Some of you guys have insane resources, capital, people, that you can throw at the problem until it's solved.
Unfortunately, that's not all of you. Or maybe it IS you, but you're not going to spend anymore time than necessary to make sure that you have the basics covered.
Here's the short list.
1. Review the following list of security solutions and make sure that you have answers for each one of the security solutions/products that apply to you.
http://www.cloudauditcontrols.com/p/requirements-checklist.html
2. Find the hardening guide for each one of the products that you have installed and make sure you focus on reducing the attack surface and exploitability of the systems by implementing moderate to complete hardening on the systems.
3. Ensure that you have basic segmentation implemented to protect multitier applications.
4. Implement traffic filtering for external-facing applications. I'm a big fan of these guys. No affiliation whatsoever. Look at some of the other offerings that they have as well.
https://www.incapsula.com/website-security/https://www.incapsula.com/website-security/
If you want one of the best peer-reviewed security standards that I believe is actionable and reasonable to implement, consider PCI DSS. There is some overlap between some of the requirements. It still requires a moderate amount of interpretation. I've done a tremendous amount of work in and around the standard, and I'm not speaking flippantly or borrowing from someone else's opinion when I state these things.
Here's a short blog post that contains distilled requirements that I consider must-haves:
http://www.cloudauditcontrols.com/2012/03/practices-for-protecting-management.html
5. Final additional considerations not required specifically by most regulations and standards. [a] Consider Network Behavior Anomaly Detection such as Fire Eye. [b] Consider white listing, sandboxing, persistence, and other measures to limit attack surface, attack vectors, escalations, attack persistence.
This is typically when I tell organizations that are uncomfortable making product decisions to engage a reputable security-focused reseller. Of course I have my favorites for different situations. But I don't know your environment. My brother founded and runs https://www.criticalstart.com. I've used some of his guys in the past for different assessments. Good work. Another couple that I like are https://www.redlegg.com and https://depthsecurity.com. Both founded by stand-up guys that care about the customer and care about getting it right.
This blog is about understanding, auditing, and addressing risk in cloud environments. Systems and architectures are rapidly converging, hiding complexity with additional layers of abstraction. Simplicity is great for operations - as long as risks are understood and appropriately addressed.
Wednesday, April 20, 2016
Tuesday, April 5, 2016
CVE Analysis Spreadsheet - 2015 through 2016 Q1
Simply navigate to the documents tab and look for CVE Analysis spreadsheet.
Subscribe to:
Posts (Atom)