Read in this blog how I avoid the flood of security alerts for Windows 10. Nowadays, many security solutions are available, all promising to improve the organization's security posture. Enabling these solutions is straightforward. The challenge begins immediately after the features are activated, when the flood of security alerts starts and they have to be prioritized.
N.I.S.T – Protect
The N.I.S.T cybersecurity framework describes that it's smart to start the security journey with the protection phase. The protection phase is the starting point for examining the current security configuration. I recommend checking whether the prescribed settings of your preferred security framework could become your new default security baseline.
Keep in mind that the security baselines contain only the technical settings you need to meet. Create a security vision applicable to your organization's characteristics, such as wishes, demands, and government requirements for your vertical, like the EDA for financials in Europe. The following questions are examples to help you think about your strategic choices regarding security solutions:
- Do I have insights into all the security product my organization is using?
- Which security products and vendors do I use today?
- Can I integrate all the security solutions into one single-pane-of-glass for the SecOps team?
- Does the solution vendor guarantee 0-day support for Operating Systems?
- Is it possible to integrate the security solution with the ticketing system?
- Are you using the built-in security features of the Operating System, or do you use other solutions with similar functionality?
Using the built-in security features
Many security features are built into the Windows 10 Operating System. Those features support you in the continuous journey to protect against the "latest" cybersecurity threats. In my experience as a consultant, I see organizations using multiple solutions with equal capabilities instead of the built-in ones. I understand it's hard to deprecate solutions that have been used for years. Built-in capabilities improve performance, which almost always leads to an improved user experience.
Keep in mind that there may be security features which are not activated yet. Examples are Windows Defender SmartScreen and Credential Guard. These have a low impact on users and bring a significant improvement to the security posture.
I've done many security health checks and security envisioning strategy projects. The goal is to deliver a (renewed) vision of defense strategies against modern threats. These projects were scoped to Microsoft solutions only. The discussion often starts with the question, "How can we protect our endpoints if they are no longer connected to the company's network?". This leads to the insight that their current security approach is not good enough anymore. Security components need to shift from the office building's network equipment to the workplace.
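Before deciding which built-in features to keep or enable, it helps to see what a machine actually runs today. The following PowerShell audit script is an added example and is not part of the original post; it answers two of the questions above (which security products are registered on the device, and whether the named built-in features SmartScreen and Credential Guard are active). It is read-only and relies on the Win32_DeviceGuard CIM class, the root\SecurityCenter2 namespace (client SKUs only) and the documented SmartScreen registry values; output formatting and the object property names are my own choices.

```powershell
# Added example (not from the original post): read-only audit of a Windows 10
# client for the built-in features named in the post and the registered
# security products. Run from an elevated PowerShell session.

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard reports VBS services as arrays: 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) {
        return [pscustomobject]@{ Feature = 'Credential Guard'; Configured = $false
                                  Running = $false; Note = 'Win32_DeviceGuard not available' }
    }
    [pscustomobject]@{
        Feature    = 'Credential Guard'
        Configured = [bool]($dg.SecurityServicesConfigured -contains 1)
        Running    = [bool]($dg.SecurityServicesRunning    -contains 1)
        # 0 = VBS off, 1 = enabled but not running, 2 = running
        VbsStatus  = $dg.VirtualizationBasedSecurityStatus
    }
}

function Get-SmartScreenStatus {
    # A policy value (GPO/MDM) wins; otherwise fall back to the per-machine Explorer setting.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                               -Name EnableSmartScreen -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                               -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    if ($policy) {
        $enabled = ([int]$policy.EnableSmartScreen -eq 1); $source = 'Policy'
    } elseif ($local) {
        # Local values are strings such as Off, Warn, Block
        $enabled = ($local.SmartScreenEnabled -ne 'Off'); $source = "Local ($($local.SmartScreenEnabled))"
    } else {
        $enabled = $null; $source = 'Not set (OS default applies)'
    }
    [pscustomobject]@{ Feature = 'SmartScreen (Explorer)'; Enabled = $enabled; Source = $source }
}

function Get-RegisteredSecurityProducts {
    # Security Center registers built-in and third-party AV/firewall products here.
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Type  = $class
                    Name  = $_.displayName
                    State = ('0x{0:X6}' -f [int]$_.productState)   # raw Security Center state bits
                }
            }
    }
}

Get-CredentialGuardStatus      | Format-List
Get-SmartScreenStatus          | Format-List
Get-RegisteredSecurityProducts | Format-Table -AutoSize
```

Comparing the product list with the features that are already present in the OS is the quickest way to spot overlapping capabilities, and a Credential Guard entry that is configured but not running usually points at a missing hardware prerequisite (UEFI, Secure Boot, virtualization extensions) rather than a policy problem.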
Examples security vision objectives
Security vision objective I
“Creating a workplace where anyone can work wherever they are the most productive, with the freedom to personalize the machine within the security boundaries of the organization.”
The traditional security boundaries are no longer applicable when the workplace is not always connected to the corporate network. We need to replace the network security boundary with something else. Nowadays we can make use of the power of the Cloud with Machine Learning (ML). Machine Learning can quickly determine whether a process is normal or abnormal, independent of location.
Security vision objective II
"Protecting users independent of location against threats via ML capabilities that detect abnormal behavior and inform SecOps and IT-PROs about security threats and improvements. When abnormal behavior is detected, additional risk-based controls respond to mitigate risks and protect the identity, the workplace and the organization's data."
Windows 10 built-in security features can potentially protect you against cybersecurity threats. I recommend quickly starting an investigation into which security products, solutions, and features you are using today. Secondly, evaluate the results and determine whether each of them is still required and fits within the organization's current security vision, which in turn should meet cybersecurity frameworks like N.I.S.T. Investing in the protection phase of the security journey decreases the chance of a flood of security alerts. An example of an EDR solution is Microsoft Defender ATP.
- Microsoft Trust Center
- Microsoft Defender ATP
- Microsoft Defender ATP’s diary: From a SecAdmin’s Perspective (Ronny de Jong)