Webinar:

Endpoint Hardening Without Breaking Everything

Speakers:

Joe Buck

Senior Operations Engineer

Webinar Details:

Recorded Date: 

March 3 2026

Summary:

Every CIS benchmark looks sensible on paper. Then you deploy it and OneDrive stops working, printers disappear, and users can’t log in because they don’t know their own username.


In this 45-minute session, ThreatSpike Senior Operations Engineer Joe Buck walks through a risk-based approach to endpoint hardening that actually survives contact with real users and real environments.


What you’ll learn:

  • Which CIS settings cause the most real-world disruption, and which are safe to deploy immediately
  • How to scope, stage, and test hardening before it hits production
  • Building an exception framework that’s auditable without being rigid
  • What endpoint hardening reveals about gaps in your wider security posture

Good morning, good afternoon and good evening everybody, depending on where you are. Welcome to Threat Spike's webinar. To introduce myself, I'm Ellie Hills, I'm the Sales Manager here at Threat Spike. Joining me here today as well is Joe Buck, our Senior Operations Engineer, working across all teams covering all different parts of our services.

Joe has a wealth of experience in the endpoint hardening field, both from Threat Spike, but also his previous roles prior to Threat Spike, where he faced a lot of problems with endpoint hardening, which is really where a lot of this content will stem from, and obviously how he has solved it whilst in his role at Threat Spike.

Joe is here to outline exactly what happened and how to avoid those common problems, especially when dealing with some of the benchmarks out there such as CIS, and while you're doing your own device hardening projects. But before we get underway, I just have a little bit of housekeeping to do.

We’d like this webinar to be as engaging as possible. So on the right hand side of the screen, you’ll see a little speech bubble icon, that’s our chat there. Feel free to drop in a message now, tell us where you’re from, what your role is, and let’s meet some of the people who are in this webinar.

We also have a Q&A, so if you've got any questions on the presentation today, anything Joe mentions, anything we do here at Threat Spike, please feel free to drop that into the Q&A window, that'd be great. We may get through some of those questions during this webinar. We may get through some of them at the end, and if there's any left over, we'll send written responses to all of the attendees as well.

We're also running a few polls throughout the webinar, so another interactive piece to put into the mix. The polls will come up, there are 3 throughout the whole thing. It's a good way for us to gauge who we're speaking to in terms of the audience, your maturity in terms of device hardening, and it also allows Joe to pivot and answer some of the additional things based on the answers to the polls as well.

That’s almost it for me, apart from this session is being recorded, so if you do want to watch it again, you’ll get that recording after we’re finished. Please feel free to also share it with any friends, colleagues, family members, anyone who you think might actually be interested.

So without further ado, I’m gonna hand it over to Joe to dive into the technical content.

Thank you very much there, Ellie, and yes, we’ll get started with the webinar. So this is endpoint hardening without breaking everything.

So first of all, just a little bit of background about me, about Threat Spike, if you're familiar with us. My name's Joe, Senior Operations Engineer here at Threat Spike, working mainly on the Threat Spike Blue side, so the managed defensive security side. I was that little kid that really wanted to get into cybersecurity because they watched James Bond, and ended up doing something similar to what Q might have been doing in those movies.

I'm deploying Threat Spike on a day-to-day basis, so all of our security tooling, and implementing security controls. A few people in the audience might know me from some of the account meetings, but predominantly what my role has developed into is security consulting. So solving problems, it's what I like to do on a day-to-day basis, and Threat Spike puts me in a unique position to do that. One of the things that I've focused on throughout my security career, if you put it like that, is endpoint hardening. That was my predominant responsibility as part of my previous role and I sort of took it in my stride, going forward in this role as well. So, just a little bit of background about Threat Spike.

So we were founded by husband and wife duo Adam and Kate, about 12-13 years ago, I think.

We deliver managed IT and cybersecurity services to customers globally. We also have about 100+ employees now. I think I started about a year and a half ago as maybe the 35th or 40th employee, so we really have grown massively in that time period, and if anything, the services we deliver have just got bigger and bigger and on a grander scale, which means that I've talked to a lot of people all over the globe in a lot of different industries about their journeys, not only in cybersecurity, but sort of focusing more on device hardening, which I've had some very, very interesting conversations about, and hopefully I'll be able to share some of those with you as we go forward.

