CGNET is doing a lot of security testing, assessment and evaluation these days. Most of the work I do is for nonprofits, particularly foundations, with staffs ranging from 10 to about 200 people. I’m beginning to see a pattern in what security these organizations do well, and where they need help.
In general, these organizations do anti-virus and firewalls pretty well. Penetration testing usually turns up the need to patch more often, but the vulnerabilities it finds are usually not that severe. That doesn’t mean you shouldn’t check. There have been some significant exceptions, and you wouldn’t want to be one of them.
These organizations are also aware of phishing and social engineering. Many of them have trained their staffs on security practices, often including simulated phishing tests. Many others, however, have still not done this, or have done it only casually. Fixing this is cheap and easy. Just do it.
Most, but not all, organizations do good and frequent backups, and many limit what software their users can install on their desktops or laptops. This is more important than ever, because the small organization’s defense against ransomware is to wipe the affected machine and restore from backup. That only works if the backups are out of reach of the same credentials the ransomware runs with (offline, or in a separate account it cannot write to) and if you have actually tested a restore.
There are a bunch of other things that doing a security assessment can help with, but here we’re being quite general.
The place where most organizations fail today, however, is incident detection and response. This means knowing when malware, or the unauthorized use of your own software against you, is active on your network, and it means knowing how to limit the damage and get rid of it. This is a problem. Even the best-trained employee can have a bad day and click on a link without thinking. It only takes one, and then your network is compromised. There are also exploits for zero-day vulnerabilities, and new malware with no signature yet, that anti-virus will not flag. You must assume that something will eventually get in, so you have to be able to find it and fix it.
This is hard to do, which is why so few are doing it. It’s hard because the technology we’ve been using (firewalls, intrusion detection systems, intrusion prevention systems, system logs) is hard to manage. These tools generate huge amounts of data and many false positives, and someone has to look at all of it. This gets us to the root of the problem:
Almost none of the organizations we work with have the personnel to provide adequate detection and response. Many don’t know how to manage the detection devices efficiently. Even if they do, they don’t know what to do for incident response. Most don’t have a plan; many don’t have a clue.
It doesn’t help that everybody has recently discovered that they need cybersecurity, from the home user to nation states. This has resulted in a gigantic shortage of skilled information security professionals, and those who exist can charge a lot. For the small organizations we serve, putting such a person on staff is simply too expensive.
So, the missing security puzzle piece for our clients is inexpensive outsourced incident detection and response. How to get it?
There are a lot of vendors out there who claim to provide these services one way or another. Here are a few I’ve seen: AlienVault, Arctic Wolf Networks, Cisco, Core Security, CrowdStrike, CSIS, Cybereason, Cynet Systems, Datashield, eSentire, F-Secure, FireEye, Ingalls Information Security, IronNet, K2 Intelligence, Kudelski Security, Mnemonic, MWR InfoSecurity, Morphick, NCC Group, Netswitch, NetWatcher, Paladion, Proficio, Rapid7, Raytheon Foreground Security, Red Canary, Rook Security, SecureLink, SecureWorks, UnitedLex, Vigilant.
Which of these is right for nonprofits with staffs of 10 to 200? Which are the least expensive? Which of their varied sets of technology and services fits best into this puzzle? Which have good track records? It’s a lot to find out, and the useful information is usually not on the web.
So, this article is an introduction. What I hope to do is to pick out some of the vendors on this list, and, inevitably, other lists, and qualify them. I’m hoping to do one a week. Check back to see how I’m doing.