With the winter holidays well under way, enterprise security teams are once again thinking about how to keep their networks — and employees — protected.
The rush of online holiday shopping, travel booking, and event planning is also accompanied by overwhelming amounts of marketing materials. And it can be hard to spot legitimate solicitations from fake ones. Employees are receiving more marketing emails than ever, visiting more websites, and transacting at a higher level. The opportunity for mistakes — and maliciousness — is high.
In fact, research shows that nearly half of all data breaches originate at the web application layer. If an employee clicks on a compromised link or visits an attacker-controlled website from a work computer, security teams are challenged to stop the spread before malware, ransomware, privilege escalation, fraud, and more propagate throughout corporate systems.
Yes, work and personal transactions should be separate but, let’s be honest, they’re not. Remote work, flexibility, and co-mingling of work-personal activities are here to stay.
Add in our new corporate reality: remote and hybrid work means more personal and unmanaged devices connecting to corporate networks, and “work” computers can be dual use and/or accessible to unauthorized individuals (i.e., others living in the same household). Employees can download whatever software they want onto personal machines, yet use those same machines for work. This makes it hard to control security hygiene or force agents onto devices that the business doesn’t own.
Meanwhile, during this busy season, security, operations, and IT staff are also more scarce — enjoying their well-earned time off with family and friends. The result? Fewer eyes on alerts and fewer hands to triage incidents and remediate vulnerabilities. And attackers take note.
In addition to employee-focused attacks, threat actors may see an opening to target critical networks: to make a big splash by attacking a high-profile system or network that is un- or under-monitored, or one where baseline behavior is expected to be “abnormal” because people are away from their offices and requirements change.
Frankly, it’s a security posture management nightmare. But it doesn’t have to be this way.
Every good cybersecurity practitioner knows the realities that come with the holiday season and steels themselves for the worst, while still hoping for a little downtime. Here are four tips to bolster your organization’s security posture management this holiday season.
Every security and operations pro knows that continuous monitoring is a crucial piece of the vulnerability management puzzle. But the key here — especially while staffing is light — is automation and prioritized alerting. A tool that spits out an alert for every anomaly isn’t going to help lighten the load on staff working through the holidays.
Every company should establish its own risk assessment based on tolerance and business requirements, and controls should be tuned accordingly.
In connection with continuous monitoring, enterprises should look for solutions that can proactively identify problem areas across ecosystems — networks, software, users, devices — and map vulnerabilities to potentially affected assets.
Access Control/Privileged Access Control
A breach could not become a breach if access controls were always well-managed and infallible. Yet, over-permissioned and privileged accounts (especially admin accounts) are leading causes of breaches.
Implement tools that can centrally automate user provisioning/deprovisioning. Make sure access controls map to business requirements, that access is segregated based on users’ roles, and that the ability to apply Zero Trust (i.e., least privilege) is basic functionality.
Find a solution, too, that can identify orphaned or stale accounts and disable or remove them so they’re not accessible to attackers.
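As an added example (not code from the original article or any product it describes), the following Python check does the review the paragraphs above call for: it flags accounts whose owner is no longer on the HR roster (orphaned), accounts with no recorded owner, and accounts that have not been used within the stale window, while leaving exempt break-glass accounts for manual review. The directory export, HR roster, and field names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample directory export: account owner (HR id), last login, and an
# exemption flag for accounts that must never be disabled automatically.
ACCOUNTS = [
    {"user": "alice", "owner": "E100", "last_login": "2023-12-10", "exempt": False},
    {"user": "bob", "owner": "E101", "last_login": "2023-07-01", "exempt": False},
    {"user": "carol.contractor", "owner": "C900", "last_login": "2023-11-30", "exempt": False},
    {"user": "svc-backup", "owner": None, "last_login": None, "exempt": False},
    {"user": "breakglass-admin", "owner": None, "last_login": "2022-01-01", "exempt": True},
]
# Constructed HR roster of people still employed or under contract; C900 has left.
HR_ROSTER = {"E100", "E101"}


def review_accounts(accounts, hr_roster, today, stale_days=90):
    """Return {username: reason} for accounts that should be disabled pending review.

    Checks run in order: exemption, orphaned owner, missing owner, staleness."""
    cutoff = today - timedelta(days=stale_days)
    flagged = {}
    for acct in accounts:
        user = acct["user"]
        if acct["exempt"]:
            continue  # break-glass and similar accounts get a human review instead
        if acct["owner"] is None:
            flagged[user] = "no recorded owner"
            continue
        if acct["owner"] not in hr_roster:
            flagged[user] = "orphaned: owner no longer in HR roster"
            continue
        if acct["last_login"] is None:
            flagged[user] = "never used"
            continue
        if datetime.strptime(acct["last_login"], "%Y-%m-%d") < cutoff:
            flagged[user] = f"stale: no login since {acct['last_login']}"
    return flagged
```

Feed the result to the provisioning tool's disable action rather than deleting outright, so an account flagged in error can be restored.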
What’s access without identity? Identity has been dubbed the new perimeter, and by all means companies should implement identity-based access controls.
That said, identity-based access is not just about who the user is. Modern security tools must analyze everything from the user and their role to their devices and the devices’ security state, network interfaces, installed software, OS information, versions, and more. Only then can a security team truly authenticate users and devices.
Additionally, even with attribute-based authentication in place, multifactor authentication should always be used to decrease the likelihood of compromise.
Vulnerability Scanning and Prioritization
Vulnerability scanning is an essential part of security posture management. But scanning alone isn’t enough to protect networks. Why?
- Scanning only sees active devices.
- Most scanners are focused on one layer of the network. This means, for instance, that a web application scanner will miss network-based vulnerabilities.
- Scanners can only find and/or track known vulnerabilities. This means that unknown vulnerabilities and zero-day exploits cannot be identified.
As a result, organizations are pressed to use multiple types of scanners and scanning techniques, which in and of itself is fine. The problem arises when results aren’t correlated or prioritized for remediation. Too much disparate information causes its own vulnerability management problem. That’s especially true during a period of heightened network activity, anomalous (but not necessarily malicious) behavior, and staff shortages.
Enterprises should deploy scanning along with an orchestration layer that:
- Ties results together
- Provides a prioritization mechanism
- Allows for immediate remediation when a critical or high-risk vulnerability is found
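To make the orchestration layer concrete, here is an added Python example (not the article's or any vendor's code) that correlates findings from a web-app scanner and a network scanner, de-duplicates them per asset, scores them with asset criticality and exposure from an inventory, and picks out the critical/high findings that should trigger immediate remediation. The scanner output, hostnames, and scoring weights are all constructed for the example.

```python
# Constructed sample findings from two hypothetical scanners (web-app and network)
# covering the same small estate; hostnames and finding ids are made up.
WEBAPP_FINDINGS = [
    {"asset": "shop.internal", "id": "SQLI-LOGIN", "severity": "high", "source": "webapp"},
    {"asset": "shop.internal", "id": "SQLI-LOGIN", "severity": "high", "source": "webapp"},
    {"asset": "shop.internal", "id": "WEAK-TLS", "severity": "low", "source": "webapp"},
]
NETWORK_FINDINGS = [
    {"asset": "shop.internal", "id": "WEAK-TLS", "severity": "medium", "source": "network"},
    {"asset": "db01.internal", "id": "UNPATCHED-SSH", "severity": "critical", "source": "network"},
    {"asset": "printer.internal", "id": "DEFAULT-CREDS", "severity": "high", "source": "network"},
]
# Constructed asset inventory: business criticality (1-3) and internet exposure.
ASSETS = {
    "shop.internal": {"criticality": 3, "internet_facing": True},
    "db01.internal": {"criticality": 3, "internet_facing": False},
    "printer.internal": {"criticality": 1, "internet_facing": False},
}
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def correlate(*feeds):
    """Merge scanner feeds keyed on (asset, id): duplicates collapse, the highest
    reported severity wins, and every scanner that saw the finding is recorded."""
    merged = {}
    for feed in feeds:
        for f in feed:
            key = (f["asset"], f["id"])
            if key not in merged:
                merged[key] = {"asset": f["asset"], "id": f["id"],
                               "severity": f["severity"], "sources": set()}
            entry = merged[key]
            entry["sources"].add(f["source"])
            if SEVERITY_SCORE[f["severity"]] > SEVERITY_SCORE[entry["severity"]]:
                entry["severity"] = f["severity"]
    return list(merged.values())


def priority(finding, assets):
    """Severity dominates; asset criticality and internet exposure break ties."""
    meta = assets.get(finding["asset"], {"criticality": 1, "internet_facing": False})
    return (SEVERITY_SCORE[finding["severity"]] * 10 + meta["criticality"] * 2
            + (3 if meta["internet_facing"] else 0))


def prioritized_findings(feeds, assets):
    """Correlated findings with a priority score, highest first."""
    findings = correlate(*feeds)
    for f in findings:
        f["priority"] = priority(f, assets)
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


def needs_immediate_action(findings):
    """Ids of critical/high findings that should not wait for the next review cycle."""
    return [f["id"] for f in findings if f["severity"] in ("critical", "high")]
```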
As the sections above make clear, visibility without action does nothing to manage cyber risk.
Many tools on the market allow admins to push alerts to integrated tools, but it’s even better if the user can take action directly in the console they’re already using. Switching tools constantly is cumbersome. Plus, if there’s an increase in potentially suspicious activity during the holidays, or there aren’t enough people to triage alerts, the last thing a company needs is more burden on already-overworked staff.
Providing the right tools for security, ops, and IT teams to automatically find, contextualize, track, prioritize, and remediate vulnerabilities in the company’s users, devices, and systems will go a long way this holiday season — and beyond.