How do I select a remote workforce protection solution for my business?

Recent research shows almost three quarters of large businesses believe remote working policies introduced to help stop the spread of COVID-19 are making their companies more vulnerable to cyberattacks. New attack vectors for opportunistic cyber attackers – and new challenges for network administrators have been introduced.

To select a suitable remote workforce protection solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.

Vince Berk, VP, Chief Architect Security, Riverbed

select remote workforce protectionA business needs to meet three main realizations or criteria for a remote workforce protection solution to be effective:

Use of SaaS, where access to the traffic in traditional ways becomes challenging: understanding where data lives, and who accesses it, and controlling this access, is the minimum bar to pass in an environment where packets are not available or the connection cannot be intercepted.

Recognition that users use a multitude of devices, from laptops, iPads, phones—many of which are not owned or controlled by the enterprise: can identity be established definitively, can data access be controlled effecitvely, and forensically accurately monitored for compromise at the cloud/datacenter end?

When security becomes ‘too invasive’, workers create out-of-band business processes and “shadow IT,” which are a major blind spot as well as a potential risk surface as company private information ends up outside of the control of the organization: does the solution provide a way to discover and potentially control use of this modern shadow IT.

A comprehensive security solution for remote work must acknowledge the novel problems these new trends bring and succeed on resolving these issues for all three criteria.

Kate Bolseth, CEO, HelpSystems

select remote workforce protectionOne thing must be clear: your entire management team needs to assist in establishing the right infrastructure in order to facilitate a successful remote workforce environment.

Before looking at any solutions, answer the following questions:

  • How are my employees accessing data?
  • How are they working?
  • How can we minimize the risk of data breaches or inadvertent exposure of sensitive data?
  • How do we discern what data is sensitive and needs to be protected?

The answers will inform organizational planning and facilitate employee engagement while removing potential security roadblocks that might thwart workforce productivity. These guidelines must be as fluid as the extraordinary circumstances we are facing without creating unforeseen exposure to risk.

When examining solutions, any option worth considering must be able to identify and classify sensitive personal data and critical corporate information assets. The deployment of enterprise-grade security is essential to protecting the virtual workforce from security breaches via personal computers as well as at-home Wi-Fi networks and routers.

Ultimately, it’s the flow of email that remains the biggest vulnerability for most organizations, so make sure your solution examines emails and files at the point of creation to identify personal data and apply proper protection while providing the link to broader data classification.

Carolyn Crandall, Chief Deception Officer, Attivo Networks

select remote workforce protectionWhen selecting a remote workforce protection solution, CISOs need to consider three key areas: exposed endpoints, security for Active Directory (AD) and preventing malware from spreading.

Exposed endpoints: standard anti-virus software and VPNs are no match for advanced signature-less or file-less attack techniques. EDR tools enhance detection but still leave gaps. Therefore pick an endpoint solution capable of quickly detecting endpoint lateral movement, discovery and privilege escalation.

Security for Active Directory (AD): cloud services and identity access management need protection against credential theft, privilege escalation and AD takeover. In a remote workforce context AD is often over provisioned or misconfigured. A good answer is denial technology which detects discovery behaviors and attempts at privilege escalation.

Preventing spread of malware: it is almost impossible to prevent malware passing from workforce machines reconnecting to the network. It is vital therefore to choose a resolution that uncovers lateral movement, APTs, ransomware and insider threats. Popular options include EPP/EDR, Intrusion Detection/Prevention Systems (IDS/IPS) and deception technology. When selecting, take account of native integrations and automation as well as how well the tools combine to share data and automate incident response.

In short, the answer to remote workforce protection lies in a robust, layered defence. If attackers get through one, there must be additional controls to stop them from progressing.

Daniel Döring, Technical Director Security and Strategic Alliances, Matrix42

select remote workforce protectionEndpoint security requires a bundle of measures, and only companies that take all aspects into account can ensure a high level of security.

Automated malware protection: automated detection in case of anomalies and deviations is a fundamental driver for IT to be able to react quickly in case of an incident. In this way, it is often possible to fend off attacks before they even cause damage.

Device control: all devices that have access to corporate IT must be registered and secured in advance. This includes both corporate devices and private employee devices such as smartphones, tablets, or laptops. If, for example, a smartphone is lost, access to the system can be withdrawn at the click of a mouse.

App control: if, in addition to devices, all applications are centrally controlled by IT, IT risks can be further minimized. The IT department can thus control access at any time.

Encryption: the encryption of all existing data protects against the consequences of data loss.

Data protection at the technological and manual levels: automated and manual measures are combined for greater data protection. Employees must continue to be trained so that they are aware of risks. However, the secure management of data stocks can be simplified with the help of technology in such a way that error tolerance is significantly increased.

Greg Foss, Senior Cybersecurity Strategist, VMware Carbon Black

select remote workforce protectionThe most important aspect for any security solution is how this product is going to complement your current environment and compensate for gaps within your existing controls.

