02-01-2022 08:12 AM
We are using BloxOne currently. I was curious to check out some security best practices from users of the product. Can I get some recommendations?
I also attempted to look for a document/guide but I'm not having any luck. Is there a Security Best Practices document for using BloxOne?
I'm new to the product and eager to get some info on this.
02-02-2022 02:00 PM
I would also be eager to hear from other community members at a more granular level of 'best practices that work for you'. But here are some higher-level thoughts that might help some.
1) Since SaaS solutions are always receiving updates, set a schedule to periodically review the "What's New" page for anything from new policy object support to new reporting or Dossier investigation capabilities. For example, policy management has evolved a great deal in the last year, particularly around endpoints, but it tends to come out in little chunks that don't really stand out very much on their own. (There were 4 updates in January alone!)
2) If licensed for it, roll out the BloxOne Endpoint and the BloxOne Mobile Endpoint. It seems obvious, but customers will often get so focused on learning Dossier or other core tools that this relatively simple activity keeps getting delayed. One customer recently rolled out several hundred thousand endpoints over a few weeks. There is obviously some planning and testing ahead of that (a good best practice). But it really didn't take that long to ensure compatibility and consider new or modified policies to uplift off-network security and visibility. (Note that this gives you one place to see all on- and off-network DNS activity for a laptop or mobile device.)
3) With that said... try to take advantage of any formal ecosystem partnerships with Infoblox for a 'quick win'. And even if you are using a similar product from a non-partnership vendor, you may still be able to quickly realize valuable benefits with minimal variations on other tested integrations.
Most organizations start by feeding data to a SIEM or SOAR for investigation and response, while others work with TIDE to aggregate threat intelligence and distribute it to their NGFW or SWG. These first-time projects give them the experience to better prioritize, plan and execute additional integrations. Either leveraging the available training or working with Infoblox professional services, these early efforts can give you a foundational understanding to prioritize long-term plans.
I know this isn't at the level you were looking for, but I hope it helps at least spur a few others to share.
02-04-2022 09:26 AM
Ah thank you for that! Yes I'd really like to hear more from the community as well based on their experience.
I took a look at the entire set of quickstart vids for BloxOne and a few I picked up involved the following:
- Ensure Join Tokens are stored in a secure location
- Ensure the use of an IdP or SSO to log in to the CSP
- Use of Management Passwords to protect your endpoint group configuration from unapproved change
Although they are the glaringly obvious ones, they are unfortunately missed or just not adhered to due to lack of care.