The shelter-in-place orders and closure of non-essential businesses that have been implemented to slow the spread of COVID-19 have brought the need for business continuity to the forefront. Most enterprises have shifted to a work-from-home model that allows employees to continue working while adhering to social distancing measures. However, the massive shift to remote work brings a new challenge: continuing to secure the business while providing the flexibility and access that remote workers now require.
Security teams are seeing a spike in threats from hackers preying on this remote (and vulnerable) workforce. In fact, CNBC reported that one-third (36%) of executive-level survey respondents said that cyberthreats have increased as a majority of their employees work from home.
These unprecedented changes have affected both the nature of the attack surface security teams must defend and the tactics they must anticipate from opportunistic threat actors. Security teams have an important role to play in strengthening business continuity by ensuring this shift does not create tradeoffs between usability and security. There are three steps they can take to begin to address this issue.
Adjust Remote Access Baselines for “New Normal” Activity
The increase in remote work has changed what “normal” behavior looks like as employees access corporate networks from disparate, atypical locations and unfamiliar devices. Security teams must stay on top of remote access trends and usage patterns in order to understand what behavior is now anomalous and worthy of attention, versus what alerts may be false positives.
Tracking the source IP address is a common way to authenticate users, but may not be an appropriate baseline during this time when employees aren’t restricted to a specific location. Security teams will need to authenticate users from a variety of networks, like home internet service providers, in multiple locations. As users move outside the office, there will likely be an increase in false-positive alerts for remote access anomalies.
The increased network noise from all the new remote workers may give attackers an opportunity to carry out undercover attacks against remote authentication portals and Virtual Private Networks (VPN) using password guessing and spraying techniques. That’s why it is important to continue to monitor for anomalies and quickly remediate any alerts.
At the same time, previous geographic norms linked to business travel have also changed. For example, remote access attempts from other countries that would not have raised eyebrows two months ago may now be genuine cause for concern because they are no longer linked to employee travel patterns.
Prioritize Visibility Across Networks and Endpoints
Remote connectivity makes it more difficult for security teams to log network and endpoint activity because employees are moving off corporate networks and using devices that do not log their activity. This can result in large visibility gaps.
Anti-virus, Endpoint Detection and Response (EDR) tools and even the native operating system software will still send their logs back to a central server for collection and monitoring. Because most agents send their logs to an on-premise server, devices that are not on the internal network will need to send logs via a VPN. If remote users don’t consistently connect to the VPN, the logs will collect on their device and not be sent until they reconnect, which means detection and response will be delayed.
Network visibility is also impacted by remote devices that aren’t connected to the VPN and won’t route through on-premise logging devices such as firewalls and web proxies. Split-tunnel VPNs also don’t send internet-bound traffic over the VPN connection where it would be logged. This means security teams could miss noticing threat activity, such as web-based malware, malicious downloads and data exfiltration.
The shift to cloud infrastructure is a saving grace in this regard. While on-premise endpoint and network technologies are subject to gaps in visibility, cloud products enable “always-on” monitoring and logs are stored directly in the cloud. Office 365 and other shared cloud services are able to log user activity since the interaction occurs on the server and not on the endpoint. In addition, solutions like Email Security Appliances provide visibility into threats such as the huge increase in COVID-19 phishing campaigns.
Update or Eliminate “Bring Your Own Device” Policies
The sudden shift to wide-scale remote work may force organizations to rapidly clarify or even phase out Bring Your Own Device (BYOD) policies that enable employees to use personal devices at home. Many enterprises avoid BYOD even during normal times, due to increased security risks, as personal computers, tablets and smartphones may not be subject to the same controls as corporate assets and often lack logging agency and patches.
If employees need to access internal company resources, they’ll most often need to connect to the corporate network through a VPN or Virtual Desktop Infrastructures (VDI). But these methods can introduce new risks; for example, a machine that’s already infected can provide attackers with an opportunity to get into a network and move laterally.
Based on the risk, some enterprises have quickly pivoted to equip employees with corporate devices or at least strengthen the protocols for BYOD use. One action security teams can take is to create profiles through various BYOD solutions that enable security software to be pushed to remote devices. This enables security teams to pull audit and security logs from the device. It’s a good idea to enable features that pre-check devices for recent security updates and configurations, as well as perform anti-virus scans before they’re allowed to connect into the network.
Security and Usability Are Not Mutually Exclusive
One challenge on many business leaders’ minds is keeping employees happy and productive during this extended period of remote work. But doing so does not have to create security risks. By prioritizing security alongside useability, enterprises can create a work environment that is hassle-free and intuitive while maintaining active visibility into threats. By monitoring changes in remote access trends, maximizing visibility across endpoints and shoring up - or phasing out - BYOD policies, organizations can optimize their ability to respond to threats.
Joe Partlow, CTO of ReliaQuest
