Visibility and Threat Detection in a Remote Working World

June 24, 2020
| |
6 min read

At the outset of the COVID-19 pandemic, when governments around the world put stay-at-home orders in place, it was hard to imagine the state of work would permanently change. Yet, as organizations rapidly adopted and expanded systems to enable a remote workforce — which doubled in size in just three weeks — company cultures began shifting, too. As employees adjusted to life working remotely, many proved to their employers that productivity could remain high, and in some cases even increase, while they worked from home.

As a result of this forced experiment, many experts and executives now predict that flexible, work-from-home policies are here to stay. Research from Gartner suggests 41% of employees will continue to work from home, up from 30% before the pandemic, as reported by ZDNet. Additionally, 13% of chief financial officers (CFOs) have already started to cut real estate expenses spent on office space. With remote work here to stay, security professionals need ways to maintain visibility, monitoring and threat detection when the network perimeter, which has been disintegrating for years, has become almost non-existent.

Learn More with the On-Demand Webinar: Visibility and Detection Best Practices in a Remote Working World

Despite the new blind spots, below are four key areas in which a centralized security information and event management (SIEM) solution can help security teams re-gain and increase visibility and monitoring controls.

Email

Targeted attackers are good at crafting compelling phishing emails and they’re only getting better. Email is one of the most important threat vectors to monitor, as 94% of malware that reaches an organization is delivered via phishing. To get early insights into these threats and, more importantly, be able to track exactly what happens after a phishing email is opened, security teams need a centralized view of what’s happening across the organization.

To achieve this, security operations center (SOC) teams can send a combination of relevant email events and network flows to a centralized SIEM solution for analysis. By ingesting and analyzing email events or email security events, such as those from Proofpoint or Cisco IronPort, security analysts can get a more effective, comprehensive view of email-based threats.

For deeper insight, analysts can also take advantage of network analytics to extract additional attributes, such as sender email, attachment name, file hash and URL and then correlate those attributes against threat intelligence in real time. As a result, this network-level insight can provide early visibility and alerting for known threats and suspicious attributes that may indicate a phishing attack.

Endpoint

Before the massive shift to remote working, there were typically two types of companies:

  • Those who were almost entirely in-office, with users on desktops.
  • Those who were remote-enabled, with users on laptops that could connect to the network via a VPN.

When workers went almost entirely remote, both faced challenges. In-office organizations needed to rapidly figure out how to enable core services and applications for remote workers and, in some cases, deploy a virtual private network (VPN) for the first time. Remote-enabled organizations saw massive spikes in VPN usage, overwhelming networks and dramatically reducing speed, essentially forcing users to work off the VPN to maintain productivity. From a security perspective, both situations introduced a massive blind spot for endpoint and user activity.

To regain visibility, security teams can leverage a combination of endpoint operating systems (OS), VPN and endpoint detection and response (EDR) events to help with threat detection. With native Windows, macOS and Linux logging, security teams can get insight into what’s happening at the endpoint level. By augmenting Windows event logging with Sysmon, teams can gain even deeper threat-relevant insights, such as process activity and domain name system (DNS) requests.

For organizations using an EDR solution, such as Carbon Black or CrowdStrike, endpoint security events can be sent to a centralized SIEM solution and correlated against other enterprise data for end-to-end threat visibility. When EDR is tightly integrated with a SIEM, response actions can be initiated directly from the SIEM interface. Lastly, when users sign on to the VPN or go through risk-based authentication to access applications, these solutions can provide insight into the endpoint’s location, MAC address, user agent and other valuable information that can provide insight into whether this is the real user.

Once this valuable data is collected in one place, security teams can apply a series of both machine-learning and correlation-based analytics to detect known and unknown threats. For a security operations team, it’s particularly useful to look for SIEM vendors who provide pre-built security use cases and analytics so you don’t have to invest time and money in researching and developing these from scratch.

