
Blue teams, what has had the most impact protecting against cyber attacks? - alltakendamned
Security blue teams or defenders of HN, what were the changes you made that have had the most impact in improving the resilience of your organisation to cyber attacks ?
======
jesterson
Maybe someone will disagree, but I believe there are no shortcuts or one-fits-
all solutions when it comes to security. The structure of modern information
systems is extremely diverse, making a single-path approach not work in the
vast majority of cases.

My answer would be quite boring I guess, but it does the job to improve
resilience:

\- Analyse your system and identify potential vulnerabilities;
\- Analyse your vulnerabilities against your risk model (identify the most crucial ones);
\- Mitigate risks from the most important to the least important one;
\- Rinse, repeat regularly;

~~~
badrabbit
What you said improves your known attack surface for sure. But what do you
mean by vulnerabilities? CVEs? If so, that's inadequate.

What I mean is, system and network architecture on its own often creates
vulnerabilities for that risk model. Let's say you have product X; it is well
patched and well configured. Except! Anyone can access it from the intranet
and the internet. Is this a vulnerability? Can a random attacker password spray
product X, gain access and leverage that access for $profit? It's not exactly
a CVE, but it can be a vulnerability.

I say invest in good security/IT architects.

------
badrabbit
1) Implement a good EDR solution. By far, I can't think of any other change or
investment that has had better ROI. So much visibility! And you can quickly
implement detections and controls based on attacker TTPs, which has a greater
ROI than playing whack-a-mole with CVEs or relying on updated firewall rules, AV
rules, SELinux rules, etc.

2) Log as much as possible and do something with the logs. Log everything and
continue to improve your SIEM or security stack based on new threat intel.

3) Low effort, high ROI low-hanging fruit. 2FA everything. Mutual certificate
auth where I can. Turn on BitLocker. Make people use password managers, SSH
pubkey auth. If you have a typical corporate firewall/proxy: block any domain
that isn't categorized or is newly registered.

4) This is what I think will be good, haven't done it IRL: segment the network
well. Remote management can only happen from jump boxes. Be hostile against
removable drives.

5) Taking the first step of NIST's incident response lifecycle seriously,
preparation: playbooks (online and offline), checklists, emergency
communication channels. Document important assets and the related contacts for
when SHTF. And actually have routine tabletop exercises and penetration tests
(as the corporate wallet allows).

6) I hate that I put this last, but: good security tooling. Typical stuff like
an in-house sandbox, a dedicated DFIR platform.

This should go without saying: you need people to do this and it really does
start from the top (leadership).

~~~
phaus
2) Log as much as possible and do something with the logs. Log everything and
continue to improve your SIEM or security stack based on new threat intel.

This is a good one. If you have a SIEM + Log Aggregation setup and you don't
have robust logging and/or aren't feeding those logs into it, you should have
saved yourself some time and burned the money you spent on it.

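As an added example (not from any commenter in this thread), here is the kind of "do something with the logs" that badrabbit's point 2 and the password-spray scenario further up call for: a small detector over constructed auth log lines that flags sources failing against many distinct accounts in a short window, then lists the accounts that went on to authenticate successfully from those sources. The `ts user src result` log format, the 10-minute window and the 4-account threshold are assumptions.

```python
"""Password-spray detector over constructed auth log lines (added example,
not from the thread). Assumes a simple 'ts user src result' log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries many accounts once each (spray),
# another fails repeatedly on a single account (not a spray pattern).
SAMPLE_LOG = """\
2024-01-10T08:00:01 alice 203.0.113.7 FAIL
2024-01-10T08:00:03 bob 203.0.113.7 FAIL
2024-01-10T08:00:05 carol 203.0.113.7 FAIL
2024-01-10T08:00:07 dave 203.0.113.7 FAIL
2024-01-10T08:00:09 erin 203.0.113.7 SUCCESS
2024-01-10T08:00:11 frank 198.51.100.4 FAIL
2024-01-10T08:00:13 frank 198.51.100.4 FAIL
2024-01-10T08:00:15 frank 198.51.100.4 FAIL
2024-01-10T09:30:00 alice 192.0.2.9 SUCCESS
"""

def parse(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result

def detect_spray(log_text, window=timedelta(minutes=10), min_users=4):
    """Return {src: sorted(users)} for sources whose failures hit at least
    `min_users` distinct accounts inside any `window`-long sliding window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, src, result = parse(line)
        if result == "FAIL":
            by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

def successes_from_spray_sources(log_text, hits):
    """Accounts that authenticated successfully from a spraying source:
    the probable compromises to reset and investigate first."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        _, user, src, result = parse(line)
        if result == "SUCCESS" and src in hits:
            found[src].add(user)
    return {src: sorted(users) for src, users in found.items()}
```

In a real deployment the same two functions would run over the SIEM's auth events rather than an inline string, with the threshold tuned to the organisation's normal failure rate.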
------
moviuro
\- Keep up with the latest trends (supply chain, credential leaks, etc.) and
published CVEs (a CERT can help)

\- Risk analysis with business stakeholders (maybe they care nothing for
confidentiality, but tons for integrity, or there are market regulations a
security expert has no knowledge of)

As said by jesterson, there's no silver bullet in security, only adequate
counter-measure given a threat model.

~~~
badrabbit
Keep up with it and do what? Threat intel is nice but quite a waste of time if
you can't adapt to new threats by implementing or adapting security controls
fast.

------
netsectoday
Practice some red team exercises against your apps and infrastructure, or do
it against a site in the wild and responsibly disclose what you found to them
- then harden your systems against your tactics.

~~~
badrabbit
Assuming you have staff that can do red teaming and more staff that can review
the results and implement changes. Purple teaming is also nice and works
better (my opinion) than red vs blue teaming for smaller teams.

------
dieFledermaus
Title is lacking the "Ask HN:" preface which probably explains the low
response/activity.

------
espeed
Here's a new one most aren't thinking about yet...

Set up live early warning system for spoofed/deep fake news feeds
[https://news.ycombinator.com/item?id=20748195](https://news.ycombinator.com/item?id=20748195)

------
Spooky23
The key is basic competence in configuration management, SIEM and, most
importantly, segmentation.

Patch and have configuration standards.

Segmentation is harder. Keep systems separated and minimize admin privilege.

------
runjake
Continuous, ongoing end user education, by far.

It must be a regular thing. Threats change, people forget, people lower their
guard.

~~~
chelmzy
I agree, but it can be almost impossible to scale efficiently. My organization
has ~20,000 employees and at least another 5000 contractors that use our email
system.

------
thedevindevops
[https://giphy.com/gifs/wolf-gladiators-vulcan-l3mZ95PCx30Mxb...](https://giphy.com/gifs/wolf-gladiators-vulcan-l3mZ95PCx30MxbW3C)

