Discussion in 'Business & Enterprise Computing' started by evo800v, Apr 25, 2019.
Airlock doesn't need internet.
Not played with that one. My point was more that even just doing the controls requires a butt-load of assessment, more so if you have control networks too; 150k just seems way off.
You can use forwarders etc. to get around other firewalling too, there's always a way bu
I agree the amount of work is huge. This is just whitelisting. You add the other Essential 8 and you have your work cut out for you. The biggest thing here is, without someone checking these logs and SIEM systems, what's the point?
That would be 1 FTE worth of work.
And that's assuming the business doesn't assess it needs a 24/7 capability for response to said alerts generated from the SIEM.
Yep, if you want to remain compliant you have to act on those alerts. It only takes a failed update or one unpatched app and you are non-compliant. Given ML3 is at 48 hours, you need to have weekend staff checking on these things.
At the very least for SIEM, stand up Windows Event Forwarding; your post-incident investigators will be grateful:
This is a rehash of an earlier minimum log level doc published by MS; check the list above the linked section to get a good idea of the dragnet size.
Centralised logging for Windows events can be very cheaply implemented in an air-gapped environment restricting you from using Splunk or an event collector / forwarder.
Some updates since my initial post:
Application whitelisting --> Currently going through Trend Micro application whitelisting atm. We are in the midst of upgrading to Apex One for an EDR solution; since we are already a Trend Micro house, it's a no-brainer.
SIEM --> Using a product called AlienVault (open source) for vulnerability assessment & logging.
IBM BigFix --> Patch management of apps & OSes.
2FA remote lock-down --> RDP sessions & VPN accounts (AuthPoint, WatchGuard vendor-based).
Currently looking into a USB hard-lock key for locking down PCs/laptops into local & AD accounts. AuthLite is inexpensive but seems to do AD only. Is anyone doing 2FA keys/smartcards in their environment to lock down Windows-based systems?
As previously stated, it all comes down to which maturity level you are trying to achieve. Are you just doing the top 4 or all of the E8? I'll assume L3 top 4.
You will need some kind of SIEM to monitor everything, with custom scripts and APIs for monitoring non-generic stuff. It will need to be able to automatically generate tickets so that 48-hour/daily checks are made and actioned.
Application whitelisting - there are a few products out there; Sophos, McAfee ePO and Airlock are all I have experience with. If you don't already have something, Airlock. McAfee is ok, very clunky to use, big learning curve, not the most reliable. Sophos - lockdown only does servers, so you will still need to do endpoints, bit of a waste of time, but very easy and works. Airlock is pretty good from a functionality and user perspective. Make sure they block exe, scripts, dll and installers.
Patching OS/firmware: Seems simple but isn't. If an update fails on one machine it needs to be investigated and remedied within 48 hours. LabTech tools, SCCM and custom scripts will be required for firmware updates. Might not be too bad depending on which vendor your hardware is (if you're a Dell or HP shop); if you have whiteboxes you're f*cked.
Patching applications, drivers: Once again seems simple but it isn't. Lots of tools will only monitor, update and report on a pre-set list of applications, which is unlikely to cover your LOB applications. No one solution is going to cover it all. Once again vulnerability assessments will need to be done. Ninite with LabTech can handle some stuff.
Restricting admin privileges: Once again seems simple, but it isn't. You will need policies to control when admin accounts are created or destroyed, with auditing. Use AD to give admin accounts a 12-month lifespan. Use a PS script to regularly send out lists of admins, so that they can be checked. Everything needs to be ticketed, so the work can be tracked/audited. Use MS application blocker to help make sure whitelists aren't being bypassed (as easily); you will need a forward authentication proxy to block admins from going to the internet/mail etc.
Doing 2FA at L3 is quite painful/expensive. There really is only one player in this game unfortunately.
Do note that L3 MFA does not allow soft tokens; you'll need a hardware token or biometrics, and this includes key information repositories, which may include apps which do not support MFA.
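The "use AD to give admin accounts a 12-month lifespan" and "PS script to regularly send out lists of admins" advice a few posts up is the sort of thing that is easy to say and rarely written down, so here is an added example of what that weekly job can look like (this is not a script anyone in the thread posted). It assumes the RSAT ActiveDirectory module is installed on the host running it, that dedicated admin accounts follow a `*-adm` naming convention (a placeholder convention for this example), and that the report directory, mail addresses and SMTP relay are placeholders to be replaced.

```powershell
# Added example, not from the thread: weekly privileged-account review for an
# auditor-friendly ticket trail. Assumes RSAT AD module; "-adm" suffix, paths and
# mail settings below are placeholders.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Server Operators')
$reportRoot = 'C:\AdminAudit'                    # placeholder path
$today      = Get-Date
New-Item -ItemType Directory -Path $reportRoot -Force | Out-Null

# Helper for the 12-month lifespan: call this when an admin account is created
# (or renewed via ticket) so expiry is enforced by AD, not by a spreadsheet.
function Set-AdminAccountLifespan {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Months = 12)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $today.AddMonths($Months)
}

# 1. Recursive membership of each privileged group, so a nested group cannot hide
#    a member, written to a dated CSV that the ticket can reference.
$members = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser $_ -Properties AccountExpirationDate, LastLogonDate, Enabled
            [pscustomobject]@{
                Group          = $g
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                Expires        = $u.AccountExpirationDate
                LastLogon      = $u.LastLogonDate
            }
        }
}
$csv = Join-Path $reportRoot ("privileged-members-{0:yyyy-MM-dd}.csv" -f $today)
$members | Sort-Object Group, SamAccountName | Export-Csv -Path $csv -NoTypeInformation

# 2. Diff against the previous report so reviewers see additions/removals, not a wall of names.
$previous = Get-ChildItem $reportRoot -Filter 'privileged-members-*.csv' |
    Where-Object Name -ne (Split-Path $csv -Leaf) |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
$changes = if ($previous) {
    Compare-Object (Import-Csv $previous.FullName) $members -Property Group, SamAccountName |
        ForEach-Object {
            $verb = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            "{0} {1} in {2}" -f $verb, $_.SamAccountName, $_.Group
        }
} else { @('(no previous report to compare against)') }

# 3. Admin accounts with no expiry, or expiring inside 30 days: the first is a policy
#    breach, the second needs a renewal ticket before the account silently dies.
$adminAccounts = Get-ADUser -Filter 'SamAccountName -like "*-adm"' -Properties AccountExpirationDate
$noExpiry = $adminAccounts | Where-Object { -not $_.AccountExpirationDate }
$expiring = $adminAccounts | Where-Object {
    $_.AccountExpirationDate -and $_.AccountExpirationDate -lt $today.AddDays(30)
}

$body = @(
    "Privileged group membership changes since last report:"
    $changes
    ""
    "Admin accounts with NO expiry date (policy breach): " + (@($noExpiry.SamAccountName) -join ', ')
    "Admin accounts expiring within 30 days: " + (@($expiring | ForEach-Object {
        "{0} ({1:yyyy-MM-dd})" -f $_.SamAccountName, $_.AccountExpirationDate }) -join ', ')
    ""
    "Full membership list attached: $csv"
) -join "`n"

Send-MailMessage -From 'admin-audit@example.invalid' -To 'secops@example.invalid' `
    -Subject ("Privileged account review {0:yyyy-MM-dd}" -f $today) -Body $body `
    -Attachments $csv -SmtpServer 'smtp.example.invalid'   # placeholders
```

Run it from a scheduled task under a read-only service account and have the mail land in the same queue the SIEM tickets go to; the diff output is what gets actioned, and the CSVs are what an assessor asks to see when checking that the 48-hour and 12-month numbers are more than policy text.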
I've recently done an Essential Eight assessment to L3, and the org, despite having BigFix + something else in place, didn't get past L1 because systems weren't being rebooted, patches weren't being correctly audited and applications had not been correctly identified for the patching solution.
If you're not paying somebody to use the SIEM it's a waste of money. Have you defined what logging / retention needs to be done, what your threat actors are, and how that's aligned to your risk posture and practical attack scenarios?
Sounds like you're diving in hard, best of luck. Not trying to shit on your parade, but I'd hate to see you get caught out for some of these things!