By Francesco Pappalardo, CISO
June 30, 2022


In case you believe that your company's cybersecurity posture is a matter of "right tools", allow me to provide clarity.

Let's break it down: you need to understand what your company is trying to achieve (mission, objectives) and what may go wrong in the process (threats). Then, you need to evaluate the potential consequences (threat impact) and how probable they are (threat likelihood). Impact and likelihood jointly determine the risk of each threat. Once evaluated, the risks need to be addressed.

Will you accept them? Will you transfer them to others (for instance, by purchasing insurance)? Or will they be too complex or too expensive to handle, to the point that you decide to postpone or even abandon the business objectives that generate them?

In most cases, decision-makers choose to mitigate the risks. This is where tools *may* come into the picture. Tools are put in place to automate part of the risk mitigation process. It is also essential to monitor when and where those risks materialize, so that you can react to and contain them in time.

When it comes to tools, the selection can be quite challenging. The complexity of the process grows with the complexity of your organization (e.g., number of employees, their roles, number of locations, etc.), while budget restrictions further limit the choices. Therefore, it's necessary to weigh the pros and cons of each solution and make a balanced decision, accounting for its implications.

The decision-making process becomes even tougher when you need to compromise. For instance, an open-source tool doesn't always integrate well into an existing IT architecture, which creates the need to develop an ad-hoc integration or to correlate the information manually. In this case, you will most likely need to rely on the maintainer community for support; otherwise, there is a high probability of running into bugs. There are also several community solutions that offer an enterprise version. You might want to start with the former and, when your budget allows for it, upgrade to the enterprise package.

That said, regardless of the size of your company, there are a few security tools that can be considered the baseline of your cyber threat detection and protection capabilities. Below I have compiled a list of my suggestions, followed by selection tips (e.g., features to benchmark), assuming you are on a budget:

IT Asset Management Software

Even if it sounds more like a COO tool, you may have a hard time configuring your security controls if you're not sure where to apply them. Let's explore the key features of this tool:

  • Workflows or guided tasks for asset creation, update, and decommissioning
  • Asset history
  • Asset assignee
  • Integration with bar code / QR code scanners
  • Configurable asset attributes
  • Integration (native or well documented) with your EDR, DLP, NAC and SIEM solutions

Endpoint Detection and Response (EDR)

Acquiring this one can be a little challenging if you are on a budget; in this case, you may need multiple tools to "simulate" an EDR. You may also opt for a GPL solution, but their effectiveness is questioned by some industry professionals. If you haven’t made up your mind yet, you can start evaluating solutions based on the following capabilities:

  • Anti-malware and behavior detection
  • Agents available for all the operating systems (and version/kernel) in your IT environment
  • Frequent updates
  • Native integration with the major IoC providers
  • Policy segmentation by user role/group (and this is where a full IAM integration comes in handy)
  • USB and removable devices control
  • Network links control
  • Firewall policy
  • Native (or easily achievable) integration with your SIEM solution
  • Centralized console for configuration management and alert reporting
  • Support for incident investigation and response
  • Ability to automatically block or quarantine the threat or the affected endpoint

Data Loss Prevention (DLP)

Whether you are a small or a big company, I'm sure you are very protective of your intellectual capital and the PII you're collecting or processing, even if you don't have a privacy office. Therefore, a DLP solution should be among your priorities. There are several open-source projects out there, but keep in mind that not all of them are free for businesses to use, and very few of them match all the following requirements:

  • Data discovery
  • Agents available for all the operating systems (and version/kernel) in your IT environment
  • Native (or easily achievable) integration with your SIEM solution
  • Keywords, dictionary, and regular expression detection
  • Automated pre-defined data type detection (e.g., personal information, portion of software source code)
  • Predefined policies bound to most common regulations
  • Policies enforced on network, removable devices, and emails
  • Log-only or block
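As an added example (not from the original post), here is a toy DLP content-inspection policy in Python that combines three of the detection methods listed above (regular expressions, a keyword dictionary, and a predefined PII type with a checksum) and applies the "log-only or block" decision; the sample documents, rule names and thresholds are constructed.

```python
import re

# Constructed sample documents leaving the company (not from the original post).
SAMPLES = {
    "quarterly_report.txt": "Contact john.doe@example.com, card 4111 1111 1111 1111, for the Q3 figures.",
    "notes.txt": "Lunch at noon, bring the slides.",
    "snippet.txt": "def rotate_key(self):\n    import os\n    return os.urandom(32)",
}

# Hypothetical policy: two regex rules, one dictionary rule, each with a "log" or "block" action.
POLICY = {
    "pii_email": {"pattern": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "action": "log"},
    "pii_card": {"pattern": re.compile(r"\b(?:\d[ -]?){13,16}\b"), "action": "block"},
    "source_code": {"dictionary": {"def ", "import ", "return ", "#include", "public class"},
                    "min_terms": 2, "action": "block"},
}

def luhn_ok(digits: str) -> bool:
    """Card-number checksum, so arbitrary 16-digit strings do not trigger the card rule."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text: str) -> list:
    """Return (rule, action) pairs for every policy rule the text violates."""
    hits = []
    for name, rule in POLICY.items():
        if "pattern" in rule:
            for m in rule["pattern"].finditer(text):
                if name == "pii_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                    continue         # digit run that fails the checksum: not a card number
                hits.append((name, rule["action"]))
                break
        else:                        # dictionary rule: count distinct indicative terms
            terms = sum(1 for t in rule["dictionary"] if t in text)
            if terms >= rule["min_terms"]:
                hits.append((name, rule["action"]))
    return hits

def decide(hits: list) -> str:
    """Enforcement: any blocking rule wins, otherwise log-only, otherwise allow."""
    actions = {action for _, action in hits}
    return "block" if "block" in actions else "log" if actions else "allow"

if __name__ == "__main__":
    for fname, text in SAMPLES.items():
        print(fname, decide(scan(text)), scan(text))
```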

Network Access Control (NAC)

This is a tricky one, especially if most of your coworkers do not work on-site. Even if you have adopted the hybrid work model, your equipment must have certain features that will give you the necessary visibility into your remote network perimeter. Ideally, this solution should be a combination of both hardware and software capabilities but, considering a limited budget, you can't really count on hardware. Therefore, you should consider deploying an agent-based solution on the corporate equipment upon operating system installation. The same approach will also work for your contractors and third parties. Your NAC solution must be capable of detecting missing operating system security fixes, missing company EDR and DLP software, a missing or unconfigured VPN client (where needed), as well as the presence of specific software or open connections that match the behavior of specific cyberattacks. Once one or more of these conditions are detected, the equipment should be directed to a quarantine zone, where appropriate remediations are proposed, depending on the case. In a nutshell, your NAC solution must have at least the following capabilities:

  • SaaS deployment of management console
  • Agents available for all the operating systems (and version/kernel) in your IT and for all the contractors or third parties you'd like to give access to your environment
  • Role-based policies
  • Remediation options depending on the broken access rule
  • Integration with your IAM solution
  • Native (or easily achievable) integration with your SIEM solution

Security Information and Event Management (SIEM)

There is no point in applying automated security controls if you don't have the ability to monitor the detection of potential violations. You can use each solution's own dashboard, but what if an attack starts with an identity violation, spreads in your environment, and then silently exfiltrates data in small pieces at different moments? This is a fairly common attack chain; if you look at each security tool's dashboard separately, you'll miss the whole picture. You may fix the initial access violation and miss the "salami" data exfiltration, with slices taken from different sources and aggregated remotely, outside of your control. This is where SIEM comes to the rescue. There are several open-source and "community edition" SIEMs that you can consider as a starting point, but make sure that the following features are in place:

  • Use Case (rules combination) creation
  • APIs and syslog for easier log upload
  • Role-based access (admin, viewer, and analyst)
  • Configurable dashboards
  • Automated reporting
  • Raw logs viewer
  • Event export in common formats
  • Pre-defined set of rules for common threats
  • Native integration with most common IoC providers
  • Native integration with your IAM solution
  • Native (or very well documented) integration with your SOAR solution
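The attack chain described above, as an added Python example that is not from the original post: two single-source rules (one over IAM logs, one over web-proxy logs) that each stay unremarkable on their own tool's dashboard are combined into one SIEM use case, which is the "rules combination" the first bullet refers to. The events, field names and thresholds are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalised events from two tools (IAM and web proxy); sample data only.
EVENTS = [
    {"ts": "2022-06-01T08:00:00", "src": "iam", "user": "alice", "type": "login_failed"},
    {"ts": "2022-06-01T08:00:20", "src": "iam", "user": "alice", "type": "login_failed"},
    {"ts": "2022-06-01T08:00:40", "src": "iam", "user": "alice", "type": "login_failed"},
    {"ts": "2022-06-01T08:01:00", "src": "iam", "user": "alice", "type": "login_ok", "geo": "new"},
    {"ts": "2022-06-01T09:10:00", "src": "proxy", "user": "alice", "type": "upload", "bytes": 900_000, "dst": "paste.example"},
    {"ts": "2022-06-01T13:40:00", "src": "proxy", "user": "alice", "type": "upload", "bytes": 850_000, "dst": "drive.example"},
    {"ts": "2022-06-02T10:05:00", "src": "proxy", "user": "alice", "type": "upload", "bytes": 950_000, "dst": "mail.example"},
    {"ts": "2022-06-01T09:00:00", "src": "proxy", "user": "bob", "type": "upload", "bytes": 3_000_000, "dst": "drive.example"},
]

def ts(e):
    return datetime.fromisoformat(e["ts"])

def identity_anomalies(events, fails=3, window=timedelta(minutes=5)):
    """Rule 1 (IAM logs only): >= `fails` failed logins followed within `window` by a
    successful login from a new location. Returns {user: time of that success}."""
    out, failures = {}, defaultdict(list)
    for e in sorted(events, key=ts):
        if e["src"] != "iam":
            continue
        if e["type"] == "login_failed":
            failures[e["user"]].append(ts(e))
        elif e["type"] == "login_ok" and e.get("geo") == "new":
            if len([t for t in failures[e["user"]] if ts(e) - t <= window]) >= fails:
                out[e["user"]] = ts(e)
    return out

def salami_exfil(events, since, per_upload_max=1_000_000, total_min=2_500_000, horizon=timedelta(days=3)):
    """Rule 2 (proxy logs only): uploads after `since`, each *below* the per-transfer alarm
    threshold, whose sum exceeds `total_min` across >= 2 destinations. Returns {user: bytes}."""
    totals, dsts = defaultdict(int), defaultdict(set)
    for e in events:
        if (e["src"] == "proxy" and e["type"] == "upload" and e["bytes"] < per_upload_max
                and since <= ts(e) <= since + horizon):
            totals[e["user"]] += e["bytes"]
            dsts[e["user"]].add(e["dst"])
    return {u: b for u, b in totals.items() if b >= total_min and len(dsts[u]) >= 2}

def correlate(events):
    """SIEM use case: rule 1, then rule 2 for the same user. Bob's single large upload is
    above the per-transfer limit, so it is not salami-style and is left to other controls."""
    alerts = []
    for user, when in identity_anomalies(events).items():
        exfil = salami_exfil(events, since=when)
        if user in exfil:
            alerts.append({"user": user, "since": when.isoformat(), "bytes": exfil[user]})
    return alerts
```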

Security Orchestration, Automation and Response (SOAR)

This is the last piece of the puzzle, dedicated to reacting to an event that has been detected. How do you mark an event as a true positive? Who should you contact, when and how? Each threat should have an assigned management procedure until it's eliminated for good. Let's assume you have defined a workflow for each threat that you are concerned about: will you be able to follow these workflows in full, and to resume a workflow that has been waiting for missing information? Will you be able to execute the workflow accurately even with tens of open incidents? You need to be ready to answer these questions in advance, employing tools that will help you automate incident handling and response. For this purpose, I advise considering the following characteristics:

  • Custom playbook creation
  • Native (or easily achievable) integration with your SIEM solution
  • Integration with most common IoC providers
  • Integration with your "blocking" tools (e.g., EDR, NAC and DLP)

There are also a number of other security controls out there, such as next-generation firewalls, spam and phishing filters, internet proxies, and others. It would take more than one article to discuss all of them in detail. But with the information I have provided above, you will be able to assemble an essential set of tools to efficiently automate the mitigation of the cybersecurity risks that your company is exposed to.
