) for all devices.
SDP, Asset Inventory and EPP are protection technologies, so this could be seen as conflicting with “detection is better…”. However, I think what Greg is getting at is that there needs to be a minimum level of protection and that further spending on additional protection technologies is likely to be wasteful.
Nearly all organizations are going to have already spent some money on “prevention tech”, it’s probably built into the network design.
So, what is the Security Baseline?
Greg provided 3 components as a starting point - SDP, Asset Inventory & EPP. I’m going to agree with two but exclude one.
SDP is an interesting technology. It appears to be the Zero Trust approach Fortinet has adopted - and possibly others, I haven’t investigated the other vendors as much. I don’t think SDP or Zero Trust would fit in a baseline list. They are very effective at limiting lateral movement in the network though, making it exceedingly difficult for malware or an attacker to spread - however, the current effort to implement, for most organizations, is high. I feel SDP and Zero Trust would belong on an “Advanced” Security list, not a baseline.
So, what would I add to the list? I feel the ASD Essential 8 make up the bulk of the additional components. Those eight items are:
- Application Control/Whitelisting
- Patch Applications
- Configure MS Office Macro settings
- User App Hardening
- Restrict Admin Privileges
- Patch OSes
- MFA
- Regular Backups
All of these will require effort to implement correctly, and a few will potentially annoy users (MFA, Office Macros, App hardening - but restricting admin privileges, if users currently have them, most of all). The improvement in security by implementing these controls is significant and worth working with users to achieve.
There are still a few more things that we should add to this list.
While SDP might be too much of a lift for most networks, I do think that a Next Gen Firewall and Segmenting the Internal Network deserve to be on the list.
Having reviewed the Verizon 2021 Data Breach Investigations Report findings, it’s clear that in 2020, the largest number of attacks were Business Email Compromise and they had the highest median loss. So, we should add Mail Filtering to the list. [Yes, Ransomware gets a lot of headlines, but check the numbers for 2020, Verizon’s data is quite clear. Also, if you look at the ASD Essential 8 - Ransomware is quite effectively mitigated by these 8 items.]
The last item for the list, I believe, is Security Awareness training, also recommended by Greg & Johna - in Heavy Strategy Ep. 009 - The Metrics of IT Security.
Wrap up
Here is the full list.
- Asset Inventory
- EPP for all Endpoints
- Application Control/Whitelisting
- Patch Applications
- Configure MS Office Macro settings
- User App Hardening
- Restrict Admin Privileges
- Patch OSes
- MFA
- Regular Backups
- Next Gen Firewall
- Segmented Network Design
- Mail Filtering
- End User Security Awareness Training
There are 14 items, listed in no particular order.
How does your organization compare to this list?
Do you think anything should be added or removed from the list?
I’d like to hear about this in the comments.