As enterprises enforce remote working at short notice, they face the question of how their security teams will identify bad actors and vulnerabilities during a period of massive change in user behavior.
Attribute events to the associated user and monitor for anomalies using security monitoring tools such as security information and event management (SIEM) and/or user and entity behavior analytics (UEBA).
Users will need to download data to their machines in order to work from home. It is critical to monitor, attribute, and analyze logs from key exfiltration points – including VPN session logs, data loss prevention (DLP) solutions, Microsoft Office 365, Box, and other data sharing solutions, as well as email gateways such as Cisco ESA (IronPort) or Proofpoint – in order to detect any malicious exfiltration attempts.
Typically, security teams focus on protecting the network and seldom look at applications. However, with application access moving out of the corporate network, application security becomes paramount, even more so than network security.
Monitor both Active Directory as well as other critical applications. Analyze for anomalies such as terminated user accounts that may still be active, sudden privilege escalations, and the use of dormant accounts.
Employees may be tempted to share credentials in order to get quick access and avoid lengthy access request processes. Monitor specifically for land-speed anomalies, such as a user simultaneously logging in from multiple locations, or a user badged into an office but logging in remotely.
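As an added example (not code from the original post), the two land-speed checks described above run over a constructed set of VPN session logins and badge events; the user names, coordinates and thresholds are assumptions chosen for illustration:

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample events (not real data). VPN logins carry the geolocation
# resolved from the source IP; badge events come from the physical access system.
VPN_LOGINS = [  # (user, timestamp, lat, lon)
    ("alice", "2020-03-16T08:00:00", 37.77, -122.42),  # San Francisco
    ("alice", "2020-03-16T08:30:00", 40.71, -74.01),   # New York, 30 min later
    ("bob", "2020-03-16T09:00:00", 37.77, -122.42),    # San Francisco
    ("bob", "2020-03-16T12:00:00", 37.80, -122.27),    # Oakland, plausible
    ("carol", "2020-03-16T09:20:00", 40.71, -74.01),   # New York
]
BADGE_EVENTS = [("bob", "2020-03-16T08:45:00", "HQ"), ("carol", "2020-03-16T09:10:00", "HQ")]
OFFICE_COORDS = {"HQ": (37.77, -122.42)}
MAX_KMH = 900.0                    # faster than an airliner counts as impossible travel
BADGE_WINDOW = timedelta(hours=1)  # how close a badge-in and a remote login must be
LOCAL_RADIUS_KM = 50.0             # logins this close to the office are not "remote"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """Flag consecutive logins by the same user that imply travel faster than max_kmh."""
    alerts, last = [], {}
    for user, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, plat, plon = last[user]
            hours = (t - pt).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            # zero elapsed time with any distance is a simultaneous login from two places
            if dist > 0 and (hours == 0 or dist / hours > max_kmh):
                alerts.append((user, ts, round(dist), "impossible travel"))
        last[user] = (t, lat, lon)
    return alerts

def badged_but_remote(logins, badges, offices=OFFICE_COORDS):
    """Flag a login far from an office within BADGE_WINDOW of the user badging into it."""
    alerts = []
    for user, bts, office in badges:
        bt, (olat, olon) = datetime.fromisoformat(bts), offices[office]
        for luser, lts, lat, lon in logins:
            near_in_time = abs(datetime.fromisoformat(lts) - bt) <= BADGE_WINDOW
            if luser == user and near_in_time and haversine_km(olat, olon, lat, lon) > LOCAL_RADIUS_KM:
                alerts.append((user, lts, office, "badged in but logged in remotely"))
    return alerts
```

In a SIEM or UEBA deployment the same two rules would consume the VPN and badge feeds directly, with the thresholds tuned to the organization's office locations and travel patterns.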
In addition to proactively monitoring your internet-facing RDP/VPN infrastructure, we recommend leveraging the NIST guidance on securing enterprise and telework access to implement the additional required controls, helping to further mitigate the risk of malicious threat actors obtaining and exploiting access credentials sold through underground RDP shops.
Also, make sure that this infrastructure is ready for spikes in remote access activity, depending on your current situation.
We’ve been observing malicious phishing implants increasingly evading sandboxing/detonation. Our recommendation is to implement a more in-depth “Assume Breach” approach in your environment. If your IOC (Indicators of Compromise) and sandbox-based checks fail, make sure you have checks and monitoring in place for staging/post-exploitation detection.
Dictionary attacks are the most common way of compromising credentials on internet-facing devices. With the increase in remote access for employees, contractors, and business partners, you should consider enforcing strong authentication and authorization controls to minimize the risk of compromise.
With a large number of employees requesting remote access, the business is likely to push to allow employees as much access as possible in order to avoid business disruption. However, it is important for security and IT teams to maintain segregation of duties (SOD) and peer-based checks to ensure that the access granted is aligned with the job role of the employee.
Sennovate delivers custom identity and access management solutions to businesses around the world. With global partners and a library of 1000+ integrations, we implement world-class cybersecurity solutions that save your company time and money. We offer a seamless experience with integration across all cloud applications, and a single price for product, implementation, and support. Have questions? The consultation is always free. Email [email protected] or call us at: +1 (925) 918-6618.