So in Threat Spike, we have defensive security and offensive security, the red side and the blue side. So unlimited penetration testing on the red side. And I work predominantly in the defensive security side, like I said, deploying Threat Spike agents for MDR, EDR, offering unlimited incident response with our 24/7 365 SOC team. And like I said, security consultancy and helping with security compliance as well, and on the topic of that compliance, this is what that talk is about: it's sort of making sure people know what's available to them when they do choose hardening frameworks, and more importantly why we harden devices and what it means for an organisation to choose a hardening framework and follow that journey through.

We also have fully managed IT which encompasses all these packages which, I mean, regardless of the sort of sphere you're looking at this presentation from, whether it be defensively, offensively, or sort of the whole IT stack, whatever your role is, I hope you're able to get something from this that really sort of resonates with you.

OK. So, before we go into the nitty gritty, I would like to pass over to Ellie again where we have our first poll.

Thank you, Joe. So yes, for our first poll, we have, how would you describe your current endpoint hardening maturity?

A, we haven’t started yet. B, some hardening in place, but it’s done on an ad hoc basis. C, we’re following a benchmark, but we’re not compliant yet.

Or D, we’re fully benchmarked and compliant and just working to maintain that level.

Give it a few seconds for people to get their answers in, they're jumping between different numbers, or we have a clear winner at the moment.

Oh, it's like a cat and mouse game between these. Fantastic. OK, so we've got two winners there, we have, oh, it's gonna change as I carry on, isn't it? So the one that's come out on top is people are following a benchmark, but they're not quite compliant. Followed fairly closely behind with some hardening in place, but done on an ad hoc basis.

So I'm gonna hand back over to Joe to really touch on those two points, which are pretty similar in the long run, in the grand scheme of things, working towards hitting that benchmark, but just not quite there, just at different levels. Back over to you, Joe.

Thank you very much. Yes, it's interesting to see that actually. So some hardening in place: what we tend to see when we work with new customers with Threat Spike, specifically with Threat Spike Blue, is that they may have an idea of what they're supposed to comply with. So either sort of what legislation they need to comply with, which means they have to harden to a certain standard to work with certain data, or sort of what the organisation feels is acceptable based on their risk appetite. And either that journey's been started and the sort of ad hoc controls are in place, either through interviewing policies or something like that, or they've made good headway into getting compliant. As we stated there, sort of following a benchmark already, but regardless of that Threat Spike can help out, and people like me on my team, operations engineers, can help out with that journey as well by offering advice and using Threat Spike's tooling to advance and build upon the hardening that's already in place,

not seeking to tear down the progress that's already been made. So, just going into it from the basics: what do we actually mean by hardening? Well, that's reducing the attack surface via secure configuration. So talking specifically on endpoints here, although hardening is a general security term: endpoints, workstations, servers, mainly focusing on workstations for the purpose of this presentation as we'll see in a bit. There is that famous quote that likely a lot of you have heard, that the only truly secure system is one that's powered off, cast in a block of concrete and buried on the sea floor, in various succeeding levels of hyperbole there, but that would kind of be an attack surface reduction of 100%, which is unrealistic. It's not only unrealistic, it's undesirable.

But with that in mind, what do we actually want to achieve with hardening if we're not trying to get to that 100%? Now, those of you that are following a benchmark already will probably know your goals, which is almost like step one. You've sort of eliminated all of the extraneous factors and narrowed it down to a checkbox exercise: you've said this is what we want to achieve at a high level and gone all the way down to, this is how we're actually going to implement it. But for those that are starting the journey, choosing that tooling that you use to implement, or even sort of going about figuring out what you need to comply with in the first place, can be a bit tricky.

So just a tiny bit more context. In the earlier days, most networks on the smaller scale, it was all about perimeter security, assuming no unauthorised users in your network; the scope of what the users could do with your workstations might not have been sort of massive, excessive, so the attack surface was quite small anyway, focusing on the perimeter to secure it. But nowadays we look at more of the defence in depth model which, as networks became a lot larger, the complexity of the operating systems expanded and, almost like the capability of users, they've used computer systems for a lot longer now. They can do a lot more, they can misuse a lot more, they can break a lot more.

Using this analogy of the lovely sort of mediaeval castle we've got here, where our end users and our workstations, the endpoints we want to harden, are sort of already within the castle walls, that defence in depth model kind of rings true because we've got the drawbridge, we've got the moats, we've got walls and turrets and castle guards already protecting in different layers.

But we can think of defence in depth even on the smaller scale of just the endpoints themselves. So effectively we're applying the philosophy on the smaller scale, but that doesn't necessarily make it any less complicated, because, like I said, finding out what you need to harden and what you need to harden to really goes so far as choosing sort of a framework, and maybe not even choosing, but having some frameworks enforced upon you. So these frameworks typically tell you from a very, very high level what you need to do to reduce the attack surface, and that's the important thing: the what, not necessarily the how. For example, PCI DSS.

If you are working with a lot of cardholder data, you're gonna have to be compliant with this in order to actually continue business. They set the objectives: you need to make sure that it is encrypted at rest, you need to make sure sort of primary account numbers are encrypted, not just at the disk level but the file level, the field level, but they don't tell you exactly how to do that.

Now, straying slightly from the exact model of PCI DSS, all of these frameworks will give you a higher level and focus on different areas of what your endpoints need to conform to, and I'm limiting this presentation just to the endpoints, without talking about the full scope of these frameworks; for example, PCI DSS talks about the network as a whole, and enforces not just sort of endpoint-based hardening.

But from this perspective, you really need to think about how you're going to implement them as opposed to what you need to do. So this is where what I've worked with a lot in my career comes in, with the Centre for Internet Security, CIS, "SIS" as I call it, so they publish benchmarks, which probably quite a lot of you are working to already, which is absolutely fantastic. These come in different levels, so different levels of security, Level 1, Level 2. You can see some examples at the top of this slide here for managing the user experience, just to do with sort of Windows updates and how we configure those. Some of the individual settings that these benchmarks specify should be made are kind of self-explanatory. For example, we really want updates to happen automatically. This is telling you how to do it: you change this registry setting to a certain value, you set this to enable, you set this to zero, etc. etc. Now, implementing these benchmarks can be quite difficult because

you can use CIS's own SecureSuite membership, which I've explored in the past, outside of this role, which is third party tooling. It's very good, it's kind of excessive sometimes to what an organisation might need. For example, I was working for a relatively small enterprise, much, much smaller than we currently are as Threat Spike now, where I was tasked with exploring this option, got a free version of SecureSuite and was able to use it as an auditing tool to see how compliant out of the box a Windows device might be, and how compliant we might need to be to sort of sell on to some of our customers.

But the SecureSuite membership also comes with hardened images, it also comes with sort of bespoke GPOs that contain all of the settings in a certain benchmark, and that's not just for Windows 11. They publish them for kind of like network endpoints like FortiGate firewalls, and there's like Intune hardening standards they do, benchmarks for Linux, for Mac; there's a lot of them, and they're quite comprehensive.

Whereas all the benchmarks are available for free, the tooling to actually implement them is not, so I actually created a GPO by hand in a past career, which is quite fun, if you want to put it that way, but it taught me a lot about the individual settings that this applies, because this, particularly for Windows endpoints, makes around 600 to 700 individual registry setting changes, which can be overwhelming to someone just looking at it, sort of on the off. But hopefully the next few slides will explain sort of a few of these niche cases within these benchmarks and how to apply them cohesively such that nothing kind of breaks,

because when you do actually press the big button, the big glowing button that enables CIS Level 1 for your Windows 11 device, many, many things happen to the device. Sort of instantly the benchmark is applied, registries are changed, and then the device just falls over, because applications that were relying on certain protocols to communicate with some of your other endpoints might be breaking, you know, users are complaining that they can't actually do anything, they can't even log into the device sometimes, because you've restricted their UX down to as minimal as possible, as it specifies, which is altogether brilliant for security, but to actually manage your business by applying hardening overnight, that's a big no-no. You basically don't want millions of support tickets opened in the end user experience and, more importantly, the critical assets that you've got shouldn't be affected to the point of things falling over.

So, having said that, before we go into a couple more niche ideas about CIS benchmarks Level 1, we're actually gonna throw it to another poll, so I'll add it to the stream now and throw it to you, Ellie.

