Whether the organization owns perimeter hardware capable of managing traffic and can handle the work-load effectively.  The second point is as important as the first, many appliances cannot scan traffic effectively unless they are sized up many times over.  It's extremely difficult for boards/managers to understand the necessity to spend exponentially more than expected.  For completeness, the hardware should be distributed to all branch offices and remote worker locations.

Whether the organization has completed a ransomware readiness assessment (or similar cybersecurity readiness) and reviewed recommendations.

How the organization decides what is necessary and/or allowed. In most small environments internet is fairly open.

What resources the organization has available to manage firewalls and content filters during day to day operations.  

What tools and technologies protect users when inside the office, when traveling, when working from home, and when accessing company data on mobile devices.

Understand the scope of devices being protected and how filtration technologies can affect all the devices which attempt to connect to the internet*.

Whether existing management technologies permit deployment of security tools effectively.

Whether the organization is capable of enforcing user-choice restrictions for internet browsers.

Whether or not the browsers used are managed through enterprise-grade management technologies.

Effective Area

Suggested Strategy

Implementation Notes

Boundary firewalls

Firewall with content filtration, malware scanning, and Layer 7 configuration.

Content filters block generic classes of websites, malware scanning looks at malicious content in more detail, and Layer 7 config can be used to block problematic systems such as peer-to-peer file sharing.  Common solutions include Cisco Meraki MX firewalls.

Optimal solution is to deploy AMP firewalls to each office, branch, and teleworker.  When teleworker protections are not possible, a compensating control is done using company-owned hardware and DNS layer filtration (see next item). 

Secure Configuration

In this context, the scope is limited to web filtering. DNS layer security (DNS Filtering) combined with Mobile Device Management and web gateway. 

While boundary firewalls work only at the “office", a DNS layer solution applies to the device at all times. It can be used to further control web traffic and reduce what is accessible.  This can also include other forms of software designed to affect application/site access.  Common solutions include Cisco Umbrella or OpenDNS.  These are often the first layer defense but they typically require other solutions (such as MDM and virtual appliances) to meet objectives. 

Malware Protection

Anti-malware software scans for viruses, monitors web behavior, reports anomalies and includes behavior monitoring.

Technologies built around early detection and tactical response.  Guided threat hunting for Indicators of Compromise, granular isolation of processes, lightweight and fast without false positives.  Automated attack isolation and remediation.  Common solutions include Malwarebytes EDR.  

Patch Management

Assurance that vulnerabilities are patched quickly.

Strong control over operating system patches, critical application patches, and drivers. Systems vary and are often bundled with RMM offered by your service provider.

Device Management

Enforce policy compliance and enable controls. 

Mobile Device Management on top of Remote Monitoring and Administration. Common vendors include Windows Intune, Cisco Meraki System Manager, JAMF.  

User Access Control

Limiting administrative privileges and assuring that device configuration matches organizational requirements. 

For critical cloud services the strategy should be to enable organizations to apply conditional access,  strong authentication, and reliable auditing. 

This topic spans three areas:  identity management, access control, and threat management.  

Identity management solutions, such as Azure AD or Okta, make it possible to authenticate users in real time and reduce risks associated with account compromise, misconfiguration, and on/offboarding. 

ACL policies for the organization, enforceable and auditable permission schemes and zero trust architecture**.

Communication/collaboration platforms such as Microsoft 365 and Google Workspace, both vendors offer advanced security and threat management solutions which enable organizations to manage access and have trust in authentication capabilities.  Microsoft refers to to this as "EDR E5" and Google refers to this as Business Plus.  These are being continuously revised and quarterly reviews of this technology should be baked into cyber security management. 

Insider Threat Detection

While ant-malware performs heuristics on software behavior, monitoring users for malicious activity (intentional and not) will assist with early detection of threats.

Behavior monitoring and active alert systems include employee monitoring software that runs on desktops and cloud application service brokers that analyze cloud application activity logs.  Notable solutions include ActivTrak, WorkPuls, Cerebral, Microsoft Cloud Application Security, and Avanan.