A good friend who's a cybersecurity consultant to SMBs shared with me some of his dilemmas with the companies he is working with. Most of these companies don't have a dedicated security person, and the daily tasks of maintaining and operating security tools fall to the IT administrator.
It got me thinking about the kind of insights I would like to share with those IT administrators or junior security officers when they have to deploy and operate security tools in a green-field company.
Don't get me wrong; policies, procedures and what is generally known as cybersecurity hygiene can get you far with respect to security maturity, and maybe in a future article I will address them, but this piece of advice covers technology only.
The big challenge for those small to medium (and sometimes even large) companies is usually a serious lack of resources, both in manpower and budget, so the choice of tools has no margin for error.
The selection of security tools must provide the best affordable security and be manageable within the limitations of budget, manpower and even the security proficiency needed to operate them.
So, suppose the company can only afford three security tools (and for the sake of simplicity let's assume that all tools cost roughly the same). This is my advice on the most effective security controls such a security leader should have.
Number one – The good ol' firewall, which in many companies belongs more to the IT department. No security arsenal is complete without it, as it provides all kinds of abilities for both detection and prevention of network attacks.
Even a basic firewall, or one with a small set of extensions, can support IPS capabilities and even basic URL filtering (web surfing). Most IT guys are quite familiar with its workings and can handle firewalls with great efficiency.
In practice, maintaining a well-managed firewall in an SMB has a greater chance of success than in larger companies. Fewer servers, users and challenging environments mean better rules and tighter access limitation without a myriad of constraints from business requirements. The firewall administrator can literally shape the network and its access points (especially by limiting and hardening external access such as the firewall's VPN for remote access).
Number two - The next-generation anti-virus, or by its better-known name, EDR (Endpoint Detection and Response). The current EDR market offers a wide selection of excellent solutions. A good EDR detects and prevents many threats, ranging from traditional AV signatures (which surprisingly still carry their weight for malware detection) through user behavioral analytics to advanced attack techniques. I have even encountered EDRs that autonomously deploy different honeypots across the endpoints to lure attackers.
Most EDRs use the same management console and agent for workstations and servers. The ability of an EDR solution to apply automated responses to different types of threats covers a lot of old-school manual malware analysis and saves time when your network is under attack.
The downside of EDR is that it requires a good understanding of cyber-attack techniques to differentiate between real attacks and false positives caused by legitimate applications and users. That is why I strongly recommend that companies with no or a very small security team look for Managed Detection & Response when purchasing an EDR.
In spite of these tools' amazing ability to stop malware, they require experience and knowledge to fine-tune. It's worth the extra cost to let experts handle it for you, providing quicker response times to cyber-attacks along with the peace of mind it grants.
Number three - The final contender in this very short list, despite strong competition, is an email security solution. Most cyber-attacks come through this doorway. For attackers, this vector is cheap, easy and preys on the human factor, which sadly will always be a weak link.
It is important to secure that entrance to the company network. Pick a solution that has domain reputation checks, file filters, spam filters and a sandbox to look for malicious attachments. The majority of these tools are easy to deploy and come with good pre-configured rules, which means a quick and effective security layer without much deployment tuning. You'll be surprised at the sheer amount of email those tools block.
That’s it. Use those recommended tools wisely and you’ll get more than decent security.
Should you stop there? Of course not. There are literally dozens of security tools to help protect the company. Choose carefully according to your company needs and risks.