Whether you’re looking to upgrade your endpoint protections or add always-on VPN capability for the now predominately remote workforce, there are a few key considerations when it comes to deploying security software for protecting distributed assets:

  • Will the solution require infrastructure to deploy, or will this be a remote cloud hosted solution? Both options come with their unique benefits and drawbacks, with cloud being optimal for disparate systems and offloading the burden of securing internet-facing services to the vendor.
  • What is the footprint of the agent and are multiple agents required for the solution to be effective? Compute is expensive, agents should be as non-impactful to the system as possible.
  • How will this solution improve your security team’s visibility and ability to either prevent or respond to a breach? What key gaps in coverage will this tool help rectify as cost effectively as possible.
  • Will this meet the organization’s future needs, as things begin to shift back to the office?
  • Lastly, ensure that you allow for the team to operationalize and integrate the platform. This takes time. Don’t bring on too many tools at once.

Matt Lock, Technical Director, Varonis

select remote workforce protectionWith more remote working, comes more cyberattacks. When selecting a remote workforce solution, CISO’s must ask the following questions:

Am I able to provide comprehensive visibility of cloud apps? Microsoft Teams usage exploded by 500% during the pandemic, however given its immediate enforcement, deployments were rushed with misconfigured permissions. It’s paramount to pick a solution that allows security teams to see where sensitive data is overexposed and provide visibility into how each user can access Office 365 data.

Can I confidently monitor insider threat activity? The shift to remote working has seen a spike in insider threat activity and highlighted the importance of understanding where sensitive data is, who has access to it, whose leveraging that access, and any unusual access patterns. Best practices such as implementing the principle of least privilege to confine user access to the data should also be considered.

Do I have real-time insight into anomalous behavior? Having real-time awareness of unusual VPN, DNS and web activity mustn’t be overlooked. Gaining visibility of this web activity assists security teams track and trend progress as they mitigate critical security gaps.

Selecting the right workforce protection solution will vary for different organizations depending on their priorities but the top priority of any solution must be to provide clear visibility of data across all cloud and remote environments.

Druce MacFarlane, Head of Products – Security, Threat Intelligence and Analytics, Infoblox

select remote workforce protectionEnterprises investing in remote workforce security tools should consider shoring up their foundational security in a way that:

Secures corporate assets wherever they are located: backhauling traffic to a data center—for example with a VPN—can introduce latency and connectivity issues, especially when accessing cloud-based applications and services that are now essential for business operations. Look for solutions that extend the reach of your existing security stack, and leverage infrastructure you already rely on for connectivity to extend security, visibility, and control to the edge.

Optimizes your existing security stack: find a solution that works with your entire security ecosystem to cross-share threat intelligence, spot and flag suspicious activities, and automate threat response.

Offers flexible deployment: to get the most value for your spend, make sure the solution you choose can be deployed on-premises and in the cloud to offer security that cuts across your hybrid infrastructure, protecting your on-premises assets as well as your remote workforce, while allowing IT to manage the solution from anywhere.

The right solution to secure remote work should ideally enable you to scale quickly to optimize remote connections and secure corporate assets wherever they are located.

Faiz Shuja, CEO, SIRP Labs

select remote workforce protectionIn all the discussion around making remote working safer for employees, relatively little has been said about mechanisms governing distributed security monitoring and incident response teams working from home.

Normally, security analysts work within a SOC complete with advanced defences and tools. New special measures are needed to protect them while monitoring threats and responding to attacks from home.

Such measures include hardened machines with secure connectivity through VPNs, 2FA and jump machines. SOC teams also need to update security monitoring plans remotely.

Our advice to CISOs is to optimize security operations and monitoring platforms so that all essential cybersecurity information needed for accurate decision-making is contextualized and visible at-a-glance to a remote security analyst.

Practical measures include:

  • Unify the view for distributed security analysts to monitor and respond to threats
  • Ensure proper communication and escalation between security teams and across the organization through defined workflows
  • Use security orchestration and automation playbooks for repetitive investigation and incident response tasks for consistency across all distributed security analysts
  • Align risk matrix with evolving threat landscape
  • Enhance security monitoring use cases for remote access services and remotely connected devices

One notable essential is the capacity to constantly tweak risk-levels to quickly realign priorities to optimise the detection and response effectiveness of individual security team members.

Todd Weber, CTO, Americas, Optiv Security

select remote workforce protectionSelecting a remote workforce protection solution is more about scale these days than technology. Companies have been providing work-from-home solutions for several years, but not necessarily for all applications.

How granular can you get on access to applications based on certain conditions?

Simply the credentials themselves (even with multi-factor authentication) aren’t enough any longer to judge on trusted access to critical applications. Things like what device am I on, how trusted is this device, where in the world is this device, and other factors play a role, and remote access solutions need to accommodate granular access to applications based on this criteria.

Can I provide enhanced transport and access to applications with the solution?

The concept of SD-WAN is not new, but it has become more important as SaaS applications and distributed workforce have become more prevalent. Providing optimal network transport as well as a visibility point for user and data controls has become vitally important.

Does the solution provide protections for cloud SaaS applications?

Many applications are no longer hosted by companies and aren’t in the direct path of many controls. Can you deploy very granular controls within the solution that provides both visibility and access restrictions to IaaS and SaaS applications?

