The COVID 19 pandemic has forced large scale adoption of remote work. There is an increasing use of digital systems, and organizations are seeing an exponential rise in connectivity while trying to sustain operations during this crisis. This massive shift in the mode of work is putting immense pressure on cybersecurity operations due to the significant rise in cyber threats with hackers taking full advantage of the situation through phishing and social engineering attacks.
The attacks have a COVID 19 theme, which makes it even more challenging to detect and prevent its occurrence. These attacks can rise in volume and sophistication due to the lack of tools and resources within the organization to stop them.
Organizations must conduct more in-depth risk assessments to mitigate risks, and sensing issues related to VPN vulnerabilities, insecure Wi-Fi connections since hacking communities are only happy exploiting these vulnerabilities. Most businesses neither haven’t done any risk assessment nor have the security policies, procedures, or resources to meet the cyber demands rising due to remote work.
Privileged users accessing crown jewel assets and authorized users leveraging sensitive data and apps now need to access them from anywhere (public/private/hybrid cloud or on-premise) and from any device.
Here are some of the security challenges commonly faced by a CISO
- How can I expose my applications and systems outside of my network?
- How can I do a risk assessment to meet the demands of remote access of applications from outside of the network?
- My data security and insider threat controls can only regulate access within the network. What should I do now?
- I lack the resources to monitor extensive user activity over VPN and web.
- My IT administrators were always on-premise, and now they are forced to do it remotely.
- I am not sure of the impact of remote work on data privacy and compliance.
- I know phishing, malware, and ransomware attacks are on the rise, but I am not ready for them.
These challenges belong to the following category of risks:
- ID/Device Risks (laptop/desktop/mobile)
- Application Risks
- Network Risks
- Data Risks
The nature of remote work is also making organizations think about how to manage the workloads of the future. By being aware of the pain points of the risks mentioned in the categories above and the solutions to fix it can help you in devising an integrated and customized security framework to meet the challenges of the future.
How to mitigate security risks due to remote work
Identity and Device Risks
The foremost risk is the risk associated with user devices. Employees might be working from personal/handheld/mobile devices having Windows, Linux, IoS, or Android operating systems. These devices, along with their operating systems, have a unique set of vulnerabilities that needs quarantine at the source itself.
For, eg. If you have a device having a malicious app and using the device, the user tries to access a business critical server over a VPN. It can lead to potential risks. The app can also steal data from this device. To minimize these threats, you need Unified Endpoint Management (UEM) capabilities to containerize the data and enable mobile threat management features to keep your devices safe from viruses. Ensure that you are secure every device used by the employees with UEM to mitigate all devices related security risks.
Application Risks
The next risk is due to the applications, Identity and Access Management. When employees get connected over VPN, user name and password alone cannot guarantee secure remote connectivity. There is a need to validate user identity through authentication mechanisms which will ensure the user is verified before entering the network. After authentication, the authorization phase decides whether to deny or provide user access to data, resources, and systems.
Identity and Access Management can be driven manually for a few thousand employee IDs to provide access to a few apps. However, in an enterprise scenario, where the user base is beyond 1000 or 2000 employees, the process becomes complex to provide user access rights to multiple applications. To meet this scale of identity and access needs, you need an automated process that will help you manage identity and access management needs. If you do not automate, users might gain privileged access or escalated rights to your IT environment resulting in potential risks and threats.
You must also address identity, access, and authorization challenges, along with managing the entire lifecycle of the user.
For Eg., If a new employee joins the organization, based on the role and responsibility, he/she can access, say, four business apps. When the employee changes the role, there might be a need to access more apps and do away access to previous apps. If the employee leaves the organization, all access rights are revoked, and the employee ID deleted.
However, most businesses do not take such preventive measures since all processes are manual, and it is impossible for IT resources to manage every ID and access due to the size and scale of enterprise operations. Automation of Identity and access management to provision/disable IDs or revalidate user access in stipulated time frames is the most efficient way to meet compliance and mitigate risks associated with employees due to remote work.
Single Sign-On (SSO) is another way of enabling users to access different applications without compromising on their productivity. Though SSO can increase productivity and customer experience, Multi-Factor Authentication (MFA) in the form of OTP, soft/hard token, biometrics, facial detection, etc. can help in authenticating users at every level of access.
There are also smarter ways of identifying legitimate and non-legitimate users. The identification process is enabled by adding a layer of authentication in MFA. A risk scoring engine in the IAM solution helps in identifying the pattern of users trying to access the business application. If the user is trying to access through a company laptop by not changing the geographic location, logging from the same browser, the risk scoring algorithm will verify the user as legitimate and provide access to the application.
Network Risks
If the IP address keeps changing, such as a change in laptops (from business to personal laptop) to access a business application, the risk scoring engine will alert, saying that there is a deviation from the regular access pattern, and this doesn’t seem legitimate. The user is challenged with an additional layer of MFA for authentication. This process will keep the customer experience in place and keep the wrongdoer away from the network.
