Security Portfolio
These are a few impactful projects & experiences that I have initiated, championed, been a part of, or led to completion; most with the goal of enhancing our security posture, optimizing security, or reducing risk.
MFA Hardening
It's not enough to have only some of your users on MFA, and only then using SMS.
In line with a core value of "improving always", I championed and implemented an initiative to harden our MFA across all 500+ employee accounts. The goal was to move to the Microsoft Authenticator app, to pair with our hybrid work environment. Why? This was a bonus for many reasons:
faster/one-click login (typically)
easier to deny MFA prompts you didn't initiate (which alerts the security team)
easier pairing with conditional access policies
doubles as an offline TOTP inside the app in case of no internet/service
SIM swap resistant
standardization across the organization
All accounts already had some sort of MFA, ranging from an app, TOTP, SMS text, to Voice Call. Roughly 43% of accounts were using the Authenticator app in some way, or at least had it downloaded at one point but might not be currently using it. For sure 36% of colleagues had it as default. For the remaining 64%, I initiated an Azure registration campaign and sent communication of the MFA changes, coupled with a training guide on how to easily set it up via the QR code. Over a roughly 4-6 week span, these short email bursts (a few dozen at a time) yielded very few questions and an abundance of joy from people who were grateful to see the "legacy" voice call/text system go away. In total, I only had to reach out to roughly 3 dozen people directly to help them set up the app, and mostly this was simply due to their fear/misunderstanding of the app and its requirements. After a quick explanation, they were all just as thrilled and easily migrated. Overall, the project was a great success and resulted in reduced risk and increased visibility.
This transition included enabling multiple key features for all users:
system-preferred MFA with Microsoft so logins would automatically use the strongest available MFA method
location messages in the Microsoft Authenticator MFA notifications to help colleagues gauge
number matching for MFA prompts when possible
Security Awareness Initiative
One of the strongest advantages any company can have against cyber threats is building a strong human firewall.
Rolling out the security awareness initiative was one of my favorite tasks. It combines my passion for sharing cybersecurity education with my passion for innovating. My goal with this project was to get us on a more secure footing from a security knowledge and understanding standpoint. A lot of colleagues know the bare minimum, sometimes barely that - which is no fault of their own! They have their own jobs. However, once-a-year training is simply not good enough anymore.
I rolled out a 3-phase plan to get security ingrained into people's minds. Even if they aren't security gurus, it is worthwhile for them to have the exposure and at the least know the bare minimums of how to report, who to go to, and what to spot.
Phase 1: Phishing Simulations
This consisted of migrating from a quarterly/biannual simulation to a monthly simulation with changing templates and constantly updated targets. After implementation and a fix, this resulted in the most accurate collection of phishing sim data in the past 2 years.
Phase 2: Continuous Training
This phase is key to security awareness. Rather than just once-a-year training for compliance, I crafted dozens of weekly cybersecurity "tips" (small sentences/paragraphs) to be shared on our intranet, roughly a dozen content topics for security awareness emails, and set the stage for this content to be disseminated throughout the year firm-wide.
Phase 3: Cybersecurity Repository
Finally, something often overlooked is "where" to go for security information. It's often challenging to hunt through your emails, or for new hires to find the right information, especially if someone decides to look something up online rather than check corporate policy. So creating a repository for internal security documentation, training, and policies is key to ensuring colleagues have the resources available for success.
IAM & Application Audits
Do you check if your cloud applications have old, stale accounts? Do they follow your cyber policies too?
One of the key aspects of IAM, yet arguably one of the hardest, is keeping track of your user & admin accounts. All accounts. Everywhere. It's often overlooked that you not only need to keep track of your core accounts, like those within Active Directory, but also your various application accounts that aren't tied to SAML or SSO. Tools, apps, and websites that people across your firm use frequently for their job. Especially licensed accounts!
As part of an annual NIST SP 800-53A assessment to review compliance with the HIPAA Security Rule, I audited over 140 SaaS applications by having application owners pull lists of current users, permissions, data of recent audits, and admin information. In an attempt to determine if an application was being well-maintained from an account management standpoint, I compared the obtained data against our current active employee list, people who should have been administrators, permissions against the principle of least privilege, password policies, and other similar data points.
With this information in hand, I was able to find that:
INACTIVE: an extremely large number of apps had not been removing former employees or inactive accounts
ADMINS: many apps had admin-level permissions for standard user roles
PWD: many accounts hadn't had password resets, didn't use MFA, or didn't keep passwords in line with our password policy
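As an added illustration of the audit described above (not the portfolio's own tooling), the script below reconciles one SaaS app's user export against the HR active-employee list and a password/MFA policy, and sorts the results into the three finding categories. The 90-day password age, the "standard" job roles, and all sample users are constructed assumptions.

```python
# Added example: reconcile a SaaS app's user export against the active-employee
# list and produce the INACTIVE / ADMINS / PWD findings of the IAM audit.
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90                      # assumed policy value
STANDARD_JOB_ROLES = {"analyst", "associate"}  # assumed roles that should never hold app admin
AUDIT_DATE = date(2024, 6, 1)                   # constructed "today" for the audit run


@dataclass
class AppUser:
    email: str
    app_role: str            # "admin" or "user" inside the application
    mfa_enabled: bool
    last_password_reset: date


def audit_app(app_users, active_employees, today):
    """Return {"INACTIVE": [...], "ADMINS": [...], "PWD": [...]} of normalized emails.

    active_employees maps lowercase email -> job role (from the HR list).
    """
    findings = {"INACTIVE": [], "ADMINS": [], "PWD": []}
    for u in app_users:
        email = u.email.strip().lower()          # app exports are rarely case-consistent
        job_role = active_employees.get(email)
        if job_role is None:
            findings["INACTIVE"].append(email)   # former employee, account never removed
            continue
        if u.app_role == "admin" and job_role in STANDARD_JOB_ROLES:
            findings["ADMINS"].append(email)     # admin rights on a standard user role
        too_old = (today - u.last_password_reset).days > MAX_PASSWORD_AGE_DAYS
        if not u.mfa_enabled or too_old:
            findings["PWD"].append(email)        # no MFA or password outside policy
    return findings


# Constructed sample data: HR list and one application's user export
ACTIVE_EMPLOYEES = {"alice@example.com": "analyst",
                    "bob@example.com": "it-admin",
                    "carol@example.com": "associate"}
APP_EXPORT = [
    AppUser("Alice@example.com", "admin", True, date(2024, 1, 10)),
    AppUser("bob@example.com", "admin", True, date(2024, 5, 1)),
    AppUser("carol@example.com", "user", False, date(2024, 5, 20)),
    AppUser("dave@example.com", "user", True, date(2023, 2, 1)),   # left the firm
]

if __name__ == "__main__":
    for category, users in audit_app(APP_EXPORT, ACTIVE_EMPLOYEES, AUDIT_DATE).items():
        print(category, users)
```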
Granted, these findings were not only a concern for the NIST assessment; realistically they displayed a gap that needed to be quickly addressed. After meeting with the senior engineer on the team, I developed a plan which, coupled with our ongoing SAML project, led to major IAM risk reduction. Some of the steps I outlined for the department are listed below:
Created relevant education for principle of least privilege, IAM, and password policies for all app owners
Created a once-a-quarter standardized IAM audit for application owners to individually cross-check active users themselves, sending a copy of the final audit to IT Security
Sent out a questionnaire to app owners to discover which SaaS apps can be migrated to SAML
Offered one-on-one and follow-up meetings with app owners for training and explanations as needed
Assisted dozens of app owners in the manual "cleanup" of stale accounts, settings, and permissions
Securing the Global Workforce
It's no longer enough to just geofence. As we start to work globally, we have to be secured globally.
Traveling internationally has become more popular recently as COVID concerns subside. However, with the large rise in proxy and VPN usage, even a pretty common tourist destination like the UK, France, or Germany can land you amidst IP ranges that are flagged as potentially malicious due to their location. This is why a lot of companies implement standardized "geo-fencing" by simply blocking countries other than their home country and calling it a day. In today's environment, that's simply not effective anymore, especially when so many threat actors use US-based proxies, and in fact it can sometimes put a strain on your business workflows or colleagues' travel plans.
One of the most dreaded downsides to always saying "no" and blocking international access is finding ways to deal with the unintentional insider threat and data loss issues that arise when someone decides to make custom workarounds with email forwarding rules or by copying company data to an online storage website like Box, Dropbox, OneDrive, Drive, etc. to bypass blocks.
With this in mind, I created a security initiative called "Securing the Global Workforce". This had one primary end goal: to securely enable business connectivity no matter where you are sitting, as long as you can verify your identity. This zero-trust-focused initiative contained many moving parts:
Conditional Access
Control access through means such as blocking legacy authentication, blocking Linux and Windows Phone devices, requiring MFA, requiring certain trust types per OS, requiring approved apps and app protection, etc.
Applying this to every country in the world (including the US & unknown locations)
Applying a custom blacklist of countries that would still be blocked everywhere (namely based on firewall attempts/o365 brute force attempts/etc.) in addition to known malicious IP addresses
MDM & MAM
The MDM part of this was included because of the integration between Intune and MAM policies, plus a desire to shift away from a former MDM provider. Because of this I was able to set up compliance and configuration settings to allow enrolled and supervised devices to be securely managed and tie back to our CA policies.
MAM app protection policies primarily targeted our Microsoft applications, limiting logins and controlling data the way we wanted; this was a great tie-in with the CA policies and an easy rollout through an AD group.
All of this collectively allowed me to enable global access to work, everywhere, for everyone (with the exception of known malicious destinations), while easily requiring our colleagues to have a registered or hybrid device in order to log in and do any sort of work; its own MFA, so to speak. This actually paired well with the recent MFA initiative I had completed at the same company, because when rolling out the Authenticator app, it allowed us to easily stage all of these devices to be registered via the Authenticator app for easy and approved access with minimal user involvement.
Vulnerability Management
There's nothing better than taking a $30,000 piece of shelfware and making it reduce firm-wide risk by over 70%.
Do you have a list of all of your vulnerabilities? Of course not! Not ALL at least.
Hopefully you have software or a scanner that gives you a sense of what vulnerabilities are present in your environment. In this case, I entered an environment that had purchased a vulnerability management scanner and stood it up with some default scans and data from the vendor but hadn't touched it since. For over a year, it had mostly sat there untouched with the exception of a quick glance when Log4Shell hit the news.
Looking at the software, we had an extremely high risk score that needed to be reduced by simply patching some bugs. Starting with some of the basics, I used the built-in sites and subnets for our office, paired with network-based scanning and agent-based scanning to gather vulnerabilities on endpoints. I quickly realized that our discovered asset count was wildly skewed by "dead IP addresses" (duplicative .0 and .255 addresses with 0 risk, for instance).
After throwing some regex into the scan engine to ignore those dead IPs, I grouped the assets in various asset groups such as Operating System, OS type, risk severity, location, DC, etc. amongst a few other dynamic optimizations. This allowed me to create dynamic queries based on the assets and the vulnerabilities per asset which was crucial for my next project.
Knowing that I needed to reduce this risk, but couldn't do so without proper initiatives, I took the dynamic queries and created "Remediation Projects". These remediation projects were grouped by query. This could be type of vulnerability, or asset, or OS type, or severity. It depended on the query and my needs. Below are a couple of the hugely impactful projects I built queries for:
Highest severity vulnerabilities
Highest severity vulnerabilities for public facing apps/webapps/DMZ
Windows 10 EOS/EOL versions
Windows server EOS/EOL versions
Patches with the largest risk reduction company wide
Assets missing browser updates
Assets missing Windows updates
Assets missing Security updates
Assets with vulnerable Adobe/iTunes/etc. software versions
These few examples set the stage for my remediation projects, all with their own goals and needs. These remediation projects could have many outcomes or mitigations, ranging from editing the WAF, updating applications, updating the OS, decommissioning a device, removing an application, removing a browser, enabling a security feature such as BitLocker, etc.
After gathering these remediation projects and initial data, I met with the IT stakeholders involved with patch and asset management. This led to the successful implementation of auto-updates for Windows operating systems and browsers, with third-party apps to follow eventually. In the meantime, I reached out to individuals and department heads to coordinate updates and patches where appropriate for high-risk scenarios. Overall, this led to a reduction in the calculated risk score by over 70% in my first year.
Attack Surface Reduction, Visibility, & Inventory Management
When's the last time you scanned for assets you know and don't know about? Checked if they have needed security apps?
Keeping a tab on your attack surface is hard, but it's crucial. Anyone in the field will tell you that this comes in many shapes and forms. In this instance, I drove an initiative from discovery through implementation to completion with an emphasis on simply wrangling assets.
I started by taking a network scanner that was sitting on the shelf (shelfware, bought and paid for but underutilized) and scanning our VLANs for assets. In addition to automated discovery, I cross-referenced licensed listings in SIEM agent lists, VPN lists, antivirus lists, Active Directory, and the underutilized asset inventory lists. With this massive amount of data, I combined it and used a variety of functions and scripts to remove duplicates and get an accurate listing of:
what assets were known and unknown to exist in the environment
what assets were missing required security software or features or licenses
what licenses were assigned to decommissioned devices
what assets were missing or needed to be decommissioned entirely
what computer accounts in active directory needed to be disabled and managed
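As an added example (not the portfolio's actual scripts), the code below shows the reconciliation described above: a network-discovery export is merged with SIEM-agent, antivirus and Active Directory computer lists on a normalized hostname key, and set differences produce the unknown, missing-agent, stale-AD and decommission lists. It also applies the dead-IP filter from the vulnerability management section, dropping .0/.255 addresses before they inflate the asset count. The /24 assumption behind that regex and all sample rows are constructed.

```python
# Added example: merge discovery, agent and directory lists into the asset
# findings described in the write-up. All inputs below are constructed.
import re

# Network/broadcast addresses of /24 subnets; assumes the office VLANs are /24s.
DEAD_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){2}\.(?:0|255)$")


def normalize(name):
    """Join key across sources: lowercase short hostname without domain suffix."""
    return name.split(".")[0].strip().lower()


def reconcile(scan_rows, siem_agents, av_agents, ad_computers, inventory):
    """scan_rows: (ip, hostname) pairs from discovery; other args: hostnames."""
    discovered = {normalize(h) for ip, h in scan_rows
                  if h and not DEAD_IP.match(ip)}     # drop dead/broadcast hits
    siem = {normalize(h) for h in siem_agents}
    av = {normalize(h) for h in av_agents}
    ad = {normalize(h) for h in ad_computers}
    inv = {normalize(h) for h in inventory}
    live = discovered | siem | av                     # seen on the wire or reporting in
    return {
        "unknown": sorted(discovered - ad - inv),     # on the network, in no record
        "missing_siem": sorted(discovered - siem),    # needs a logging agent
        "missing_av": sorted(discovered - av),        # needs antivirus
        "stale_ad": sorted(ad - live),                # computer accounts to disable
        "decommission": sorted(inv - live - ad),      # inventoried, never seen, not in AD
    }


# Constructed sample inputs
SCAN = [("10.1.1.0", "ghost-gw"), ("10.1.1.10", "WS-001.corp.example"),
        ("10.1.1.11", "ws-002"), ("10.1.1.12", "printer-7"), ("10.1.1.255", "")]
SIEM_AGENTS = ["ws-001", "ws-003"]
AV_AGENTS = ["WS-001", "WS-002"]
AD_COMPUTERS = ["WS-001", "WS-002", "WS-003", "WS-OLD-99"]
INVENTORY = ["ws-001", "ws-002", "laptop-retired"]

if __name__ == "__main__":
    for key, hosts in reconcile(SCAN, SIEM_AGENTS, AV_AGENTS, AD_COMPUTERS, INVENTORY).items():
        print(f"{key}: {hosts}")
```

Without the DEAD_IP filter, "ghost-gw" on 10.1.1.0 would appear as an unknown asset, which is exactly the skew the scanner produced before the regex exclusion.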
After reviewing the output, I met with other stakeholders in the IT department to discuss the findings and next steps. This led to the following outcomes over the next month:
700+ computer accounts disabled and moved out of active OUs in AD
Enabled tamper protection and enhanced threat protection policies on over 600 endpoints
Over 100 SIEM logging agents installed on user endpoints
Over 50 antivirus agents installed on user endpoints
Over 2 dozen old, lost, or unnecessary devices reclaimed from users (including software licenses per computer)
This amounted to (a) increased visibility, (b) increased response capabilities, and (c) a reduced attack surface; overall reducing risk to the organization. With that being said, I knew that this was just a point-in-time assessment. If it wasn't well maintained, it could return to this bad habit in mere months. Because of this, I took the proactive steps listed below, along with proper communication to the IT stakeholders, to assist with proper inventorying efforts.
Regular automated discovery scans for devices
Alerts for newly discovered devices without security agents
Weekly reports for devices missing security software and features such as Antivirus & BitLocker
Enlisting the HelpDesk in a new asset inventorying process, including enhanced communication workflows
Enabling inactivity based licensing where possible