Top threat detection trends and challenges for cybersecurity professionals

User networks and endpoints are the biggest concerns for 65% of respondents, an 11% increase from last year, Attivo Networks reveals.

top threat detection trends

Exploring the top threat detection trends

The report attributes this shift to four primary factors: the evolution of an increasingly perimeter-less environment; the sheer number of successful endpoint attacks; the rising cost per endpoint breach; and difficulties associated with quickly detecting a compromised system before an attacker can move laterally.

The research was conducted before the coronavirus pandemic forced so many people to work from home. In the survey, remote workers ranked as the third highest attack surface of concern at 35%; however, we expect that in future research, a significant rise in concerns related to remote worker risk will emerge.

The cloud is a significant concern

In addition to user networks and endpoints, the report findings reveal the cloud is a significant concern by 63% of respondents. It attributes this finding to the continued migration of companies to IaaS and SaaS services and the concerns cybersecurity professionals have about securing these broad attack surfaces and shared security models.

Reducing attacker dwell

The challenge in reducing attacker dwell time remains significant. Nearly two-thirds (64%) of respondents indicated that 100 days of dwell time (the length of time from when an attacker enters a network to when the organization detects them) seemed accurate or was too low (up from 61% last year).

The highest jump in responses, increasing 7% from last year – and an alarming trend – came from 22% who stated that they were not tracking dwell time statistics. These findings highlight a continued need for more efficient tools to detect and track in-network threat activity and lateral movement.

Orgs adopting complementary security technologies

Organizations are increasingly adopting complementary security technologies. Respondents believe threat actors are most concerned about traffic analysis (44%), followed closely by deception technology and next-generation firewalls (both 40%), IDS (39%), SIEMs (37%), EDR/next-generation AV (27%), IAM (22%) and UEBA (15%). This shift is likely due to attackers becoming increasingly savvy at understanding the weaknesses of traditional security controls.

Additionally, organizations are shifting their strategy by deploying new technologies like deception technology for closing detection gaps and efficiently covering attack surfaces such as endpoint, cloud, and inter-connected OT environments.

Malware and ransomware remain top concerns

Despite significant investments in prevention solutions, malware and ransomware continue to top the list of attacks that concern defenders, increasing 5% to 66% from last year.

This result indicates that anti-virus, firewalls, and other prevention technologies still struggle to detect and stop attacks and that different detection solutions and/or organizations need more layers of defense to halt these attacks.

Security pros relying on frameworks

Three in four respondents are using some form of security framework, with the majority of respondents (45%) using the NIST Cybersecurity Framework, followed by the ISO 27000 family of standards (37%). Security professionals rely on these frameworks to help them clearly define policies, procedures, and processes to help reduce risk and exposure to vulnerabilities.

“Much of this year’s research indicates a continued demand for in-network detection that works reliably across existing and emerging attack surfaces and is effective against all attack vectors,” said Carolyn Crandall, Chief Deception Officer at Attivo Networks.

“Reducing dwell time has also become an increased focus, as well as adopting technologies that detect attackers inside the network early and accurately. A multilayered strategy of complementary security controls that include new solutions like deception technology is proving to create the most effective control.”

Attivo Networks unveils ADSecure solution for Google Cloud’s Managed Service for Microsoft AD

Attivo Networks, the award-winning leader in deception for cybersecurity threat detection, announced the availability of its ADSecure solution for Google Cloud’s Managed Service for Microsoft Active Directory (AD).

The Google Cloud team has reviewed the Attivo solution that operates and reduces the risk of attack escalation for organizations running Active Directory with Google’s managed service.

Active Directory is estimated to be used by over 90% of businesses to organize users, computers, and services. Attackers target it frequently because it is a centralized directory that they can use to understand the network and gain the privileges that they need to advance their attacks.

The requirement for open access and the availability of automated tools designed to help attackers break into AD make protecting this environment a challenge.

The Attivo ADSecure solution detects unauthorized queries within the managed AD service to reduce the risk of successful enumeration. The solution alters the query response and returns deceptive objects that misdirect attackers to a decoy when they try to use them.

By detecting unsanctioned access to AD, security teams receive alerts early in the attack lifecycle, and the attacker is less likely to get the critical AD information they were seeking.

Additionally, the ADSecure solution reduces the attack surface by misdirecting attackers into a deception environment that safely gathers TTPs (Tactics, Techniques, and Procedures) to aid in the development of company-specific threat intelligence and accelerated response.

Further, the solution operates without altering the production AD, eliminating a critical adoption barrier presented by alternative security solutions.

“With more and more organizations moving to the cloud, there is a heightened need to protect their directory services located in the cloud,” said Marc Feghali, VP of Product Management for Attivo Networks.

“For Google Cloud customers that are using a managed Active Directory service, the additional protection of ADSecure helps keep attackers from successfully querying Cloud Service Objects, domain controllers, Cloud OU resources like privileged users, computer groups, service accounts, and built-in privileged groups.”

“Customers are using our service to simplify AD deployment, management, and security in the cloud without managing infrastructure,” said Siddharth Bhai, Product Manager for Google Cloud. “They can now leverage ADSecure to further reduce the risk of attack escalations against their deployments.“