Perfect, thank you, Joe. So for the second poll, we've got, what caused the most pain in your hardening rollouts? Is it A, printer, network and sharing issues; B, application compatibility; C, support ticket volume increasing dramatically as Joe just described; D, lack of testing before the hardening rollout; and last but not least, we haven't rolled out any hardening as of yet. Just whilst we wait for the answers to come through, Joe, is there a big difference between the different frameworks, and do they vary depending on location as well?

Interesting you say about locations, so yes, one of the examples that I did have up there was DISA STIG, so Security Technical Implementation Guidelines. That is mainly, well, it's American focused, so mainly in the US in sort of the defence industry. That's mainly applicable to them, and that's like PCI is sort of relevant for cardholder data environments where people need to secure those; you actually have to comply with that. You have to comply with things like DISA STIGs in order to work in the defence industry in the US, so yeah, they vary from place to place. We also have our own version of sort of Cyber Essentials, which is something that you can work to in the UK, which is a little bit lighter when it comes to sort of the high level requirements, but nonetheless will still specify certain levels of hardening your devices.

What I do like about CIS though, location-wise it's kind of universal, it's industry standard, and the way they actually write the benchmarks is informed by how users are using the benchmarks; they're sort of iterated on over time. So sort of a universal implementation guideline, and you can pull out different areas of CIS. There are mappings between like CIS and NIST, and even PCI, where you can take just the elements that are applicable to that framework and implement those, which I've done in the past for sort of industrial security standards rather than the IT sphere.

Interesting, yeah, I remember when DORA came out in the open, and everyone was scrambling, well, in Europe, scrambling to get compliant with DORA. There were a lot of LinkedIn posts going out about mapping DORA to CIS, ISO 27001, and all these different compliance frameworks, to try and see if there's any overlap and reduce that workload in such tight timescales.

Perfect. So, the answer to the poll then, the most common pain in terms of the hardening rollout seems to be application compatibility. So I'll hand back over to you, Joe, to touch on that before we take an even deeper dive.

Yes, right, OK, so it's interesting people are saying application compatibility, because when it actually says support ticket volume in there, that's kind of where the backbone of this presentation came from for me. So I obviously work as part of the support team here at Threat Spike along with the operations engineers, and we see tickets day to day; a lot of these are quite niche issues, different things happening with Windows which we've never seen before, I certainly hadn't seen before, almost a year ago, and we found very quickly, or I found very quickly, that a lot of these were related to the CIS controls that we were applying. Because our Threat Spike tooling allows us to apply CIS Level 1 benchmarks to Windows endpoints, and then suddenly, like you say, applications fall over, support tickets coming to us where we're seeing applications we've never worked with in our lives, that a setting, a configuration change that we've made, has caused issues, and so

over the past, well, my career in Threat Spike, it's been a bit of a process to make sure we are working with clients and their environments to take scope of things like their applications, if they have an application inventory, because we give them that through Threat Spike; if we have a scope of the devices we're applying hardening to, or even want to apply hardening to; what sort of operational procedures and secure configuration policies they have in place, so that they can work with not just their own team, but their end users, when they are applying these policies; and what kind of exceptions we want to put in place, which we'll go into in a second, to the CIS Level 1 benchmarks, sort of settings we don't actually want to implement, to make sure we've got informed hardening so we know what we're actually doing, aligning with the security tooling that we've got already and any policies we've got in place, and aligning with what our users think they're capable of, which we'll also see in a bit, and making sure we do have a staged rollout.

I mean, a lot of people who've worked with this hardening framework before have probably already been through a process of sort of testing it on some devices, but, even when testing it on some devices as part of rollouts that I've done myself, it's quite interesting to see that often the right devices or the right users aren't chosen to test these policies. Again, we'll go into that in a little bit, so

just going into a couple of examples of what sits in those two devices, it's not extensive because that presentation would take about 3 hours, but just looking at Windows default settings, so a few of these might look a bit complicated.

