How to run Security Operations on a budget
Introduction
The objective of this blog post is to offer practical guidance to small businesses and non-profit organisations that sit below the "Cyber Security Poverty Line": organisations that lack the money and the people to implement extensive security measures. It is nevertheless crucial for organisations of every size and budget to work towards a robust security posture. As the American cryptographer Bruce Schneier put it, "Security is a process, not a product", and that principle should be kept in mind throughout.
Know your assets
In my opinion, the first important step an organisation should take to secure its network is to build a list of every asset it owns: servers, workstations and laptops, network devices, cloud and SaaS accounts, and the data they hold. You cannot patch, monitor or log something you do not know exists, so this list maps out your attack surface and shows where security controls need to be placed. The Center for Internet Security (CIS) provides a free asset tracking spreadsheet that can serve as a lightweight Configuration Management Database (CMDB) for managing those assets.
CIS Benchmarks
Once you have a comprehensive asset list, the next step is to follow recognised guidance rather than inventing your own. The CIS Benchmarks from the Center for Internet Security (CIS) are one such example: they are globally recognised, consensus-developed configuration guides for operating systems, cloud platforms, network devices and common applications, and they describe how to harden each one. Work through the relevant benchmarks systematically, starting with the Level 1 profile, and make gradual improvements to your security controls. If you want a prioritised roadmap across the whole organisation rather than per-product hardening, the companion CIS Critical Security Controls define Implementation Group 1 (IG1) specifically for organisations with limited resources. This makes CIS an effective starting point for small businesses that cannot invest in expensive cybersecurity solutions. The complete list of benchmarks is published on the CIS website.
Business requirements and risk
Balancing business requirements against risk in security operations, particularly on a budget, requires judgement. Begin by understanding the business's operational needs and goals: which data must be protected, which systems are in use, and which types of threat are relevant to your sector. Then perform a risk assessment to identify the vulnerabilities and threats that apply to those assets and operations. Risk can be expressed in terms of potential financial loss, reputational damage or operational disruption, and scored as the product of likelihood and impact. With this information, prioritise resources by the severity and likelihood of each risk. The most cost-effective approach is to mitigate high-impact, high-probability risks first, and to accept or transfer the low-impact ones explicitly rather than leaving them unexamined.
Cost-effective changes
Changes that require no third-party services should be your first point of consideration. The most obvious is enabling multi-factor authentication (MFA) on every account that supports it, starting with email and administrator accounts. Note that not all MFA is equal: SMS codes and one-time passwords can be relayed by attacker-in-the-middle phishing kits, whereas FIDO2/WebAuthn security keys and passkeys are bound to the site's origin and resist this. Next, review your access management so that no user account holds more privilege than its job requires: separate day-to-day accounts from administrative ones, and remove local administrator rights from standard users. Finally, make sure all servers and workstations are patched promptly, enabling automatic updates where you can, so that attackers cannot exploit vulnerabilities for which a fix already exists.
Another change that costs nothing is application allow-listing (often called whitelisting), which Windows supports natively through AppLocker and Windows Defender Application Control (WDAC). Only executables, scripts and installers approved by an administrator can run, so a user who is tricked into downloading malware can still save the file but cannot execute it. This is particularly valuable for organisations with limited resources or budgets, such as those without an EDR tool in place. Two practical caveats: deploy the policy in audit-only mode first and review the event log for what would have been blocked, because an enforced policy that breaks a line-of-business application will be switched off quickly; and do not rely on the default path rules alone, since "allow everything under C:\Windows" also covers a handful of directories that standard users can write to (C:\Windows\Temp and C:\Windows\Tasks are the usual examples), so add exceptions for those or prefer publisher rules where software is signed.
Enabling logs for visibility
One of the most important things any organisation can do is ensure that logs are enabled, so that when an alert fires you can investigate and build a chronology of events. Endpoint logs are the prime example. On Windows this can be achieved free of charge with Sysmon, a Sysinternals tool that writes rich events to the Microsoft-Windows-Sysmon/Operational log: process creation with command lines and hashes (Event ID 1), network connections (Event ID 3), registry changes (Event IDs 12 and 13) and DNS queries (Event ID 22), among others. Sysmon does little without a configuration file, so start from a well-maintained community configuration such as SwiftOnSecurity's sysmon-config or Olaf Hartong's sysmon-modular and tune from there. With that in place you can detect suspicious network connections, spot malware that hides by using the name of a common system process but runs from the wrong directory, and track registry modifications associated with common persistence techniques. Make sure the logs are shipped off the endpoint, or an attacker who gains administrator rights can simply clear them.
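As an added example (not from the original post and not part of the Sysmon project), here is a small Python detector that applies the three checks described above to Sysmon events: a system binary name running from the wrong directory, an Office application spawning a script host, an outbound connection from a binary that should not need the network, and a write to a Run key. The events are constructed for the example and use Sysmon's EventData field names (EventID, Image, ParentImage, TargetObject); the list of system binaries and their expected directories is an assumption based on a default Windows layout, and the rules would need tuning before production use.

```python
import ntpath

# Assumption: a default C:\Windows layout. Malware commonly names itself after
# these binaries, which legitimately run only from the listed directories.
EXPECTED_LOCATIONS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Binaries that rarely need the network themselves; an outbound connection is worth a look.
NET_SUSPECTS = OFFICE_APPS | {"mshta.exe", "regsvr32.exe", "certutil.exe",
                              "wscript.exe", "cscript.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def split_image(path):
    """Split a Windows path into (directory, filename), both lower-cased."""
    return ntpath.split(path.lower())


def check_event(ev):
    """Return the names of the detection rules that fire for one Sysmon event."""
    hits = []
    img_dir, img = split_image(ev.get("Image", ""))
    if ev["EventID"] == 1:                                # process creation
        expected = EXPECTED_LOCATIONS.get(img)
        if expected and img_dir not in expected:
            hits.append("masquerading_system_binary")
        _, parent = split_image(ev.get("ParentImage", ""))
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
    elif ev["EventID"] == 3 and img in NET_SUSPECTS:      # network connection
        hits.append("unexpected_outbound_connection")
    elif ev["EventID"] == 13:                             # registry value set
        target = ev.get("TargetObject", "").lower()
        if any(k in target for k in RUN_KEYS):
            hits.append("run_key_persistence")
    return hits


def detect(events):
    """Run every rule over a list of events; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample events using Sysmon's EventData field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({SAMPLE_EVENTS[idx]['Image']})")
```

In practice these events arrive as XML from the Sysmon operational log via a log shipper; the rules are the same once the fields are flattened. Event IDs 3 and 13 only appear at all if your Sysmon configuration includes them, which is one reason to start from a community configuration.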
The vital role of a firewall
By applying explicit rules for what traffic is allowed and what is not, a firewall prevents unauthorised access to internal systems, limits which services are exposed to the internet, can block known-malicious traffic, and stops a compromised host from reaching out freely. Again, if you do not have the budget for a commercial appliance, there are a number of free solutions.
IPFire is one such solution: an open-source firewall distribution that supports a DMZ zone, allowing organisations to segment their network and keep sensitive resources separate from internet-facing assets. It provides VPN support (IPsec and OpenVPN) so that employees can reach the network securely from remote locations, and it includes an intrusion prevention system built on Suricata that detects and can block malicious traffic in real time. Overall, IPFire is a capable and flexible firewall for businesses of all sizes that need these features without a licence fee; the trade-off is that someone has to own its configuration, updates and rule reviews.
To ensure that the firewall follows best practice, refer to the CIS Benchmarks when setting it up: CIS publishes benchmarks for several firewall products and for the general-purpose operating systems they run on. Where no benchmark exists for your product, apply the same principles: default-deny in both directions, a separate management interface or VLAN, no administration from the internet, and logging of both denied and allowed connections so that the firewall can feed your central log platform.
EDR is still possible
An EDR tool will be one of your strongest defences against threats, because it records and can block what actually happens on endpoints rather than only what crosses the network. Opting for a market-leading EDR backed by extensive threat intelligence and the latest data is the optimal choice. However, if financial constraints prohibit this, an alternative is OpenEDR, which is open source. It still offers many advanced features such as machine learning and behavioural analysis, similar to the offerings of leading EDR vendors like CrowdStrike and SentinelOne. Moreover, Christian Vrescak's SANS research paper attests to OpenEDR's performance in detecting the majority of the adversarial simulations it was subjected to using Atomic Red Team. Whichever product you choose, its value depends on someone reviewing the alerts it raises; an EDR that nobody watches is a log source, not a defence.
Secure Email Gateway
A secure email gateway (SEG) safeguards your organisation from the risks of receiving and opening malicious email. It does this through a combination of checks: content analysis that scores the message text and attachments for spam and phishing indicators, sender authentication (SPF, DKIM and DMARC) that rejects messages forging a domain, reputation filtering that blocks known-bad sending IP addresses via DNS blocklists, and shared fuzzy hashes of messages already flagged as spam by other organisations. One option that is both open source and highly rated is Rspamd, which implements all of the above and combines them into a single score per message. While you are there, publish SPF, DKIM and DMARC records for your own domain so that other organisations can reject mail that impersonates you.
Ingesting Logs and Creating Alerts
Adding several security tools to your network is a significant stride towards a robust security posture. However, when their data sits in separate consoles, spotting a threat means checking each one in turn, and the connection between an endpoint event and a firewall event is easy to miss. A centralised platform for examining that data, a SIEM, solves this. By consolidating logs from a range of sources, including endpoint logs and firewall logs, into one searchable store, a SIEM lets you create alerts that draw on more than one source at once, which is where attackers are most often caught. Commercial SIEMs are frequently priced per gigabyte ingested and become expensive quickly, but the Elastic Stack (Elasticsearch, Kibana and the Beats or Elastic Agent shippers) is free to self-host and offers a viable alternative. A further advantage is that Elastic publishes its detection rules openly on GitHub (the elastic/detection-rules repository), which can be leveraged to establish alerts for the logs you ingest. Plan retention up front: disk is the real cost of a self-hosted SIEM, and you will want enough history (months, not days) to investigate an intrusion that is only discovered late.
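The consolidation and cross-source alerting described above, as an added example that is not part of the original post or of the Elastic project: two sources, Sysmon-style process creation events and key=value firewall lines (both constructed here), are normalised into one schema, and a rule then fires only on the combination of a process started from a user-writable directory and an outbound connection from the same host shortly afterwards, something neither log shows on its own. The inventory mapping hostnames to IP addresses (the asset list from earlier), the internal address ranges, the five-minute window and the ISO 8601 UTC timestamps are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions: RFC 1918 ranges are "internal", workstation names map to IPs through a
# small inventory (constructed), and the shipper has already converted timestamps to UTC.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INVENTORY = {"ws-023": "10.0.5.23", "ws-041": "10.0.7.41"}
WEB_PORTS = {80, 443}
WINDOW = timedelta(minutes=5)
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\users\\public\\")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise_process(ev):
    """Sysmon-style process creation event -> common schema."""
    return {"ts": parse_ts(ev["UtcTime"]), "host": ev["Computer"], "kind": "process",
            "image": ev["Image"]}


def normalise_firewall(line):
    """'<ts> <fw> action=... src=... dst=... dport=... proto=...' -> common schema."""
    ts, fw, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return {"ts": parse_ts(ts), "host": fw, "kind": "connection", "action": f["action"],
            "src": f["src"], "dst": f["dst"], "dport": int(f["dport"])}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events):
    """Alert when a process from a user-writable directory is followed within WINDOW by an
    outbound connection from the same host to an external address on a non-web port."""
    procs = [e for e in events if e["kind"] == "process"
             and any(m in e["image"].lower() for m in USER_WRITABLE)]
    conns = [e for e in events if e["kind"] == "connection"]
    alerts = []
    for p in procs:
        src_ip = INVENTORY.get(p["host"])
        for c in conns:
            if (c["src"] == src_ip and p["ts"] <= c["ts"] <= p["ts"] + WINDOW
                    and is_external(c["dst"]) and c["dport"] not in WEB_PORTS):
                alerts.append({"host": p["host"], "image": p["image"], "dst": c["dst"],
                               "dport": c["dport"], "action": c["action"],
                               "seconds_after": int((c["ts"] - p["ts"]).total_seconds())})
    return alerts


# Constructed sample data (not real logs).
SYSMON_EVENTS = [
    {"UtcTime": "2024-05-02T09:13:50Z", "Computer": "ws-023",
     "Image": r"C:\Users\alice\Downloads\invoice.exe"},
    {"UtcTime": "2024-05-02T09:10:00Z", "Computer": "ws-041",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]
FIREWALL_LINES = [
    "2024-05-02T09:14:07Z fw1 action=allow src=10.0.5.23 dst=203.0.113.10 dport=8443 proto=tcp",
    "2024-05-02T09:14:09Z fw1 action=allow src=10.0.5.23 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-05-02T09:14:12Z fw1 action=allow src=10.0.7.41 dst=203.0.113.10 dport=8443 proto=tcp",
    "2024-05-02T09:14:20Z fw1 action=allow src=10.0.5.23 dst=10.0.1.5 dport=445 proto=tcp",
    "2024-05-02T09:30:00Z fw1 action=deny src=10.0.5.23 dst=198.51.100.7 dport=4444 proto=tcp",
]


def run_sample():
    events = [normalise_process(e) for e in SYSMON_EVENTS] + \
             [normalise_firewall(l) for l in FIREWALL_LINES]
    return correlate(events)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Only the first firewall line produces an alert: the second is ordinary web traffic, the third comes from a host with no suspicious process, the fourth is internal, and the fifth falls outside the window. The same logic expressed as a SIEM rule is what lets you page on a sequence rather than on each noisy event separately.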
Testing your detection capabilities
At this point you will have many of the tools needed to log and detect malicious activity. However, the mere presence of those tools does not guarantee that they work: a rule that has never fired may be mis-written, the log it depends on may not be arriving, or the EDR may simply not see the technique. Conducting tests with actual malware on your network is unwise for obvious reasons. Nevertheless, there are now several Breach and Attack Simulation tools that can safely simulate attacks within your environment, and although these can come at a hefty cost, the open-source Atomic Red Team lets you run small, documented tests mapped to the MITRE ATT&CK framework completely free of charge. Run the tests on a dedicated, monitored test host rather than a production machine, record the time and technique ID of each test, check that the expected alert appeared in your SIEM or EDR, and run each test's cleanup commands afterwards. To effectively utilise this tool, I have created a comprehensive blog post titled "How to Test Your MSSP with Atomic Red Team."
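Checking whether each atomic test produced the alert it should have is easier with a script than by eye. The following Python is an added example, not part of the original post or of the Atomic Red Team project. It joins a constructed execution log (the column names are an assumption, loosely modelled on the CSV that Invoke-AtomicRedTeam writes) to a constructed list of SIEM alerts tagged with ATT&CK technique IDs, counts a test as detected only if a matching alert fired on the same host within two minutes, accepts a parent-technique tag as a match for a sub-technique test, and sets aside tests that did not run cleanly, since a test that failed tells you nothing about your detection.

```python
import csv
import io
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)   # how long after a test we expect its alert (assumption)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def technique_matches(alert_tid, test_tid):
    """T1003.001 is covered by an alert tagged T1003.001 or by its parent T1003 (and vice versa)."""
    return (alert_tid == test_tid or test_tid.startswith(alert_tid + ".")
            or alert_tid.startswith(test_tid + "."))


def coverage(execution_log_csv, alerts):
    """Join each executed atomic test to the alerts that fired for it.
    Returns ({test id: 'detected'|'missed'|'not_executed'}, detected ratio over executed tests)."""
    results = {}
    for row in csv.DictReader(io.StringIO(execution_log_csv)):
        key = f"{row['Technique']}#{row['Test Number']}"
        if row["ExitCode"] != "0":
            results[key] = "not_executed"     # a failed test proves nothing about detection
            continue
        start = parse_ts(row["Execution Time (UTC)"])
        hit = any(a["host"] == row["Hostname"]
                  and technique_matches(a["technique"], row["Technique"])
                  and start <= parse_ts(a["ts"]) <= start + WINDOW
                  for a in alerts)
        results[key] = "detected" if hit else "missed"
    executed = [v for v in results.values() if v != "not_executed"]
    ratio = executed.count("detected") / len(executed) if executed else 0.0
    return results, ratio


# Constructed execution log; the column layout is an assumption, not Invoke-AtomicRedTeam's exact format.
EXECUTION_LOG = """\
Execution Time (UTC),Technique,Test Number,Test Name,Hostname,ExitCode
2024-05-02 10:00:05,T1003.001,1,LSASS memory dump,lab-win01,0
2024-05-02 10:05:12,T1059.001,1,PowerShell download cradle,lab-win01,0
2024-05-02 10:10:33,T1547.001,1,Run key persistence,lab-win01,0
2024-05-02 10:15:00,T1053.005,1,Scheduled task,lab-win01,1
"""

# Constructed alerts as exported from a SIEM, each tagged with an ATT&CK technique ID.
ALERTS = [
    {"ts": "2024-05-02 10:00:09", "host": "lab-win01", "technique": "T1003", "rule": "lsass_access"},
    {"ts": "2024-05-02 10:10:40", "host": "lab-win01", "technique": "T1547.001", "rule": "run_key_persistence"},
    {"ts": "2024-05-02 09:30:00", "host": "lab-win01", "technique": "T1059.001", "rule": "ps_download"},
    {"ts": "2024-05-02 10:05:20", "host": "lab-win02", "technique": "T1059.001", "rule": "ps_download"},
]

if __name__ == "__main__":
    results, ratio = coverage(EXECUTION_LOG, ALERTS)
    for test_id, outcome in results.items():
        print(f"{test_id}: {outcome}")
    print(f"detected {ratio:.0%} of executed tests")
```

The T1059.001 test counts as missed even though two alerts carry that technique ID: one fired before the test ran and the other on a different host, which is exactly the kind of false reassurance an eyeball comparison gives. The scheduled-task test is reported separately as not executed so it neither inflates nor deflates the coverage figure.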
A threat-informed defence
One way to build a threat-informed defence is to use a threat intelligence platform. MISP is a well-regarded open-source tool for this. It lets organisations share threat intelligence, in particular indicators of compromise (IOCs), and its contextual information (events, tags and galaxies that link indicators to actors and techniques) helps you focus on threats that specifically target your sector. MISP can also be integrated with other security tools to automate workflows, such as pushing IOCs into your SIEM and EDR for threat hunting. Two caveats: only act on indicators that the contributing analyst has flagged for detection (MISP's to_ids flag), and expire them over time, because IP addresses and domains are quickly re-used by legitimate parties and stale indicators generate false positives.
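Matching MISP indicators against your own telemetry is the hunting workflow mentioned above; the following Python is an added example, not part of the original post or of the MISP project. It flattens a constructed export whose shape is modelled on MISP's JSON event export (an Event holding Attribute objects with type, value and to_ids; the exact fields are an assumption), keeps only attributes flagged to_ids, handles composite types such as ip-dst|port, and matches the result against constructed connection, DNS and process records, including parent-domain matches and the SHA-256 carried inside Sysmon's Hashes field.

```python
# Constructed export, modelled on the shape of MISP's JSON event export
# (response -> Event -> Attribute with type/value/to_ids); field names are an assumption.
MISP_EXPORT = {
    "response": [
        {"Event": {"info": "Phishing campaign delivering loader", "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
            {"type": "domain", "value": "evil-updates.example", "to_ids": True},
            {"type": "sha256", "value": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08", "to_ids": True},
            {"type": "ip-dst|port", "value": "198.51.100.23|4444", "to_ids": True},
            {"type": "url", "value": "http://evil-updates.example/a", "to_ids": False},
        ]}},
        {"Event": {"info": "Shared infrastructure, not for blocking", "Attribute": [
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False},
        ]}},
    ]
}


def build_index(export):
    """Flatten a MISP-style export into {kind: {value: event info}}, keeping only
    attributes flagged to_ids (the analyst's signal that they are safe to alert on)."""
    idx = {"ip": {}, "domain": {}, "sha256": {}}
    for item in export["response"]:
        ev = item["Event"]
        for attr in ev["Attribute"]:
            if not attr.get("to_ids"):
                continue
            t, v = attr["type"], attr["value"]
            if t in ("ip-dst", "ip-src"):
                idx["ip"][v] = ev["info"]
            elif t in ("ip-dst|port", "ip-src|port"):
                idx["ip"][v.split("|", 1)[0]] = ev["info"]
            elif t in ("domain", "hostname"):
                idx["domain"][v.lower()] = ev["info"]
            elif t == "domain|ip":
                d, ip = v.split("|", 1)
                idx["domain"][d.lower()] = ev["info"]
                idx["ip"][ip] = ev["info"]
            elif t == "sha256":
                idx["sha256"][v.lower()] = ev["info"]
    return idx


def domain_lookup(name, table):
    """Exact or parent-domain match: cdn.evil.example hits an IOC for evil.example."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in table:
            return cand
    return None


def sysmon_sha256(hashes_field):
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; pull out the SHA-256."""
    for part in hashes_field.split(","):
        algo, _, digest = part.partition("=")
        if algo == "SHA256":
            return digest.lower()
    return None


def match(records, idx):
    """Return (record index, ioc kind, ioc value, event info) for each telemetry hit."""
    hits = []
    for i, r in enumerate(records):
        if r["kind"] == "connection" and r["dst"] in idx["ip"]:
            hits.append((i, "ip", r["dst"], idx["ip"][r["dst"]]))
        elif r["kind"] == "dns":
            d = domain_lookup(r["query"], idx["domain"])
            if d:
                hits.append((i, "domain", d, idx["domain"][d]))
        elif r["kind"] == "process":
            h = sysmon_sha256(r["hashes"])
            if h in idx["sha256"]:
                hits.append((i, "sha256", h, idx["sha256"][h]))
    return hits


# Constructed telemetry, already normalised from Sysmon (Event IDs 1, 3, 22) and firewall logs.
RECORDS = [
    {"kind": "connection", "dst": "203.0.113.10"},
    {"kind": "dns", "query": "cdn.evil-updates.example"},
    {"kind": "process", "hashes": "SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,MD5=098f6bcd4621d373cade4e832627b4f6"},
    {"kind": "connection", "dst": "198.51.100.7"},
    {"kind": "connection", "dst": "198.51.100.23"},
    {"kind": "dns", "query": "example.com"},
]


def run_sample():
    return match(RECORDS, build_index(MISP_EXPORT))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

The connection to 198.51.100.7 does not match even though the address appears in the export, because the analyst left its to_ids flag unset; honouring that flag is what keeps shared context from turning into a flood of false positives. In a real deployment the export would come from MISP's REST API and the records from your SIEM, with the same matching in between.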
Security Awareness
A frequently cited figure comes from a report produced by the security vendor Tessian with Stanford University professor Jeff Hancock, entitled "The Psychology of Human Error", which found that approximately 88% of data breaches are caused by an employee mistake. Whatever the exact number, the lesson is that awareness training is a powerful and inexpensive control. There are several ways to deliver it, such as phishing simulation campaigns, which can be created easily on the open-source Gophish platform; keep these non-punitive and measure the reporting rate as well as the click rate, since an employee who reports a phish has given you a detection. Alternatively, build training into employee induction programmes: teach staff how to identify phishing emails, how to report them promptly, and who the designated security analysts are for any further enquiries or concerns.
Conclusion
In summary, this is not an exhaustive list of every step that needs to be taken, but it covers some of the most fundamental measures that any organisation should consider. The main thing to take away from this post is that a lack of budget should not mean ceasing Security Operations. Instead, lean on reputable frameworks such as the CIS Benchmarks and the NIST Cybersecurity Framework, and engage with reliable open-source projects supported by others in the security community. Remember, too, that security is a continuous process: a robust security posture is built through consistent effort over time, not in a one-off project.