Incident Response

Off-network incident response

These days, end-user devices are just as likely, or even more likely, to be operating off the main corporate network as on it. Remote and hybrid work models, accelerated by the pandemic and now commonplace, let more employees than ever work from locations outside the corporate office.

There are clear potential benefits to this arrangement, including increased employee satisfaction, reduced capital costs for companies and greater flexibility for everyone. But there are also risks, including cyber security risks.

For example, remote workers might be using their own, less secure devices and home or public networks to access company systems and data. Phishing attacks can be aimed at people working from home, who may have less support close at hand when they need to deal with them.

So a key question for security leaders and teams is this: how can an organization handle incident response when the affected devices are not on its central network at all?

Historically, thinking and practice around breaches focused on perimeter defense: a device inside the network, or connected over the VPN, was treated as safe as long as the perimeter held. We now know that assumption does not hold. Companies need a solution that can protect devices both inside and outside the network/VPN environment.

Responding to an incident on a device that is off the network and not connected over a VPN, for example when an employee is working from an airport, hotel or coffee shop, is a much harder problem.

Fortunately, there are tools available, such as FTK Central from Exterro, that allow security teams to respond to incidents without the need for direct network connectivity.

This is accomplished by installing an agent on the endpoint. When an incident occurs, the security team can securely connect to the device over the Internet to investigate and remediate the problem remotely. In practice a device in a hotel or coffee shop sits behind a NAT or a restrictive firewall, so agents of this kind reach out to the collection server rather than the server reaching in, and that channel must be mutually authenticated so that only the organization's own servers can issue collection or remediation commands to the agent.

As long as the device has Internet connectivity, the security team can perform incident response on it through the tool. This matters because users often do not have their VPN turned on while working from home, at a Starbucks or while traveling, which leaves those devices outside the reach of network-based controls and monitoring exactly when they are most exposed.

This type of tool collects data from off-network remote devices, which eliminates the cost and delay of shipping devices to a lab, and securely transmits the collected data to validated servers in a legally defensible manner, that is, with the data hashed at collection time and its chain of custody recorded. Security analysts can investigate ransomware attacks, data breaches and other threats by scanning the endpoint for indicators of compromise (IOCs) such as known-bad file hashes, process names and network destinations, and can then analyze suspicious activity, traffic, applications and processes on the device.

The tool can be connected to a security information and event management (SIEM) or security orchestration, automation and response (SOAR) platform so that an alert automatically triggers endpoint collection. Collection then starts the moment an alert fires, before volatile evidence is overwritten or the attacker cleans up, so the team can contain the attack, limit follow-on activity and preserve electronic evidence automatically instead of relying on time-intensive manual processes.
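To make the agent-side workflow concrete, here is an added example (written for this article, not Exterro's or FTK Central's code) of the three steps described above: an alert triggers collection, the collected artifacts are scanned against an IOC list, and every artifact is hashed into a manifest that the receiving server can verify to prove nothing changed in transit. The endpoint artifacts, the IOC values, the case number and the agent name are all constructed inline so the script runs offline; a real agent would gather the artifacts from the live system and take the IOCs from threat intelligence.

```python
"""Added example: minimal agent-side collection, IOC scan and integrity manifest.

Illustrative code for this article, not a real agent. Every artifact and
indicator below is constructed so the script runs offline.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    """One collected item: a file or process image plus what was observed about it."""
    path: str
    process_name: str   # "" for a plain file that was not running
    remote_host: str    # "" if no outbound connection was observed
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample endpoint state (not real malware, not real hosts).
SAMPLE_ARTIFACTS = [
    Artifact("C:/Windows/System32/notepad.exe", "notepad.exe", "", b"MZ benign notepad"),
    Artifact("C:/Users/alice/AppData/Local/Temp/svch0st.exe", "svch0st.exe",
             "update.example-bad.test", b"MZ dropper payload"),
    Artifact("C:/Users/alice/Documents/notes.txt", "", "", b"quarterly notes"),
]

# Constructed IOC set; the hash is derived from the constructed dropper bytes so
# the example is self-consistent. In practice these come from threat intel feeds.
SAMPLE_IOCS = {
    "sha256": {sha256_hex(b"MZ dropper payload")},
    "process_names": {"svch0st.exe"},
    "domains": {"update.example-bad.test"},
}


def scan_for_iocs(artifacts, iocs):
    """Return (path, indicator_type) for every artifact that matches an IOC."""
    hits = []
    for a in artifacts:
        if sha256_hex(a.content) in iocs["sha256"]:
            hits.append((a.path, "sha256"))
        if a.process_name and a.process_name.lower() in iocs["process_names"]:
            hits.append((a.path, "process_name"))
        if a.remote_host and a.remote_host.lower() in iocs["domains"]:
            hits.append((a.path, "domain"))
    return hits


def build_manifest(artifacts, collector: str, case_id: str):
    """Hash each artifact at collection time and chain the hashes into one digest.

    The manifest travels with the evidence; the server recomputes it to prove the
    data was not altered in transit (the hashing half of a chain of custody)."""
    entries = [
        {"path": a.path, "size": len(a.content), "sha256": sha256_hex(a.content)}
        for a in sorted(artifacts, key=lambda x: x.path)
    ]
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    body = json.dumps({"case_id": case_id, "collector": collector, "entries": entries},
                      sort_keys=True, separators=(",", ":"))
    return {"case_id": case_id, "collector": collector, "entries": entries,
            "manifest_sha256": sha256_hex(body.encode())}


def verify_manifest(manifest, artifacts) -> bool:
    """Server-side check: every per-file hash and the overall digest must match."""
    by_path = {a.path: a for a in artifacts}
    for e in manifest["entries"]:
        a = by_path.get(e["path"])
        if a is None or len(a.content) != e["size"] or sha256_hex(a.content) != e["sha256"]:
            return False
    expected = build_manifest(list(by_path.values()), manifest["collector"], manifest["case_id"])
    return expected["manifest_sha256"] == manifest["manifest_sha256"]


def collect_on_alert(alert, artifacts, iocs):
    """What a SIEM/SOAR-triggered collection does: scan, then package the evidence."""
    hits = scan_for_iocs(artifacts, iocs)
    manifest = build_manifest(artifacts, alert["agent"], alert["case_id"])
    return {"case_id": alert["case_id"], "hits": hits, "manifest": manifest}


if __name__ == "__main__":
    # Constructed alert as a SOAR playbook might hand it to the agent.
    alert = {"case_id": "CASE-0001", "agent": "agent-01", "host": "alice-laptop"}
    result = collect_on_alert(alert, SAMPLE_ARTIFACTS, SAMPLE_IOCS)
    print(json.dumps(result, indent=2))
    print("manifest verifies:", verify_manifest(result["manifest"], SAMPLE_ARTIFACTS))
```

The manifest is sorted and serialized canonically on purpose: the server must be able to rebuild the exact same bytes to check the digest, and a single altered byte in any collected file, or a dropped or added file, makes verification fail. A production agent would additionally sign the manifest with a key provisioned at enrollment so the server can tie it to a specific device and collector, which this example omits.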

Data breaches, ransomware attacks and other security threats are more pervasive and potentially damaging than ever. At the same time, the workforce has been transformed into a remote or hybrid model at many organizations.

Companies need to be able to detect and respond to incidents regardless of where users are working from or what type of devices they are using. By deploying a tool designed to support incident response on off-network devices, they can keep employees' devices, and by extension the organization itself, protected.
