So while waiting for all those patches to load, I did a lot of twitter reading and found that a number of pros have been recommending that we truly learn our network and what is running on it to better protect it. I mean its a simple enough concept, one would think you should know this anyway. Unfortunately when a network is built in spurts to accomplish a large increase in demands for resources, some things get pushed aside, mainly documentation. This is what I walked into 6 months ago. In that 6 months I had a full inventory of both servers and workstations, documentation on the functions of all the servers. That lead to me being able to decom a bunch of systems. Awesome when you ask someone what this does and they stare at you blankly (and they've been there for years). So, we turn it off and see what breaks! There I go again so back on track...
So whitelisting, awesome concept, I am currently working on a plan to implement this concept little by little. I have been setting up the AV policies to utilize the IDS/IPS features to whitelist applications and prevent certain directories from being written to, that should cut down on instances of Fake AV, which are rare but do happen based on the nature of user profiles. I am also in the process of getting data for implementing egress on our firewalls. The next big chunk will be to actually utilize the nice expensive switches and really segment the network, not just block it off for organizational purposes.
So the reason I am posting, I am curious to see if others are taking the advice and beginning to implement similar plans, or if you have already done so. I'd be interesting in getting some feedback and even any difficulties you may have had with certain parts of the implementation. Also how did you get management to buy into it? The team lead in our department has been trying to get NAC implemented but it keeps getting cut and he's also been trying to secure the VLANs better but keeps getting pulled to do other projects. The management doesn't seem to get that all the patching in the world isn't going to protect you from a determined party and that we should be spending more energy at know what belongs on our network than blindly securing systems.
Sorry if this was long, but sometimes the mind shoots into overdrive. I look forward to your comments!!