How do I select a remote workforce protection solution for my business?

Recent research shows almost three quarters of large businesses believe remote working policies introduced to help stop the spread of COVID-19 are making their companies more vulnerable to cyberattacks. Those policies have opened new attack vectors for opportunistic cyber attackers and created new challenges for network administrators.

To select a suitable remote workforce protection solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.

Vince Berk, VP, Chief Architect Security, Riverbed

A business needs to meet three main realizations or criteria for a remote workforce protection solution to be effective:

Use of SaaS, where access to the traffic in traditional ways becomes challenging: understanding where data lives, and who accesses it, and controlling this access, is the minimum bar to pass in an environment where packets are not available or the connection cannot be intercepted.

Recognition that users use a multitude of devices, from laptops, iPads, phones—many of which are not owned or controlled by the enterprise: can identity be established definitively, can data access be controlled effectively, and forensically accurately monitored for compromise at the cloud/datacenter end?

When security becomes ‘too invasive’, workers create out-of-band business processes and “shadow IT,” which are a major blind spot as well as a potential risk surface as company private information ends up outside of the control of the organization: does the solution provide a way to discover and potentially control use of this modern shadow IT?

A comprehensive security solution for remote work must acknowledge the novel problems these new trends bring and succeed on resolving these issues for all three criteria.

Kate Bolseth, CEO, HelpSystems

One thing must be clear: your entire management team needs to assist in establishing the right infrastructure in order to facilitate a successful remote workforce environment.

Before looking at any solutions, answer the following questions:

  • How are my employees accessing data?
  • How are they working?
  • How can we minimize the risk of data breaches or inadvertent exposure of sensitive data?
  • How do we discern what data is sensitive and needs to be protected?

The answers will inform organizational planning and facilitate employee engagement while removing potential security roadblocks that might thwart workforce productivity. These guidelines must be as fluid as the extraordinary circumstances we are facing without creating unforeseen exposure to risk.

When examining solutions, any option worth considering must be able to identify and classify sensitive personal data and critical corporate information assets. The deployment of enterprise-grade security is essential to protecting the virtual workforce from security breaches via personal computers as well as at-home Wi-Fi networks and routers.

Ultimately, it’s the flow of email that remains the biggest vulnerability for most organizations, so make sure your solution examines emails and files at the point of creation to identify personal data and apply proper protection while providing the link to broader data classification.

Carolyn Crandall, Chief Deception Officer, Attivo Networks

When selecting a remote workforce protection solution, CISOs need to consider three key areas: exposed endpoints, security for Active Directory (AD) and preventing malware from spreading.

Exposed endpoints: standard anti-virus software and VPNs are no match for advanced signature-less or file-less attack techniques. EDR tools enhance detection but still leave gaps. Therefore pick an endpoint solution capable of quickly detecting endpoint lateral movement, discovery and privilege escalation.

Security for Active Directory (AD): cloud services and identity access management need protection against credential theft, privilege escalation and AD takeover. In a remote workforce context AD is often over provisioned or misconfigured. A good answer is denial technology which detects discovery behaviors and attempts at privilege escalation.

Preventing spread of malware: it is almost impossible to prevent malware passing from workforce machines reconnecting to the network. It is vital therefore to choose a resolution that uncovers lateral movement, APTs, ransomware and insider threats. Popular options include EPP/EDR, Intrusion Detection/Prevention Systems (IDS/IPS) and deception technology. When selecting, take account of native integrations and automation as well as how well the tools combine to share data and automate incident response.

In short, the answer to remote workforce protection lies in a robust, layered defence. If attackers get through one, there must be additional controls to stop them from progressing.

Daniel Döring, Technical Director Security and Strategic Alliances, Matrix42

Endpoint security requires a bundle of measures, and only companies that take all aspects into account can ensure a high level of security.

Automated malware protection: automated detection in case of anomalies and deviations is a fundamental driver for IT to be able to react quickly in case of an incident. In this way, it is often possible to fend off attacks before they even cause damage.

Device control: all devices that have access to corporate IT must be registered and secured in advance. This includes both corporate devices and private employee devices such as smartphones, tablets, or laptops. If, for example, a smartphone is lost, access to the system can be withdrawn at the click of a mouse.

App control: if, in addition to devices, all applications are centrally controlled by IT, IT risks can be further minimized. The IT department can thus control access at any time.

Encryption: the encryption of all existing data protects against the consequences of data loss.

Data protection at the technological and manual levels: automated and manual measures are combined for greater data protection. Employees must continue to be trained so that they are aware of risks. However, the secure management of data stocks can be simplified with the help of technology in such a way that error tolerance is significantly increased.

Greg Foss, Senior Cybersecurity Strategist, VMware Carbon Black

The most important aspect for any security solution is how this product is going to complement your current environment and compensate for gaps within your existing controls.

Whether you’re looking to upgrade your endpoint protections or add always-on VPN capability for the now predominantly remote workforce, there are a few key considerations when it comes to deploying security software for protecting distributed assets:

  • Will the solution require infrastructure to deploy, or will this be a remote cloud hosted solution? Both options come with their unique benefits and drawbacks, with cloud being optimal for disparate systems and offloading the burden of securing internet-facing services to the vendor.
  • What is the footprint of the agent and are multiple agents required for the solution to be effective? Compute is expensive; agents should be as non-impactful to the system as possible.
  • How will this solution improve your security team’s visibility and ability to either prevent or respond to a breach? What key gaps in coverage will this tool help rectify as cost-effectively as possible?
  • Will this meet the organization’s future needs, as things begin to shift back to the office?
  • Lastly, ensure that you allow for the team to operationalize and integrate the platform. This takes time. Don’t bring on too many tools at once.

Matt Lock, Technical Director, Varonis

With more remote working comes more cyberattacks. When selecting a remote workforce solution, CISOs must ask the following questions:

Am I able to provide comprehensive visibility of cloud apps? Microsoft Teams usage exploded by 500% during the pandemic, however given its immediate enforcement, deployments were rushed with misconfigured permissions. It’s paramount to pick a solution that allows security teams to see where sensitive data is overexposed and provide visibility into how each user can access Office 365 data.

Can I confidently monitor insider threat activity? The shift to remote working has seen a spike in insider threat activity and highlighted the importance of understanding where sensitive data is, who has access to it, who’s leveraging that access, and any unusual access patterns. Best practices such as implementing the principle of least privilege to confine user access to the data should also be considered.

Do I have real-time insight into anomalous behavior? Having real-time awareness of unusual VPN, DNS and web activity mustn’t be overlooked. Gaining visibility of this web activity helps security teams track and trend progress as they mitigate critical security gaps.

Selecting the right workforce protection solution will vary for different organizations depending on their priorities but the top priority of any solution must be to provide clear visibility of data across all cloud and remote environments.

Druce MacFarlane, Head of Products – Security, Threat Intelligence and Analytics, Infoblox

Enterprises investing in remote workforce security tools should consider shoring up their foundational security in a way that:

Secures corporate assets wherever they are located: backhauling traffic to a data center—for example with a VPN—can introduce latency and connectivity issues, especially when accessing cloud-based applications and services that are now essential for business operations. Look for solutions that extend the reach of your existing security stack, and leverage infrastructure you already rely on for connectivity to extend security, visibility, and control to the edge.

Optimizes your existing security stack: find a solution that works with your entire security ecosystem to cross-share threat intelligence, spot and flag suspicious activities, and automate threat response.

Offers flexible deployment: to get the most value for your spend, make sure the solution you choose can be deployed on-premises and in the cloud to offer security that cuts across your hybrid infrastructure, protecting your on-premises assets as well as your remote workforce, while allowing IT to manage the solution from anywhere.

The right solution to secure remote work should ideally enable you to scale quickly to optimize remote connections and secure corporate assets wherever they are located.

Faiz Shuja, CEO, SIRP Labs

In all the discussion around making remote working safer for employees, relatively little has been said about mechanisms governing distributed security monitoring and incident response teams working from home.

Normally, security analysts work within a SOC complete with advanced defences and tools. New special measures are needed to protect them while monitoring threats and responding to attacks from home.

Such measures include hardened machines with secure connectivity through VPNs, 2FA and jump machines. SOC teams also need to update security monitoring plans remotely.

Our advice to CISOs is to optimize security operations and monitoring platforms so that all essential cybersecurity information needed for accurate decision-making is contextualized and visible at-a-glance to a remote security analyst.

Practical measures include:

  • Unify the view for distributed security analysts to monitor and respond to threats
  • Ensure proper communication and escalation between security teams and across the organization through defined workflows
  • Use security orchestration and automation playbooks for repetitive investigation and incident response tasks for consistency across all distributed security analysts
  • Align risk matrix with evolving threat landscape
  • Enhance security monitoring use cases for remote access services and remotely connected devices

One notable essential is the capacity to constantly tweak risk-levels to quickly realign priorities to optimise the detection and response effectiveness of individual security team members.

Todd Weber, CTO, Americas, Optiv Security

Selecting a remote workforce protection solution is more about scale these days than technology. Companies have been providing work-from-home solutions for several years, but not necessarily for all applications.

How granular can you get on access to applications based on certain conditions?

The credentials alone (even with multi-factor authentication) are no longer enough to judge trusted access to critical applications. Things like what device am I on, how trusted is this device, where in the world is this device, and other factors play a role, and remote access solutions need to accommodate granular access to applications based on these criteria.

Can I provide enhanced transport and access to applications with the solution?

The concept of SD-WAN is not new, but it has become more important as SaaS applications and distributed workforce have become more prevalent. Providing optimal network transport as well as a visibility point for user and data controls has become vitally important.

Does the solution provide protections for cloud SaaS applications?

Many applications are no longer hosted by companies and aren’t in the direct path of many controls. Can you deploy very granular controls within the solution that provide both visibility and access restrictions to IaaS and SaaS applications?
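The conditional access idea in the contribution above (credentials plus MFA as the baseline, then device, device trust and location deciding per-application access) as an added worked example; this is illustrative code written for this page, not any vendor's product. The policy table, the 0-100 trust score and the application names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed per-application policy (assumption, not a real product schema).
# Credentials plus MFA are the baseline; the extra conditions decide the rest.
POLICY = {
    "payroll": {"tier": "critical", "managed_only": True, "min_trust": 80,
                "countries": {"US", "GB"}},
    "crm":     {"tier": "standard", "managed_only": False, "min_trust": 50,
                "countries": None},            # None = any location
    "wiki":    {"tier": "low", "managed_only": False, "min_trust": 0,
                "countries": None},
}


@dataclass(frozen=True)
class AccessContext:
    """What the access broker knows about one request (constructed fields)."""
    user: str
    mfa_passed: bool
    device_managed: bool   # enrolled in corporate device management
    device_trust: int      # 0-100 posture score reported by the endpoint agent
    country: str           # ISO 3166 code geolocated from the source IP


def decide(app, ctx):
    """Return (decision, reason). Decisions: allow, limited, deny.
    Hard requirements are checked first so a failure short-circuits."""
    rule = POLICY.get(app)
    if rule is None:
        return "deny", "unknown application"
    if not ctx.mfa_passed:
        return "deny", "credentials without MFA are never sufficient"
    if rule["countries"] and ctx.country not in rule["countries"]:
        return "deny", f"location {ctx.country} not permitted for {app}"
    if rule["managed_only"] and not ctx.device_managed:
        return "deny", f"{app} requires a managed device"
    if ctx.device_trust < rule["min_trust"]:
        # Critical apps fail closed; lower tiers degrade to a restricted session
        if rule["tier"] == "critical":
            return "deny", "device posture below threshold"
        return "limited", "device posture below threshold, read-only session"
    return "allow", "all conditions satisfied"


def evaluate_session(ctx):
    """Decide every application at once, as a broker would at login time."""
    return {app: decide(app, ctx)[0] for app in POLICY}
```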

Ransomware, then and now: The change in data theft behavior

The rising number of people working from home has left more businesses at risk from ransomware than ever before. Gaps in network security, shadow IT and a greater reliance on remote communications present cyber criminals with a wealth of options for exploitation.

Every time ransomware moves out of the news cycle, someone will ask whether cybercriminals have moved on to other, perhaps more lucrative, activities.

Unfortunately, not only is ransomware alive and well, but it’s also evolving.

Ransomware 1.0

Until around five years ago, the criminals’ goal was to encrypt a victim’s files and ask them to pay a release fee. It was indiscriminate, haphazard, with a low success rate and little need for in-depth reconnaissance. A cybercriminal sent an email with a malicious link and hoped an unsuspecting employee opened it to infect their system. Just about anybody could use a pay-to-play service to carry out these attacks. Threat actors sell ransomware kits online for as little as $1,000, while others don’t even ask for an up-front payment, but instead require a cut of the profits.

But as cyber defenses became more sophisticated, so too did the attackers and their methods. We saw the advent of WannaCry and NotPetya using advanced exploits to spread peer-to-peer.

While these attacks were devastating for any business unlucky enough to get infected, it was still hit and miss as to whether or not the victim would pay up.

For instance, even though Maersk suffered up to $300 million in losses to NotPetya, it did not pay a single penny in ransom. Furthermore, despite more than 200,000 machines ending up infected with WannaCry, it was reported that the attackers only made off with around $386,905 based on Bitcoin’s value in December 2019.

To ensure that their efforts have a greater chance of earning them a substantial amount of money, cyber criminals are changing their tactics again, focusing on what we like to call big-game ransomware.

The rise of big-game ransomware

In contrast to Ransomware 1.0, big-game ransomware attacks are well planned, targeted and have a greater chance of earning the perpetrators money.

The techniques are stealthier: threat actors will silently gain high-level access to Active Directory (aka “the keys to the kingdom”), which enables them to go wherever they like and do whatever they like on the system. They can steal information and sell it to the highest bidder later, while at the same time sowing the seeds of a ransomware attack. In this way, once the ransomware is activated, if a business doesn’t pay the ransom the threat actor can still turn a profit by selling the data. Some are unscrupulous enough to sell the information regardless, earning a double payday, or simply release it onto the dark web.

There are now many new ransomware strains that steal data before encrypting it, such as Maze, Snatch, Zeppelin and REvil. Recently, the gang behind the REvil ransomware attacks started auctioning off stolen data following the reluctance of one victim to pay up for their data.

Mitigation and recovery

With any type of ransomware, but especially big-game ransomware, prevention is more effective than the cure. First, businesses need to know exactly where all their sensitive data is kept and restrict access to it to only those that need it. Employing a least privilege approach will ensure that if cyber criminals do manage to access the network, their scope for lateral movement will be limited.

Firms also need to put in place contingency plans for what to do in the event of a ransomware attack. This should cover how employees can continue working and how a team will be deployed to stop the ransomware causing more damage and remove it from the system.

Sound backups are key to any contingency plan. To ensure that the right files are recovered, businesses should consider tracking file system activity, so that they know what the ransomware encrypted and when. In this way recovering corrupted files is relatively straightforward. Automation is also key, as the race is on to prevent ransomware from spreading and encrypting files, once your organization is infected. Reduce access to sensitive data by placing least privilege controls around this data and put processes in place to automatically detect unusual activity and shut down compromised accounts as quickly as possible to limit damage.

While a business tracks file activity, it should also monitor and then analyze activity logs, especially those on critical data stores. Automation can ensure this is achieved accurately and in real-time, alerting the security team to any anomalies that indicate an attack.

Businesses must assume that at some point they are going to be a ransomware target and prepare accordingly. If they don’t, reclaiming the keys to the kingdom could cost them a king’s ransom.
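The file-activity tracking, anomaly detection and automatic account shutdown described in the mitigation section above, as an added example written for this page (not code from the article or any vendor). It assumes a constructed log format of one event per line and a constructed threshold; the burst detector returns exactly the paths written during the burst, which is the recovery list the text says a business needs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed file-activity log: <ISO timestamp> <user> <action> <path>
SAMPLE_LOG = """\
2020-06-01T09:00:01 alice MODIFY /shares/finance/q1-budget.xlsx
2020-06-01T09:12:40 alice READ /shares/finance/q2-budget.xlsx
2020-06-01T09:41:03 alice MODIFY /shares/finance/q2-budget.xlsx
2020-06-01T10:15:00 bob READ /shares/hr/policy.docx
2020-06-01T10:15:02 bob MODIFY /shares/hr/policy.docx
2020-06-01T10:15:02 bob MODIFY /shares/hr/payroll.xlsx
2020-06-01T10:15:03 bob MODIFY /shares/hr/contracts.pdf
2020-06-01T10:15:03 bob MODIFY /shares/hr/onboarding.docx
2020-06-01T10:15:04 bob MODIFY /shares/hr/benefits.xlsx
2020-06-01T10:15:04 bob CREATE /shares/hr/README_DECRYPT.txt
2020-06-01T10:15:05 bob MODIFY /shares/hr/salaries.xlsx
2020-06-01T10:20:00 alice MODIFY /shares/finance/q3-forecast.xlsx
"""
WINDOW = timedelta(seconds=60)   # burst window (assumed value)
WRITE_THRESHOLD = 5              # writes per user inside WINDOW that trip an alert
WRITE_ACTIONS = {"MODIFY", "CREATE", "RENAME", "DELETE"}


def parse_events(text):
    """Parse log lines into sorted (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, path = line.split(maxsplit=3)
            events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def detect_bursts(events):
    """Sliding window of write events per user. Returns {user: [paths]} for
    users who exceed the threshold; the path list is exactly what was touched
    during the burst, i.e. the list of files to restore from backup."""
    recent = defaultdict(deque)   # user -> (ts, path) writes still inside WINDOW
    affected = defaultdict(set)
    for ts, user, action, path in events:
        if action not in WRITE_ACTIONS:
            continue
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > WINDOW:      # evict writes older than the window
            q.popleft()
        if len(q) >= WRITE_THRESHOLD:
            affected[user].update(p for _, p in q)
    return {u: sorted(p) for u, p in affected.items()}


def respond(events):
    """Automated containment: every bursting account is disabled (recorded in a
    set here; in production this is the call to AD/IdP) with its recovery list."""
    bursts = detect_bursts(events)
    return set(bursts), bursts
```

Normal editing by alice never fills the window, while bob's seven writes in three seconds trip the alert on the fifth write and every later write in the same window is added to the recovery list.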