
Malware Fighting Tools/Guides – Part 2: How to be an Ace CISO

If one of my customers came today and asked me to design a full method to eliminate unwanted or dangerous files in his domain, I would say “No such thing”.

One of the reasons is that you can’t keep your sensitive environment clean enough without damaging the users’ freedom and productivity. Especially the VPs’.

Most of the time CISOs and IT managers come to me AFTER somebody has made a 207 or 207A on their domain (that’s the police code for kidnapping). In that case you have a legal reason, and usually a very big Go! from the CTO/CEO, to do everything you can to stop it from happening again.

Those are good times for software vendors/integrators, who can celebrate a 100% sell rate on those companies.

But, as you guessed, those time-pressed CISOs are not always aware of which products to implement and, most important, which technology will give them the best results per dime for the longest time. That said, without the right consultant to take the Pain and turn it into Gain, they usually invest in the wrong methods.

Getting back to the original “bug free” request: in those special cases I would recommend a full revision of the company’s approach to data security, starting from the bottom up.

Implementing a good, solid, management-backed data security policy is not something that happens in a day, but it is worth putting a lot of effort into: start something good now and harvest the applause later.

Issues to consider:

– Have every user sign that the computer/software he gets from the company is NOT his own.

– Publish a list of allowed software in your organization, saying that anything besides that list will cause issues with the HR department…

– Start by classifying and identifying your:

1) Sensitive data – “Show me your data and I’ll tell you how to protect it”

In most cases you will find that they DO NOT know the location and the amount of it… this step alone takes several months to complete.

2) Weakest points in the LAN/WAN/DMZ

3) Everyday-use data flow – this is the stream that all problems start from.

4) Gather and estimate your human resources; see if the team needs additional knowledge and whether it can handle 911 calls and everyday tasks.

In most cases you will find 1 or 2 persons doing 5 persons’ jobs – this is not the kind of situation you want to be in when implementing a large DLP or SIEM project and realizing your team can’t make sense of the results or lacks the time to do it.

– Harden security policies for mobile users – have smartphones and laptops follow hard rules and policies without losing the dynamic of work productivity.

– Offer well-known, dumb-proof, productive solutions for the issues above. You can start by drilling down into your AD GPOs and dead users, continue with your AV kill rate, and then your main firewall rules and block ratio.

– Keep your software up to date – probably the best tip I can give: no holes, no foxes…

– Assign virtual “Data owners” – have them take responsibility for their data in terms of backup and unwanted access.

– Pick as few tools and solutions as possible for all the scenarios you can imagine – when the 911 call arrives, the first thing you need is to act as fast as possible, and you will want the best results/outcomes/logs/products refined and distilled to your desktop.
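The “dead users” item above is the one most teams can act on in an afternoon. The script below is an added example, not code from the original post or from any product it mentions: it reports enabled Active Directory user accounts that have not logged on within a window, so the list can be reviewed with the data owners before anything is disabled. It assumes the RSAT ActiveDirectory module and read rights on the domain; the 90-day threshold and the CSV path are assumptions, pick what your policy says.

```powershell
# Added example (not from the original post): report dead/stale AD user accounts.
# Assumptions: the ActiveDirectory RSAT module is installed, the caller can read
# the domain, and 90 days / the report path match the organization's policy.
param(
    [int]$InactiveDays = 90,
    [string]$ReportPath = "$env:TEMP\stale-ad-users.csv"
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Search-ADAccount flags accounts whose last logon is older than the window.
# We keep only enabled accounts (disabled ones are already handled) and drop
# accounts created inside the window, which simply have not logged on yet.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, whenCreated, Description |
    Where-Object { $_.whenCreated -lt $cutoff } |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, PasswordLastSet, whenCreated, Description

# Enabled accounts that never logged on at all get a separate count: these are
# typically leftovers from onboarding that never completed, or forgotten service accounts.
$neverLoggedOn = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object { (-not $_.LastLogonDate) -and ($_.whenCreated -lt $cutoff) }

# Write the review list; disabling is a separate, owner-approved step.
$stale | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

"{0} enabled accounts inactive for more than {1} days (report: {2})" -f @($stale).Count, $InactiveDays, $ReportPath
"{0} enabled accounts that never logged on" -f @($neverLoggedOn).Count
```

Two caveats before acting on the report: lastLogonTimestamp (which LastLogonDate is derived from) replicates lazily and can be up to about 14 days behind, so the window should be comfortably wider than that; and accounts with no logon record may be legitimate service or break-glass accounts, so route the list to the data owners you assigned and disable, rather than delete, the ones they confirm are dead.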

Now you can start thinking of wide projects like DLP, endpoint security, SIEM, virtual security, IDS/IPS and, most important, a decent monitoring system, or any other solutions your organization needs – just make sure they fit your golden rules above.

With the output of those products, you can assign an incident response team to be the task force for all kinds of alarms and events.

And since you will get tens of millions of events per day, if this team can handle 10 REAL security events per day, you have scored it! Ace!

See you in part 3…

Roy Coren

Security Specialist

[email protected]
