The mass migration to working from home that happened almost overnight at the onset of the pandemic in 2020 has blended with a partial return to the office for many people and resulted in a hybrid working model in 2021. The result is a significantly increased workload for a lot of IT security teams as they look to protect an ever more distributed workforce and navigate continuing uncertainties and policy changes.
To avoid business operations being interrupted, employees need to access key systems and resources from anywhere, potentially on any device. Shadow IT is also a much larger consideration in the current environment, as people look for quick solutions without the IT team on hand to approve the use of a new software, services, applications or devices, or onboard them into governance and control processes and technologies.
This creates heightened risk in itself, and it comes against a backdrop of ongoing innovation by criminals keen to take advantage of the current situation. The net result is a wide, and almost impossible, remit for the infosec team.
With that in mind, the biggest takeaway from 2021 is that resources and energy need to be focused on integrating the tools and data available to identify where the risks are. This makes it critical that each organisation truly understands its own landscape, the specific threats it faces, where these are coming from and the vulnerabilities being attacked. It is also essential that teams work together to pool resources and knowledge, rather than acting in silos. The more information to hand, the better when dealing with today’s threats.
Investigations to pinpoint risk
Security teams should be using all the data at their disposal to understand their risk posture. Useful sources include a configuration management database (CMDB), next-generation extended detection and response (XDR) telemetry showing who is logging in, from where and to which applications, lists of the vulnerabilities present in the estate, and reports on how well controls are operating. However, determining how likely a threat is to materialise requires these sources to be combined and applied to the risk in question.
Pooling data into key risk indicators (KRIs) and key performance indicators (KPIs) can often show a risk emerging, or whether it has already become a problem, allowing it to be addressed proactively rather than through firefighting at a later date. Systems need to be integrated into SIEM or SOAR solutions that draw on multiple sources to provide a data-enriched view of indicators of compromise (IoCs). Offerings such as XDR, as referenced above, integrated with application monitoring, lead to a better response to threats or attempted breaches than reliance on a single data source.
Linking its IT assets to its risk register will enable an enterprise to identify the systems that are most critical to its business operations and ensure that these get the most attention.
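As an added illustration of the approach described in this section (not code from the original article or any vendor product), the following script combines three constructed data sources, a CMDB/risk-register extract giving business criticality, a vulnerability scan, and XDR-style login telemetry, into a single per-asset risk score. The asset names, scores, login records, expected-country baseline and weighting formula are all assumptions made for the example; the point it demonstrates is that two assets carrying the same critical vulnerability rank very differently once criticality and observed activity are taken into account.

```python
"""
Constructed example: combine CMDB criticality, vulnerability scan results and
login telemetry into one risk ranking. All data and weights are assumptions.
"""

# Constructed CMDB / risk-register extract: business criticality 1 (low) .. 5 (high)
CMDB = {
    "erp-db-01": {"owner": "finance", "criticality": 5},
    "hr-web-01": {"owner": "hr", "criticality": 4},
    "kiosk-07": {"owner": "facilities", "criticality": 1},
}

# Constructed vulnerability scan output: (asset, CVSS base score)
VULNS = [
    ("erp-db-01", 9.8),
    ("erp-db-01", 5.3),
    ("kiosk-07", 9.8),
    ("hr-web-01", 7.5),
]

# Constructed XDR login telemetry: (asset, user, source_country)
LOGINS = [
    ("erp-db-01", "alice", "GB"),
    ("erp-db-01", "alice", "GB"),
    ("erp-db-01", "svc_backup", "RU"),
    ("hr-web-01", "bob", "GB"),
    ("kiosk-07", "guest", "GB"),
]

# Assumed baseline: where this organisation's users normally log in from
EXPECTED_COUNTRIES = {"GB"}


def exposure_score(asset, vulns=VULNS):
    """Highest CVSS score present on the asset, 0.0 if nothing is reported."""
    return max((cvss for a, cvss in vulns if a == asset), default=0.0)


def anomalous_logins(asset, logins=LOGINS, expected=EXPECTED_COUNTRIES):
    """Logins to the asset originating outside the expected countries."""
    return [(user, country) for a, user, country in logins
            if a == asset and country not in expected]


def risk_score(asset, cmdb=CMDB, vulns=VULNS, logins=LOGINS):
    """Likelihood (exposure plus anomalous activity) weighted by business impact.

    Weighting is an assumption for the example: CVSS scaled to 0..1, plus 0.5
    per anomalous login capped at two, multiplied by criticality.
    """
    criticality = cmdb[asset]["criticality"]
    likelihood = exposure_score(asset, vulns) / 10.0
    likelihood += 0.5 * min(len(anomalous_logins(asset, logins)), 2)
    return round(criticality * likelihood, 2)


def ranked_assets(cmdb=CMDB, vulns=VULNS, logins=LOGINS):
    """Assets ordered by combined risk score, highest first."""
    scored = {asset: risk_score(asset, cmdb, vulns, logins) for asset in cmdb}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for asset, score in ranked_assets():
        print(f"{asset:10} risk={score:5.2f} top_cvss={exposure_score(asset)} "
              f"anomalous_logins={anomalous_logins(asset)}")
```

Run on the constructed data, erp-db-01 and kiosk-07 both carry a CVSS 9.8 finding, yet erp-db-01 ranks first and kiosk-07 last: the vulnerability list alone would have treated them identically, while the combined view directs attention to the business-critical system that is also seeing an unexpected login.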
An integrated approach to security
Homing in on the risk hotspots also requires a complete integration of systems and a holistic approach across the organisation. Cyber security encompasses a wide range of elements, all of which need to be working correctly and in conjunction with each other in order to manage threats effectively. For example:
1. System access control
Preventing unauthorised system access requires implementing strong identity and access management (IDAM) supported by network-level controls. Privileged access management (PAM) across the enterprise is a key element in securing estates and one of the blind spots that attackers will try to use. Implementing these programmes helps to prevent backdoors being inadvertently left open for bad actors, for example by temporarily granting local admin or domain admin access so that a task can be completed, but then not removing it.
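The failure mode just described, a temporary elevation that is never revoked, is something a PAM programme should be able to detect by reconciling its grant records against what the directory actually says. The script below is an added example written for this article, not code from it or from any PAM product: it takes a constructed ledger of temporary grants with expiry times and tickets, a constructed snapshot of current group membership, and a fixed "now", and reports both expired grants whose holders are still in the group and group members that have no grant record at all. Group names, users, timestamps and ticket identifiers are all assumed values.

```python
"""
Constructed example: reconcile temporary privileged-access grants against
current group membership to find elevation that was never removed.
"""
from datetime import datetime, timezone

# Constructed grant ledger: who was elevated, into which group, until when
GRANTS = [
    {"user": "alice", "group": "Domain Admins",
     "expires": "2021-11-01T18:00:00+00:00", "ticket": "CHG-1001"},
    {"user": "bob", "group": "Domain Admins",
     "expires": "2021-11-03T09:00:00+00:00", "ticket": "CHG-1002"},
    {"user": "carol", "group": "Local Admins",
     "expires": "2021-11-02T12:00:00+00:00", "ticket": "CHG-1003"},
]

# Constructed snapshot of current membership, as a directory query would return it
MEMBERSHIP = {
    "Domain Admins": {"alice", "bob", "svc_legacy"},
    "Local Admins": {"dave"},
}

# Fixed "now" so the example is deterministic
NOW = datetime(2021, 11, 2, 10, 0, tzinfo=timezone.utc)


def find_stale_grants(grants=GRANTS, membership=MEMBERSHIP, now=NOW):
    """Grants that have expired but whose holder is still in the group.

    Returns (user, group, ticket) tuples so the finding can be traced back
    to the change record that authorised the original elevation.
    """
    stale = []
    for grant in grants:
        expires = datetime.fromisoformat(grant["expires"])
        still_member = grant["user"] in membership.get(grant["group"], set())
        if expires < now and still_member:
            stale.append((grant["user"], grant["group"], grant["ticket"]))
    return stale


def find_unrecorded_members(grants=GRANTS, membership=MEMBERSHIP):
    """Members of a privileged group with no grant record at all.

    These are the accounts the PAM process never saw: standing privilege
    that was added outside the temporary-grant workflow.
    """
    recorded = {(grant["user"], grant["group"]) for grant in grants}
    return sorted((user, group)
                  for group, members in membership.items()
                  for user in members
                  if (user, group) not in recorded)


if __name__ == "__main__":
    for user, group, ticket in find_stale_grants():
        print(f"STALE: {user} still in '{group}', grant {ticket} has expired")
    for user, group in find_unrecorded_members():
        print(f"UNRECORDED: {user} is in '{group}' with no grant on file")
```

With the constructed data, alice's elevation into Domain Admins expired the previous evening but she is still a member, while carol's expired Local Admins grant was correctly removed; svc_legacy and dave hold privileged membership that the grant process never recorded. Running a reconciliation like this on a schedule, and feeding the findings into the SIEM as key risk indicators, turns "we forgot to remove it" from an unknown into a tracked item.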
2. Network level control
With more employees working from home and many organisations adopting a “cloud first” strategy, it is tempting to overlook the organisation’s core network. Most enterprises will still have significant volumes of data and applications that are only accessible via the network, and these need to be protected. Zero-trust principles should be adopted where possible to isolate resources: an employee with access to the network does not need access to all of it. Authentication and authorisation mechanisms should be in place to interrogate, verify and alert on network traffic to ensure it is valid and not malicious.
3. Intercepting intruders
Detection and response capabilities integrated with a strong security operation centre (SOC) can patrol the network for any malicious activity. Robust vulnerability management should also be in place across all areas to close down those easy-to-breach holes within the defences.
4. Security is not an ‘add-on’
Security should be designed into all IT projects from day one (a secure-by-design approach). This ensures it is not an afterthought, which creates risk for the organisation as well as the headaches that result from integrating application security late.
5. The ‘human firewall’
Technology is only one part of the cyber security equation – a key component in securing the enterprise is the people involved, and the importance of the “human firewall” should not be underestimated. Even an organisation fortified with the latest cyber security tools is still at risk from social engineering attacks, which use psychological manipulation and persuasive content to trick users into providing sensitive information to hackers, or allowing them system access.
This highlights the importance of security awareness training for all users in order to foster a mindset that is aware and questions everything. Education should be an ongoing cycle of developing, training and testing to keep up to date with the latest trends and techniques being used by malicious actors and be undertaken throughout the organisation.
There is no silver bullet that will secure an organisation’s critical assets, but an integrated approach to security that addresses the issues above in a joined-up way is a strong stance that provides a solid defence against attackers.