The original post: /r/cybersecurity by /u/rdpnov10 on 2024-12-22 18:51:07.

Hi all,

I’ve been tasked with building a security program for an organization with what I can only describe as security chaos. I’m writing a proposal based on solutions, products, and costs and hoping for a clarity check to make sure I’m not missing anything major. Here’s a quick snapshot of the environment:

The Situation:

  • No segmentation: Flat network.
  • 1-FA VPN: No MFA.
  • 10+ Google Workspace tenants: No centralization.
  • No Azure at all in the environment.
  • Default credentials all over the place
  • Shared LA passwords: Across both Windows and Mac devices.
  • No Patch Management or centralized way to push machine updates. No golden images, machines are manually setup.
  • Legacy servers: Windows 2000, 2003, 2008, 2012, many of which are internet-exposed IIS servers.
  • Kerberoastable Domain Admins/DA passwords in Shares
  • No signing enforcement: LDAP Signing/Channel Binding/SMB Signing = relaying attacks galore.
  • 5 AD domains: Each with unique problems.
  • No PAM solution: Privileged account management is non-existent.
  • 50+ devs with no SAST, no pipeline security across GCP and AWS.
  • EDR: Falcon deployed but incomplete due to unknown assets.
  • Rapid7 exists, but it’s unclear how effective it is. I prefer Splunk as a SIEM.
  • No enhanced logging on endpoints (e.g. Sysmon)
  • No DLP: FortiDLP is a maybe
  • No IR playbook: Incident response is “panic and pray.”

My Proposed Solutions So Far:

  • SAST: Snyk, VeraCode, or Checkmarx for development security.
  • SIEM: Splunk, Chronicle, or DataDog for centralized logging. I might continue to use Rapid7 if it can do what I need it to.
  • Network Segmentation: Palo Alto NGFW.
  • Patch Management: PDQ Deploy
  • Secrets Management: HashiCorp Vault
  • PAM: Delinea or PasswordState for account management.
  • Enhanced Logging: SysMon for better Windows event logs.
  • LAPS on Windows
  • Web Security: Cloudflare Enterprise WAF.
  • Nessus for vuln scanning
  • ProofPoint.
  • Backups overhaul and removing them from domain joined systems - Veeam

Key Non-Technical Proposals since this org has no idea what a security team looks like. This is the part I really want to double down on.

  • Security has final say: Security needs authority over IT when mitigating risks.
  • CEO/CTO as tie-breakers: For business needs vs. security conflicts, leadership accepts risk formally.
  • Risk communication: Ensuring they understand the ransomware threat until baseline security is achieved.

What am I missing? Are there gaps in my proposal or areas I should double down on? Any tool or strategy recommendations for this level of chaos? Specifically looking for more info to put in writing on non-technical processes and procedures on making sure they really take security seriously since I’ll be a one man team starting off.

I’m being hired to guide the process and get things done, and they’re seriously invested in fixing this.