ESP has marked 2020 with a raft of new security measures. Some had long been in the planning, some were expedited through discussions with a new client, and some respond to the increased demand for workplace mobility brought on by COVID-19.
These measures include:
- Adding two 24/7/365 Security Operations Centers
- Deploying a new SIEM solution with more advanced capabilities
- New Security Awareness Training platform
- Improving standards for the remote workforce
- Improved data governance controls
- Planning and beginning implementation of additional items for Q3-Q4
24/7/365 Security Operations (2x!)
Due in part to the increase in remote workers during COVID-19, the need for deeper and more thorough security analysis led us to implement two new, separate managed detection and response (MDR) services.
Rapid7 InsightIDR / MDR
Having used AlienVault for correlating company-wide security logs and metrics since 2013, ESP opted this year to transition to a more comprehensive platform paired with 24/7/365 dedicated security analysts. Beginning in 2019, we evaluated Exabeam, LogRhythm, and other industry leaders before deciding on Rapid7’s InsightIDR / MDR platform.

By correlating events from Active Directory, Microsoft 365, and other sources, we know who attempts to log in, when, from where, and how.
Through InsightIDR, we collect intrusion detection, firewall, server and service logs, and are able to digest and present these so that security threats can be identified quickly and responded to in real time.

ESP’s internal Intrusion Detection System feeds into Rapid7 InsightIDR, allowing us to quickly identify threats and pivot to targeted log searches across everything from authentication logs to VPN access to SentinelOne.
In addition to our own security log review procedures, our team is augmented by an SLA-backed Security Operations Center (through Rapid7’s MDR service) staffed with industry professionals who live and breathe information security.

Through this platform, we now ingest over 25 million events (about 15 GB) per day, and growing, all of it used to keep member data safe.
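As an added example (not InsightIDR’s code, and not ESP’s), the following script shows the kind of sign-in correlation described above, run over a handful of constructed log events. It joins Active Directory and Microsoft 365 records per user and flags a success from a source never seen for that user, and a success preceded by a burst of failures from the same source, counted across both log sources. The event shape, the baseline, the 10-minute window and the failure threshold are all assumptions for illustration.

```python
"""Added example, not InsightIDR's code: sign-in correlation across AD and
Microsoft 365 records, flagging (a) a success from a source never seen for
that user and (b) a success preceded by a burst of failures from the same
source, with failures counted across both log sources."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a normalized shape (as one would get after parsing
# Windows 4624/4625 events and Azure AD sign-in logs). Not real ESP data.
EVENTS = [
    {"ts": "2020-06-13T01:10:00", "src": "ad",   "user": "jdoe",   "ip": "10.1.4.22",    "ok": True},
    {"ts": "2020-06-13T01:12:00", "src": "m365", "user": "jdoe",   "ip": "203.0.113.9",  "ok": False},
    {"ts": "2020-06-13T01:13:00", "src": "m365", "user": "jdoe",   "ip": "203.0.113.9",  "ok": False},
    {"ts": "2020-06-13T01:14:00", "src": "m365", "user": "jdoe",   "ip": "203.0.113.9",  "ok": False},
    {"ts": "2020-06-13T01:15:00", "src": "ad",   "user": "jdoe",   "ip": "203.0.113.9",  "ok": False},
    {"ts": "2020-06-13T01:16:00", "src": "ad",   "user": "jdoe",   "ip": "203.0.113.9",  "ok": False},
    {"ts": "2020-06-13T01:17:00", "src": "m365", "user": "jdoe",   "ip": "203.0.113.9",  "ok": True},
    {"ts": "2020-06-13T01:20:00", "src": "m365", "user": "asmith", "ip": "198.51.100.7", "ok": True},
    {"ts": "2020-06-13T01:25:00", "src": "ad",   "user": "bob",    "ip": "10.1.4.31",    "ok": False},
    {"ts": "2020-06-13T01:26:00", "src": "ad",   "user": "bob",    "ip": "10.1.4.31",    "ok": True},
]

# Constructed baseline: source IPs each user was seen from in the prior 30 days.
BASELINE = {"jdoe": {"10.1.4.22"}, "asmith": {"10.1.4.31"}, "bob": {"10.1.4.31"}}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, baseline, window=timedelta(minutes=10), threshold=5):
    """Return alerts in time order. `window` and `threshold` are assumed
    tuning values, not InsightIDR settings."""
    alerts = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for ev in sorted(events, key=_ts):
        key, now = (ev["user"], ev["ip"]), _ts(ev)
        # keep only failures inside the sliding window
        failures[key] = [t for t in failures[key] if now - t <= window]
        if not ev["ok"]:
            failures[key].append(now)
            continue
        if ev["ip"] not in baseline.get(ev["user"], set()):
            alerts.append({"rule": "new_source", "user": ev["user"], "ip": ev["ip"],
                           "ts": ev["ts"], "via": ev["src"]})
        if len(failures[key]) >= threshold:
            # Neither source alone shows five failures here (3 in M365, 2 in AD);
            # the joined view does, which is the point of correlating sources.
            alerts.append({"rule": "brute_force_success", "user": ev["user"], "ip": ev["ip"],
                           "ts": ev["ts"], "failures": len(failures[key])})
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, BASELINE):
        print(alert)
```

Run as-is, the script emits three alerts: a new source and a brute-force success for jdoe (the five failures are only visible once the AD and M365 records are counted together), and a new source for asmith. bob’s single failure from a known address produces nothing, which is the behaviour you want from a rule that is supposed to be quiet.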

New IDS
As part of the InsightIDR deployment, we added a new Intrusion Detection System which inspects all traffic between servers for attack patterns. One component, Squert, also lets us browse captured traffic related to alarms, so we can analyse threats at the packet level.

Blackpoint MDR
An additional solution we implemented, Blackpoint provides a third set of eyes on the security state of our infrastructure, this time looking specifically for indications of an active malicious actor attempting to compromise and pivot through the network.
Blackpoint, like Rapid7 or SentinelOne, can also quarantine assets in response to a network threat, and additionally gives insight into actions such as the use of a new USB device or the use of PowerShell.

Darn USB headsets
Soon after any threat is uncovered, a dedicated analyst is notified and reviews the available information to determine whether (and to what extent) a real threat is present.

Blackpoint analyst responding to our environment at 1:26 AM on a Saturday
New Security Awareness Platform
To help mitigate the risk from ever more advanced spear-phishing campaigns, and the statistical reality that most breaches result from employee error rather than a technically sophisticated adversary, we have implemented the KnowBe4 training platform and integrated it into a yearly training cycle.
KnowBe4
KnowBe4 has a wide array of training spanning from entry-level content to high-level security training. The various forms of training, videos, quizzes, articles, and scavenger hunts to name a few, provide an in-depth level of knowledge in an easy-to-digest format that breaks up the monotony of normal security training. The tracking and scheduling system makes it easy to isolate users who require training and automatically assign said training to them to ensure everyone is up to date on current practices.
Shaquille Worthy
Through KnowBe4, ESP provides routine twice-yearly security awareness training in addition to quiz-based learning assessments, and quarterly phishing campaigns are used to gain insight into the real state of employee awareness.


We’ve ramped up training in the last round, in response to a higher rate of click-throughs on a simulated phishing campaign
Standards for Remote Work
For those ESP employees who have been working from home for the last several months, we’ve used a combination of automated asset inventorying and manual validation to ensure that all endpoints (remote or not) are covered by a set of agent-based applications that monitor and respond to security threats.
Agents for the remote workforce

SentinelOne helps security analysts by providing detailed timelines and process trees of detected threats
- SentinelOne – Implemented in 2019, this AI-powered anti-malware solution can automatically respond even to novel threats, providing detailed timeline and process information
- Rapid7 – 24/7 managed detection and response agent, which collects security information from each endpoint
- Blackpoint – 24/7 managed detection and response agent, which focuses on detecting real-time malicious actions and breaking the kill chain
- Automox – Policy-driven automated patch and software management solution
- Duo Mobile – Multi-factor authentication solution used for remote access to ESP resources
Fileserver Enhancements
The humble file server is no exception to our efforts this year. This applies more to corporate data specifically than the other items, but we’ve built new technical controls to govern how our files are stored and monitored:
- Strong encryption is required in transit and at rest
- Granular permissions for each share and folder are governed by a declarative YAML configuration, applied twice-hourly by Puppet to prevent drift
- Azure Information Protection (see below) monitors the server for signs of sensitive data
- Host-based agents, including Rapid7’s, are configured for overall security monitoring as well as file integrity/access monitoring
Configuration example (two fragments; indentation reconstructed from the flattened text)
```yaml
apps:
  attributes:
    type: Generic
    path: Approved Apps
    name: Approved Apps
    default_access:
      - All Staff
    default_admin:
      - IT
      - Programming
  directories:
    drivers:
      path: Drivers and Utilities
      owner: IT
```
```yaml
apps:
  type: Generic
  access:
    default:
      granted_users:
        myuser:
          - full
      granted_groups:
        Interns:
          - read
```
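A declarative configuration only prevents drift if something regularly reduces it to an expected ACL and compares that to what the host actually has. As an added example (not ESP’s Puppet module), the script below does that reduction for a share definition shaped like the two YAML fragments above, merged into one share, and diffs the result against a constructed "observed" ACL. The page does not spell out what the shorthand keys mean, so the semantics (default_admin = full, default_access = modify, owner = full on that directory, explicit grants with the strongest right winning) are assumed, as are the principals and the observed state.

```python
"""Added example, not ESP's Puppet module: reduce a share definition shaped
like the YAML above to an explicit per-directory ACL, then diff it against the
ACL observed on the host. That diff is the 'prevent drift' check: whatever is
applied every half hour should match what the server actually has."""
from typing import Dict, List, Tuple

# Desired state: the two YAML fragments above merged into one share, as a
# Python dict so this runs without a YAML library. Names are illustrative.
DESIRED = {
    "apps": {
        "attributes": {
            "type": "Generic",
            "path": "Approved Apps",
            "name": "Approved Apps",
            "default_access": ["All Staff"],
            "default_admin": ["IT", "Programming"],
        },
        "directories": {
            "drivers": {"path": "Drivers and Utilities", "owner": "IT"},
        },
        "access": {
            "default": {
                "granted_users": {"myuser": ["full"]},
                "granted_groups": {"Interns": ["read"]},
            }
        },
    }
}

# Assumed semantics of the shorthand keys (the page does not define them):
#   default_admin  -> "full"   on every directory in the share
#   default_access -> "modify" on every directory in the share
#   owner          -> "full"   on that directory only
#   granted_users / granted_groups -> explicit rights; the strongest one wins
RANK = {"read": 1, "modify": 2, "full": 3}
Acl = Dict[str, str]        # principal -> right
ShareAcl = Dict[str, Acl]   # path -> Acl


def _grant(acl: Acl, principal: str, right: str) -> None:
    if RANK[right] > RANK.get(acl.get(principal, ""), 0):
        acl[principal] = right


def effective_acl(share: dict) -> ShareAcl:
    attrs = share["attributes"]
    base: Acl = {}
    for g in attrs.get("default_admin", []):
        _grant(base, g, "full")
    for g in attrs.get("default_access", []):
        _grant(base, g, "modify")
    default = share.get("access", {}).get("default", {})
    for kind in ("granted_users", "granted_groups"):
        for principal, rights in default.get(kind, {}).items():
            for right in rights:
                _grant(base, principal, right)
    result: ShareAcl = {attrs["path"]: dict(base)}
    for d in share.get("directories", {}).values():
        acl = dict(base)
        if "owner" in d:
            _grant(acl, d["owner"], "full")
        result[attrs["path"] + "/" + d["path"]] = acl
    return result


def drift(desired: ShareAcl, observed: ShareAcl) -> List[Tuple[str, str, str, str]]:
    """Every (path, principal, expected, actual) that differs. A '-' in the
    expected column is an ACE nobody declared, which is the case that matters:
    that is how a share ends up readable by Everyone months after it was built."""
    out = []
    for path in sorted(set(desired) | set(observed)):
        want, have = desired.get(path, {}), observed.get(path, {})
        for p in sorted(set(want) | set(have)):
            if want.get(p) != have.get(p):
                out.append((path, p, want.get(p, "-"), have.get(p, "-")))
    return out


# Constructed "observed" ACL, as a collector on the file server might report it:
# someone added Everyone:read to the share root by hand, and IT lost its full
# right on the Drivers directory.
OBSERVED = {
    "Approved Apps": {"IT": "full", "Programming": "full", "All Staff": "modify",
                      "myuser": "full", "Interns": "read", "Everyone": "read"},
    "Approved Apps/Drivers and Utilities": {"IT": "modify", "Programming": "full",
                                            "All Staff": "modify", "myuser": "full",
                                            "Interns": "read"},
}


def report() -> List[Tuple[str, str, str, str]]:
    return drift(effective_acl(DESIRED["apps"]), OBSERVED)


if __name__ == "__main__":
    for path, principal, want, have in report():
        print(f"{path}: {principal} expected={want} actual={have}")
```

The run reports two findings: an undeclared Everyone:read on the share root, and IT holding modify instead of full on the Drivers directory. A configuration-management run would correct both on its next pass; the value of the diff is that it also tells you the drift happened, which is the part worth alerting on.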
Plans for the next six months
For Q3-Q4, ESP has begun the process of implementing several other solutions to further enhance our security posture; some of these are listed below:
- Wazuh – Additional host-based intrusion detection system, with file integrity monitoring (to complement the functionality of Rapid7) and centralized vulnerability management (to replace the functionality previously used in AlienVault)
- Azure Information Protection – Microsoft product which allows us to automatically detect sensitive data, as well as to provide selective encryption and authorization functionality for individual files and emails
- Eramba Enterprise – New Governance, Risk, and Compliance software suite designed to facilitate faster audit cycles and to map between identified risks, compliance items, technical controls, policies and procedures
Wazuh
We began working on this product in early July and are roughly halfway through deployment. Primarily, we are using it to cover these key areas:
- Vulnerability assessment
- Security baseline measurement

Wazuh provides intuitive dashboards for discovering and researching vulnerabilities




