Security Baseline

What are the minimum security components to achieve a reasonable level of security?

Background

In Heavy Strategy EP. 010 - Budgeting for Cybersecurity, Greg Ferro & Johna Till Johnson agree that “Detection is better than Prevention”. In that same episode, Greg said that he recommended SDP (Software-Defined Perimeter), Asset Inventory and EPP (Endpoint Protection Platform) for all devices.
SDP, Asset Inventory and EPP are protection technologies, so this could be seen as conflicting with “detection is better…”. However, I think what Greg is getting at is that there needs to be a minimum level of protection, and that further spending on additional protection technologies beyond that minimum is likely to be wasteful. Nearly all organizations will already have spent some money on “prevention tech”; it’s probably built into the network design.

So, what is the Security Baseline?

Greg provided 3 components as a starting point - SDP, Asset Inventory & EPP. I’m going to agree with two but exclude one.
I did some research into SDP after listening to the episode and I don’t think it would fit in a baseline. I can see how it would be a very effective way to limit lateral movement in the network, making it exceedingly difficult for malware or an active attacker to spread or move - but it doesn’t appear to be a “commodity” component that most organizations will be able to stand up and operate without a lot of effort. I feel SDP belongs on an “Aspirational” Security list, not a baseline.
So, what would I add to the list? I feel the ASD Essential 8 make up the bulk of the additional components. Those eight items are:

  • Application Control/Whitelisting
  • Patch Applications
  • Configure MS Office Macro settings
  • User App Hardening
  • Restrict Admin Privileges
  • Patch OSes
  • MFA
  • Regular Backups

All of these will require effort to implement correctly, and a few will potentially annoy users (MFA, Office Macro settings and App Hardening - but restricting admin privileges, if users currently have them, most of all). The improvement in security from implementing these controls is significant, though.

I think there are still a few more things that we should add to this list…
While SDP might be too much of a lift for most networks, I do think that a UTM Firewall and Segmenting the Internal Network deserve to be on the list.

Having reviewed the Verizon 2021 Data Breach Investigations Report findings, it’s clear that in 2020, the largest number of attacks were Business Email Compromise and they had the highest median loss. So, we should add Mail Filtering to the list. [Yes, Ransomware gets a lot of headlines, but check the numbers for 2020, Verizon’s data is quite clear. Also, if you look at the ASD Essential 8 - Ransomware is quite effectively mitigated by these 8 items.]

The last item for the list, I believe, is Security Awareness training, also recommended by Greg & Johna - in Heavy Strategy Ep. 009 - The Metrics of IT Security.

Wrap up

Here is the full list.

  • Asset Inventory
  • EPP for all Endpoints
  • Application Control/Whitelisting
  • Patch Applications
  • Configure MS Office Macro settings
  • User App Hardening
  • Restrict Admin Privileges
  • Patch OSes
  • MFA
  • Regular Backups
  • UTM Firewall
  • Segmented Network Design
  • Mail Filtering
  • End User Security Awareness Training

There are 14 items, listed in no particular order.
How does your organization compare to this list?
Do you think anything should be added or removed from the list?
I’d like to hear about this in the comments.
