Twitter thread, 18 tweets
The breadth and scale of change required to secure enterprise-scale companies from cyber security threats is overwhelming. When it comes down to it, what really matters is the threat. Here are a few questions to consider.
1/ How are you building resilience into your environment so that you can withstand the compromise of a few systems by an attacker without the security of your entire environment being compromised?
2/ How are you preventing lateral movement? (think securely architecting/implementing Active Directory, credential hygiene/good admin practices, managing service/privileged accounts, host-based firewalls, incremental network segmentation, hardening systems, LAPS)
3/ How are you reducing the impact of a standard user being compromised? (think removing local admin access, segmenting endpoints from servers/endpoints, limiting the network shares a standard user can access and systems/databases/applications they can connect to/access)
4/ How are you attempting to slow down an attacker within your environment to increase opportunities to detect and respond to them? (think increasing the complexity of the attack paths, reducing opportunities along attack paths, taking actions to frustrate/disrupt attackers)
5/ How are you reducing the time to effectively detect and respond to attacker activity within your environment? How are you constantly improving SOC capabilities? How are you ensuring the first time your SOC responds to a sophisticated threat actor is not the real deal?
6/ How are you mapping the likely attack paths attackers will take through your environment to reach their objectives? How are you targeting layered protection and detection capabilities at increasing the cost to an attacker of executing every stage of these?
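Questions 4 and 6 ask for attack paths to be mapped and for hardening to be aimed at making every stage of those paths more expensive. The following added example (not part of the original thread) builds a constructed toy environment as a directed graph of the relationships the thread mentions (group membership, local admin rights, logged-on sessions), finds the shortest path from a compromised standard user to Domain Admins, and scores candidate mitigations by how much they lengthen or cut that path. The hosts, accounts and relationships are all assumed sample data.

```python
"""Map attack paths through a small constructed environment and rank hardening
options by their effect on the shortest path to Domain Admins.

Added example, not code from the original thread. The environment, node names
and mitigation list below are constructed assumptions."""
from collections import defaultdict, deque

# Directed edges (kind, source, target): controlling `source` gives control of `target`.
# Constructed sample environment.
EDGES = [
    ("MemberOf",   "user:alice",              "group:Workstation Users"),
    ("AdminTo",    "group:Workstation Users", "host:WS01"),   # standard users are local admins
    ("AdminTo",    "group:Workstation Users", "host:WS02"),
    ("HasSession", "host:WS01",               "user:svc_backup"),  # service account logged on interactively
    ("AdminTo",    "user:svc_backup",         "host:FILE01"),
    ("AdminTo",    "user:svc_backup",         "host:SQL01"),
    ("HasSession", "host:SQL01",              "user:dave_da"),     # domain admin credentials cached on a server
    ("MemberOf",   "user:dave_da",            "group:Domain Admins"),
    ("HasSession", "host:WS02",               "user:dave_da"),     # domain admin logged on to a workstation
]

START = "user:alice"            # a compromised standard user
GOAL = "group:Domain Admins"    # the attacker's objective

# Hardening options, each expressed as a predicate over edges it would remove.
MITIGATIONS = {
    "remove local admin from standard users":
        lambda kind, src, dst: kind == "AdminTo" and src == "group:Workstation Users",
    "stop DA logons to workstations":
        lambda kind, src, dst: kind == "HasSession" and src.startswith("host:WS") and dst.endswith("_da"),
    "stop interactive logons by service accounts":
        lambda kind, src, dst: kind == "HasSession" and dst.startswith("user:svc_"),
}


def build_adjacency(edges):
    adj = defaultdict(list)
    for _, src, dst in edges:
        adj[src].append(dst)
    return adj


def shortest_path(edges, start, goal):
    """Breadth-first search; returns the node list of a shortest path or None if unreachable."""
    adj = build_adjacency(edges)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def hops(edges, start, goal):
    """Number of steps an attacker needs, or None when the objective is unreachable."""
    path = shortest_path(edges, start, goal)
    return None if path is None else len(path) - 1


def rank_mitigations(edges, start, goal):
    """Re-run the path search with each mitigation applied; None means the path is cut."""
    results = {}
    for name, removes in MITIGATIONS.items():
        remaining = [e for e in edges if not removes(*e)]
        results[name] = hops(remaining, start, goal)
    return results


if __name__ == "__main__":
    print("baseline path:", " -> ".join(shortest_path(EDGES, START, GOAL)))
    for name, result in rank_mitigations(EDGES, START, GOAL).items():
        print(f"{name}: {'path cut' if result is None else f'{result} hops'}")
```

On this sample, the baseline path is four hops (alice, her workstation group, WS02, the domain admin's session there, Domain Admins). Removing local admin from standard users cuts the path entirely, stopping domain admin logons to workstations forces the attacker onto the six-hop route through the service account, and stopping interactive service-account logons, while correct hygiene, leaves the shortest path unchanged. That is the point of question 6: rank fixes by their effect on the paths that matter, not by how reasonable they sound in isolation.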
7/ How are you thinking about the behaviours likely to be carried out by an attacker? How are you hunting for these? How are you configuring/testing capabilities to detect them? (think clearing event logs, interactive logons by service accounts, performing recon/enumeration)
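The three behaviours named in question 7 (clearing event logs, interactive logons by service accounts, recon/enumeration) can each be expressed as a simple hunting rule over Windows Security events. The added example below (not from the original thread) runs such rules over a constructed sample of parsed event records. The event IDs are the real Windows ones (1102 audit log cleared, 4624 logon, 4688 process creation); the account names, hosts, timestamps and the service-account list are constructed assumptions.

```python
"""Hunting rules for three attacker behaviours over constructed Windows Security
event records: cleared audit logs, interactive logons by service accounts, and
bursts of enumeration tooling.

Added example, not code from the original thread. Event IDs and logon types are
the standard Windows values; all sample records and account lists are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, shaped like parsed Security-log records.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "id": 4624, "host": "WS01", "user": "alice", "logon_type": 2},
    {"time": "2024-03-01T09:05:00", "id": 4624, "host": "SQL01", "user": "svc_sql", "logon_type": 5},
    {"time": "2024-03-01T09:07:00", "id": 4624, "host": "WS07", "user": "svc_sql", "logon_type": 10},
    {"time": "2024-03-01T09:08:00", "id": 4688, "host": "WS07", "user": "svc_sql", "process": "whoami.exe"},
    {"time": "2024-03-01T09:08:10", "id": 4688, "host": "WS07", "user": "svc_sql", "process": "net.exe"},
    {"time": "2024-03-01T09:08:20", "id": 4688, "host": "WS07", "user": "svc_sql", "process": "nltest.exe"},
    {"time": "2024-03-01T09:09:00", "id": 4688, "host": "WS07", "user": "svc_sql", "process": "net.exe"},
    {"time": "2024-03-01T09:30:00", "id": 1102, "host": "WS07", "user": "svc_sql"},
    {"time": "2024-03-01T10:00:00", "id": 4688, "host": "WS01", "user": "alice", "process": "whoami.exe"},
]

# Accounts that should never hold an interactive session (assumed to be maintained by the admins).
SERVICE_ACCOUNTS = {"svc_sql", "svc_backup"}
# Logon types for human-style sessions: 2 = console, 10 = RDP. Type 5 is a service start.
INTERACTIVE_LOGON_TYPES = {2, 10}
# Built-in tools often seen during enumeration; a single run is noise, a burst is the signal.
RECON_PROCESSES = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe"}
RECON_THRESHOLD = 3
RECON_WINDOW = timedelta(minutes=5)


def detect_log_clears(events):
    """Every 1102 is worth a ticket: clearing the Security log is rarely legitimate."""
    return [{"rule": "audit_log_cleared", "host": e["host"], "user": e["user"], "time": e["time"]}
            for e in events if e["id"] == 1102]


def detect_service_interactive_logons(events):
    """4624 with an interactive logon type by an account on the service-account list."""
    return [{"rule": "service_account_interactive_logon", "host": e["host"], "user": e["user"], "time": e["time"]}
            for e in events
            if e["id"] == 4624 and e["user"] in SERVICE_ACCOUNTS
            and e.get("logon_type") in INTERACTIVE_LOGON_TYPES]


def detect_recon_bursts(events):
    """RECON_THRESHOLD or more recon processes by one user on one host inside RECON_WINDOW."""
    runs = defaultdict(list)
    for e in events:
        if e["id"] == 4688 and e.get("process", "").lower() in RECON_PROCESSES:
            runs[(e["host"], e["user"])].append(datetime.fromisoformat(e["time"]))
    alerts = []
    for (host, user), times in runs.items():
        times.sort()
        # Sliding window: compare each event with the one RECON_THRESHOLD-1 events earlier.
        for i in range(RECON_THRESHOLD - 1, len(times)):
            if times[i] - times[i - RECON_THRESHOLD + 1] <= RECON_WINDOW:
                alerts.append({"rule": "recon_burst", "host": host, "user": user, "time": times[i].isoformat()})
                break  # one alert per (host, user) is enough for triage
    return alerts


def hunt(events):
    """Run all three rules and return the combined alert list."""
    return detect_log_clears(events) + detect_service_interactive_logons(events) + detect_recon_bursts(events)


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the service logon on SQL01 (type 5) and alice's lone `whoami.exe` are correctly ignored, while the RDP logon by `svc_sql`, its burst of enumeration tools and the later log clear on WS07 each raise an alert. Rules this simple are only as good as the inputs behind them, which is why question 9's point about standardising admin behaviour matters: the service-account list and the "no interactive logons" expectation have to be true before the rule means anything.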
8/ How are you prioritising what you are monitoring? (think ensuring you have monitoring for the key areas we see attackers abusing time and time again - endpoints, identity and data, with tech like EDR/MDR, Windows ATA, database activity monitoring)
9/ How are you standardising behaviours and enabling/training/enforcing good administration practices in your environment to enable detection capabilities to be effective?
10/ How are you reducing the attack surface your users present to attackers and building a perimeter around your users? (think restricting macros, web content filtering with SSL inspection, email filtering with whitelisting, isolating untrusted content)
11/ How are you modernising your environment to be able to defend against modern threats and take advantage of easy to enable/scalable modern security capabilities? (think accelerating the rollout of end users onto Windows 10, modern cloud based identity management e.g. Azure AD)
12/ How are you moving your users and the services they rely on away from your on-prem network and into the cloud as quickly as possible to take advantage of in-built security benefits? (think O365, Google Drive)
13/ How are you working to rid your environment of the perils of standard single factor password authentication? (think MFA, SSO, Conditional Access, banned password list, detection of anomalous login attempts)
14/ How are you grounding your activities in an attacker’s perspective of your environment? How are you using attacker tools to understand the realities of what your network, systems and data look like? Do you know how many Domain Admin (DA) accounts you have and where they are being used?
15/ How are you constantly re-validating assumptions that underpin the security of your environment, for example that security boundaries are enforcing trust/connectivity segmentation, MFA is enabled on all external facing systems and cloud systems are configured correctly?
16/ How are you validating risk reduction in the tooling you have bought and deployed? (think replaying attacks in repeatable ways before and after capabilities are deployed, validating visibility/coverage by simulating malicious activity, and automating all of this)
17/ How are you prioritising the delivery of the key capabilities that mitigate risk? How are you measuring realised risk reduction? How are you ensuring that you are not shying away from difficult decisions requiring business change, for example restricting the use of macros?
Thread by Will Oram