If the news is any indicator, 2020 has been beyond challenging for most of us, and we have the memes to prove it. Even if you’re one of the lucky few whose industry hasn’t suffered a massive dip, you’ve probably found yourself working longer hours and experiencing more daily anxiety than in the past. So, if you have managed to maintain business continuity in the face of catastrophic weather events, a pandemic that sent most workforces home, rapidly changing markets, and what your insurance probably terms “acts of God”, congratulations. You represent the American can-do spirit. Now that the dust has settled, though, it’s time to ask yourself how and why you set up your remote access. For most, this had to be accomplished quickly and with technology that would minimize latency and provide corporate access to as many end users at one time as possible. If you didn’t already have a security-engineered cloud network that allows users to connect and work securely from anywhere in the world before the pandemic, chances are you’ve deployed VPN.
The Problem With VPN
An old-school way of providing remote connectivity, VPN is a very well-known entity in IT. It controls which corporate data can be accessed and sent through a “tunnel”, keeps activity behind the corporate firewalls so you retain visibility and layers of security, and encrypts traffic; it can be secure when configured properly, as long as the only connections made are between those machines and your corporate network. The problem arises when users want to use their laptops on a home network, surf the web, or do pretty much anything other than work on your corporate network. In 2020, almost no one walks around with multiple laptops or stays off the internet when not at work, and you can’t accommodate all their other connections by running them through the corporate firewall. In the age of BYOD, your workers are likely on the internet nearly every waking moment of the day, connecting to whatever internet is available to them at the time, right alongside everyone else in their home who is using it at the same time. If you force them to run all of that activity through the corporate firewalls and DNS blockers, you suddenly have more people than your systems were designed to accommodate taxing the network from remote locations, and that slows everything down. This was likely not the scenario you had in mind when you built the network, so firewalls and corporate bandwidth were not sized to handle that many tunnels at one time. When enough end users complain that their connections are just too slow to get their work done, IT departments may be pressured into quick fixes, like split tunneling.
Split tunneling has been out of fashion for quite a long time and has actually been forbidden under PCI compliance rules because of the security risks it introduces. In a split-tunnel scenario, the tunnel only handles traffic going directly between an endpoint and the corporate network; all other traffic goes directly from the machine to its destination. While this lightens the load on firewalls and speeds things up significantly, it also leaves all user activity outside of the tunnel completely unseen, unmonitored, and unfiltered. The IT department no longer has visibility into malicious traffic, malicious destinations, attacks, or attachments, much less the ability to control any of it. Users may be clicking on phishing emails and accidentally giving away sensitive credentials, downloading malware, or even downloading files from known bad sites. Literally, you could have an employee who is streaming malicious videos at the exact same time they are accessing corporate assets, and you would have no idea. So, you have now exposed your organization in that many ways, multiplied by every remote user.
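Whether a client is actually in split-tunnel mode can be read straight off its routing table. The following Python is an added example, not code from the original post or from any vendor tool: it classifies constructed Linux `ip route show` output as full or split tunnel, recognising both a default route on the VPN interface and OpenVPN’s `redirect-gateway def1` pair of /1 routes. The interface name `tun0` and the sample routes are assumptions.

```python
"""Classify a host's VPN routing as full or split tunnel (added example). Input is the
text of Linux `ip route show`. A full tunnel sends everything via the VPN interface,
through a default route on it or OpenVPN's `redirect-gateway def1` pair of /1 routes."""
import ipaddress
from typing import List, NamedTuple

ALL, LOW, HIGH = (ipaddress.ip_network(p) for p in ("0.0.0.0/0", "0.0.0.0/1", "128.0.0.0/1"))

class RouteCheck(NamedTuple):
    mode: str               # "full", "split" or "none"
    tunneled: List[str]     # prefixes routed via the VPN interface
    bypassing: List[str]    # prefixes routed via any other interface

def to_network(token: str) -> ipaddress.IPv4Network:
    # `ip route` prints the default route as the word "default"
    return ipaddress.ip_network("0.0.0.0/0" if token == "default" else token, strict=False)

def classify_routes(ip_route_output: str, vpn_iface: str) -> RouteCheck:
    tunneled, bypassing = [], []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or "dev" not in fields:
            continue                      # blank or malformed line
        dest = to_network(fields[0])
        dev = fields[fields.index("dev") + 1]
        (tunneled if dev == vpn_iface else bypassing).append(dest)
    # Full tunnel if the VPN owns the default route or both def1 halves. The LAN
    # subnet and the VPN server's own host route always bypass; that is expected.
    if ALL in tunneled or {LOW, HIGH} <= set(tunneled):
        mode = "full"
    elif tunneled:
        mode = "split"
    else:
        mode = "none"
    return RouteCheck(mode, sorted(map(str, tunneled)), sorted(map(str, bypassing)))

# Constructed sample routing tables for a client whose VPN interface is tun0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""
```

In the split-tunnel table the default route leaves via `wlan0`, so everything except `10.0.0.0/8` bypasses inspection; in the full-tunnel table only the LAN subnet and the VPN server’s own host route bypass, which is unavoidable.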
With all of this activity occurring outside the purview of your IT security, a massive attack could be under way, right under your nose. So, what’s the fix? You can’t really force your entire staff to return to the office in the middle of a pandemic, and that wouldn’t solve the problem of making your teams flexible enough to accommodate the craziness that has come to be known as 2020. Antivirus isn’t going to cast a wide enough net, controls that require connectivity won’t provide the kind of remote protection you need, and most solutions you would install locally will both weigh down your endpoints and fall short. You need a solution that can be deployed immediately, enables deep visibility, stops attacks without weighing down systems, and doesn’t overburden your IT teams with something they don’t have the time or resources to manage.
Let’s break these requirements down, one-by-one.
How far into user actions does your endpoint solution really go in a remote scenario? With users sitting outside of your firewalls and other protections, you need data on exactly who else that machine is talking to and all the actions being taken on it. Signature-based solutions won’t work, and simply looking at executed files won’t be enough to measure behavior. You need all of it, because otherwise your entire network is essentially a sitting duck, waiting to see what attackers will do once they gain access through one of those unprotected endpoints. You need deep visibility, activity logs, and the ability to understand the data you’re collecting.
TrueMDR is a lightweight single agent that sits on your endpoint, can be deployed immediately, and doesn’t depend on connectivity. It will immediately start collecting user data, stop attacks, and continue to protect your machines, regardless of whether they’re connected to your corporate network, a home internet connection, or a random coffee shop network. When alerts are generated, they are sent to our Security Operations Center, where we utilize a stack of enterprise security tools to immediately understand and contextualize that alert, then get it in front of an analyst with everything they need if it falls outside the norm. What this does for you is not only catch attacks that don’t fit the usual mold, but also speed up the remediation process from hours or days to seconds and minutes. Alerting is the place where most endpoint protection breaks down, and where TrueMDR really excels.
Endpoint solutions can generate a lot of alerts, many of which your internal teams won’t be sure how to deal with, which leads to alert fatigue. EDR management is more than just managing the agent. It’s about managing the information being presented to you by the toolset. A team that’s managing endpoint solutions effectively is looking at the alert data coming in and using specialized tools and knowledge to determine, for each alarm, whether it’s a false positive or a true positive, and they have the capability to know when and when not to create an exclusion. Just because I received an alert from my tool, that doesn’t mean it’s truly malicious. It could just be flagged suspicious, but not actually be bad. Only a highly trained analyst is going to know the difference.
Telemetry and Proactive Threat Hunting
In another common example, an alert will be generated from a perfectly legitimate business process, but it may be undertaken by an attacker who has assumed the identity of one of your users. How can you know, when your tool doesn’t have the ability to let you actively hunt for threats like this one? When you have analysts who understand the tool, have full visibility, and are actively searching activity logs using advanced security data, additional toolsets, and specialized cybersecurity background knowledge, they will catch the series of actions that led to the compromised credentials, then find, isolate, and remediate the situation before the attacker can execute a breach, stopping the attack dead in its tracks. This kind of intervention and threat hunting allows everyone to continue working uninterrupted.
We keep logs and records for a full 90 days. Then, when a new indicator of compromise comes into the SOC, like a zero day exploit, we can go back through all that data and see if any of our clients have been affected. Going back to actively hunt for threats means we can then stop any attempts to cause long-term damage.
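The retrospective sweep described here is simple to state but worth seeing in code. The following Python is an added example, not the SOC’s own tooling: it matches a newly received set of indicators against constructed endpoint telemetry, honours a 90-day retention window measured back from the time the indicator arrived, and reports the earliest sighting per host so the analyst knows how far back the exposure reaches. The record layout, host names, and indicator values are assumptions.

```python
"""Retrospective IoC sweep over retained endpoint telemetry (added example).
When a new indicator arrives, search the telemetry retained for the last 90 days
for any endpoint that already touched it, and report the earliest sighting per
host so the analyst knows how far back the exposure reaches."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sweep(telemetry, iocs, received_at, retention=RETENTION):
    """Return {host: {indicator: earliest_sighting_iso}} for hits inside the window.
    `iocs` maps indicator type to a set of values, e.g. {"dns": {...}, "sha256": {...}}.
    Records older than the retention window are not searchable, which is why the
    retention period bounds how far back a new indicator can be checked."""
    window_start = received_at - retention
    wanted = {kind: {v.lower() for v in vals} for kind, vals in iocs.items()}
    hits = defaultdict(dict)
    for rec in telemetry:
        seen = parse_ts(rec["ts"])
        if not window_start <= seen <= received_at:
            continue                        # outside the retained window
        value = rec["value"].lower()
        if value in wanted.get(rec["type"], ()):
            earliest = hits[rec["host"]].get(value)
            if earliest is None or seen < earliest:
                hits[rec["host"]][value] = seen
    return {host: {v: t.isoformat() for v, t in found.items()} for host, found in hits.items()}

# Constructed sample telemetry; the record layout is an assumption of this example.
TELEMETRY = [
    {"ts": "2020-05-01T09:12:00Z", "host": "acct-laptop-07", "type": "dns", "value": "updates.example-bad.test"},
    {"ts": "2020-07-14T22:03:00Z", "host": "acct-laptop-07", "type": "sha256", "value": "AA" * 32},
    {"ts": "2020-08-20T11:45:00Z", "host": "sales-laptop-02", "type": "dns", "value": "updates.example-bad.test"},
    {"ts": "2020-08-21T08:00:00Z", "host": "sales-laptop-02", "type": "ip", "value": "203.0.113.45"},
    {"ts": "2020-08-30T16:30:00Z", "host": "eng-laptop-11", "type": "dns", "value": "cdn.example.test"},
]
# Constructed indicators received on 1 Sept 2020; the 90-day window therefore opens on 3 June.
NEW_IOCS = {"dns": {"updates.example-bad.test"}, "sha256": {"aa" * 32}, "ip": {"203.0.113.45"}}
RECEIVED_AT = "2020-09-01T00:00:00Z"

if __name__ == "__main__":
    for host, found in sweep(TELEMETRY, NEW_IOCS, parse_ts(RECEIVED_AT)).items():
        print(host, found)
```

Note that the May sighting on `acct-laptop-07` falls outside the window and is not reported, even though the same domain is on the new list; that is the cost of the retention period, and why the sweep should run as soon as an indicator arrives.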
Respond on Our Clients’ Behalf
Once we have used our toolsets to find threats, we have the ability to remediate in a number of ways:
- Kill the process
- Quarantine the file
- Remediate (revert any changes made by the threat)
- Rollback to a known good state
- Isolate the endpoint on the client’s network
In short, as you are looking at ways to mitigate new risk on your endpoints due to all the factors we’ll just call “2020”, look for the things that will make or break your solution. You don’t just want to go out and grab the first technology you find, because the tools, by themselves, won’t be enough to make that solution effective. What you need to enable proper detection and response at the endpoint level are the deep visibility, telemetry, and investigative capabilities that come with proper management of the toolset. Because, let’s be honest, the last thing you need right now is to get that dreaded phone call that your corporate assets have been compromised by one of the latest cyber attacks aimed at companies exactly like yours, and you don’t want to throw away money on a tool that isn’t going to meet your needs in the end.
To learn more about how endpoint protection can help you mitigate risk, you can register for our upcoming webinar, “Why TrueMDR Could Be Your 2020 Game Changer”.