Security blue teams or defenders of HN, what were the changes you made that have had the most impact in improving the resilience of your organisation to cyber attacks?
Maybe someone will disagree, but I believe there are no shortcuts or one-size-fits-all solutions when it comes to security. The structure of modern information systems is extremely diverse, making a single-path approach not work in the vast majority of cases.

My answer would be quite boring I guess, but it does the job to improve resilience:

- Analyse your system and identify potential vulnerabilities;
- Analyse your vulnerabilities against your risk model (identify the most crucial ones);
- Mitigate risks from the most important to the least important one;
- Rinse, repeat regularly;
1) Implement a good EDR solution. By far, I can't think of any other change or investment that has had better ROI. So much visibility! And you can quickly implement detections and controls based on attacker TTPs, which has a greater ROI than playing whack-a-mole with CVEs or relying on updated firewall rules, AV rules, SELinux rules, etc...

2) Log as much as possible and do something with the logs. Log everything and continue to improve your SIEM or security stack based on new threat intel.

3) Low-effort, high-ROI low-hanging fruit. 2FA everything. Mutual certificate auth where I can. Turn on BitLocker. Make people use password managers, SSH pubkey auth. If you have a typical corporate firewall/proxy: block any domain that isn't categorized or is newly registered.

4) This is what I think will be good, haven't done it IRL: segment the network well. Remote management can only happen from jump boxes. Be hostile against removable drives.

5) Taking the first step of NIST's incident response lifecycle, preparation, seriously: playbooks (online and offline), checklists, emergency communication channels. Document important assets and related contacts for when SHTF. And actually have routine tabletop exercises and penetration tests (as the corporate wallet allows).

6) I hate that I put this last, but: good security tooling. Typical stuff like an in-house sandbox, dedicated DFIR platform.

This should go without saying: you need people to do this and it really does start from the top (leadership).
- Keep up with the latest trends (supply chain, credential leaks, etc.) and published CVEs (a CERT can help)

- Risk analysis with business stakeholders (maybe they care nothing for confidentiality, but tons for integrity, or there are market regulations a security expert has no knowledge of)

As said by jesterson, there's no silver bullet in security, only adequate counter-measures given a threat model.
Practice some red team exercises against your apps and infrastructure, or do it against a site in the wild and responsibly disclose what you found to them - then harden your systems against your tactics.
Here's a new one most aren't thinking about yet...

Set up a live early warning system for spoofed/deepfake news feeds: https://news.ycombinator.com/item?id=20748195
The key is basic competence in configuration management, SIEM and, most importantly, segmentation.

Patch and have configuration standards.

Segmentation is harder. Keep systems separated and minimize admin privilege.
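"Have configuration standards" only bites if something actually checks hosts against them, and the earlier post's "SSH pubkey auth" is a natural first directive to enforce. Below is an added example (not code from the thread or any commenter) that checks an sshd_config against a small baseline. The baseline, the assumed defaults and the sample config are constructed for the example and are not a published standard; the two parsing rules it models (first occurrence of a directive wins, and anything after a `Match` line is conditional, not global) are how sshd reads the file.

```python
"""Check an sshd_config against a small configuration standard.
Added illustration; the baseline, the assumed defaults and the sample config
are constructed for this example, not a published standard."""

# Constructed baseline: directive -> value the standard requires.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
}

# Value sshd uses when the directive is absent (OpenSSH documented defaults).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
}

# Constructed sample: root login enabled, and the password-auth line is only
# commented out, so the default "yes" applies globally. The Match block turns
# it off for one user only and must not count as a global setting.
SAMPLE_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
Match User deploy
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return effective global directives as lowercase key -> value.

    First occurrence of a directive wins, and the global section ends at the
    first 'Match' line (Match blocks run to end of file).
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in directives:
            directives[key] = parts[1].strip()
    return directives


def check_baseline(text, baseline=BASELINE, defaults=DEFAULTS):
    """Return (directive, actual, required) for each directive off baseline,
    using sshd's default when the directive is not set at all."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, required in baseline.items():
        actual = cfg.get(key.lower(), defaults.get(key, "<unset>"))
        if actual.lower() != required.lower():
            findings.append((key, actual, required))
    return findings


if __name__ == "__main__":
    for key, actual, required in check_baseline(SAMPLE_CONFIG):
        print(f"{key}: is '{actual}', standard requires '{required}'")
```

Run against the sample it reports two deviations: `PermitRootLogin` is explicitly `yes`, and `PasswordAuthentication` is effectively `yes` because the only global line is commented out. Checkers that look for the literal string `PasswordAuthentication no` would have passed this file on the strength of the per-user Match block.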