Can you fly a helicopter?

Not bad, we can’t either, but we’ll make your IT security a high-flyer 😊.

In addition to the technical security measures that are undoubtedly necessary, many of our customers’ inquiries stem from a certain lack of orientation, and the following questions often arise

… what are our biggest vulnerabilities?
… what will it cost us to fix them?
… what do we need to do?
… where do we start?
… when can we have solved what and in what way?
… how do we get an overview and the ability to plan?

It is no secret that the conflicting priorities of IT operations, new projects to implement, and organizational changes leave little real room to effectively address security issues. The many technical and organizational issues often make it difficult to find solutions. Structured processes are often non-existent or outdated due to time and resource constraints. Documentation is often incomplete or non-existent. At the same time, there is pressure to improve IT security. You don’t want to be the next ransomware case in the news. The effort to rebuild a compromised environment is immense and has left many with almost insurmountable challenges. Not to mention the bad publicity.

As part of our security assessments, we provide a detailed overview of the threat scenarios as part of a know-how transfer. Excerpts can be read in our blog article from Nov 16, 2022. It is important to understand that attackers also often follow a methodical approach, such as the “Unified Kill Chain” or the “mitre&attack Framework” (see example graphic below).

According to the Federation of German Industries (Bundesverband der deutschen Industrie, or Bitkom), the costs of such attacks would amount to around 203 billion euros in Germany in 2022 alone – see Bitkom article. The Federal Office for Information Security (BSI) also assesses the security situation in Germany as “exacerbated” (BSI article).

But what should companies do to protect themselves effectively?

From our point of view, the structured identification of vulnerabilities, the real assessment of the threat, the prioritization and the entrepreneurial decision of possible measures are the recipe for success. With our strategic know-how, we help our customers to position themselves for the future. The main goal is to make cyber attacks more difficult and to minimize their impact. In today’s blog post, we would like to outline an approach that can be used to achieve this goal – namely, to effectively secure an infrastructure and reduce the likelihood of a successful cyberattack.

To achieve this, a clear strategy or approach is required. This is always a combination of technical and organizational components. It is important to have a detailed plan with short-, medium- and long-term goals. This includes protecting against potential attacks, mitigating damage and recovering from an attack, and being able to respond appropriately and purposefully when an attack does occur. In the IT industry, however, things move very fast and, as the saying goes, “evil never sleeps. This is why a strategy must be regularly reviewed and, if necessary, adapted to current circumstances.

What specifically should be done?

To be clear, not every approach is equally promising for every customer; individual consulting depends on the organization’s goals. However, experience shows that Active Directory is a central pillar of most IT infrastructures. Securing identities, related infrastructure, and processes is at the core of Microsoft’s Enhanced Secure Administration Environment (ESAE). In our opinion, the following strategy has proven successful in the complex implementation of ESAE:

Step 1 / Commitment

Creating an understanding of the need to allocate resources and contingencies for dealing with security aspects is fundamentally important. A “cross-functional” and “vertical” approach within the organization has proven to be effective. In purely practical terms, a small security team may consist of technical personnel, an internal, independent security consultant, and members of middle/upper management.

Step 2 / Assessment

In order to provide our customers with a clear overview of existing weak points, we carry out a standardized assessment in the next step, which takes into account the individual customer situation. In this process, we focus on a presentation that is understandable for our customers in terms of content and graphics. Specifically, we create a risk matrix that makes each security finding assessable from a business perspective by categorizing them according to the following parameters:

• • Probability of occurrence,
  • Impact in case of occurrence,
  • Effort estimate for mitigation.

Example of a risk overview

Based on the assessment results, we propose a security roadmap to the customer. Based on this information, we develop the SECURITY STRATEGY with our customers individually – and the next measures planned with it.

The basis for the strategy is the Enhanced Security Administration Environment (ESAE) developed by Microsoft, which describes technical and organizational procedures.

We usually follow the following implementation steps:

Step 3 / Quick Wins

The risk assessment determined in the course of the assessment enables the identification of so-called quick wins. These are quickly achievable optimizations that have a major impact with little effort. Are there accounts with unnecessary access authorizations? What about password security? Are there inactive accounts that can be deleted? What are the critical attack paths that allow the entire domain to be compromised? Once these questions are answered, develop a plan to eliminate the identified vulnerabilities in the short term.

Other possible measures include updating passwords (no password should ever expire / passwords must always have an expiration date) and updating operating systems.

This step already achieves a significant security gain.

