By Paul Caiazzo, Senior Vice President of Security and Compliance
With the latest COVID-19 advisory from the CDC regarding avoiding mass gatherings of 50 or more, many organizations are allowing their workforce to work remotely from home. While a remote workforce isn't new for most companies, the larger number of employees working from home increases the attack surface, and securing it will require more nuanced threat prevention, detection, containment, and response.
Organizations that haven’t planned and implemented tools, techniques, and procedures to manage, monitor, and control the technology used by their remote workforce may potentially have large blind spots in their security posture. Alternatively, what has been documented and tested with respect to the ‘detect, contain, and eradicate’ steps of an organization's incident response plan may not take into account this remote-oriented paradigm.
How can you approach the challenge? Here's a list of 4 best practices to incorporate into your plan.
Employees that primarily work remotely typically interact with a variety of cloud platforms including SaaS, IaaS, PaaS, etc., and depending upon how access is controlled, may not need to be on the corporate network at all to gain access to these environments. That’s great for mobility, but is data flowing from those endpoints to and from the cloud being centrally monitored? We recommend that it should be.
Misconception. Monitoring your user' cloud activity only by inspecting your private network’s egress firewall logs is sufficient.
Instead, accomplish central monitoring through API-driven integration between the CSPs and your centralized Security Information and Event Management (SIEM) platform.
The CSPs have widely implemented security telemetry into their platforms which you can capture to enrich your situational awareness on how users are interacting with them. Many modern SIEM platforms - whether on-premise or cloud-based - provide varying degrees of integration with these platforms out of the box, but few have use cases built to trigger events that might be relevant to your organization.
We recommend that you centrally capture the CSP’s available security telemetry, and build use cases around that telemetry to trigger on use cases identified through the rigorous inspection of what’s normal for your organization.
Develop Relevant Use Cases
To develop relevant use cases, the security team, both internal and external, must engage with business stakeholders. Communication is imperative in identifying and implementing the use cases to be alerted upon.
Protect the Endpoints
Your remote users represent your most significant risk and therefore, it is key to be able to centrally protect, control, monitor, and manage them. To accomplish this, you must know the hardware and software running on your network at all times as it enables your security team to do their jobs.
Leverage a Cloud-centric Approach
A remote monitoring and management (RMM) tool allow you to remotely manage those devices which expand your attack surface without a need for you to be physically in front of the keyboard. For a more robust approach, go beyond having a private IP space and VPN connectivity for the RMM of remote devices to one that leverages a cloud-centric approach to managing your expanding mobile workforce. If you haven't already done so, implement cloud-based, centrally-managed anti-malware tools and procedures. We also recommend those with company-wide BYOD policies review their existing tools and processes in light of COVID-19.
Deploy Cloud-native Antivirus
Traditional antivirus based on a centrally managed, signature-based product that communicates to/from the controlled endpoints over the private IP space is still prevalent. But few of these traditional antivirus products effectively address a large remote workforce.
We suggest inspecting the ability to control antivirus technology on detached endpoint devices with your current architecture, technology, and processes. If there is a gap in this area, we recommend evaluating and implementing cloud-native next-generation anti-malware products that can be managed in-house or outsourced to a third party.
Not only do tools like this allow you to protect remote devices over a long timeline, they allow you to have granular visibility into how your users are interacting with the Internet – your biggest risk. This becomes more and more important as you shift critical business functions to cloud providers such as AWS, Azure, GCP, Office 365, and Exchange Online.
Taking the above one step further, connect EDR tools to the heart of your security ecosystem. This enables you not only to detect threats impacting your remote workforce, but also remotely respond to incidents, and capture the forensic data you’ll need to determine the root cause and execute the steps necessary to contain, eradicate, and recover from incidents impacting remote devices.
Many of these tools are cloud-native for the specific purpose of addressing the remote workforce use case. As a third-party incident response resource, deploying tools like these is one of the first steps we take when handling live incidents. But if none exists when we are called in, the absence of forensic data needed for analysis will hinder our ability to determine the root cause. We would still be able to help you overcome the current incident but identifying the root cause and preventing recurrence will be more challenging. A highly mobile or mostly remote workforce compounds these problems.
We recommend implementing a leading EDR tool before the incident strikes.
When evaluating EDR tools, be sure that they have capabilities like Windows Registry monitoring, File Integrity Monitoring, USB device control, DLP, etc. The leading EDR providers have aggregated these capabilities into a single cloud-native tool, and our MSSP customers benefit from our ability to prevent incidents and remotely contain and eradicate those very few which slip past the preventive controls.
Items 1 to 3 will not be effective if you cannot centrally monitor the effectiveness of these controls and quickly mobilize when they fail, 24/7/365.
Since no prevention control is perfect, you can be mathematically assured they will fail, eventually. Detecting, containing, eradicating, and recovering from those 1-in-a-billion failures is what separates high-performing organizations from those you hear about on the news.
Centralized monitoring of your security ecosystem - whether on-premise, cloud-based, or decentralized and roaming – provides you oversight, and is the backstop you need to address the .001% of security incidents that represent the real risk of a possible data breach.
We’ve spent a great deal of time analyzing the volume of data we’ve captured through our MSSP platforms and have produced some best practices on data you need to capture to make your SOC effective. We’ve also cross-walked this against the Mitre ATT&CK Framework and the common attacks we see in our customer environments.
Based on that research, it would not be an overstatement to say that the lack of visibility into the above-noted controls - especially against your roaming and remote workforce - is a recipe for a data breach.
In light of COVID-19, remote work can help protect your workers from viral exposure, but it may also expose you to cybersecurity risks. If you’ve prepared for that and have implemented the controls discussed above, not only have you protected your workforce from physical harm, you’ve protected your organization from cybersecurity threats as well; all the while supporting your organization’s overarching Business Continuity Plan, pandemic, notwithstanding.
Paul Caiazzo is Avertium's senior vice president of security and compliance. He has almost two decades of experience in the cybersecurity sector and is a sought-after speaker on enterprise risk management, incident response planning, and next-generation security architectures.