With a solid month or more of remote working under their belts, organizations continue working diligently to keep their workforces safe and productive during these unprecedented times. We have seen standard monitoring and detection processes adjusted to account for the “new normal” and, in this blog post, we discuss some of the many ways organizations can safely make the adjustment.
What We’ve Learned:
- With each passing week, it is becoming increasingly important for organizations to modify the way they monitor and detect malicious or unauthorized activity.
- Organizations need to be able to identify and mitigate ever-changing threats and risks in a more effective and timely manner.
- Leveraging both user and entity-based analytics will assist in the identification and detection of potentially malicious activity. Adjusting the baselines to account for the “new normal” is important because work locations, the accessibility of corporate data and user behaviors have all changed.
- Ensuring that endpoint detection capabilities are operational and effective safeguards users from potential unwanted behaviors by bad actors.
While businesses have quickly adapted the way they operate, one area we have found is prone to being overlooked is detection. As the world has changed significantly as a result of COVID-19, malicious attackers have increased their volume and modified their methods of attack. Breaches and compromises are on the rise and a major concern for many organizations. This means organizations need to adjust the way they monitor and protect their mobile workforce from malicious attack.
Establish New Analytical Baselines for Users and Systems
Since the introduction of User Behavior Analytics (UBA) and, later, User and Entity Behavior Analytics (UEBA), Security Information and Event Management (SIEM) providers have treated behavioral baselining as a form of event detection for identifying activity that falls “outside of the norm”. While it is commonplace today for Security Operations Centers (SOCs) to use UBA/UEBA in their day-to-day detection practices, some adjustments should be made to aid in the detection of malicious activity in the new workplace. UBA/UEBA works from a baseline of normal user and entity activity; deviations from that baseline are what surface unauthorized and potentially malicious activity. With employees working from remote locations, the baseline learned in the office is no longer valid: what a user or system does from home differs markedly from what it did inside the workplace, so a stale baseline produces both a flood of false positives and missed detections. Some examples of activity changes are listed below and should be considered:
- The location from which the user is connecting
- Ways in which users access their email, enterprise wide applications and shared documents
- Personal activity taking place on company-owned systems and applications
- Hours at which a user accesses the network
- The manner in which data is exchanged through and outside of the organization
- Individuals with whom information is being shared, both inside and outside the organization
Adjusting the baseline to account for and monitor these actions is critical and drastically aids the SOC in detecting and responding to malicious and unauthorized activity.
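The baseline adjustment described above, as an added example (this is not code from the original post and not any vendor's UEBA product): a minimal per-user login profile (source country, source ASN, login hours) is learned from one window of VPN/SSO authentication events and used to score later events. Scoring remote-work logins against the office-period baseline flags every one of them; re-learning the baseline over a remote-work window leaves only the genuinely unusual login. The log lines, user names, countries, ASNs and the two-hour tolerance are all constructed for illustration.

```python
"""Added example: re-learning a UEBA-style login baseline for remote work.

Not code from the original post or any UEBA product. All log lines, users,
countries, ASNs and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed VPN/SSO authentication events, one per line:
# timestamp user source-country source-ASN result
OFFICE_PERIOD = """\
2020-02-10T08:55:00 alice US AS64500 success
2020-02-11T09:02:00 alice US AS64500 success
2020-02-12T08:47:00 alice US AS64500 success
2020-02-10T07:58:00 bob US AS64500 success
2020-02-11T08:10:00 bob US AS64500 success
"""

# The same users after the move to remote work: home ISPs, wider hours.
REMOTE_LEARNING = """\
2020-03-23T07:20:00 alice US AS64510 success
2020-03-24T21:30:00 alice US AS64510 success
2020-03-25T06:50:00 alice US AS64510 success
2020-03-23T10:05:00 bob US AS64520 success
2020-03-24T19:40:00 bob US AS64520 success
"""

# Events to score: two ordinary remote logins and one that should stand out.
TO_SCORE = """\
2020-04-06T08:15:00 alice US AS64510 success
2020-04-06T09:30:00 bob US AS64520 success
2020-04-07T03:12:00 alice RO AS64999 success
"""


def parse(log):
    """Turn the whitespace-separated lines above into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, country, asn, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "asn": asn, "result": result})
    return events


def build_baseline(events):
    """Per-user profile of countries, ASNs and login hours from successful logins."""
    profile = defaultdict(lambda: {"countries": set(), "asns": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        p = profile[e["user"]]
        p["countries"].add(e["country"])
        p["asns"].add(e["asn"])
        p["hours"].add(e["ts"].hour)
    return profile


def hour_distance(a, b):
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)


def score(event, profile, hour_slack=2):
    """Reasons an event deviates from its user's baseline (empty list = normal)."""
    p = profile.get(event["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if event["country"] not in p["countries"]:
        reasons.append("new country")
    if event["asn"] not in p["asns"]:
        reasons.append("new ASN")
    if all(hour_distance(event["ts"].hour, h) > hour_slack for h in p["hours"]):
        reasons.append("outside usual hours")
    return reasons


def flagged(events, profile):
    """(user, timestamp, reasons) for every event that deviates from the baseline."""
    out = []
    for e in events:
        reasons = score(e, profile)
        if reasons:
            out.append((e["user"], e["ts"].isoformat(), reasons))
    return out


if __name__ == "__main__":
    stale = flagged(parse(TO_SCORE), build_baseline(parse(OFFICE_PERIOD)))
    fresh = flagged(parse(TO_SCORE), build_baseline(parse(REMOTE_LEARNING)))
    print("office baseline flags:", stale)   # every remote login looks anomalous
    print("remote baseline flags:", fresh)   # only the 03:12 login from a new country and ASN
```

One caveat that applies to any re-baselining: the remote-work learning window has to be reviewed before it is trusted, because an attacker who was already active when the baseline was re-learned becomes part of “normal”. Excluding accounts with open incidents from the learning set, and comparing the new profile against the old one for unexplained jumps (new countries, new ASNs, night-time hours), are cheap ways to catch that.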
Ensuring Endpoint Detection Capabilities are Enabled, Safeguarding Users from Potential Unwanted Behaviors by Bad Actors
A remote workforce also means that more employee laptops and workstations are connecting to the organization’s internal network from the outside. For many companies, this shift makes it harder to enforce and maintain appropriate endpoint and network security controls on these devices. In addition to enabling a traditional antivirus solution, organizations should require VPN connections with multi-factor authentication for access to any corporate asset, patch endpoints regularly, and deploy an advanced endpoint protection (AEP) solution so that advanced attacks can be detected in real time and remediated remotely. These solutions provide endpoint visibility and protection whether the device is on or off the network. However, there is no “silver bullet” in endpoint security; additional steps are needed to ensure endpoint detection capabilities are fully effective. Here are seven measures that must be taken in conjunction with the AEP tool to safeguard remote users from bad actors:
- Ensure all employees know what acceptable user behavior is when using corporate assets or accessing corporate data
- Test endpoints’ protection agents to ensure they are operational and visible to network administrators, so they can communicate and respond to security events regardless of the endpoint’s location
- Review and update prevention policies to ensure remote business units are not impacted
- Tune policies to reduce false positive alerts
- Ensure the AEP technology is logging to your enterprise SIEM tool
- Create more robust correlation rules
- Review and update security monitoring playbooks and procedures
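Two of the measures above, agent testing and more robust correlation rules, as an added example (not the original post’s tooling and not any AEP vendor’s API). The first function reports enrolled endpoints whose agent has not checked in within a window, regardless of whether the device is on or off the network, which is the visibility check the second bullet asks for. The second is a simple SIEM correlation rule: an AEP detection on an off-net host that connected to the VPN within the previous 30 minutes is escalated, since the suspicious activity now has a path onto the internal network. The inventory rows, SIEM events, hostnames, users and thresholds are all constructed for illustration.

```python
"""Added example: agent coverage check and an AEP/VPN correlation rule.

Not the original post's tooling and not any AEP vendor's API. The inventory
rows, SIEM events, hostnames and thresholds are constructed for illustration.
"""
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


NOW = ts("2020-04-06T12:00:00")

# Constructed AEP console inventory: (hostname, primary user, last check-in, location).
INVENTORY = [
    ("LT-0101", "alice", "2020-04-06T11:52:00", "off-net"),
    ("LT-0102", "bob",   "2020-04-06T11:47:00", "off-net"),
    ("LT-0103", "dave",  "2020-04-05T08:00:00", "off-net"),  # silent for 28 hours
    ("WS-0201", "carol", "2020-04-06T11:58:00", "on-net"),
    ("WS-0202", "erin",  "2020-04-01T17:30:00", "on-net"),   # silent for days, even on-net
]

# Constructed events as forwarded to the SIEM by the VPN gateway and the AEP tool.
SIEM_EVENTS = [
    {"ts": "2020-04-06T11:40:00", "source": "vpn", "user": "bob",
     "host": "LT-0102", "detail": "vpn login from RO AS64999"},
    {"ts": "2020-04-06T11:45:00", "source": "aep", "user": "bob",
     "host": "LT-0102", "detail": "credential dumping attempt blocked"},
    {"ts": "2020-04-06T11:50:00", "source": "aep", "user": "alice",
     "host": "LT-0101", "detail": "potentially unwanted application blocked"},
]


def stale_agents(inventory, now=NOW, max_age=timedelta(hours=24)):
    """Endpoints whose agent has not checked in within max_age, wherever they are.

    Returns (host, user, location, hours_since_checkin) so the SOC can chase
    off-net laptops (agent connectivity) and on-net hosts (tampered or
    uninstalled agent) separately.
    """
    stale = []
    for host, user, last_seen, location in inventory:
        age = now - ts(last_seen)
        if age > max_age:
            stale.append((host, user, location, round(age.total_seconds() / 3600, 1)))
    return stale


def correlate(events, inventory, window=timedelta(minutes=30)):
    """Correlation rule: an AEP detection on an off-net host whose user connected
    to the VPN within the previous `window` is escalated to high severity; any
    other AEP detection is raised at medium severity."""
    location = {host: loc for host, _, _, loc in inventory}
    vpn_logins = [(ts(e["ts"]), e["user"]) for e in events if e["source"] == "vpn"]
    alerts = []
    for e in events:
        if e["source"] != "aep":
            continue
        t = ts(e["ts"])
        recent_vpn = any(u == e["user"] and t - window <= vt <= t for vt, u in vpn_logins)
        severity = "high" if recent_vpn and location.get(e["host"]) == "off-net" else "medium"
        alerts.append({"host": e["host"], "user": e["user"], "severity": severity,
                       "detail": e["detail"], "recent_vpn_login": recent_vpn})
    return alerts


if __name__ == "__main__":
    for row in stale_agents(INVENTORY):
        print("stale agent:", row)
    for alert in correlate(SIEM_EVENTS, INVENTORY):
        print("alert:", alert)
```

The correlation only works if both the VPN gateway and the AEP tool forward to the SIEM with synchronized clocks and a shared user and host key, which is why the logging bullet above comes before the correlation bullet: without the AEP feed in the SIEM, the rule has nothing to join against.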
It is critical for organizations to adopt and use advanced endpoint protection. AEP solutions have evolved well beyond antivirus technology and provide a high level of detection and protection, but no technology is perfect. To truly safeguard remote users from bad actors, a defense-in-depth strategy is a must: enabled endpoint detection technology, enhanced procedures, 24/7 security event detection and response, and a SOC with integrated UBA/UEBA.
As we are now living and working in unprecedented times, we are encouraging all clients to take the appropriate steps to ensure both their employees and the organization itself are sufficiently protected. Otherwise, it is far too easy for an attacker to circumvent the minimal security controls most organizations employ, and no one wants to find themselves on the wrong side of a security breach. To help organizations navigate their way through this new landscape, we have developed a Work from Home Cybersecurity Practices overview.
Protiviti offers a wide range of security and privacy solutions, tailored to meet the unique needs of each organization. With our ability to function at both the strategic and tactical levels, we combine deep technical security competence with executive-level communication and management. Our holistic approach starts by understanding what is most important to organizations, then structuring and supporting programs so the business is engineered to grow securely.