Proactive vs. Reactive Security: Don't Fall Into the 'Next, Next, Finish' Trap

By David Ramel
06/21/2024

Threat monitoring for small/medium businesses (SMBs) and enterprises can be a complicated, daunting business, but following some basic best practices learned on the front lines can help.

And providing that real-world experience are two veteran cybersecurity pros, John O'Neill, Sr. and Dave Kawula, who regularly share their knowledge in online webinars and in-person events. Still regularly consulting on the front lines on urgent topics like ransomware, they banked on some 70 years of combined experience to share their insights in a half-day online summit titled "Threat Monitoring for SMBs and Enterprises," now available for on-demand replay.

Their detailed, wide-ranging presentation covered a lot of ground, including the importance of proactive vs. reactive security stances, which we'll focus on here.

As part of being proactive vs.reactive, the duo explained the dangers of not paying enough attention to initial security and other system configurations and set up, such as for Windows. That practice, they said, too often just devolves into a series of accepting configuration defaults and clicking through without adding any extra precautions or customization. They referred this to this practice as the "Next, Next, Finish" trap.

"Alright, so now we're going to take a look at just the back half of our session today, John, and this one here is taking a look at a proactive stance versus a reactive stance," said Kawula, managing principal consultant at TriCon Elite Consulting. His presentation partner, O'Neill Sr., is chief technologist at AWS Solutions.

"And this one here is so important for me, John, because number one in a reactive stance, this one here is basically you have a threat monitoring solution. And you're you're basically looking at this as an armchair quarterback, and you're just waiting for alerts and just completely reactive. And so inside of that model being reactive like that, I find that is a very, very dangerous place to be today, because of the fact that you may not be fast enough getting to those alerts as they pop up in the console to actually deal with these. Most of these threat intelligence tools that are out there, most of these threat monitoring tools are going to provide a comprehensive list of what are called recommended actions that the tools are seeing in your infrastructure.

Tip No. 1: "Don't be a victim of next next finish. You need to harden your systems. If you don't it's like running Windows Home edition in your enterprise."

"So for example, let's say that, from a Microsoft security perspective, let's say that you you build a new server. And when you build that new server, you're basically just popping in the ISO, and you're building what's called a next next finish build of Windows, okay. And John, when I attend these sessions, I'm always looking for little golden nuggets. So everyone just listen up real close here for a sec, because this is gonna be a really important gold nugget for you, okay?

"When you build Windows, and I call it the 'next next finish' build of Windows, John, you're basically building a home edition version of Windows with none of those security features turned on."

Dave Kawula, Managing Principal Consultant at TriCon Elite Consulting

"When you build Windows, and I call it the 'next next finish' build of Windows, John, you're basically building a home edition version of Windows with none of those security features turned on.

"Can you secure Windows? Absolutely, you can secure Windows.

"But as a company, Microsoft has made a living over all of the years in my IT career by making the operating system usable, versus secure out of box, okay. And so even in your cloud tenants, let's say that, hypothetically speaking, John, you go and you're going to go build yourself a new infrastructure as a service VM, it's very easy to do in the cloud portal. Very easy. Next, next, next, next, next, and you have yourself a VM running up there.

Tip No. 2: "Security is not meant to be a matter of convenience. It is supposed to be hard for us and the bad guys."

"Let's say that that happens to be a copy of server 2019, or 2020, to have the latest flagship 2025. In the initial builds of that those aren't hardened by default. So even Microsoft has identified this as a challenge. And so now, even though it's cloud-based builds that give you options to having pre-hardened images that you roll out.

"And so I like to say, don't be a victim of next next finish. And also remember that the measures of security that you have out of box, if you are not hardening things, is like you're running home edition of Windows in your enterprise.

"Can we secure this job? I always get asked this question. Yes, there's great organizations that are out there that help with this, for example, the Center for Internet Security, they provide hardening baselines and hardening templates for us that we can take a system from and next next finish to a known hardened state, different levels, level one, level two.

"And so with that, what ends up happening John, is I'll use the CIS for server 2022.

Tip No. 3: "Just because you can operate a console doesn't make you an expert. The best security professionals have had subject matter expertise coming in."

"As an example, there are over 360 configuration changes to be made in there to get yourself compliant to a level one off of a next next finish. So guess what all of those 360 settings are going to do for you. They are going to put you into a proactive stance. Protecting you against threat actors instead of waiting for them to come into your infrastructure. Don't wait until you actually get hit by a cyber attack to start hardening your infrastructure.

"This is something that you can do today. Just remember everyone, and I'll repeat myself .... The systems that you build out of box next next finish are not fully hardened by default, it is up to you as IT pros and security professionals to lock those things down.

"The good news is, there's great tools that are out there ... but that's my little proactive reactive stance here, John, the proactive for me, is go ahead and get projects in place where you're hardening those systems to try to prevent those types of attacks."

O'Neill, Sr. chimed in with several observations of his own, and the pair discussed a variety of other subjects, including the importance of threat monitoring, tools and technologies for real-time detection and integration strategies, along with answering many audience questions.

As noted, the summit is available for replay, but there are benefits to attending live sessions such as the ability to ask questions and interact with the presenters (not to mention win great prizes). With that in mind, some sessions upcoming in the next month or so include: