Key Takeaways from the SolarWinds Compromise

Brief Recap

FireEye has recently released a detailed report on a global supply chain cyber-espionage campaign that utilizes compromised Solarwinds Orion software updates to distribute a backdoor codenamed “SUNBURST” by FireEye.

This particular campaign was announced by FireEye to be associated with a breach reported earlier, on the 8th of December 2020, where it was revealed that attackers had gained access to FireEye’s environment, attempted to obtain information relating to certain US government customers and stole some of FireEye’s Red Team tools.

FireEye isn’t the only organization using SolarWinds Orion software: the malicious updates were pushed to 18000 other customers of the SolarWinds Orion platform, including Microsoft, the US Treasury and Commerce Departments, the Department of Energy and the National Nuclear Security Administration. Of course, not all organizations affected were actively targeted and breached by the threat group, with the majority of the targets located in the United States and the rest in seven other countries: Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the UAE.

At this time, it is too early to say that we have a full understanding of the scope of the SolarWinds compromise. The number of organizations impacted is based on very limited visibility with an expectation that we understand all the compromise routes and adversary command and control capabilities. We do not know that to be true and more time is needed before we can say that we have a complete idea of the scale and scope of the compromise. Everything we know at this time relates to cyber-espionage and US national security institutions and there are no indications that most customers of SolarWinds Orion are actively breached by the threat group.

There are also no indications that the SolarWinds compromise was the only way in which the adversary could have reached their targets. The Cybersecurity and Infrastructure Security Agency has evidence that there are initial access vectors other than the SolarWinds Orion platform. As mentioned previously, we recommend following the remediation measures recommended by CISA. Even if your organization isn’t an active target of this threat group, there is no reason to leave a backdoor into your network lying around if you are using the affected versions of SolarWinds Orion.

Some Interesting Details

Proficio has issued several advisories regarding the SolarWinds compromise and will be issuing more advisories as we learn more about the compromise. We are also in the midst of conducting an ongoing threat hunting campaign. Here are some of the interesting details that will shed light on the lessons we can draw from this campaign thus far.

  1. The SolarWinds hackers did a test run of the spy operation in October 2019, when malicious SolarWinds files were first downloaded by customers. That version did not contain a backdoor, but it indicates that the hackers were dwelling in SolarWinds’ network in 2019, if not earlier.
  2. FireEye first discovered the breach when hackers utilized stolen employee credentials to register their own device to FireEye’s MFA system so as to receive the employee’s unique access codes. FireEye’s security system sent an alert to the employee and to the company’s security team saying a new device had just been registered to the company’s MFA system as if it belonged to the employee, prompting FireEye to investigate. FireEye uncovered the SolarWinds breach into their network while trying to determine how the hackers obtained the employee’s credentials to register their device.
  3. The SUNBURST backdoor is only an initial, persistent entry point used to deploy other tools that take root and subtly alter network configurations to allow future access. Remediating the SolarWinds breach is only the first step to be taken. The SUNBURST backdoor is known to distinguish between malleable detectors (services modified and tracked in the config file) and dealbreakers (running processes that make SUNBURST abort immediately). Malleable detectors include several AV/EDR agents, while dealbreakers include several generic and specialized forensic tools, one of them being Sysmon. The distinction between these two buckets of target system processes/drivers for evasion purposes is important. Upon encountering one of the 8 malleable detection product families, SUNBURST takes a backup of the SCM ACL for the service, modifies the ACL to take ownership and disables the service. Before going dormant, SUNBURST restores the original ACL and settings. This means that:
    1. Installed dealbreaker drivers prevent execution of SUNBURST completely.
    2. Dealbreaker processes present at runtime prevent job execution at that time.
    3. The 8 AV/EDR products would not have been very effective at preventing actions taken by SUNBURST unless their anti-tampering settings were turned up.

Lessons to Take Away

The SolarWinds compromise is a good case study of the impact, scale and scope of a supply chain compromise by a serious and capable adversary. It is important for us to draw the right lessons rather than chase buzzwords and whatever is popular and trendy.

  1. Most organizations should not shift all their focus to supply chain attacks. Most organizations lack sufficient visibility, network segmentation, administrative tiering, insider threat programs, detection and response, backups and asset management capabilities, and those gaps pose far greater risk in terms of actual impact on most organizations. Supply chain compromises are incredibly serious, but they are far from being the only way organizations get hit by serious cyber-attacks.
  2. Prevention is increasingly a no-win game. Well-orchestrated supply chain compromises are almost impossible to prevent. However, where prevention can fail, detection and response can succeed, and did succeed in this case. FireEye was able to detect and respond correctly to the actions of a capable nation-state adversary. Organizations should look to beef up their detection and response capabilities, either internally or with a managed detection and response partner like Proficio.
  3. The success of detection and response actions depends significantly on basic visibility and monitoring. DNS logs play a key role in identifying whether a breach has taken place, and other activity indicators include file-write events to the ‘SolarWinds Orion DLL config file’, as well as changes to services in the registry while using any one of the 8 AV/EDR families tracked by the SUNBURST backdoor.
    1. In fact, the adversary does not even attempt to infect your network if it looks like you are watching the machine with something as simple and as effective as Sysmon. This means that the adversary knows that such dealbreakers work very effectively against them.
    2. That is not to say that FireEye and other organizations did not have monitoring in place, but their tools simply may not have been on the list of SUNBURST dealbreakers.
  4. Make use of defence-in-depth principles when crafting a detection strategy for visibility, logging, and detection and response capabilities. EDR and NDR solutions provide the ability to detect and rapidly contain threats, and should be complemented with solutions focused on complete visibility and logging, like Zeek and Sysmon. Reach out to Proficio to find out more about how we can help you create a more complete detection strategy.
  5. Make use of multi-factor authentication where possible and ensure that you have a robust asset management program. FireEye first discovered the breach when hackers utilized stolen employee credentials to register their own device to FireEye’s MFA system, and detecting that requires both robust asset management and the use of multi-factor authentication.
  6. Enhance actual detection and response bandwidth and capability by reducing noise and excessive alerting. Reach out to Proficio to understand how we can help you enhance your existing capabilities by helping you to focus on what matters most.
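As an added example (not part of Proficio’s advisories or of any product), the following Python detector runs over constructed Sysmon-style events and flags the two host indicators discussed above: a tracked AV/EDR service’s start type being set to Disabled in the registry (Sysmon Event ID 13), and a file write to the Orion DLL config file (Sysmon Event ID 11). The watched service names, the config file name and the path pattern are assumptions chosen for illustration, not SUNBURST’s real list.

```python
"""Flag SUNBURST-style defender tampering and Orion config writes in Sysmon-like events."""
import re
from typing import Dict, List, Optional

# Constructed watchlist standing in for the AV/EDR service names SUNBURST tracks.
# Replace with the service names of the agents actually deployed in your environment.
WATCHED_SERVICES = {"exampleav", "exampleedr"}

# Sysmon Event ID 13 records DWORD data as "DWORD (0x00000004)".
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
# ...\Services\<name>\Start holds the SCM start type of a service.
_SERVICE_START_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\Start$", re.IGNORECASE)
# Assumption: the Orion DLL config file is a *.dll.config under a SolarWinds\Orion directory.
_ORION_CONFIG_RE = re.compile(r"SolarWinds\\Orion\\[^\\]*\.dll\.config$", re.IGNORECASE)

SERVICE_DISABLED = 4  # SCM start type "Disabled"


def check_service_disable(event: Dict) -> Optional[Dict]:
    """Event ID 13: a watched AV/EDR service's Start value set to Disabled (4)."""
    if event.get("EventID") != 13:
        return None
    m = _SERVICE_START_RE.search(event.get("TargetObject", ""))
    if not m or m.group("svc").lower() not in WATCHED_SERVICES:
        return None
    d = _DWORD_RE.search(event.get("Details", ""))
    if not d or int(d.group(1), 16) != SERVICE_DISABLED:
        return None
    return {"rule": "defender_service_disabled", "service": m.group("svc"),
            "image": event.get("Image", ""), "time": event.get("UtcTime", "")}


def check_orion_config_write(event: Dict) -> Optional[Dict]:
    """Event ID 11: a file created/overwritten matching the Orion DLL config pattern."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    if not _ORION_CONFIG_RE.search(target):
        return None
    return {"rule": "orion_config_write", "file": target,
            "image": event.get("Image", ""), "time": event.get("UtcTime", "")}


def scan(events: List[Dict]) -> List[Dict]:
    """Run every check over every event and collect the alerts in event order."""
    alerts = []
    for ev in events:
        for check in (check_service_disable, check_orion_config_write):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry); fields mirror Sysmon's event data names.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2020-12-14 03:12:07.101",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleAV\Start",
     "Details": "DWORD (0x00000004)"},                      # watched service disabled -> alert
    {"EventID": 13, "UtcTime": "2020-12-14 03:12:08.000",
     "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000004)"},                      # not a watched service -> ignored
    {"EventID": 13, "UtcTime": "2020-12-14 03:12:09.000",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleEDR\Start",
     "Details": "DWORD (0x00000002)"},                      # set to Automatic -> ignored
    {"EventID": 11, "UtcTime": "2020-12-14 03:13:00.000",
     "Image": r"C:\Program Files (x86)\SolarWinds\Orion\Example.exe",
     "TargetFilename": r"C:\Program Files (x86)\SolarWinds\Orion\Orion.Example.dll.config"},
    {"EventID": 11, "UtcTime": "2020-12-14 03:13:01.000",
     "Image": r"C:\Windows\notepad.exe",
     "TargetFilename": r"C:\Users\alice\notes.txt"},         # unrelated write -> ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Because SUNBURST restores the original service settings before going dormant, the matching re-enable of the same service shortly afterwards is itself worth correlating with the disable event.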

Cybersecurity in a Work from Anywhere (WFX) Environment

In 2020, thanks in large part to the COVID-19 virus, the work environment in Europe has shifted, with remote working leading the way. This presents many challenges for IT and security teams, as they now must deal with an increase in cyberattacks in a less secure environment.

As the UK and other European countries enter a second lockdown period in an attempt to contain the virus, more and more organisations are announcing that not only will employees continue working from home into 2021… it may be permanent. So how can cybersecurity teams adjust to this “new normal”?

Working from Everywhere (WFX)

According to a report from Interpol, cyberattacks are at their highest levels in three years as a result of COVID-19. In turn, the number of data breaches has almost doubled, with 3950 confirmed breaches so far in 2020 against 2103 recorded breaches in 2019. Attackers are also getting more creative in their methods, with attack types ranging from man-in-the-middle attacks to network spoofing and packet sniffing of unencrypted traffic.


In the light of the global pandemic, many predict that working from home (WFH) will become working from anywhere (WFX), with a massive upturn in digital transformation as a result. As organisations announce that home working will be permanent, even when the COVID-19 virus is under control, it is predicted that millions of employees will turn this change into the chance to work from anywhere, perhaps relocating to the countryside or closer to relatives to make up for lost time during the pandemic.

So now, teams across Europe and the globe must tackle the challenging task of securing staff who work from anywhere. This brings a host of new concerns. Notably, home networks are less secure than corporate offices, and users with spotty WiFi connections may migrate to even less secure public WiFi options. The absence of the advanced intrusion prevention tools available in office environments risks leaving more gaps for cyber attackers to gain access and steal confidential information. Frequently sending data between the office and home, or between two home networks, leaves more opportunities for cybercriminals to catch data in transit if communication is not properly secured.

The increased volume of cyberattacks that we are now seeing, combined with the shift to WFX, is forcing European organizations to revisit their strategies. Technology needs to be able to keep up with these changes and the focus of IT teams should be shifting to ensure their cybersecurity is a priority. And with the average cost of a data breach standing at £2.9 million, organisations know that a security incident will be expensive in addition to the cost of damaging their reputation.

Setting Security Teams up for Success

While most organisations realize the importance of having a strong cybersecurity posture, many find it difficult to assemble and integrate the right components when it comes to building an in-house security team and having 24/7 monitoring and protection. The resources and staff needed to successfully run an in-house operation require a significant investment of time and money. Even if they can afford to build a team in-house, many struggle to find and retain the right calibre of candidates when trying to hire experienced analysts, content developers and engineers.

While security programmes may differ in organisations, often their underlying security needs are the same, especially when it comes to securing their WFX teams. That is why many in Europe are turning to outsourced security services as a more cost-effective way to stay secure.

Benefits of Outsourcing your Cybersecurity Needs

If you’re considering outsourcing some or all of your cybersecurity needs, the best way to start is to identify what your team can do most effectively in-house. Then, look to fill the gaps by finding a partner to complement your skillset. You still need a team in place to handle certain tasks, ideally one who also knows what partners to look for and how to maximize the relationship. Outsourcing your cybersecurity needs helps to free up your team and alleviates a large portion of the hiring burden. It also enables you to have shared liability and gives you 24/7 protection without building an in-house Security Operations Centre (SOC).

The trend of outsourcing cybersecurity services in Europe has been growing faster than has been seen in many years. In addition to addressing new challenges, IT teams are faced with shrinking budgets. Many European organisations are now considering outsourcing some or all of their security needs as the key to getting more done with less.

There are many benefits of partnering with an external security company, in addition to taking advantage of their 24/7 services and staff (although that piece is critical for most!). Here are some reasons organisations across Europe are choosing to partner with an external organisation for their cybersecurity:

  • 24/7 Protection

Cybercrime is not a 9-5 problem, so you need more than a 9-5 solution. With hackers and cybercriminals striking at any time, networks need to be monitored around the clock. This is especially critical if employees will not be returning to a normal office environment. Having a successful 24/7 operation in-house requires a staff of 12 or more. And with the shortage of trained cybersecurity professionals, even if you are able to find people with the right skills, the cost to hire and retain those experts does not come cheap.

Utilizing a Managed Security Services Provider (MSSP) or similar cybersecurity partner means you’ll have a team of experts available whenever you need them. You won’t have to worry about staffing the graveyard shift or holidays to make sure you’ve got someone monitoring your networks, and their team is ready to respond quickly to any potential threats.

  • Free Up Time

Many IT departments often get bogged down with mundane and manual work, spending more time fixing issues rather than implementing strategic projects. When outsourcing to an MSSP, you gain instant access to a team of expert cybersecurity professionals.

Managed security services are valued by organisations that wish to refresh their security stack but lack the in-house expertise to maximize the value of new tools. Also, many organizations find that tasks like reconfiguring firewalls need to be completed outside of business hours but lack the staff to operate 24/7.

  • Improve your Security Posture

Partnering with a managed cybersecurity provider will help you improve your security posture. They should have a library of threat detection use cases already built and optimized, so you instantly get access to relevant content. Paired with a streamlined on-boarding process, this allows you to quickly start receiving actionable alerts and reduce false positives that cause alert fatigue.

In addition, MSSPs offer a wealth of security knowledge and can offer guidance on best practices to help you ensure you’re getting the most value from the security tools you have in place. Some advanced providers have tools available that can help you uncover gaps in your security posture and provide recommendations to help fill in any gaps. Ask your provider to combine this data into a cyber risk score and compare your score to other similar organisations.

  • Automate Response

Automated response and containment is a critical capability to protect organisations from attacks that could lead to damaging security breaches. Despite their best efforts, cyber defenders may miss indicators of attack or take too long to remediate problems. Leading Managed Detection and Response (MDR) service providers can leverage their client’s existing perimeter and endpoint products to automatically block IP traffic and contain endpoints, quickly containing a threat to stop an attack before it causes damage.

  • Save on Costs

Many security providers are now offering services in the cloud. If you opt for this, it can present substantial cost savings over building your own facilities. For example, a SOC-as-a-Service gives you access to a powerful SIEM without investing in your own. This not only saves on hardware, but also means you don’t have to find (and retain) in-house staff to manage the technology. Partnering lets you better protect your business without the prohibitive upfront purchasing, maintenance, storage, staffing and other costs.

Securing the WFX in 2021 and Beyond

The rapid pace of change and the increasingly complex cybersecurity environment are leading security teams to evolve and adapt, and are making outsourcing a smart option for many European organisations.

While there are many creative options for stretching your security budget, partnering with an MDR service provider should be near the top of your list. If you’re looking for a partner who can help you meet your cybersecurity goals, please feel free to contact us.

ENISA Report Highlights: Guidelines for Securing the Internet of Things

Over the past four years, I’ve been fortunate enough to contribute to several papers produced by the European Union Agency for Cybersecurity (ENISA). ENISA was started in 2004 as a place for industry experts to partner and work together towards the common goal of making Europe more cyber secure. The Agency works closely with both Member States and the private sector to deliver advice and solutions as well as improving their capabilities. It also supports the development of a cooperative response to large-scale cross-border cybersecurity incidents or crises. Since 2019, the Agency has also drawn up cybersecurity certification schemes.

Our latest report, “Guidelines for Securing the Internet of Things”, was written to help establish a security framework for securing the Internet of Things (IoT). The framework provides guidance for both consumers and providers on how to secure IoT devices and infrastructures, considering the whole cybersecurity cycle. In writing this paper, one of the main objectives was to address the challenges that the global supply chains for IoT must overcome to deliver greater security. We include a non-exhaustive list of security considerations alongside a set of best practices to help ensure not only the security but also the overall quality of the supply chain.

An important area of focus is our section on best practices. While the development of good security practices in the supply chain for IoT is critical, the majority of our advice extends beyond this; similar models and concepts can be applied for IT networks and many IT devices. We provide recommendations that will assist in countering and mitigating the threats that might impact the supply chain, classified into three main groups – actors, processes, and technologies.

While those factors are important in security, one must not forget that there is always a human element needed. Without the right people or partners in place, it is difficult to create and maintain a secure environment. As with IT devices, monitoring IoT devices 24×7 is crucial to being able to quickly detect threats and respond to incidents. If you’re unable to manage this in-house, using an MDR service provider to assist with or augment your security is a great way to help orchestrate actions in complex and hybrid environments.

To read ENISA’s recommendations on how to secure the IoT supply chain, download the full report.

To learn more about how Proficio can help you improve your security posture, contact us.

Why Singaporean Businesses should Incorporate AI / Machine Learning into their Cybersecurity Operations

Did you know that 96 percent of Singaporean businesses have reportedly suffered a data breach? And cybercrime is not slowing down. With the financial risk from cyberattacks estimated to be US$5.2 trillion between 2019 and 2023, it creates an ongoing challenge for investors, corporations, and consumers around the world. In Singapore, experts detected approximately 4.66 million web threats in 2019. This shocking statistic acts as a reinforcement for the need for innovative ways of enhancing cybersecurity within our region.

Earlier this year, Finance Minister Heng Swee Keat revealed that the Singapore government will be investing S$1 billion to strengthen its cyber and data security systems to safeguard its critical information infrastructures, as well as its citizens’ data. Moving forward as a digital economy and smart nation, and with increasingly adopted technologies like artificial intelligence (AI), Machine Learning (ML), and Internet of Things (IoT), the Singapore government will also provide more funding to local deep-tech startups and small and midsized businesses (SMBs).

While the term AI was first coined in 1956, today it is a field of computer science focused on how machines can imitate human intelligence. Successful applications of AI include beating humans at Go, diagnosing cancer, and operating autonomous vehicles. Over the last 10 years, the potential of AI to help with cybersecurity problems has evolved from being overhyped into a critical ingredient of enterprise security programs. In their Top Security and Risk Trends for 2020, Gartner projects that “AI, and especially machine learning (ML), will continue to automate and augment human decision making across a broad set of use cases in security and digital business.”

Finding a Needle in a Haystack

While it is common knowledge to security professionals, others may be surprised by the daily volume of security logs generated by enterprises. The logs generated by firewalls, authentication servers, endpoints, and a variety of other devices and security tools total multiple millions every day. Security information and event management (SIEM) tools can use rules to filter and prioritize these logs into alerts, but it is the job of security analysts to investigate the most critical alerts. For example, out of 10 million daily logs, hundreds may require expert human investigation.

Security analyst investigations include examining detailed log data, reviewing correlated events and threat intelligence, and looking for suspicious behavior. Analysts must quickly determine if the event has actually compromised the organization’s security, is a potential threat, or is a false positive. This difficult and time consuming work is made even more challenging by the high percentage of alerts that are false positive. This is why it is not uncommon for security analysts to get “alert fatigue” – losing motivation to thoroughly investigate alerts.

Reactive investigations are necessary but insufficient for a robust security defense. Security teams should also proactively hunt for threats that are not triggered by system alerts. Targeted attacks often aim at stealing critical data and use techniques like obtaining user credentials, escalating to a privileged user, and moving laterally across the network. These attacks, also known as advanced persistent threats (APTs), can result in an attacker gaining unauthorized access to a system or network and remaining there for an extended period of time without being detected. The time a hacker goes undetected on your network, or “dwell time”, is commonly measured in months. APTs that use multi-stage attacks occurring over longer periods, commonly referred to as low-and-slow attacks, are hard to detect with rule-based analytics alone. The practice of hackers changing or morphing their attack techniques further adds to the challenge of threat hunting.

AI to the Rescue

Initial approaches to detecting threats used a subset of AI called unsupervised machine learning to detect anomalies. Unfortunately, while AI has been proven to predict significant future events, the range of behaviors of users, applications, and external data is so complicated it is very hard to identify malicious outliers. The result was many AI-powered products that generated too many false positives to be practical.

While unsupervised learning attempts to find patterns among data points without knowing the meaning of the data, supervised learning infers a relationship based on existing data labels. For example, an AI model can learn to recognize pictures of a table after being trained on a large number of images that are identified as tables. However, in the field of cybersecurity, it is very hard to obtain labelled data to train detection models. Additionally, hackers can change or adapt the attack techniques faster than a supervised learning model can be trained.

The solution to these limitations is active supervised learning, which engages human experts to help create and train threat hunting models. Organizations that are using both AI and humans are 20 times stronger against cyberattacks than traditional methods. The resulting AI models combined with expert feedback can quickly learn to distinguish between malicious and normal behavior. AI-powered threat hunting enables security analysts to significantly increase productivity and detect and respond to more real threats that would have otherwise resulted in a damaging breach.

Can AI Defend Against AI?

Just as security teams and technology vendors are adopting AI to detect and contain threats, hackers can also use AI to power their attacks. Hackers are expected to use AI techniques to target organizations, develop new exploits, and detect vulnerabilities. AI is expected to increase the speed of attacks while reducing cost. For example, writing an effective phishing email takes time and creativity; AI can help automate this process.

The good news is developers of security tools are also rapidly adopting AI as part of the product development and enhancements. However, there is still a lot of marketing hype around AI, so we advise you to dig into the details to assess if your vendors are fully leveraging AI/ML technologies before you make the leap.

Organizations can use machine learning to detect suspicious and unusual patterns that are nearly impossible to discover through the human eye. The intelligent detection algorithms can compare the network data packets continuously to discover anomalous traffic, then apply strategies, such as statistical monitoring and anomaly detection, to identify malware variants communicated over a network. Cybersecurity is traditionally a very time-consuming task but with effective use of AI, you can begin to make your cybersecurity teams more efficient.

Europe’s 2020 Cybersecurity Evolution: Securing Teleworkers

How cybersecurity of organisations in Europe will change and adapt with teleworking and the migration to the cloud

When 2020 arrived, no-one could have predicted nor expected the drastic changes that we are seeing in the light of the COVID-19 pandemic. Not only has the pandemic changed cybersecurity, it has also created a huge paradigm shift in the way that organisations work.

The pandemic caused a rush across Europe to get employees out of the office and working from home, creating a requirement to better secure the teleworkers. Prior to the pandemic, only 5.2% of people regularly worked from home across the EU. A Europe-wide push for people to self-isolate proved challenging for the majority of the continent’s population who typically hadn’t been working from home; however, now that this paradigm has shifted, organisations across Europe are turning their attention to how they will work in the future.


Creating the New Normal in the Cloud

There has been much talk in the media about the “new normal” and what that will look like when it comes to cybersecurity. With lockdown restrictions easing, the return to the office is firmly on the board’s agenda. Most European organisations are considering two options – allow their employees to work from home full-time or adopt a “hybrid” workplace approach, where employees will split their time between working in the office and at home.

The pandemic has helped many employees realize how much they enjoy the work/life balance and appreciate not having to commute to an office five days a week. They have also proven that they can work just as effectively from home as in the office. Research predicts that the number of UK employees working from home on a regular basis will double, increasing to 37%, compared to 18% before the pandemic hit.

In line with this change, many European organisations have reduced their real estate and have a decreased need for on-premise solutions. This is creating a shift to cloud-based solutions that will provide stronger protections for teleworkers. The growth in cloud computing has been massive and transformational – and quickly sped up with the pandemic.

Cybersecurity for Teleworking

If employees are going to work from home on a regular basis, their cybersecurity hygiene should be considered by the organisations they work for. There are a myriad of different challenges with securing teleworkers; for instance, employees might be more likely to fall victim to a phishing email or cut corners when it comes to backing up important company data.

Phishing attacks have grown by over 60% in the UK since the COVID-19 pandemic and are widely recognised as the top cause of data breaches. Hackers are getting much more sophisticated in their approach to phishing attempts and once an employee clicks on a malicious link, they may be able to gain access to the employer’s device or sensitive data.

Cybersecurity for home workers is very different than for the office. Employees’ home networks will often have weaker protocols (WEP instead of WPA-2, for example), which can allow hackers to access network traffic much more easily. To help with this change, many organizations are looking for upgraded security tools and services that can be entirely cloud based. It’s a good time to review remote access solutions and policies, to ensure your team is working securely while remote.

Securing the Cloud

With the transition of more employees to working from home, it is not surprising that cloud technologies have been adopted at an incredible rate in recent months. Of the 250 IT leaders surveyed, 82% said they have increased their use of the cloud in direct response to the COVID-19 pandemic, with 60% saying their use of off-prem technologies has continued to grow post-pandemic. The same study also found that respondents believe that by 2025 only 22% of workloads will reside on-prem, compared to 35% of workloads that resided on-prem prior to the COVID-19 outbreak.


From a business continuity perspective, there has never been a better time to make the move to the cloud. The ability to allow employees to work from anywhere via a virtual desktop or remote infrastructure has been instrumental to keeping employees working, and business moving, during the COVID-19 pandemic.

However, data sovereignty issues now become more of a focus and risk, especially for Chief Regulatory Officers and General Counsels. This country-specific requirement states that digital data must remain within that country’s borders and is subject to the laws of the country in which it is collected and processed. Many countries have had data protection laws for decades, and with the stricter rules put in place by the EU’s General Data Protection Regulation (GDPR), the concerns have become much more prominent.

So while the migration to cloud-based technologies may be straight-forward, securing it may not. Some teams are well equipped to deal with the transition, but many teams find themselves struggling to secure their teleworkers. The cybersecurity skills shortage in Europe is expected to be nearly 350,000 by 2022, which means many teams will have to look for alternative ways to secure their cloud technology.

For many in Europe, the idea of a SOC-as-a-Service, or outsourced managed services, wasn’t a consideration prior to the pandemic. But given the swift changes organizations had to make, they have realized that partners can help to fill a gap with their IT security. Cloud-based SOC-as-a-Service providers offer a lot of flexibility for organizations and 24/7 protection that many organizations can’t fulfill in-house.

If you find yourself trying to build out a secure, cloud-based security program, here are a few principles that you should follow when transitioning data to the cloud:

  • Monitor and secure your Office 365 implementation. Office 365 is continuing to be adopted at an exponential rate, especially since the global coronavirus pandemic hit earlier this year. While it allows businesses to be more efficient and productive when it comes to remote working, it is also a high-value target for cybercriminals. Properly monitoring your Office 365 environments for your remote workers can help to detect account compromises, identify phishing attempts or suspicious email patterns, and detect password attacks, suspicious file sharing, permission changes or downloads. Protecting your organisation by having use cases that monitor your remote workers’ Office 365 environment is crucial whether you run a hybrid-cloud or multi-cloud model, and even more so when employees work from home.
  • Make sure your data is secure. Data in transit should be encrypted end to end. In addition, all interactions with servers should happen over TLS (TLS 1.2). This will ensure the highest level of security. TLS should terminate only within the cloud service provider’s network.
  • Get a virtual private network (VPN) and virtual private cloud (VPC). Having a dedicated cloud environment gives you total control of your data. Customers can connect securely to your corporate data centre, and all traffic to and from instances in your virtual private cloud can be routed to the corporate data centre over an industry-standard encrypted Internet Protocol Security (IPsec) hardware VPN connection. This connection should also be monitored 24/7 for suspicious activity.
  • Look for partners who can help. If you’re struggling to secure your cloud environments, consider finding a partner to assist. Utilising SOC-as-a-Service or other managed security services allows you to not only fill a gap within IT security, but also offers significant cost savings through tailored service offerings. Their continuous detection, protection and response is a great option for organisations that do not have resources for a 24/7 in-house team.
  • Ensure partners follow rigorous compliance standards. If you find yourself looking for partners, make sure their compliance standards are robust. Two of the most important are SOC 2 Type 2 and GDPR. SOC 2 Type 2 is good for internal risk management processes, regulatory compliance oversight and vendor management programs. It confirms that a cloud service maintains the highest possible level of data security. GDPR is the European standard when it comes to data compliance. You should ensure your partners are adhering to best practices that will achieve GDPR compliance.
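To make the second principle above concrete (TLS 1.2 or later, with the server verified end to end), here is an added Python example that is not part of the original post: it builds a weakened client context of the kind the principle warns against, a hardened one, and an audit function that reports which settings fall short. The function names and the `https_get` helper are my own; nothing here is Proficio code.

```python
import ssl
import urllib.request
from typing import List, Optional

# Added example: compares a weak TLS client configuration with a hardened one
# and audits either against the "TLS 1.2, verified, end to end" principle.


def weak_client_context() -> ssl.SSLContext:
    """A client context with verification switched off (do not use in production)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                              # accepts any server name
    ctx.verify_mode = ssl.CERT_NONE                         # accepts any certificate
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # leaves old TLS enabled
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """A client context that verifies the server and requires TLS 1.2 or later."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the floor from the principle above
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of ways ctx falls short of the hardened baseline."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 permitted")
    return findings


def https_get(url: str, ctx: Optional[ssl.SSLContext] = None) -> bytes:
    """Fetch url with the hardened context (needs network access; not used offline)."""
    ctx = ctx or hardened_client_context()
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))        # three findings
    print("hardened:", audit_context(hardened_client_context()))  # []
```

The audit function is the useful part for a review: point it at whatever context a service or script actually uses and the findings list tells you whether the "TLS 1.2, verified" rule holds in practice rather than on paper.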

There is a lot to consider during this time of uncertainty, but once the dust settles, migrating to the cloud properly will provide benefits to your employees and customers alike. If you’re looking for a partner who can help you with this transition, or if we can be of help in any way, please feel free to contact us.

5 Reasons MITRE Framework is Being Adopted by the Industry

Since the MITRE ATT&CK framework was released in 2013, it has become widely used by cybersecurity teams. Built to be complementary to other frameworks, like the Lockheed Martin Cyber Kill Chain, the ATT&CK method (Adversarial Tactics, Techniques & Common Knowledge) was created to be a “foundation for the development of specific threat models and methodologies”.

The MITRE ATT&CK framework breaks down known tactics and techniques into 11 main categories. This free resource provides cybersecurity teams with a systematic approach on how to classify attacks and assess risk based on how an attacker might act. As the cybersecurity landscape continues to evolve, we expect frameworks like MITRE to play an important role and be a key component in The SOC of the future.

Here are five reasons the MITRE framework is being adopted in the industry and why you should consider using it for your organization.

Structure Your Defenses

Using the MITRE framework automatically creates an organized approach to building your cybersecurity defenses. The standardization they provide in their matrix is logically built out to help organizations form a baseline cyber strategy. Organizations both young and old can utilize this framework to achieve comprehensive detection of known threats. Using tools such as DetectionLab will allow you to create a mock environment to see how specific tactics behave so you can create correlation rules that will trigger an alert for suspicious activity.

Be Stronger Together

The MITRE framework is constantly being worked on and developed by the excellent team at the MITRE Corporation. Additionally, they accept and encourage public submissions recognizing that we are stronger when we work together. While they only publish updates twice a year, they do a great job keeping abreast of the latest threats from across the globe. And if you’re using Sigma format when writing use cases (which we highly recommend), you can also take advantage of the rules already created by the community.

Be the Best, With the Best

Although there are many security frameworks available, many in the industry believe that MITRE is the best framework to use. The framework is newer and, in many cases, considered more relevant to today’s cyberthreats. It also provides much more granularity into known tactics and techniques, which makes it a valuable tool for anyone new (or not!) to cybersecurity. The level of description provided for each technique (or sub-technique) helps to answer the critical question, “how can I detect this?” The MITRE framework provides a high level of detail that includes a definition of the tactic, procedure examples, mitigations, detection details, platforms the activity is performed on, and data sources whose logs will show the activity. It gives you much of what you need to understand each type of activity and start looking for it in a network or system.

Build Trackable Metrics

Using the MITRE framework gives you a baseline for mapping trends. Not only will this help you track where your attacks are coming from and how you can better defend your organization, but it may also help you discover defensive strengths and weaknesses – and then provide direction on how to close any gaps in your security posture. As an added bonus, you can use the ATT&CK Navigator, a tool that allows you to customize your matrix. This tool acts as a whiteboard for MITRE, allowing you to color code, annotate, and even export to Excel. It is a good way to visualize your coverage; at a quick glance, you can see which areas you have covered – and where you have gaps – helping you ensure you have well-rounded coverage.
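The two ideas above (writing use cases in Sigma, then visualizing coverage in the ATT&CK Navigator) connect through the `attack.tNNNN` tags that Sigma rules carry. The following added Python example, which is not code from the original post or from MITRE or the Sigma project, reads those tags from a few constructed rules, emits a Navigator layer whose score per technique is the number of rules covering it, and lists the techniques on a priority list that no rule covers. The sample rules, the priority list and the layer format version are assumptions made for the example.

```python
import json
import re
from collections import Counter
from typing import Dict, List

# Added example: turn Sigma rule tags into an ATT&CK Navigator coverage layer
# and a gap list. Rules below are constructed and abbreviated to what matters.
SAMPLE_RULES = [
"""
title: PowerShell Download Cradle (constructed sample)
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\\powershell.exe'
        CommandLine|contains: 'DownloadString'
    condition: selection
tags:
    - attack.execution
    - attack.t1059.001
""",
"""
title: Many Failed Logons For One Account (constructed sample)
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    condition: selection | count() by TargetUserName > 10
tags:
    - attack.credential_access
    - attack.t1110.001
""",
"""
title: Run Key Persistence Written By PowerShell (constructed sample)
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\\CurrentVersion\\Run\\'
    condition: selection
tags:
    - attack.persistence
    - attack.t1547.001
    - attack.t1059.001
""",
]

# Sigma writes technique tags as attack.tNNNN or attack.tNNNN.NNN (one per line).
TECHNIQUE_TAG = re.compile(r"^\s*-\s*attack\.(t\d{4}(?:\.\d{3})?)\s*$", re.I | re.M)


def extract_technique_ids(rule_text: str) -> List[str]:
    """Return ATT&CK technique IDs (e.g. 'T1059.001') tagged in one Sigma rule."""
    return [m.upper() for m in TECHNIQUE_TAG.findall(rule_text)]


def coverage_counts(rules: List[str]) -> Dict[str, int]:
    """Map each technique ID to the number of rules that reference it."""
    counts: Counter = Counter()
    for rule in rules:
        counts.update(set(extract_technique_ids(rule)))  # one vote per rule
    return dict(counts)


def build_navigator_layer(rules: List[str], name: str = "Sigma coverage") -> dict:
    """Build a Navigator layer whose per-technique score is the rule count."""
    counts = coverage_counts(rules)
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Layer format version is an assumption; match it to your Navigator release.
        "versions": {"layer": "4.3"},
        "description": "Detection coverage derived from Sigma rule tags",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"{n} Sigma rule(s)"}
            for tid, n in sorted(counts.items())
        ],
    }


def coverage_gaps(rules: List[str], wanted: List[str]) -> List[str]:
    """Techniques from your priority list that no rule references."""
    covered = coverage_counts(rules)
    return [t for t in wanted if t not in covered]


if __name__ == "__main__":
    priorities = ["T1059.001", "T1110.001", "T1547.001", "T1003.001"]  # constructed
    print(json.dumps(build_navigator_layer(SAMPLE_RULES), indent=2))
    print("gaps:", coverage_gaps(SAMPLE_RULES, priorities))  # ['T1003.001']
```

Save the printed JSON to a file and open it in the Navigator to get the colour-coded coverage view described above; the gap list is the same information in a form that fits a ticket or a quarterly metric.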

Speak A Common Language

The broad adoption of MITRE makes it an easy way to communicate details to others in a more digestible fashion – not only within your organization, but also to clients, partners, and others in the industry. This is why so many Managed Security Services Providers (MSSPs) have adopted this framework within their organization. It has also become the common language in the cybersecurity community, allowing us to work together to fight against cybercriminals.

Wherever you are in your cybersecurity journey, it is never too late to redefine your processes to better align with your long-term strategy. Proficio finds the MITRE framework a great way to provide our clients with comprehensive cybersecurity coverage, writing use cases in Sigma and mapping them to MITRE ATT&CK. If you are interested in seeing how the MITRE framework, and Proficio, can help keep your organization better protected, please contact us to learn more.

5 Strategies to Stretch Your Cybersecurity Budget

More than ever before, organizations are asking their cybersecurity teams to find savings, delay expenditures and get more value from their budgets.

While pushing vendors for price concessions, decreasing pay, or even laying off employees are options, IT leaders should use the pandemic as an opportunity to rethink their overall approach and find sustainable strategies to maximize the ROI from their IT security investments.

1. Be Business Driven

In order to do this, you must first have the relevant business data to make decisions.

Prioritize key outcomes from your cybersecurity program such as reducing risk, preventing data theft, and meeting compliance mandates. Frameworks such as NIST CSF, ISO 27001, CIS 20, COBIT, and HITRUST are useful tools, but aligning with something like the Sherwood Applied Business Security Architecture (SABSA) methodology allows for the prioritization of projects based on the business context and value. It is important to stay strategic and align cybersecurity outcomes with key business objectives.

Analyze your existing and planned spending in support of prioritized outcomes. Things to consider include the cost of employees, contractors, services, technology, support contracts, and infrastructure. Understand the variability of costs on a short-term and long-term basis. Some costs may be locked in over the term of a contract while others may be more easily reduced or eliminated. Many vendors and MSPs offer utility-based pricing that not only allows you to shift to an OpEx model but provides the flexibility to pay for actual usage rather than for maximum capacity in advance.

2. Maximize the Value of Existing Tools

Many organizations do not take full advantage of the products they have. This may be due to a skills gap, incomplete implementation by the vendor, or simply because the original champion for the product has left the company. Whatever the reason, getting more out of your current tools improves cybersecurity outcomes and can delay spending on potentially unnecessary technology refreshes. Ask your vendors for free or low-cost training options and request a product roadmap briefing. You may find the functionality you think is missing is available for free in the next update.

In some cases, you may also find that spending money on external resources will help you better leverage a product’s capabilities. For example, in our experience many organizations only effectively use 50% of the functionality of next-generation firewalls (NGFWs). This is often due to incorrect or incomplete configurations and poorly defined standards. Partnering with a Managed Security Service Provider (MSSP) with mature operational processes and the necessary skills can help you maximize your investment in existing technologies, such as NGFWs or next-generation endpoint software.

3. Get Creative with Staffing

Employee costs make up a significant percentage of a typical organization’s budget – which means it’s also an area where there can be cost savings. It is important to maximize productivity by a combination of accomplishing more from existing staff and keeping salaries of new hires at reasonable levels.

Even before COVID reset the norms around working from home, the role of security in digital transformation was a hot topic. The pandemic has accelerated aspects of that transformation, forcing a rethink of the traditional workspace and adding a layer of workforce monitoring at a scale most organizations were not ready for; but it has also opened many employers and employees up to the idea of remote working or telecommuting. By considering a remote workforce from an expanded geographical base, you can reduce the cost of labor and access a larger pool of skilled professionals. In addition, you should consider hiring interns. While many organizations see their intern program as a way to recruit and train future full-time employees, interns often provide immediate value by off-loading entry-level but time-consuming tasks from other team members.

Look at how you can maximize productivity of your current team by analyzing what work can be automated or even eliminated. Removing mundane tasks from the to do list of skilled resources allows team members more time for professional growth which is more cost effective than hiring new resources to cover skills gaps. Implementing productivity improvement initiatives, such as streamlining workflows or implementing SOAR automation, allows staff to free up time to focus on other priorities or even engage in further training.

4. Outsource Security Operations

A Security Operations Center (SOC) plays a critical role in helping protect organizations from damaging cyberattacks and meet compliance mandates. The primary function of a SOC is threat identification, analysis and response.

Standing up an in-house SOC is complex, time-consuming, and expensive. Studies have shown that building an in-house SOC can be five times more expensive than outsourcing. Based on our industry analysis, the breakeven point where an in-house SOC makes economic sense starts at organizations with over 500 security appliances and more than 10 000 employees. This assumes 75% utilization of all resources and no advanced capabilities such as Red Teams or threat intelligence research. It is often more effective for smaller organizations to focus their resources on strategic planning and architecture work and to outsource the more operational functions to a service provider.

Most organizations cannot justify a team large enough to support the range of functions needed for around-the-clock security operations. A 24/7 SOC with a three-tier analyst team would require eight Level 1, five Level 2, and three Level 3 analysts; this is only productive at scale, and in a small organization these resources will be significantly underutilized. Additional team members with specialized skills, such as SIEM administration, use case development, threat hunting, and incident response, are needed to mount an effective cyber defense. For all but the largest organizations, partnering with an MSSP provides significant cost savings and is far more effective.

Acquiring, integrating, and tuning software is another challenge for organizations considering building an in-house SOC. In our experience, many businesses find that the software subscription for an enterprise SIEM is comparable to an MSSP’s fees for a complete service. In an outsourced model, an organization only pays for the actual utilization of the resources when a shared resourcing model is leveraged. And consuming infrastructure on a utility basis allows for more flexibility to ramp up and down without the burden of fixed costs.

While switching to an MSSP is economically beneficial, the real motivation should be the efficacy of the service and improved cybersecurity outcomes. Next-generation MSSPs and MDR service providers bring their clients superior threat visibility and best-in-class threat response and containment. Operational maturity improves immediately when an MSSP is leveraged.


5. Consolidate and Rationalize

Studies have shown that consolidation of vendors and technologies significantly increases the effectiveness of solutions and significantly reduces operational costs. There are more than 1600 security vendors in the US market alone, which has created a culture of purchasing best-of-breed technologies to fill perceived gaps in the architecture. Adding devices and technologies amplifies the skills gap and more often than not reduces the effectiveness of the security controls. On average, proactive operation of a device, irrespective of its function, requires about 6.4 hours of effort per month.

By identifying overlapping capabilities across technologies and removing redundant functionality through the elimination of point solutions, an organization can often cover gaps in headcount through the cost savings from technologies that no longer need to be renewed and maintained, as well as through a reduced skills requirement.

The selection of a security platform to meet the control and monitoring requirements that has the ability to integrate into the rest of the corporate network and data center infrastructure has been shown to be significantly more efficient and cost effective. The benefit of integration offsets functional advantages of point products.

Managed Detection is achieved through effective configuration of technologies that allows for tighter controls and effective visibility into network and endpoint activity. Reducing the number of devices and technologies sending log data, by removing ineffective technologies and enriching what remains with business context, provides more accurate threat detection and fewer false positives, allowing analysts to investigate and hunt threats more effectively.

IT leaders also need to carefully balance the impact of incremental expenditures on risk reduction. For example, the volume of log data ingested by a SIEM (measured in terms of GB/Day or Events Per Second) drives software subscription fees and storage costs. By carefully selecting the type and quantity of log data and combining use case analytics, correlation rules, and threat intelligence, you can keep costs minimized while still ingesting data critical for threat detection.


Businesses have always struggled to determine the right budget for cybersecurity, and this is not likely to change. The COVID environment only increases and complicates this challenge.

Gartner’s revised forecast for information security spending in 2020 went down from 8.7% to 2.4%. They stated, “The coronavirus pandemic is driving short-term demand in areas such as cloud adoption, remote worker technologies and cost saving measures.”

Boards and executive management are looking for CISOs to educate them on how to fund this critical function and for well-thought-out ideas to keep their organizations protected while maintaining a tight budget.

10 Ways to Address the Cyber Skills Gap

With all the layoffs and furloughs due to COVID-19, you may be wondering if the shortage of cyber professionals is still a problem. According to Gartner, the answer is yes. Citing the rise in COVID-19 themed cyberattacks, Gartner saw the demand for information security roles surge in February 2020.

Industry experts now count the global shortage of cybersecurity professionals in the millions. To hiring managers, this simply means good people are very hard to find and even harder to retain within their budget.


The labor shortage is complicated by the proliferation of roles that are needed to support a strong cybersecurity defense. For example, staffing a Security Operations Center (SOC) requires a team of security analysts, threat responders, security engineers, and SIEM content developers. Many organizations are not big enough to support full-time employees with such a narrow cybersecurity specialization. And when you add in the requirement to staff a 24/7 operation, the cost and time to build a team can become insurmountable.

Here are three areas where you can combat the staffing shortages in our industry.

Talent Sourcing

  1. Partner with Educational Institutes

Universities and technical colleges offer a range of cybersecurity courses and degree programs that may one day help shrink the skills gap. In the meantime, employers should identify local educational institutes and recruit students into intern and entry-level positions. Consider offering to be a guest presenter, hosting a tour of your company, or contacting the college’s student placement team and asking about hiring events.

  2. Hire More Women

Women only make up a quarter of the cyber workforce, but bring many desirable skills and unique perspectives to cybersecurity roles. Get involved in networking groups for women interested in cybersecurity and demonstrate to female candidates that your organization is an environment where they are valued and can achieve their career goals.

  3. Recruit Veterans


Veterans are accustomed to working in demanding environments, using advanced technology, and being trusted with confidential information. There are multiple opportunities for employers to support veterans’ groups that focus on cybersecurity training and to gain more visibility as a potential employer.

  4. Look for Adjacent Skills

Hiring managers like to find people who have experience in a role similar to the vacancy they are trying to fill. In a tight labor market, you can expand your candidate pool by recruiting based on skills rather than roles. For example, search for candidates with computer networking or ITSM skills who can be trained on the missing skillset.

Reduce the Need

  5. Automate

IT teams should look for opportunities to automate workflow and remediation tasks, to create faster processes and reduce the workload. Security Orchestration Automation and Response (SOAR) tools can increase productivity and reduce the need for incremental hiring.

  6. Train

Like automation strategies, effective training increases the productivity of your IT security team. Cybersecurity professionals are often focused on achieving certifications that increase their marketability but do not necessarily increase their productivity. Map your team’s skills gaps to key objectives and explore training courses that allow your team to optimize the tools you have in place.

  7. Retain

Employee turnover has a negative impact on productivity and quality and is a significant time drain for hiring managers. Effective retention strategies include offering a career path, paying competitively, providing training, and offering the ability to work remotely.

Change the Dynamic

  8. Co-Managed/Outsourced Model

Many organizations do not have the scale or budget to hire a team of cyber professionals. Outsourcing this function to a managed security service provider (MSSP) taps into a pool of trained experts, allowing the client to leverage the MSSP’s investments in tools and benefit from their mature processes.

  9. Hire Remote Employees

COVID-19 has altered the expectations of working from home. Traditionally, companies required security staff to work in a secure physical location or Security Operations Center (SOC). While there are still advantages from team members collaborating from the same location, IT security managers are becoming more accepting of virtual collaboration. This shift provides more flexibility for those in the industry and will be a differentiator in combatting the cyber skills gap.

  10. Move SOC Location

The challenge of staffing and managing a 24/7 operation is non-trivial. Studies of human behavior show that productivity and effectiveness degrade during second and third shifts. Adopting a follow-the-sun model allows employees to work during local business hours, attracting higher quality and more experienced professionals who otherwise would not sacrifice their quality of life by working graveyard shifts. Moving a SOC can also take advantage of the availability of skilled labor in locations near universities or other big employers.

Reopening Safely – Cybersecurity Recommendations for Organizations Returning to the Office

According to the consulting firm McKinsey, organizations will need to navigate through the stages of Resolve, Resilience, Return, Reimagination, and Reform during the COVID-19 pandemic. Many organizations are now in the Return stage as they ask their employees to come back to their business locations.

The challenge for IT organizations is how to manage the transition through these stages as securely and effectively as possible. It is not as simple as flipping a switch, where business operations return back to the way they were before COVID. Successfully reopening will require advanced planning, locking down networks, and avoiding human errors often caused by a rushed implementation.

Industry experts expect COVID to accelerate digital transformation. From the supply chain, through manufacturing and on to customer engagement, businesses need solutions that are more adaptable, agile, and digitally enabled. For example, the digital transformation of the supply chain includes digitally connecting buyers with a network of partners, uploading design data, getting instant pricing, and performing design for manufacturing on the fly.

Digital transformation will require businesses to rearchitect their networks and applications, creating new cybersecurity challenges.

Protect Your Networks

Sales of notebooks rose dramatically in March and April of 2020 as office workers transitioned to teleworking. Whether permanently or following a staggered work schedule, many of these workers will trade in their notebooks for their old desktop computers as they return to their traditional place of work. IT teams should proactively secure desktop PCs by applying security patches, updating endpoint security, and adjusting thresholds for desktop logs.

Unpatched vulnerabilities are a significant cause of avoidable data breaches. Patch management for Microsoft products alone is a major undertaking. On the second Tuesday of each month, known as Patch Tuesday, Microsoft releases security-related updates for Windows, Office, and related products. Microsoft issued 339 security patches in March, April, and May of 2020. When reviewing vulnerabilities, teams responsible for patching should not only assess the criticality of the vulnerability but also consider its exploitability. For example, Microsoft classifies CVE-2020-1054 as “Important” with a rating of “Exploitation More Likely”. According to Microsoft, an attacker who exploited this Win32k Elevation of Privilege vulnerability could run arbitrary code in kernel mode and then install programs; view, change, or delete data; or create new accounts with full user rights.

Risk-Based Vulnerability Management (RBVM) tools help address the trade-off between criticality and exploitability. Asset discovery, continuous vulnerability scanning, risk indexing, and patch management are components of RBVM solutions. RBVM Managed Services take this a step further by offering experts that provide lifecycle vulnerability management services and make patching recommendations that factor in compensating controls, deployment challenges, and business continuity.
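The criticality-versus-exploitability trade-off above is easy to make concrete. The added Python example below, which is not code from the original post or from any RBVM product, ranks findings by a risk index that multiplies vendor severity, the Exploitability Index rating and asset exposure, and halves the score when a compensating control is in place. CVE-2020-1054 and its two ratings come from the article; the other three entries, the weights and the discount factor are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Added example: a small risk index in the spirit of RBVM. Weights are
# assumptions chosen for illustration, not a vendor's scoring model.
SEVERITY = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}
EXPLOITABILITY = {                      # Microsoft Exploitability Index wording
    "Exploitation Detected": 4,
    "Exploitation More Likely": 3,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 1,
}
EXPOSURE = {"internet": 1.5, "internal": 1.0}
COMPENSATING_DISCOUNT = 0.5             # assumption: a mitigating control halves risk


@dataclass
class Finding:
    cve: str
    title: str
    severity: str
    exploitability: str
    exposure: str
    compensating_control: bool = False

    def risk_score(self) -> float:
        """severity x exploitability x exposure, discounted for compensating controls."""
        score = SEVERITY[self.severity] * EXPLOITABILITY[self.exploitability]
        score *= EXPOSURE[self.exposure]
        if self.compensating_control:
            score *= COMPENSATING_DISCOUNT
        return score


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by CVE id so the patch list is stable."""
    return sorted(findings, key=lambda f: (-f.risk_score(), f.cve))


# CVE-2020-1054 and its ratings are from the article; CVE-EXAMPLE-* are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-2020-1054", "Win32k Elevation of Privilege", "Important",
            "Exploitation More Likely", "internal"),
    Finding("CVE-EXAMPLE-A", "constructed: critical bug shielded by a WAF rule", "Critical",
            "Exploitation Unlikely", "internet", compensating_control=True),
    Finding("CVE-EXAMPLE-B", "constructed: critical bug, exploited in the wild", "Critical",
            "Exploitation Detected", "internet"),
    Finding("CVE-EXAMPLE-C", "constructed: moderate bug on an internal host", "Moderate",
            "Exploitation Less Likely", "internal"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.risk_score():5.1f}  {f.cve:14}  {f.severity} / {f.exploitability}")
```

The ordering that falls out (CVE-EXAMPLE-B, then CVE-2020-1054, then C, then A) is the point: an “Important” bug that is likely to be exploited outranks a “Critical” one that is unlikely to be exploited and already sits behind a compensating control, which a severity-only sort would get backwards.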

Review Remote Access Solutions and Policies

Chances are that your IT team has already been through a trial-by-fire experience setting up remote access for a large number of employees as the organization adopted a work-from-home policy. Now is a good time to re-evaluate your VPN capacity as the pendulum swings the other way.

Your approach to working from home will significantly affect your required VPN capacity. Some organizations are embracing teleworking on a long-term basis, while others see this as a temporary solution until there is a COVID-19 vaccine. Use a network performance monitoring tool to analyze usage of your VPN. If you do not have one, many good tools are available on a free trial basis. For example, products like PRTG can be used to monitor multiple VPN parameters including traffic, users, and applications.

PRTG VPN Monitoring

Through the process of rebaselining your capacity needs, you will determine if your existing VPN hardware and licensing are sufficient for your expected requirements. This is also a good time to consider rearchitecting your approach to remote access. Strategies include moving data and applications to the cloud and using products like Citrix Access Control. Moving away from traditional VPNs will likely add flexibility and scalability to your users and mission-critical applications. However, these benefits come at a price and often have longer implementation timelines than expected.

In addition to reviewing operational aspects of your VPN infrastructure, a reopening plan should revisit the policies that secure VPNs, including password policies, 2FA, and software updates. SOC teams or managed service providers should constantly monitor VPN activity for anomalous behavior. Easy-to-use dashboards should provide visibility into VPN user activity, geographic locations, and variations from expected thresholds. A better understanding of your VPN traffic and trends will improve your security posture by streamlining the effort required to properly analyze alerts. Event notifications will drive security analyst investigations and remediation steps.

Questions to consider:

  • How many employees are just doing what works and bypassing security controls to get things done?
  • Is it normal for your organization to have successful remote VPN logins from resources outside the country?
  • Did your organization need to “relax” any security or compliance policies to enable employees to use RTP (Real-time Transport Protocol), used in live video streaming services like Zoom, WebEx or others?
  • How many different RTP applications are running on these hosts and are they configured to meet your organization’s security and compliance strategy?
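Two of the questions above (logins from outside the country, and whether VPN activity departs from expected patterns) can be answered from the VPN authentication log itself. The following added Python example, which is not code from the original post or from any VPN vendor, runs three simple checks over a handful of constructed log lines: a successful login from a country where the organization has no staff, a successful login outside business hours, and a burst of failed logins that ends in a success. The log line format, the allowed-country list, the business-hours window and the burst thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Set

# Added example: anomaly checks over VPN authentication logs. The line format
# below is an assumption; map your own VPN's fields onto it.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)

ALLOWED_COUNTRIES = {"US"}            # where this organisation's staff work (assumed)
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59; timestamps are UTC (assumed)
FAILURE_THRESHOLD = 4                 # failures inside the window that make a burst
FAILURE_WINDOW = timedelta(minutes=5)

# Constructed sample log (TEST-NET addresses, made-up users).
SAMPLE_LOG = """\
2020-06-15T08:02:11Z user=alice src=203.0.113.10 country=US result=success
2020-06-15T08:05:40Z user=bob src=198.51.100.7 country=US result=success
2020-06-15T03:17:02Z user=carol src=203.0.113.44 country=RO result=success
2020-06-15T09:00:01Z user=dave src=198.51.100.9 country=US result=failure
2020-06-15T09:00:05Z user=dave src=198.51.100.9 country=US result=failure
2020-06-15T09:00:09Z user=dave src=198.51.100.9 country=US result=failure
2020-06-15T09:00:14Z user=dave src=198.51.100.9 country=US result=failure
2020-06-15T09:00:20Z user=dave src=198.51.100.9 country=US result=success
"""


def parse(log: str):
    """Return parsed events in timestamp order; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(log: str) -> Dict[str, Set[str]]:
    """Return {user: set of rule names} for every user that tripped a rule."""
    alerts: Dict[str, Set[str]] = defaultdict(set)
    recent_failures = defaultdict(deque)   # user -> failure timestamps in the window
    for ev in parse(log):
        user, ts = ev["user"], ev["ts"]
        failures = recent_failures[user]
        while failures and ts - failures[0] > FAILURE_WINDOW:
            failures.popleft()             # drop failures older than the window
        if ev["result"] == "failure":
            failures.append(ts)
            if len(failures) >= FAILURE_THRESHOLD:
                alerts[user].add("failure_burst")
            continue
        # From here on the event is a successful login.
        if ev["country"] not in ALLOWED_COUNTRIES:
            alerts[user].add("foreign_login")
        if ts.hour not in BUSINESS_HOURS:
            alerts[user].add("off_hours_login")
        if len(failures) >= FAILURE_THRESHOLD:
            alerts[user].add("success_after_failure_burst")
        failures.clear()
    return dict(alerts)


if __name__ == "__main__":
    for user, rules in sorted(detect(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(sorted(rules))}")
```

On the sample data carol trips the foreign and off-hours rules and dave trips the burst rules, while alice and bob produce nothing. The thresholds are deliberately exposed as constants: the article's point about rebaselining applies here too, and a window tuned for office-hours traffic will need revisiting once the mix of home and office logins changes.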

Network Access Control (NAC) solutions add to your remote access security program by controlling user and device access to the corporate infrastructure. The case for NAC deployment is stronger in an environment where employees are switching between office and home locations and BYOD and IoT devices are being connected to the network. Examples of NAC vendors are Forescout, HPE-Aruba, and Portnox.

To further leverage your NAC investments, ask your SOC or MDR Service provider to build correlation rules with endpoint security software, and then automate the containment of infected devices on your network.

Assess COVID’s Impact on Scoping New and Upcoming Projects

Many information security teams planned to build out new capabilities or implement new security controls this year. Underlying these plans were assumptions on the cost and resources required for these projects.

The COVID pandemic should cause planners to look carefully at their assumptions. For example, projects to deploy new SIEM (Security Information and Event Management) software or to centralize log management need to be scoped with more than a snapshot of current traffic. With people out of the office and certain on-premises systems and controls operating at low usage, the amount of storage required (usually measured in gigabytes per day or events per second) might be artificially low compared to when the office reopens.

Estimating staffing levels for security operations during COVID has similar challenges. For many organizations, the number of security alerts processed by the security operations team is directly correlated with user activity. Users click on suspicious links, access suspicious websites, attempt to install suspicious software and perform other activities that result in work for security analysts to investigate. As a result of COVID, many organizations were forced to furlough workers. Additionally, remote users may not be going through certain on-premises controls such as web filters and firewalls. As a result, the alerts the security operations team is processing might be artificially low compared to activity levels when offices reopen.

To combat the risk of under-scoping resources for these projects, assess activity levels for pre-COVID periods, such as January and February of 2020. Businesses are being affected by COVID in different ways and management teams are rethinking their go-forward operational models. We suggest getting a range of inputs to properly scope the requirements for new security products and services.

Accelerate Transition to the Cloud

Workloads were increasingly being migrated to the cloud before COVID. Post-COVID, the adoption of cloud computing will likely speed up as companies deal with uncertainty and value the ability to flexibly scale up and down capacity. Businesses are also reviewing their reliance on physical data centers because of safety concerns related to site visits during the COVID pandemic.

When formulating a cloud security strategy, IT leadership will need to trade off risks against the benefit of increased agility. According to Gartner’s predictions around the cloud, through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data and 99% of cloud security failures will be the customer’s fault.

In the “2019 Data Breach Investigations Report” (DBIR), errors were found to be one of the top causes of data breaches. Errors that have resulted in misconfigurations of cloud infrastructures are increasingly cited as the cause of the loss of sensitive data. Examples of such misconfigurations include:

  • Data encryption not turned on
  • Access to resources not provisioned using IAM roles
  • VPC Flow logs being disabled
  • Publicly exposed cloud resources
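One way to turn the four misconfigurations above into a repeatable check is to audit an inventory of cloud resources against them and show each weak setting beside its corrected form. The following is an added example written for this article, not code from Proficio or from any cloud provider; the inventory format, field names and the `harden()` helper are assumptions, and the sample resources are constructed.

```python
"""Added example: audit a constructed cloud inventory for the four
misconfigurations listed above. The Resource fields are an assumed
normalized view of provider data, not a real provider API."""
from dataclasses import dataclass, replace
from typing import List


@dataclass
class Resource:
    name: str
    kind: str                         # "bucket", "database", "vm", "vpc", ...
    encrypted: bool = False           # data-at-rest encryption turned on
    access_via_iam_role: bool = False  # access granted through a role, not static keys
    flow_logs: bool = False           # only meaningful for kind == "vpc"
    public: bool = False              # reachable from the internet


DATA_STORES = {"bucket", "database", "disk"}   # assumed kinds that hold data
COMPUTE = {"vm", "function"}                  # assumed kinds that hold credentials


def audit(resources: List[Resource]) -> List[str]:
    """Return one finding string per misconfiguration found."""
    findings = []
    for r in resources:
        if r.kind in DATA_STORES and not r.encrypted:
            findings.append(f"{r.name}: data encryption not turned on")
        if r.kind in COMPUTE and not r.access_via_iam_role:
            findings.append(f"{r.name}: access not provisioned using an IAM role")
        if r.kind == "vpc" and not r.flow_logs:
            findings.append(f"{r.name}: VPC flow logs are disabled")
        if r.kind != "vpc" and r.public:
            findings.append(f"{r.name}: resource is publicly exposed")
    return findings


def harden(r: Resource) -> Resource:
    """The corrected setting beside each weak one: encryption on, role-based
    access, flow logs enabled, no public exposure."""
    return replace(r, encrypted=True, access_via_iam_role=True,
                   flow_logs=True, public=False)


def example_inventory() -> List[Resource]:
    """Constructed sample inventory (not a real environment)."""
    return [
        Resource("customer-data", "bucket", encrypted=False, public=True),
        Resource("prod-vpc", "vpc", flow_logs=False),
        Resource("web-01", "vm", access_via_iam_role=False, public=False),
    ]


if __name__ == "__main__":
    weak = example_inventory()
    for finding in audit(weak):
        print("FINDING:", finding)
    print("after hardening:", audit([harden(r) for r in weak]) or "no findings")
```

Run as a script it lists four findings for the constructed inventory and none after `harden()` is applied; in practice the inventory would be populated from the provider's own configuration export and the checks extended to the controls your policy requires.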

In the case of Capital One, 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and an undisclosed amount of customers’ personal information were disclosed due to a misconfigured web application firewall.

The first steps to minimizing misconfigurations in the cloud are training your security teams to understand cloud infrastructure and documenting and auditing processes. Next, use cloud-native security tools that allow you to monitor your networks for suspicious activity such as a malicious actor abusing a set of compromised credentials, moving laterally across the cloud environment, or attempting to exfiltrate information. For many organizations, it is more practical to outsource the responsibility of configuring and monitoring cloud infrastructures to outside experts or a Managed Security Service Provider (MSSP).

Conventional wisdom has been that users of cloud computing must realize their responsibility for security and not overly rely upon providers who are primarily concerned with securing their platform vs everything their customers build and store within it. While cloud providers have considerably improved their security, data and applications hosted in a cloud infrastructure require the same security programs used for on-premise networks. In this shared responsibility model, event logs must be collected, analyzed and monitored; traffic in and out of virtual networks must be inspected and protected by virtual NGFWs and WAFs; and hosts must be scanned for vulnerabilities.

Today, the three cloud providers that dominate the market are AWS, Azure, and Google. As an enterprise grows its cloud infrastructure, it is likely to consider a multicloud approach. The idea is that using more than one vendor reduces dependency and provides the user with more leverage. For organizations that are selecting an MSSP to monitor their cloud infrastructure, check whether your prospective provider can support the top three players in case your organization decides to follow a multicloud strategy.

Post-COVID Threat Landscape

Cybersecurity teams should always be anticipating new threats and new threat actors and be prepared to detect and respond to damaging attacks.

We recommend reminding your employees that phishing attack campaigns continue to be a successful tool for attackers, attempting to entice email recipients to click on embedded links to download malicious programs or launch nefarious websites. The crafting of these phishing emails will prey on anxieties regarding the spread and impact of the COVID-19 pandemic. Attackers are fully aware of the social status of this worldwide pandemic and they will craft emails with the intent of eliciting an emotional response.

Attackers are seeking to harvest verified credentials. If an employee does click on a malicious link but closes the web browser before any download can begin, the attacker still has confirmation that the email account is legitimate. This will result in more targeted phishing emails. Credential gathering and phishing emails are ongoing security challenges for organizations trying to maintain their security posture. To get ahead of this threat, organizations might consider an organization-wide password reset as well as using multi-factor authentication.

While the themes used in cyberattacks are changing, it does not appear that the actors behind these attacks or the attack vectors have changed. Enterprises must maintain heightened vigilance for malware, ransomware, and phishing attacks, but that is not new. Endpoint security tools must be fit for purpose and kept updated. Implementing security tools is only half the battle, they need to be correctly configured, monitored, and their alerts investigated. Where internal teams lack the expertise or time for these functions, a managed endpoint detection and response service provider can fill the gap. Finally, the need for employee security awareness and training can never be overstated.

Increased Risk of Insider Threats

Unfortunately, many organizations are being forced to furlough or lay off employees as a result of the impact of COVID on their business. Disgruntled employees are more likely to steal data or credentials to retaliate against perceived grievances. According to research from Gartner, “seeking harm and revenge on employers is a bigger incentive for insider threats than is stealing money.”

Passwords are the first line of defense against insider threats. Organizations must immediately change passwords, close accounts, and remove access to shared resources when an employee leaves. Your company will be liable for the confidentiality of your partners’ information, so it is equally important to inform third parties and vendors that may have provided the employee with access. This risk is enhanced where your company has signed a covered entity or business associate agreement.

Ensure departing employees have up to date paperwork protecting confidentiality and inventions, return corporate devices, and do not have company data on personal devices.

Depending on your organization’s security controls and collection of event logs, user activity can be an indicator of insider behavior. Examples of logs that can be monitored and investigated for anomalous behavior or used for correlation rules include:

  • Detect the first time a USB drive is plugged in
  • Detect data exfiltration by monitoring DNS activity for total bytes transferred
  • Detect unauthorized access attempts to sensitive systems
  • Detect activity from expired user accounts
  • Detect credential sharing for your privileged accounts by correlating account logins from disparate locations
  • Detect download events from SaaS applications for indicators of data exfiltration
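Several of the rules in the list above can be expressed as simple stateful correlations over a normalized event stream. The following is an added example written for this article, not Proficio's own detection content; the JSON-lines log format, field names, privileged account list, thresholds and correlation window are all assumptions, and the log lines are constructed. It implements the first-time USB insertion, expired-account activity, DNS byte volume, and disparate-location privileged login rules.

```python
"""Added example: insider-threat correlation rules from the list above, run
over constructed log lines. Field names and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"svc_backup", "dba_admin"}   # assumed privileged accounts
DNS_BYTES_LIMIT = 5_000_000                 # assumed per-user DNS byte threshold
GEO_WINDOW = timedelta(hours=1)             # assumed window for disparate logins

# Constructed sample events (not real telemetry).
SAMPLE_LOGS = """
{"ts": "2020-06-01T08:00:00", "user": "alice", "event": "logon", "geo": "US", "status": "active"}
{"ts": "2020-06-01T08:05:00", "user": "alice", "event": "usb_insert", "device": "LAPTOP-01", "status": "active"}
{"ts": "2020-06-01T08:10:00", "user": "alice", "event": "usb_insert", "device": "LAPTOP-01", "status": "active"}
{"ts": "2020-06-01T09:00:00", "user": "bob", "event": "logon", "geo": "US", "status": "expired"}
{"ts": "2020-06-01T09:30:00", "user": "dba_admin", "event": "logon", "geo": "US", "status": "active"}
{"ts": "2020-06-01T09:45:00", "user": "dba_admin", "event": "logon", "geo": "BR", "status": "active"}
{"ts": "2020-06-01T10:00:00", "user": "carol", "event": "dns", "bytes": 3000000, "status": "active"}
{"ts": "2020-06-01T10:20:00", "user": "carol", "event": "dns", "bytes": 2500000, "status": "active"}
""".strip()


def parse(lines):
    """Yield events in time order with the timestamp converted to datetime."""
    for line in lines.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def detect(lines):
    """Return a list of (rule, user, detail) alerts for the given log lines."""
    alerts = []
    seen_usb = set()                # (user, device) pairs already observed
    dns_bytes = defaultdict(int)    # running DNS byte total per user
    dns_alerted = set()             # users already alerted on DNS volume
    last_logon = {}                 # privileged user -> (ts, geo) of last logon
    for ev in parse(lines):
        user, kind = ev["user"], ev["event"]
        # Rule: any activity from an expired account
        if ev.get("status") == "expired":
            alerts.append(("expired_account_activity", user, kind))
        # Rule: first time a USB drive is plugged in by this user on this device
        if kind == "usb_insert":
            key = (user, ev["device"])
            if key not in seen_usb:
                seen_usb.add(key)
                alerts.append(("first_usb_insert", user, ev["device"]))
        # Rule: DNS traffic volume per user exceeding the threshold (alert once)
        if kind == "dns":
            dns_bytes[user] += ev["bytes"]
            if dns_bytes[user] > DNS_BYTES_LIMIT and user not in dns_alerted:
                dns_alerted.add(user)
                alerts.append(("dns_volume_exceeded", user, dns_bytes[user]))
        # Rule: privileged account logons from different locations within the window
        if kind == "logon" and user in PRIVILEGED:
            prev = last_logon.get(user)
            if prev and prev[1] != ev["geo"] and ev["ts"] - prev[0] <= GEO_WINDOW:
                alerts.append(("disparate_location_logon", user,
                               f"{prev[1]}->{ev['geo']}"))
            last_logon[user] = (ev["ts"], ev["geo"])
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOGS):
        print(f"{rule:28} user={user:10} detail={detail}")
```

On the constructed sample the function returns four alerts, one per rule; the second USB insertion on the same device and the first DNS event below the threshold produce none. The same structure carries over to a SIEM correlation rule, where the per-user state would live in the platform's lookup or aggregation primitives rather than in Python dictionaries.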

Be Prepared for the Short Term and Long Term

No one knows with certainty what the new normal will be for the business. Questions like when workers will return to their physical offices, what percentage of the workforce will return to physical offices, and whether businesses will move certain functions to permanent remote roles are all hard to predict.

In the short term, we can expect issues with technology and existing information security procedures. For example, furloughed employees may not have their access properly shut off, their phones may still be configured to check email, their accounts might still be enabled for certain systems, or they may still have access to certain physical assets. As a result, Windows accounts will expire without password updates, causing spikes in failed authentications on an organization’s domain.

Over the long term, information security programs should be evaluated based on their ability to provide visibility to threats and their efficiency in meeting operational requirements.

Expect gaps in visibility for organizations switching to a work from home model without an architecture setup to route internet traffic from work machines through a web filter product. Employees can access phishing sites, competitor websites, or use their machines for non-work-related activity because the organization does not have visibility into this layer of network traffic or the ability to log network and endpoint telemetry to a central location.

Businesses that are not experienced with remote workers will need to create new processes to ensure their employees can work efficiently. For example, if a machine is suspected to be compromised, how will the organization perform remote forensics if they do not have a detailed cloud-based EDR product logging significant endpoint telemetry? Additionally, if the employee’s machine is compromised, do you stop that employee from working and ship a replacement laptop to the employee? As a result, the employee can do nothing while the new machine is being delivered. For some businesses, this is nothing new, but for others these changes will require some level of effort to smooth over.

Get Ahead of Upcoming Audit Inquiries

Part of reopening is preparing to meet compliance standards and undergo security audits.

Security audits have become a common feature of almost every industry. Preparation and planning reduce the disruption of an audit and increase the likelihood of a successful result. Companies that take a checkbox approach to meeting compliance standards can fail to adequately assess the cybersecurity risks to their organization.

Preparing for an audit should start with a review of the latest changes to compliance standards. Risk and security teams should compile and update key documents that describe the organization’s security policies. These should include a list of technical controls and safeguards, password and user account policies, configuration management, patching, incident response plan, and backup and disaster recovery.


The COVID pandemic is placing enormous stress on individuals and organizations. Those responsible for enterprise security operations and risk management are being challenged to respond to more change and uncertainty than ever before.

In this environment, it is key that IT leadership aligns its operational objectives with the organization’s strategic goals. IT teams must be agile and deliver value while ensuring the integrity of day-to-day operations. At Proficio, we address these same challenges through partnering with our clients, empowering our team of security experts, and creating innovative solutions to real world problems.

Bryan Borra, Director of Security Engineering, Proficio
Paul Fletcher, Security Advisor, Proficio 

Not All Partnerships are Equal

As Henry Ford once said, “Coming together is the beginning. Keeping together is progress. Working together is success.” While many people have an understanding of how partnerships work in their day-to-day lives, defining a true partnership in a business relationship can be more challenging. In the field of cybersecurity, finding a “true partner” means you share the risk and both strive to improve your security posture.

A True Partner

A true partnership works best when both groups share the risk, agree on the end goals, have open lines of communication and build their relationship on mutual trust and respect. Companies that embrace such partnering behaviors believe in creating mutually beneficial relationships that bring value to both parties.

Partnerships come in many shapes and sizes. There can be partnerships between vendors, where they provide complementary products or services that are further enhanced by working together. There can also be strategic relationships developed between provider and client, where they view the relationship as more than just a business transaction.

Your partners should also be building strong relationships within the technology sector. Knowing that they not only use best-in-class technologies but that they have good working relationships with those vendors means that you can maximize your technology investments. A good partner should not only be able to help you to optimize the technologies you already have in place, but also make recommendations for policy and infrastructure to ensure you reduce your risk and meet any compliance requirements.

Finding Your Partner

When you are on a team, you have certain expectations of your teammates and hope you can rely on them in critical situations. However, a lot of organizations do not have the in-house resources to staff an effective cybersecurity operation. Understanding the economics and potential cost savings of using a managed service provider is an important part of any decision to outsource security operations.

In cybersecurity, you should look for partners who act as an extension of your team. They do not just care about selling you their latest tool or services – they sincerely care about the security and safety of your company. They should have a programmatic view on cybersecurity and take your concerns seriously. Equally important is the culture of the organization with whom you choose to partner. Do they share similar values, and can you trust that they will view your security as important as you do?

Throughout the relationship, a partner should have the skills and resources to respond to security incidents and help guide your overall cybersecurity journey. And while relationships in cybersecurity may not last forever, the need for true cybersecurity partners will never change. The current environment of COVID-19 only reminds us how businesses can be disrupted when they least expected it. And with the shortage of skilled cybersecurity professionals, choosing your partners has never been more critical.

Narrowing The Search

Once you decide what you’re looking for, how do you find someone who checks all the boxes? Many may sell you on ideals but it’s crucial they also follow through with what they sell. When looking for the right partner for your cybersecurity needs, you should ask critical questions to make sure you’re making an educated choice.

Things to look for include:

  • How do their SLAs compare to other vendors?
  • Do they provide transparency and trackable metrics?
  • Do you receive insight into your cyber risk and recommendations for improvement?
  • Will they create custom content?
  • What is their long-term focus?
  • Are they industry recognized?
  • How available is their team?
  • Do you have similar preferred methods of communication?
  • Can you visualize the value they would bring to your team?

Selecting a partner who shares the risk will give you confidence that you are building a more secure organization. As your partner helps you mature your cybersecurity program, you should see a measurable change throughout the partnership and be able to track metrics over time.

Once you’ve found the right partner, you will be enabled for success not only tomorrow but for the long-term future.

So – what do your current partnerships look like?