Not sure where this fits since its not just about malware or firewalls.  Anyway I just finished about a 3 month project to get my organization (that I've been at for 6 months or so) caught up on years of back patching.  Unfortunately the ISO's words of wisdom consisted of "install all patches because they are old"  regardless of whether or not the patch was deemed critical by MS or whether they had posed any risk to the organization.  "Even this DVD/CD no-autorun patch for our servers that no one can get physical access too and we don't frequently load media in..."  "yes because its old..."  but I digress...

So while waiting for all those patches to load, I did a lot of twitter reading and found that a number of pros have been recommending that we truly learn our network and what is running on it to better protect it.  I mean its a simple enough concept, one would think you should know this anyway.  Unfortunately when a network is built in spurts to accomplish a large increase in demands for resources, some things get pushed aside, mainly documentation.  This is what I walked into 6 months ago.  In that 6 months I had a full inventory of both servers and workstations, documentation on the functions of all the servers.  That lead to me being able to decom a bunch of systems.  Awesome when you ask someone what this does and they stare at you blankly (and they've been there for years).  So, we turn it off and see what breaks!   There I go again so back on track...

So whitelisting, awesome concept, I am currently working on a plan to implement this concept little by little.  I have been setting up the AV policies to utilize the IDS/IPS features to whitelist applications and prevent certain directories from being written to, that should cut down on instances of Fake AV, which are rare but do happen based on the nature of user profiles.  I am also in the process of getting data for implementing egress on our firewalls.  The next big chunk will be to actually utilize the nice expensive switches and really segment the network, not just block it off for organizational purposes.

So the reason I am posting, I am curious to see if others are taking the advice and beginning to implement similar plans, or if you have already done so.  I'd be interesting in getting some feedback and even any difficulties you may have had with certain parts of the implementation.  Also how did you get management to buy into it?  The team lead in our department has been trying to get NAC implemented but it keeps getting cut and he's also been trying to secure the VLANs better but keeps getting pulled to do other projects.  The management doesn't seem to get that all the patching in the world isn't going to protect you from a determined party and that we should be spending more energy at know what belongs on our network than blindly securing systems.

Sorry if this was long, but sometimes the mind shoots into overdrive. I look forward to your comments!!

Yeah I've been running the Application and Device control feature in SEP in a logging only mode and it captures quite a bit.  Found a great article on it as well.  Our environment isn't too riddled with random pieces of software.  For most people Office, IE, Adobe, Java and our special in-house applications are it.  I think it is quite possible to do and I will eventually be testing on a small group.  As for the networking side, that is definitely possible, but management has always had us put it on the back burner for whatever their monthly crisis is.

If anything, the research portion will be a good thing for me even if it doesn't get implemented at my current place of employment.

140 workstations, 100 or so servers.  It probably is a pipe dream though even if I can implement part of the plan, I'd be happy.  Man some days I wish I could get the chance to build from the ground up. 

That's too bad Andy.  I have determined that I will probably focus on pushing for a better organized network and in the meantime I can continue running SEP's logging on its App/Device control feature.  Sadly our Network engineer is very protective of his duties and gets very defensive when we want to make changes to it.  We think its because he doesn't know how to utilize VLANs. 

I just need to word my proposal so that the managers realize that we don't need any new flashy tools, we just need to utilize the ones we have efficiently.

Here's some whitelisting related stuff. One's a bit old but the idea is still the same.

At a TED talk
www.youtube.com/watch?v=o59mQhBiUo4

http://www.ranum.com/security/computer_security/editorials/dumb/

I don't know if I agree with everything he says (he hates hackers) but it is food for thought, especially the Default Permit.

Is that were these gray hairs are coming from??  hmmm damn them!  Thanks for the links WCNA.

So of course this side project will be put on hold since they will be decided what mystery projects we will have ti do before the year end.  And even better, got a "temp" manager for the next few months and he's another MBA hopeful with little relevant experience and seems to enjoy micromanagement.  Oh well makes for a good reason to make sure the resume is updated.  :-p