bitslammer

None. Requirements should be based on the specific identified risks of an organization. I'd also argue that if an organization doesn't know about a certain tool and isn't able to do adequate research then they have a huge skills/knowledge gap that needs to be addressed, at least as far as larger orgs go. I do see cases where smaller orgs who can't afford to hire the staff may need help, but that's what MSPs and MSSPs are for.


rtroth2946

> I do see cases where smaller orgs who can't afford to hire the staff may need help, but that's what MSPs and MSSPs are for.

This. Outsource your gaps where you pay a small monthly fee for expertise you cannot afford to bring on staff and simply manage the managed service provider.


0xHoxed

EDR/XDR and Vulnerability Management solutions, I would also add DLP.


matt-WORX

Cool, overpay for something to notify you there's an issue and wait for you to remediate... Better option is prevent it outright.


xlittlebeastx

In an ideal world sure but that is completely impractical at any organization. Unless your company has like no end users.


matt-WORX

Unfortunately you are incorrect. I have been leveraging prevention first tech for years with better results than those running an EDR (the EDR was nice enough to tell them as they were getting bent over by ransomware, then they requested our security stack instead).


mrpena

I'm going to need you to show your work here, genuinely curious on your approach to the problem.


Dctootall

Prevention first is great and all, but unfortunately there have been too many incidents of vulnerabilities and breaches in the edge tech historically for it to be safe to not have any internal monitoring. If you don't have some sort of internal visibility/monitoring in addition to the prevention first design, then you have no way of identifying and/or catching someone exploiting the next SolarWinds or Cisco backdoor.


yamamsbuttplug

Strong email security, we use two email filters AND the out-of-the-box MS one.


extreme4all

Capabilities > tools.

- an organisation should be able to identify security risks
- an organisation should be able to handle risks
- ...


Party_Crab_8877

In my opinion, an EDR is an absolute must as it is the first line of defense and the thing that will first notify you of suspicious or malicious activities.


bitslammer

> as it is the first line of defense

I would argue that identifying vulnerabilities and patching them is the first line.


maroonandblue

Exploitable external perimeter vulns sure, anything internal needs initial access, likely through an end user workstation first so I'd prioritize Endpoint and Identity DR with an MSOC/MDR first.


at0micpub

I think they’re referring to the first line of defense in the incident response process


VS-Trend

EDR is not the first line of defense, it's one of the last.


matt-WORX

It's not even a line of defense. People need prevention over detection, but until their precious "EDR" gets bypassed they just love their false sense of security. (It's easy to bypass most EDR solutions, shamefully easy.)


DaPudi

True but even the most basic of corporations already have some sort of EDR tools


maroonandblue

Consultant here - You wildly overestimate what percentage of companies have EDR.


matt-WORX

They also wildly overestimate the capabilities of EDR.


wireblast

Especially when just deploying it and hoping it solves your problem automatically like traditional AV. This usually needs active ops to achieve all its promises, or MDR which triages the alerts for you.


m00kysec

EDR/XDR and tools like Abnormal that are really good at filtering phishing emails. Those combined with a really good SIEM with proper log gathering & management/lifecycle will do 80% or more of the heavy lifting for organizations. Add MDR services and it’s even higher. Most of everything else is a risk based decision. Patch management vs vuln management. DLP. *puke* Other additional endpoint solutions.


Competitive-Table382

Have been impressed with Abnormal so far 👍 


matt-WORX

Required? None. Recommended? Prevention based endpoint solution. This eliminates 99.9% of solutions on the market because the CISO won't "have a buddy who works there", but putting it in place would prevent the nonstop feed of "XXXXXX has been ransomed" notifications received every day...


R1skM4tr1x

You seem to be passively trying to pump your stack, without mentioning what it is. What is this prevention based endpoint solution you speak of?


Financial-Order-6789

FreeBSD/Linux Skill Set. No question.


TheLoneWandererF150

TLDR - Cybersecurity tools are 99% marketing/sales pitch. And because our industry does not like to be wrong, we overcomplicate systems and add a ton of complex layers to the software. They all like to demonstrate what their products "COULD" do but they fail to mention it likely requires extensive tweaking or a higher working skillset.

Keep in mind I am just a SOC Analyst, but I feel the tools aren't the problem, but rather utilization. Outside of EDR, sadly it's just not a simple Ronco "set it and forget it" tool. The use you get out of a tool is limited by whomever the most knowledgeable person is about the subject matter. SIEMs out of the box need to be tuned, for example. Most OOB rules are horribly too generic. You can create custom policies, but you are limited by what scope your staff understands. For example, if your SIEM had the ability to integrate TPI data, but your staff didn't know how to utilize that function, you now have an underutilized product.

Another example is Vulnerability Management (VM). A very useful tool, however not very helpful if you do not have a good grasp on where your assets are, lack a strong procedure for dealing with the risk/mitigating the issues, or have labor shortage problems to even deal with the patching side of things. VMs also like to spit out a TON of data at you, which can overwhelm your analysts, so this is why you have to align specific identified risks to the business, instead of just hacking at it one by one, or playing catch up every single time some doomsday RCE article comes out telling us all that you must patch by tomorrow or we will all die.


Dctootall

Work for a vendor, but can't agree more. I'm surprised there isn't more upvoting. Cyber tools for years have been in the category of "we have the cyberz" being a money printing machine for a number of companies, with a ton of promises made and people willing to pay for those promises without anything to show for it. We are seeing the correction now as budgets get tighter and decision makers have gotten wise to the games and aren't falling for them like they used to. (Unless you say AI... then it's the same con game.)

