What is an IT Security Stack?
Attackers are getting smarter every day, and having a security plan is now a must. An IT security stack supports every part of that plan.
An IT security stack is everything you do to protect yourself: security tools, technologies, and processes. That includes your operating procedures, how you manage people, and how people handle incidents as they come up. All of it exists to protect your company's information and assets, or to react when they are attacked.
At the end of this article we give our recommendations for what should be in an IT security stack, at two levels: level one covers the basics and level two is more involved.
View What is an IT Security Stack Video (33:42)
5 Areas to Consider when building your IT Security Stack
What does your company need for security? To answer that, you need a good idea of what you are protecting.
1. Identify IT that needs to be protected within your company
The framework has five parts: what we are protecting, how we protect it, how we detect whether the protection is holding, how we respond in the odd case that something gets through, and how we recover if it does damage. However good you are, there is always a chance that something gets through someday. Once you have worked through these five areas, it becomes clear what your security stack should look like.
Almost as important as what you are protecting is where it is located. Is it local? Is it in the cloud? Knowing what you are protecting and where it lives is essential. Document it, because it will change; we recommend reviewing that inventory every year. You can also include it with the documents that cyber insurers are increasingly requiring, such as disaster recovery forms.
2. Determine how to protect your company’s IT
What do we do to protect it? Even with the best intentions, sometimes something happens. Often it is a person who clicks on something, maybe a link in an email, that lets the attacker in. You can spend all the money in the world and there will still be at least a small gap somewhere.
These controls limit or contain the impact of a cybersecurity event:
Firewall: Not just any firewall, but a good one.
EDR/Antivirus (AV)/Anti-Malware (AM): Until recently, antivirus and anti-malware were plenty. Now everybody is moving to EDR (endpoint detection and response); SentinelOne and CrowdStrike are two of the biggest vendors in the field. EDR is more or less replacing AV/AM.
Multi-factor Authentication (MFA): Anywhere and everywhere. MFA is a must-have; in some cases it is your last line of defense once a password has been breached.
Mail Filtering: Very important, and most companies already do it in some form. The question is whether to boost it up a level.
Operating System (OS) Security: Have you ever received an email from your IT group saying that a version of Windows is no longer supported, has reached end of life, or will receive no more patches? They are making sure your operating systems, servers, and workstations are all up to date, and patching is very important.
Security Awareness Training: People are often the weakest link, and security awareness training is one way to strengthen it.
Device Management/Patch Management: If employees use cell phones for work, device management should be part of how you protect employees and company data.
3. Detect threats and other risks that have compromised your company’s IT
You have identified what you want to protect and put your protections in place. Next is to make sure they are working: you need to detect whether something has gotten through.
These quickly uncover threats and other risks:
Firewall: Detects and logs when something is wrong.
EDR/AV/AM: Should be alerting you.
OS Security: If your servers and workstations are remotely monitored and managed, you should get alerts when patches are not being applied, when a machine falls too far behind, or, in the worst case, when patches were rolled back by the attackers.
Dark Web Monitoring: Tells you if your company or employees are being mentioned on the dark web; some providers include it in their services. For example, if someone is selling a batch of passwords and some of your employees' credentials are in it, you get advance warning. If someone claims to have data on your company, you also get advance warning, though in that case you are probably already aware of it, because they are trying to ransom you.
Multi-factor Authentication: An MFA prompt you did not initiate tells you that someone else has your password and is trying to use it. Deny the prompt and change the password to be safe.
People: Where do people go, and who do they tell, if they think something is not quite right?
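The MFA signal above can be checked mechanically. The following is an added example, not code from the article or from any vendor: it triages a constructed, flattened sign-in log (user, whether the password was correct, the MFA outcome, source IP; the record shape is an assumption, not any specific identity provider's format) and flags two things, accounts whose correct password was followed by an MFA prompt that was denied or never answered, which is the "someone else has your password" case, and accounts that signed in with a password alone, which violates the "MFA anywhere and everywhere" rule.

```python
"""Triage of constructed sign-in records for unexpected MFA prompts.

Added example, not the article's own code. The record layout is an
assumption (a flattened version of what an identity provider's sign-in
log contains); the records themselves are constructed for illustration.
"""
from collections import defaultdict

# Constructed sign-in log: (user, password_ok, mfa_result, source_ip)
SIGN_INS = [
    ("anna@example.com", True, "approved", "203.0.113.10"),
    ("bob@example.com", True, "denied", "198.51.100.7"),
    ("bob@example.com", True, "denied", "198.51.100.7"),
    ("bob@example.com", True, "timeout", "198.51.100.7"),
    ("carol@example.com", False, "not_attempted", "198.51.100.7"),
    ("dave@example.com", True, "not_required", "203.0.113.44"),
]

# MFA outcomes after a correct password that mean the real user did not approve.
COMPROMISE_SIGNALS = {"denied", "timeout"}


def triage(sign_ins):
    """Return {user: finding} for accounts that need action.

    - A correct password followed by a denied or unanswered MFA prompt means
      someone other than the user holds the password: reset it.
    - A correct password with no MFA challenge means MFA is not enforced for
      that account, which contradicts the "MFA everywhere" rule.
    """
    suspicious = defaultdict(int)  # user -> number of unapproved prompts
    no_mfa = set()
    for user, password_ok, mfa_result, _ip in sign_ins:
        if not password_ok:
            continue  # wrong password: ordinary noise for this purpose
        if mfa_result in COMPROMISE_SIGNALS:
            suspicious[user] += 1
        elif mfa_result == "not_required":
            no_mfa.add(user)

    findings = {}
    for user, n in suspicious.items():
        findings[user] = (
            f"password likely compromised ({n} MFA prompts not approved): "
            "reset password and review sessions"
        )
    for user in no_mfa:
        findings[user] = "signed in with password only: enforce MFA"
    return findings


if __name__ == "__main__":
    for user, finding in sorted(triage(SIGN_INS).items()):
        print(f"{user}: {finding}")
```

Wrong-password attempts are deliberately ignored here; they are constant background noise, whereas a correct password with no approval is the event the article says MFA is your last line of defense against.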
4. Plan how your company responds to an attack on its IT
What happens if something bad gets through and you detect it? You know it is there; how will you respond? This should be mapped out ahead of time. Many cyber insurers ask whether you have a disaster recovery and response plan, will likely ask to see it at some point, and may even evaluate it.
These act against threats that have made it past the preventative tools:
Firewall Manager: Gives you events to look at.
EDR/AV/AM Pre-Programmed: Can automatically quarantine what it finds and give you the list of what was quarantined, but your EDR needs to be configured for this ahead of time.
OS Security Alerting: Alerts when patches are not applied, a machine falls too far behind, or patches were rolled back by the attackers.
People: What do employees do if they see something that looks bad? They come in and their workstation shows a note saying all their files are encrypted and they must pay some Bitcoin. That is an obvious example; some are subtler.
An employee clicks on something in an email they think is from a reliable source, saying their Microsoft password is about to expire. Only after clicking do they realize it was not right. Will they report it? Do they know who to report it to? Your company must encourage employees not to click on things that do not look reliable, and to report it if they do.
SOCaaS: Security Operations Center as a Service, a service where teams of experts monitor 24/7 and alert you to the things that matter most.
Managed EDR: Companies with a security center and full-time experts who look at your company's weekly EDR events and pull out those that need additional attention.
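The OS security alerting item above, and the matching item in the detection section, describe two conditions worth checking on every inventory refresh: a host that has not patched within policy, and a host whose patch level has gone backwards since the last review. The following is an added example, not code from the article or from any RMM product: it runs those checks over a constructed inventory. The host records, build numbers, dates and the 30-day policy are all assumptions chosen for illustration.

```python
"""Patch-lag and rollback check over a constructed host inventory.

Added example, not the article's own code. Assumes an inventory export
(hostname, OS, installed build, last successful patch date) of the kind a
monitoring tool can produce; every record below is constructed.
"""
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumed policy: alert if no successful patch in 30 days
TODAY = date(2024, 5, 3)  # fixed "today" so the example is reproducible


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    build: int          # OS build / patch level; only ever goes up under normal patching
    last_patched: date  # last successful patch run


# Constructed: what the inventory looked like at the previous review.
PREVIOUS = {
    "fs01": Host("fs01", "Windows Server 2019", 17763, date(2024, 4, 2)),
    "ws-anna": Host("ws-anna", "Windows 11", 22631, date(2024, 4, 3)),
    "ws-bob": Host("ws-bob", "Windows 11", 22631, date(2024, 2, 1)),
    "db01": Host("db01", "Windows Server 2022", 20348, date(2024, 4, 1)),
}

# Constructed: today's inventory. fs01's build has gone *backwards* (a rollback),
# ws-bob has not patched for months, ws-anna and db01 are healthy.
CURRENT = [
    Host("fs01", "Windows Server 2019", 17134, date(2024, 4, 2)),
    Host("ws-anna", "Windows 11", 22631, date(2024, 5, 1)),
    Host("ws-bob", "Windows 11", 22631, date(2024, 2, 1)),
    Host("db01", "Windows Server 2022", 20348, date(2024, 5, 2)),
]


def check_patching(current, previous, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return sorted (hostname, alert) pairs for hosts that breach policy.

    Two conditions are checked per host:
    - no successful patch run within max_age_days (falling behind);
    - the installed build is lower than at the previous review (rolled back).
    A host can trigger both.
    """
    alerts = []
    for host in current:
        age = (today - host.last_patched).days
        if age > max_age_days:
            alerts.append((host.name, f"no successful patch for {age} days"))
        prev = previous.get(host.name)
        if prev is not None and host.build < prev.build:
            alerts.append((host.name, f"build rolled back {prev.build} -> {host.build}"))
    return sorted(alerts)


def run_example():
    """Run the check over the constructed inventory with the fixed date."""
    return check_patching(CURRENT, PREVIOUS, TODAY)


if __name__ == "__main__":
    for name, alert in run_example():
        print(f"{name}: {alert}")
```

A rollback alert is the one to escalate immediately: a build number does not decrease on its own, so it points to someone reverting patches on purpose, which is exactly the "rolled back by the attackers" case the article describes.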
5. How to recover after an attack on your IT
The attackers got through and did damage: they encrypted your only server and tell you they will hand over the key in exchange for money. How will your company recover?
Business Continuity/Disaster Recovery/Backup: What kind of backup does your company have in place? A full disaster recovery plan? Business continuity? With business continuity you can bring up a virtual copy of the server from the night before.
However, restoring does not help if the attackers copied the data before encrypting it, which is happening more and more. Attackers have started to counter the "we will just restore" response by threatening to publish your data, and they will do it.
Notification of Breach: Alerting can be set on folders holding information that would be damaging if published, so you know when that data has been accessed or taken.
Your company may have compliance requirements, or simply business requirements: your clients do not want to be told that their personal data is on the dark web. Your recovery depends on the backup, disaster recovery, and business continuity pieces of your IT security stack, as well as on your company's ability to detect and respond.
IT Security Stack Levels and Recommendations
Level 1 – Basic IT Security Stack
- EDR
- Firewall
- MFA on 365 and VPN
- Business Continuity
- Mail Filtering
- Security Awareness Training (delivered internally to keep cost down)
Level 2 – More Advanced IT Security Stack
- Managed EDR (24/7)
- Firewall with SOCaaS (24/7)
- MFA on 365 and VPN
- Business Continuity
- Mail Filtering
- Security Awareness Training (delivered by an external provider)
Protect Your Company with an IT Security Stack
You expect your employees to help keep themselves and your company safe from attacks. An IT security stack that includes continuous security awareness training makes that possible. Your clients are counting on your company to keep attackers from getting their information and posting it on the dark web.
If you would like to learn more about IT security stacks or get a guide to get you started, contact one of our experts today.