
Cybersecurity in a Work from Anywhere (WFX) Environment

In 2020, thanks in large part to the COVID-19 virus, the work environment in Europe has shifted, with remote working leading the way. This presents many challenges for IT and security teams, as they now must deal with an increase in cyberattacks in a less secure environment.

As the UK and other European countries enter a second lockdown period in an attempt to contain the virus, more and more organisations are announcing that not only will employees continue working from home into 2021… it may be permanent. So how can cybersecurity teams adjust to this “new normal”?

Working from Everywhere (WFX)

According to a report from Interpol, cyberattacks are at their highest levels in three years as a result of COVID-19. In turn, the number of data breaches has almost doubled, with 3950 confirmed breaches so far in 2020 against 2103 recorded breaches in 2019. Attackers are also getting more creative in their methods, with attack types ranging from man-in-the-middle attacks to network spoofing and packet sniffing of unencrypted traffic.


In the light of the global pandemic, many predict that working from home (WFH) will become working from anywhere (WFX), with a massive upturn in digital transformation as a result. As organisations announce that home working will be permanent, even when the COVID-19 virus is under control, it is predicted that millions of employees will turn this change into the chance to work from anywhere, perhaps relocating to the countryside or closer to relatives to make up for lost time during the pandemic.

So now, teams across Europe and the globe must take on the challenging task of securing staff who work from anywhere. This brings a host of new concerns. Notably, home networks are less secure than corporate offices, and users with spotty WiFi connections may migrate to even less secure public WiFi options. The absence of the advanced intrusion prevention tools available in office environments risks leaving more gaps for cyber attackers to gain access and steal confidential information. Frequently sending data between the office and home, or between two home networks, leaves more opportunities for cybercriminals to catch data in transit if communication is not properly secured.

The increased volume of cyberattacks that we are now seeing, combined with the shift to WFX, is forcing European organizations to revisit their strategies. Technology needs to be able to keep up with these changes and the focus of IT teams should be shifting to ensure their cybersecurity is a priority. And with the average cost of a data breach standing at £2.9 million, organisations know that a security incident will be expensive in addition to the cost of damaging their reputation.

Setting Security Teams up for Success

While most organisations realize the importance of having a strong cybersecurity posture, many find it difficult to assemble and integrate the right components when it comes to building an in-house security team and having 24/7 monitoring and protection. The resources and staff needed to successfully run an in-house operation require a significant investment of time and money. Even if they can afford to build a team in-house, many struggle to find and retain the right calibre of candidates when trying to hire experienced analysts, content developers and engineers.

While security programmes may differ in organisations, often their underlying security needs are the same, especially when it comes to securing their WFX teams. That is why many in Europe are turning to outsourced security services as a more cost-effective way to stay secure.

Benefits of Outsourcing your Cybersecurity Needs

If you’re considering outsourcing some or all of your cybersecurity needs, the best way to start is to identify what your team can do most effectively in-house. Then, look to fill the gaps by finding a partner to complement your skillset. You still need a team in place to handle certain tasks, ideally one who also knows what partners to look for and how to maximize the relationship. Outsourcing your cybersecurity needs helps to free up your team and alleviates a large portion of the hiring burden. It also enables you to have shared liability and gives you 24/7 protection without building an in-house Security Operations Centre (SOC).

The trend of outsourcing cybersecurity services in Europe has been growing faster than has been seen in many years. In addition to addressing new challenges, IT teams are faced with shrinking budgets. Many European organisations are now considering outsourcing some or all of their security needs as the key to getting more done with less.

There are many benefits of partnering with an external security company, in addition to taking advantage of their 24/7 services and staff (although that piece is critical for most!). Here are some reasons organisations across Europe are choosing to partner with an external organisation for their cybersecurity:

  • 24/7 Protection

Cybercrime is not a 9-5 problem, so you need more than a 9-5 solution. With hackers and cybercriminals striking at any time, networks need to be monitored around the clock. This is especially critical if employees will not be returning to a normal office environment. Having a successful 24/7 operation in-house requires a staff of 12 or more. And with the shortage of trained cybersecurity professionals, even if you are able to find people with the right skills, the cost to hire and retain those experts does not come cheap.

Utilizing a Managed Security Services Provider (MSSP) or similar cybersecurity partner means you’ll have a team of experts available whenever you need them. You won’t have to worry about staffing the graveyard shift or holidays to make sure you’ve got someone monitoring your networks, and their team is ready to respond quickly to any potential threats.

  • Free Up Time

Many IT departments often get bogged down with mundane and manual work, spending more time fixing issues rather than implementing strategic projects. When outsourcing to an MSSP, you gain instant access to a team of expert cybersecurity professionals.

Managed security services are valued by organisations that wish to refresh their security stack but lack the in-house expertise to maximize the value of new tools. Also, many organizations find that tasks like reconfiguring firewalls need to be completed outside of business hours but lack the staff to operate 24/7.

  • Improve your Security Posture

Partnering with a managed cybersecurity provider will help you improve your security posture. They should have a library of threat detection use cases already built and optimized, so you instantly get access to relevant content. Paired with a streamlined on-boarding process, this allows you to quickly start receiving actionable alerts and reduce false positives that cause alert fatigue.

In addition, MSSPs offer a wealth of security knowledge and can offer guidance on best practices to help you ensure you’re getting the most value from the security tools you have in place. Some advanced providers have tools available that can help you uncover gaps in your security posture and provide recommendations to help fill in any gaps. Ask your provider to combine this data into a cyber risk score and compare your score to other similar organisations.

  • Automate Response

Automated response and containment is a critical capability to protect organisations from attacks that could lead to damaging security breaches. Despite their best efforts, cyber defenders may miss indicators of attack or take too long to remediate problems. Leading Managed Detection and Response (MDR) service providers can leverage their client’s existing perimeter and endpoint products to automatically block IP traffic and isolate endpoints, containing a threat quickly enough to stop an attack before it causes damage.

  • Save on Costs

Many security providers are now offering services in the cloud. If you opt for this, it can present substantial cost savings over building your own facilities. For example, a SOC-as-a-Service gives you access to a powerful SIEM without investing in your own. This not only saves on hardware, but also means you don’t have to look for (and retain) in-house staff to manage the technology. Partnering lets you better protect your business without the prohibitive upfront purchasing, maintenance, storage, staffing and other costs.

Securing the WFX in 2021 and Beyond

The rapid pace of change and the increasingly complex cybersecurity environment are leading security teams to evolve and adapt, making outsourcing a smart option for many European organisations.

While there are many creative options for stretching your security budget, partnering with an MDR service provider should be near the top of your list. If you’re looking for a partner who can help you meet your cybersecurity goals, please feel free to contact us.

Reopening Safely – Cybersecurity Recommendations for Organizations Returning to the Office

According to the consulting firm, McKinsey, organizations will need to navigate through the stages of Resolve, Resilience, Return, Reimagination, and Reform during the COVID-19 pandemic. Many organizations are now in the Return stage as they ask their employees to come back to their business locations.

The challenge for IT organizations is how to manage the transition through these stages as securely and effectively as possible. It is not as simple as flipping a switch, where business operations return back to the way they were before COVID. Successfully reopening will require advanced planning, locking down networks, and avoiding human errors often caused by a rushed implementation.

Industry experts expect COVID to accelerate digital transformation. From the supply chain, through manufacturing and on to customer engagement, businesses need solutions that are more adaptable, agile, and digitally enabled. For example, the digital transformation of the supply chain includes digitally connecting buyers with a network of partners, uploading design data, getting instant pricing, and performing design for manufacturing on the fly.

Digital transformation will require businesses to rearchitect their networks and applications, creating new cybersecurity challenges.

Protect Your Networks

Sales of notebooks rose dramatically in March and April of 2020 as office workers transitioned to teleworking. Whether permanently or following a staggered work schedule, many of these workers will be trading in these notebooks for their old desktop computers as they return to their traditional place of work. IT teams should proactively secure desktop PCs by applying security patches, updating endpoint security, and adjusting thresholds for desktop logs.

Unpatched vulnerabilities are a significant cause of avoidable data breaches. Patch management for Microsoft products alone is a major undertaking. On the second Tuesday of each month, known as Patch Tuesday, Microsoft releases security-related updates for Windows, Office, and related products. Microsoft issued 339 security patches in March, April, and May of 2020. When reviewing vulnerabilities, teams responsible for patching should not only assess the criticality of the vulnerability but also consider its exploitability. For example, Microsoft classifies CVE-2020-1054 as “Important” with a rating of “Exploitation More Likely”. According to Microsoft, an attacker that exploited this Win32k Elevation of Privilege Vulnerability could run arbitrary code in kernel mode, and then install programs; view, change, or delete data; or create new accounts with full user rights.

Risk-Based Vulnerability Management (RBVM) tools help address the trade-off between criticality and exploitability. Asset discovery, continuous vulnerability scanning, risk indexing, and patch management are components of RBVM solutions. RBVM Managed Services take this a step further by offering experts that provide lifecycle vulnerability management services and make patching recommendations that factor in compensating controls, deployment challenges, and business continuity.

Review Remote Access Solutions and Policies

Chances are that your IT team has already had a trial-by-fire experience setting up remote access for a large number of employees as their organizations adopted a work-from-home policy. Now is a good time to re-evaluate your VPN capacity as the pendulum swings the other way.

Your approach to working from home will significantly affect your required VPN capacity. Some organizations are embracing teleworking on a long-term basis, while others see this as a temporary solution until there is a COVID-19 vaccine. Use a network performance monitoring tool to analyze usage of your VPN. If you do not have one, many good tools are available on a free trial basis. For example, products like PRTG can be used to monitor multiple VPN parameters including traffic, users, and applications.

PRTG VPN Monitoring

Through the process of rebaselining your capacity needs, you will determine if your existing VPN hardware and licensing are sufficient for your expected requirements. This is also a good time to consider rearchitecting your approach to remote access. Strategies include moving data and applications to the cloud and using products like Citrix Access Control. Moving away from traditional VPNs will likely add flexibility and scalability to your users and mission-critical applications. However, these benefits come at a price and often have longer implementation timelines than expected.

In addition to reviewing operational aspects of your VPN infrastructure, a reopening plan should revisit the policies that secure VPNs, including password policies, 2FA, and software updates. SOC teams or managed service providers should constantly monitor VPN activity for anomalous behavior. Easy-to-use dashboards should provide visibility into VPN user activity, geographic locations, and variations from expected thresholds. Having a better understanding of your VPN traffic and trends will increase your security posture by streamlining the level of effort required to properly analyze alerts. Event notifications will drive security analyst investigations and remediation steps.

Questions to consider:

  • How many employees are just doing what works and bypassing security controls to get things done?
  • Is it normal for your organization to have successful remote VPN logins from resources outside the country?
  • Did your organization need to “relax” any security or compliance policies to enable employees to use RTP (Real-time Transport Protocol), used in live video streaming services like Zoom, WebEx or others?
  • How many different RTP applications are running on these hosts and are they configured to meet your organization’s security and compliance strategy?

Network Access Control (NAC) solutions add to your remote access security program by controlling user and device access to the corporate infrastructure. The case for NAC deployment is stronger in an environment where employees are switching between office and home locations and BYOD and IoT devices are being connected to the network. Examples of NAC vendors are Forescout, HPE-Aruba, and Portnox.

To further leverage your NAC investments, ask your SOC or MDR Service provider to build correlation rules with endpoint security software, and then automate the containment of infected devices on your network.

Assess COVID’s Impact on Scoping New and Upcoming Projects

Many information security teams planned to build out new capabilities or implement new security controls this year. Underlying these plans were assumptions on the cost and resources required for these projects.

The COVID pandemic should cause planners to look carefully at their assumptions. For example, projects to deploy new SIEM (Security Information and Event Management) software or to centralize log management need to be scoped with more than a snapshot of current traffic. With people out of the office and certain on-premise systems and controls operating at low usage, the amount of storage required (usually measured in gigabytes per day or events per second) might be artificially low compared to when the office reopens.

Estimating staffing levels for security operations during COVID can have similar challenges. For many organizations, the number of security alerts processed by a security operations team is directly correlated with user activity. Users will click on suspicious links, access suspicious websites, attempt to install suspicious software and perform other activities that result in work for security analysts to investigate. As a result of COVID, many organizations were forced to furlough workers. Additionally, remote users may not be going through certain on-premise controls such as web filters and firewalls. As a result, the alerts the security operations team is processing might be artificially low compared to activity levels when offices reopen.

To combat the risk of under-scoping resources for these projects, assess activity levels for pre-COVID periods, such as January and February of 2020. Businesses are being affected by COVID in different ways, and management teams are rethinking their go-forward operational models. We suggest getting a range of inputs to properly scope the requirements for new security products and services.

Accelerate Transition to the Cloud

Workloads were increasingly being migrated to the cloud before COVID. Post-COVID, the adoption of cloud computing will likely speed up as companies deal with uncertainty and value the ability to flexibly scale up and down capacity. Businesses are also reviewing their reliance on physical data centers because of safety concerns related to site visits during the COVID pandemic.

When formulating a cloud security strategy, IT leadership will need to weigh the risks against the benefit of increased agility. According to Gartner’s predictions around the cloud, through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data and 99% of cloud security failures will be the customer’s fault.

In the “2019 Data Breach Investigations Report” (DBIR), errors were found to be one of the top causes of data breaches. Errors that have resulted in misconfigurations of cloud infrastructures are increasingly cited as the cause of the loss of sensitive data. Examples of such misconfigurations include:

  • Data encryption not turned on
  • Access to resources not provisioned using IAM roles
  • VPC Flow logs being disabled
  • Publicly exposed cloud resources

In the case of Capital One, 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and an undisclosed number of customers’ personal information was disclosed due to a misconfigured web application firewall.

The first steps to minimizing misconfigurations in the cloud are training your security teams to understand cloud infrastructure and documenting and auditing processes. Next, use cloud-native security tools that allow you to monitor your networks for suspicious activity such as a malicious actor abusing a set of compromised credentials, moving laterally across the cloud environment, or attempting to exfiltrate information. For many organizations, it is more practical to outsource the responsibility of configuring and monitoring cloud infrastructures to outside experts or a Managed Security Service Provider (MSSP).

Conventional wisdom has been that users of cloud computing must realize their responsibility for security and not overly rely upon providers who are primarily concerned with securing their platform vs everything their customers build and store within it. While cloud providers have considerably improved their security, data and applications hosted in a cloud infrastructure require the same security programs used for on-premise networks. In this shared responsibility model, event logs must be collected, analyzed and monitored; traffic in and out of virtual networks must be inspected and protected by virtual NGFWs and WAFs; and hosts must be scanned for vulnerabilities.

Today, the three cloud providers that dominate the market are AWS, Azure, and Google. As an enterprise grows its cloud infrastructure, it is likely to consider a multicloud approach. The idea is that using more than one vendor reduces dependency and provides the user with more leverage. For organizations that are selecting an MSSP to monitor their cloud infrastructure, check whether your prospective provider can support the top three players in case your organization decides to follow a multicloud strategy.

Post-COVID Threat Landscape

Cybersecurity teams should always be anticipating new threats and new threat actors and be prepared to detect and respond to damaging attacks.

We recommend reminding your employees that phishing campaigns continue to be a successful tool for attackers, attempting to entice email recipients to click on embedded links that download malicious programs or open nefarious websites. The crafting of these phishing emails will prey on anxieties regarding the spread and impact of the COVID-19 pandemic. Attackers are fully aware of the social status of this worldwide pandemic and will craft emails with the intent of eliciting an emotional response.

Attackers are seeking to harvest verified credentials. If an employee does click on a malicious link but closes the web browser before any download can begin, the attacker still has confirmation that the email account is legitimate. This will result in more targeted phishing emails. Credential gathering and phishing emails are ongoing security challenges for organizations seeking to maintain their security posture. To get ahead of this threat, organizations might consider an organization-wide password reset as well as using multi-factor authentication.

While the themes used in cyberattacks are changing, it does not appear that the actors behind these attacks or the attack vectors have changed. Enterprises must maintain heightened vigilance for malware, ransomware, and phishing attacks, but that is not new. Endpoint security tools must be fit for purpose and kept updated. Implementing security tools is only half the battle; they need to be correctly configured, monitored, and their alerts investigated. Where internal teams lack the expertise or time for these functions, a managed endpoint detection and response service provider can fill the gap. Finally, the need for employee security awareness and training can never be overstated.

Increased Risk of Insider Threats

Unfortunately, many organizations are being forced to furlough or lay off employees as a result of the impact of COVID on their business. Disgruntled employees are more likely to steal data or credentials to retaliate against perceived grievances. According to research from Gartner, “seeking harm and revenge on employers is a bigger incentive for insider threats than is stealing money.”

Passwords are the first line of defense against insider threats. Organizations must immediately change passwords, close accounts, and remove access to shared resources when an employee leaves. Your company will be liable for the confidentiality of your partners’ information, so it is equally important to inform third parties and vendors that may have provided the employee with access. This risk is enhanced where your company has signed a covered entity or business associate agreement.

Ensure departing employees have up to date paperwork protecting confidentiality and inventions, return corporate devices, and do not have company data on personal devices.

Depending on your organization’s security controls and collection of event logs, user activity can be an indicator of insider behavior. Examples of detections that can be built from those logs, whether investigated as anomalous behavior or used in correlation rules, include:

  • Detect the first time a USB drive is plugged in
  • Detect data exfiltration by monitoring DNS activity for total bytes transferred
  • Detect unauthorized access attempts to sensitive systems
  • Detect activity from expired user accounts
  • Detect credential sharing for your privileged accounts by correlating account logins from disparate locations
  • Detect download events from SaaS applications like Salesforce.com for indicators of data exfiltration
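Three of the detections above, plus the earlier question about VPN logins from outside the country, can be expressed as simple rules over authentication events. The following is an added example, not Proficio's code: it assumes a constructed key=value log format and constructed sample events (no real data), and flags successful logins from expired accounts, successful logins from outside the expected country set, and privileged-account logins from two different countries inside a one-hour window (a credential-sharing indicator).

```python
"""Rule-based detection over VPN/domain authentication events.

Added example with constructed data; the log format, account lists and
thresholds are assumptions, not a particular vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation IP ranges, fictitious users).
SAMPLE_LOG = """\
2020-06-15T08:02:11Z svc=vpn user=jsmith src=203.0.113.5 country=GB result=success
2020-06-15T08:05:40Z svc=vpn user=contractor7 src=198.51.100.9 country=GB result=success
2020-06-15T08:10:02Z svc=vpn user=admin.ops src=203.0.113.77 country=GB result=success
2020-06-15T08:41:19Z svc=vpn user=admin.ops src=192.0.2.44 country=RO result=success
2020-06-15T09:00:00Z svc=vpn user=mlee src=192.0.2.10 country=US result=success
2020-06-15T09:03:15Z svc=vpn user=jsmith src=203.0.113.5 country=GB result=failure
"""

# Assumed context an analyst would maintain alongside the SIEM.
EXPECTED_COUNTRIES = {"GB"}          # where the workforce is expected to be
PRIVILEGED_ACCOUNTS = {"admin.ops"}  # accounts whose sharing must be caught
EXPIRED_ACCOUNTS = {"contractor7"}   # furloughed/departed per HR, maybe not yet disabled
SHARING_WINDOW = timedelta(hours=1)  # two countries inside this window is suspicious


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    parts = line.split()
    event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def analyze(lines, expected=EXPECTED_COUNTRIES, privileged=PRIVILEGED_ACCOUNTS,
            expired=EXPIRED_ACCOUNTS, window=SHARING_WINDOW):
    """Return (rule, user, detail) findings for the three rules described above."""
    findings = []
    successes = defaultdict(list)  # user -> [(ts, country, src)]
    for line in lines.strip().splitlines():
        ev = parse_event(line)
        if ev.get("result") != "success":
            continue  # failures belong to a separate failed-auth spike rule
        if ev["user"] in expired:
            findings.append(("expired_account_login", ev["user"], ev["src"]))
        if ev["country"] not in expected:
            findings.append(("login_outside_expected_country", ev["user"], ev["country"]))
        successes[ev["user"]].append((ev["ts"], ev["country"], ev["src"]))

    # Credential sharing: same privileged account, different countries, close in time.
    for user in privileged:
        history = sorted(successes.get(user, []))
        for i, (ts_a, country_a, _) in enumerate(history):
            for ts_b, country_b, _ in history[i + 1:]:
                if ts_b - ts_a > window:
                    break  # sorted by time, so later events are further apart
                if country_b != country_a:
                    findings.append(("privileged_credential_sharing", user,
                                     f"{country_a}->{country_b} within {window}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_LOG):
        print(f"{rule:32} {user:12} {detail}")
```

Each finding is a candidate alert for analyst triage, not proof of misuse; a travelling administrator produces the same pattern as a shared password, which is why the window and country set must be tuned to the organization.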

Be Prepared for the Short Term and Long Term

No one knows with certainty what the new normal will be for the business. Questions like when workers will return to their physical offices, what percentage of the workforce will return to physical offices, and whether businesses will move certain functions to permanent remote roles are all hard to predict.

In the short term, we can expect issues with technology and existing information security procedures. For example, furloughed employees may not have their access properly shut off, their phones may still be configured to check email, their accounts might still be enabled for certain systems, or they may still have access to certain physical assets. As a result, Windows accounts will expire without password updates, causing spikes in failed authentications on an organization’s domain.

Over the long term, information security programs should be evaluated based on their ability to provide visibility to threats and their efficiency in meeting operational requirements.

Expect gaps in visibility for organizations switching to a work-from-home model without an architecture set up to route internet traffic from work machines through a web filter product. Employees can access phishing sites, competitor websites, or use their machines for non-work-related activity because the organization does not have visibility into this layer of network traffic or the ability to log network and endpoint telemetry to a central location.

Businesses that are not experienced with remote workers will need to create new processes to ensure their employees can work efficiently. For example, if a machine is suspected to be compromised, how will the organization perform remote forensics if they do not have a detailed cloud-based EDR product logging significant endpoint telemetry? Additionally, if the employee’s machine is compromised, do you stop that employee from working and ship a replacement laptop to the employee? As a result, the employee can do nothing while the new machine is being delivered. For some businesses, this is nothing new, but for others these changes will require some level of effort to smooth over.

Get Ahead of Upcoming Audit Inquiries

Part of reopening is preparing to meet compliance standards and undergo security audits.

Security audits have become a common feature of almost every industry. Preparation and planning reduce the disruption of an audit and increase the likelihood of a successful result. Companies that take a checkbox approach to meeting compliance standards can fail to adequately assess the cybersecurity risks to their organization.

Preparing for an audit should start with a review of the latest changes to compliance standards. Risk and security teams should compile and update key documents that describe the organization’s security policies. These should include a list of technical controls and safeguards, password and user account policies, configuration management, patching, incident response plan, and backup and disaster recovery.

Conclusion

The COVID pandemic is placing enormous stress on individuals and organizations. Those responsible for enterprise security operations and risk management are being challenged to respond to more change and uncertainty than ever before.

In this environment, it is key that IT leadership aligns its operational objectives with the organization’s strategic goals. IT teams must be agile and deliver value while ensuring the integrity of day-to-day operations. At Proficio, we address these same challenges through partnering with our clients, empowering our team of security experts, and creating innovative solutions to real world problems.

By:
Bryan Borra, Director of Security Engineering, Proficio
Paul Fletcher, Security Advisor, Proficio

Preparing for Tomorrow: Cybersecurity in a Remote World

This article originally appeared in InfoSecurity Magazine

The world is adjusting to a new reality. While working from home may be the norm for many tech companies, organizations of all shapes and sizes are now faced with the unique challenges that come from remote employees, trying to navigate how to secure their networks in an uncertain world.

Today, they are concerned with keeping the employees – and company – safe and connected, but as the days become weeks, and weeks are certain to become months, they also have to start considering their future plans.

A lot of people are wondering what their jobs will look like after the dust of COVID-19 settles, and it’s a good question. A friend recently mentioned…
