It may be helpful to work a process around your threat model to help determine your path. You start with a list of what it is that you're trying to protect. That may include sensitive data, service availability, your general user base and so on. From that list you examine each point and come up with a list of threats. Someone might steal the data or make your ecommerce site unreachable. When you're done with that you have a threat model. Let's rank the threats by severity and risk and determine which ones need to be mitigated first. Using this process I would be able to determine, for instance, that protecting sensitive data is my highest priority and the cost of someone walking off with it would be immeasurable to my reputation. Based on this I would deploy a DLP solution to track data and enforce data controls. There are some core products that will make up any security posture though so another way to consider this is just to list the security appliances we see commonly deployed and fill in the gaps:
1. NGFW - this is usually going to be your first security appliance - includes your hooks for VPN and IPS.
2. ePO - Endpoint protection is equally important
3. Web Gateway - this is protecting one of your biggest threat vectors
4. Email Gateway - this is protecting the other
5. SIEM - You have enough stuff that you should be tracking things closely
6. ATD - Plugs into all of the other pieces to fill in the unknown gaps
There are also cases where it makes sense to have solutions that would include a standalone IPS, full-blown DLP, database protection or other types of products but I think the above list is a good foundation.
Thanks Andy, this should help.
We currently have VPN, IPS, ePO, Email Gateway, DLP and SIEM; the SIEM will be leaving us in 2017. It was not a very good solution to begin with and now leaves us wondering if we look for a replacement or go in another direction. (FYI, no, it was not a McAfee product.) Do we do SIEM or ATD since we are limited in budget? We do need assistance with web security. We have a lot of push back with the internet access and flexibility, therefore at this time it is pretty much an open door. SCARY! I am thinking ATD would be more advantageous for user security reasons but then, it seems a waste not to utilize all the logs we have to monitor network activity, security control activity, etc.
I think I need to prepare a list of security concerns, come up with questions based on this information and present them to the group that ultimately decides the path to take for discussion. Based on that outcome, we should know what our next step will be.
It would be nice to have a pre-made list of security questions/concerns to bounce off of
Web Gateway + GAM will go a long way towards protecting your users. Given the amount of data sources you have, I would probably add a SIEM before ATD though.
Hi sol. While protecting your company's assets is always the top requirement, you'll need to factor in any compliance requirements... for example, if you have to comply with PCI DSS (do you handle credit cards in any way?) then a SIEM will be essential. Also, I agree with andy777 - a SIEM will help to tie all those logs from all those security systems together: correlated alerts, reports. Remember, ATD will tell you if it "sees" malware, but not whether or not it got in or was blocked. Good luck on whichever path you choose.
I would love to hear from other organizations to see what they are doing and what their experience is.
I agree with both of you, I think the SIEM would provide a good understanding of the activity within the organization and direct us to suspicious activity to address. We do deal with PCI. We have Trustwave testing and we use a DLP. We are a healthcare organization so the security is very important, especially with healthcare becoming a major target, which is driving this debate.
I believe "boys and their toys", how should I put it, "FUN" stuff that will only provide a report like you said, "sees malware", isn't going to protect us from a loss. I can't tell you how many times I have heard... FireEye was not at fault for the Target incident, and that might be true... but in my mind, if I spend hundreds of thousands of dollars on a product and give up another essential tool for it... that product dang well better STOP malicious activity from causing a loss of data or compromising our network. An additional level to virus protection should be just that.
In my opinion, a product costing hundreds of thousands to implement should have prevented the attack by stopping the activity from spreading, but it didn't do that because it can't, and that is where I can't see the justification of advanced threat detection when your end result is to prevent an attack and loss of data or network resources. Cool looking does not prevent a crisis.
Someone with the knowledge/experience should write a blog on this topic... What are your security needs, your end goal and how to reach it.
We are about to undertake an Attack Path Mapping exercise. Rather than trying to 'boil the ocean', identify your business's key assets, then look at your existing technology and infrastructure to determine weaknesses, and then map those onto countermeasures.
You could also take a look at ISO 27001 and 27002, which will help you come up with InfoSec best practices and an InfoSec Management System (ISMS).
After you know the weaknesses that leave your key systems and information vulnerable, you can identify the best investment decisions without wildly spending lots of money on the wrong or inappropriate solutions.
Volunteer Moderator - Business Products
Certified McAfee Product Specialist - ePO