If you’re like me, your professional life has changed dramatically over the last six months and you’re likely working from home every day. Friends and colleagues around the globe are doing the same as companies adapt to the long term with work from home (WFH) policies during this global health crisis. Many major companies have even announced plans to keep workers home for extended periods during the pandemic with dozens highlighting plans to allow employees to work remotely long-term. The good news is that fast internet access combined with the use of cloud-based collaboration tools such as Zoom, Slack, G Suite and others, work from home is not only possible, but can be highly productive. For security teams, however, this creates an additional set of challenges to address the questions that are top-of-mind for every CISO:
The core element to answering all these questions is visibility. Visibility not just of the device itself (which is the starting point), but its state and interactions. I have written previously about the many challenges that organizations face when it comes to seeing all their hardware assets, the applications running on those devices, and the vulnerabilities associated with them. This visibility challenge is even more difficult when the users and their devices, both managed and unmanaged, are remotely connected to a variety of different services both behind the firewall and in the cloud. The resulting ‘blindspot’ that most security teams have largely comes from gaps left by traditional tools and risk assessment programs. While these tools can provide visibility to a subset of components, they do not deliver a single unified view of all assets that correlates the information from siloed tools in a way that makes it easy to manage security risks.
Let’s take a closer look at just a few scenarios you need to be aware of when addressing users working from home. First, it’s important to know who is using your network and services, what they’re trying to do and how they are accessing them. Is that user properly authenticated to the application or service and what level of authorization do they have? Is the communication coming over a secure connection such as a VPN and do you have the ability to control access to the network and/or service?
To address authentication and authorization, organizations use Identity Access Management (IAM) systems to manage the identities and access rights of all their employees. Oftentimes, IAM systems will also be used in conjunction with multi factor authentication (MFA) to provide additional assurances that a user is indeed who they say they are. VPNs are traditionally used to manage remote access to corporate networks resources and increasingly, modern application access brokers or SASE solutions are being used to govern how both on-premises and cloud-based resources are accessed.
One challenge for security teams to consider when using identity alone for authenticating users is to ensure that access is only granted to users and devices (company-managed or otherwise) meeting the company’s minimum standards of protection (e.g. installed security agents and MFA enrollment). As we know, accessing company information through a device missing core protection controls (e.g. next-gen AV) on an unsecured network can significantly increase the likelihood of the device being compromised and potentially leading to a larger event (data exfiltration, attack spreads to larger environment with operational impacts, etc.).
Similarly, users who have yet to enroll in MFA protection increase the potential for their accounts to be compromised and used without authorization.
Security professionals I’ve spoken with have mentioned the increased use of personal devices, particularly those without endpoint protection. These can also be an issue as they are typically more vulnerable to compromise, or worse, may already be compromised. Unchecked, personal devices using only identity to authenticate to cloud services could lack enough context about the security posture of the device potentially leading to device compromise and data exfiltration. Also, other devices on a compromised home network could potentially intercept company-related communications, or even attempt to gain access to the company network over VPN and infect company resources.
Another common issue, particularly when considering attacker techniques, relates to the lack of trusted DNS services on personal networks or devices. If connections from these devices are not passed through a DNS security service (many of which are free), the likelihood of a web-based exploit affecting a personal device and leading to further impact is high, particularly if other controls such as endpoint protection are not in place.
Above, I listed only a few of the many security challenges that all security teams face when managing the risks associated with WFH. Every security team I speak to tells me that they have a myriad of tools to manage various elements of the above problems, but none have an easy answer as to how to rapidly get a unified view of all relevant assets and where they may be exposed. The key here is to have the ability to aggregate the most important telemetry data from a variety of sources and tools and then correlate & normalize that data in a manner that allows you to automatically take enforcement action. There are several sources from where that information can be gleaned and fall into the following five categories:
The benefits of having this information consolidated in a common tool means you get the right telemetry data needed to understand who is accessing networks and services – and what they’re trying to do while also knowing the state of the devices (managed or unmanaged) and applications they are using. When brought together, security personnel can then evaluate risks and take action to mitigate these risks.
Many of our customers have expressed concern that they don’t have adequate visibility to help them address their WFH use cases and Armis can help. The Armis agentless device security platform is purpose-built to fill the gaps left by traditional tools that don’t do a good job of addressing WFH use cases. They are siloed or can’t even synchronize data with one another – which makes it even more difficult to get an accurate picture of everything in your environment including that of WFH users. Unless you can aggregate, correlate and normalize all the data from all of these sources, there is no good way to get a complete picture of what’s going on with your WFH program and apply appropriate business and/or security policies.
To learn more about how Armis can easily integrate into your environment and deliver the most comprehensive cybersecurity asset management for managed, unmanaged & IoT devices, download this Solution Brief.
Sign up to receive the latest news