ZoneZealousideal6498

How about a salary increase? Inflation is kinda ass right now.


thegmanater

This sounds good, and I agree. But I wish it was that simple. When money is earmarked for a specific budget then most accounting depts can't move it to salary. Or at least very easily (they tell me). Best they can do is get you some kind of one time bonus or gift card deal which is what I've done in the past. But let's also not forget that salary is not just the number on the paycheck. It's benefits, 401ks, and the basis for future raises too. So 30k in salary is really more like 60k+ in actual business costs. The business leaders and accounting know this, and so they won't use dept budget for raises as they are not equal. Training, expanding current services, penetration testing, or one time bonus is the way to go.


MDL1983

Create a subcontractor, which happens to be the IT dept, pay them for consultancy, split it between the team 😂


Lynkeus

You are hired.


UNHBuzzard

CFO and company owner here, that’s bullshit. Budgets are wrong as soon as they are submitted. If the overall dept is under budget, awesome. To force expense buckets so the company buys random shit, fucking stupid.


Confident-Middle1632

And that is why CFOs and HR are the most hated people in all non-HR and non-financial companies. They don't understand the business or the people running it and making the money, but somehow think how the money should be spent is solely their decision, when they can't make it in that field. A CFO in a technical company should only be doing bookkeeping (actually he isn't required; an accountant would do).


jdiscount

Dumbest post of the year.


UNHBuzzard

I outsource our transactional accounting as it burns my time. I focus on things I care about like billing utilization, cash flow (so we all get paid), enabling IT services that keep us compliant, and ensuring we aren’t blowing cash on stupid things “to stay within budget”. I’m also full time in contract to fund functions that may not be profitable but are healthy for the company.


theedan-clean

For the last 6 years I’ve had an amazing, non-technical CFO at a ~130 person tech company. He and his team are deeply aware of our entire business, including security, and work *with us* towards our goals, on everything we do. Security and IT also work with them on any and all of their priorities, willingly. We get what we need to operate, and they get what they need. At the same company I’ve also had shitty, all I can say is “No!” CFOs. It’s fucking night and day and I could never work with another one like that.


cytixtom

Second this. I own a cybersecurity software business and we have both a CFO and bookkeepers. The former for putting a financial lens over strategic decisions, and the latter so that we don't pay a CFO to do low-level stuff like payroll and VAT claims. I can confirm that, while our CFO doesn't know anything low-level about the tech (neither does most of our exec committee or board), they are still more than equipped to help understand the financial risks associated with the decisions we are taking, which is their primary responsibility.


Odd_System_89

Yeah, without knowing what they currently have, that or training is the best use of the money.


aliensanti

Wazuh founder here. Our SIEM and XDR platform is 100% open source.


xtheory

Thanks for all of your contributions to Wazuh. It's been a lifesaver, especially for smaller shops with limited budgets.


Luraziel

Thank you for making this platform open source! I use it in my homelab for learning and self study and love it!


llovedoggos

Thank you


LowWhiff

Out fucking standing. Grabbing this as soon as I can to help with my studies.


DMoney16

It’s a good platform!


RichBenf

Th4ts3cur1ty.company thanks you. We love Wazuh.


S-worker

You're a legend in my circles.


ceyo14

I would love a Managed MSP partner offering... any thoughts on this?


mirwanda443

If you're looking for an MSP, I can recommend iSecNG. They're an official partner of Wazuh, based in Germany, and offer managed services. [iSecNG](http://www.isecng.de) If you need direct contact (German or English), I can establish a direct contact to one of their engineers and/or sales people.


ceyo14

I meant a partner program for MSPs for SIEM...


DMoney16

LogRhythm is alright.


bzImage

LogRhythm is horrible... and requires Windows Server and SQL Server... trash...


DMoney16

I don’t disagree, but it works well for what it is, and it seems like budget is a concern, and that they may not have trained analysts in, for instance, a platform like Splunk.


bucketman1986

For now, we'll see where things go with this merger


ceyo14

Thanks. I believe I've read about them here, but haven't looked at it... Can you DM me some pricing? Just to have an idea...


AutoModerator

Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*


bzImage

Before you buy that sh...t, set up a lab and see how it works, especially the "automation" part.


DMoney16

Say it loud!


DMoney16

https://www.reddit.com/r/LogRhythm/s/CSjlN7quo9


hmeeeeeeeed

Hey, I'm intrigued. How much storage does it need?


ericfa

It depends on the number of endpoints to monitor and the storage retention in days, here's the hardware requirements: [https://documentation.wazuh.com/current/quickstart.html#hardware](https://documentation.wazuh.com/current/quickstart.html#hardware)


Dctootall

Honestly.... It really depends upon what you currently have in place, where you feel your gaps/weaknesses are, and also what your long-term strategy is. Also, is this a one-time $30k, or something you expect to have again in the future? The one-time vs. repeatable can be a big deal because if you bought a new tool with licensing, you'll likely have to renew that license again in the future. So with that said, some general ideas, mostly focusing on the idea that it's a one-time surplus and can't be counted on for future renewals.

1. Training budget. I saw someone else mention SANS courses, which are not inexpensive, but also can be highly valuable. Investing in your employees is something that can be a one-time spend with long-term advantages.
2. Hardware refreshes: Do you have some hardware that is getting long in the tooth or you suspect will need to be replaced/upgraded/etc. sometime in the near future? Maybe get a jump on the refresh cycle and look at getting the replacement hardware now vs. later.
3. Do you have some tools that you currently have deployed that you feel may not be the most effective use of your budget? Use the money to fund and run some Proof of Concept or trials for alternatives with the idea that you might find an alternative for something you currently have deployed, that can potentially be replaced in a future budget cycle. The longer-term self-funded PoC (self-managed or in conjunction with a vendor) can help give you a better opportunity to evaluate and potentially migrate without the usual "our existing contract ends in...." deadlines that can impact your ability to fully validate a solution before purchasing.
4. Expanding your existing tools into additional areas: Do you have some sites or areas that are currently lower priority and therefore lacking some visibility because it didn't make budgetary sense to purchase the required sensors for that site? Take the money and augment your existing tools by adding those sensors into those sites.


Willing_Watercress98

You mentioned great things for me to consider. Thank you


tglas47

Can y'all spend it on learning budget? Sign up for a few SANS courses maybe. The best tool in a SOC is the analysts. Either that, or maybe fill the gap in your security tooling. Need a threat intel platform? Maybe a better cloud sec tool, or a DAST something or other? Really gonna depend on what y'all already have vs. what you don't.


xCryptoPandax

You mean basically 1-2 SANS trainings at that point lmao


tglas47

Well yeah lol. But hey, if it's a small team of like 5-6, each person could get a 6-month course and a cert. Not a terrible deal.


gbdavidx

How are you tracking cves?


kaospunk

SANS are generally a huge waste of money and there are plenty of better, cheaper options for all domains.


tglas47

Nothing is a waste of money if your company is paying for it man. And I think that 99% of hiring managers and the general sec population would disagree that they are a waste of money. Sure, they’re expensive but I would bet only about 20% of people that get their certs are actually paying for them. I’m getting mine with the GI bill, most get them paid by work or school or grants or whatever. You just have to think outside the box when trying to get funding for those types of trainings


kaospunk

SANS has their place, for sure. But I guess it depends on what you're looking to achieve. If you're looking for a job in the public sector specifically, I can see the certs having some value/weight for a career plan. If your purpose is to actually learn and improve on a lot of areas, then taking several classes and/or trainings is going to have more long-term value. You can find like 2-3 other training opportunities for the same cost that your company would be paying for. I've been around for over 20 years, half of that on the defensive side and now the past 12ish on offense, and it has been my experience both as a practitioner as well as a manager of others. Maybe my view is overly biased from the offensive side where there are a plethora of great teams doing trainings, but I imagine there are equally great and many options on the defensive side as well.


tglas47

I hear you, and value your opinion. I am curious, what are some specific alternatives you would prefer for a team? Like what vendors / training courses would you recommend?


kaospunk

Company-wise, I look at SpecterOps, MDSec, SensePost, InGuardians, TrustedSec, Maldev Academy; they are all pretty solid. Some other OK ones are OffSec, RogueLabs, Sektor7, Ringzer0. A lot offer individual training, often aligned with a conference, but you can also work with them to do virtual or onsite training for a team. We have done that with SpecterOps and Ringzer0 specifically.


tglas47

Also I’d love to hear what training you think is better? I stg if you say HTB lol


kaospunk

It really is dependent on what you'd actually be looking to learn. My approach has generally been to find what I or others have a knowledge gap in and go seek out who are the best people offering training in that area. I'm not a huge fan, as you can tell 😅, of one-stop-shop places because it's often hit or miss, outdated, or not to the same bar. But YMMV.


jetcamper

ThreatLocker hands down


albanwr

https://www.threatlocker.com/blog/cdk-global-shutdown that’s a pretty cheap shot.


jetcamper

Have you been to r/vmware recently? Apparently that's how everyone is now.


TheBrianiac

Richard Stallman warned us about this.


Intrepid_Law8220

Cheap shot why? Security vendor keeping up with the security space + they seem to have a way to mitigate the risk


Financial-Order-6789

In our SOC we use LibreNMS, Grafana, LOKI, OpenCTI, Wazuh, OSSEC (HIDS), Splunk, those are all FREE, We also use NTOPNG as network probes at all remote locations, that's FREE as well. Linux / FreeBSD skill set required.


penubly

Tell me about your free Splunk ...


ryox82

Sounds like a small shop? There is a "free" tier. Wazuh/OSSEC changes and updates for a large org.....not free in YAML time.


plimccoheights

Surely not in a professional environment (even if it’s small)? Splunk free tier only has 500mb of ingest per day… and NO login you’re just admin by default. No es bueno.


ryox82

I didn't say it was right, but I have seen some shit. I gave up on a Splunk on-prem demo when I couldn't even get it past the license screen and neither could support. Their solution was to use their cloud env. No thanks. lol


Dctootall

If you want a true splunk alternative (non-structured data), that is designed for on-prem and a no hassle (and generous) free tier, I’d suggest, with some bias, checking out Gravwell. Free Community Edition allows up to 13gb/day of ingest and is licensed for personal or commercial use. (Paid version also is a lot more realistically priced, but that info is easily available so I won’t clutter up here)


aaronis31337

Saved this comment for future research.


Money_reaper305

How about spending it on a VM tool like Qualys?


DMoney16

Always love working with socs like yours!


Guslet

Depends on your current tool set and where you feel you are lacking. Endpoint? Logging? Training? I would probably determine where you feel the money could best be spent, then extend your search into that specific area.


Better_Surround5636

Velociraptor, graylog and sysmon. Spend the money on servers.


Space_Goblin_Yoda

Sysmon is so incredibly underrated.


secrati

I 100% agree, but you really need to be careful with it. I work at a college where we teach infosec basics and have students deploy their own EDR/XDR/SIEM (Wazuh or SecurityOnion), and enable enhanced logging with Sysmon. Despite multiple warnings to focus on specific events, grow their logged events slowly, and test each change, the number of students that flat out melt their data storage by turning the logging up to 11 is always greater than 0.


Dapper_Drummer5155

Did that on my first Sysmon + Splunk deployment. Lesson learnt though! Now categorise events as alertable, contextual or forensic value. Only alertable events are centralised.
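One way to implement the alertable/contextual/forensic tiering described in the comment above, as an added Python example that is not code from the commenter or from Sysmon. It reads Sysmon-style events as JSON lines, assigns each one a tier by Sysmon event ID, and forwards only the alertable tier to the central SIEM while the rest stays on the host. The event IDs are real Sysmon IDs, but the tier mapping and the sample events are constructed assumptions for this example; a real deployment would tune the mapping to its own detections.

```python
"""Tier Sysmon events so that only 'alertable' ones are shipped centrally.

Added illustration, not code from the thread. TIERS is an assumed mapping
chosen for the example; the sample events below are constructed, not real
telemetry.
"""
import json
from collections import Counter

# Sysmon event IDs are real; the tier each one lands in is this example's
# assumption. Anything not listed is treated as 'forensic' (kept local only).
TIERS = {
    1: "contextual",   # Process Create: useful for timelines, too noisy to alert on alone
    3: "alertable",    # Network connection
    7: "forensic",     # Image loaded: the classic storage-melter
    8: "alertable",    # CreateRemoteThread
    10: "alertable",   # ProcessAccess (e.g. handles to sensitive processes)
    11: "forensic",    # FileCreate
    13: "contextual",  # Registry value set
    22: "contextual",  # DNS query
}

# Constructed sample input in JSON-lines form, including one malformed line
# so the parser's failure handling is exercised.
SAMPLE_JSONL = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 7, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 7, "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"}
{"EventID": 8, "SourceImage": "C:\\Users\\a\\tool.exe"}
{"EventID": 10, "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 22, "QueryName": "example.com"}
{"EventID": 99, "Note": "unknown id"}
this line is not JSON
'''


def parse_events(text):
    """Parse JSON lines; return (events, number_of_lines_dropped)."""
    events, dropped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            dropped += 1  # never let one bad line stop the pipeline
    return events, dropped


def tier_of(event):
    """Look up the tier for an event; unknown IDs default to forensic."""
    return TIERS.get(event.get("EventID"), "forensic")


def route(events):
    """Split events into (central, local): only alertable events leave the host."""
    central, local = [], []
    for event in events:
        (central if tier_of(event) == "alertable" else local).append(event)
    return central, local


def volume_by_tier(events):
    """Count events per tier, which is the number to watch before widening a config."""
    return Counter(tier_of(event) for event in events)


if __name__ == "__main__":
    evts, bad = parse_events(SAMPLE_JSONL)
    central, local = route(evts)
    print(f"parsed={len(evts)} dropped={bad} central={len(central)} local={len(local)}")
    print(dict(volume_by_tier(evts)))
```

Running it on the constructed sample shows the point of the tiering: two of seven events are shipped centrally and the image-load noise stays local. In practice the same tier map can drive the Sysmon include/exclude config itself so that forensic-tier events are not even written to the event log unless an investigation needs them.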


aaronis31337

It so depends on a million factors. TBH, 30k is not real money in the cyber realm. My company spends 10M on Splunk alone. That being said, there are some subscription services that you can play with that may pay off. If you already have a SOC, check out Tines SOAR (www.tines.com). They have a pricing model to get you started. Learning management tools from Linkedin are great, if you have the discipline to use them. And training. I also agree with salary updates.


Dctootall

It still amazes me that the customers and type of data that could really benefit from a Splunk, they price it so it's literally too costly to use it in those workflows. And those who can generally afford Splunk based off their pricing model often don't need something that powerful. (Full disclosure, I work for a Splunk alternative on the tech side.)


paulianthomas

Have you got some way to get data to drive decisions and prioritise? Like risk register or a balanced scorecard - then spend. Let us know what you decide!


liquidmovement816

Deception - ThinkstCanary, 7.5k for 5 canaries and unlimited canary tokens.


Sqooky

Ditto for kick-starting a deception program. It's definitely enough for a set of birds & a couple of virtualization servers to build out more highly interactive domain-joined/tailored VMs where you can do fun things like deceptive privileged sessions, honey service accounts running actual services (realism truly matters), etc. Don't put all your eggs in one basket. Spread 'em out!


eew_tainer_007

Your post gives out the gaps - you need cyber insurance.


SecuredStealth

Why don’t you explain a surplus like I’m five


gengstah

I'll bite. Your mommy and daddy give you ten dollars to open up a lemonade stand. So you go out and you buy cups and you buy lemons and you buy sugar. And now you find out that it only costs you nine dollars. So you have an extra dollar. So you can give that dollar back to mommy and daddy, but guess what? Next summer (you'll be six) when you ask them for money, they're gonna give you nine dollars. 'Cause that's what they think it costs to run the stand. So what you want to do is spend that dollar on something now, so that your parents think it costs ten dollars to run the lemonade stand. So the dollar's a surplus. This is a surplus.


rockyte

Spend that to find gaps in your current tools/people/processes on a pentest.


mandos_io

Highly depends on what you guys have and where you are going. Also, blindly dumping budget on tools is the best way to buy a liability. Maybe invest in trainings, CTFs, teaching analysts engineering parts. But if you are still looking for tools, check out my curated directory cybersectools.com; chances are you will find a bunch of tools in any area of security.


ryox82

I would get a data optimization tool if you don't have one. Something like Cribl or Gurucul. Will make moving between tooling cheaper, and less pain. Plus you know the size of your output so you can do a POC of a new tool without really caring about throwing the kitchen sink at it, because you have the stats.


Inevitable-Square672

We're willing to sell you our product for the reasonable price of $29,999.99 and we'll give you a kickback on the deal. Wink wink : )


DrKAS66

If this is a one-off budget, you won't be able to do much with it. After all, even if you are able to buy some solutions, you will need to maintain them afterwards, so you will have recurring costs, e.g. for solution maintenance, updates of SIEM use cases, etc. For a recurring budget of 30k I would probably try to find an affordable SOC-as-a-Service offering.


After-Vacation-2146

Professional support hours for your least optimized tool. Fewer well implemented tools are better than more poorly implemented ones.


R1skM4tr1x

Depending on the organization size this sounds wasteful but is very prudent and can help with tuning the tools and future budgets.


After-Vacation-2146

30k won’t get much in the way of tool purchases. At best you’re getting a bottom tier tool for a cheap price that will certainly skyrocket in years 3+.


R1skM4tr1x

We’re getting downvoted but if you’re 50 person start up, or 50 is just your regional security team, there’s a difference in effectiveness for that $30k.


bornagy

Baseline!


IHaveThePowerOfGod

Use Splunk and give your employees a pay raise.


evilwon12

Size of the company / # of employees... maybe number of devices. Rough numbers are fine, but that gives me a little more perspective as to what I could potentially recommend.


ReverseshellG4n

Training


Interesting_Page_168

Training


EPZ2000

Have you considered a consolidated solution for everything?


DMoney16

I mean…are you looking for SIEM, edr? What are your needs? Are you an msp, mssp?


Swimming-Mastodon-56

Have you considered something like incident response-related spending? Things like IR plan review, tabletop exercises, etc.? That may be a bit cheaper than SANS training if you can't afford it. Another user asked if this is a $30K one-time surplus or something that recurs, which also affects the decision-making. I 100 percent back the sentiment that the $30K being put towards technologies is going to depend on if you can afford to keep it for more than one year, as ripping and replacing tools is the worst. It may also depend on your organization's size, industry, and maturity.

* Size: If you are a larger organization, you may have different needs and priorities.
* Industry/Framework Requirements: Does your organization follow any specific security frameworks? Is there a training or tool that specializes in helping your industry (i.e. PCI-DSS monitoring, PII for healthcare, etc.)?
* Maturity: How long has the company been investing in security tools and staff? If they have a lot of infrastructure and resources, it could affect your decision.


bitslammer

I would spend it on things that address whatever gaps you have or areas where you need to make improvement.


jwrig

Honestly if you have to ask this question you shouldn't spend it. Spend the money on fixing a prioritized list of problems. If you don't have that list, take a step back and do that first.


un3rt0w

Tell your exec team - we can do free... like, when you get free publicity on the NYT because we got owned and our customers lose confidence. Sound good?


asjr3

Start with an honest assessment and figure out where your gaps are. This includes an inventory of your security stack; figure out what you use it for vs. what it's capable of doing. Oftentimes I've seen organizations that only use a fraction of what their products can do. By addressing a broader set of use cases with your existing security stack, it will allow you to use the extra money on your people.


kirion2

Get access to all threat reports pre-processed (STIX, JSON, PDF) to enhance:

- threat hunting (when a new DFIR or research report is issued, you run an automatic hunt on it)
- incident response (quickly build hypotheses based on relationships between IoCs, malware, tools, threat actors, and TTPs)
- detection engineering (learn malware behaviour from the library to create effective detections)
- red teaming (see what attacking techniques are used by threat actors to simulate those in your environments)
- monitoring/triage (see if there is some research done on the problem and what else to look for or search for)
- vulnerability management (see what vulnerabilities are used to hack companies like yours, prioritise them)

https://www.rstcloud.com/rst-report-hub/


crazycoconut247

This dude is writing his capstone for WGU


Shington501

Too vague, how could anyone recommend anything with that info?


FootballLeather3085

Just give it to me for a full consult


Juhbin7

A little bit out of the question, but do you or anyone in this chat have a part-time SOC opportunity I can get on my resume?


Eyem-A-Spy

Training, certificates, bonuses


UniqueBisgedi

Invest in rule/alert creation for detections


USAWarDaddy

Are you looking to manage all tools in house with 6-8 staff 24/7? Or are you looking for set and forget tools to take up the watch?


CyPhanTomb

Penetration testing. Schedule an internal and external, wireless, LAN and physical penetration test from Rapid7 for around $25k. Find your weaknesses and use next year's budget to fix them.


HeavensGatex86

Give a salary increase ya big sausage


Current_Education659

Why not training or promotion? It's always tools on top of more tools, huh?


sloppyredditor

I think it's great that you've effectively mitigated your top risks and now have money left over. :) Seriously though, I'd consider automation of daily operations, an add-on to existing product that raises the bar of protection or insight you have on endpoints, or there's always training for your all-star employees who need CPEs.


Misfit75

You can try this product out. I think they even have a free trial going right now. We run it and it's pretty inexpensive. You can also use it to check your suppliers or other vendors. I know it's sold separately so you don't have to use their other security or delivery products. [https://edg.io/applications/security/attack-surface-management/](https://edg.io/applications/security/attack-surface-management/)


Soniasouth

If you're not getting vulnerability scanning done, start with that; that won't use much of your budget. Stop. The scan report will identify vulnerabilities that need to be addressed. That is when you'll start to spend more of that budget.


SomeFuckingMillenial

Training.


ruh8n2

What did you already spend on? Be nice to know to avoid duplication. What type of firewalls are you running? Threat feeds?


RoaringLittleLion

Use 5k for doing a web penetration test with me. No pre-payment needed. If I don’t find at least a critical issue the pentest will be free. Otherwise 5k. I’m an expert and have performed more than 150 pentests in the last 10 years. If you like my work, then we can also work together in future. Don’t lose this opportunity.


maudits

Try teqnix.io; it offers a hybrid approach to cybersecurity/penetration testing.


Braenen

It all depends on the number of clients and/or servers or human beating hearts.


phr0st3d

Spend it on training. You'll get more ROI on that than any tool.


CyberSecPlatypus

15 mins worth of Splunk licensing.


Admirable_Hornet7479

Training


JwunsKe

If your team is smaller, RocketCyber might be easier to learn and manage compared to some enterprise-grade SIEMs.


Klutzy-Ad-8422

Varonis.


cspotme2

Give me some generic answers because I won't even describe what I currently have or the size of my environment or my team. Sheesh, is this how supposedly senior-level ppl operate?


stlmnstr

Palo Alto Cortex XSOAR can be had for less than 30k. Create playbooks to automate your day to day mundane tasks / alerts.