Just got 10k, what to do?

Cyberscum Member Posts: 795
So I have a very unique task at hand for my company.

We have received some funding for security. I am looking for advice on what would be the best way a company could spend 5 to 10 thousand dollars.

Literally we have a budget limit for 10k and no instructions.
So my question is this, if a company had 5-10k strictly for security what would you recommend they invest it in?

It has to be something that is very transparent to C-levels, which makes it a little more interesting….
Looking for ideas…

Comments

  • broli720 Member Posts: 394
    Some kind of risk registry for projects and/or contracts for you guys to glean metrics from. Probably more than 10k, but you'll have a good starting point. I'm not exactly sure what your company does, but something like attack tree analysis might be a good place to start.
  • N2IT Inactive Imported Users Posts: 7,483
    Tablets the executives will love you.

    In all seriousness a risk management system.

    We just implemented a product by RSA and our senior leadership is absolutely going nuts over it. They ask 20 questions a day, they love it.

    I work for a fortune 20 company just to give you some insight.
  • networker050184 Mod Posts: 11,962
    Hard to say without knowing anything about the current environment. Seeing as how they have a budget without an end goal in sight, it's probably safe to assume they haven't been too security conscious in the past. Might be worth getting a professional assessment done to see what the next amount of money should actually be spent on. A good security assessment might cost more than $10k though, depending on size of the network etc.
    An expert is a man who has made all the mistakes which can be made.
  • N2IT Inactive Imported Users Posts: 7,483
    Networker very smooth and wise post.

    Leverage the 10 grand to build a security road map for the next 5 years or so. That could get you some additional funding and get you noticed.
  • ninjaturtle Member Posts: 245
    Always nice to get a budget to spend on some new toys, the problem is getting that budget before you've presented a design or end goal. Especially with security, as almost all security devices require licensing and/or subscriptions to keep them up-to-date.

    The question comes down to how many users? This will determine the amount of juice you'll need on the device, such as a firewall. Second question would be, what do you currently have in place. You might be able to build off that, and invest the $10k as an upgrade to better secure the network. Just a couple questions I'd want to know for starters.

    All in all, glad you got some money to spend. Just be a little tricky, but certainly still doable.

    Cheers,
    Current Study Discipline: CCIE Data Center
    Cisco SEAL, Cisco SWAT, Cisco DeltaForce, Cisco FBI, Cisco DoD, Cisco Army Rangers, Cisco SOCOM .ιlι..ιlι.
  • MrAgent Member Posts: 1,310
    You could get a copy of metasploit pro and nexpose :)
  • Cyberscum Member Posts: 795
    Well this is actually going to be for one of our sister sites. The site actually works with DoD, so they have a decent baseline of security.

    The BIG issue I see is that the C-levels in this instance are very much into devices. They love to be able to put a device in and get some kind of results from it. I know it sounds ridiculous but it is what it is. This is basically going to amount to a dog and pony.

    I have been looking into devices from FireEye, seems like they have some “shiny lights” kinda devices these guys like.

    As far as users, they are in the 100-150 range.
  • philz1982 Member Posts: 978
    Do your own assessment using NIST/ISO. Not only will it help solidify RA skills but it will also tell you where to spend your 10k.
  • kriscamaro68 Member Posts: 1,186
    You should spend it to get OSCP, and a GIAC cert/training. Then let them know how crappy their security is after you've learned about how to defeat it.
  • Cyberscum Member Posts: 795
    broli720 wrote: »
    Some kind of risk registry for projects and/or contracts for you guys to glean metrics from. Probably more than 10k, but you'll have a good starting point. I'm not exactly sure what your company does, but something like attack tree analysis might be a good place to start.

    Great idea, but a budget buster for sure. Isn't there something called McAfee Orchestrator that does this for cheap?
  • Cyberscum Member Posts: 795
    N2IT wrote: »
    Tablets the executives will love you.

    In all seriousness a risk management system.

    We just implemented a product by RSA and our senior leadership is absolutely going nuts over it. They ask 20 questions a day, they love it.

    I work for a fortune 20 company just to give you some insight.

    What product did you use from RSA?
  • Cyberscum Member Posts: 795
    @Networker
    There is a local comp called Caanes that does them, but they are def over the price limit of 10k

    @Philz
    We have already done a few on them and they have refused firewall upgrades and switch security. They have also opted out of patch updates because they conflict with their users' ease of use. Believe me, they like pretty devices from reputable companies that show them cool stuff ha ha
  • philz1982 Member Posts: 978
    Well then have your team pick up some monitoring certs, upgrade your SIEM, and deploy sensors so you can detect the attack while and after it happens.

    Use the rest of the money to develop a training and awareness program to work on the social engineering which is the source of 50% of attacks.
  • N2IT Inactive Imported Users Posts: 7,483
    @ CS

    RSA Archer
  • H3||scr3am Member Posts: 564
    I was going to mention a user training program for physical security and phishing/emails and phone communications.

    and if there is anything left over, update the endpoint A/V licensing :D nothing better than an icon in everyone's system bar telling them they're safe :D

    OR

    get Websense, and block all of the non work related sites your C levels visit... they'll know it's working then :p
  • wes allen Member Posts: 540
    If you don't already have IDS / flow monitoring, then buy new or retask / upgrade some older servers and build an open source IDS system. Suricata with ETPro rules and SiLK for the sensors and maybe ELK for the manager, or the free version of Splunk, though you might have to tune the alerts down a bit. Or, FlowBAT is a kind of cool flow monitoring solution that works with SiLK.

    If you want to stay with paid software, buy a couple copies of Nessus PVS and install on decent hardware at choke points.

    If you already have an IDS/flow monitoring setup, then extend it with something like Bro.

    PS, all of these can create all kinds of reports, metrics and graphs for your C-Level people, along with generating tons of operational data as well as security alerts.
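As an added example (not code from the thread, nor from the Suricata project), the script below turns Suricata's EVE JSON alert log into the per-signature, per-source and per-severity counts that wes allen's last paragraph describes, and that philz1982's "detect the attack while and after it happens" point depends on. It assumes Suricata's default eve.json field layout (event_type, src_ip, dest_ip, alert.signature, alert.category, alert.severity); the log lines embedded in it are constructed for the example, and the signature names are made up.

```python
"""Summarize Suricata EVE JSON alerts into report-ready metrics.

Added example, not code from the thread or the Suricata project. Assumes the
default eve.json field names; the sample below is constructed, not captured.
"""
import json
from collections import Counter

# Constructed sample eve.json lines: three alerts, one flow record and one
# corrupt line. Signature names are invented for the example.
SAMPLE_EVE = """\
{"timestamp":"2016-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","proto":"TCP","alert":{"signature":"ET POLICY Outbound SSH (example)","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2016-03-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","proto":"TCP"}
{"timestamp":"2016-03-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.4","proto":"TCP","alert":{"signature":"ET TROJAN Beacon (example)","category":"A Network Trojan was detected","severity":1}}
this line is corrupt and must be skipped
{"timestamp":"2016-03-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.4","proto":"TCP","alert":{"signature":"ET TROJAN Beacon (example)","category":"A Network Trojan was detected","severity":1}}
"""


def parse_alerts(lines):
    """Return only well-formed alert records.

    Flow, DNS, HTTP and other event types are dropped, and a corrupt line is
    skipped rather than aborting the whole report (eve.json is appended to
    continuously, so a partially written last line is normal).
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert" or "alert" not in rec:
            continue
        alerts.append(rec)
    return alerts


def summarize(alerts, top_n=5):
    """Aggregate alerts into the numbers a weekly management report needs."""
    by_sig = Counter(a["alert"]["signature"] for a in alerts)
    by_cat = Counter(a["alert"]["category"] for a in alerts)
    by_src = Counter(a["src_ip"] for a in alerts)
    # Suricata severity: 1 is the highest priority; default to 3 if missing.
    by_sev = Counter(a["alert"].get("severity", 3) for a in alerts)
    return {
        "total_alerts": len(alerts),
        "by_severity": dict(by_sev),
        "top_signatures": by_sig.most_common(top_n),
        "top_categories": by_cat.most_common(top_n),
        "top_sources": by_src.most_common(top_n),
        # Internal hosts that fired a priority-1 rule: the follow-up list.
        "high_severity_hosts": sorted(
            {a["src_ip"] for a in alerts if a["alert"].get("severity", 3) == 1}
        ),
    }


def render(report):
    """Plain-text rendering suitable for pasting into a status e-mail."""
    out = ["Total alerts: %d" % report["total_alerts"]]
    for sev in sorted(report["by_severity"]):
        out.append("  severity %d: %d" % (sev, report["by_severity"][sev]))
    out.append("Top signatures:")
    out += ["  %5d  %s" % (n, sig) for sig, n in report["top_signatures"]]
    out.append("Top sources:")
    out += ["  %5d  %s" % (n, ip) for ip, n in report["top_sources"]]
    out.append("Hosts with priority-1 alerts: " + ", ".join(report["high_severity_hosts"]))
    return "\n".join(out)


if __name__ == "__main__":
    # On a real sensor: open("/var/log/suricata/eve.json") instead of the sample.
    print(render(summarize(parse_alerts(SAMPLE_EVE.splitlines()))))
```

Pointing `parse_alerts` at `/var/log/suricata/eve.json` (or at the JSON forwarded into ELK/Splunk) and running it on a schedule gives the "reports, metrics and graphs" part without any licence cost; the same counters feed a dashboard just as well as a text e-mail.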
  • PJ_Sneakers Member Posts: 884
    You could spend some of it on the SANS Institute Securing the Human, depending on how many users you have. That would be easy.
  • Gallager00 Member Posts: 29
    N2IT wrote: »
    @ CS

    RSA Archer


    Just watched a demo on Youtube.

    Sounds super user-friendly.
    2016 Goals: CCNA Security, CCNA Data Center, VCP6-NV. Mostly focusing on skills rather than certs.
    2016 Completed:
    Currently reading: CCNA Security, programming books
  • colemic Member Posts: 1,569
    Well in that case, I would look for tools/products that are going to help for the (even more so than usual) data loss/breach that is coming. That's literally the laziest, worst-possible excuse for not patching.
    Cyberscum wrote: »
    @Networker
    There is a local comp called Caanes that does them, but they are def over the price limit of 10k

    @Philz
    We have already done a few on them and they have refused firewall upgrades and switch security. They have also opted out of patch updates because they conflict with their users' ease of use. Believe me, they like pretty devices from reputable companies that show them cool stuff ha ha
    Working on: staying alive and staying employed
  • Kinet1c Member Posts: 604
    Device locker for usb ports and/or cd/dvd drives?
    Enhanced wifi security? (if you have wifi)
    Training as was suggested for social engineer/phishing attacks.
    Licensing audit of everyone's PC/laptop?
    Mobile iron or similar for mobile devices?

    Again, the budget might not fulfill any of them but proposing them may get you more $$$
    2018 Goals - Learn all the Hashicorp products

    Luck is what happens when preparation meets opportunity
  • GarudaMin Member Posts: 204
    I would say take a look at critical controls by cyber security council (link below), NIST, ISO, etc...
    Council on CyberSecurity Critical Security Controls for Effective Cyber Defense

    See where your security weaknesses (do gap analysis) are and spend money accordingly.
  • TechJunky Member Posts: 881
    Without knowing how big the organization is, or what industry it is in, this is a very generic question. Makes it hard for anyone to help you spend that money. 10k in my organization is a drop in the bucket. Servers here cost that much.