This week’s blog features an article from ISACA Journal about reducing cyber security vulnerabilities in the hybrid workplace.
The lockdowns and other precautions instituted based on the COVID-19 pandemic have fundamentally changed the way society lives, works and plays. The pandemic has resulted in a growing consensus that the hybrid workplace—where at least some staff members work remotely part time or full time—will be a permanent fixture in the enterprise landscape. This seismic shift has broad implications for cybersecurity efforts as the enterprise boundary expands to accommodate the new remote workforce.
Uncertainty and Lack of Control
In a traditional enterprise architecture, both the endpoints and the Internet connections are closely controlled by the IT department. A hybrid workplace inverts that construct and introduces a great deal of uncertainty into the IT environment. For example, in terms of connectivity, remote workers’ Internet connections are typically provided by each individual user instead of the IT staff. These connections might be through a variety of Internet service providers (ISPs) or even public networks with drastically varying security standards.
In terms of endpoints and devices in a traditional setting, the bring-your-own-device (BYOD) arrangement has been the trend in most enterprises for many years, and security is still ensured because these personal devices in enterprise offices are connected to the enterprise’s network, nullifying the aforementioned concerns. In addition, the enterprise IT team may employ one or more security strategies for BYOD, such as zero trust via remote browser isolation to boost productivity while ensuring security and enterprise mobility management or mobile device management, which can provide some level of security and protection to those personal devices.
By contrast, in a hybrid workplace, the enterprise’s IT team may have far less control over which devices users employ to access the enterprise network and assets and which external public networks they use to transport said data. Further, a shared network environment in a home office increases the chances that an attacker can execute an eavesdropping or man-in-the-middle (MitM) attack.
Networked endpoints such as cameras, televisions, digital assistants and Internet of Things (IoT) devices are often unsecured, which can present a multitude of problems. These devices can become vectors of attack against the enterprise network, be used to execute MitM attacks, or be compromised and exploited for other malicious purposes. IT teams in particular and enterprise culture in general typically have less trust in connections that take place at a distance compared with on-premises or face-to-face interactions.
An important principle of cybersecurity is authentication, authorization and accounting (AAA):
“Further complicating the situation is that devices, home networks and Internet connections in the remote environment may carry both business and personal (nonbusiness) traffic.”
AAA controls access to network resources, enforces security policies, and provides an audit trail for forensic and billing purposes. This is normally a seamless process in traditional on-premises work environments, but it becomes more complicated in modern hybrid environments. For example, how should users and credentials be authenticated? Is multifactor authentication (MFA) enough? How can MFA, along with additional authentication schemes, be implemented securely when remote devices and connections are not under the control of the enterprise IT department? How does the security protocol react if a user’s Internet Protocol (IP) address changes or multiple logins occur from separate devices?
Ultimately, the concept of AAA revolves around balancing security with mobility and user experience. By extension, IT and security teams must find a balance between fine-grained access control and the impact on user experience and productivity.
A hybrid workplace can make it difficult to detect and respond to threats, anomalies and attacks in a coordinated and timely manner. A heterogeneous environment in which unsystematic devices are deployed can lead to sporadic or nonexistent threat detection and data reporting. Certain threat events may be overlooked entirely because detection is not enabled within a specific environment or device that is out of the IT team’s control. To make matters worse, the threat attack surface is increasing exponentially, with known and unknown multi-layer threats taking the stage.
Further complicating the situation is that devices, home networks and Internet connections in the remote environment may carry both business and personal (nonbusiness) traffic. A household’s private traffic and data are not necessarily reported and analyzed for possible breaches or suspicious behavior, resulting in yet another potential threat vector.
Responding to threat events through mitigation actions such as blocking, diverting and otherwise disrupting attacks is also more difficult in a hybrid workplace. Although a timely response can reduce risk, this becomes much harder to accomplish at a distance. It requires a more systematic workflow for incident response, which, in turn, creates a far greater workload for security teams unless the process can be automated. Similarly, forensic information may be much harder to collect from distributed work environments, making incident investigation efforts more difficult. The name of the game is now postbreach mitigation and the ability to manufacture a cyber resilient infrastructure that can endure and bounce back from waves of threats.
Limitations of Legacy Security Technology
By the time the COVID-19 pandemic exploded in early 2020, many enterprises had already adopted cybersecurity technologies to support a limited number of remote and mobile workers. This allowed enterprises to pivot relatively quickly to support a fully remote workforce when lockdowns closed physical offices.
One of the chief technologies employed by enterprises to enable remote access throughout the pandemic has been Secure Sockets Layer (SSL) or Internet Protocol Security (IPsec) virtual private networks (VPNs). This essentially creates a secure tunnel between the worker’s device and the enterprise network. Although VPNs have evolved significantly since their inception approximately 20 years ago, several key issues constrain their applicability to the new hybrid workplace: cost, scaling and visibility.
