Designing a Corporate Security Program from Scratch

SoCalGuy858 (CISSP, GCIH, GSEC, Project+; The Triangle; Member Posts: 150)
As I've mentioned in some previous postings, I'm in a very unique situation quite early on in my career, in that I'm part of a two-man team working to build the security department / program at my company from the ground up. As it stands now, we're still in the very early stages of existence. With that said, I'd like some input from those with experience designing aspects of information security.

To start off, a bit of broad background (commonly found info, nothing sensitive):

The company is a wireless engineering (M2M / IoT) organization, with everything from software engineers / testers and hardware engineers, to engineering production facilities, sales staff, and all of the typical corporate stuff (HR/Finance/etc.). We have multiple sites across the globe, as well as multiple remote employees, and contract production facilities. Roughly ~500 employees total.

To get a good foundation built, we’re trying to develop our initial policy set around the ISO 27000 series, integrating their points into the sub-policies we are authoring. These sub-policies will be aligned with the various headers within the ISO 27002 standard.
We are also trying to follow the SANS 20 Critical Security Controls... making our way through the list. We’ve got vulnerability management processes in place (using QualysGuard)... things are going nicely. We’ve also got a fairly decent security awareness program up and running, utilizing the SANS Securing the Human curriculum (as well as their phishing assessment system, which is awesome!). We’ve seen dramatic improvement in just two months of phishing tests...

I know this is a pretty bare-bones summary, so if anyone has any questions, let me know.

So... what would you concentrate on if you were in a brand-new security position, in a brand-new security department?
I look forward to hearing your input!
LinkedIn - Just mention you're from TE!


  • wes allen (Member Posts: 540)
    I am a big fan of building as much visibility as you can - IDS, log aggregation, NGFW for app awareness, internal and external flow monitoring, etc. You don't necessarily need a full scale SIEM, but something like Splunk or ELK is nice to be able to pull actionable data out of the sea of logs coming in. This can help you with metrics to use when planning other controls. Like seeing malware running from /appdata might be a good reason to roll out applocker, or with Suricata you might be able to pull out UA data to show outdated flash versions or old browsers. Internal flow monitoring combined with AD logs can help find machines that are on your network, but not domain joined, thus maybe showing a need for NAC.
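    As an added illustration of the "visibility first" idea in the post above (this is example code written for this thread, not anything from the poster or from the Suricata or ELK projects): a small Python script that reads constructed Suricata eve.json lines, pulls the HTTP User-Agent out of them to flag browsers below a chosen baseline, and joins the flow records against a constructed export of Active Directory computer addresses to list hosts that talk on the network but are not domain joined. The browser minimum versions, the sample events and the AD address set are all assumptions made for the example; in a real environment the AD export would come from your directory and hosts would be matched by name via DHCP/DNS rather than by raw IP.

```python
import json
import re

# Constructed Suricata eve.json lines for the example (not real captures): HTTP and flow events.
EVE_LINES = [
    '{"event_type":"http","src_ip":"10.1.1.10","http":{"http_user_agent":"Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"}}',
    '{"event_type":"http","src_ip":"10.1.1.11","http":{"http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}}',
    '{"event_type":"http","src_ip":"10.1.1.12","http":{"http_user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"}}',
    '{"event_type":"flow","src_ip":"10.1.1.50","dest_ip":"10.1.1.5","dest_port":445,"proto":"TCP"}',
    '{"event_type":"flow","src_ip":"10.1.1.10","dest_ip":"10.1.1.5","dest_port":445,"proto":"TCP"}',
]

# Constructed list of domain-joined hosts, as an AD computer-object export would give you (assumed).
AD_HOSTS = {"10.1.1.10", "10.1.1.11", "10.1.1.12"}

# Assumed baseline: anything older than these major versions is reported as outdated.
MIN_VERSIONS = {"Firefox": 115, "Chrome": 110}


def browser_findings(ua):
    """Return a short finding if the User-Agent is a browser below the baseline, else None."""
    if "MSIE" in ua or "Trident/" in ua:
        return "Internet Explorer"
    for name, minimum in MIN_VERSIONS.items():
        m = re.search(name + r"/(\d+)", ua)
        if m and int(m.group(1)) < minimum:
            return f"{name} {m.group(1)} (< {minimum})"
    return None


def analyze(lines, ad_hosts):
    """Walk eve.json lines once; collect outdated browsers and flow sources missing from AD."""
    outdated, flow_sources = [], set()
    for line in lines:
        ev = json.loads(line)
        if ev["event_type"] == "http":
            finding = browser_findings(ev["http"].get("http_user_agent", ""))
            if finding:
                outdated.append((ev["src_ip"], finding))
        elif ev["event_type"] == "flow":
            flow_sources.add(ev["src_ip"])
    # Hosts seen talking on the wire that have no AD computer object: candidates for a NAC discussion.
    return {"outdated": outdated, "unjoined": sorted(flow_sources - ad_hosts)}


if __name__ == "__main__":
    result = analyze(EVE_LINES, AD_HOSTS)
    for ip, finding in result["outdated"]:
        print(f"outdated browser on {ip}: {finding}")
    for ip in result["unjoined"]:
        print(f"not domain joined: {ip}")
```

    Both numbers the script produces (count of outdated browsers, count of unjoined hosts) are the kind of metric the post recommends feeding into the case for the next control, here AppLocker or browser patching on one side and NAC on the other.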
  • colemic (Member Posts: 1,568)
    ^^^start with splunk. Then, sit down and determine what software/tools you need to start planning for, such as Avecto, Bit9, Nessus, CyberArk, Rapid7, TripWire, just a few names of dozens. After you make your 'wish list,' it's time for a reality check - two people can only learn/manage a certain number of tools effectively. Plan your growth, and tie headcount to growth of tools - it's much better to have expertise, knowledge, and proficiency in 4-5 tools, than barely utilize 7 or 8, and not be able to leverage them effectively. Plus it's just wasted licensing costs. (I am going through this at the moment, and paring down what we have, to focus on what provides the most value, and to get good at what we already have.)

    Budget more than you think for training on the tools you use. If budget's an issue, look at free tools (mindful of sprawl and what I said above)

    a short list of free tools I have been keeping (but don't use, but it's nice to have knowledge of what's available for free.)

    CatBird – for monitoring virtual environments - network monitoring
    Cacti - graphing network usage
    Bro IDS
    LAPS – Microsoft tool for checking out admin credentials
    Thycotic Secret Server – password management
    RANCID (Shrubbery Networks, Inc.) – monitors a router's (or more generally a device's) configuration, including software and hardware (cards, serial numbers, etc.) and uses CVS (Concurrent Versions System) or Subversion to maintain a history of changes.
    Bulk Password Reset (Freeware Edition)

    Hopefully that gets you started. Good luck!
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • the_Grinch (Member Posts: 4,165)
    We utilize ELK (Elasticsearch, Logstash, Kibana) and have had a lot of success with it. I think the largest thing is to have the staff to actually review what you are getting. No use in collecting data that no one is analyzing. Also, have a solid plan of what you need to actually accomplish and then see what data you need in order to accomplish those goals.

    At my job I am mainly the only person who is performing analysis with ELK. I have a back-up, but beyond looking for the big stuff (file integrity in our case) he hasn't dived into it as far as I have (we're short staffed and he has his own job duties to worry about). As an example of how useful these tools can be in the right hands, I give you the following investigation I worked on. OSSEC is our agent for monitoring and part of it involves a series of alert levels. That information is parsed by Logstash and then sent to Elasticsearch for our review in Kibana. We see a low number of level 10 alerts and they typically relate to multiple failed logins. One day I was reviewing the data and I saw a huge spike in level 10 alerts. I moved from the dashboard to a more detailed one and ran the query again. As I reviewed the details I saw it wasn't multiple failed logins, but an application error. This error in particular was extremely important for us to know about.

    I took my data and reached out to the stakeholder in regards to the error. It's now an investigation and I have a vague idea of what happened, but I need them to confirm my suspicions. Ultimately, with my analysis, I found a step in their procedures that they had missed and also found that they fixed the error without reporting it in the first place. I was able to write a specialized query that now alerts me to the error and I was also able to go back through past data to find other occurrences.

    Moral of the story? You might as well not collect it if you aren't actively analyzing it, and from the sounds of it, your team is too small to do what you will ultimately end up being responsible for.
    Intro to Discrete Math
    Programming Languages
    Work stuff
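    The investigation described above boils down to three steps that can be scripted: count level-10 alerts per hour, flag the hour that stands out against the others, and break the flagged hour down by rule to see whether it is really failed logins. The Python below is an added example for this thread, not the poster's query or anything from the OSSEC or ELK projects, and it works on constructed alert records shaped roughly like what Logstash would parse from OSSEC (timestamp truncated to the hour, level on OSSEC's 0 to 15 scale, rule description, host); the rule text, hosts and counts are all made up for the example. The last two functions are the "specialized query" idea: a predicate for the error and a sweep over past data for other occurrences.

```python
from collections import Counter, defaultdict
from statistics import median


def build_sample_alerts():
    """Constructed OSSEC-style alerts: a quiet baseline of failed logins, then one hour that spikes."""
    alerts = []
    for hour in range(8, 14):
        ts = f"2015-06-01T{hour:02d}"
        alerts += [{"ts": ts, "level": 10, "rule": "Multiple authentication failures", "host": "web01"}] * 2
        alerts += [{"ts": ts, "level": 3, "rule": "Login session opened", "host": "web01"}] * 5
    # The spike: thirty level-10 alerts in one hour that are an application error, not failed logins.
    alerts += [{"ts": "2015-06-01T13", "level": 10,
                "rule": "Application error: order service unhandled exception", "host": "app02"}] * 30
    return alerts


def count_by_hour(alerts, level):
    """Number of alerts at exactly `level` in each hour (the dashboard bar chart as numbers)."""
    counts = defaultdict(int)
    for a in alerts:
        if a["level"] == level:
            counts[a["ts"]] += 1
    return dict(counts)


def detect_spikes(counts, factor=3.0):
    """Hours whose count exceeds `factor` times the median of all the other hours."""
    spikes = []
    for hour, n in counts.items():
        others = [v for h, v in counts.items() if h != hour]
        if others and n > factor * median(others):
            spikes.append(hour)
    return sorted(spikes)


def breakdown(alerts, hour, level):
    """Which rules make up the alerts at `level` in `hour`: the drill-down view."""
    return Counter(a["rule"] for a in alerts if a["ts"] == hour and a["level"] == level)


def is_app_error(alert):
    """The saved query: level 10 or above and an application-error rule description."""
    return alert["level"] >= 10 and alert["rule"].startswith("Application error")


def find_occurrences(alerts, predicate):
    """Sweep historical data for every alert the predicate matches (hour, host)."""
    return [(a["ts"], a["host"]) for a in alerts if predicate(a)]


if __name__ == "__main__":
    alerts = build_sample_alerts()
    counts = count_by_hour(alerts, level=10)
    for hour in detect_spikes(counts):
        print(f"spike in level-10 alerts at {hour}: {counts[hour]} alerts")
        for rule, n in breakdown(alerts, hour, 10).most_common():
            print(f"  {n:3d}  {rule}")
    print(f"{len(find_occurrences(alerts, is_app_error))} application-error alerts in history")
```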
  • TheFORCE (Senior Member; Posts: 2,298)
    Get an ITIL Foundation book, they have a lot of best practice recommendations in terms of what documents and policies you need to have. You can add to those the various objectives from the ISO-IEC 27000
  • colemic (Member Posts: 1,568)
    Texas CISO Council has released this as well:
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • Cyberscum (Member Posts: 795)
    To start with a foundation:

    1. Continuity of Operations (COOP)
    2. Disaster Recovery Plan (DRP)
    3. Contingency Plan (CP)
    4. Hardware List
    5. Software List
    6. Topology
    7. System Security Plan or system security design artifact
    8. Configuration Control Board (CCB)
    9. Configuration Management Plan
    10. Ports, Protocols & Services (PPS) Worksheet
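    The last item in that list, the PPS worksheet, is the one most easily kept honest by code: it should reflect what hosts are actually listening on, checked against what the design says they are allowed to expose. The Python below is an added example for this thread (not the poster's artifact, and not tied to any particular scanner): it takes a constructed inventory of observed listening services per host, compares each against a constructed approved baseline, writes the worksheet as CSV, and separates out the deviations, both ports that are not on the baseline at all and approved ports carrying a different service than the baseline expects. The hosts, ports and baseline are assumptions made for the example; in practice the observed side would be filled from a scan or netstat export.

```python
import csv
import io

# Constructed approved baseline for this system boundary: (protocol, port) -> expected service.
APPROVED = {
    ("tcp", 22): "ssh",
    ("tcp", 443): "https",
    ("udp", 123): "ntp",
    ("tcp", 3389): "rdp",
}

# Constructed observed inventory: what each host was actually found listening on.
OBSERVED = {
    "web01": [("tcp", 22, "ssh"), ("tcp", 443, "https"), ("tcp", 80, "http")],
    "build01": [("tcp", 22, "ssh"), ("tcp", 23, "telnet"), ("udp", 123, "ntp")],
    "jump01": [("tcp", 3389, "rdp"), ("tcp", 22, "ssh"), ("tcp", 443, "openvpn")],
}

FIELDS = ["host", "protocol", "port", "service", "status"]


def classify(proto, port, service, approved):
    """Status of one listening service relative to the baseline."""
    expected = approved.get((proto, port))
    if expected is None:
        return "not on baseline"
    if expected != service:
        return f"service mismatch (baseline: {expected})"
    return "approved"


def build_worksheet(observed, approved):
    """One row per host/service, sorted so the worksheet is stable between runs."""
    rows = []
    for host in sorted(observed):
        for proto, port, service in sorted(observed[host], key=lambda s: (s[0], s[1])):
            rows.append({"host": host, "protocol": proto, "port": port, "service": service,
                         "status": classify(proto, port, service, approved)})
    return rows


def deviations(rows):
    """Everything that needs a CCB decision: either add it to the baseline or turn it off."""
    return [(r["host"], r["protocol"], r["port"], r["service"]) for r in rows if r["status"] != "approved"]


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = build_worksheet(OBSERVED, APPROVED)
    print(to_csv(rows))
    for host, proto, port, service in deviations(rows):
        print(f"deviation: {host} {proto}/{port} ({service})")
```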
  • veritas_libertas (CISSP, GIAC x5, CompTIA x5; Greenville, SC USA; Member Posts: 5,738)
    You want to consider using the 20 Critical Controls as a path to building your department:

    Asset management is a key place to start. Know what you have and what is running on them.
    Currently working on: Linux and Python
  • SoCalGuy858 (CISSP, GCIH, GSEC, Project+; The Triangle; Member Posts: 150)
    Thanks for the tip, all!

    @Veritas -- Already working on the 20 CSCs! Great baseline!
    LinkedIn - Just mention you're from TE!
  • tpatt100 (Member Posts: 2,991)
    SANS Securing the Human curriculum

    How was this? I need to look at some training solutions for our company.
  • jamthat (Member Posts: 303)
    tpatt100 wrote: »
    How was this? I need to look at some training solutions for our company.

    Same, I priced it out but didn't pull the trigger... would love to hear some personal experiences. For now, we're going with death-by-PowerPoint.
  • veritas_libertas (CISSP, GIAC x5, CompTIA x5; Greenville, SC USA; Member Posts: 5,738)
    I wasn't all that impressed. It felt VERY general. I wanted our users to know what to look for when they get a suspicious e-mail. Hover over the link, does the sender's e-mail address look right, are there broken images, etc.
    Currently working on: Linux and Python
  • SoCalGuy858 (CISSP, GCIH, GSEC, Project+; The Triangle; Member Posts: 150)
    I definitely agree with veritas that it's quite general, especially for a shop like mine where more than half the staff "knows computers" (e.g. developers, systems engineers, etc.). It gets the job done, though, and for now, will help us in achieving the security awareness requirements of ISO 27002.

    The one feature that I do like, though, is the phishing awareness utility. Custom phishing e-mails, "gotcha!"-style training, and some awesome reporting functionality.
    LinkedIn - Just mention you're from TE!
  • 636-555-3226 (Member Posts: 976)
    Everybody's listing technical controls. They're doing it wrong. The two biggest things you need are

    1) Executive support and active involvement. Have a monthly mtg with a steering committee made up of VP or execs. They don't need to know how to run Splunk, but they need to know how it helps the company's bottom line.

    2) A risk-based approach to security. Don't buy anything at first. Not to sound like COBIT, but identify the risk, assess/prioritize the risk & controls, select and implement the best cost/benefit controls (these are not always technical controls), and monitor to see if they're working.

    You can throw tons of money and systems into your network, but you really need to sit down, figure out what the biggest likelihood/impact is of x, y, or z happening, and focus based on that.
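    The risk-based approach in the post above (identify the risk, score it, pick the controls with the best cost/benefit, then monitor) can be written down as a small decision aid, which also makes the "don't buy anything at first" point concrete: the cheapest control on the list below is a process change, not a product. This is an added example for this thread, not the poster's method or any COBIT artifact; the risk register, the likelihood/impact scale, the control costs and the assumed reduction fractions are all constructed for the example and would come from your own assessment in practice. Note the documented limitation: the greedy selection treats reductions from different controls on the same risk as independent, which overstates the benefit when two controls overlap.

```python
# Constructed risk register: name -> (likelihood, impact), each on a 1 to 5 scale.
RISKS = {
    "phishing leads to credential theft": (5, 4),
    "ransomware on production file server": (3, 5),
    "lost unencrypted laptop": (4, 3),
    "DDoS on public website": (2, 2),
}

# Constructed candidate controls: annual cost (in $k, assumed) and the fraction of each
# risk's score the control is assumed to remove. Not all of them are technical.
CONTROLS = {
    "MFA for all remote access": {"cost": 20, "reduces": {"phishing leads to credential theft": 0.6}},
    "full-disk encryption on laptops": {"cost": 5, "reduces": {"lost unencrypted laptop": 0.9}},
    "offline backups and restore drills": {"cost": 15, "reduces": {"ransomware on production file server": 0.7}},
    "application whitelisting": {"cost": 40, "reduces": {"ransomware on production file server": 0.5,
                                                         "phishing leads to credential theft": 0.1}},
    "DDoS scrubbing service": {"cost": 30, "reduces": {"DDoS on public website": 0.8}},
}


def risk_score(likelihood, impact):
    """Simple likelihood x impact matrix score."""
    return likelihood * impact


def rank_risks(risks):
    """Risks ordered from highest to lowest score: where to focus first."""
    return sorted(risks, key=lambda r: risk_score(*risks[r]), reverse=True)


def risk_reduction(control, risks):
    """Total score removed by one control across every risk it touches."""
    return sum(risk_score(*risks[r]) * frac for r, frac in control["reduces"].items())


def benefit_per_cost(name, controls, risks):
    return risk_reduction(controls[name], risks) / controls[name]["cost"]


def select_controls(risks, controls, budget):
    """Greedy pick by reduction per unit cost until the budget is spent.

    Limitation: reductions are treated as independent, so two controls that
    address the same risk are counted as if their benefits simply add up.
    """
    chosen, remaining = [], budget
    for name in sorted(controls, key=lambda c: benefit_per_cost(c, controls, risks), reverse=True):
        if controls[name]["cost"] <= remaining:
            chosen.append(name)
            remaining -= controls[name]["cost"]
    return chosen


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{risk_score(*RISKS[r]):3d}  {r}")
    print("within a 45k budget, pick:", select_controls(RISKS, CONTROLS, budget=45))
```

    The monitoring step of the approach is the part the script does not do: after the chosen controls are in place the register should be re-scored from evidence (for example phishing-test click rates) rather than from the original estimates.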
  • SoCalGuy858 (CISSP, GCIH, GSEC, Project+; The Triangle; Member Posts: 150)
    Thanks for the input! Good strategic-level ideas!
    LinkedIn - Just mention you're from TE!