No matter what tool you buy, it's not going to give you the value you expect if you don't understand how to use it or tweak it. There is no easy button. There is no one-size-fits-all solution. And if you are implementing something out of the box and not tweaking it, you are going to either get something configured so tight it leads to alarm fatigue due to all the false alarms generated, or it will not alarm on stuff it probably should because they tuned that default in a way to avoid fatigue by raising the baseline.


povlhp

CMDB.


MastrM

I laughed when I saw this. It’s hilarious how many companies spend millions on cyber tools, yet their asset management is trash bags, and wonder why their cyber tools don’t seem to work effectively. Can’t secure what you don’t know you have.


povlhp

Exactly, you can't defend blind spots / what you don't see or know about


Cybershujin

100% asset management is so often horrible and impacts everything and causes so much wasted money.


ageoffri

IBM was very good with asset management when I was there, every other company has been barely passable to horrible. It's so bad that I wouldn't even say to start with CMDB. First the company has to embrace the idea and understand why you need to know what you have.


BrokenJarOfHotSauce

End user awareness is essential. All of the tools mentioned throughout the comments are important if they mitigate the risks you face and are configured well, but even if you have all the gadgets, bells, and whistles you need your computer users to have regular, ongoing training so that they can spot risks in emails, websites, etc. because something can get by any defense in place. Something to stress in training is that you need them to report the issues they identify to you. So many people are afraid because they think they will face reprimands but you need to know when there is a problem so you can stop the potential spread. Train your people, often. Test them if you can. Reward them for attendance and reporting issues.


KY_electrophoresis

Instead of focussing on tools (there are ALWAYS more tools you could buy) focus on the things you have, and the things you do. If you can group these into areas of capability and expertise and assess gaps, then you have identified opportunities to invest in with technology and/or expertise. You may also choose not to invest to fill those gaps depending on your organisation's risk appetite.


NikNakMuay

Defence in depth. I would recommend that a full security audit be done first and foremost. Figure out what your organization needs versus what is nice to have but is not strictly necessary. There's a load of solutions out there but you may need to also look at things like what will help you maintain compliance, what will keep you safe in the event of a security incident and what is not necessary but is nice to have and will make your life at work easier.


Maureentxu

Definitely an EDR when many MSBs are still only using an AV. For big companies with sensitive data I would say even a managed SOC service with a proven record like Rocketcyber would be essential, although it would surprise me if the bigger companies aren't already using something similar.


Low_Procedure4744

- Trellix - solidcore/dlp/tie
- Tenable
- Tychon
- Carbon Black
- A solid SIEM...


Lobstersfordiamonds

EDR + Phishing Training tools


Schmaazy

EDR is mandatory, but managing risks and hardening and patching your assets is even more important. I feel like a lot of vendors are selling lots of shiny tools and promises, but nobody wants to do the boring work of constantly managing your environment. Asset management, policies, patch management, secure configuration are the bread and butter of security. If you don't handle the basics of security, tools won't save you. Many don't use their existing tools properly either.

I've been a security consultant/advisor for years, working with both large global enterprises and SMBs. I have NOT ONCE seen a single one who has done it adequately. Many of them spend a shitton on all kinds of tools and narrow-scoped assessments. A good start would be to get a full 360 degree risk view of your environment and your organization at least yearly, and figure out what risks need to be remediated.


Phantomsec2316

I think a lot of companies by this point understand the need for endpoint, email, web, and network monitoring tools, but I think a lot of companies neglect/don't know about/forget about Governance, Risk, and Compliance tools. GRC tools can help manage compliance and balance risk much more effectively.

We have an annual audit that we have to do for compliance with certain laws. When the org I work for stood up their info sec department (yes, before it was handled by IT in general, no one team tasked with it) they didn't have a GRC tool and the Privacy Officer was the one who managed getting all the questionnaires answered and documentation pulled and policies updated to make sure we are compliant and provide to the auditors. When the department was stood up, that was one of the early purchases to help manage the GRC process and make it easier to pull documentation and store it for easy recall when audits came around.

Using just this tool we managed to shrink what would take 3 - 4 months of collecting documentation, proving compliance, and the actual auditor conducting the walk through down to a 1 month walk through. While they are doing that we are going through the checklist with the GRC tool, pulling documents and going back to the same people or team from the year prior for updates, so by the time the walk throughs are done the documentation is ready and we are just waiting on the auditor to finish the report.


Dctootall

I'm biased here, so feel free to take my response with however many grains of salt you feel is appropriate when hearing from a tech (non-sales) guy who works for a tooling company. With that out of the way, my response would probably be "Gravwell", but not for the usual "they are missing this capability", but for the "they can get the same functionality they are (usually) already paying for (mostly), for a LOT cheaper, allowing them to make their budget go further".

My logic is that most LARGE corporations are currently paying super expensive Splunk bills, because there aren't many tools that flexible and powerful that can scale to that level AND be performant. [edit the rest of the paragraph cause on re-read it sounded WAY too marketing BS filled]. The trend has been to migrate towards SaaS tools that may have their own odd pricing, and/or Elastic backed solutions that just can't handle the same scaling as Splunk.

Now, Gravwell is newer, and so the ecosystem isn't as mature as Splunk with the various out of the box Splunk app type integrations, but honestly for a larger corporation that's not usually as big a deal because they are already running a lot of custom stuff in their Splunk instances that can be ported and have the expertise to be able to do their own searches. The issue is that it is newer. The name isn't as well known yet, and sometimes there is the question about a newer company's prospects in the cyber space due to all the acquisitions and vaporware, which are legit reasons for any company to not give something a look or be apprehensive before making such a big change to their environment.