"Do not preserve zone information in file attachments", for example: what does that actually mean? Well, so the Attachment Manager won't warn users when they're opening files from untrusted sources, and it won't tell them where it's from, it won't tell them that they downloaded it from a suspicious site, it won't tell them that it's from a network file share; it won't preserve that zone information. However, we want to make sure that's disabled, CIS wants to make that disabled, as well as the other settings on here, it wants to set them to a certain value, and the impact of setting these to a certain value is nothing, because this should be Windows default. So the only reason you experience problems with these kinds of settings is if you do have a security policy in place and, harking back to that application compatibility, if there are certain apps that turn these off, so not sort of enforced by any GPOs, just by the installation of the app themselves, CIS will turn them on. It'll revert back to this Windows default, which has to be taken into account before we actually start the hardening process, but 99% of the time these shouldn't be an issue, they just look a bit complicated, and the benchmarks themselves do say that. Just, my personal plea for the benchmarks is they don't say that loud enough; it says impact none, this is the default behaviour like you see on the screen there, but they could be a little bit louder about it.

Then the next kind of thing we've got, we've got unwanted changes that might be made. So, if anybody's ever worked with even me or any of the team in Threat Spike implementing CIS, you've got these kinds of settings, like preventing usage of OneDrive, for example. This prevents usage of OneDrive, it turns it off, which means you can't actually access the OneDrive app, you can't save in the file picker, and if your end users are reliant on that, or your business is reliant on that as a whole, you aren't gonna get anywhere with that setting, so things we want to turn off. Not displaying the last signed-in user, which is quite funny when you do turn that on, because users who don't know their username... in fact, that's probably 3 or 4 times in the last year I've faced that problem, where we've gone through all of this preparation, implementing CIS Level 1, and suddenly realised that the team hasn't talked to their end users, the end users don't know their usernames, and so it locked them out because they couldn't log in: it no longer displayed the last signed-in user, they had to remember their name. It's quite funny.

And the Print Spooler, so a lot of issues around printing when it comes to CIS, not just the Print Spooler accepting client connections, making sure that new printers can't be added, but all the printers remain connected to the endpoints; it's to do with print driver installations as well, making sure that's only enforceable and installable by admin accounts, that's what this does as well. So I have turned that off in a couple of cases; again, it's just part of the process that some organisations might not want to work with that. When I say making exceptions or turning these off, this is part of what Threat Spike can do, so you'll see at the top there, just under one of our security controls, we've got a control that implements this framework and we can turn on or off any of these settings, depending on what the organisation is comfortable with and what their operations account for.

Which actually brings us into, I think, one of our last polls. I just wanna check with everyone listening: how are you currently managing sort of hardening exceptions and even like compliance tracking? It'd be interesting to know.

And Joe, just while we wait, we’ve got a question on the Q&A here. Do you think every endpoint can be hardened?

Interesting question. Well, OK, from a really high level, yes. You can work with any, well, let's cast aside secure configuration standards. You can work with any out of the box endpoint, whether it's Windows, Mac, Linux, even a Linux container, or even like a network endpoint, and out of the box there will be things that are turned on by default that you are never going to use. So let's think of an example. Ah, there we go, picture password sign-in on a Windows endpoint.

Nobody's probably used this, but it allows you, I've never used this, it allows you to set your password to log into your device as a sort of PNG image. And interacting with that image, clicking certain things, like if you've got a picture of a tree or something, clicking the apples in the tree signs you in. It's cool, it's really cool. I've never encountered that in the wild or otherwise, people using that, so

if that were to be exploitable, let's say, I don't know, people developing the Windows OS over multiple generations forget this feature exists and it eventually develops vulnerabilities, those who have turned that off, hardened it, have reduced their attack surface against any vulnerability that's ever going to pop up to do with that feature. Those who haven't are just kind of sat there waiting for something to go wrong, even though they don't use the feature, and that rings true for every single, I wanna say, computer in the world. There's always gonna be things that you aren't going to use, and the functionality is developed for everybody; you have to make it your own, that kind of thing.

OK, so like every business is different, so it’s about the use case behind whether you would or wouldn’t harden an endpoint?

Yeah, yeah.

OK, interesting, OK, so then the answer to the poll here, we've got two joint winners here, the first being half of the winning teams do the device hardening, or the management of it, via a manual process, e.g. a spreadsheet, and the other half use some sort of third party compliance platform. I suppose, Joe, it'd be good to hear some pros and cons of the two methods, and how you personally would approach the management.

