Cybersecurity in a Remote Work World

Are "disrupted" employees a new cybersecurity threat?

Cybersecurity in a Remote Work World

Pandemic-driven work-from-home policies are likely to persist well into 2021, and for many, remote work will become a permanent change for a growing portion of the global workforce. That massive shift has triggered significant activity across the global threat landscape, as adversaries pounced on vulnerabilities exposed by the global crisis and weaponized attack vectors that poke at the weak spots of our new reality. For many companies, securing their newly distributed infrastructure in the face of on-going cyberthreats requires a strategic reassessment.

Remote Work Shifts IT’s Focus

When the rapid shift to remote work hit at the onset of pandemic lockdown, IT professionals had to quickly provide the infrastructure to support this change. Now, IT needs a longer-term cybersecurity strategy that addresses the challenges of remote work:

Disrupted employees. Current work arrangements are so far from the norm that a new threat has emerged: the "disrupted" employee who can unknowingly increase security vulnerabilities. We are all familiar with the concept of a malicious employee actively trying to damage the company or exfiltrate data out of financial interest or revenge. Much more common is an employee who is fully compliant and follows your security policies as second nature.

A disrupted employee is someone in between: trying to do their job right but with less secure means. He or she may face challenges in getting projects done due to no longer having access to the office's infrastructure or face-to-face interactions. Gone are the water cooler conversations or impromptu meetings in the hallways, as we rely on Zoom or WebEx calls to stay connected. Informal information exchanges are all but gone.

Vulnerable home offices. Home networks lack typical protections and bifurcations of the corporate office and may be prone to attacks using lateral movement techniques. In these scenarios, after gaining initial access through an insufficiently protected device, such as a family computer, attackers move deeper into a network, searching for other devices to compromise or obtain increased privileges. This continued probing could eventually lead to the exfiltration of sensitive corporate data or high-value intellectual property. 

Data at risk. To do our jobs, we may obtain information on devices that no longer live behind corporate firewalls. Bits and pieces of information source code, marketing materials for a product launch, notes from a rebranding exercise, or business development activities–may end up on a computer of a disrupted employee. Those bits of information present a risk, because hackers are getting increasingly more adept at generating a composite of a company's proprietary data from disparate sources to make stealing it worth their while.

Much of the adversarial activity is anomalous, such as accessing databases generally not part of one's knowledge domain or downloading software code for an unrelated product. But the upheaval across corporate networks brought on by the massive migration to home offices means that these anomalies and lateral movements may be harder to trace and analyze. A few missed red flags may mean severe and unpredictable consequences down the road.

Understanding the new risk profile

Disrupted employees increase the risk profile for insider threats, requiring a comprehensive reassessment of security controls, analytics, acceptable use policies, and education. Understanding a new baseline through analytics is the first and essential step in creating the proper controls and educational programs to help your employees securely accomplish their goals. However, doing so presents challenges.

For example, firewalls are typically our go-to devices to detect and disable malicious North-South traffic (the traffic entering and exiting the network). But as networks evolve, more than fifty percent of the traffic in the data center, either physical or virtual, is now East-West (moving laterally from server to server). Security tools have not yet caught up with the need to inspect and analyze these movements to detect vulnerabilities and threats. Since modern-day networks include containerized applications in highly distributed and hybrid-cloud-based environments, gaining proper visibility has become increasingly difficult, especially with East-West traffic.

Better data for better analytics 

Accurate East-West security analytics depend on packet data as the single source of truth, especially in virtualized environments that lack a firmly established network perimeter. Thus, pervasive visibility, a foundational requirement for cybersecurity, may be effort-intensive or costly to achieve, requiring new approaches or specialized tools. Packet data, when converted to smart metadata and actionable insights, helps pinpoint the source of data leaks or security disruptions impacting the network. Granular analytics deal with alert fatigue by directing security teams to the most critical or time-sensitive issues.