"I run an IT department and I have no real budget for anything the CEO cannot see."
Whatever else that sentence may say about the state of business, it is often true.
Here is a quick list of resources that are free or super cheap that can help you (the IT department) get the situational awareness you need in order to keep things secure. Just remember that Time=Money so while the initial Money cost is low, the Time cost makes up for it.
1) Inventory and Maintenance - Spiceworks. Actually I am less and less happy with Spiceworks because it "requires" admin level access to desktops and servers (and switches) to give really useful data. As such it kind of scares me. However, it is free and useful. Just be very careful with it... maybe don't leave it on all the time? I have not yet found a comfortable level of use but I'm working on it.
2) SNMP Monitoring - Spiceworks can do this, but I don't like it as stated above. So I have been using Observium. Really powerful, and free for basic use. The paid (more updates and some support) version is ~$200/year. Not going to break the bank with that one. It's also pretty, capable, and as secure as you choose to make it. On a side note, remember to use different SNMP community names for every class of device, make them random and long, disable version 1 (and 2 if you can) and try to use read only whenever possible. Oh, right, and set up Apache to run HTTPS. Install guides are on the Observium website and Apache SSL tutorials abound. I used this one for CentOS.
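The SNMP advice above (unique, long, random community names per device class; read-only; v1/v2c off) is easy to state and easy to drift away from. Here is an added example, not from the post and not part of Observium or Net-SNMP, that audits a Net-SNMP style snmpd.conf for those exact points and generates per-class community strings. The sample configurations, the 20-character minimum and the finding codes are my own constructed assumptions.

```python
import secrets
import string

# Constructed sample snmpd.conf fragments (Net-SNMP directive syntax); not from the post.
WEAK_SNMPD_CONF = """\
# default-style configuration an agent often ships with
rocommunity public
rwcommunity private 192.0.2.0/24
rouser monitor priv
"""

HARDENED_SNMPD_CONF = """\
# SNMPv3 only: no v1/v2c community directives at all
rouser monitor priv
"""

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 20          # assumed policy minimum for a community string
V1_V2C_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec"}


def audit_snmpd_conf(text):
    """Return a list of (line_no, finding_code) for settings that contradict the advice above."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive not in V1_V2C_DIRECTIVES:
            continue                              # rouser etc. are SNMPv3 and fine

        # Any community directive means SNMPv1/v2c is reachable on this agent.
        findings.append((line_no, "v1_v2c_enabled"))

        if directive == "com2sec":
            # com2sec NAME SOURCE COMMUNITY
            community = parts[3] if len(parts) > 3 else ""
            source = parts[2] if len(parts) > 2 else ""
        else:
            # rocommunity/rwcommunity COMMUNITY [SOURCE [OID]]
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else ""

        if directive.startswith("rw"):
            findings.append((line_no, "write_access"))
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, "default_community"))
        if len(community) < MIN_COMMUNITY_LEN:
            findings.append((line_no, "short_community"))
        if source in ("", "default"):
            findings.append((line_no, "no_source_restriction"))
    return findings


def generate_community(length=32):
    """Random community string from a cryptographic source (letters and digits only,
    so it never needs quoting in snmpd.conf)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def communities_per_class(device_classes, length=32):
    """One independent community string per device class, as the post recommends."""
    return {cls: generate_community(length) for cls in device_classes}


if __name__ == "__main__":
    for line_no, code in audit_snmpd_conf(WEAK_SNMPD_CONF):
        print(f"line {line_no}: {code}")
    print("hardened findings:", audit_snmpd_conf(HARDENED_SNMPD_CONF))
    for cls, community in communities_per_class(["switches", "servers", "printers"]).items():
        print(f"rocommunity {community} 192.0.2.0/24   # {cls}")
```

Run it against your real snmpd.conf (or the per-device-class file you hand to Observium) and treat any finding as a to-do; the `v1_v2c_enabled` code is informational if you genuinely cannot move a device class to SNMPv3 yet, while `write_access` and `default_community` should never survive.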
3) Log Collection and Correlation - Make an ELK (Elasticsearch, Logstash and Kibana) stack. This has gotten easier since I first started talking about it. Splunk is still the gold (platinum?) standard and it still costs a huge amount to run. What I have been toying with lately is using my deeply limited free Splunk install to fine tune my log correlation rules (one server at a time) and then applying what I learn to the ELK stack. You can get a basic idea of what Windows logs to keep an eye on by going here or here or here. If you're running a VM, you can use the very badly named SexiLog which is an OVF running Elastic with tweaks for keeping track of VM logs, but can also handle everything else too. Lastly there is the Nagios version. It has a nice front end, comes with support. It is not free, but is far less expensive than Splunk and very robust. Here is a nice little write up on it.
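To make "log correlation rules" concrete, here is an added example (mine, not from the post, and not a Logstash or Splunk artifact) of the kind of rule you would prototype on one server and then port to the ELK stack: a sliding-window count of Windows failed logons (event ID 4625) per source address, with a second alert if a successful logon (4624) from the same address follows the burst. The events are constructed samples in a simplified Winlogbeat-like shape; the field names, the 5-in-60-seconds threshold and the rule names are my assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
THRESHOLD = 5            # assumed: failures per source within WINDOW that count as a burst
WINDOW = timedelta(seconds=60)

# Constructed sample events (simplified fields); not real logs from the post.
SAMPLE_EVENTS = [
    {"@timestamp": "2015-06-01T09:00:00Z", "event_id": 4625, "user": "carol", "src_ip": "203.0.113.9"},
    {"@timestamp": "2015-06-01T09:05:00Z", "event_id": 4625, "user": "carol", "src_ip": "203.0.113.9"},
    {"@timestamp": "2015-06-01T10:00:00Z", "event_id": 4625, "user": "admin", "src_ip": "198.51.100.7"},
    {"@timestamp": "2015-06-01T10:00:05Z", "event_id": 4625, "user": "admin", "src_ip": "198.51.100.7"},
    {"@timestamp": "2015-06-01T10:00:10Z", "event_id": 4625, "user": "admin", "src_ip": "198.51.100.7"},
    {"@timestamp": "2015-06-01T10:00:15Z", "event_id": 4625, "user": "admin", "src_ip": "198.51.100.7"},
    {"@timestamp": "2015-06-01T10:00:20Z", "event_id": 4625, "user": "admin", "src_ip": "198.51.100.7"},
    {"@timestamp": "2015-06-01T10:00:40Z", "event_id": 4624, "user": "admin", "src_ip": "198.51.100.7"},
    {"@timestamp": "2015-06-01T10:01:00Z", "event_id": 4625, "user": "bob",   "src_ip": "192.0.2.10"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events):
    """Return a list of alert dicts. Events may arrive out of order; they are sorted by time."""
    alerts = []
    recent_failures = defaultdict(deque)   # src_ip -> timestamps of 4625s inside WINDOW
    burst_seen_at = {}                     # src_ip -> time the last burst alert fired

    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        ts, ip = parse_ts(ev["@timestamp"]), ev["src_ip"]

        if ev["event_id"] == FAILED_LOGON:
            window = recent_failures[ip]
            window.append(ts)
            while window and ts - window[0] > WINDOW:   # expire old failures
                window.popleft()
            if len(window) >= THRESHOLD:
                alerts.append({"rule": "failed_logon_burst", "src_ip": ip,
                               "count": len(window), "at": ev["@timestamp"]})
                window.clear()                           # one alert per burst, not per event
                burst_seen_at[ip] = ts

        elif ev["event_id"] == SUCCESS_LOGON:
            last_burst = burst_seen_at.get(ip)
            if last_burst is not None and ts - last_burst <= WINDOW:
                alerts.append({"rule": "success_after_burst", "src_ip": ip,
                               "user": ev["user"], "at": ev["@timestamp"]})
                del burst_seen_at[ip]                    # do not re-alert on later successes
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The two slow failures from 203.0.113.9 and the single one from 192.0.2.10 produce nothing; the five-in-twenty-seconds run from 198.51.100.7 fires the burst rule, and the success forty seconds after it fires the second rule, which is the one worth paging on. Tune THRESHOLD and WINDOW per server class before you port the logic to Logstash or a Kibana alert.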
4) IDS/SIEM - The fair warning of Time=Money goes six times over on this one. These things take a lot of attention to get them set up correctly, and even then they need to be tweaked all the time. That being said, AlienVault OSSIM works well enough for most of us. AlienVault USM is the paid product and is expensive, but has good support.
5) Up-time and Accessibility - Most of us have external servers/services and internal servers with outward facing sites. Monitoring it from inside the network is not the best way to keep tabs on it. I use/like the Monitor.us free monitoring dashboard. Simple pings, uptime, full page loads, etc... From two locations around the world.
With a VMware/Hyper-V server and these tools, you can get a decent view of your network without spending too much money. If you spend some time at home building these out in your lab (or even a work lab if you're lucky enough to have one) you should be able to get it all running together without too much time spent, but as always RTFM.
Good luck.