Yeah, it's interesting to see. So manual process, that's kind of how everybody starts out, so that's effectively how I started out tracking things, exceptions for some of the clients I used to work with, whereby it's not necessarily all hardening exceptions, although they do fall under sort of a risk register where you're adding exceptions into there. I'll just bring this slide up again.

So everybody kind of starts out with using a manual process because there aren't that many exceptions in there, hopefully, but as you start to identify more, and particularly as you start sort of tracking the compliance through a third party tool, like Threat Spike, like Secure Score, like if you're using JumpCloud or something like that, the in-built tooling that they have, I suppose that falls under native tooling as well, then you're gonna see that there are a lot of things, like I reckoned before, that you aren't using, a lot of settings that you aren't using, so you might want to make exceptions for those, just to turn them off even though the compliance configuration doesn't specify that, or the other way, like we talked about with OneDrive, just reckoning that that needs to be disabled, as in turning that on, and you need to record that down somewhere. Adding it to the risk register is great, but if you have a separate tracker for all the compliance exceptions specific to the compliance framework you're using, then you really are laughing, because if somebody asks you, hey, why is this going wrong? Then you know it won't be anything that you've already turned off, you know it won't be the exceptions list that you already have causing issues, unless there's some kind of implementation issue.

So yeah, really good to see. There's a few people that have said they don't currently track exceptions as well, which is honestly fair, if the journey hasn't started, or even if you have gone into the journey of sort of hardening your devices to specifically CIS Level 1, you've implemented that framework and things have broken, things have fallen down, there is the option you can go down, which is a much harder path to go down, of not bending the compliance framework but bending your own rules, bending your own tooling, bending the applications that you use to fit with the new compliance framework. It's an incredibly difficult path to go down, but I have seen it done, sort of uprooting the tooling you're using to make sure it complies and works with the stringent configuration standards that you now have.

Um, OK, I’m gonna speed through a couple more slides. Just conscious of the time, guys. Um, so some of the really niche issues when we get into CIS level one as well.

Uh, user access control, no, user account control. This is one of the settings here, so ensuring behaviour of the elevation prompt for standard users is set to automatically deny elevation requests. That’s one of many different UAC, um, settings that CIS level one enforces. Now you’ll recognise it by the little pop up when users have to install an app, for example, they’ll want to elevate to admin. Now, if you haven’t gone through sort of, um, least privilege access control exercises already, then your users might still be admins on their devices themselves, which is great. This would kind of have to be ignored in that case, but should you enable this? Yes, you should, because, like you say, it’s a hardening configuration standard, you’re gonna reduce the attack surface. But can you enable this? You might not be able to. I’d say about fifty-fifty of the cases that I work with when I implement this, an org isn’t able to implement this control, uh, because they simply don’t have the infrastructure, the operational infrastructure, like their IT teams, um, to be able to provide local admin accounts to people that want to install apps, and they have hundreds of users that install apps on a day-to-day basis, because that’s their job, um.

This also falls under sort of the scoping issues with, um, certain settings, so Threat Spike allows you to do this, and if you do it by sort of a manual method like GPOs or Intune, you’ll be able to scope different settings, like this individual registry setting, to be turned off for some people, turned on for some people, enforced in different ways, depending on the nature of their job role.

Like your development team, for example, might be working with new libraries, new applications they need to install day by day, and so you want them to be able to do that without them having to badger you every 10 minutes, so you give them the infrastructure to do that and manage the password accordingly, um.

Brushing on simultaneous connections as well, so these two settings here, minimising simultaneous connections, um, to the internet or Windows domains, and prohibiting connections to non-domain networks. Your users, uh, it doesn’t seem like a big deal, but we tend to disable both these settings for the sake of the users, for the sake of usability, um, whether you’re in the office, remote, work from home, in the field, users are probably going to bridge networks, they’re probably going to be maybe unknowingly connected to your Wi-Fi network, your internal network, and there’s going to be an internet connection somewhere, uh, on either of those networks. Now, if you don’t have a firm grasp on what your network’s configured to, where your firewalls are going out to, um, suddenly turning these settings on means that your devices will prefer the domain joined network and that’s it. That guest Wi-Fi that your user’s been using for the last year that they’ve worked here without you knowing is going to be turned off, and they’re not going to be able to access that anymore, and users are gonna start complaining. So it’s another weird thing that we’ve had to troubleshoot in the past that, um, has caused issues mainly with usability.

