
Security Across 4 Sites and Into the Cloud

November 1, 2023

Multi-site security rollout for a distribution company, followed by AWS account hardening with Prowler, GuardDuty, and Security Hub

Phase 1: Multi-Site Security Overhaul

The Situation

Four locations. 100+ users. Inconsistent endpoint protection, no MFA, firewall configs that varied by site, and security tools that were deployed but never properly configured. The distribution company had grown faster than its security posture.

What I Did

Endpoint protection: Deployed BitDefender across all endpoints. Centralized management so every device reported to a single console - no more blind spots at remote sites.

Network security: Standardized firewall configurations across the existing SonicWall and pfSense appliances at all 4 locations. Consistent rulesets, consistent logging.

MFA: Rolled out multi-factor authentication to all 100+ user accounts. Started with admin accounts as proof of concept, then expanded company-wide. Handled the inevitable pushback with hands-on training sessions.

Monitoring & management: Centralized visibility through Atera and Action1. Security events from all sites fed into one place.

Backup verification: Implemented Veeam with tested restore procedures. Backups that haven’t been tested aren’t backups.

Results

  • 100% endpoint coverage across 4 locations - up from inconsistent, partial deployment
  • MFA on every account - 100+ users, zero exceptions
  • Standardized firewall rules across all sites
  • Centralized security monitoring replacing per-site guesswork
  • Zero downtime during the entire rollout
  • Passed customer security audits that the company previously couldn’t satisfy

Phase 2: AWS Account Hardening

The Situation

After building out AWS infrastructure (Lambda, API Gateway, DynamoDB, CloudFront), I turned the same security mindset on my own cloud environment. Ran a Prowler security assessment against the account.

Starting point: 115 failures.

What I Did

Worked through every finding systematically:

  • Enabled GuardDuty for continuous threat detection
  • Activated Security Hub for centralized security posture management
  • Configured CloudTrail for full API audit logging across all regions
  • Tightened IAM policies to enforce least privilege
  • Resolved misconfigurations in S3 bucket policies, encryption settings, and access controls
  • Addressed every actionable Prowler finding
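The IAM and S3 policy items in the list above are the kind of misconfiguration Prowler catches by reading the policy document itself: an anonymous principal, an `Action` or `Resource` wildcard, a missing condition. As an added example (not code from this write-up and not Prowler's own checks), here is a small least-privilege linter that applies those rules to constructed sample documents, placing a weak bucket policy and an over-broad identity policy beside a hardened bucket policy. The bucket name, account ID and role name are hypothetical.

```python
"""Least-privilege linter for IAM and S3 bucket policy documents.

Added example, not Prowler's code. It mirrors the static policy checks a
scanner runs (anonymous principal, wildcard action, wildcard resource) on
constructed sample policies so it runs offline with no AWS credentials.
"""
import json

# Constructed sample: an over-broad bucket policy. Bucket name is hypothetical.
WEAK_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEverything",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-dist-bucket/*",
    }],
})

# Constructed sample: an identity policy that is really an admin policy.
WEAK_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AdminForDeploy",
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
    }],
})

# Corrected form of the bucket policy: one named role (hypothetical account
# and role), only the two actions it needs, TLS required, plus an explicit
# Deny guardrail for plaintext requests.
HARDENED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-dist-bucket",
                         "arn:aws:s3:::example-dist-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-dist-bucket",
                         "arn:aws:s3:::example-dist-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM allows string-or-list for Action/Resource/Principal; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(policy_json):
    """Return (Sid, finding) tuples for Allow statements that exceed least privilege.

    Deny statements are skipped on purpose: Deny with Principal "*" is the
    normal way to write a guardrail, not a finding.
    """
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        # Resource policies only: an unconditioned "*" principal is public access.
        if _principal_is_anonymous(stmt.get("Principal")) and not has_condition:
            findings.append((sid, "anonymous principal with no Condition"))
        # "*" or "service:*" grants every API of that service, including write/delete.
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, f"wildcard action {actions}"))
        # Resource "*" applies the grant to every resource in the account.
        if "*" in resources:
            findings.append((sid, "wildcard resource"))
        # NotAction in an Allow grants everything except the listed actions.
        if "Action" not in stmt and "NotAction" in stmt:
            findings.append((sid, "NotAction grants everything not listed"))
    return findings


if __name__ == "__main__":
    for name, doc in [("weak bucket", WEAK_BUCKET_POLICY),
                      ("weak IAM", WEAK_IAM_POLICY),
                      ("hardened bucket", HARDENED_BUCKET_POLICY)]:
        print(name, lint_policy(doc) or "clean")
```

The weak documents each produce two findings and the hardened one produces none. Running a check like this in a pre-commit hook or CI step catches the regression before it reaches the account; re-running Prowler afterwards confirms the fix from the account's side rather than the template's.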

Results

  • 115 Prowler failures resolved - account now passes assessment
  • GuardDuty, Security Hub, and CloudTrail running continuously
  • Total monthly cost: $0.42 - enterprise-grade security visibility for pocket change
  • Full audit trail of every API call in the account

The Through Line

Physical sites or cloud accounts, the process is the same: assess the current state, prioritize by actual risk, fix it systematically, verify the results. The tools change - SonicWall to WAF, BitDefender to GuardDuty - but the approach doesn’t.