Just got 10k, what to do?
So I have a very unique task at hand for my company.
We have received some funding for security, and I am looking for advice on the best way a company could spend 5 to 10 thousand dollars.
Literally, we have a budget limit of 10k and no instructions.
So my question is this: if a company had 5-10k strictly for security, what would you recommend they invest it in?
It has to be something that is very transparent to C-levels, which makes it a little more interesting….
Looking for ideas…
Comments
-
broli720 Member Posts: 394
Some kind of risk registry for projects and/or contracts for you guys to glean metrics from. Probably more than 10k, but you'll have a good starting point. I'm not exactly sure what your company does, but something like attack tree analysis might be a good place to start.
-
N2IT Inactive Imported Users Posts: 7,483
Tablets, the executives will love you.
In all seriousness, a risk management system.
We just implemented a product by RSA and our senior leadership is absolutely going nuts over it. They ask 20 questions a day; they love it.
I work for a Fortune 20 company, just to give you some insight.
-
networker050184 Mod Posts: 11,962
Hard to say without knowing anything about the current environment. Seeing as how they have a budget without an end goal in sight, it's probably safe to assume they haven't been too security conscious in the past. Might be worth getting a professional assessment done to see what the next amount of money should actually be spent on. A good security assessment might cost more than $10k though, depending on the size of the network etc.
An expert is a man who has made all the mistakes which can be made.
-
N2IT Inactive Imported Users Posts: 7,483
Networker, very smooth and wise post.
Leverage the 10 grand to build a security road map for the next 5 years or so. That could get you some additional funding and get you noticed.
-
ninjaturtle Member Posts: 245
Always nice to get a budget to spend on some new toys; the problem is getting that budget before you've presented a design or end goal. Especially with security, as almost all security devices require licensing and/or subscriptions to keep them up to date.
The question comes down to how many users? This will determine the amount of juice you'll need on the device, such as a firewall. The second question would be, what do you currently have in place? You might be able to build off that and invest the $10k as an upgrade to better secure the network. Just a couple of questions I'd want to know for starters.
All in all, glad you got some money to spend. It's just a little tricky, but certainly still doable.
Cheers,
Current Study Discipline: CCIE Data Center
Cisco SEAL, Cisco SWAT, Cisco DeltaForce, Cisco FBI, Cisco DoD, Cisco Army Rangers, Cisco SOCOM .ιlι..ιlι.
-
Cyberscum Member Posts: 795
Well, this is actually going to be for one of our sister sites. The site actually works with DoD, so they have a decent baseline of security.
The BIG issue I see is that the C-levels in this instance are very much into devices. They love to be able to put a device in and get some kind of results from it. I know it sounds ridiculous but it is what it is. This is basically going to amount to a dog and pony show.
I have been looking into devices from FireEye; seems like they have some "shiny lights" kind of devices these guys like.
...As far as users, they are in the 100-150 range.
-
philz1982 Member Posts: 978
Do your own assessment using NIST/ISO. Not only will it help solidify RA skills, but it will also tell you where to spend your 10k.
Read my blog @ www.buildingautomationmonthly.com
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
-
kriscamaro68 Member Posts: 1,186
You should spend it to get OSCP and a GIAC cert/training. Then let them know how crappy their security is after you've learned how to defeat it.
-
Cyberscum Member Posts: 795
Some kind of risk registry for projects and/or contracts for you guys to glean metrics from. Probably more than 10k, but you'll have a good starting point. I'm not exactly sure what your company does, but something like attack tree analysis might be a good place to start.
Great idea, but a budget buster for sure. Isn't there something called McAfee Orchestrator that does this for cheap?
-
Cyberscum Member Posts: 795
Tablets, the executives will love you.
In all seriousness, a risk management system.
We just implemented a product by RSA and our senior leadership is absolutely going nuts over it. They ask 20 questions a day; they love it.
I work for a Fortune 20 company, just to give you some insight.
What product did you use from RSA?
-
Cyberscum Member Posts: 795
@Networker
There is a local company called Caanes that does them, but they are definitely over the price limit of 10k.
@Philz
We have already done a few on them and they have refused firewall upgrades and switch security. They have also opted out of patch updates because they conflict with their users' ease of use. Believe me, they like pretty devices from reputable companies that show them cool stuff ha ha
-
philz1982 Member Posts: 978
Well then, have your team pick up some monitoring certs, upgrade your SIEM, and deploy sensors so you can detect the attack while and after it happened.
Use the rest of the money to develop a training and awareness program to work on the social engineering, which is the source of 50% of attacks.
Read my blog @ www.buildingautomationmonthly.com
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
-
H3||scr3am Member Posts: 564
I was going to mention a user training program for physical security and phishing/emails and phone communications.
And if there is anything left over, update the endpoint A/V licensing; nothing better than an icon in everyone's system tray telling them they're safe.
OR
Get Websense and block all of the non-work-related sites your C-levels visit... they'll know it's working then.
-
wes allen Member Posts: 540
If you don't already have IDS/flow monitoring, then buy new or retask/upgrade some older servers and build an open source IDS system. Suricata with ET Pro rules and SiLK for the sensors, and maybe ELK for the manager, or the free version of Splunk, though you might have to tune the alerts down a bit. Or, FlowBAT is a kind of cool flow monitoring solution that works with SiLK.
If you want to stay with paid software, buy a couple of copies of Nessus PVS and install on decent hardware at choke points.
If you already have an IDS/flow monitoring setup, then extend it with something like Bro.
PS, all of these can create all kinds of reports, metrics and graphs for your C-level people, along with generating tons of operational data as well as security alerts.
-
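The post above suggests a Suricata sensor and notes that its alerts need tuning down and can feed C-level reports. The script below is an added example for this thread, not code from any poster or from the Suricata project. It assumes Suricata's default eve.json output (one JSON object per line, alerts tagged with event_type "alert" and carrying an "alert" sub-object with signature_id, signature, category and severity, where 1 is the highest). The log lines inside it are constructed for the example, with made-up signature IDs and names rather than real Emerging Threats rules or captured traffic.

```python
"""Turn Suricata EVE JSON alerts into the kind of summary a C-level wants.

Added example for this thread, not from any poster. It assumes Suricata's
default eve.json format described in the lead-in. The sample lines below
are constructed: the signature IDs (9000001, 9000002) and names are made
up for illustration, not real ET rules or real traffic.
"""
import json
from collections import Counter

# Constructed sample eve.json lines. A non-alert flow record and a broken
# line are included so the parser has something realistic to skip.
SAMPLE_EVE = """\
{"timestamp":"2016-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.5.23","dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE POLICY scripted HTTP client outbound","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2016-03-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.5.23","dest_ip":"10.0.0.1","proto":"UDP"}
{"timestamp":"2016-03-01T10:01:10.000000+0000","event_type":"alert","src_ip":"10.0.5.23","dest_ip":"203.0.113.9","dest_port":4444,"proto":"TCP","alert":{"signature_id":9000002,"signature":"EXAMPLE TROJAN reverse shell beacon","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2016-03-01T10:02:30.000000+0000","event_type":"alert","src_ip":"10.0.7.4","dest_ip":"203.0.113.9","dest_port":4444,"proto":"TCP","alert":{"signature_id":9000002,"signature":"EXAMPLE TROJAN reverse shell beacon","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2016-03-01T10:03:00.000000+0000","event_type":"alert","src_ip":"10.0.5.23","dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE POLICY scripted HTTP client outbound","category":"Potentially Bad Traffic","severity":2}}
not json at all, e.g. a line truncated at log rotation
"""


def parse_alerts(text):
    """Return the alert events from EVE JSON text, skipping other event
    types and lines that do not parse (truncated writes, rotation garbage)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def collapse(alerts):
    """Tune the noise down: count hits per (signature, source, destination)
    so a chatty rule firing on one host pair shows as one line, not many."""
    return Counter(
        (ev["alert"]["signature_id"], ev["src_ip"], ev["dest_ip"]) for ev in alerts
    )


def summarise(alerts):
    """Aggregate alerts by signature and by internal source, and pull out
    the severity-1 hits that deserve a human look the same day."""
    by_signature = Counter()
    by_source = Counter()
    high = []
    for ev in alerts:
        sig = ev["alert"]
        by_signature[(sig["signature_id"], sig["signature"])] += 1
        by_source[ev["src_ip"]] += 1
        if sig.get("severity") == 1:
            high.append(ev)
    return {
        "total": len(alerts),
        "by_signature": by_signature,
        "by_source": by_source,
        "high_severity": high,
    }


def report(summary, collapsed):
    """Render a plain-text summary: headline counts first, then the top
    signatures and the hosts producing them (what a dashboard would chart)."""
    lines = [
        f"{summary['total']} alerts from {len(summary['by_source'])} internal hosts, "
        f"{len(collapsed)} distinct signature/source/destination combinations",
        f"{len(summary['high_severity'])} high-severity (severity 1) alerts",
        "Top signatures:",
    ]
    for (sid, name), n in summary["by_signature"].most_common(5):
        lines.append(f"  {n:4d}  sid {sid}  {name}")
    lines.append("Top alerting sources:")
    for ip, n in summary["by_source"].most_common(5):
        lines.append(f"  {n:4d}  {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_EVE)
    print(report(summarise(found), collapse(found)))
```

To run it against a real sensor, replace SAMPLE_EVE with the contents of Suricata's eve.json (or a day's slice of it). The collapse() step is the cheap version of the tuning the post mentions: the same rule hitting the same host pair fifty times is one finding to a manager, and the per-source counts show which internal machines to look at first.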
PJ_Sneakers Member Posts: 884
You could spend some of it on the SANS Institute Securing the Human, depending on how many users you have. That would be easy.
-
colemic Member Posts: 1,569
@Networker
There is a local company called Caanes that does them, but they are definitely over the price limit of 10k.
@Philz
We have already done a few on them and they have refused firewall upgrades and switch security. They have also opted out of patch updates because they conflict with their users' ease of use. Believe me, they like pretty devices from reputable companies that show them cool stuff ha ha
Well, in that case, I would look for tools/products that are going to help for the (even more so than usual) data loss/breach that is coming. That's literally the laziest, worst-possible excuse for not patching.
Working on: staying alive and staying employed
-
Kinet1c Member Posts: 604
Device locker for USB ports and/or CD/DVD drives?
Enhanced wifi security? (if you have wifi)
Training, as was suggested, for social engineering/phishing attacks.
Licensing audit of everyone's PC/laptop?
MobileIron or similar for mobile devices?
Again, the budget might not fulfill any of them, but proposing them may get you more $$$
2018 Goals - Learn all the Hashicorp products
Luck is what happens when preparation meets opportunity
-
GarudaMin Member Posts: 204
I would say take a look at the critical controls by the Council on CyberSecurity (link below), NIST, ISO, etc...
Council on CyberSecurity Critical Security Controls for Effective Cyber Defense
See where your security weaknesses are (do a gap analysis) and spend money accordingly.
-
TechJunky Member Posts: 881
Without knowing how big the organization is, or what industry it is in, this is a very generic question. It makes it hard for anyone to help you spend that money. 10k in my organization is a drop in the bucket. Servers here cost that much.