Smarter robotics driven IAM solution can help with robust device and ID management, monitor user activity, behaviors, patterns to enable comprehensive employee lifecycle management. Automated IAM solutions can drive continuous background monitoring of user activities to challenge any user automatically to mitigate the emergence of any possible threat scenario.
Developing a security strategy for remote user management must be based on authorizing users based on the level of access. There should be visible differentiation in the strategy to meet the needs of both authorized users who access business applications and privileged users who are administrators of business servers and can access sensitive assets.
Privileged Access Management (PAM) helps in discovering privileged accounts in your environment and helps in managing user sessions and protecting credentials of privileged accounts so that they can not be misused by even by administrators. You can also restrict accounts from executing commands (such as delete, reboot, copy, cut, etc.), record user keystrokes, or do a video recording of the entire user session. These features of PAM can help you manage privileged accounts when administrators are operating from a remote location.
Data Risks
Data is another high-risk area that should matter the most. You should have solutions such as continuous database monitoring to detect any malicious activity around critical data. Most organizations are not aware of where their critical information is located in the database. The first step is to discover the critical data and classify them based on confidentiality. After classification, you can monitor the data based on user access and compliance requirements. You can then create security policies that will restrict administrators or malicious users from exfiltrating data. There is also a need to encrypt data to meet compliance standards such as HIPAA, PCI, and can help you meet audit needs.
Adopting a integrated security approach
Here is a use case scenario which adopts an integrated security approach:
Lets us consider you have a VPN and IAM solution in place, and the user is trying to access a business critical service through a VPN. Just in case, he can enter your network, despite the security controls in place by hacking a personal device or compromising user name and password; when he tries to some malicious activity, a log is generated from that device. Suppose if you have deployed a SIEM solution, the log data will be fed to the correlation engine to create offenses. SIEM creates patterns as to what is going wrong in your environment. A User Behaviour Analysis (UBA) of the particular log powered by Machine Learning is done to analyze and create patterns for various users. If any user tries to do malicious work, UBA will notify to notify the security analysts of the observed changes in the behavior of the particular user. By creating a baseline of user activity, UBA can notify you of users deviating from regular activity. Once detected, you can block or disable the user.
A SOAR platform can take things a level higher by automating security tasks.
By having a SOAR platform, you can automate workflows in case of an offense. If a malicious user is detected, an incident is opened in the SOAR platform, and the workflow is initiated automatically to block that particular traffic based on IP address.
SOAR solution can ask your IAM solution to block the user for a specified period. The solution is resilient enough to pull data from various security solutions or applications to investigate the incident further. If the incident has occurred due to false-positive alarm, you can send a notification to verify using MFA to the user’s registered mobile number to revalidate the identity. If the user identity is authenticated, automatically, the user id is enabled. If not, malicious user alert is generated to indicate a compromise. By using the SOAR platform, you can automate a response such a vulnerability scan in the end-user machine such as pushing new antivirus patches and quarantining the device from the network.
As you have seen in this use case scenario, you can have comprehensive control in mitigating risks, from detection, investigation to crafting a response for users working remotely. An integrated approach can help you sustain security levels, be it authentication, user validation, authorization for users to the apps for users, and audits to maintain compliance needs. The approach includes Identity and Access management, perimeter and endpoint solution, SOAR/SIEM solution empowered by intelligence feeds to give your comprehensive security cover.
Your security analysts will be empowered to make informed decisions when a non-legitimate user enters the network. They can use tools & platforms such as SIEM/SOAR to quickly detect and respond to incidents through automated workflows and meet any security skills shortage while leveraging existing resources for more productive work.
SIEM solution has limitations, and you should bring data to a centralized location to do a correlation. There might be may apps and data lakes in your environment, which are distributed across locations, and it might be impossible for an organization to bring all the data to a central location to do a correlation.
The latest advancements in SIEM space can help with data explorer functionality to integrate data sources and other security technologies in your environment, which otherwise cannot be integrated with SIEM solution. It will also enable you to search for incidents from a single console across log sources, provide you with advanced, proactive threat intelligence feeds, which is categorized based on business vertical and geographic location. Regular automatic scans of your log sources integrated with the SIEM solution will keep you informed of the indicators of compromise related to your business. Such advanced solutions can give you complete visibility in terms of proactive threat intelligence for threat hunting to bridge security operations log sources not yet integrated with SIEM solution. All these happen through a single console of the data explorer and reduces the detection, investigation, and response time for an incident.
Integrate your security practices for better outcomes
Considering the modern security needs of remote work, you must adopt an integrated approach to ensure 360-degree visibility of security threats. Whether it a pandemic or you foresee a significant chunk of your employee population working remotely in the future trying to access applications, data, or systems located on private/public/hybrid cloud or on-premise, consolidating security practices is the only way ahead.
Do you have questions on how to effectively manage and leverage security operations for the best possible outcomes in a remote working environment? Reach us at contact@aujas.com