Justin Foster posted an interesting article entitled “Defense in the Deep End” where he talks about which technical controls he would use, and where he would put them, if he had an unlimited budget. Although I agree with most of his selections (his chart can be seen here), there are a few areas where I would continue to invest:
Anti-phishing, URL filtering, and Threat Protection – Let’s bundle these all up into a category called Anti-malware. If I had an unlimited budget, why wouldn’t I consider installing these technologies on my workstations, laptops, AND servers? How often do admins connect directly to the Internet from a server to patch their systems, install troubleshooting applications, and the like? Why not add an extra layer of protection for your servers?
Hard Drive Encryption – Let’s encrypt hard drives on laptops, as they’re mobile, but let’s also encrypt hard drives on the workstations that also work with sensitive information and on the servers that actually store the sensitive information. I won’t even get started on phones and handsets.
VPN – In the next couple of years, more and more people will need to be able to connect to the business to perform quick tasks (e.g. check email, submit a time sheet, etc.). These are tasks that can easily be performed from a public terminal using an SSL-enabled VPN solution. Also, perimeter VPN solutions aren’t going away anytime soon (I’m going to choose to believe you just forgot to put a check mark in that box 😉 ).
DLP – Endpoint DLP only covers the hosts that have the agent installed; a third-party or unmanaged device plugged into the network can still push data out. Why not deploy an inline DLP solution as well? Put something on the network to watch the traffic as it flows out to the Internet.
System/Application Log Forwarding (to SIEM) – Don’t forget to send the logs from your network-based devices, such as firewalls, routers, switches, *IDS/*IPS, proxies, and toasters, to your SIEM/log management device. Correlation is key!
File Integrity Monitoring – Yes, servers need to be monitored for changes, but what about laptops/workstations? Wouldn’t you want to be alerted when a registry key is changed at 3am?
All things considered, Justin put a good list forward.