Just got 10k, what to do?

Cyberscum

So I have a very unique task at hand for my company.

We have received some funding for security I am looking for advice on what would be the best way a company could spend 5 to 10 thousand dollars.

Literally we have a budget limit for 10k and no instructions.
So my question is this, if a company had 5-10k strictly for security what would you recommend they invest it in?

It has to be something that is very transparent to C-levels, which makes it a little more interesting….
Looking for ideas…

broli720

Some kind of risk registry for projects and/or contracts for you guys to gleam metrics from. Probably more than 10k, but you'll have a good starting point. I'm not exactly sure what your company does, but something like attack tree analysis might be a good place to start.

N2IT

Tablets the executives will love you.

In all seriousness a risk management system.

We just implemented a product by RSA and our senior leadership is absolutely going nuts over it. They ask 20 questions a day, they love it.

I work for a fortune 20 company just to give you some insight.

networker050184

Hard to say without knowing anything about the current environment. Seeing as how they have a budget without an end goal in site it's probably safe to assume they haven't been to security conscious in the past. Might be worth getting a professional assesment done to see what the next amount of money should actually be spent on. A good security assesment might cost more than $10k though depending on size of the network etc.

N2IT

Networker very smooth and wise post.

Leverage the 10 grand to build a security road map for the next 5 years or so. That could get you some additional funding and get you noticed.

ninjaturtle

Always nice to get a budget to spend on some new toys, the problem is getting that budget before you've presented a design or end goal. Especially with security, as almost all security devices require licensing and/or subscriptions to keep them up-to-date.

The question comes down to how many users? This will determine the amount of juice you'll need on the device, such as a firewall. Second question would be, what do you currently have in place. You might be able to build off that, and invest the $10k as an upgrade to better secure the network. Just a couple questions I'd want to know for starters.

All in all, glad you got some money to spend. Just be a little tricky, but certainly still doable.

Cheers,

MrAgent

You could get a copy of metasploit pro and nexpose

Cyberscum

Well this is actually going to be for one of our sister sites. The site is actually works with DoD so they decent baseline of security.

The BIG issue I see is that the C-levels in this instance are very much into devices. They love to be able to put a device in and get some kind of results from it. I know it sounds ridiculous but it is what it is. This is basically going to amount to a dog and pony.

I have been looking into devices from FireEye, seems like they have some “shiny lights” kinda devices these guys like.

...As far as users they are in the 100-150 range

philz1982

Do your own assessment using NIST/ISO. Not only will it help solidify RA skills but it will also tell you where to spend your10k.

kriscamaro68

You should spend it to get OSCP, and a GIAC cert/training. Then let them know how crappy their security is after you've learned about how to defeat it.

Cyberscum

broli720 wrote: »

Some kind of risk registry for projects and/or contracts for you guys to gleam metrics from. Probably more than 10k, but you'll have a good starting point. I'm not exactly sure what your company does, but something like attack tree analysis might be a good place to start.

Great idea, but a budget buster for sure. Isnt there somehting called McAfee Orchistrator that does this for cheap?

Cyberscum

N2IT wrote: »

Tablets the executives will love you.

In all seriousness a risk management system.

We just implemented a product by RSA and our senior leadership is absolutely going nuts over it. They ask 20 questions a day, they love it.

I work for a fortune 20 company just to give you some insight.

What product did you use from RSA?

Cyberscum

@Networker
There is a local comp called Caanes that does them, but they are def over the price limit of 10k

@Philz
We have already done a few on them and they have refused firewall upgrades and switch security. They have also opt out of patch updates becasue they conflict with thier users ease of use. Believe me, they like pretty devices from reputable companies that show them cool stuff ha ha

philz1982

Well then have your team pick some monitoring certs upgrade your seim deploy sensors so you can detect the attack while and after it happened.

Use the rest of the money to develop an training and awareness program to work on the social engineering which is the source of 50% of attacks.

N2IT

@ CS

RSA Archer

H3||scr3am

I was going to mention a user training program for physical security and phishing/emails and phone communications.

and if there is anything left over, update the endpoint A/V licensing nothing better then an icon in everyone's system bar telling them they're safe

OR

get websense, and block all of the non work related sites your C levels visit... they'll know it's working then

wes allen

If you don't already have IDS / Flow monitoring, then buy new or retask / upgrade some older servers and build an open source IDS system. Suricata with ETPro Rules and SiLK for the sensors and maybe ELK for the manager, or the free version of Spunk, though you might have to tune the alerts down a bit. Or, flowbat is a kind cool flow monitoring solution that works with silk.

If you want to stay with paid software, buy a couple copies of Nessus PVS and install on decent hardware at choke points.

If you already have an IDS/flow monitoring setup, then extend it with something like Bro.

PS, all of these can create all kinds of reports, metrics and graphs for your C-Level people, along with generating tons of operational data as well as security alerts.

PJ_Sneakers

You could spend some of it on the SANS Institute Securing the Human, depending on how many users you have. That would be easy.

Gallager00

N2IT wrote: »

@ CS

RSA Archer

Just watched a demo on Youtube.

Sounds super user-friendly.

colemic

Well in that case, I would look for tools/products that are going to help for the (even more so than usual) data loss/breach that is coming. That's literally the laziest, worst-possible excuse for not patching.

Cyberscum wrote: »

@Networker
There is a local comp called Caanes that does them, but they are def over the price limit of 10k

@Philz
We have already done a few on them and they have refused firewall upgrades and switch security. They have also opt out of patch updates becasue they conflict with thier users ease of use. Believe me, they like pretty devices from reputable companies that show them cool stuff ha ha

Kinet1c

Device locker for usb ports and/or cd/dvd drives?
Enhanced wifi security? (if you have wifi)
Training as was suggested for social engineer/phishing attacks.
Licensing audit of everyone's PC/laptop?
Mobile iron or similar for mobile devices?

Again, the budget might not fulfill any of them but proposing them may get you more $$$

GarudaMin

I would say take a look at critical controls by cyber security council (link below), NIST, ISO, etc...
Council on CyberSecurity Critical Security Controls for Effective Cyber Defense

See where your security weaknesses (do gap analysis) are and spend money accordingly.

TechJunky

without knowing how big the organization is, or what the industry is for, this is a very generic question. Makes it hard for anyone to help you spend that money. 10k in my organization is a drop in the bucket. Servers here cost that much.