Work from Home - Practical Advice on Operations and Security Impact and what to do about it.
DR and BCP Planning Ideas
Widening Attack Surface Solutions
Managing Threats Solutions
3. And this was before awfulizing the pandemic escalated distraction and click-bait attacks, and a sudden remote workforce became prevalent
4. In the News
• TrickBot banking trojan introduces RDP brute forcing module
– https://www.scmagazine.com/home/security-news/malware/trickbot-banking-trojan-introduces-rdp-brute-forcing-module
• Report: Account takeover and data scraping attacks on e-retailers up as COVID-19 surges
– https://www.scmagazine.com/home/security-news/cybercrime/report-account-takeover-and-data-scraping-attacks-on-e-retailers-up-as-covid-19-surges
5. Escalated Threats
• Hackers are taking advantage of the disruption and already have significant malvertising as well as hijacked coronavirus infection maps distributing new malware and ransomware. https://futurism.com/the-byte/hackers-coronavirus-maps-spread-malware
– This is rising with fake news click-bait attacks and social media “alerts”
• SaaS and Cloud security systems (as well as the people and processes) are not ready for the additional load.
– Multi-factor authentication and behavioral analytics are behind; in the rush to disperse staff, the security stance is being weakened.
• Split tunneling makes “Follow Me” security such as secure endpoint DNS and CFS more critical because the main workforce is now remote.
• People who are generally in the office are now working in unfamiliar patterns
– ACH and wire transfer fraud
– Account takeover attacks are intensifying
6. Combating Escalated Threats
• Hackers have increased compromised ads, banners, and search hijacking as well as hijacked coronavirus infection maps
– Best Defenses: OpenDNS, NextGen-AV, Cloud App Security, SSL Decryption
• SaaS and Cloud security concerns
– Best Defenses: OpenDNS, Cloud App Security, SSO/MFA
• Human error such as ACH and wire transfer fraud
– Address with: MFA/SSO, Cloud App Security and OpenDNS/“Follow Me” security
– Validate business processes in this area
– Remember - KIDS DELETE FILES!!!
Keep in mind a “tunnel all” philosophy will probably take you down
7. Predicted W.F.H. Concerns
My guesses from last week:
• Do employees know how (process and habits)?
• Is IT ready to support them?
• Is anyone actually working from home? How do you know?
8. Our Top 3 Calls
• Overload support calls because users can’t remember how to get it
– Grab a hot spot and have people test before they go
– Set a conference bridge/WebEx for a specific hour a day to facilitate support
• I need more licenses for my VPN and MFA
– For example, RSA has been having issues generating even quotes in under 5 days. Distributors and manufacturers both have issues. Don’t wait!
– Be wary of fake/untrustworthy online sellers
• I need a VPN solution for BYOD/Home systems
– You can spin up virtual SSL-VPN appliances simply and remotely to facilitate or expand this. Good ones like ours have built-in MFA.
9. Working from Home: How To Tips
• Remote access options:
– SSL-VPN portal systems for non-“node on network” VPNs to restrict risk as well as bandwidth requirements
– Azure IaaS using RDP with SSL-VPN and one-time passwords
• Uncontrolled people, devices and disparate applications
– Implement CAS and OpenDNS for safer (not perfect, but safer) direct cloud access.
– If you have applications that can only work from the office, there are creative ways to use SSL-VPNs to resolve this as well
10. Working from Home: How To Tips
• Remote desktop tactics to lessen bandwidth burden and improve security:
– Kill drive mapping, printers, “pretty” screens, cut and paste, colors, screen resolution. Uncontrolled RDP “low” speed/quality is 256 Kbps to 2 Mbps, and “high” quality is 10+ Mbps. Those numbers are per session.
• Remote desktop tactics to lessen bandwidth burden: https://docs.microsoft.com/en-us/windows-server/administration/performance-tuning/role/remote-desktop/session-hosts
• Restrict local copy and print so you aren’t out of compliance or at increased risk of getting sued later
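As an added example (not from the slides), the PowerShell below audits and, when asked, applies the session-host policy values behind the redirection settings listed above: client drives, printers, clipboard, LPT and COM ports. The value names are the Terminal Services policy registry names; the two functions and their names are this example's own.

```powershell
# Added example (not from the original deck): audit or apply the RDP session-host
# policies that turn off device redirection and clipboard, which cuts both
# per-session bandwidth and the data-leakage paths the slide warns about.
# These are the registry values written by the "Device and Resource Redirection"
# Group Policy settings; 1 = that redirection is disabled.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name -> what it controls (descriptions are ours)
$Desired = [ordered]@{
    fDisableCdm  = 'Drive redirection (client drives mapped into the session)'
    fDisableCpm  = 'Printer redirection'
    fDisableClip = 'Clipboard redirection (cut and paste)'
    fDisableLPT  = 'LPT port redirection'
    fDisableCcm  = 'COM port redirection'
}

function Get-RdpRedirectionState {
    # One object per policy: current value ($null if not set) and whether it is
    # in the desired (disabled) state. Read-only, so safe to run anywhere.
    foreach ($name in $Desired.Keys) {
        $current = $null
        if (Test-Path $PolicyKey) {
            $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Policy      = $name
            Description = $Desired[$name]
            Value       = $current
            Compliant   = ($current -eq 1)
        }
    }
}

function Set-RdpRedirectionDisabled {
    # Writes all five values to 1. Needs an elevated prompt; honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$name", 'Set to 1 (disabled)')) {
            Set-ItemProperty -Path $PolicyKey -Name $name -Value 1 -Type DWord
        }
    }
}

# Usage: audit first; uncomment the second line to apply (preview with -WhatIf)
Get-RdpRedirectionState | Format-Table -AutoSize
# Set-RdpRedirectionDisabled -WhatIf
```

Domain Group Policy overrides these local values on refresh, so on a domain-joined session host put the same settings in a GPO and use the audit function to confirm they landed.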
11. Impact of Cloud and SaaS is Accelerated by Work from Home
[Diagram: old thinking (perimeter gateway, share drive, Exchange server, datacenter; control, logs, SIEM) versus new thinking (distributed access and threats)]
12. Working from Home: Planning Recommendations
• Firewalls: Can your firewall handle the load? All security services? All VPN connections? How do you determine this?
– Draw a picture of who needs to get to what from where and when. (We will ignore the why for now.)
– What machines will they be on? If it is home or uncontrolled systems, you need to take additional steps.
• Identity Access Control
– Make 2FA/MFA happen. Don’t budge on it.
– Is everyone set up and trained for remote access? If you use tokens, do you have enough?
• Uncontrolled endpoint threat management and security (phones, tablets and personal laptops)
– Cloud App Security, MFA and Conditional Access, RDP and SSL-VPN proxies (with End Point Control and 2FA)
13. A Few Tips
• Have people patch before they leave the office for remote work.
• Double check remote access client versions via software inventory.
• IT should be on extreme heightened alert for security issues and keep an eye out for oddities.
• Do you have the licenses to increase the remote user count?
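For the client-version check above, here is an added example (not from the slides) that reads the Uninstall registry keys Programs and Features lists, matches display names against patterns you choose, and flags anything below a minimum version you set. The name patterns and minimum versions are placeholders; the function name is this example's own.

```powershell
# Added example (not from the original deck): inventory installed remote-access
# clients and flag any below a minimum version. Reads the same Uninstall keys
# that "Programs and Features" shows (64-bit and 32-bit views).
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# DisplayName wildcard -> minimum acceptable version.
# PLACEHOLDER entries: replace with your VPN/MFA client names and the version
# your vendor's current advisory requires.
$Baseline = @{
    '*VPN*'           = [version]'0.0.0'
    '*Remote Access*' = [version]'0.0.0'
}

function Get-RemoteAccessClientStatus {
    # One object per matching product with an Outdated flag. A version string
    # that does not parse is reported as outdated so somebody looks at it.
    $installed = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }
    foreach ($pattern in $Baseline.Keys) {
        $minimum = $Baseline[$pattern]
        foreach ($app in ($installed | Where-Object { $_.DisplayName -like $pattern })) {
            $parsed = $null
            $ok = [version]::TryParse([string]$app.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                Name     = $app.DisplayName
                Version  = $app.DisplayVersion
                Minimum  = $minimum
                Outdated = (-not $ok) -or ($parsed -lt $minimum)
            }
        }
    }
}

# Usage: run on each machine (or via Invoke-Command) and review anything flagged Outdated
Get-RemoteAccessClientStatus | Sort-Object Outdated -Descending | Format-Table -AutoSize
```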
14. The Best Bang for your Buck
• Cloud App Security: Add account takeover protection, uncontrolled device protection, zero-day protection for collaboration platforms.
– Remotely implementable. No endpoint touches. No user impact.
• OpenDNS Security: “Follow Me” protection on prem and remote.
– Requires agent push. No user impact.
• Implement an Activity Tracking Solution: Executives are concerned about employee productivity while people react to the pandemic; you can address this issue.
17. SIEM 2020 – care of Splunk’s website
In 2020, security information event management (SIEM) solutions will be far more than an information platform, expanding to include compliance reporting and logs from firewalls and other devices, as well as User and Entity Behavior Analytics (UEBA) — now considered an essential capability by Gartner. On top of that, the importance of a SIEM solution in today’s enterprise is magnified by the growing sophistication of attacks and the use of cloud services, which only increases the attack surface.
18. Why does SIEM fail?
System                        | Log ingestion | Useful parser | Log review via analyst and AI | Active watch via analyst and AI
Carbon Black - CB Defense     | Yes           | Yes           | No                            | No
Cylance Protect / CrowdStrike | Yes           | Yes           | No                            | No
Office 365                    | Yes           | Yes           | No                            | No
CentOS                        | Yes           | No            | No                            | No
WAFs                          | Yes           | Yes           | No                            | Yes (assistance with report building)
The above data is an example and not vendor specific.
Behavior Analytics starts here.
19. When SIEM is implemented, what do you want it to do?
• Start with the end in mind and your worst-case scenario. Like anything in IT, there are a dozen options, and picking the right one is all about what you want to get out of it, not the marketing feature set analysis. No true SIEM is good at ingesting every type of log.
• Don’t leave concerns till the end of the process. For example, if your concern is people wrongly accessing 365, account hijacking, or the website at AWS that got hacked last year, start with that. It will often lead to traditional SIEMs failing to be the answer.
• What do you wish the SIEM system could do? Give 3 objectives.
• Does the system miss (not support) anything that bothers you?
20. Goals:
• Managing logs or managing threats?
– Are you trying to find anomalous behaviors and bad actors, or archive logs and forensics?
• Threat hunting or compliance?
– Yes, these are often mutually exclusive
• Traditional SIEM is an after-the-fact acknowledgement of a previous issue. Is this your goal?
• The unicorn hunt for a Single Pane of Glass?
21. SIEM Scoping
Once you know your key goals, we need to define the scope.
• What key systems need to be ingested: 365, servers, AD.
• What secondary systems need SIEM: PCs, firewalls, security systems, etc.
• But what about: AV, CB Defense, OpenDNS, WAFs, etc.
• Are you worried about: Salesforce, SaaS apps, JIRA, cloud systems?
• Are you trying to include switches and routers? If yes, why?
22. SIEM Integration: Where and Why?
[Diagram: IDENTITY spanning the Data Center (HQ/Co-Lo) and SaaS Apps, with a “Corona Victim” label]
If you want real SIEM in this picture you need:
1. Authoritative Single Sign On
2. Cloud App Security at least from an attack point of view
3. An integrated security platform. Why? GUIDs
23. The Proactive Response?
1. Fight Account Takeover attacks
– This should be addressed with a combination of MFA, SSO, CAS, or CASB style solutions.
2. Secure activities across cloud systems (i.e. magically taking logs from multiple sources and pairing them together)
– This should be addressed in two proactive ways: integrated security access control, and as a vehicle for malware attacks.
3. Discovering invalid accessing of the system
– Making this useful and functional requires a combination of MFA/SSO and API-driven CAS/CASB security
24. Why I think CAS is more important than SIEM: Uncontrolled People, Devices, and Disparate Applications
[Diagram with three callouts:]
• Disparate applications such as 365, Box, SalesForce, etc. Potential risk from: malware via encrypted channel; account takeover
• BYOD, mobile, emergency access users/devices: these uncontrolled devices have encrypted channels into the environment. Think work from home due to Corona
• Cloud sharing with external people: malware
25. Cloud App Security - Solution Overview
SonicWall Cloud App Security: Next-Gen Security for Office 365
• Anti-phishing
• Ransomware and zero-day protection
• Account takeover protection
26. A Better Approach: API-Based Security
✓ Inspects all email, including internal email
✓ Scans included file sharing and file storage apps
✓ Detects compromised O365 accounts
✓ Removes emails from users' inboxes after delivery
✓ Retroactively scans inboxes
Native API Integration
28. Where to start?
• Kick off your precursors:
1. Authoritative Single Sign On
2. Cloud App Security (CAS) at least from an attack point of view
3. An integrated security platform. Why? GUIDs
– Such as SonicWall’s CSC
– RedZone MSSP (managed security (FW/AD), Alert Logic, Event Tracker, BAE)
• Choosing a Threat Management or SIEM Solution
– Work with us to properly identify goals, scope, and risks to your SIEM investment.
29. Next Defensive Discussion
Topics: Threat Hunting and Next Gen AV
[Diagram of the defensive stack: Email Security; Next Gen AV; UTM with DPI-SSL; DNS based Security; MFA and CA; CAS/Cloud App Security; “Looking” (SIEM/SOC and Threat Hunting). Caption: Look Less, Block More]