
The Big Picture: Building a security program from the ground up in 365 days

BSides KC · 2021 · 54:05 · 115 views · Published 2021-11 · Watch on YouTube ↗
Speaker: Hudson Bush
Category: Career
Style: Talk
About this talk
Security is not a monolith: there are dozens of domains and areas of focus, and it can be hard to see the big picture. In this talk, I try to unify those domains and show how they can interconnect into a single cohesive security program. At the end of this talk you will have a roadmap for the first year of implementing a security program. Even if security architecture or management is not among your responsibilities, this talk can show you what role your area of expertise plays in the big picture.

Hudson Bush is a wearer of many hats and tries to use that broad experience to connect the dots between the various security domains. His goal is to teach others about the mistakes that he has made so that others don't have to repeat them.

Transcript [en]

I want to take a moment to thank some of our sponsors up here. If you haven't already, step outside after this presentation and check out the interviews we have out there. But thank you to SANS Institute, to Cerner, Sumo Logic, Turner, Red Canary. Thank you all very much; we couldn't do it without you. I'm going to go ahead and turn the mic over. This is Hudson Bush. If any of you have ever tried to put together a comprehensive security roadmap, getting started is very difficult, but we thought, what better way to start the first talk of track two than kind of a big picture

of the security roadmap. And with that, I will turn it over.

Thank you very much. Okay, so normally I start off saying you don't need to take pictures of my slides because they will be online, but in this case I got locked out of GitHub because, yeah, I haven't figured out the MFA yet. So take pictures if you'd like. I have an old version of this on my website that I'll plug at the end. If you need me to send these slides, reach out on Twitter. So, big picture: building a security program from the ground up. I have not given this talk since pre-pandemic; a lot of things have changed in two years. My role has changed a lot in two

years. I've tried to revise a lot of things, but what I talk about may not match the slides because I thought of something on the fly. Background here is that I have worked for a lot of small companies; I've done consulting pretty much my entire career up until about two years ago. So I just did not see anyone talking about the basics, and even more than the basics, talking about how you roll that out, or just even the big picture, which is where I've changed this a little. I used to call this talk "Starting from Scratch: Building a Security Program from the Ground Up in 365 Days." The title now sounds a little more

applicable to some people, because you may not actually be building from scratch. But even if you're not a CSO or security manager or the only security staff, this stuff should be able to give you a good foundation in the many avenues of security. Also, this could probably be an eight-hour training, so I will go fast. So let me get to audience participation. I will not be having a Q&A, for two reasons. One, a lot of us men are dicks and we use Q&A as a chance to tell women speakers how we would have given the talk, so I like to lead the way and say, hey, men are being abusive, you do

not need to do a Q&A, because, yeah, don't do that. But then two, I have a lot to cover and I will not have time. So if you have questions, find me after, tweet me, find my email. If you have questions in the middle, you can yell. If I mumble or talk too fast, which I will, I promise, yell at me; I won't get offended. Same if I use an acronym or concept you don't understand. I'm going through things quickly; I try to elaborate. Let me talk about goals a little bit. I had a huge GRC background, but I

also do a lot of technical work. A lot of us are nerds that like to think from the technical side first and not think of the big picture and how everything fits in. So I'm going to try and move the needle a little bit and say, hey, let's think about how these things fit in, and not just "cool, I made a shiny product." If you're not someone who has to do what I'm talking about directly, I'll touch on all the things; it still gives you a starting place. If you're new to the industry, this should give you a research point for a lot of things. I may talk about something you've never heard

of, because you may not have ever had to do policies or whatever I end up talking about. If you are doing this, hopefully I've done some of the research for you and can give you resources to bring to your management so you don't have to make this stuff up. And the biggest thing that I like to do is talk about our mistakes so that other people don't need to repeat them. I've already made these mistakes; you should make original, new mistakes. So, phases. That's really small; usually it's a much bigger screen, but if you want to take a picture, this is just how I carve things up. But also, nothing is

linear. You may walk into an organization and need to do phase four or three or two in whatever order. There is a reason I've structured it this way, because I have to structure it some way, but things are going to be done in parallel; it's not a linear process. If you're building this in a year, which not everyone's going to, but if you are actually trying to implement this in a year, I like to carve it into quarters. Start with quarter one, phase one: planning and discovery. Gotta understand what you have before you just buy things.

Analysis and documentation: you're gonna do some of that in parallel, but again, document what you just learned in the previous quarter. Then actually do some things in phase three, and then phase four, looking forward, planning for the future. The idea is that once you've started phase one, you're probably gonna do it the whole way down. You're not just gonna go, okay, I only spent three months mitigating, now I'm done; three months documenting, I'm done. No, it doesn't go that way. So phase one, planning and discovery. There's a reason that asset management is the beginning and one of the core things of CIS: you can't secure what you don't know. So we'd

like to come in and think, hey, I really need this new firewall; we talked to a vendor at a con and I need this product. At some point I used to have a little red balloon pop up on almost every slide and say, "Do I buy things yet?" People didn't think it was as funny as I did, and people thought it was annoying, so I got rid of that. But you can imagine it in your head on every slide, and the answer will always be no, pretty much to the very end. You could probably go a year without buying things unless you really are starting from a horrible place.

So, a bit of background about me that I did not talk about: I didn't introduce my employer, so if anyone there is watching, I am doing that now. I work at TT Electronics, a British manufacturing company you've never heard of, but we make a lot of small things that end up in a bunch of things. And we actually own a company called Torotel that's over in Olathe; you might have heard of that. So a lot of this is very manufacturing-focused. I'm gonna try to talk to some of you that might deal with other things, but there's a pretty good bias towards Windows and those

things, but I try and make things universal where possible. So, the very first stage of discovery: you need to build a framework. This isn't just "I'm going to make a bunch of things up and do industry best practice." Industry best practice does not exist; everyone has a different idea, there's not one set of it. Work from a framework, a vendor-agnostic framework. Don't just say, oh, I'm going to use Microsoft security architecture, because at some point you're going to buy something not Microsoft that's not going to fit in there. I will talk in about three slides about why I think ISO is really cool and also some reasons you maybe don't want to use

it. CSF, CIS Controls, but also, if you're doing compliance, that's your framework. I'm gonna talk about it in three slides, but I'm gonna intro it for a second, because you need to understand why the company cares about security, why you care about security. A lot of times we don't stop and think, okay, this company, maybe they just got breached; maybe it's a small company and the owner saw a bunch of stuff about ransomware and doesn't want to lose his nest egg. More than likely it's either a breach or "the government told me to": it's regulation. I have been brought in most places

because of compliance; we see that a lot here. So if you're having to do CMMC, NIST 800-171, PCI even (it's less of a framework), start from there. Don't just say, cool, I'm also going to implement ISO. Do what the business wants you to do. If it's "protect us from ransomware," then maybe don't even start with a framework; maybe just go to CISA and download their ransomware playbook, go through what they tell you to do, and that's your framework for year one, if all you care about is ransomware protection. But these are just three examples. Again, ISO is money: money when you buy the standard

and then money to get certified, but I will talk in a bit about that. Resource assessment: understand, do you have any technical resources? Are you outsourcing? What's your budget? What infrastructure do you already have? Are there some old servers in the closet you can repurpose? I'll talk a lot about that because I like to build Frankenstein's-closet SIEMs with no staff and no dedicated hardware. I think it's fun, but I'm a masochist, so you may not want to do that, but I'll explain to you how you could. Then in discovery, asset discovery: you want to understand your software and hardware; you need to understand what you have.

In user education: has there been anything? Honestly, probably the first thing I'd implement is some sort of phishing simulation, which I don't really like; I'll talk about why I don't like phishing simulation and all that. But I really like the idea of using a survey or a quiz, like the Stay Safe Online stuff. That may be a little basic, but understand where your users are, what they think. Maybe even do a survey to ask what they think about IT and security. Do that at the beginning; it really helps with metrics and all of that. And then use the results of any survey for

targeted user training. You don't have time to train your entire user base at first, probably, when you're doing a bunch of other nonsense. So figure out who needs to be trained first. I don't know why it's that way. So, okay, policies and architecture. Once you've kind of understood what you have (this may be later, once you've had enough time for analysis), this is something that too many people do: everyone hates policies for one big reason. Someone comes in and goes, oh cool, I'm gonna write, like, military-grade or whatever. If you're military, maybe, sure, do those things; military grade doesn't exist, but whatever, you can

talk about that later. But do not write policies with this ideal, "this is the perfect security." Look and see what you are currently doing in the organization and then add 10%, 25%, whatever you can; slowly move the needle. Because if you start with this ideal thing, then no one's going to follow it, because it's 180 degrees or a completely different lane even from what you're doing, and no one can follow it. So don't write impossible policies. Also, this is one of the big theses of my talk: don't start from tools and work instructions and individual processes and work up. Try whenever possible, unless there's one process that's just broken and you have to

do that first, but don't start from the bottom, which is the actual implementation. Try and start from the top at policies and architectures. Understand what you're doing and why you're doing it before you talk about the who, when, and how. On the next slide I'm just going to really briefly explain a little more what policy, procedure, standard, and all that is. I could do a whole, probably four-hour, training on architectures and GRC; I'm not gonna do that. I'm gonna spend like 30 seconds on that slide. But at a high level, policies are "what are we doing"; architectures are "why are we doing it, how do they interconnect, what's the

strategy and the vision" (the actual term is views and viewpoints) and mission. But it's really the why and the strategy. It's not "hey, we click this button on our security mail gateway, on our spam filter"; it's more "how does this spam filter fit in with our bigger picture, and what do we want it to do." And then the policies are, if you have an exception, how you manage that. Not just someone says "I can't get email from Raytheon," okay, whitelist all emails from Raytheon right now. Don't do that. Write your policies and procedures to handle that, and start from the beginning. So policies are "what," going down to architectures, which are "why," procedures

are your "how." These are work instructions. Where we are currently, we have policy, procedure, then work instruction, and they can combine down there, but for most people a procedure is also a work instruction. Now, most people will write a project plan that has a Gantt chart and has all of the "who." That's not what I mean by resource plan here. I mean: do we have any resources? Are we borrowing from IT? Are we using shadow IT for these things? Because you may be the only security person. So the resource plan is: these are the 12 security domains (not .com domains, but lanes), you know, access control, IAM, all those different

things; these are who is responsible for them, how you are resourcing it, what your budget is. And then next is the roadmap. We want to do the roadmap first, but we can't until we understand what, why, how, and who; then we do the when, and even the specific what: we need to protect against ransomware, and there's a specific what down here, which is technical controls. Now, the roadmap comes later, probably three, six, nine months in, not immediately. So this, like I said, I'm going to talk about for seconds, but I have a link to it. This is ComplianceForge; it's their, I think they call it their governance

framework. Google it. But if you're having to write policies, I mean, if you are not a technical writer, have someone else do this. Don't learn a new skill; find someone in legal or hire an intern, something like that, that can do this. But it's really key: your policies, your objectives, your standards and guidelines. And this is really good because we want to start with, like, secure baseline configs, but we need enough standards before we do that. Secure baseline configs are great, but do that before you even say exactly how you're going to implement it through Intune or GPO or Puppet or whatever, however you're implementing it for your environment. Make sure you flow down top-down, or from

here, left to right. But this is great if you have to do GRC and you know nothing about GRC. I define GRC as governance, regulations, and compliance, essentially the whole policy side of things, and more; it's governance. So again, a good resource; I can't dive into that. Cool. Don't know why they're separated like that. Threat modeling: this is key. Threat model at every single stage. Don't just buy this tool because it's a cool shiny thing. You need to know what you're protecting and what you're protecting against. You need to know what the biggest threats in your industry are. There are ways to do that; US-CERT, things like that, is one of the easy ways to look at

reported breaches in your industry and see what kind of attacks are out there against you. Even some of it you can tell: is it going to be opportunistic or is it going to be APT? Chances are, for most companies, unless you're at a big Fortune company, you're dealing with opportunistic attacks. If people don't know who you are without you explaining it in a paragraph, like I had to explain, then chances are you're not dealing with APTs. So threat modeling is kind of risk assessment, and business impact assessment is getting into more of the GRC side of it: estimate what happens to the business if X

happens and what the likelihood of X happening is. Chances are you can't really get into those numbers; that costs. I mean, big firms have huge teams that are just doing risk. So this is where I like to get into: we've always heard the defender's dilemma, that an attacker only needs to exploit one weakness and a defender needs to protect against all weaknesses. It's almost this picture of, like, a boat that's leaking and you feeling like you need to close every single hole. No. I really like to flip that on its head; it's not this defeatist attitude. The reality is, a defender needs to make it too expensive for an attacker to exploit a

target given the value of that target. You may not know the exact dollar amount, but no attacker is going to spend hours and hours and hours if you've closed a few holes. So figure out what the most likely way in is and protect those first. Don't do the cool thing. This whole slide will pretty much boil down to: don't spend an entire year protecting against, like, Spectre and Meltdown when you have Remote Desktop, port 3389, open to the internet. Do the thing that the attacker is actually going to get in on. They're never going to worry about popping you with a Spectre/Meltdown zero-day if they can get in

much easier. So figure out how they're going to do it and what they're going to try and get to before you waste time on the cool shiny thing. And a lot of this comes down to: do not build a security program like it's a blog post or a talk where you need to be all cool and sexy. This is not a sexy talk, and the first year of these things is not sexy, it's not cool. Now everyone leaves because I said, hey, this is a boring topic. Listen to the rest of it, please. But I mean, do the basics. I don't even like calling them that, because they're not basic, but

do the fundamentals first. Do the things that are actually going to bring you value. So, talk with management. You should probably do this the whole way around, but I can only put so many slides in here, and I can only put it in a certain order. So you should probably do this day one, but then also kind of at the end of the quarter. You've got to be checking in with management from day one. You should probably understand business objectives: what are they trying to protect? I talked about it a little more in compliance and all that, but do we care about intellectual property? Are you

making COTS, like commercial off-the-shelf products that you can find the specs for by Googling? Like, maybe you don't care about intellectual property; maybe you only care about compliance; maybe you only care about ransomware; maybe you care about export control needs. Figure out what the business cares about. For a small business, really, usually it's "I'm gonna protect my nest egg," and there's some old owner that doesn't want the company to die before he does. So understand why you're doing it and monitor that. Understand what security policies, procedures, and standards are there, because chances are there's something, and chances are it's bad and you need to rewrite it. When you're talking to management, I

like to increase buy-in. Jake Williams, MalwareJake, just gave a really good talk on this. I did not think it was recorded, but I think he published slides on it. I think he called it something like "Don't Talk Nerdy to Me," and it's explaining blue team to executives. There's been a big talk over the last five years about "don't make security just a cost center, try to make it a profit center." He pretty much says, no, that's [expletive]. Security is never going to make the company money. The keynote actually broke that a little bit: unless you're selling

security services, security is never going to make the company money. But if you're working in manufacturing, compare security to HSE, to health and safety. If you're working in a software company, compare it to QA. This is like asset protection: they already have some framework, they're already spending money somewhere to make sure that they don't lose their assets, you know, security guards, things like that. Equate it to that. No one's sitting there saying, "I'm not going to spend any money on HSE, I don't care if people lose their hands." Like, no one's doing that. Make it correlated to that. Speak in their

language. Understand the industry that you're in. Like I said, software: QA, because you don't want to introduce huge bugs and bring things down. If it's health and safety, cool, whatever makes sense. The way to pitch security as a bit of a profit center is shifting left. I hate buzzwords, but that's the idea, and it's why I'm going to talk about the ISO stuff again. One of the reasons I like ISO even if you don't need it, or more or less getting security certs at the business level that you may not need before you need them, is so you can say,

hey, I know no one asked, but by the way, we have our SOC 2 and we have this and we have ISO; we're doing these things. And training your sales people on security so they talk about it right away can be the differentiator on sales. Again, tailoring it to your business. So it's like a profit-assistance center, not a profit center, but do as much as possible to make it seem to the business like it's not just some cost. But again, there is a great talk from MalwareJake out there that can go into that in a lot more detail than I can.

One of the other big takeaways from that is: be prepared, if you get caught in an elevator or a hallway with someone from the board, to have your 30-second security pitch. Or someone says, "So what do you do in security?" Do you go, "Oh, we scare you"? Like, no, it's cool; you're going to lose 20% of your budget overnight by saying something like that. Have an answer to that. What is your mission statement? How do you protect the business? What are you doing? As soon as possible you need to talk costs and resource issues, because chances are you came in and the budget's already fixed for the year,

so see if you can sneak a little bit of budget in here and there, because you've probably identified a few things that need to be replaced immediately. I think in one or two slides I talk about that. So, phase two: analysis and documentation. I talked about doing some of it, but this is where all the resources and the information you gathered from phase one, you start documenting. Policies could probably go in here too. But vulnerabilities: this is somewhat of an easy win. I don't like to say easy win, but now that you've understood what's out there, understand what vulnerabilities you have. You may not have a vulnerability scanner, so use Shodan

to scan your external vulnerabilities. You may just have to do it manually, but it's also like 60 bucks a month to pay for, or maybe even less; I don't know what it is anymore. It's like 60 bucks a month to pay for the automated stuff. You could probably sneak that in on an expense report and call it a meal. Don't rely on your expense reports, but do it if you need to. So if my employer is watching that... So, assessment. Before you just start blanket patching (patching is great, but this is all about metrics and optics), let's implement a vulnerability scanner beforehand so we can say, hey, here are

all of our vulnerabilities; in one month of maintenance windows and patching we closed all of these. It's up to you if you count the low ones just so that you can show bigger numbers; this is all optics. So, OpenVAS if you're trying to do internal. The reporting is not great. There is some reporting if you use VulnWhisperer and ELK; I'm out of date, but I think you can still get it to integrate. Use open source if you have to; if you can't use the big names, you can... I'm going to talk open source the whole time, assuming you have no budget, but if you can,

Google big vuln scanners, or you can talk to someone in the hallway; I'm sure they'll sell you something if you have budget. Talk about generating differential reports; that's huge. They want to see that you're actually doing something. Talk about Shodan. And prioritize these things: go from high, or even the riskiest things. Don't always just go high, because stuff like I was talking about with Spectre/Meltdown, those are high, but talk about the probability of it actually happening. As soon as you can, patching: do it manually if you have to, do it with WSUS. This may be a really good time to bring

in an MSSP, because patching sucks. And every MSP, MSSP, managed service provider, managed security service provider (so I'm gonna define things), I don't know if you have the time. If you can wrangle IT into doing the patching for you, cool. Don't just think WSUS is free because it's a Windows product. It's not free; it doesn't work unless you have someone really working on it, so it's very high maintenance unless you have experience with it, or if you just rebuild it every month; then that works very well, if you have the staff to do that. Yeah, WSUS just breaks randomly. Cool, we all know about patching, but don't

make patching sound simple. And then also, like I said, I'm talking manufacturing companies, but at this point, if you're an application company, do not just say, cool, we're going to open up a bug bounty; don't jump to this right now. Same thing: don't do a pen test right now, because the thing is, my seven-year-old son could probably figure out how to hack into you at this point. Do not spend a bunch of money on a pen test unless the board is really asking. Same thing with the bug bounty: you don't have the staff at this point to handle a bug bounty or handle the findings from a pen test. Don't do it. You

close some of the gaps before you waste that money. And I guarantee you the board and all those people are going to be asking, hey, why didn't you do a pen test yet? Because it's a waste. Pen test, red team, it's a waste of time at this point. A defensive person can tell you where the gaps are. Wait until you've closed enough of the gaps and have enough staff to deal with the findings. So, sorry if you think of pen

This is something that we have come up with a unique way of doing here. It shouldn't be unique; the reality is, I think it should be very integrated with security, and there should not be these silos. But we have no incident response staff. What we have is: anyone in IT management can be an incident manager, and you have people who are subject matter experts on email or IAM or network or platform, wherever the breach is. There's a skills matrix and they get called in for incidents. That is a cool way to do it; it's cool to upskill people; it's a cool way to limit resource use

and budget. But if you think you're getting rich enough that you need a managed detection and response team, cool. You can also have a retainer with FireEye, maybe Dragos, whoever, whatever industry you're in. But yeah, our CERT team is very spread out and distributed, but that is a cool model. Make sure you have policies, procedures, playbooks, work instructions. There are a lot out there; the Scottish government has some really cool ones, actually. CISA has some good ones. If you are in certain industries, there's a CERT or an ISAC that will probably give you a specific

one for your industry: oil and gas, all that. There's a bunch of them, especially if you're government; there's probably specific tailored ones for you. But also understand breach reporting. Talk to legal about this, and compliance requirements: privacy breaches and all that, there's CCPA and GDPR. But then with CMMC, which is in the military supply chain space, it's like 72 hours after you detect a breach you have to talk to the FBI. Define who talks to the FBI. If you need something special to report, like CMMC and DFARS and all that, you need to have a certificate so that you can upload it to

the portal. Make sure you have that well in advance. Test these things. You don't have to bring in a firm to test these; you can do a tabletop pretty easily. You can find TTPs, tactics, techniques, and procedures; you can run through MITRE ATT&CK. Run through all of these things; do that before you pay a company. Make sure you have even the basics, and you know who your team is and all of that. Have these things defined: have people's phone numbers so you can call them, have their time zones. Don't count on people being available

at certain times. We're a global team, so we have one for each region, and if we don't have someone in a region, people have to kind of go, okay, cool, do you agree to get called at midnight? Have those things. Have TOIL, which is time off in lieu; have those things set up. If you're borrowing people from their normal job, please give them the chance to... if your incident responder has worked like three weeks straight without sleep, give them some amount of time off, some compensation. Don't just pay them in pizza; that's not enough. Change management's not necessarily your job, but it will be if it doesn't happen. So make sure

the organization is implementing change management with peer review, please. Not just "someone recommended a change, they talked to some manager, and this got approved." Require peer review, and not just peer review that says "I agree"; that's not enough. Have a real peer review system. There have been times that I have seen an alert come in at midnight and gone and investigated: we have a new global admin. There was a change request for a new global admin on Office 365; there was a change that I was aware of, to add a consultant in for that reason. Also, probably don't be a global admin if you don't need to; I'll talk about the principle of least privilege in a second. But yeah, change

management: you need to do it, and peer review is great because there are security risks that you may not be aware of. Even track changes that you don't think require approvals; this would be called a normal change. Establish procedures for normal changes, things like database failover and little things that may happen all the time, but track them if you can, even if you just track them as tickets. Track every change that you can feasibly track. If you have a help desk you may have a system for it; if you don't, use a Google Form, use Excel, use an intranet or SharePoint if you have that kind of stuff. Don't

buy something right away; if you aren't using one, Excel is good enough for almost everything you need to do here. Phase three: mitigation and remediation. Again, you may discover something right away with the vulnerability scan that you need to patch day one, because you discovered that something hadn't been patched in some number of years, some systems that no one knew existed. But this is when I really think you should start remediation, though you may find some obvious ones earlier. Discovery for least privilege: you can use PowerShell to discover all sorts of things if you're in Windows environments, but there are other things.

talk to people we uh i worked with an organization years and years ago where the domain administrator password was like common knowledge but we couldn't change it because it was common knowledge so literally set up right in front of the building and every person that walked in you kind of just asked hey um i forgot the admin password can you give it to me kind of broke down everyone's name figure out how many people and then start working with those people that hopefully you don't have to do that um but yeah um i also worked in a place when i was doing merger and acquisition where they had um domain users in domain admins don't do

that fix that right away the reason for that one was that what if someone needs to remote desktop over the vpn to their computer okay there's a lot easier ways to do that even just remote desktop users but there are ways to do that through privileged delegation just look up active directory delegation don't don't do that um so talk to people about those things um there's powershell scripts for discovery there's bloodhound and pink castle which will tell you a lot of these things um too much information and do not blindly implement everything between castle recommends like right away you will break things if you like one two three jesus at a time do it slowly so you know

what bro what you will break things um definitely speaking from experience um you have a lot of local admin you won't know why if you have engineering or software development staff they need it because solidworks are something um requires it and something breaks you can use pracmon um sysinternals tool on windows to see what process that's failing on and it is great um reduction of privileged av accounts you're going to have like nine at least my experience you're gonna have like nine disabled accounts for whatever reason in stimulant domain admins remove those immediately they don't need to be there that's an easy way um report on these metrics report on every metric that you can through this

um i can also i have given an eight hour talk on just after directory security and i talked like two hours on lease privilege so um i've talked for a long time about this easy wins i don't like ignored easy but um yeah okay so um firewall roll closures figure out you're gonna have all sorts of stupid rules do those right away figure out how to move you know things from port 3389 to using vpn or something like zscaler if you're using it session lockout chances are people can stay logged in forever implement a session lockout these are pretty easy prelogon advisory your legal team won't love you but you won't care too much these are easy things you can do without

too much anger do not implement five-minute session logouts ever or honestly even 15 minutes can really piss people off sometimes because every time i sneeze my computer locks out you know figure it out maybe move it down slowly if people are used to leaving their computer open for hours and hours at a time do it slowly account auditing um you're going to have hundreds accounts that don't um they haven't been logged into in forever there's a lot of ways to detect that to that work with hr to figure out what you can remove um have some sort of um permission review quarterly work on that change service account admin passwords that's not an easy win that's very

difficult for service accounts but do it use managed service accounts group managed service accounts and windows do it that's a huge win a service account this domain admin has been you hopefully at this point it's not from admin anymore you can um sean metcalf has a really good blog on how to um reduce service account permissions but like change the passwords please they haven't changed in a very long time in some cases um yes replacement and renewals um good chance to increase security with easy wins um tough renewals but also actually using the tools that you have so um antivirus edr i know that we hate it and we say it doesn't actually stop things

but like to talk to the incident responder if you would actually and looked at the antivirus logs he probably would have caught the attack like months ago but you ignore it so like yeah um if you're using some weird legacy antivirus try an upsell to edr it's usually not that much more money if you're in some cases you're paying for er you're not using it um like use it do that before you pay for some extra tool you know before you get some team if you're not actually looking at your evr logs you're not looking at these things you're not actioning them then um yeah don't pay for something until you're using what you have um network

refresh you you know i've worked in places that have 20 year old asas um this is in the cisco asa firewalls um it's really easy win sometimes because even if it's a lot more money to put in you know fortinet or palo alto or whatever you get places that are paying for like 50 meg and they're getting like half the bank because their asa has been failing for the last 10 years um so sell them on faster internet and and that's an easy one um sometimes you may have really old consumer grade wireless access points i've seen this way too many times replace those with ones with radius people will love you again because you'll speed up their

wireless um so yeah that afternoon i should change now because it means something different than it did two years ago so um okay yeah network refresh switches all of that you know figure out maybe you're using an mpls and you can save money going to sd-wan figure that out um mainly do these if you can save money um at this point i still don't agree with spending money um i like the antivirus and edr a lot because you can do um what a sales person is silence called it is poor man's app white listing you may not have the resources to implement app blocker but you can do a lot of those things with evr tools in kind of a

roundabout way uh you can also get removable media control out of most of these which is great so you don't you know so you can white list those things and act and just block by default um unknown removable media how am i doing oh cool oh i didn't get last one collapse this goes into the um it's local admin password solution there actually was talk a few years ago at cactus con on it's called something clever like running laps around laps there's powershell way to do this better but change your local admin password lapse is a way to do it automatically do not if you're using um if you have passwords in your policy and

you're setting it that way don't do it um the lapse is great it's fairly easy to not easy to roll out but you know if you baseline and excluded your sql servers and a few other things like that at first then you can do it fairly quickly um okay i've been talking fast i got here quicker than i thought so i may ramble about some other things too phase four looking forward this is budgetary planning all of that it's lessons learned and moving it into the next year this is really where you should probably get your roadmap this is really where you're going to start potentially buying tools if you have budget um really start doing maybe some of the fun

stuff or at least planning for it again i'm big on metrics and measuring progress because again so much of this is convincing people why security matters in the direction of doing things and moving the needle um distribute a survey and see how people are happy with you how they're not happy you know give them a chance to complain um so it will measure your use user pain and perceived improvements could have hopefully listened to me at the beginning distributed a survey um allow suggestions some of them you can discard because they're long rants about how i should be allowed access to everything because you should trust me because i'm some great engineer and take it with a grain of salt um

and then you know even do self-assessment with your team and you know figure out where you're at any differential reports do another gap analysis at some point you i must have gotten over that slide at some point but gap analysis is essentially um some people actually don't know this term i thought it was pretty universal but um do a gap analysis at at the beginning and essentially say here's where we want to be and here's where we are what steps and what order we need to do to get there to do another gap analysis and say cool are we actually as far as we thought we are do more vulnerability scans measure your progress on prepare your survey i just

talked about that um you know but really anything you've done documented in detail bullet it in slides make sure everybody of substance to your company knows all the things you've improved um another thing i really like to do um that now i have a little bit of time to talk to is i i really like to not just implement a security tool and um essentially piss off or slow people down think of like i was talking about with the firewall think of ways that your security tool can make people's lives easier click on security um talks says something to the extent of that um security is extreme operational uh excellence it's how can we uh ideally security is the way that we

push to get new software new hardware that will run much better for people you know upgrading windows 10 or 11 should improve people's lives side note i love that windows 11 is requiring tpm i know a lot of people hate it but it is a ballsy move for windows to obsolete old hardware because their biggest problem is legacy systems and interoperability and um yeah so that is great um but moving to those things just moves the needle so much but it also emphasizes to people hey this makes your life easier i haven't talked much about a scene i actually got rid of that because i can give a long talk about building from elastic so um

let's talk i think i have this budget preparation um so set priorities for findings in the last slide you know whatever you found whatever you need for the next year whatever people's pain points are pay attention to it reevaluate your threat model maybe it's changed maybe the industry's changing the year re-evaluate think about an mssp for a sock um so something that i've done is um elastic search is great two years ago was actually not even as great but i still loved it back then um now it's actually they sell a scene so it's free they even have a free edr i've not tested it can't speak to that but they bought me anything which was good back

then and i trust the last thing not great things but some cool idea that you could use is essentially um find out where your old hardware is there's probably enough of it build it a jbod just a bunch of disks um there's bad jokes in there too but um you so so build that out and build centos or now ideally like rocky linux one of those things an elastic and at first you can make it a data lake send all of your stuff there send all of your logs use it just for um you can use it just for compliance and reporting at the end but also there's so much basic rules in there and it's free

um and you know they encourage you to buy some licenses and it's probably good you'll need some support if it's just you but a lot with old hardware and minimal time and money you can you you can do a lot of elastic it'll be your theme you we've even had some luck in getting level one help desk to um essentially level one sock you know they know they're users so if you give them like a azure risky sign in um they can call that user up right away and say hey are you actually in sweden are you actually in tunisia um all those things and i actually i really like those things that come from how fast comes

from someone trusted i don't want to train users to just give security information to random people they've never emailed before so really trying to build that chain of trust um because i mean those are our phishing contexts in our social engineering context right is hey you know um there's a security alert put your information in here don't train your users to give strangers information if you don't know the user try and get a trusted person and email them um so that actually works really well um but you you can you know people love that kind of skill and um so if you can farm out some of your low level stock stuff if you don't actually have to talk to it

and help desk sometimes they love it and then also sell them on hey um email guys our active directory guys by the way here's a bucket of blogs if you want to check anything you know we're checking for security but you may want to check for error logs sell them on hey while you're installing this agent i just want to tell you all the cool things you can get out of here you know network guys may find failures earlier because um they can want their love so don't don't silo this don't make tools only usable for you if you can farm it out to other people um do everything you can to make people's lives easier not harder don't be a time

step try and be a value-add um but you may just at this point say hey this sucks stuff the security operations stuff is hard let's go to an mssp um find a good one there honestly if you're small go to a boutique one that deals with your industry and it's local i love i've i've worked at boutique mfps small msds and mssps my entire career they've been great they can also suck but you can usually find out reputation pretty quickly especially something like b sites you know talk to people here hey that company any good no they suck okay ignore them um start working on mfa hopefully you've turned some of it on by this point

if you're using active directory odd light can actually be great offline is a it is a very cheap small mfa solution it's wonderful if you're using on-premise stuff um look at it it and i mean cheap like perpetual licenses for like ninety dollars a user they have to lose money um network overhaul i talked about that chances are at least in manufacturing where i've always worked is chances are you have a flat network with layer juice which is dump switches yeah do your suggestions for renewal replacement just talk about that hardening um look at your industry they're making hardening guidelines i've always worked in the military supply chain um middle adjacent stuff so i use

dod sticks start from high and move your way down again this is a place with hardening baseline do not just say cool here's every single setting don't go to like microsoft for someone's best practices because microsoft has like 1200 settings at least in just their windows 10 baseline don't don't just turn those on overnight you yeah it'll be horrible turn you go hide like dod stinks hi or cis go you know high down implement those maybe even one setting at a time slowly and have pilot proofs um principle of least functionality comes into that turn off things you don't need separate out server resources talked about scene acronym i kind of made up because there's network based or hardware or

network or post intrusion detection or prevention systems use don't pay for it use smart circada one of those two whichever makes sense chances are one of your vendors will sell you um enrichment rules for them and then use uh bro as well because it's not really an idea but people call it that it's behavior analytics for your um it's you know anomaly detection for your number so um maybe vcap if you have the resource for it uh oh i said bro i'm in c sorry um and then a hard time updating that in my head and then um moloch is really cool for pcap um don't keep those very long because you'll fill up your

hardware very quickly um cool at this point hopefully you've chucked them in more than two times but if you haven't present your budget re-review the whole infosec as an asset protection center or ways that you can embed left into sales um present your compliance improvement goals not just compliance to you know nist or whichever you're trying to comply with but also to your internal policies present your differential reports and explain some advanced concepts um chances are they've been asking you questions like pen tests or different things um tell them why i know don't just give a quick note tell them explain to them hey i have a plan this is all my roadmap here's why i don't want to bug bounty

tomorrow because i'm gonna overwhelm our team and there'll be a bunch of bugs out there that people now know about as responsible disclosures so um tldr not everyone knows what that means you guys spend less time on the internet than me for whatever reason a lot of people didn't know tldr is too long and read um so that's everything i've covered um do things based on priorities don't just make [ __ ] up in your head um threat model all the things um you know again don't make it up in your head discover things know what's out there asset management educate all the users not really i actually recommend educating your high risk users something i didn't talk

about that i promised to get back to is that is um fishing simulation i hate it you can do it if you need to but i hate it because it just breaks your trust with users if you have something like proofpoint it'll tell you who are your risky clickers who your various tech people target them you can see reports in almost every email gateway who's clicking the links go to them first don't drink users trust figure out you know proofpoint will say hey we sent this email to this person because we didn't think it was risky then they clicked it after we realized it was riskier before blah blah blah and so you should probably talk to this

person because they've done that like 36 times this month and that's real things that happen um so yeah to try not to do anything to break stress with your users don't lie to them i i just think there are ways to do fishing training well also don't just turn on uh not before with every rule i've heard horror stories there's one in there that's like talk to hr because you've got uh you you've been accused of sexual harassment that's a really good way to never be able to do fishing simulation again and no yeah if they went to like a head of sales or something um and they went and yelled and said why are you accusing me

of this i've never blah blah and then if someone's that defensive it probably means they did but that's aside from this um that's probably a good red red herring there um but don't don't do things that break use or stress just don't probably make that a whole slide because we like to be manipulative and sleazy um back up all the things um do it disaster recovery business continuity figure out your rtos rpos if you don't know all those hopefully you have a backup team um i like to open source all the things i think they're great and i don't always trust vendors um and a lot of times with open source it's easier to take your data somewhere else

because there's more interoperability if you have budget maybe don't and then buy all the things eventually hopefully you've listened to me and you have not bought anything this year okay um resources um if you're taking pictures some of this is outdated i'll give it a second picture this is an older version of this is on my website which again is in two slides but cuts through a bunch of the resources that i mentioned cool the resources continued [Music] lots of cool things um again slides online implement these free-ish things before you pay money um and then my website is homebrewedsec.com um there's one in one of these online uh once i figure out how to get into github

i will publish today's talks um there's a hashtag at the bottom i'll check it if you i guess i didn't read pro that at the beginning but if you have any thoughts on this talk or you've been live tweeting i hope you tagged it with infosection 365 and then um you can mean tweet me or subtweet me on twitter and the conference plug um i'm sure you'll probably introduce this but you know give feedback if i didn't explain things and i stopped let me know i'd like to improve this site given this talk a bunch of times and every time i make changes so tell me how to make changes

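The least-privilege discovery the talk describes (Domain Users nested in Domain Admins, disabled accounts still sitting in privileged groups, accounts nobody has logged into in forever, and service accounts whose passwords have not changed in years) can be pulled out of Active Directory with a single read-only pass. The script below is an added example written for this page; it is not the speaker's code or material from the talk. It assumes the RSAT ActiveDirectory module on a domain-joined host with ordinary read access to the directory. The list of privileged groups and the day thresholds are assumptions to tune for your environment, and it changes nothing: it only produces the findings list and the metrics the talk says to report on.

```powershell
# Added example (editor's code, not from the talk): read-only Active Directory
# least-privilege discovery. Requires the RSAT ActiveDirectory module and read
# access to the directory. Privileged group list and thresholds are assumptions.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [int]$StaleDays = 90,                  # no logon in this many days counts as stale
    [int]$ServicePasswordMaxAgeDays = 365, # service account password older than this is flagged
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [string]$ReportPath = ".\ad-privilege-review-$(Get-Date -Format 'yyyyMMdd').csv"
)

Import-Module ActiveDirectory -ErrorAction Stop
$now = Get-Date
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Category, [string]$Object, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Object = $Object; Detail = $Detail })
}

# Walk group nesting ourselves: Get-ADGroupMember -Recursive flattens to leaf
# objects and would hide a whole group (such as Domain Users) nested inside.
function Get-NestedGroups {
    param([string]$Group, [hashtable]$Seen = @{})
    $nested = Get-ADGroupMember -Identity $Group | Where-Object { $_.objectClass -eq 'group' }
    foreach ($g in $nested) {
        if (-not $Seen.ContainsKey($g.distinguishedName)) {
            $Seen[$g.distinguishedName] = $true
            $g
            Get-NestedGroups -Group $g.distinguishedName -Seen $Seen
        }
    }
}

foreach ($group in $PrivilegedGroups) {
    # Broad groups nested in a privileged group make every account privileged: fix these first.
    foreach ($g in Get-NestedGroups -Group $group) {
        if ($g.Name -in @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')) {
            Add-Finding 'BroadGroupNested' "$group <- $($g.Name)" 'Whole domain is effectively privileged; remove and use AD delegation instead'
        }
    }
    # Leaf user members, fetched with the attributes needed to judge them.
    $users = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate, ServicePrincipalName }
    foreach ($u in $users) {
        if (-not $u.Enabled) {
            Add-Finding 'DisabledPrivileged' "$group\$($u.SamAccountName)" 'Disabled account still in a privileged group; remove it'
        }
        if ($u.ServicePrincipalName.Count -gt 0) {
            Add-Finding 'ServiceAccountPrivileged' "$group\$($u.SamAccountName)" "Service account (has SPN) in $group; reduce rights or move to a gMSA"
        }
        if ($u.PasswordNeverExpires) {
            Add-Finding 'PasswordNeverExpires' "$group\$($u.SamAccountName)" 'Privileged account with a non-expiring password'
        }
    }
}

# Stale enabled accounts. LastLogonDate is derived from lastLogonTimestamp, which
# replicates with up to ~14 days of slack, so treat it as approximate and
# confirm with HR before disabling anything.
$staleCutoff = $now.AddDays(-$StaleDays)
Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object { ((-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $staleCutoff)) -and ($_.whenCreated -lt $staleCutoff) } |
    ForEach-Object {
        $last = if ($_.LastLogonDate) { $_.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' }
        Add-Finding 'StaleAccount' $_.SamAccountName "Enabled, last logon $last; confirm with HR and disable"
    }

# Service accounts (user objects carrying an SPN) with very old passwords.
# gMSAs are separate object types and are not returned by Get-ADUser.
$svcCutoff = $now.AddDays(-$ServicePasswordMaxAgeDays)
Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and ((-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $svcCutoff)) } |
    ForEach-Object {
        $set = if ($_.PasswordLastSet) { $_.PasswordLastSet.ToString('yyyy-MM-dd') } else { 'never' }
        Add-Finding 'OldServicePassword' $_.SamAccountName "Password last set $set; rotate it or migrate to a gMSA"
    }

# Report: counts per finding type for the status deck, detail rows for the ticket queue.
$findings | Group-Object Category | Sort-Object Count -Descending |
    Select-Object @{ n = 'Finding'; e = { $_.Name } }, Count | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Wrote $($findings.Count) findings to $ReportPath"
```

Run it as-is for a first baseline, then re-run it after each cleanup pass and keep the CSVs: the falling counts per category are exactly the kind of differential metric the talk recommends putting in front of management. Nothing here removes or disables an account; the talk's advice to move slowly and check with HR applies to every row.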