Cybersecurity & ASD4 framework

Discussion in 'Business & Enterprise Computing' started by evo800v, Apr 25, 2019.

  1. evo800v

    evo800v Member

    Joined:
    Jul 26, 2004
    Messages:
    524
    Location:
    Australia, Sydney, NtRyde
    Hi all,

    Our company (manufacturing industry) has picked up some high-profile customers, and they are requesting that our systems adhere to ASD level 2, then 3, by the end of this year. We are currently engaging a consulting firm to provide some advice; the price tag with all the new proposals comes to 150k+ for roughly 300 PCs.

    What is everyone doing at your company for ASD level 2 & 3? I just need some views in terms of what systems you have in place for these areas:
    * application whitelisting
    * patching
    * SIEMs

    I know that putting in system/s doesn't mean that we're compliant; there are also massive processes that need changing, as well as a culture shift. Just needing cost-effective solutions rather than relying on the cyber consultant's proposal.
     
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,714
    Location:
    Canberra
    To actually help you with this is going to cost a lot of time, energy and money.

    Depending on what they are actually doing, and where you're coming from - that doesn't read as a scary price to me. Remediating an environment for $500/user is *cheap*
     
    Dilbery likes this.
  3. fad

    fad Member

    Joined:
    Jun 26, 2001
    Messages:
    2,283
    Location:
    City, Canberra, Australia
    You need someone monitoring the SIEM and managing the whitelist daily. Also you will, assuming you don't have them, need to buy or get a yearly subscription to the software. So it can get expensive fast.
     
  4. Urbansprawl

    Urbansprawl Member

    Joined:
    May 5, 2003
    Messages:
    552
    Agree, 150k is very cheap and probably an underestimate of the ongoing effort for annual recert/log monitoring/vulnerability management etc. If you have certification costs, these should be passed on to the customers who require them.
     
    NSanity likes this.
  5. Dilbery

    Dilbery Member

    Joined:
    Nov 19, 2005
    Messages:
    1,153
    Location:
    Sydney, NSW
    I had to do similar remediation work in my last role, $150k is cheap considering the amount of work that needed to be done.

    For whitelisting I had to implement AppLocker (went down the .dll path for devices too, that was fun fun fun), and for patching we were already using SCCM, we just had to change how we were patching (patching devices as the patches are released rather than pilot and test the patches etc.)
     
    Last edited: Apr 28, 2019
  6. g00nster

    g00nster Member

    Joined:
    Sep 10, 2004
    Messages:
    349
    Location:
    Melbourne
    $150k is a bargain. Is that just in consulting?

    RE: Application Whitelisting: For all levels of the maturity model it needs to apply not only to workstations but to AD servers, email servers and any other server that performs authentication. The limiting factors with each maturity level are the extent of the reach (i.e. Level 1 = restrict EXEs, Level 2 = restrict EXEs + software libraries, Level 3 = restrict EXEs + software libraries + scripts + installers) and the method that should be used (i.e. folder whitelist or hashing).

    Patching: Endless cycle of patching. All models require you to dump legacy enterprise shitware which isn't supported... e.g. "Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions"

    SIEM: Not part of Essential Eight but it'll cost you $$$$
     
    NSanity likes this.
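    To make the per-level scope described above concrete, here is an added PowerShell example (not code from any poster, from Microsoft or from the ASD) that builds a hash-based AppLocker policy whose rule collections match the chosen maturity level and deploys it in audit mode first. The scan roots, output path and sample file are placeholder assumptions; it must run elevated on a host that has the AppLocker module and the Application Identity service.

```powershell
# Added example: build a hash-based AppLocker policy whose rule collections
# match an Essential Eight maturity level, then deploy it in audit mode.
# Assumptions: scan roots, output path and sample file are placeholders,
# and the script runs elevated where the AppIDSvc service is available.
param(
    [ValidateSet(1, 2, 3)] [int] $MaturityLevel = 3,
    [string[]] $ScanRoots = @('C:\Windows', 'C:\Program Files'),
    [string] $OutFile = 'C:\Temp\applocker-audit.xml'
)

# Map the maturity level onto the AppLocker rule collections it must cover:
# Level 1 = executables, Level 2 = + libraries, Level 3 = + scripts + installers.
$fileTypes = switch ($MaturityLevel) {
    1 { @('Exe') }
    2 { @('Exe', 'Dll') }
    3 { @('Exe', 'Dll', 'Script', 'WindowsInstaller') }
}

# Hash rules rather than path rules: a file copied into a trusted folder does
# not become trusted. DLL rules multiply rule count and load-time checks, so
# keep the scan roots tight before enabling them fleet-wide.
$fileInfo = foreach ($root in $ScanRoots) {
    Get-AppLockerFileInformation -Directory $root -Recurse -FileType $fileTypes
}

$policy = $fileInfo |
    New-AppLockerPolicy -RuleType Hash -User Everyone -Optimize

# Start in AuditOnly: the 'Microsoft-Windows-AppLocker' event logs then show
# what would have been blocked before anything is actually enforced.
[xml]$xml = $policy.ToXml()
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($OutFile)

# Dry-run the policy against a known file before applying it.
$sample = Join-Path $env:SystemRoot 'System32\notepad.exe'
Test-AppLockerPolicy -XmlPolicy $OutFile -Path $sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule

# Apply locally; use -Ldap to target a GPO once the audit period is clean.
Set-AppLockerPolicy -XmlPolicy $OutFile
Start-Service AppIDSvc
```

    Only after the audit logs stop showing legitimate software as "would be blocked" should the collections be switched to Enabled, which is where the daily whitelist management cost that fad mentions comes from.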
  7. evo800v (OP)

    evo800v Member

    Joined:
    Jul 26, 2004
    Messages:
    524
    Location:
    Australia, Sydney, NtRyde
    Got it, thanks for the inputs.
    So far the cost involves implementation, licensing and cross-training. The idea is to have the process implemented externally, then move it in-house after the second year. It's less messy and we want to get it right the first time from someone who's been there. If we were to do this internally, it may be somewhat cheaper but may take 8 months plus...

    Anyone using IBM BigFix for their patch management?
     
    Last edited: Apr 30, 2019
  8. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    4,045
    Location:
    Sydney
    We use Ivanti - https://www.ivanti.com.au/products/patch-for-endpoint-manager

    We have their EPM product though, it all ties into that.

    I saw you mention whitelisting earlier; they also have a whitelisting product that is a lot easier than your standard MS-based stuff. It's called Application Control, we are rolling it out now and it's been quite successful. I sleep a lot better at night with it deployed.
     
  9. evo800v (OP)

    evo800v Member

    Joined:
    Jul 26, 2004
    Messages:
    524
    Location:
    Australia, Sydney, NtRyde
    Ivanti patch management, are you using this on-premise or cloud-based? Is the licensing scheme cost-effective for 100+ users?
    We were at one point using Altiris before Symantec took over, since then it went downhill.
     
  10. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    4,045
    Location:
    Sydney
    I've got it on-premise as we use it for imaging etc as well. I'm not across their cloud offering.

    I'm licensed for 1000 endpoints and the full endpoint management suite including patch management was 40k or so. It patches more than just MS, they have a patch feed that downloads patches for loads of applications - Dropbox, Adobe etc.
     
  11. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,718
    Location:
    3350
    Does it do the full patch remediation, additional steps like registry keys as per the MS KB articles, and revalidation of compliance?
     
  12. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    4,045
    Location:
    Sydney
    Yes, Ivanti actually have a team building the patches and the platform downloads from them. You can also create your own patches in it with multiple steps etc.
     
  13. KDog

    KDog Member

    Joined:
    Jan 9, 2002
    Messages:
    259
    Location:
    ACT
    Adding on to this, how are people restricting administrators from internet access and sending emails?
    Application patching, there are lots of products.
    OS patching either WSUS or vendor product.
    Application white listing can use applocker or vendor product.

    No idea how to block domain admins from using the web / accessing email. Is it best to use a web proxy to block admin accounts using IE (will this work for edge?) and then block other browsers with the app whitelisting?
     
  14. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,473
    Location:
    Canberra
    Most places I see, admin accounts do not have an email account. So no email.

    GP-forced proxy settings (wpad etc.) and app whitelisting. Chrome and Firefox support GP restrictions.

    And if you subscribe to the admin workstation recommendation/requirement, ensure those workstations do not have external access (VLAN/routing/firewall, whatever). Lock admin account usage to only those workstations.
     
    NSanity likes this.
  15. g00nster

    g00nster Member

    Joined:
    Sep 10, 2004
    Messages:
    349
    Location:
    Melbourne
     
  16. KDog

    KDog Member

    Joined:
    Jan 9, 2002
    Messages:
    259
    Location:
    ACT
    An admin having a specific email account isn't relevant; if the admin has access to an email client or web client then any email account can be used, so it doesn't meet compliance.

    Good idea, we have this for application policies on a few of the routers, I should be able to use it to block internet for groups of users without issue.

    Thanks people.
     
  17. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,473
    Location:
    Canberra
    As with everything security: layers.

    Combined with whitelisting policy and restricted/removed internet access, you get compliance.

    There's no one policy to cover every need for every customer/business.
     
  18. 7nothing

    7nothing Member

    Joined:
    Feb 15, 2002
    Messages:
    1,447
    Location:
    Brisbane
    Has anyone used/evaluated a good product for application whitelisting? I don't want to go down the AppLocker path. Carbon Black and Ivanti I've only read some vague brochures on, but get the impression they probably don't provide hash-based whitelisting for scripts/libraries. Similar to those, I did evaluate Thycotic Privilege Manager, which is in the same boat: only supports exe whitelisting, management wasn't great, but it was comparatively cheap and also had some privilege elevation features we'd probably use.

    Airlock looks like one of the few which does apparently support app/library/script, but didn't have any elevation features; it does also have the benefit of looking like it was written in this decade. Someone suggested McAfee Application Control; I was pretty well put off by reading their install documentation.
     
    Last edited: Jun 14, 2019
  19. fad

    fad Member

    Joined:
    Jun 26, 2001
    Messages:
    2,283
    Location:
    City, Canberra, Australia
    Airlock is really easy to deploy and control. McAfee has a whole suite attached to the ePO, so if it's just whitelists it's a lot of work. Also they don't seem to keep their versions up to date.
     
  20. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,778
    Location:
    Brisbane
    Isn't it the essential eight?

    The effort in deploying application whitelisting really shouldn't be underestimated.

    A SIEM (not cheap): you either need to pay for an outsourced SOC to pay attention and alert (not cheap) or pay for somebody to review it (not cheap). You'd want to first define your threats, risks and likely scenarios and align your approach to that. You said you've got manufacturing, leading me to think you've got a control network.
    Cool, how is that being monitored? You're highly unlikely to be allowed to just push a new security solution onto those. Want to use CrowdStrike or similar on the OT network? Stiff shit, it needs net access.

    If you're looking to checklist this you're gonna be disappointed, because to be patching at level 3 is gonna need some solid evidence to back that 48-hour period up.

    If somebody is stupid enough to say they can get you there for 150k you should either run for the hills from them, or rub your hands together and have lawyers ready to back you up when you inevitably sue them for fucking it up.
     
    Last edited: Jun 20, 2019