Step 4 / Introduction of a tiering model

The idea behind tiering is to separate critical from non-critical systems and to limit or control access accordingly. For this purpose, systems are divided into so-called tiers, with highly critical systems usually being grouped in Tier 0, server systems in Tier 1 and user-related systems in Tier 2.

Based on the tiers, controlled access control is configured. This means that lower tiers cannot access systems of higher tiers, and conversely, access can take place on a use case basis (not across the board). For example, a client from Tier 2 cannot access a domain controller from Tier 0.

System classification

First, the systems are classified into the respective tier (Tier0, Tier1 and Tier2). For this purpose, each relevant system is analyzed according to, among other things, the criticality of the data processed, the use of the software employed, the operating system used or the interfaces used.

Implementation of an Organizational Unit (OU) structure

When implementing a secure OU structure, Microsoft recommends subdividing it into the various tiers; the permissions are set on these OUs in such a way that the inheritance of the domain heads to subordinate OUs is prevented. In addition, account operators, for example, are removed from the permissions. After that, highly privileged accounts and systems can be moved to the associated OUs. We’ve captured exactly what this looks like in our Troopers blog article with talk.

Implementation of Privileged Access Workstations (PAW)

Administrative activities are often performed by office workstations. This creates the risk that unauthorized access can steal information such as credentials for administrative accounts that use the same device. In unprotected environments, such attacks often lead to attackers being able to penetrate all the way to the domain by taking over other highly privileged accounts. For this reason, we recommend the use of separate PAWs to access security-relevant systems. This way, “normal” office activity is separated from administrative activity.

Examples of implementations in customer situations can be read in the following blog article.

Step 5 / System Hardening

System hardening strives to configure a system in a way that greatly minimizes misuse and vulnerability. System hardening is defined, for example, by the National Institute of Standards and Technology as “a process designed to eliminate an attack opportunity by patching vulnerabilities and disabling unneeded services.” Predefined configuration sets (e.g., CIS benchmarks) are used to configure systems securely. Depending on the applications operated, settings may have to differ, but as many settings as possible should be implemented. In addition, access rights that are necessary for operation are analyzed and minimized (least privilege principle). This helps to prevent the attacker from gaining access and spreading further in the event of an intrusion into the system. The advantage of individual hardening is that it can be adapted to the company. In conjunction with the aforementioned PAWs, hardening forms a major step toward overall security.

Most customers configure system hardening manually via Group Policies (GPO’s) at great expense. Through our hardening solution “Enforce Suite” we enable managed hardening, which significantly reduces operational effort. You can read more about this in our blog article.

Step 6 / Definition and optimization of operational processes

“What I can do today, I’ll put off until tomorrow”. Unfortunately, this motto often means that unpopular organizational matters are left undone. This is all too often the case with security issues. But there are solutions for this as well. Together with the customer, we define security-relevant processes, so-called Standard Operational Procedures (SOP’s) and implement them in the operational IT business. Do such processes already exist? If so, which ones? Does it make sense to generate new ones? Common processes in IT are, for example, standard procedures for distributing and updating operating systems and software, as well as processes for assigning authorizations or checking the necessary accounts. For service accounts, the password is often never or only very rarely changed Password change processes or the introduction of Group Managed Service Accounts help enormously here.

On request, we support our customers in operational business or take over tasks as part of our managed service portfolio.

Implementation of logging and SIEM (security information and event management)

With the measures described so far, we achieve the reduction of the attack surface of our customers. In order to maintain the achieved status in the ongoing operation and to get an overall view of the security situation in organizations, it is absolutely necessary to monitor security incidents/events. For this purpose, event and logging data as well as process information are collected in central databases, correlated and evaluated.

Based on a set of rules to be created, an automated alert can then be issued and, if necessary, acted upon. For example, events can be pre-filtered for the Operation Center, allowing staff to take appropriate action (e.g., isolate a client in the event of a virus attack).

Since implementing and operating such a solution is often very costly, customers are increasingly turning to Managed Detection and Response Services (MDR). This relieves the customer of the burden of evaluating and responding to security events through an external service. However, processes that describe exactly what should happen in the event of a failure still need to be created. We are happy to help with this as well.

Conclusion

In our experience, the topic of security is “scary”, confusing and often simply overwhelming for many customers. The tasks that need to be accomplished often seem insurmountable. From our point of view, analyzing the current situation and defining a sustainable IT strategy is the first step on the way to improved security. It creates the ability to act by describing threats, measures, decisions and actions in concrete terms.

We are here to help you along the way with advice, hands-on support, and our extensive expertise in IT security. Together, we can ensure that your digital data is protected from threats and that you can enjoy the benefits of a secure and reliable IT system.