Introduction
Hello! I’m mizu, a corporate IT and security engineer at Axelspace, a startup developing business in the satellite industry. It’s been two and a half years since I joined the company, and I wanted to take the opportunity to reflect on and share what I’ve worked on so far through this technical blog.
If you’re a security engineer at a company with 100+ employees and plans to scale rapidly, I hope our experience can serve as a helpful reference.
In this post, I’ll focus on our initiatives aimed at realizing Zero Trust security.
Challenges and Our Approach to Zero Trust
With remote work becoming the norm and SaaS adoption expanding, several security challenges came to light within our organization:
- Security logs were siloed across products, making it difficult to gain a holistic view
- SaaS usage across employees was unmonitored (Shadow IT)
- Passwords were managed individually, lacking centralized control
To address these issues, we selected and implemented the following tools in a phased manner. The key themes of this post are “visibility” and “control.”
EDR: Endpoint Monitoring with CrowdStrike Complete
To strengthen endpoint security (PCs and servers), we replaced our legacy signature-based antivirus software with CrowdStrike Complete, a leading EDR (Endpoint Detection and Response) solution.
While many organizations already use CrowdStrike, we opted for the Complete plan, which includes MDR (Managed Detection and Response). This allows CrowdStrike’s security analysts to handle triage and initial response actions, enabling swift and efficient incident handling.
Changes and highlights after implementation:
- Visibility into all endpoint activities, including non-incidents, greatly improved traceability
- Triage and initial containment are handled by CrowdStrike MDR, significantly reducing operational burden
- Even complex threats like Living-off-the-Land (LotL) attacks can be detected and responded to effectively
[Operational Note]
Many companies face a common issue after implementing EDRs: “We bought it, but can’t operate it.” By including MDR with our EDR, we significantly reduced alert fatigue and operational strain.
In my experience, incidents occurring several times a month are now resolved in under an hour each. If you’re struggling with EDR operations, MDR might be a solution worth exploring.
CASB/SWG: Shadow IT Visibility and Web Access Control with Netskope
We implemented Netskope as our CASB/SWG solution. This gave us the ability to log and control user access to SaaS and web services over HTTPS via endpoint-based agents.
Unlike traditional UTM or IDS tools, which can’t inspect HTTPS traffic, Netskope’s endpoint agent decrypts SSL/TLS traffic and allows inspection of HTTP methods, file names on Google Drive, and more.
Changes and highlights after implementation:
- Shadow IT usage by employees became visible (Visibility)
- We gained policy-based control over risky services like online storage, chat tools, and social media (Control)
- Access via personal Gmail or Outlook accounts can now be blocked (Control)
[Operational Note]
Due to HTTPS decryption, Netskope sometimes inadvertently blocks traffic from development environments. We maintain an exception list for specific executables and destination URLs to avoid interfering with development.
For now, we only use the CASB/SWG functions and have chosen not to implement NPA (Netskope Private Access, its VPN alternative) for several reasons.
Password Manager: Centralized and Shared Management with Keeper
We introduced Keeper Security as our password manager to replace free tools and browser-based password storage. This enables secure password sharing*, auto-fill, and password generation.
We also subscribed to the BreachWatch add-on, which provides dark web monitoring, weak password detection, and scoring by user and organization.
* While password sharing should generally be avoided, there are still unavoidable scenarios where shared accounts are required.
[Figure: Password Manager migration illustration]
As info-stealer malware that extracts browser-stored credentials remains prevalent, password managers like Keeper are also effective against malware-related threats.
Changes and highlights after implementation:
- Standardized password management, policies, and sharing methods (Control)
- Improved operational efficiency via auto-fill
- Admins can now monitor password breaches, weak usage, and scoring (Visibility)
[Operational Note]
Keeper supports importing from various tools (KeePass, Google Password Manager, etc.), which made the migration smooth and user-friendly.
We didn’t mandate usage and started with a small license count to reduce initial costs. Expanding Keeper’s usage across the org is our next goal.
SIEM: Centralized Logging and Visualization with Elastic Cloud
To manage and visualize logs from all our security tools, we implemented Elastic Cloud as our SIEM platform. By integrating logs into Elastic Cloud, we enhanced visibility, centralized monitoring, and enabled long-term storage.
Notably, our CrowdStrike plan does not retain event logs long-term, so we strongly felt the need to centralize them in a SIEM for traceability during incidents.
[Figure: Elastic integration illustration]
Changes and highlights after implementation:
- Logs from various tools can now be viewed directly on Elastic Cloud (Visibility)
- Activity across users, devices, and email addresses can be traced across tools (Visibility)
- Dashboards provide executives with visual summaries of security incidents and risk scoring (Visibility)
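The cross-tool tracing above only works once every source names the user, device and time the same way. The following is an added example (not Axelspace's code and not any vendor's schema) showing the idea: constructed records imitating EDR, CASB/SWG and password-manager events are normalized onto a common, ECS-like key set (`user.email`, `host.name`, `@timestamp`) and then merged into one per-user timeline. The field names on the raw records and the `DIRECTORY` lookup are assumptions.

```python
"""Merge events from several security tools into one per-user timeline.

Added example, not Axelspace's or any vendor's code. The raw field names
below are constructed stand-ins for the real product schemas; the point
is the normalization step that makes a shared key available.
"""
from datetime import datetime
from typing import Any

# Constructed: maps the local account an EDR sees to the corporate mail
# address that SaaS-side tools log. In practice this comes from the IdP.
DIRECTORY = {"alice": "alice@example.com", "bob": "bob@example.com"}

# Constructed sample events. Note that each source names the user, the
# host and the timestamp differently.
EDR_EVENTS = [
    {"ts": "2025-03-01T09:15:00Z", "UserName": "alice", "ComputerName": "LAPTOP-01",
     "event": "ProcessRollup", "detail": "powershell.exe -EncodedCommand ..."},
]
CASB_EVENTS = [
    {"timestamp": "2025-03-01T09:16:30Z", "user": "alice@example.com", "hostname": "LAPTOP-01",
     "app": "Dropbox", "activity": "Upload", "object": "export.csv"},
    {"timestamp": "2025-03-01T10:02:00Z", "user": "bob@example.com", "hostname": "LAPTOP-07",
     "app": "Slack", "activity": "Login", "object": ""},
]
PWMGR_EVENTS = [
    {"time": "2025-03-01T08:58:10Z", "username": "alice@example.com", "device": "LAPTOP-01",
     "audit_event": "login", "record": ""},
]


def parse_ts(value: str) -> datetime:
    """All three constructed sources emit ISO-8601 UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(source: str, rec: dict[str, Any]) -> dict[str, Any]:
    """Map one raw record onto common, ECS-like field names."""
    if source == "edr":
        return {"@timestamp": rec["ts"], "source": source,
                "user.email": DIRECTORY[rec["UserName"]],
                "host.name": rec["ComputerName"],
                "event.action": rec["event"], "detail": rec["detail"]}
    if source == "casb":
        return {"@timestamp": rec["timestamp"], "source": source,
                "user.email": rec["user"], "host.name": rec["hostname"],
                "event.action": f"{rec['app']}:{rec['activity']}", "detail": rec["object"]}
    if source == "pwmgr":
        return {"@timestamp": rec["time"], "source": source,
                "user.email": rec["username"], "host.name": rec["device"],
                "event.action": rec["audit_event"], "detail": rec["record"]}
    raise ValueError(f"unknown source: {source}")


def all_events() -> list[dict[str, Any]]:
    """Normalize every source into one flat list."""
    out: list[dict[str, Any]] = []
    for src, recs in (("edr", EDR_EVENTS), ("casb", CASB_EVENTS), ("pwmgr", PWMGR_EVENTS)):
        out.extend(normalize(src, r) for r in recs)
    return out


def build_timeline(email: str) -> list[dict[str, Any]]:
    """Every event for one user across all tools, oldest first."""
    mine = (e for e in all_events() if e["user.email"] == email)
    return sorted(mine, key=lambda e: parse_ts(e["@timestamp"]))


def hosts_for(email: str) -> set[str]:
    """Devices the user has been seen on, across all tools."""
    return {e["host.name"] for e in build_timeline(email)}


if __name__ == "__main__":
    for e in build_timeline("alice@example.com"):
        print(e["@timestamp"], e["source"].ljust(6), e["host.name"], e["event.action"], e["detail"])
```

Once records share `user.email` and `host.name`, the same pivot works in the SIEM itself; the normalization is what belongs in the ingest pipeline, not in each analyst's head.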
[Operational Note]
Since Elastic Cloud is SaaS-based, we could skip infrastructure setup and begin operations quickly. However, proper configuration of ILM (Index Lifecycle Management) is still required to manage data retention.
Fortunately, the Elastic Support Assistant (AI chatbot) was very effective in resolving issues.
We plan to cover the selection process and comparison with other SIEM tools in a future article.
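Because the stated reason for the SIEM is traceability during incidents, the ILM configuration mentioned in the operational note has to be checked against a concrete retention requirement. The following is an added example (not Axelspace's configuration) that builds a minimal ILM policy body in the shape accepted by Elasticsearch's `PUT _ilm/policy/<name>` API, with a rollover in the hot phase and a delete phase, and then computes the retention the policy actually guarantees. The caveat it encodes: for rolled-over indices, ILM measures a phase's `min_age` from the rollover of that index, not from each document's own timestamp, so a document written right after the previous rollover lives up to `rollover.max_age` longer than one written just before rollover. The numbers used are constructed.

```python
"""Build a minimal Elasticsearch ILM policy and check the retention it guarantees.

Added example, not Axelspace's configuration. Policy shape follows the
public _ilm/policy API; retention numbers are constructed.
"""
import json
import re


def ilm_policy(rollover_max_age_days: int, delete_after_days: int,
               max_primary_shard_size: str = "50gb") -> dict:
    """Policy body for PUT _ilm/policy/<name>: hot rollover, then delete."""
    return {"policy": {"phases": {
        "hot": {"actions": {"rollover": {
            "max_age": f"{rollover_max_age_days}d",
            "max_primary_shard_size": max_primary_shard_size}}},
        "delete": {"min_age": f"{delete_after_days}d",
                   "actions": {"delete": {}}},
    }}}


def _days(value: str) -> int:
    """Parse the day-based time values this example emits (e.g. '365d')."""
    m = re.fullmatch(r"(\d+)d", value)
    if not m:
        raise ValueError(f"expected a value in days, got {value!r}")
    return int(m.group(1))


def retention_bounds(policy: dict) -> tuple[int, int]:
    """(guaranteed, worst-case) days a document stays searchable.

    delete.min_age counts from the index's rollover. A document written just
    before rollover is kept for min_age days; one written right after the
    previous rollover is up to rollover.max_age older at rollover time, so it
    is kept for min_age + max_age days. Size-based rollover can only shorten
    the upper bound, never the lower one.
    """
    phases = policy["policy"]["phases"]
    rollover_days = _days(phases["hot"]["actions"]["rollover"]["max_age"])
    delete_days = _days(phases["delete"]["min_age"])
    return delete_days, delete_days + rollover_days


def meets_retention(policy: dict, required_days: int) -> bool:
    """True when even the earliest-deleted document outlives the requirement."""
    return retention_bounds(policy)[0] >= required_days


if __name__ == "__main__":
    # Constructed requirement: keep a year of security logs for incident tracing.
    policy = ilm_policy(rollover_max_age_days=30, delete_after_days=365)
    print(json.dumps(policy, indent=2))
    print("retention bounds (days):", retention_bounds(policy))
    print("meets 365-day requirement:", meets_retention(policy, 365))
```

The upper bound matters for the cost side of the note (storage is held for longer than `min_age` suggests), and the lower bound is the number to compare with the incident-traceability requirement; a policy whose `delete.min_age` is shorter than that requirement silently fails it regardless of rollover settings.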
Closing Thoughts
While we’ve successfully deployed these solutions, I’d say we’re at about 50% when it comes to fully utilizing their features and implementing the right policies.
Going forward, we aim to deepen our understanding of these tools and expand improvements to previously postponed security areas.
Some of our next steps include:
- ZTNA: Building a secure, VPN-less network
- ASM: Risk evaluation and vulnerability assessment of IT assets
- Security Education: Phishing simulations and security e-learning programs
We are hiring!!
Axelspace is actively hiring across multiple roles, and we're especially looking for security engineers!
We’d love to hear from you if any of the following apply:
- You’re interested in the space industry
- You want to work at a fast-growing startup
- You want to have autonomy and impact in a rapidly scaling company
If you're curious, let’s start with a casual chat!
https://hrmos.co/pages/axelspace/jobs/3000000006