Zeki Turedi, CTO, EMEA, CrowdStrike, talks about remote cyber and IT support in the age of working-from-home.
IT support and cyber defence have been upended since COVID-19 barged through the way we used to work. There’s no more popping in to support a challenged colleague as part of the rounds of an ‘IT doctor’ in the office environment. Now every colleague’s identity must be verified remotely, their connections secured, and even devices that may not belong to the company require protection – whilst maintaining the employee’s privacy on them.
Our poor IT and cyber teams never banked on this level of challenge, but it’s here and now these teams are retooling and fighting back. The best were prepared already. Others applied prepared plans and have been pleasantly gratified with immediate results. Some have learnt as they’ve gone on, under the pressures of enforced remote working and business disruption.
And the majority of organisations will have done all this whilst under active attack from cybercriminals busy phishing, vishing, probing the expanded attack surface, and locking up systems with ransomware to extort money. A few particularly unlucky enterprises will have also been infiltrated, perhaps by cybercriminals, perhaps by nation-state sponsored adversaries or ‘advanced persistent threats’ (APTs) – and the business won’t know a thing about it, storing up trouble down the line until systems are disrupted, data is stolen, ransomware is deployed, or some authority or partner lets them know.
The cloud supports… the cloud subverts
The key technology that has supported the enterprise leaders, the laggards, and the learners alike is cloud: to allow effective collaboration; to share files, screens, and video calls; to identify remote workers; to configure and secure devices and endpoints of all types; and to troubleshoot and optimise.
Whilst the cloud is the enterprise IT saviour for the times we find ourselves in, it’s also a huge boon to cyber adversaries. It widens the attack surface from a single enterprise network (when the staff were all in the office) to a variety of networks, devices, and even cloud workloads – all distributed around a city, a country, or the whole world.
So, if you have played catch-up and your enterprise has enabled remote working, perhaps painfully, over the past few months, here’s the plain truth: The traditional on-premises security perimeter has dissolved, and legacy security stacks are unable to secure a remote workforce and cloud-hosted applications. Today, the internet is the new corporate network.
Enterprise CISOs should be asking themselves: How are you making sure that IT administrators have the proper visibility into user activity? Can you minimise attack surfaces in this cloud-first world? How do you provide users with an optimal experience without the struggle of a traditional VPN approach? How do you scale your security services and detect advanced threats more effectively?
Follow the rule: 1:10:60
The 1:10:60 metric is useful for focusing senior management’s minds on spending and on setting the right strategy to create the most impactful results – a cyber defence that fits the needs of the business. Measuring the right metrics, and using a strategy fitted to them, yields the most effective results.
With ‘breakout time’ (the time it takes an attacker to start moving laterally through a breached network) counted in minutes for effective hackers, being able to identify and contain breaches quickly is essential to any cyber strategy. The 1:10:60 rule is both a guide to best practice and a metric to beat. Using it, the enterprise commits to:
• Identifying breaches in 1 minute
• Investigating breaches in 10 minutes, and
• Remediating them in 60 minutes
Yet sadly this recommended best practice, enabled by strong procedures, trained staff and cloud-delivered technology solutions, may be ambitious for organisations used to measuring response times in days.
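As an added illustration (not from the original article or from CrowdStrike), the script below measures the three 1:10:60 phases from per-incident milestone timestamps and reports which phase first missed its target; the incident timelines and field names are constructed for the example.

```python
from datetime import datetime

# 1:10:60 targets in minutes: detect within 1, investigate within 10, remediate within 60.
TARGETS_MIN = {"detect": 1, "investigate": 10, "remediate": 60}

# Constructed sample incident timelines (ISO 8601); not real data.
INCIDENTS = [
    {"id": "INC-A", "first_activity": "2024-03-01T09:00:00", "detected": "2024-03-01T09:00:45",
     "investigated": "2024-03-01T09:08:00", "remediated": "2024-03-01T09:50:00"},
    {"id": "INC-B", "first_activity": "2024-03-01T10:00:00", "detected": "2024-03-01T10:03:00",
     "investigated": "2024-03-01T10:12:00", "remediated": "2024-03-01T11:30:00"},
]

MILESTONES = ("first_activity", "detected", "investigated", "remediated")


def phase_minutes(inc):
    """Duration of each phase in minutes, measured between consecutive milestones."""
    ts = [datetime.fromisoformat(inc[k]) for k in MILESTONES]
    deltas = [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
    if any(d < 0 for d in deltas):
        raise ValueError(f"{inc['id']}: milestones are out of order")
    return dict(zip(TARGETS_MIN, deltas))


def score(inc):
    """Per-phase pass/fail against 1:10:60, plus the first phase that missed its target."""
    mins = phase_minutes(inc)
    passed = {p: mins[p] <= TARGETS_MIN[p] for p in TARGETS_MIN}
    first_miss = next((p for p in TARGETS_MIN if not passed[p]), None)
    return {"id": inc["id"], "minutes": mins, "passed": passed, "first_miss": first_miss}


def compliance(incidents):
    """Fraction of incidents meeting each target, and end-to-end time to remediate per incident."""
    scores = [score(i) for i in incidents]
    rate = {p: sum(s["passed"][p] for s in scores) / len(scores) for p in TARGETS_MIN}
    ttr = {s["id"]: sum(s["minutes"].values()) for s in scores}
    return rate, ttr


if __name__ == "__main__":
    for inc in INCIDENTS:
        s = score(inc)
        print(s["id"], {p: round(m, 2) for p, m in s["minutes"].items()}, "first miss:", s["first_miss"])
    print("compliance by phase:", compliance(INCIDENTS)[0])
```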
In fact, organisations should be thinking not only in terms of speed, as per the 1:10:60 rule, but also in terms of treating everyone and everything using corporate systems with ‘zero trust’. Simply put, systems should not trust any device until it can be verified. As such, when devices are introduced to networks they have to be authenticated. But what organisations will find is that transitioning security models is not an overnight process. It is a long-term change in strategy that needs to start in the C-suite and filter down. Companies with multiple incompatible legacy systems will find this especially hard. That being said, with more organisations moving to cloud environments, now is the time for enterprises to take the step.
What to look for
Build a company on a strong technology platform since it’s the technology that keeps the team connected, productive and profitable. Seek a cyber strategy and solutions that:
• Use AI-powered protection for real-time, unparalleled visibility down to kernel-level operations, with container awareness and reporting that helps secure cloud workloads without compromising enterprise performance.
• Offer proven endpoint protection to all workloads, regardless of their location: physical servers and virtual machines, private data centres, and instances running in public clouds including AWS, GCP and Azure. Display findings on easily understood dashboards so that rapidly evolving, dynamic workloads can be understood and monitored.
• Can stop threats that are known – or unknown: act on indicators of attack (IOAs) rather than indicators of compromise (IOCs), i.e. focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack. Just like AV signatures, an IOC-based detection approach cannot detect the threats from malware-free intrusions and zero-day exploits. Next-generation security solutions use an IOA-based approach to protect from all threats, however they present.