Application

Monitoring application activity should be a key focus for teams since, unlike with endpoints, organizations are still in control even off of the network. Application monitoring can also help to expose attackers who are already inside the network. Application monitoring can be enforced at a number of levels:

  • At sign-on through identity as a service (IDaaS) solutions, such as Cloud Identity Connect or Okta.
  • From sign-on through to sign-off directly via applications such as SAP, SalesForce.com or Office 365.
  • Via a cloud access security broker (CASB) solution, such as Zscaler, to monitor who is accessing or attempting to access which applications.
  • Directly within the application stack, including the OS container orchestration platforms (like Kubernetes), containers themselves and API calls within these environments.

In addition to monitoring and analyzing events at each of these levels, network monitoring can provide detailed insight into how application data is traversing the network, who and what is connecting to these systems and if any abnormal traffic has been witnessed. This added layer of insight can augment existing visibility and insight to help to uncover several suspicious activities faster, such as compromised accounts and lateral movement data exfiltration attempts. Further, network monitoring can be particularly helpful when attackers have gained enough control to successfully use detection evasion techniques, such as disabling logging. As a highly reliable source of truth, network data can show when systems and applications are still online even though they aren’t sending logs, and it can also continue to provide visibility into what those systems and applications are doing.

Cloud

With many physical data centers temporarily closed, organizations have faced an urgent need to minimize the requirement of the on-site physical maintenance of IT systems. Many organizations have quickly accelerated the adoption of cloud infrastructures to support their workloads and applications to maintain business continuity. Since many of these migrations were already planned — just often for later timelines — most security teams should expect these investments are here to stay.

To gain earlier insights into risks and threats in these environments, security teams can monitor a range of events including user activity, application activity and resource and configuration changes. Fortunately, the major public cloud vendors, such as AWSIBMAzure and Google Cloud, provide a rich set of log, event and network flow data that can be brought into a centralized SIEM solution to gain visibility and detection across on-premises and multicloud environments.

By ingesting this data and applying security use cases to it, analysts can gain insight into several suspicious activities, such as:

  • Anomalous user and account activity, such as abnormal authentication activity, multiple logins from different geographies or suspicious root user activity.
  • Anomalous workload activity, including abnormal API calls, suspicious container activity or non-standard services accessing resources.
  • High-risk configuration changes, such as suspicious IAM or security group policy changes, changes to S3 bucket policies or new or altered certificates.
  • Suspicious resource changes, such as non-standard virtual private cloud (VPC) or EC2 instances or a rapid increase in the number or size of EC2 instances potentially indicative of cryptocurrency mining.

While many of the cloud providers have their own native security capabilities, without a centralized view into security data across environments, analysts are forced to work within complex data silos. Today, 62% of public cloud adopters use two or more public clouds, and, on average, organizations use a total of 4.8 separate public and private cloud environments. For an analyst struggling to keep up with an ever-growing workload, getting centralized cloud visibility combined with the ability to automatically analyze, detect and track threats as they progress through different environments, is critical. A centralized SIEM solution that’s capable of ingesting and analyzing the event and flow data across cloud and on-premises environments can help analysts quickly and more effectively detect threats before they escalate and cause serious damage.

Putting it all together

As a result of the rapid shift to remote work, many IT organizations now have the technology to support remote employees. And over the last few months, employees have proven they can remain productive from home. As we move forward into a new normal, one clear change that is here to stay is more flexible, remote-friendly working policies. As a result, security operations teams need a sustainable, long-term strategy to maintain visibility and threat detection over a network that has new blind spots and hardly any remaining perimeter.

By doubling down on centralized security analytics, with a particular focus on phishing, endpoint, application and cloud security use cases, security analysts can gain new insights to compensate for lost visibility and ultimately help strengthen the security posture of their organizations. In this remote world when teams are already stretched thin, consider SIEM solutions that can run anywhere, including as SaaS or in a public cloud, offer pre-built use cases to make detection easier and improve overall value and offer tight integrations with SOAR solutions, such as Resilient, to accelerate the end-to-end threat detection, investigation and response cycle.

Learn More with the On-Demand Webinar: Visibility and Detection Best Practices in a Remote Working World
Lauren Horaist
Program Director, QRadar SIEM Offering Management, IBM Security

Lauren Horaist leads the IBM QRadar SIEM offering management team. She has ten years of experience in cyber security product management and product marketing...
read more

Think On Demand banner
Think banner ad
Your browser doesn’t support HTML5 audio
Press play to continue listening
00:00 00:00