In terms of cost, SSL VPNs are typically licensed on a per-user basis, though the license may allow a single user to connect via multiple devices. In addition, whether the VPN is a physical, virtual or cloud-based product, it is typically licensed to support only a certain number of concurrent users. Scaling these solutions typically requires the addition of both user and capacity licenses, increasing licensing costs as well as the labor costs associated with implementing the massive IP management processes required.
For cybersecurity professionals, visibility is a principal concern when relying on VPNs for remote worker connectivity. Many VPN manufacturers include endpoint policy compliance checks, or health checks, which examine the status of antivirus solutions, firewalls, operating systems and other requirements. However, the visibility afforded by health checks is fairly limited, prioritizing its focus on compliance rather than threat and attack detection. Compounding the problem are the subtle nuances of an attack within an endpoint, which antivirus and other basic endpoint security measures may miss. For example, attempted communication with a botnet command-and-control center may be masked or hidden due to the lack of granular visibility and an inability to consolidate and analyze threat information across all network-attached devices, including endpoints.
Of increasing concern for security professionals is the broad access granted by VPNs to remote endpoints. Because network-level access is typically granted by the VPN, legitimate traffic—as well as illegal or attack traffic—can access any network resources for which the user is authorized. The cost, scaling and visibility issues of VPN technologies have led many IT professionals to investigate alternatives.
“XDR offers a more fine-grained and proactive cybersecurity solution while automating much of the analysis and response, thus easing the human workload associated with cybersecurity efforts.”
New Solutions for the Modern, Hybrid Workplace
In reality, the hybrid workplace has existed in some form for many years, though never at the scale seen during the pandemic. Beyond SSL VPNs, several newer technologies have the potential to increase security throughout the hybrid workplace. For example, zero trust network access (ZTNA) is a concept that is generating interest and gaining attention.
The core principle of ZTNA is to never trust and always verify, meaning users and devices attempting to connect to enterprise resources should not be trusted by default and should be authenticated in terms of identity, integrity and level of access requested. This effort is being spearheaded by the US National Cybersecurity Center of Excellence (NCCoE) of the US National Institute of Standards and Technology (NIST), which states:
Hardened network perimeters alone are no longer effective for providing enterprise security in a world of increasingly sophisticated threats. Zero trust is a design approach to architecting an information technology (IT) environment that could reduce an organization’s risk exposure in a “perimeter-less” world.
The goal of ZTNA is to provide IT and security teams with certainty on the client side through multilevel, multiphase authentication of the user, and the device and its integrity. Consistency with enterprise security policies is enforced, allowing only legitimate users access to only those applications and resources permitted by their respective privilege credentials. Device attributes such as operating system version, patch level and antivirus status are verified at session initiation and then continuously monitored. When implemented properly, ZTNA can help enterprise IT teams deliver the access control needed to protect network assets while minimizing the impact on user experience and productivity.
Threat Detection and Response in a Hybrid Workplace
ZTNA has the potential to address prebreach cybersecurity concerns through strong authentication, validation and policy enforcement, but security teams must also contend with breach detection and response to the threats and attacks that will almost inevitably occur. Another new technology, extended detection and response (XDR), is generating interest due to its potential as a cost-effective solution to the challenges of breach discovery and remediation.
Currently, breach detection and response are complicated by a number of factors, including, but not limited to, siloed unactionable data from disparate point security technologies, a vast number of alarms that can lead to alert fatigue for security personnel and an inability to coordinate threat responses throughout a hybrid network.
XDR offers a more fine-grained and proactive cybersecurity solution while automating much of the analysis and response, thus easing the human workload associated with cybersecurity efforts. It integrates security data from several sources, including security, cloud, network and endpoint devices, and then standardizes and integrates the data to provide comprehensive visibility of events and anomalies. Correlation engines analyze the data using machine learning to discover and characterize threats and attacks; they then utilize IT-configured scripts to automate and coordinate responses across a wide variety of security technologies, giving the XDR a plug-and-play effect for security teams.
By integrating massive security data, correlating and investigating threat incidents, and automating security orchestration, XDR can respond rapidly and cohesively across multiple security products, allowing swift containment and mitigation, thereby improving security operation efficiency.
Just as the workplace has changed in response to the global COVID-19 pandemic, cybersecurity concepts and techniques are constantly evolving to address the fluid cyber threat landscape. As the network boundary expands to accommodate the hybrid workplace, cybersecurity efforts must adapt to gain the visibility, accuracy, automation and efficiency needed to defend against threats and attacks.
As the premier Managed Service Provider (MSP) of the Midwest, it’s our duty to reduce security vulnerabilities for all clients. Whether your team works on-site, is fully remote, or operates as a hybrid workplace, Computers Nationwide is here to mitigate cyber risks and protect you from attacks.
We partner with leaders in the cyber security industry to provide your workplace with threat detection, cyber security, data backup and much more. Let’s make sure your network and endpoints are protected around the clock with the best cyber security solutions in the marketplace today. Partner with CN to find the best way to secure your business!
Curious how your workplace will benefit from Managed Cyber Security and threat detection solutions?
The experts at Computers Nationwide are here to help!