Sooner rather than later, employees will be making their way back to the office. Here’s how security pros can plan for the next new normal.
- Treat All Returning Endpoints as High Risk:-
That means segregation from the trusted corporate network, says Joseph Carson, chief security scientist and advisory CISO at Thycotic. Each endpoint to be introduced back onto the corporate network will need its security controls reverified and its system scanned to ensure no malware or other risks might be hiding or waiting to move laterally onto the corporate network, he explains.
Companies really need to get serious about hardening employee laptops, adds Oliver Tavakoli, chief technology officer at Vectra. Security teams that have not already deployed an endpoint detection and response (EDR) platform should do so before the vast majority of workers come back to the office.
“By deploying EDR on the laptops, IT staff can also ensure a degree of security hygiene when those laptops eventually accompany returning employees,” Tavakoli says. “Think of this as vaccinating the laptop to limit cyber outbreaks on return to the office.”
- Watch Out for Intrusions With Long Dwell Times:-
While security teams should expect an immediate uptick in support calls as infected devices attempt to connect directly to the corporate network, John Morgan, CEO of Confluera, says security pros must also be on the lookout for attacks that simmer slowly and travel under the radar.
It takes more than six months for a typical organization to detect and respond to modern cyberattacks, Morgan points out. Once an attacker gains access to a corporate device or network, they are in no hurry to navigate from server to server looking for their catch, as such actions could draw the attention of IT and security analysts. Instead, they will take small, benign-looking steps, lying dormant for weeks or months in between. IT and security analysts often do not have the tools to correlate various weak signals to make sense of an attack in progress. Neither can they correlate events that occur weeks or even months apart. This gap in security coverage should concern organizations.
“There will surely be a surge in security-related issues as employees return to the office,” Morgan says. “Organizations need to be even more vigilant after the surge subsides as hackers have now gained a foothold in the corporate network and are traversing laterally under the covers.”
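To make the correlation gap concrete, here is an added example (not code from the article or from Confluera) that scores benign-looking host events over a long sliding window, so that four events spread across three months still add up to an escalation while a 30-day window never sees them together. The event names, weights, window length, threshold and the log lines are all constructed for illustration, not taken from any product.

```python
"""Correlate weak, widely spaced signals per host into one incident score.

Added example, not from the article or from Confluera. Event names, weights,
the window, the threshold and the sample log are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-event weights: each event is benign-looking on its own.
WEIGHTS = {
    "new_scheduled_task": 1,
    "new_local_admin": 2,
    "dns_new_domain": 1,
    "smb_to_new_host": 2,
    "archive_created_large": 2,
}
WINDOW_DAYS = 90   # assumption: look back a full quarter, not a week
THRESHOLD = 5      # assumption: cumulative score at which a host is escalated

# Constructed sample log, one "timestamp host event" record per line.
SAMPLE_LOG = """\
2021-03-02T09:14:00 lt-1042 new_scheduled_task
2021-03-19T22:41:00 lt-1042 dns_new_domain
2021-04-27T03:05:00 lt-1042 new_local_admin
2021-05-30T02:12:00 lt-1042 smb_to_new_host
2021-03-04T10:00:00 lt-2210 dns_new_domain
2021-03-05T10:00:00 lt-2210 new_scheduled_task
"""


def parse_log(text):
    """Turn the text log into sorted (timestamp, host, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name = line.split()
        events.append((datetime.fromisoformat(ts), host, name))
    return sorted(events)


def score_hosts(events, window_days=WINDOW_DAYS, threshold=THRESHOLD):
    """Return {host: (score, first_ts, last_ts)} for every host whose weighted
    events inside one sliding window reach the threshold.

    The window slides per host: events older than `window_days` relative to
    the current event are subtracted again, so only events that genuinely
    co-occur within the window contribute to the score.
    """
    window = timedelta(days=window_days)
    by_host = defaultdict(list)
    for ts, host, name in events:
        by_host[host].append((ts, name))

    escalated = {}
    for host, evs in by_host.items():
        evs.sort()
        start = 0
        score = 0
        for ts, name in evs:
            score += WEIGHTS.get(name, 0)
            # Expire events that have fallen out of the window.
            while ts - evs[start][0] > window:
                score -= WEIGHTS.get(evs[start][1], 0)
                start += 1
            if score >= threshold:
                escalated[host] = (score, evs[start][0], ts)
                break
    return escalated


def find_slow_burn(log_text, window_days=WINDOW_DAYS, threshold=THRESHOLD):
    """Parse a log and return the hosts whose slow-burn score crossed the threshold."""
    return score_hosts(parse_log(log_text), window_days, threshold)


if __name__ == "__main__":
    for host, (score, first, last) in find_slow_burn(SAMPLE_LOG).items():
        print(f"{host}: score {score}, activity spans {first.date()} to {last.date()}")
```

With the 90-day window, lt-1042 is escalated on its fourth event with a score of 6 across an 88-day span; with a 30-day window the same events never overlap enough to reach 5 and nothing is reported, which is exactly the blind spot a short correlation horizon creates.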
- Provide Security Awareness Training for Returning Workers:-
Attackers tend to take advantage of people when they are disoriented or preoccupied — such as when the pandemic first happened. John Ayers, chief product officer at Nuspire, says this will happen again when people return to the office.
Scams could include fraudulent promotions and deals for corporate travel, such as emails that promise special bonuses for returning to normal travel levels, he says. Employees will also need to stay on guard with what they share on social media, especially taking care not to tip off hackers if the organization is going through a tough transition. That’s just open season for hackers to prey on the initial chaos.
- Leverage Behavioral Analytics:-
Some portion of the workforce will continue to work from home as others return to the office. Others may take a hybrid approach, working one or two days from home, and some will return to traveling.
The pandemic has taught us that the perimeter-based network has gone by the wayside for good, says Eric Parizo, principal analyst for cybersecurity operations at Omdia. In this accelerated mobile reality, companies will need to lean more extensively on behavioral analytics tools.
“Companies will need to look out for anomalies that do or don’t make sense — for example, if a user logs on from China or a different time of day and it just doesn’t add up,” Parizo says. “If there’s an anomaly, there are XDR-based tools that can either kick the user out of the system or ask for a secondary form of authentication.”
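The kind of check Parizo describes can be expressed as a per-user baseline plus a response decision. The following is an added example, not code from the article or from Omdia, and it assumes a constructed login history (timestamp, user, country, ASN), a one-hour tolerance around previously seen login hours, and a made-up rule that a location change alone triggers step-up authentication while location, network and hour all being new is treated as a takeover and blocked.

```python
"""Flag logins that deviate from a per-user baseline and choose a response.

Added example, not from the article or from Omdia. The login history, the
hour tolerance and the allow/step_up/block rules are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed login history, one "timestamp user country asn" record per line.
HISTORY = """\
2021-04-01T08:55:00 alice US AS7922
2021-04-02T09:10:00 alice US AS7922
2021-04-05T08:48:00 alice US AS7922
2021-04-06T13:02:00 alice US AS15169
2021-04-07T09:20:00 alice US AS7922
"""


def parse(text):
    """Turn login records into (timestamp, user, country, asn) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, country, asn = line.split()
            rows.append((datetime.fromisoformat(ts), user, country, asn))
    return rows


def build_baseline(rows):
    """Per user: the countries, ASNs and hours of day seen so far."""
    base = defaultdict(lambda: {"countries": set(), "asns": set(), "hours": set()})
    for ts, user, country, asn in rows:
        b = base[user]
        b["countries"].add(country)
        b["asns"].add(asn)
        b["hours"].add(ts.hour)
    return base


def assess(baseline, ts, user, country, asn):
    """Return (reasons, action); action is 'allow', 'step_up' or 'block'."""
    b = baseline.get(user)
    if b is None:
        return (["unknown_user"], "step_up")   # no baseline yet: always verify
    reasons = []
    if country not in b["countries"]:
        reasons.append("new_country")
    if asn not in b["asns"]:
        reasons.append("new_asn")
    # Assumption: an hour either side of previously seen hours is normal.
    if not any(abs(ts.hour - h) <= 1 for h in b["hours"]):
        reasons.append("unusual_hour")
    if not reasons:
        return ([], "allow")
    # Assumption: one or two anomalies get MFA; all three are treated as
    # account takeover and the session is refused.
    if len(reasons) >= 3:
        return (reasons, "block")
    return (reasons, "step_up")


BASELINE = build_baseline(parse(HISTORY))


def check(record, baseline=None):
    """Assess one 'timestamp user country asn' record against the baseline."""
    if baseline is None:
        baseline = BASELINE
    ts, user, country, asn = parse(record)[0]
    return assess(baseline, ts, user, country, asn)


if __name__ == "__main__":
    for rec in ("2021-04-08T09:05:00 alice US AS7922",
                "2021-04-08T09:05:00 alice CN AS4134",
                "2021-04-08T03:30:00 alice CN AS4134"):
        print(rec, "->", check(rec))
```

The design point is that the decision is a function of the deviation from the user's own history rather than of a fixed geography list: a login from a new country at the usual hour only prompts for a second factor, while a new country, a new network and a 3:30 a.m. login together are refused outright.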
- Pay Closer Attention to Vulnerability Remediation:-
Patching known vulnerabilities at scale presents a massive and continuing challenge, especially with an increased attack surface and more complex environment. This requires a high level of coordination across multiple business teams (development, operations, security, business, etc.), which itself can be difficult when these teams are working remotely, says Vulcan Cyber’s Bar-Dayan.
Organizations that have prioritized secure cloud migration have seen the most success during the pandemic, he says. Companies that were able to quickly pivot from brick-and-mortar to online operations, logistics, and sales models or embrace digital transformation have been able to achieve the inherent business value delivered by enabling cloud-native technologies. Those in highly regulated industries, such as finance and healthcare, moved at a slower rate and have faced greater business and security challenges.
“Although we’ve seen major improvements in the ability of security teams to ensure that the remote working model is secure, vulnerability remediation continues to be a significant pain point,” Bar-Dayan says. “The remote work model presents a particularly tricky threat landscape, so IT security teams should use configuration changes whenever and wherever possible to mitigate risk proactively. They should also consider tailored patching schedules, which can be a lifesaver in patch management and remediation processes, built around users’ availability patterns.”
The shift to mass remote working required security teams to quickly adapt to an evolving threat landscape and the need for more proactive vulnerability remediation efforts, he adds. Reflecting on the experience as companies return to the office, organizations must build task forces for the most critical vulnerabilities within enterprise infrastructures. Security and IT teams can’t do it alone. They need to invest in collaboration platforms that will bring teams together, rather than relying on a confusing array of Excel spreadsheets and communication channels. And finally, they need to establish clear and uniform key performance indicators.
“You can’t fix what you can’t measure,” Bar-Dayan says. “The efficiency and strength of an organization’s collaboration and the clarity of communication will be the key to success.”
- Use Identity and Access Management to Complement VPNs:-
The evolution to a hybrid work environment over the next several months means security must evolve from perimeter and network-based to focus on identity and privileged access management.
Security teams will have to treat devices that have left the traditional office perimeter as they do bring your own device (BYOD) units, says Thycotic’s Carson. This will mean further segregating networks for untrusted devices while securing them with strong privileged access security controls to foster productivity and access.
“VPNs will continue to have their use for encrypting traffic, which is what they were originally intended for and not exactly access management,” he says. “However, identity and access management will complement VPNs to ensure that the traffic is secure and that the person and endpoint is verified and authorized.”
- Consider Segmentation Technologies:-
The industry has to come to grips with the reality that it will sometimes fail, says Andrew Rubin, co-founder and CEO of Illumio. Just look at the past several months, with major hacks around SolarWinds and Microsoft Exchange.
“Each successive incident is worse than the next,” Rubin says. “We can’t think that we can stop it and create a situation where systems will stay secure 100% of the time. We will fail.”
Especially as employees head back to the office, security pros should look for solutions that segment workloads and endpoints so if and when a server gets compromised, the team can isolate it so it doesn’t infect the rest of the systems on the network, he adds. Security teams can limit spread by setting rules and policies for what systems can talk to one another. For example, Rubin says development systems don’t ever have to communicate with production systems.
“The idea is to make it as hard as possible for the attacker to penetrate the network,” he says. “We can’t shrink what’s become an enlarged attack surface as a result of the pandemic, but we can make it more difficult for hackers to maneuver so when a breach does take place, we can limit the damage. I view segmentation as just as important as identity and access management in moving down the path of zero trust.”
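Rubin's dev-never-talks-to-prod rule is easiest to reason about as a label-based, default-deny allow-list. The following is an added example, not code from the article or from Illumio: the workload labels, the three rules and the flows are constructed, and the `blast_radius` helper shows what a compromised workload could still reach under the policy, which is the "limit the damage" property the section is about.

```python
"""Evaluate east-west traffic against a label-based, default-deny segmentation policy.

Added example, not from the article or from Illumio. Workloads, labels,
rules and flows are constructed for illustration.
"""

# Workloads are described by labels rather than by IP address.
WORKLOADS = {
    "web-prod-01": {"env": "prod", "role": "web"},
    "db-prod-01":  {"env": "prod", "role": "db"},
    "web-dev-01":  {"env": "dev",  "role": "web"},
    "db-dev-01":   {"env": "dev",  "role": "db"},
    "jump-01":     {"env": "prod", "role": "jump"},
    "laptop-4711": {"env": "endpoint", "role": "user"},
}

# Allow-list. A selector matches a workload when every label in it matches;
# any flow that matches no rule is dropped. There is deliberately no rule
# that joins "dev" to "prod" in either direction.
RULES = [
    {"name": "web-to-db", "src": {"role": "web"}, "dst": {"role": "db"},
     "ports": {("tcp", 5432)}, "same_env": True},
    {"name": "jump-ssh", "src": {"role": "jump"}, "dst": {"env": "prod"},
     "ports": {("tcp", 22)}, "same_env": False},
    {"name": "user-https", "src": {"role": "user"},
     "dst": {"role": "web", "env": "prod"},
     "ports": {("tcp", 443)}, "same_env": False},
]


def matches(selector, labels):
    """True when every label in the selector is present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(src, dst, proto, port, workloads=WORKLOADS, rules=RULES):
    """Return (allowed, rule_name). Unknown workloads and unmatched flows are denied."""
    s, d = workloads.get(src), workloads.get(dst)
    if s is None or d is None:
        return (False, "unknown-workload")
    for r in rules:
        if not matches(r["src"], s) or not matches(r["dst"], d):
            continue
        if r["same_env"] and s["env"] != d["env"]:
            continue   # e.g. web-dev -> db-prod is refused even on the DB port
        if (proto, port) in r["ports"]:
            return (True, r["name"])
    return (False, "default-deny")


def blast_radius(src, workloads=WORKLOADS, rules=RULES):
    """Map of every other workload a compromised `src` could still reach,
    and on which (proto, port) pairs, under the current policy."""
    reach = {}
    for dst in workloads:
        if dst == src:
            continue
        for r in rules:
            for proto, port in r["ports"]:
                allowed, _ = evaluate(src, dst, proto, port, workloads, rules)
                if allowed:
                    reach.setdefault(dst, set()).add((proto, port))
    return reach


if __name__ == "__main__":
    for flow in (("web-prod-01", "db-prod-01", "tcp", 5432),
                 ("web-dev-01", "db-prod-01", "tcp", 5432),
                 ("web-prod-01", "db-prod-01", "tcp", 22)):
        print(flow, "->", evaluate(*flow))
    for host in WORKLOADS:
        print(host, "can reach", blast_radius(host))
```

Because the rules are directional and environment-aware, a compromised dev web server can reach only the dev database on its one service port, and a compromised production database can reach nothing at all; that is the containment the policy buys, independent of where the attacker first landed.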