Uh, we also have file sharing in SMB, that’s sort of a whole, um, suite of issues that this might cause, er, particularly around the SMBv1 server being disabled, so when you’re configuring, um, file sharing, if you’ve seen an error like this on the right of the screen, you’ve probably configured something incorrectly with the network path, or you can’t connect to the device through an earlier version of SMB. Now that doesn’t matter for, well, modern environments, uh, SMBv2 sort of overtook SMBv1 in 2014 because it was deprecated, um, but that doesn’t mean that all of your network devices are going to be modern devices, you might have some legacy systems and, more importantly, harkening back to earlier as well, you might have some legacy applications, particularly in the hospitality industry that we work with, um, there’s an anecdote from one of the first things I did at this company, I think, um. So there was a Saflok 6000 access management programme, um, a little image in the corner there, that was built to rely on SMBv1. In fact, it was built absolutely ages ago. Um, and when we turned on CIS, we actually stopped communications from that application to any of the endpoints that were managing it, um, and so, well, the access management system was effectively down for a few days, um.

That was an issue that nobody really realised until the problem was handled, so now, as part of our rollouts, what we tend to do is look at the application inventory we’ve got and see if there are any legacy systems in there that might rely on SMBv1. There’s the research that can be done either internally by us or within an IT team, and that’s part of the staging of, er, our controls as well: if we apply CIS to an endpoint that has this application installed and it relies on it, then we want to make sure this setting is at first, um, tested, turned on, so SMBv1 is disabled, does the application break, that kind of thing.

Um, so to sort of wrap up everything that we’ve talked about into a few concise points, really when you’re hardening things, information is the key, so you need to first choose an implementation method that fits your purpose after you’ve identified what you want to comply with, um, and that’s not necessarily 100% of the benchmark, that’s whatever secure standards you want to comply to yourselves, um.

You need to take scope of the operating systems you’ve got, whether there are some legacy systems in there, er, the application inventory that you’ve got, whether there are some legacy applications in there, um.

And then choose how you want to apply the framework, um, choose how you want to sort of omit the exceptions as well. Do you like the idea of a really instructive approach like the CIS benchmarks?

Do you have knowledge surrounding that, or is your internal team sort of not wanting to use any third parties, do they have, uh, the experience, the craft of bespoke hardening for your own compliance needs, uh, so your own secure configuration policies can feed into that, um.

There’s benefits to it, so the benchmarks are quite easy to measure compliance against, and the documentation is kind of already written for you, um, you can write a security configuration policy and just put CIS in there, um, with a couple of adaptations, um, but there’s drawbacks to implementing CIS as well, so we’ve spoken about things going wrong, we’ve spoken about the knowledge you need to have, um, and the experience you need to have with implementing it such that, um, nothing falls over in your already live, probably decade old environment that’s been running without this kind of hardening for years, um.

Feeding into sort of secure configuration policies as well, you will have existing policies in your org, sort of whether they’re written up or not, they might be unspoken, so, once you’ve decided the compliance goals, I want to be 75% compliant with CIS, um, you can develop your processes, um, sort of remoting into people’s devices to reconfigure policies or help them with escalating their local admin accounts, um, around, um, the hardening that you’ve done.

Or the reverse could be true. You might not have any policies, any procedures in place at all, but then you implement a framework, you decide you want to go for this 70% compliant with CIS level one. Cool. Now you can write your secure configuration management around that, you can, um, you can make your policies fit with the exceptions that you’ve made. Um, yes, you might have a legal obligation to be 1% compliant, but outside of that, it’s how you want to measure it, it’s all about your risk appetite, so.

A lot of small, medium enterprises that I work with, in fact most, to be honest, um, don’t have a secure systems configuration policy, um, as part of like ISO 27001 or otherwise, they don’t have an entire CSMS, for example.

Um, the application of this secure configuration and endpoint hardening can feed into that sort of as a cycle, I mean, it’s intended to be a cycle, it’s intended to be the configuration, the writing of a policy that enforces the configuration and then testing afterwards, continuous improvement.

Um, and I realise I have talked in the majority about CIS because that’s where the real problems lie, um.

