Emergency Enablement for Remote Work: Endpoint Protection Edition
By: Joel Young
We are currently navigating unprecedented times of a global pandemic, but as the World Health Organization’s announcement on March 11th emphasizes, for the first time in history it is also one we may be able to control if impacted nations’ responses are swift and effectively implemented. A key factor in this fight is the use of big data analytics, which we are seeing used as a weapon against disease on this scale for the first time. We are watching the live tracking of cases across the planet and hearing news of the analytics strategies of WHO, doctors and researchers, governments and businesses alike. Countries like China and South Korea have effectively used mobile data to track movements of COVID-19 patients; and while this is obviously a contentious debate in North America where privacy laws require permission to access such data, analysis of large data sets of disease research and extensive case tracking are already being leveraged.
Along with the spread of COVID-19, we have also only begun to see the proliferation of attacks preying on scrambling organizations and scrambling individuals as we react to protect ourselves. We are reacting to a medical threat and simultaneously exposing ourselves to a different breed of potential threats—those posed by cybercriminals and APTs. Such is the case with notable phishing campaigns designed to exploit our fears and anxieties over COVID-19, which are being disclosed daily by our trusted partners and many organizations across the industry. The World Health Organization has issued advisories to this effect as well, warning citizens of scammers representing themselves as the WHO. During this time, we have also been closely monitoring updates on malware campaigns representing an increased threat to the wave of companies rushing to enable remote work for much of their workforce while observing social distancing. Exacerbating these developments is the fact that the rush to remote work enablement inevitably leads to swaths of devices (including BYOD devices) connecting over untrusted networks, in some cases without controls like firewalls and VPNs, let alone device control or effective endpoint protection.
There are a variety of measures that organizations ought to take when architecting and securing remote work enablement which you can read about further through our partner links at the end of this post. The basics are clear:
- Have and comply with remote work enablement policies in your ISP
- Leverage cloud-based (or other, securely architected) remote work enablement controls and/or services that are readily scalable to meet spikes in user count
- Use a VPN from device to corporate firewall or cloud services
- Ensure that your detection and response processes will maintain integrity if they need to be performed remotely
There are many more considerations when implementing controls such as these, but it remains the case that remote devices connecting from untrusted networks provide a vector to gain access to your data or email accounts that can be further leveraged; and in more cases than we’d like to admit these devices hold sensitive information on their local storage. With this in mind, we turn our focus today to endpoint protection.
We spoke above about big data analytics and how it can be effectively used to inform strategies to “flatten the curve” of the COVID-19 outbreak; so, too, are security firms leveraging artificial intelligence and machine learning technologies of their own to detect anomalous behavior and emerging threats that may be targeted at a sudden increased attack surface in order to try to flatten the curve of a different sort of potential outbreak. The approach to combating COVID-19 recommended by governments, and the public health officials that advise them, has been designed to react swiftly in hopes of mitigating the casualties that will result if we miss our chance to slow it down while we wait for vaccines or an ultimate progression toward a state of herd immunity. An analogy can be drawn here to NextGen endpoint protection developers’ approach in favour of using AI/ML to increase the speed and precision of detection and prevention over traditional static analysis technologies that are based on reactive, crowd-sourced signatures. In comparing the respective benefits, Morgan Wright of SentinelOne notes that AI/ML does not rely on human intervention to detect and catalogue emerging threats. The aim here is to stop threats in their tracks based on what they’re doing, even when no single file or bit of code matches exactly what we’ve seen before (or when it is obfuscated in some way). While we still want to leverage static analysis for its benefit of being able to block known files before they ever execute (similarly to how we will hopefully one day stop COVID-19 via preventative vaccinations), it is crucial today to be able to rapidly detect emerging threats, as well as changes and adaptations of existing malware, that may bypass our existing defences.
Additional challenges of a large-scale, rapid deployment of remote work enablement include the logistics of extending endpoint protection efficiently to new devices and not requiring them to be connected to central management to provide protection. Michael Sentonas of CrowdStrike notes the imperative, especially given the current landscape, for simple yet comprehensive architectures and deployment models that allow for fast deployment to disparate devices without requiring tasks that complicate or disrupt coverage and compliance. Additionally, the NextGen EDR approach of providing features like the ones we’ve discussed without needing to be connected to the cloud or central management server is distinctly beneficial to protecting BYOD and remote work deployment scenarios. Local dynamic analysis and NextGen IoC/IoA detection methods represent the best chance of protecting devices that are used in unfamiliar and untrusted settings against novel threats. Furthermore, the ability to take policy-based, automated response actions on remote systems not connected to centralized management should be closely evaluated when considering available solutions. The goal here is to not only protect the endpoint and its local data, user accounts, etc. but to protect the wider network from compromise. If “social distancing” is the strategy by which health officials are hoping to mitigate the propagation of the current pandemic, and has led us to this moment of increased remote work enablement, we can find yet another analogy here to local containment and isolation response methods for compromised computer endpoints—the difference being that with proper deployment and policy management we can hope to have much better control over our endpoints than some of our users.
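The two points above (a static IoC layer alongside a behavioral IoA layer, and policy-based containment that works while the endpoint cannot reach central management) are sketched in the added example below. It is an illustration written for this post, not code from any vendor named here; the hash blocklist, the process names in the behavioral rule and the event records are all constructed, and a real agent would enforce isolation at the host firewall rather than flipping a flag.

```python
from dataclasses import dataclass, field

@dataclass
class ProcessEvent:
    parent: str      # parent process image name
    image: str       # new process image name
    sha256: str      # hash of the new process image (constructed values in the test)

# Static layer: known-bad hashes. Constructed placeholder, not a real indicator.
KNOWN_BAD_HASHES = {"deadbeef" * 8}
# Behavioral layer (IoA): an Office application launching a script host is a
# common post-phishing pattern; it fires no matter which file was dropped.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def classify(ev: ProcessEvent) -> str:
    """Return 'ioc', 'ioa' or 'clean'; both layers run entirely on the endpoint."""
    if ev.sha256.lower() in KNOWN_BAD_HASHES:
        return "ioc"
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        return "ioa"
    return "clean"

@dataclass
class LocalAgent:
    management_reachable: bool
    isolated: bool = False
    pending: list = field(default_factory=list)   # alerts queued while offline
    uploaded: list = field(default_factory=list)  # alerts the server has received

    def handle(self, ev: ProcessEvent) -> str:
        """Apply local policy to one event and return the action taken."""
        verdict = classify(ev)
        if verdict == "clean":
            return "allow"
        # Policy: block on a static hit; block AND isolate the host on a
        # behavioral hit. Neither decision needs a round trip to management.
        action = "block" if verdict == "ioc" else "isolate"
        if action == "isolate":
            self.isolated = True
        alert = {"verdict": verdict, "action": action, "image": ev.image}
        (self.uploaded if self.management_reachable else self.pending).append(alert)
        return action

    def sync(self) -> int:
        """Flush queued alerts once the VPN/management channel returns; returns count."""
        self.management_reachable = True
        flushed = len(self.pending)
        self.uploaded.extend(self.pending)
        self.pending.clear()
        return flushed
```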
While doing business during a pandemic has generated a challenging spike in remote work enablement, we have seen an ever-growing demand for some time, and tech companies have been developing and maturing solutions all the while. Mass remote work enablement is a sudden reality for many decision makers and architects who may have had budget committed to other priorities or had other timelines and scales of deployment in mind for the immediate future. Nevertheless, there are already new threats preying on this increased attack surface, using our fears and our urgency to maintain business processes against us. These new obstacles are an unintended byproduct of our public leaders and health experts acting in our collective best interest. A minority of individuals or groups who are acting in their own self-interest now see an opportunity for exploitation, but if we are diligent the tools exist to protect our users, our livelihoods and the delivery of essential services.
As always, if you need assistance or would like to discuss what options are available to your organization to enable secure remote work, reach out to us at firstname.lastname@example.org.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout.