The Ideal Security Stack
By Joshua Liberman, Net Sciences, Inc. and ASCII Group member
The most important decisions you make as an MSP are about how to secure your clients. No matter what you get right, if you get the security wrong, you lose. The first decision will be whether to weave together best-of-breed offerings or to go with broader offerings from fewer vendors that will be easier to manage. Though we all worry about the costs of properly securing our sites, you may find that the big issue is no longer money but inconvenience. Anyone who has ever enabled universal MFA or DPI-SSL on their firewalls knows what I mean here.
How Do They Work? Your first step in the process of analysis is to determine how the client works. Are they still premise-centric? Fully in the cloud? Working in a hybrid in/out-of-office mode? The answers to these questions will inform how you build your security stack. For nearly every site we manage, there is still a local network with a perimeter, as well as remote workers to protect. This leads to the question of whether you plan to provide a single security solution that covers all these bases, or tailored solutions that address these various scenarios.
Does One Size Fit All? As alluded to above, you will need to determine whether a single bundle fits all. In our case, since so much of what we do still involves “traditional” premise-based scenarios, we have settled upon a comprehensive solution that I will outline next. But many of us are working with sites that no longer have a traditional premise (or much of a perimeter) and will therefore need to tailor their offering to support that style of distributed security. You may find that, moving forward, Secure Access Secure Endpoint (SASE) solutions are your future.
Our Current Ideal Stack. We deploy a best-of-breed solution stack that includes endpoint protection and Managed Detection and Response (MDR) with a Security Operations Center (SOC) on the back end. Next up is DNS filtering, with mobile agents on the mobile endpoints. We do our patching, monitoring, and alerting through our RMM tool, as you probably do. MFA is crucial today for M365 access, remote workers, and even local logins. We provide BitLocker management on all endpoints and proxied RDS for secure remote access. We provide firewall log reading and response and employ a dedicated tool for IoT management and new-device alerting. We bundle these services as our SecurIT™ plan, and every site gets them.
Meet Your New Endpoints. With the Microsoft 365 “endpoint” being such a hotbed of hacker activity today, we have come to accept that we must treat it as an endpoint and protect it as such. That starts with highly effective third-party mail filtering. Next comes a dedicated anti-phishing tool that really works well. We also engage a SOC for M365 log reading and response services. Finally, we bundle granular backup of Outlook, OneDrive, SharePoint, and Teams. This is delivered in a single bundle that we sell as M365 Complete.
The Perimeter. Most of our sites still have a very real perimeter, and that means they must have a modern firewall/UTM device deployed, with full services engaged. This includes cloud-based heuristic analysis, integrated Wi-Fi for your smaller sites, SSL VPN termination, and more. The firewall/UTM truly is the Swiss Army knife of perimeter protection. We also protect every site that has an on-premises server with complete BCDR protection, delivered on a managed basis. No security solution is complete without backup, business continuity, and disaster recovery.
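The “firewall log reading and response” service mentioned in the stack above is easiest to picture as a concrete triage pass over the perimeter logs. The following Python script is an added example written for this article; it is not code from Net Sciences or from any firewall vendor. It assumes a constructed, generic key=value log line format (real appliances each have their own), treats the RFC 1918 ranges as the client’s internal networks, and uses documentation addresses for the outside world. It flags two things a perimeter reviewer wants to see: an external source that has been denied on many distinct ports (a probe worth a block or watchlist entry), and an allowed inbound connection from outside to an administrative port such as RDP, which points at a firewall rule that should be reviewed or replaced by proxied RDS or VPN access.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log in a generic "key=value" style (not any real vendor's format).
# External addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z fw1 action=deny src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2024-05-01T08:00:01Z fw1 action=deny src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2024-05-01T08:00:02Z fw1 action=deny src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2024-05-01T08:00:02Z fw1 action=deny src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2024-05-01T08:00:03Z fw1 action=deny src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T08:00:03Z fw1 action=deny src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2024-05-01T08:01:00Z fw1 action=allow src=198.51.100.9 dst=192.0.2.10 dport=3389 proto=tcp
2024-05-01T08:01:05Z fw1 action=allow src=10.0.0.5 dst=10.0.0.20 dport=3389 proto=tcp
2024-05-01T08:02:00Z fw1 action=allow src=10.0.0.8 dst=198.51.100.44 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Assumption: the client's internal address space is RFC 1918; everything else is "outside".
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Administrative services that should not be reachable directly from the outside.
ADMIN_PORTS = {22, 3389, 445, 5985, 5986}


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the configured internal networks."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def find_port_scans(events: list, min_ports: int = 5) -> dict:
    """External sources denied on at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["action"] == "deny" and not is_internal(ev["src"]):
            ports_by_src[ev["src"]].add(ev["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def find_exposed_admin_ports(events: list) -> list:
    """Allowed inbound connections from outside to an administrative port: rules to review."""
    hits = set()
    for ev in events:
        if ev["action"] == "allow" and not is_internal(ev["src"]) and ev["dport"] in ADMIN_PORTS:
            hits.add((ev["src"], ev["dst"], ev["dport"]))
    return sorted(hits)


def triage(text: str) -> dict:
    """One pass over the log, returning the findings a reviewer would act on."""
    events = parse_log(text)
    return {
        "events": len(events),
        "scans": find_port_scans(events),
        "exposed_admin": find_exposed_admin_ports(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"parsed {report['events']} events")
    for src, ports in report["scans"].items():
        print(f"probe from {src}: denied on ports {ports}")
    for src, dst, port in report["exposed_admin"]:
        print(f"review rule: {src} -> {dst}:{port} allowed from outside")
```

On the constructed sample, the script reports one external probe (six distinct ports denied) and one allowed RDP connection from outside; the internal-to-internal RDP session and the outbound HTTPS connection are left alone. The port threshold and the admin-port set are the knobs to tune per site.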
On Our Horizon. Currently, we offer two add-ons to our stack, though sooner rather than later they will probably migrate into our stack as well. First up is application whitelisting; ThreatLocker is the leading player here. Though a bit noisy at first, whitelisting offers protection that nothing else can, locking down clients, come what may. Related to that, though also available separately, is privilege elevation, with AutoElevate being a leader here. Both products are developing overlapping features today, so perhaps we will see one solution for both soon.
But What Is Still Missing? I am sure that some of you have noted deficiencies in this stack, so let’s go through a few of them now. The first and most obvious is probably Mobile Device Management (MDM). While we once had a dedicated offering for that, it was complicated, difficult, and finicky. Nowadays, the right M365 plan handles that. Another thing absent from this list is Data Loss Prevention (DLP). Our MDR client does manage that for USB devices, but it does not address email or file sharing, the real vectors of risk in the data loss space.
Mastering the M365 product stack, learning about everything from Conditional Access to Intune (or Endpoint Manager), is critical to your ability to deliver on these missing pieces of your security stack. This includes Identity and Access Management (IAM), MDM, and DLP offerings. You may find that if you dig in deep and sell Enterprise M365 packages, you can provide almost all the components in our stack purely in the Microsoft world. For those who believe fewer vendors is better, optimizing the M365 stack is an excellent option.
Zero Trust Architecture (ZTA). Nobody can talk about a security stack without mentioning Zero Trust. But what is it, really? Simply stated, Zero Trust inverts the typical methodology: instead of detecting unwanted access or activity and blacklisting it, you start from the assumption that no traffic or access is allowed, and only “known good traffic” can flow. This is a very fast-growing area in our industry today, incorporating everything from application whitelisting, to 2FA and IAM, to Secure Access Secure Endpoint (SASE) solutions.
Ultimately, ZTA is more of a concept than a reality today. ZTA must address everything from access control lists to firewall rules, as well as universal MFA, application whitelisting, and much more. ZTA is an ideal that we should all aspire to, but you should not get the idea that you can attain this pinnacle with a few products or processes. Executing fully upon ZTA requires a truly comprehensive reimagining of your networking, but it is the future of security. The move from trust all (baked into the very design of TCP/IP) to trust no one (X-Files fans!) is well underway.
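To make the inversion described in the two paragraphs above concrete, here is a small Python policy engine, added as an example for this article; it is not code from any product or from the author, and the request fields, rules, users, and applications are all constructed. It evaluates the same access requests under a legacy blocklist (allow unless explicitly denied) and under a Zero Trust allowlist (deny unless an explicit rule for that user group, application, MFA state, and device posture matches). The side-by-side output shows the difference: a request for an application nobody has thought about yet sails through the blocklist and is stopped by default deny. The application whitelisting add-on described earlier applies the same default-deny principle to executables instead of access requests.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt as the policy engine sees it (constructed fields, not a real product's schema)."""
    user: str
    groups: frozenset
    app: str
    mfa_passed: bool
    device_compliant: bool


@dataclass(frozen=True)
class AllowRule:
    """An explicit 'known good' path: which group may reach which app, under what conditions."""
    app: str
    group: str
    require_mfa: bool = True
    require_compliant_device: bool = True

    def matches(self, req: AccessRequest) -> bool:
        if req.app != self.app or self.group not in req.groups:
            return False
        if self.require_mfa and not req.mfa_passed:
            return False
        if self.require_compliant_device and not req.device_compliant:
            return False
        return True


def evaluate_zero_trust(req: AccessRequest, rules) -> tuple:
    """Default deny: the request is allowed only if some explicit rule matches it."""
    for rule in rules:
        if rule.matches(req):
            return ("allow", f"matched allow rule {rule.app}/{rule.group}")
    return ("deny", "no allow rule matched (default deny)")


def evaluate_blocklist(req: AccessRequest, blocked_apps) -> tuple:
    """Legacy model: the request is allowed unless the app is explicitly blocked."""
    if req.app in blocked_apps:
        return ("deny", f"{req.app} is blocklisted")
    return ("allow", "not blocklisted (default allow)")


# Constructed policy for a hypothetical client: three known-good paths, one blocklisted app.
RULES = (
    AllowRule(app="m365-mail", group="staff"),
    AllowRule(app="erp", group="finance"),
    AllowRule(app="intranet", group="staff", require_compliant_device=False),
)
BLOCKED_APPS = frozenset({"torrent-client"})

# Constructed requests covering the interesting cases.
R_OK = AccessRequest("alice", frozenset({"staff", "finance"}), "erp", True, True)
R_NO_MFA = AccessRequest("alice", frozenset({"staff", "finance"}), "erp", False, True)
R_WRONG_GROUP = AccessRequest("bob", frozenset({"staff"}), "erp", True, True)
R_UNKNOWN_APP = AccessRequest("bob", frozenset({"staff"}), "legacy-ftp", True, True)
R_BLOCKED = AccessRequest("mallory", frozenset({"contractor"}), "torrent-client", True, False)


def compare(requests, rules=RULES, blocked=BLOCKED_APPS) -> list:
    """Side-by-side decisions as (user, app, zero_trust_decision, blocklist_decision)."""
    return [
        (r.user, r.app, evaluate_zero_trust(r, rules)[0], evaluate_blocklist(r, blocked)[0])
        for r in requests
    ]


if __name__ == "__main__":
    for row in compare([R_OK, R_NO_MFA, R_WRONG_GROUP, R_UNKNOWN_APP, R_BLOCKED]):
        print("%-8s %-15s zero-trust=%-5s blocklist=%s" % row)
```

Only the fully qualified request (right group, MFA passed, compliant device) is allowed under the Zero Trust evaluation; the same user without MFA, a user outside the required group, and an application with no rule at all are each denied, while the blocklist waves all three through. That gap, rather than any single product, is what the paragraph above means by “only known good traffic can flow.”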
About The Author
Joshua Liberman is the President and founder of Net Sciences, Inc. and has been a member of The ASCII Group since 1996. Joshua started PC Services in 1990, doing Novell networking and becoming an early Master CNE. As a contractor to the DOE from 1990 to 1995, Joshua developed one of the first digital video networks in the nation. After starting Net Sciences in 1996, Joshua began his migration to Microsoft networking and has since built and secured hundreds of Microsoft Windows networks over the past twenty years. Joshua has been a rock & ice climber, mountaineer, martial artist, and a lifelong photographer. Joshua speaks five languages, has forgotten four more by now, and has traveled half of the world. In his spare time, Joshua writes, travels, does photography, and raises Siberian Huskies with his wife and best friend of 22 years, Heidi Olsen, who calls him the Most Interesting Geek in the World.