In part 2 of this series, we will discuss the deployment of security tooling to support your InfoSec program and protect your company. RedSquall is not affiliated with any of the companies or vendors mentioned in this article. The topics below are purely the opinions and observations of our engineers, who have worked with hundreds of companies and teams to secure their environments.
This post aims to give start-ups an idea of what tooling is considered "table stakes" for an InfoSec program and what is a "nice-to-have." Thousands of security tools are available today that fit into the categories we discuss in this article; some provide significant security gains, and others do not. The hope is this article will give start-ups the correct information to utilize their limited resources in the most effective way possible to secure their companies.
A Note on Managed vs Unmanaged InfoSec Services
One of the main constraints for start-ups is headcount. When creating a new InfoSec program, start-ups should almost always opt for managed services where applicable. Generally speaking, managed services provide the following:
Reduce the need to quickly grow your security team for niche roles, e.g. detection engineering.
Security engineers are hard to hire.
Once deployed, managed services provide almost immediate security gains instead of the slow ramp-up and deployment time of self-hosted technology.
Managed services are often "good enough" for most companies.
As your company grows, you should plan to outgrow some of your managed providers. In-house security teams can absolutely perform better than managed providers because they will know your environment intimately, whereas managed providers have hundreds of customers to cover. Managed providers are an excellent bridge between brand-new and mature InfoSec programs.
Many other tools exist to fill security functions, such as threat intelligence, deceptive technology, training, etc. While these are also important, RedSquall believes the following core technologies are essential for start-ups to address in the first 12 months of starting an InfoSec program.
Endpoint Detection and Response (EDR)
Deploying an antivirus across your workforce is generally considered a table-stakes security practice. EDRs are a leveled-up version of classic antivirus software that provides significantly enhanced capabilities to defend your user workstations and compute workloads from compromise.
EDR is a must-have: it provides immediate security gains once deployed and requires minimal maintenance afterwards.
Since your employees are a common target for compromise, protecting their workstations is critical. Deploying an EDR adds to your defense-in-depth strategy by preventing malicious software from executing and giving an adversary a foothold in your environment. If a user is phished or downloads a malicious application, the job of the EDR is to block execution and alert your security team to the event.
Deployment to your workforce is straightforward, especially if you use remote management tools like Mobile Device Management to deploy software to your workstations.
Deploying EDR to your compute infrastructure significantly enhances your ability to detect and respond to a compromised system. Whether you use on-prem or cloud-hosted compute resources, deploying EDR sensors to these systems should be in your 12-month roadmap when building your infosec program.
Managed vs Unmanaged:
Most major EDR vendors offer a managed service for responding to alerts on your endpoints. Anytime an alert is triggered from your EDR, the managed service will triage, respond, and remove any malicious software or actors that have compromised the host. These are almost always trained humans in the loop who are experts in endpoint incident response. Using one of these managed services is a great way to avoid expensive IR hires at the early stages of building your infosec program.
Cloud Security Posture Management (CSPM)
The vast majority of start-ups these days are cloud-native, leveraging services from one of the primary cloud providers. Especially in the early days of a new company, services are spun up and forgotten about, leading to increased attack surface. A CSPM is critical in identifying and fixing insecure cloud resources before they are exploited.
Cloud providers offer native solutions that fill some of the roles of 3rd party CSPMs. For example, Amazon offers GuardDuty, Config, and Security Hub for identifying security issues in both configuration and abnormal activity in logs. These can be a cost-effective solution but generally are not as feature-rich as some of the 3rd party options.
The leading CSPM vendors operate similarly, mostly deployed via IAM roles or service accounts into customer accounts or projects. From there, these platforms routinely scan the cloud infrastructure for vulnerable configurations, host-based vulnerabilities, internet-exposed services, and privilege escalation paths. Some of these platforms integrate directly with your SDLC to perform various levels of code scanning to identify vulnerabilities before they hit runtime.
Once deployed, CSPMs will fill multiple security roles, many of which will be customer compliance requirements. Let's look at a few such features that are becoming common in the major CSPM vendors:
Vulnerability Scanning: The main 3rd party CSPMs on the market will perform host-based and container vulnerability scanning of your assets. Often, this can allow you to forego purchasing a dedicated vulnerability scanning product and provide solid coverage of your cloud estate. Additionally, these platforms have integrations with common ticketing products such as Jira, allowing you to create tickets in your engineering team backlogs automatically.
Threat Detection: The main CSPM providers have expanded their capability to provide near real-time threat detection by directly integrating cloud audit logs, host-based scans, and deployed agents. CSPMs are not a replacement for a SIEM or managed detection and response service, but they can fill a monitoring gap until you reach a point where you are ready to bring a SIEM into your organization.
Data Loss Prevention: Some CSPMs can scan your cloud services for sensitive data types and alert you when found. For example, suppose an engineer exports data from production for use in a test, and it contains real SSNs; CSPMs could identify this data if it's stored in services like S3, RDS, etc., and alert you to its presence.
Inventory: Since these platforms have access to your cloud environment, they can produce great inventory reports of your services. Knowing your cloud footprint and the services running within it is critical not only from a security and compliance perspective but also for billing. Solid inventory tracking allows you to identify and shut down costly workloads that are running but no longer used.
A CSPM should be at the top of your priority list for deployment in the first 6-12 months of starting an InfoSec program. The security gains are enormous, while the upkeep of the platform is relatively low. The major drawback to CSPMs is price. The size of your cloud estate drives the cost, especially with regard to compute workloads.
Security Information and Event Management (SIEM)
SIEMs have been a cornerstone of mature InfoSec programs for a while. They act as the central aggregation point for security logs and generally support some form of rule creation to allow security teams to generate alerts based on log data.
A well-maintained SIEM with dedicated detection engineers constantly tuning and improving alerts is a security boon. SIEMs can be a great asset in detecting malicious activity within your environment. Conversely, if a SIEM is not maintained, it can quickly become a noisy mess and lead to alert fatigue, ultimately getting ignored. SIEMs are also expensive relative to other security products. Start-ups should consider starting with a Managed Detection and Response platform that manages logging and alerting as a service. These vendors will typically integrate directly with your log sources and provide dedicated analysts to review alerts in your environment and conduct investigations. These platforms will keep alerts up to date with the latest threats, so you don't have to hire dedicated security engineers to do it for you.
Vulnerability Scanning
Vulnerability scanning is another staple of an InfoSec program and is required by various compliance standards and often by customers. Fortunately, products like CSPM and EDR often already include this capability, reducing the need to buy dedicated vulnerability scanning products. Given the significant security gains from CSPM/EDR, start-ups should consider leveraging these to satisfy vulnerability scanning instead of buying another tool.
A note on Dynamic Application Security Testing (DAST)
DAST falls into the realm of vulnerability scanning and has a place. However, the success of DAST tooling depends heavily on the applications it is used against. DAST can effectively identify issues in straightforward applications with relatively simple workflows, but if your product involves complex user input or integrations with 3rd parties, DAST tooling has difficulty getting deep into code paths in these scenarios. Also, you should have a dedicated test deployment of your product for DAST testing instead of running against your production environment.
Static Application Security Testing (SAST)
"Shift-left" security has become a common phrase in the security world. The idea is that you detect vulnerabilities earlier in your SDLC before they hit runtime and are exploitable by an adversary. One way this is achieved is through static analysis of your source code using SAST tooling. SAST is typically integrated into your version control platform and build system and identifies vulnerabilities in your source code and dependencies that make up your application. Start-ups should strive to have a SAST solution deployed in their SDLC within 12 months of starting an InfoSec program.
Quite a few SAST vendors exist in the security space, both free and paid. Fortunately, like runtime vulnerability scanning, other platforms you may invest in will likely have some SAST capability, specifically CSPMs from the top 3 vendors that dominate the market. Additionally, major version control systems like GitHub are starting to support SAST natively within their platforms.
Note: Deploying a SAST tool is the easy part. Once running, you will likely see thousands of vulnerabilities in your tool's dashboard. Your teams must develop a triage plan to burn down the backlog and remediate new issues. The importance of ownership within your codebase cannot be overstated. Knowing who owns which code, and therefore which vulnerabilities, is key to successful remediation.
Mobile Device Management (MDM)
MDM technology allows a company to centrally manage user devices such as laptops, corporate phones, etc. MDM typically falls in the realm of IT tooling, but its security implications are significant. MDM allows security teams to enforce security controls across a company, such as deploying antivirus software, enabling disk encryption, and pushing security patches.
The first time an employee at a company loses a laptop that may or may not have disk encryption enabled is often a wake-up call that the org needs to manage systems carefully. Employees will lose laptops; your data will be on these hosts; make sure you have them properly configured because there is very little you can do once the system is gone. MDM platforms allow you to remotely lock or wipe systems to protect your data if you lose control of the system.
Data Loss Prevention (DLP)
The idea behind many DLP platforms is to detect when data is mishandled or put in insecure places. Here are a couple of classic DLP examples:
An engineer sends a Slack message containing a credential.
HR accidentally shares an employee's Social Security Number internally via Google Drive.
Finance exports expense reports containing credit card numbers and attaches them to email.
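As an added example (not from the post or any vendor's product), here is a minimal version of the checks a DLP scanner, or the CSPM data-scanning feature described above, runs over text such as chat messages or an exported table: SSN candidates filtered by SSA issuance rules, payment card numbers confirmed with a Luhn check, and an AWS access key id format standing in for a leaked credential. The sample messages are constructed and findings are redacted so the scanner's own output is not another copy of the data.

```python
import re
from typing import Dict, List

# Detection patterns for the three classic findings in the post (constructed
# example patterns, not any vendor's rules). The AWS access key id format
# ("AKIA" + 16 uppercase alphanumerics) stands in for a leaked credential.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Constructed Slack-style messages for the demo; none of these are real data.
SAMPLE_MESSAGES = [
    "deploy key for staging: AKIAIOSFODNN7EXAMPLE, please rotate after",
    "new hire SSN 219-09-9999 for payroll",
    "test card 4111 1111 1111 1111 exp 12/29",
    "ticket 000-12-3456 is not an SSN",
]

def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and not 900 <= a <= 999 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; drops most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan(text: str) -> Dict[str, List[str]]:
    """Return findings by type, redacted to the last 4 characters so the
    scanner's own output does not become another copy of the sensitive data."""
    findings: Dict[str, List[str]] = {"ssn": [], "card": [], "aws_access_key": []}
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings["ssn"].append("***-**-" + m.group(3))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings["card"].append("*" * (len(digits) - 4) + digits[-4:])
    for m in AWS_KEY_RE.finditer(text):
        findings["aws_access_key"].append(m.group(0)[:4] + "..." + m.group(0)[-4:])
    return findings

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        hits = {k: v for k, v in scan(msg).items() if v}
        print("ALERT" if hits else "clean", hits)
```

The last sample shows why format-only matching is not enough: 000-12-3456 looks like an SSN but fails the issuance rules, and the same kind of validation is what keeps a real deployment's false-positive rate manageable.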
While DLP vendors tend to advertise their ability to detect a malicious actor trying to exfiltrate sensitive data, this capability is generally easily defeated. DLP is effective at protecting against accidental data leaks as opposed to a malicious actor. DLP can also extend to user workstations through installed agents and track data moving from SaaS to user workstations and even to personal data stores like Dropbox. DLP can also extend to your cloud infrastructure, but the major CSPM vendors are building this into their products, eliminating the need to purchase a product specifically to monitor cloud data.
Unless driven by customer requests, DLP typically falls into the "nice-to-have" bucket for start-ups standing up an InfoSec program. DLP deployments often carry an initial tuning overhead, requiring security engineers to spend time reducing false positive rates and triaging historical findings. Once deployed, you should scan your SaaS, like Google Drive, Slack, etc., for historical DLP violations and remove them. Triaging these findings takes significant time, which you need to fit into your security roadmap.
Email Security
With the vast majority of breaches originating from social engineering, especially through email, securing your employees from this attack vector is critical. Fortunately, many email providers have native email security features, often based on your license type. Additionally, there are several major email security vendors on the market that are extremely effective at keeping malicious emails from landing in your employees' inboxes. If your email provider offers email security features such as malware and link sandboxing, you should absolutely use them. If your InfoSec team determines you are still having issues with malicious email, consider investing in a 3rd party solution to improve your coverage.
In today's world of technology, there are limitless security tools and products to spend money on. Unfortunately, there is no "one size fits all" security roadmap for start-ups to implement. Stick to the security fundamentals, bring in best-in-class vendors, and give your security team the agility and support to adjust as needed. Threats will continue to evolve and change; avoid complacency at all costs. Best of luck!