• Create an asset inventory of servers and desktops.
• Document the cybersecurity roles within your organization.

• Microsoft Endpoint Manager (Intune) can be used to create Asset Inventories for desktops.
• On-Prem Active Directory can also be used.

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

• Review and document all 3^rd party relationships that could impact information security.
• Develop objects for Information Security

• For most organizations, using Microsoft Teams to organize and share this documentation is a good place to start.

• Begin by developing an initial Information Security Policy that aligns to the NIST CSF
• Focus on a policy that contains the Core CSF Components.
• Document Roles and Responsibilities within your org.
• Begin documenting Risk findings within your org.

• Microsoft Teams is a good starting point for most orgs to store and share governance documentation.
• An Excel spreadsheet can be an effective starting point for smaller organizations to track risk.
• SimpleRisk is a good open-source product to use for GRC.

• Begin by using some form of a vulnerability management system to identify vulnerabilities in your organization.
• Get familiar with cyber threat information and know where to obtain reliable news and information.
• Develop a process for performing regular patching and configuration hardening across the organization.

• There are many good Threat Vulnerability solutions available.
• Microsoft Defender for Endpoint includes a Vulnerability module in the same agent.
• Crowdstrike Falcon also has a Vulnerability module that can be added on.
• Qualys VMDR is an industry leading solution.
• Rapid InsightVM is another leading solution.

• Create a Risk Management Policy and document how your organization will handle risk findings.
• Ensure all stakeholders understand and agree to the process.

• Develop a process to assess vendor risk.
• There are several SaaS solutions that can help automate this process.

• SecurityScoreCard.com is a leading solution for managing vendor risk.
• CyberGRX.com is another major solution.

• Select a strong Identity Provider solution that aligns with your other technologies.
• Create processes for Identity Governance, provisioning, and de-provisioning.
• Make sure you are using a strong VPN solution with MFA enabled
• User firewalls to segment your network
• Ensure all access requires MFA

• Use a robust Identity Provider like Azure AD or Okta
• Use a NGFW based VPN like Palo Alto Global Protect or Fortinet for traditional data center access.
• If your deployment is more cloud-oriented use a SASE like Zscaler, Perimeter81, or Netskope

• Ensure all users perform security awareness training.
• Document roles and responsibilities

• Use an online training service such as KnowBe4 or Hoxhunt.

• Ensure that data storage is encrypted, and access is restricted.
• Data in transit uses strong TLS encryption. Disable HTTP, FTP, Telnet in your environment.
• Utilize an asset management system to centrally managed all desktops and servers
• Employ a DLP solution to prevent data loss
• Production application environments should be separated from development and testing.

• Use Microsoft Bitlocker and Intune to ensure all disks are encrypted.
• Intune and Azure AD can be good solutions for asset management.
• Deploy a DLP solution like Forcepoint or DigitalGuardian.

• Create baseline configuration policies using automation, scripting, or vulnerability management tools.
• Application development should follow a formal SDLC
• Changes to production systems should align with a Change Control process that is auditable.
• Information assets are backed up with offline or immutable copies of data.
• Create a policy for security physical assets
• Create a data destruction policy and process
• Develop a clear Incident Response plan
• Create a DR plan that contains clear steps to recover your environment
• Perform testing of IR and DR plans
• Development of a vulnerability management plan.

• Utilize a leading backup solution that can perform immutable backups.
  • Veeam Backup & Replication
  • Zerto Data Protection
• Utilize Microsoft Teams/SharePoint to store and collaborate on Policies and Procedures

• Ensure changes and maintenance activities are properly logged.

• Ensure security tools are properly maintained and managed.
• Limit the use of USB and Flash drives, if used only use encrypted USB
• Ensure user access follows the principle of least functionality
• Where possible ensure systems have high availability

• Collect security events from the environment. Ensure you’re collecting from the following sources:
  • Network/firewalls
  • Desktops and servers
  • Physical sources like doors
  • End-user sources like Internet browsing, file access, VPN, and email
  • Mobile device activity
  • Antimalware events
  • Cloud Provider management logs like Azure, AWS, GCP
• Prioritize the detection of unauthorized access attempts
• Perform routine vulnerability scans on the environment.
• Understand what normal activity is, and what would potentially be malicious
• Setup automated analysis of security events using a SIEM
• Create processes for handling alerts and classifying them

• Make use of a SIEM solution to collect events and perform analysis.
  • Splunk
  • Securonix
  • Exabeam
  • Microsoft Sentinel

• Ensure the roles are defined for responding to detection events.
• Perform testing on detection rules.
• Setup alerting using Email, SMS, or push notifications.
• Continuously make updates to the detection process adding rules to detect new attacks or vulnerabilities, or using new technology.

• Use solutions like Teams or Slack to automate notifications and track detections.
• DevOps tools like PagerDuty or OpsGenie are also effective and alerting responders.

• Have the Incident Response plan ready to be used in the event of a cyber incident.

• All responsible parties know their roles.
• Incidents are documented and communicated with stakeholders according to the established policy.
• Where appropriate, information sharing occurs with external parties.

• Ensure that all detected security events are investigated
• Perform deep forensics on any event
• Any reported vulnerability should be analyzed to determine if it affects the organization.

• Ensure that security events are quickly contained.
• Determine the presence of vulnerabilities in your environment and mitigate them.

• Make use of an EDR solution that has the ability to network isolate an endpoint to mitigate the impact of an event.
• Use next-generation firewalls to limit lateral movement in the network.
• Use CSPM solutions like Azure Security Defender, Wiz, or Palo Alto Prisma Cloud to identify cloud vulnerabilities

• Make updates to IR plans using lessons learned from cyber incidents.
• Where applicable, change your security strategies based on IR events.

• Ensure your Recovery plan is available and can be used during an incident.

• After an incident, update your recovery plans to include any lessons learned.

• Ensure all internal and external stakeholders are communicated with during and after an incident.