We changed our name from IT Central Station: Here's why

Top 8 Information Security and Risk Consulting Services Tools

ConvergeOneIBM Security and Risk Consulting ServicesProtiviti Security and Risk Consulting ServicesScienceSoft QLeanHerjevac Group Security ServicesAT&T Security and Risk Consulting ServicesColumn Information SecurityAccenture Information Security and Risk Consulting Svcs
  1. report
    Use our free recommendation engine to learn which Information Security and Risk Consulting Services solutions are best for your needs.
    564,643 professionals have used our research since 2012.

Advice From The Community

Read answers to top Information Security and Risk Consulting Services questions. 564,643 professionals have gotten help from our community of experts.
Evgeny Belenky
Hi peers, I believe many of you have already heard of the recent Log4j/Log4Shell vulnerability that allows attackers to perform remote code execution (RCE). What does it mean for an organization? How can you check you're vulnerable and mitigate/patch it now, if at all? Lastly, what impact do you see this can have in the near future? Thanks
author avatarSimonClark
Reseller

This vulnerability is particularly critical because Log4j is widely used in open source and commercial software and remote exploitation of the vulnerability against any internet-facing server is trivial using a single HTTP post. Exploitation results in full system compromise. The vulnerability has a CVSS Score of 10 out of a possible 10 meaning it is as bad as it gets.


Our SOC has launched a new app that detects the presence of vulnerable versions of Log4j however, detecting it does not mean you have been exploited.


My advice: Scan your network to get a full visibility report i.e. find all your legacy and shadow IT that you didn't know existed which means you should find all potential instances of Log4j, patch all of the Log4J environments, monitor your systems 24/7 using your SOC and if you don't have a SOC invest in a Managed SOC provider. 

author avatarITSecuri7cfd (IT Security Coordinator at a healthcare company with 10,001+ employees)
Real User

Yet another chance to test our incident response procedures. 


So far I would say we're a B. Good on the process, and an A on team response and interactions and reducing threat risk were about a B. 


ID'g your external assets exposed to this vulnerability is your teams' #1 priority and mitigate or patch (if available) the threat. 


You also have to notify and communicate with any 3rd party to make sure they're aware so they can start the same process. You ALSO need to be fully aware of your vendors' weaknesses and defenses (mitigations, patches, knowledge and reaction time). 


Then be prepared to roll out patches or in this case shut systems down OR put mitigations in place immediately to mitigate risk to the entire environment.

author avatarJairo Willian Pereira
Real User

One excellent opportunity for the company to test your CMDB/Inventory (at medium and big companies). 


Tenable, and I think, other Vulnerability Scanners offer a specific plugin used to check your infrastructure against Log4shell. 


If you don't have VS, you can try looking at your logging system for evidence or use:


https://buff.ly/3lYZRh0
https://gist.github.com/SwitHa...


In the future, Patch Mgmt pre-defined and applied schedules need to be first (proactive) from scanners/vulns. (reactive).

author avatarreviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)
Real User

WhiteSource has released a utility to detect log4j vulnerability in the codebase. 


Take a look at this if it helps. In our case, a lot of projects use Elastic Search and Azure DevOps Server - both of them have log4j being used and that's where additional fixes have to be done.


https://github.com/whitesource/log4j-detect-distribution

Giusel
Hi community, I'm working on a document about the Security Operation Center best practices, and I would like to get your inputs about it. Thanks
author avatarShibu Babuchandran
Real User

Hi @Giusel ​,


Some of the best practices that I feel is as below.


1. The SOC must enable end-to-end network control


Your security operations center protects the enterprise from network threats, but you need to precisely define your network boundaries to achieve this. It is a common misconception that the external network is identical to the public internet, and anything that’s not part of the public internet is safe. CISOs must keep in mind that any third-party network (including and beyond the internet) can be a threat vector.


For modern organizations, API-based app integrations, external device connections via Wi-Fi or Bluetooth, and cloud-shared resources must also come under the definition of external networks.


In the case of internal networks, least privilege access should be your rule of thumb, and no single user should have complete access to sensitive/valuable information. Segregate your internal network into several tiers of access (based on its asset contents), aided by a powerful firewall solution.


2. Pay attention to shadow app discovery


Shadow applications (part of shadow IT) are a growing threat for enterprises. Traditionally, SOCs have restricted software installation on enterprise systems, even if the app came from a trusted source. However, in a remote working world, this becomes a major problem. Remote users could intentionally or unwittingly download malicious applications from the internet, eventually spreading across the entire internal network.


In addition to the firewall, regularly conduct an app discovery exercise to create a full software inventory across the hundreds and thousands of computers on your network. Classify these apps as per their security risks and take action. Also, gain from built-in restrictions that prevent unauthorized users from downloading and installing software on enterprise systems (including servers).


