Case Study – Ourselves!

As the saying goes, sharing is caring, but first, some background. Most of our infrastructure has been in the cloud for close to ten years, i.e. email, security and management consoles, etc. Early on, our endpoints were domain-joined, but that proved cumbersome for us as we spent the majority of our time off-LAN, working remotely or at customer sites. As cybersecurity service providers we lead by example and make a point of using the same technologies and tools that we recommend for our customers.

Our core endpoint security consists of several tools and layers. We’ll start from the foundation and work our way up the stack:

  • Trapezoid FIVE – If you can’t trust the hardware, how can you trust the software? Firmware is everywhere, from your laptop to IoT device to datacenters to the cloud. It is even part of the NIST Cybersecurity Framework. Using Trapezoid FIVE, we monitor the BIOS integrity of our systems for unauthorized changes.
  • OpenDNS Umbrella – specifically the Roaming Client – provides security management and reporting from the endpoint, network, and web perspectives. Our systems benefit from the same Community Threat Intelligence feeds that we provide for our customers.
  • CylancePROTECT – All modules are fully enabled and enforced. File security is set to Auto Quarantine with Execution Control. Files are examined pre-execution. Memory Violations are terminated. The CylancePROTECT services and applications are protected against tampering. The Application Control module is enabled and prevents creating or even saving an unauthorized application (Portable Executable or PE) file, let alone running it. ScriptControl is fully enabled and will block unauthorized ActiveScript, PowerShell scripts, or MS Office Macros from running. Objectively, fully locking down scripts was the hardest aspect, but it is critical for preventing file-less malware. Lastly, the Device Control module allows the usage of only authorized devices.
  • CylanceOPTICS – The OPTICS endpoint detection and response (EDR) tool is deployed with a custom-developed ruleset that also aligns with the MITRE ATT&CK Framework.
  • OPSWAT MetaDefender Cloud – All web downloads are scanned with over 35 antimalware engines in the MetaDefender Cloud system.
  • HerdProtect – As CylancePROTECT only monitors Portable Executable (PE) files, we also regularly scan our endpoints with HerdProtect’s 68 independent antivirus scanners. This ensures an explicit check of data files such as MS Office, Adobe, and image files.
  • McAfee GetClean – We have a long relationship with McAfee and continue to work with the company, notably with the Joint Development Program. We use this tool to help provide McAfee with information on known clean system images and files.
  • DUO Beyond – Authentication to our local systems requires multifactor authentication using DUO. In addition to requiring MFA, we are also enabling usage of Yubikey Two Factor security keys wherever possible.
  • BitLocker – All local volumes are fully encrypted using Windows BitLocker.
  • Windows and application updates are installed within one month of release. Patch management is primarily monitored using Patch Manager Plus Cloud but also with DUO’s Device Health application.
  • RoboForm Everywhere manages my passwords. I’ve been using it for a very long time. LastPass is the other popular app for this. We never save passwords in browsers.
  • User accounts never have administrative rights – not now, not next November, never! Check out the latest BeyondTrust report on Microsoft vulnerabilities.
  • Device management is performed using several tools and layers subject to the individual device’s specifics. Cisco Meraki’s MDM system is the most common, and the ability to manage our own systems as well as customers’ systems, firewalls, switches, and wireless devices is simply more efficient.
  • Finally, our online presence, or our digital risk, is monitored using a combination of open-source tools like Google Alerts as well as private deep/dark web monitoring tools, including but not limited to Digital Shadows and SpyCloud.
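Several of the items above are policy statements (full-disk encryption, no administrative rights for user accounts, updates within a month of release). As an added example that is not part of the original post, the PowerShell check below reports where an endpoint deviates from those three; it assumes Windows 10/11 with the BitLocker and LocalAccounts modules, an elevated management session (reading BitLocker status needs it), and the 30-day window and the Test-EndpointBaseline name are this example's own choices.

```powershell
# Added example (not from the original post): a read-only baseline check for three of the
# controls described above: BitLocker on every fixed volume, no user accounts in the local
# Administrators group, and Windows updates applied within one month of release.
# Assumptions: Windows 10/11 PowerShell with the BitLocker and LocalAccounts modules, run
# from an elevated session; the 30-day window and the function name are this example's own.
function Test-EndpointBaseline {
    [CmdletBinding()]
    param([int]$MaxPatchAgeDays = 30)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Encryption: every lettered fixed volume must be fully encrypted with protection on.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and "$($_.DriveLetter)" -match '^[A-Z]$' }
    foreach ($vol in $fixed) {
        $bl = Get-BitLockerVolume -MountPoint "$($vol.DriveLetter):"
        if ($bl.VolumeStatus -ne 'FullyEncrypted' -or $bl.ProtectionStatus -ne 'On') {
            $findings.Add("BitLocker: $($bl.MountPoint) is $($bl.VolumeStatus), protection $($bl.ProtectionStatus)")
        }
    }

    # 2. Least privilege: no user account other than the built-in Administrator (RID 500) may be
    #    a direct member of local Administrators (well-known SID S-1-5-32-544). Nested membership
    #    through other groups is not resolved here.
    Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notmatch '-500$' } |
        ForEach-Object { $findings.Add("Privilege: $($_.Name) holds local administrative rights") }

    # 3. Patch currency: ask the Windows Update agent for applicable updates that are not yet
    #    installed and flag any published more than $MaxPatchAgeDays ago. This queries the
    #    configured update source, so it needs connectivity and can take a minute.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $cutoff   = (Get-Date).AddDays(-$MaxPatchAgeDays)
    foreach ($u in $pending) {
        if ($u.LastDeploymentChangeTime -lt $cutoff) {
            $when = $u.LastDeploymentChangeTime.ToString('yyyy-MM-dd')
            $findings.Add("Patching: '$($u.Title)' published $when is still not installed")
        }
    }
    return $findings
}

# Usage: list every deviation from the baseline, or confirm the endpoint matches it.
$issues = Test-EndpointBaseline
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Endpoint matches the documented baseline'
}
```

Each finding names the control it belongs to, so the output can be fed straight into the same reporting the other tools in the stack already produce.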

The commonly stated trade-offs for security are performance and convenience. As security is our business, it cannot be compromised for convenience. That said, if I really had to nitpick, the one area that might be considered inconvenient would be the authentication process with MFA. In reality, the few extra seconds required to use the DUO app on our phones are truly trivial. Technology is constantly evolving and we’re always looking at ways to improve.

As for performance, we have long believed in making the right investments in computing devices up-front. We favor business-class computers, currently the HP Zbook Workstations. We also made the switch to solid-state drives (SSD) ten years ago and haven’t looked back. My current system is a five-year-old HP Zbook 14 G2 with dual SSDs and 16GB RAM. It runs as well now as the day I purchased it. Only when I am simultaneously running several virtual systems do I long for more RAM. More recent models like the Zbook 15u support 32GB RAM. Over time that too will improve. The longevity is partially due to the choice of hardware (platform, RAM, SSD) and partially due to our carefully curated security stack.

Bonus Tip: An easy way to improve the performance of a Windows system running on a standard hard disk is to use a USB key and enable ReadyBoost. This nifty feature has been around since Windows 7 and does a really good job improving performance. Note that you should format and dedicate this key to the computer and not use it for moving files around. A small, high-speed 16GB key is ideal and can be connected to a USB port somewhere on the back or side, where it will be out of the way and you won’t be tempted to remove it.

I hope you found this information useful. If you have any questions about the information provided, please do not hesitate to contact me.