If you're a cybersecurity leader with decades of experience in the industry, I am sure you've helped your organization navigate major security issues related to remote working. Technology has evolved drastically across the decades, with new attack surfaces emerging with each shift.
In the 1990s we faced more basic issues related to hardening headend dial-up modems terminating 64kbps lines or with securing Wi-Fi just emerging onto the scene. In the 2000s, focus shifted to broadband-based VPN, responding to the SARS crisis, and securing nascent smartphone adoption. In the 2010s, remote working became a norm for many companies, smartphones and mobile computing became ubiquitous, and companies began moving to public or hybrid cloud, resulting in no or limited backhaul and a loss of complete control over security enforcement points. All of these events brought with them new cybersecurity policy challenges.
What we’re going through now in early 2020 is unprecedented. While there are plenty of unknowns, it’s also a great opportunity to focus on the basics; the must-do things for security maturity. To that end, there’s no better place to start than with a strong cybersecurity policy.
This should not come as a surprise. The very first step is ensuring there is a strong cybersecurity policy. This includes documented steps agreed by IT, Security, Executive Management, and the Board. Security policy should include not only corporate-provided assets, but also Bring Your Own Devices (BYOD). The policy should take into consideration the organization’s security operations maturity level, technologies that are implemented, and alignment with corporate-wide enterprise risk management frameworks.
A BYOD policy, for example, can bring a lot of challenges if not constructed properly. Can the security team plant a digital certificate in the employee-owned device? How can the security team enforce minimum security standards for BYOD devices? Should Mobile Device Management software be used to closely manage those devices? What happens when the device is stolen or lost? Can the company wipe data on the employee-owned device?
These are key policy questions to answer. While many organizations have built robust BYOD cybersecurity policies for remote working in the past decade, there are still organizations maturing their security policies. It’s important to build (or review and strengthen) policies based on industry best practices.
To Split Tunnel Or Not?
Split Tunneling, in its simplest definition, allows simultaneous access to the public internet and the corporate network. In the 1990s and early 2000s, this conversation could split a room full of NetOps and SecOps experts into two halves. But this has changed with advanced security defenses and analytics. With broadband internet, the question of secure direct internet access for small offices (and power remote users) had to be balanced against how much traffic, and which traffic, to backhaul. Having the right policies based on business risks, technology maturity and cyber defense tools is important. Monitoring traffic anomalies, high remote authentication failures, analyzing traffic patterns for backdoors, detecting attempts to circumvent standards and, most importantly, response at machine speed – all become critical.
Indicators of Compromise
Here, there...everywhere! Correlation of security events can be the most important part of an effective monitoring system. Quite often we see multiple tools used for managing a specific attack surface – an average enterprise can have 40+ security solutions deployed. This can create significant gaps in the overall security operations spread across different teams. For instance, endpoint alerts not correlated with network threats (e.g. steep spike in malware calling home on specific network ports) will only give part of the picture. Maturing internal working policies among various operations teams is important.
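The two monitoring points above (a spike in remote authentication failures on the VPN, and an endpoint malware alert that only tells the whole story once it is correlated with network traffic to a specific port) can be shown in a few lines of detection logic. The following is an added example, not code from the original post or from Splunk; the key=value log format, host names, addresses, port number and thresholds are all constructed for illustration.

```python
"""Added example: remote-auth failure spikes and endpoint/network correlation.
All log lines below are constructed samples, not from any real product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log (timestamp followed by key=value fields).
VPN_AUTH_LOG = """\
2020-03-16T08:00:01Z action=login_failure user=alice src=203.0.113.10
2020-03-16T08:00:05Z action=login_failure user=alice src=203.0.113.10
2020-03-16T08:00:09Z action=login_failure user=alice src=203.0.113.10
2020-03-16T08:00:12Z action=login_failure user=alice src=203.0.113.10
2020-03-16T08:00:15Z action=login_failure user=alice src=203.0.113.10
2020-03-16T08:00:20Z action=login_failure user=alice src=203.0.113.10
2020-03-16T08:01:00Z action=login_success user=bob src=198.51.100.7
2020-03-16T09:30:00Z action=login_failure user=carol src=192.0.2.44
"""

# Constructed endpoint alerts: two hosts raised a malware detection.
ENDPOINT_ALERT_LOG = """\
2020-03-16T08:05:00Z action=malware_detected host=LAPTOP-17 signature=Generic.Trojan
2020-03-16T08:06:00Z action=malware_detected host=LAPTOP-22 signature=Adware.Bundle
"""

# Constructed network flows: only LAPTOP-17 both alerted AND beacons to the port.
NETWORK_FLOW_LOG = """\
2020-03-16T08:05:30Z action=flow host=LAPTOP-17 dest=198.51.100.200 dport=4444
2020-03-16T08:06:30Z action=flow host=LAPTOP-17 dest=198.51.100.200 dport=4444
2020-03-16T08:07:30Z action=flow host=LAPTOP-17 dest=198.51.100.200 dport=4444
2020-03-16T08:07:45Z action=flow host=LAPTOP-22 dest=93.184.216.34 dport=443
2020-03-16T08:08:00Z action=flow host=LAPTOP-09 dest=198.51.100.200 dport=4444
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in rest.split():
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def auth_failure_spikes(events, threshold=5, window=timedelta(minutes=5)):
    """Return (user, src) pairs with at least `threshold` login failures
    inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for event in events:
        if event.get("action") == "login_failure":
            failures[(event["user"], event["src"])].append(event["ts"])
    flagged = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def correlate_endpoint_network(endpoint_events, flow_events,
                               suspicious_port="4444", min_flows=2):
    """Hosts that raised a malware alert AND made repeated outbound flows to
    `suspicious_port`. Either signal alone gives only part of the picture."""
    alerted = {e["host"] for e in endpoint_events
               if e.get("action") == "malware_detected"}
    flow_counts = defaultdict(int)
    for event in flow_events:
        if event.get("action") == "flow" and event.get("dport") == suspicious_port:
            flow_counts[event["host"]] += 1
    return sorted(host for host, n in flow_counts.items()
                  if n >= min_flows and host in alerted)


if __name__ == "__main__":
    print("auth failure spikes:", auth_failure_spikes(parse_log(VPN_AUTH_LOG)))
    print("correlated hosts:", correlate_endpoint_network(
        parse_log(ENDPOINT_ALERT_LOG), parse_log(NETWORK_FLOW_LOG)))
```

Running the block flags alice's six failures from one address within twenty seconds, while carol's single failure stays below the threshold. The correlation returns only LAPTOP-17: LAPTOP-22 has an endpoint alert but normal HTTPS traffic, and LAPTOP-09 talks to the suspicious port but has no endpoint alert, so each of those would be missed (or over-triaged) by a team watching only one tool.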
In any organization, we can manage, mitigate, avoid and transfer risk. There are tools, such as firewalls and malware protection, that can help manage and mitigate risks. Strong policies can help drive risk avoidance – for example, there are environments where we don’t want USB sticks plugging into laptops. Risk Transfer is growing in importance across all businesses. While not a short-term thing to jump on right away, security executives should look at opportunities to transfer risks that are most pertinent to their business based on lessons learned from the ongoing crisis. This could be obtaining an Incident Response (IR) retainer with strong SLAs, integrated with Managed Threat Detection. Cyber Insurance, an area that is fast maturing, is another solution to consider.
Enterprise Risk Management (ERM)
Cybersecurity technologies and tools have come a long way in the past decade. Yet, one area that is still nascent is integration of cyber risks with corporate risk management. I've personally had the privilege of partnering with enterprise risk focused companies, such as insurance brokers and risk measurement leaders, to tie cyber risks to how executives and boards are managing enterprise-wide risks. With the rise of digitization, every company is becoming a digital company. Security risks, when not measured and integrated properly with enterprise risk, can have catastrophic effects. There are models that are evolving such as FAIR (Factor Analysis of Information Risk) that are worth looking at. Off-the-shelf risk scoring platforms can also help. If you have a GRC platform or a Vulnerability Analysis deployment, they too can help with rudimentary risk focused applications. Again, integrating these tools with strong analytics, monitoring and response is an imperative for security operations.
Splunk can help organizations improve their cybersecurity policies by maturing security operations across the entire event lifecycle with SIEM, UBA and SOAR offerings. Our robust network of partners via the Adaptive Operations Framework integrates with leading cybersecurity players so that customers can drive advanced threat detection and mitigation.
Lastly, this week the Splunk security team released quick technical tips for securing a remote workforce that I would encourage everybody to check out.
We are navigating a complex new world, with many folks around the world working remotely for the foreseeable future, resulting in increased security risks. It’s important now, more than ever, to ensure that the right cyber policies are in place to help drive business outcomes within every organization.