3. Keep a watch on hardware sprawl, even in cloud-first environments


Another myth around the SOC maintenance is that hardware doesn’t fall under its ambit. As most security vectors tend to be software-related (spreading through the cloud or public/private networks), SOCs frequently take a short-sighted view and focus only on software. In reality, hardware sprawl is a risk for every enterprise, adding peripherals like printers, routers, Wi-Fi repeaters, storage endpoints, and other unauthorized components as business needs grow. With each addition comes new security risks.


Make unauthorized hardware connectivity prevention a priority for your SOC. Also, implement processes that restrict employees from copying data for home use or offsite use. If some degree of BYOD is inevitable (as in a WFH scenario), make sure to verify identity through multi-factor authentication. Finally, scan enterprise perimeters for rogue hardware, just like shadow applications, to discover risks on time.


4. Protect SOC logs to aid investigation


Access logs are among your most handy tools when conducting a post-attack forensic analysis. It also helps to root out false positives from genuinely suspicious access behavior. SOC managers typically use logging records to assess the four Ws and one H of a security breach: who, what, why, when, and how.


However, the logs themselves can be vulnerable, and it’s compromise will cripple your ability to assess and respond to any security threat. One of the first things a malicious app will once it enters your systems is to remove any evidence of the attack by rewriting device logs. That’s why it is advisable to store access logs in a separate, high-security zone that is not connected to the device itself.


Further, make sure to synchronize the timestamps across all enterprise devices generating logs regularly. A single, synchronized lock will ensure that all devices follow a central time source, allowing access events to be plotted more easily. In case of a breach, you can reconstruct the incident by piecing together logs across various devices.


5. Have a contingency plan in place via a robust backup


Assuming the worst-case scenario can be extremely helpful when building an SOC, given the unpredictable and fast-evolving nature of security threats. A big part of this is investing in a backup system that can help to restore your digital assets after an attack, even if it can’t prevent malicious parties from getting hold of it.


A cloud-based backup system can accelerate data recovery, particularly if a malicious party goes after your in-house backup service.


While no backup strategy is 100% hackerproof, remember the 3-2-1 rule: 3 copies of information, including primary/dynamic/production data and two backups, where one should be stored off-site – e.g., on the cloud. Ensure your production data is protected by strong authentication measures, and your cloud backup is accessible only to a select group of users during worst-case scenarios, like a ransomware attack.

author avatarRobert Cheruiyot
Real User

Hi Giusel,


From my little experience, it's always good to have a good working plan on how you are going to start setting up a SOC and how you are going to gradually mature the SOC. The primary consideration is the availability of 3 components: people, technology and process.


It's very easy to manage the development of SOC when you do it in bits. Talk about technical aspects like SIEM. SIEM might have components like Logs, Network, Endpoint and SOAR. From my own view, it's not an easy thing to plug in all these components at once. You could start with a primary component like the Logs component and gradually build from that. It's also good to have a technology and deployment option that works for your business needs. 


On people, it's good to have skilled analysts else you may not get value for your investment in technology and time. Many people take different approaches to sort the issue of the insufficient number of skilled analysts. Some opt to work with MSSP jointly with the team you are developing in-house for a set period of time for the purpose of knowledge transfer.


There should be a clear workflow of activities in case of an incident. What should T1 do before passing the alerts to T2 .. or closing false positive alerts? What are your sources of threat intelligence?

author avatarSteffen Hornung
Real User

Sadly, I cant contribute due to lack of experience in that field. But I would love to read about your findings


Information Security and Risk Consulting Services Articles

Ram Chenna
Enterprise Architect at Blueray Digital Services
Dec 15 2021
Privacy Concerns in an RPA Implementation Program. The biggest concern we (as RPA solution implementors) have faced when interacting with clients and customers were: 1. Regulatory and Compliance issues. 2. InfoSec and Security issues. 3. Audit Issues. Regulatory and Compliance Issues: There...
Read More »
Abhirup Sarkar
Director, Middle East, East India & SAARC at a tech company with 51-200 employees
Dec 08 2021
Zero Trust is a set of techniques to secure end-to-end IT network infrastructure. Given the complexity of today’s networks, Zero Trust security principles continue to evolve and adapt to current demands. As indicated by the history of Zero Trust, an evolving IT security landscape was what had ev...
Read More »
Tjeerd Saijoen
CEO at Rufusforyou
Security and protecting your environment are the biggest challenges now. Is this because we don't have software to protect our environment or is it anything else? In the past, I started with mainframes and no worries about hackers.  Today, we are dealing with a silo approach. Servers are at v...
Read More »