53 min

Blumira Sponsor #3 - Emily Eubanks, more actionable events, incident response help, and more BrakeSec Education Podcast

    • Tech News

In this sponsored BDS episode, Bryan Brake and Amanda Berlin interview Emily Eubanks, a Security Operations Analyst for #Blumira. We discuss common business risks like IT staff turnover, a lack of Incident Response procedures, choosing not to follow PowerShell best practices, and MFA use for critical or sensitive applications. We also discuss ways to improve security posture to mitigate these risks as well as how Blumira can help organizations in light of these common business challenges.

ADDITIONAL RESOURCES

OUR REDDIT AMA
https://www.reddit.com/r/cybersecurity/comments/qao73j/we_are_a_security_team_with_20_years_of_ethical/

MFA
https://attack.mitre.org/mitigations/M1032/
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/

INCIDENT RESPONSE
https://www.nist.gov/cyberframework/respond
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

POWERSHELL BEST PRACTICES
https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/
https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security
https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/
https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/

MFA for Critical or Sensitive Applications

RISK: A lack of MFA where it is available, or the use of SMS-based MFA for critical applications.
MITIGATION:
• Please do not use SMS-based MFA for critical applications. [6] [7]
• MFA is an easy layer of defense that has historically been very effective. [5]
• One-Time Passwords (OTP) are good, but FIDO U2F is better. [8]
• Consider hardware tokens (e.g. Yubico YubiKey, Google Titan Security Key).
BLUMIRA HELPS:
• Blumira requires the use of MFA.
• MFA-related detections (e.g. AWS, Duo).
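The page does not show what an "MFA related detection (e.g. AWS)" looks like, so here is an added example (not Blumira's code) of the kind of rule meant: it scans AWS CloudTrail ConsoleLogin records and flags successful console logins that did not use MFA, ranking root logins highest. Field names follow the CloudTrail ConsoleLogin event schema (the MFAUsed and ConsoleLogin fields); the events themselves are constructed sample data, not real logs.

```python
# Constructed sample CloudTrail ConsoleLogin records (not real data). Field
# names follow the real CloudTrail ConsoleLogin schema; values are made up.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.10"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.11"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.5"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.9"},
    # A non-login API call: carries no MFAUsed field and must be ignored.
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "dave"}},
]


def classify(event):
    """Return a finding label for one CloudTrail event, or None if there is nothing to flag.

    Only successful ConsoleLogin events matter: a failed login without MFA is just a
    failed login, and non-login API calls do not carry the MFAUsed field at all.
    """
    if event.get("eventName") != "ConsoleLogin":
        return None
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    identity = event.get("userIdentity", {})
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    if identity.get("type") == "Root":
        # Root should rarely log in at all; root without MFA is the top priority.
        return "root-login-without-mfa" if not mfa_used else "root-login"
    if not mfa_used:
        return "user-login-without-mfa"
    return None


def detect_mfa_gaps(events):
    """Run classify() over a batch; return (principal, source IP, label) tuples."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            identity = ev["userIdentity"]
            principal = identity.get("userName", identity.get("type"))
            findings.append((principal, ev.get("sourceIPAddress"), label))
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_gaps(SAMPLE_EVENTS):
        print(*finding)
```

In a real deployment the same rule would run over the CloudTrail stream rather than a list, and the two labels would map to different alert severities.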
 

Incident Response Procedures

RISK: A lack of Incident Response procedures, or the decision to postpone them because they would disrupt service, typically results in unfavorable outcomes.
MITIGATION:
• A written plan that identifies the roles, responsibilities, and procedures that should be set in motion once an incident has been declared.
• If this is overwhelming to conceptualize, know that there are a good amount of free and openly available resources already in existence to help with the creation of new IR plans. I highly recommend looking at the NIST documentation to get an idea of what is possible, and then scaling to what is appropriate for your organization. [4]
• The plan should be reviewed at a minimum once annually, with everyone who is responsible for responding to incidents present. If anybody is unclear about their role, responsibilities, or procedures, then the Incident Response lead should work with them to get them there.
• Incident Response procedures should be like a fire drill, so that when there is a real fire the team can work together to quickly put it out and minimize the impact to the company and its customers. (Shoutout to the BDS podcast episode drawing connections between firefighting and Incident Response procedures with Dr. Catherine J. Ullman (@investigatorchi).)
BLUMIRA HELPS:
• Workflows: Blumira provides built-in guidance with workflows. Workflows ask direct questions and provide specific options to record responses to security findings, guiding practitioners towards a conclusion.
• Finding analysis: provides additional details to help operators make informed decisions in response to new findings.
 

Recent or Frequent IT Staff Turnover

RISK: Recent or frequent turnover impedes troubleshooting of log flow and/or investigations, due to a lack of familiarity with the network environment.
Prevention might be the best solution? Giving your workers time during the work week to improve a work-related skill can help identify when a team is reaching or exceeding its resource capacity. If your team is overworked they
