By Chester Wisniewski.
Amidst persistent attacks and post-pandemic remote work, modern security solutions must assume constant device vulnerability.
I live in a city center and the lunch hour certainly isn’t like it once was. While some people have returned to working in an office, it seems that the majority have not. In retrospect, the pandemic transformed numerous aspects globally, and office-based work patterns will never revert to the past.
With increased flexibility, employees work remotely in various settings, including parks, coffee shops, and even during ‘working holidays’. Those in charge of protecting enterprise assets have to assume these endpoints are always in hostile territory.
“Pushing Left”: Blocking an Attacker as Far as Possible
Even before the pandemic, organizations working toward improving their security maturity were often trying to “push left.” What is pushing left? At its most basic level it means moving things closer to the start. In software development, stages progress from left to right, with left symbolizing the start. In applied security we also use the term “pushing left,” but rather than referring to the software development process we are referring to the attack chain, which moves from reconnaissance on the left through action [exfiltration or other attacker goal] on the right.
For many years, the most comprehensive security strategies have involved defense in depth. The concept is to deploy technologies in layers, as not all are suitable for detecting every type of threat. These layers often directly correspond to how far “left” something is in the attack chain. By detecting threats at the network border using firewalls, email filters, or web filters, you preemptively neutralize any negative operational impact.
Ideally you want to detect and block an attacker as far left as possible, i.e., as early as possible. Pushing detections left also alerts security analysts that an intrusion may be underway, initiating more focused threat hunting to anticipate gaps in defenses your attacker may be attempting to exploit.
For employees at the office, you can centralize control of these defenses and provide optimum protection. The question is, are you able to provide the same protection for remote workers regardless of their location? Are you able to monitor and respond to threats that are being detected on those assets when they are out of the office? As many have observed, this did not work as well as we would have liked when we all went into lockdown, many of us without a plan.
Don’t Lose the Ability to Detect and Respond to Attacks on Remote Assets
While there are still many benefits to monitoring the network when you have control of it, including reduced endpoint overhead and the ability to keep threats at a distance from sensitive assets, we need to ensure we can take as much of this protection as possible with us when we are out and about.
We must ensure not only the optimization of protection but also the preservation of our ability to monitor, detect, and respond to attacks targeting these remote assets. Most organizations have moved to utilizing EDR/XDR solutions [or plan to in the very near future], which is a great start, but not all solutions are comprehensive.
In the remote-work era, plenty of issues can be encountered by insufficiently protected remote users – malicious URLs and downloads, and network attacks, to name only the most mundane – that machines guarding the corporate “fort” would have handled in the Before Times. The biggest missing components when users are “outside the fort” are HTTPS filtering and web content inspection, which are typically implemented within next-generation firewalls. When you add these technologies to pre-execution protection, behavioral detection, machine learning models, client firewalls, DLP, application control, and XDR, you are starting to look at a comprehensive stack of defenses for attackers to overcome – even if the endpoints themselves are now free-range.
For initiatives like zero trust network access [ZTNA] to be effective, we must not only wrap the applications we interact with, but we must also wrap the endpoints that connect to them. A good start may be simple checks such as whether the OS is up-to-date and whether security software is installed, but not all protection is created equal. When most devices are connected to the internet whenever they’re in use, we can utilize the power of the cloud to help provide ubiquitous protection and monitoring. Modern security solutions must assume the endpoint device or phone is in a hostile environment at all times. The old idea of inside and outside is not only outdated, but it’s also downright dangerous.
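The posture checks the paragraph describes (is the OS current, is security software installed and actually reporting in) are the kind of policy a ZTNA broker evaluates before brokering an application session. The following is an added example, not code from the article or from Sophos: a small posture gate that takes a device report from a hypothetical endpoint agent and returns allow, restrict or deny with reasons. The report fields, the minimum OS builds, the heartbeat threshold and the sample devices are all constructed assumptions for illustration.

```python
"""Device posture gate for a ZTNA broker (illustrative, not a vendor API).

A posture report from a hypothetical endpoint agent is checked against a
policy. Conditions that leave the device unmonitored (no EDR, or an EDR
agent that has gone quiet) deny access outright, because they remove the
ability to detect and respond; hardening gaps only restrict access.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds: minimum OS build per platform and how stale an
# EDR heartbeat may be before the device counts as unmonitored.
MIN_OS_BUILD = {"windows": (10, 0, 19045), "macos": (14, 4, 0)}
MAX_EDR_HEARTBEAT_AGE = timedelta(minutes=15)


@dataclass
class PostureReport:
    """Constructed report shape; a real agent would sign this."""
    platform: str
    os_build: tuple[int, int, int]
    edr_installed: bool
    edr_last_heartbeat: datetime | None
    disk_encrypted: bool
    firewall_enabled: bool


@dataclass
class Decision:
    action: str                              # "allow", "restrict" or "deny"
    reasons: list[str] = field(default_factory=list)


def evaluate_posture(report: PostureReport, now: datetime) -> Decision:
    """Apply the posture policy and explain the outcome."""
    hard_failures: list[str] = []   # device cannot be monitored -> deny
    soft_failures: list[str] = []   # hardening gap -> restrict

    min_build = MIN_OS_BUILD.get(report.platform)
    if min_build is None:
        hard_failures.append(f"unsupported platform: {report.platform}")
    elif report.os_build < min_build:
        soft_failures.append(f"os build {report.os_build} below minimum {min_build}")

    # "Security software installed" is not enough: it must also be reporting in.
    if not report.edr_installed:
        hard_failures.append("EDR agent not installed")
    elif report.edr_last_heartbeat is None:
        hard_failures.append("EDR agent has never reported in")
    elif now - report.edr_last_heartbeat > MAX_EDR_HEARTBEAT_AGE:
        hard_failures.append("EDR heartbeat stale (device effectively unmonitored)")

    if not report.disk_encrypted:
        soft_failures.append("disk not encrypted")
    if not report.firewall_enabled:
        soft_failures.append("host firewall disabled")

    if hard_failures:
        return Decision("deny", hard_failures + soft_failures)
    if soft_failures:
        return Decision("restrict", soft_failures)
    return Decision("allow", ["all posture checks passed"])


# Constructed reference time and sample devices for the demonstration.
NOW = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)

SAMPLE_REPORTS = {
    "healthy_laptop": PostureReport("windows", (10, 0, 19045), True, NOW - timedelta(minutes=2), True, True),
    "unpatched_laptop": PostureReport("windows", (10, 0, 19041), True, NOW - timedelta(minutes=5), True, False),
    "silent_edr": PostureReport("macos", (14, 4, 0), True, NOW - timedelta(hours=3), True, True),
    "no_edr": PostureReport("windows", (10, 0, 19045), False, None, True, True),
}


def evaluate_samples() -> dict[str, str]:
    """Decision per sample device, keyed by the constructed device name."""
    return {name: evaluate_posture(report, NOW).action for name, report in SAMPLE_REPORTS.items()}


if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        decision = evaluate_posture(report, NOW)
        print(f"{name}: {decision.action} ({'; '.join(decision.reasons)})")
```

The split between hard and soft failures is the design point: an out-of-date build or a disabled host firewall can be tolerated with reduced access, but a device whose EDR agent is missing or silent is one you can neither see nor respond on, so it is treated the same way an unknown machine would be.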
The author is the Field CTO – Applied Research at Sophos.