Discussion in 'Business & Enterprise Computing' started by evo800v, Apr 25, 2019.
Airlock doesn't need internet.
Not played with that one. My point was more that even just doing the controls requires a butt load of assessment, more so if you have control networks too; 150k just seems way off.
You can use forwarders etc. to get around other firewalling too, there's always a way bu
I agree the amount of work is huge. This is just whitelisting. You add the other Essential 8 and you have your work cut out for you. The biggest thing here is, without someone checking these logs and SIEM systems, what's the point?
That would be a 1 FTE worth of work.
And that's assuming the business doesn't assess it needs a 24/7 capability for response to said alerts generated from the SIEM
Yep, if you want to remain compliant you have to act on those alerts. It only takes a failed update or one unpatched app and you are non-compliant. Given ML3 is at 48 hours you need to have weekend staff checking on these things.
At the very least for SIEM, stand up Windows Event Forwarding; your post-incident investigators will be grateful:
This is a rehash of an earlier minimum log level doc published by MS; check the list above the linked section to get a good idea of the dragnet size.
Centralised logging for Windows events can be very cheaply implemented in an air-gapped environment that restricts you from using Splunk or an event collector/forwarder.
Some updates since my initial post:
Application whitelisting --> Currently going through Trend Micro application whitelisting at the moment. We are in the midst of upgrading to Apex One as our EDR solution; since we are already a Trend Micro house, it's a no-brainer.
SIEM --> Using a product called AlienVault (open source) for vulnerability assessment & logging.
IBM BigFix --> Patch management of apps & OSes.
2FA remote lock-down --> RDP sessions & VPN accounts (WatchGuard AuthPoint, vendor based).
Currently looking into a USB Hardlock key for locking down PC/laptop into local & AD accounts. AuthLite is inexpensive but seems to do AD only. Is anyone doing 2FA keys/smartcards in their environment to lock down Windows-based systems?
As previously stated, it all comes down to which maturity level you are trying to achieve. Are you just doing the Top 4 or all of the E8? I'll assume L3 Top 4.
You will need some kind of SIEM to monitor everything, with custom scripts and APIs for monitoring non-generic stuff. It will need to be able to automatically generate tickets so that 48-hour/daily checks are made and actioned.
Application whitelisting - there are a few products out there; Sophos, McAfee ePO and Airlock are all I have experience with. If you don't already have something, Airlock. McAfee is OK, very clunky to use, big learning curve, not the most reliable. Sophos - lockdown only does servers, so you will still need to do endpoints; bit of a waste of time, but very easy and works. Airlock is pretty good from a functionality and user perspective. Make sure they block exe, scripts, dll and installers.
Patching OS/firmware: Seems simple but isn't. If an update fails on one machine it needs to be investigated and remedied within 48 hours. LabTech tools, SCCM and custom scripts will be required for firmware updates. Might not be too bad depending on which vendor your hardware is (if you're a Dell or HP shop); if you have whiteboxes you're f*ckd.
Patching applications, drivers: Once again seems simple but it isn't. Lots of tools will only monitor, update and report on a pre-set list of applications, which is unlikely to cover your LOB applications. No one solution is going to cover it all. Once again vulnerability assessments will need to be done. Ninite with LabTech can handle some stuff.
Restricting admin privileges: Once again seems simple, but it isn't. You will need policies to control when admin accounts are created or destroyed, with auditing. Use AD to give admin accounts a 12-month lifespan. Use a PS script to regularly send out lists of admins, so that they can be checked. Everything needs to be ticketed, so the work can be tracked/audited. Use MS application blocker to help make sure whitelists aren't being bypassed (as easily); you will need a forward authentication proxy to block admins from going to the internet/mail etc.
Doing 2FA at L3 is quite painful/expensive. There really is only one player in this game unfortunately.
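As an added example (not from the poster above), here is the kind of scheduled PowerShell report the "send out lists of admins" step describes, with the 12-month lifespan check folded in so the reviewer gets findings rather than a raw list. It needs the ActiveDirectory RSAT module; the group list, the mail addresses and the SMTP host are assumptions.

```powershell
# Added example: weekly privileged-account report with the 12-month lifespan check.
# Requires the ActiveDirectory RSAT module. Groups, addresses and SMTP host are assumptions.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators'
$maxAgeDays = 365                      # the 12-month admin account lifespan
$now = Get-Date

# Resolve each group recursively so nested groups cannot hide a member.
$members = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser $_.DistinguishedName -Properties whenCreated, LastLogonDate, AccountExpirationDate
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                AgeDays        = [int]($now - $u.whenCreated).TotalDays
                LastLogon      = $u.LastLogonDate
                Expires        = $u.AccountExpirationDate
            }
        }
}

# Findings that need a ticket: past the lifespan with no expiry set, or disabled
# but still sitting in a privileged group (membership should be removed, not just disabled).
$findings = $members | Where-Object {
    ($_.AgeDays -gt $maxAgeDays -and -not $_.Expires) -or (-not $_.Enabled)
}

$report = $members | Sort-Object Group, SamAccountName | Format-Table -AutoSize | Out-String
$body = "Privileged accounts as of $now`n$report`n" +
        "Findings requiring a ticket ($(@($findings).Count)):`n" +
        ($findings | Format-Table -AutoSize | Out-String)

# Swap Send-MailMessage for your ticketing API if everything must land as a ticket.
Send-MailMessage -From 'secops-reports@example.internal' -To 'secops@example.internal' `
    -Subject "Privileged account review $($now.ToString('yyyy-MM-dd'))" `
    -Body $body -SmtpServer 'smtp.example.internal'

# Enforce the lifespan at creation time so the report only ever catches stragglers, e.g.:
# Set-ADAccountExpiration -Identity 'adm-jsmith' -DateTime (Get-Date).AddMonths(12)
```

Run it from a scheduled task under a read-only reporting account; `Get-ADGroupMember -Recursive` is what makes nested-group abuse visible, and the expiry check is what turns the 12-month policy from a statement into something the assessor can see being audited.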
Do note that L3 MFA does not allow soft tokens, you'll need a hardware token or biometrics, and this includes key information repositories, which may include apps which do not support MFA.
I've recently done an Essential Eight assessment to L3, and the org, despite having in place BigFix + something else, didn't get past L1 because systems weren't being rebooted, patches weren't being correctly audited and applications had not been correctly identified for the patching solution.
If you're not paying somebody to use the SIEM it's a waste of money, have you defined what logging / retention needs to be done, what your threat actors are, how that's aligned to your risk posture and practical attack scenarios?
Sounds like you're diving in hard, best of luck, not trying to shit on your parade but I'd hate to see you get caught out for some of these things!
Look at PasswordState for Privileged User Access, then put 2FA onto that; thus you enforce 2FA to get to any server/management interface via PasswordState itself, and you don't need to get 2FA working on every other platform.
BigFix is a dog's breakfast; IBM also sometimes don't release their Fixlets (patches) until after 48 hours of release anyway, which makes it impossible to achieve, depending on your software stack.
AlienVault is a good choice for a FOSS SIEM. I echo Airlock as a good whitelisting tool, as others have suggested. Australian as well (in fact, so is PasswordState).
Ivanti is looking good for patching from my evaluation so far; I wasn't paying too much attention to the strict 48-hour timing, but it looks like it'll manage to auto-install updates on a schedule for targeted systems. I'll just deal with ones that fail to start back up in the morning. Did contact HCL re BigFix; after a long delay they got back to me with excuses about the transition from IBM, so I haven't looked it over yet.
Ivanti whitelisting was crap though, designed around path/NTFS-owner-based rules, or manually populated hashes one file at a time. Carbon Black was looking good, but once I saw a demo of Airlock I didn't see the need for an eval; it had all the technical features of CB I'd planned to use, and a much easier interface, plus grouping allow rules into categories so you can come back and know when and why something was allowed will definitely be helpful.
Just bear in mind, depending on how strict your assessor is against Essential 8, it'll almost certainly be exception based around patching, so one system missing a patch = fail.
I thought I'd jump in here.
Before I dive down the rabbit hole, I see people using the terms L2 and L3. I've worked with the ISM my whole career and I've never used those terms.
What EXACTLY are we referring to?
If it's a classification level, then before even looking to get to that, ask the clients why. Because notoriously people over-classify their data.
Also I'd love to know what you got for $150k, considering a documentation suite can run up to 50k depending on what you need.
Oh, you mean the Essential 8 Maturity Model!
Right, so just so I have this correct, you are asking how to get to Maturity 2 in the ASD E8 Top 4?
On the topic of MFA, trying to get RD Gateway with Azure MFA for our vendors' remote access.
Using the NPS MFA extension isn't an option as it only supports voice call / app notification with RD Gateway.
Azure App Proxy should work, but I've been unable to connect on a Win7 client (because of course process control vendors are still running Win 7). If the HTML5 RDWeb worked with App Proxy it would've been a nice solution, but it looks like that's something planned for a future release.
Claim is it'll work on 7 with the RDP ActiveX control: https://docs.microsoft.com/en-us/az...-proxy-integrate-with-remote-desktop-services ...but I feel like that's a lie. Get the usual vague errors on the client, nothing meaningful in the RD Gateway server logs.
Not too sure on the MS equivalent, but is it possible to put an RDP proxy in front via a NetScaler or Pulse Secure type thing?
We went with the NPS MFA RADIUS extension for our VMware Horizon fleet and bolted that on to the UAG. No real dramas from our remote vendor access.
What are people's real-world experiences like with Ivanti for patch management? I'm reading mixed reviews around the traps. We need something to streamline and provide more effective patch management compliance.
Does anyone have experience with some of the other available options?
We used to use Ivanti's LANDesk for maybe 6 years? For a CMDB it was great, and the patch management sort of worked, but it would randomly trigger the patch schedule from a prior weekend and patch core production systems during business hours without warning.
That kind of sucked. Once we got WSUS we kind of just moved to ManageEngine, which was complete hot garbage. That thing was made for SMBs without a domain and just isn't enterprise.
Now we're 100% WSUS and have scripted triggers via https://archive.codeplex.com/?p=poshpaig
Thanks, PoshPAIG looks promising for servers; just need to figure out where we are blocking PsExec in our GPOs. I should add, I had been exploring PSWindowsUpdate as an option for this as well.
From a brief eval run, scheduling and error handling/recovery were pretty crap (compared to something cheap & simple like BatchPatch); product coverage and vulnerability rating capabilities were good.
Anyone attending https://cyberconference.com.au/? Is it any good if you've been before? Apparently you can get the members' discount by signing up for an AISA membership on the spot.
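As an added example (not from any poster here, and not PoshPAIG or PSWindowsUpdate code), this is the exception-based compliance check the 48-hour window and the "one system missing a patch = fail" comment call for, done with nothing more than WSUS and the Windows Update Agent COM API over PowerShell remoting. The host list, the 48-hour threshold and the output path are assumptions; it only scans and reports, because WUA blocks update installation initiated from a remote session, which is why tools like PoshPAIG hand the install step to a local scheduled task or PsExec.

```powershell
# Added example: fleet patch-compliance scan against the 48-hour window.
# Host names, threshold and output path are assumptions. Scan only; WUA refuses
# Install() calls from a remote session, so installs stay with your scheduler.
$hosts = 'ws01', 'ws02', 'srv-app01'      # constructed host list
$windowHours = 48

$check = {
    param($windowHours)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Approved-but-not-installed software updates; hidden ones are excluded.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $cutoff  = (Get-Date).AddHours(-$windowHours)
    $overdue = @()
    foreach ($u in $result.Updates) {
        # LastDeploymentChangeTime is when the update was published or (re)approved.
        if ($u.LastDeploymentChangeTime -lt $cutoff) {
            $overdue += [pscustomobject]@{
                KB        = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
                Severity  = $u.MsrcSeverity
                Published = $u.LastDeploymentChangeTime
                Title     = $u.Title
            }
        }
    }
    # Recent install attempts with ResultCode 4 (Failed); L3 wants these fixed within 48h too.
    $failures = $searcher.QueryHistory(0, 20) | Where-Object { $_.ResultCode -eq 4 } |
        Select-Object Date, Title, @{ n = 'HResult'; e = { '0x{0:X8}' -f $_.HResult } }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        PendingReboot  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        MissingTotal   = $result.Updates.Count
        Overdue        = $overdue
        RecentFailures = @($failures)
    }
}

$results = Invoke-Command -ComputerName $hosts -ScriptBlock $check `
    -ArgumentList $windowHours -ErrorAction Continue

# Exception based, the way an assessor reads it: any overdue update, failed install
# or outstanding reboot makes the host non-compliant and needs a ticket.
$nonCompliant = $results | Where-Object {
    @($_.Overdue).Count -gt 0 -or @($_.RecentFailures).Count -gt 0 -or $_.PendingReboot
}
foreach ($h in $nonCompliant) {
    '{0}: {1} overdue, {2} recent failures, reboot pending: {3}' -f `
        $h.Computer, @($h.Overdue).Count, @($h.RecentFailures).Count, $h.PendingReboot
    $h.Overdue | Format-Table KB, Severity, Published, Title -AutoSize
}
$nonCompliant | Export-Clixml ".\patch-compliance-$(Get-Date -Format yyyyMMdd).xml"
```

Hosts that fail to respond to `Invoke-Command` are as much a finding as hosts with overdue patches (an unreachable box is an unassessed box), so compare `$results.Computer` against `$hosts` before calling the fleet compliant, and keep the exported XML as the audit trail the assessor will ask for.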