But there are other hardening standards out there, um, CIS doesn’t cover everything, CIS covers endpoint hardening, which is great, but it might not be everything that you’re actually legally required to comply with from an endpoint hardening perspective, so, blocking USBs, managing removable media, um, disk encryption, er, or just general encryption for network, um, and data in transit, data at rest, and implementation of least privilege, they all come under it, um, and that’s where third party tooling like Threat Spike, um, would be able to work with you to implement that kind of thing as well, um.

And a little touch on testing, so making sure you have prevented as much as possible an influx of support tickets, um, making sure your end users are aware, you have that management of change process in place, and whether it’s not strict management of change, maybe it’s just communication to your end users, um, that hey, you are now part of, uh, a trial for the secure configuration we’re doing, we’re changing this, this, this, this is what you should be aware of, um, and us in Threat Spike, we typically do that for end users as well, we make, um, either IT managers or teams of people aware that, look, this is what you need to look out for. If you can’t use your device after we’ve made these changes, then we’ve made you aware.

Let us know what’s going wrong, um. And there is that touch on the rollback plan as well. If you do make a change, you’ve gotta be aware of how it was made and how you can roll it back, sometimes quickly. If it’s particularly, like, sensitive, like the SMBv1 problem that we talked about earlier, you gotta know when to roll that back and how to roll that back if end users are complaining, and a lot of that does come with experience, um, I can’t pretend you can kind of learn this from a book, um, it’s just troubleshooting.

More often than not you’re gonna see an error that you might not know about, and it’s part of the experience to sort of be prepared for those cases and know the full scope of the changes you’ve made so you can identify which one registry setting has gone wrong, um, and caused that issue.

Um, but yeah, like I said, Threat Spike can help you with a rollout like this. I mean, we come prepared. I’ve talked, um, at length about the preconfigured exceptions we’ve got and how we can actually implement those, um.

We have flexibility for enforcing policies by users, device groups, um, you might even apply differently depending on the settings, which, um, I mean we can certainly help you out with, and just by virtue of the fact that we’ve created this presentation, it’s hopefully giving you insight into how we’re ready to tackle these kinds of problems, and everything you’ve seen in this presentation is anecdotes from the past, from me and the rest of my team, when it’s come to weird things we’ve seen when we have implemented frameworks like this, so.

Just to summarise that, if you have an informed approach, if you’re aligned with your policies and you do sort of stage all the changes you’re making, make sure you’ve got that, um, realistic simulation of an end user environment and a communication and rollback plan, then you’re really gonna have a good time, um, you’re gonna have a good time with hardening your devices, um, and hopefully, you’re not gonna break everything, um.

So that is almost everything. Thank you very much for listening guys, um, I will hand over to Ellie though cos I believe we have one more poll.

Yes, thank you Joe, so for our last poll, if you would like to hear a bit more about how we do endpoint hardening without breaking everything, um, at Threat Spike in one of our services, um, let me start the poll there, and please feel free to answer yes and one of our team members will reach out to you. Of course, if you’re already a customer, fantastic, thank you for joining, it’s always great to, er, see you all on these, uh, types of things, um.

Yeah, so, uh, let’s leave that for a few seconds. Whilst I’m here, I just wanted to say a huge thank you for, uh, for joining us, Joe, and providing all the insights, um, that you see so often, um, with the onboarding process of various customers and the pain points that they were often experiencing before, um.

Definitely not something I could do, that’s for sure, especially in that technical depth, um, so I really appreciate your time with that one.

So for those that answered yes, one of our team members will reach out, but thank you all for taking the time out of your busy schedules to join us on this webinar.

We will be running them on a monthly basis, each month we’ll cover a different topic across IT and security.

Um, the invites will go out as normal, and the registration link as it did, uh, this time round, um, so keep an eye out. Our team will reach out directly to you all as well. Um, if you do have any questions following, um, the webinar, anything that springs to mind once this ends, please reach out to anyone at Threat Spike, and we’d be more than happy to get those questions answered.

Um, I know there were a couple of questions, uh, asked throughout, just conscious of the time, we’ll drop some written responses across to everyone on those questions as well, um, and that will go alongside the recording of today’s webinar. So thank you all again for joining, and we look forward to seeing you on the next one.

Have a great rest of your day.

Thanks guys.