The first phase of the remote work paradigm in the early days of the coronavirus pandemic entailed getting enough laptops and ensuring connectivity for all users. Then organizations began securing all work-from-home employees, which makes sense given the average cost of a breach is $8.64 million in the U.S., according to IBM’s 2020 Cost of Data Breach report. Now there is a common expectation, echoed in recent conversations I’ve had with CISOs, heads of IT, and infosec specialists across the globe, that there will be more teleworkers in the future, creating a greater need to protect endpoints for employees who are not on a VPN.
Indeed, a recent report from Cisco Systems finds that roughly 75% of organizations are expecting employees to increase remote work arrangements even after the pandemic. Additionally, several companies have deferred the decision of when to have employees return to the office well into 2021.
To protect users, services, and the overall business going forward, security leaders are currently assessing alternatives to some of the common approaches taken thus far, as they have fallen short. First, let’s dispel some myths:
Myth #1: Get everyone on a VPN
Astute leaders quickly recognized the fallacy of this model. Don’t get me wrong; VPNs have been an important tool in safeguarding remote access and have been used for over two decades for secure access to data in on-premises data centers. But as services have moved to the cloud and users demand more productive remote work environments, VPNs introduce a scalability bottleneck: they create a circuitous route to cloud applications and have a limited number of concentrator ports. Additionally, they do not protect against end-user attacks like ransomware or phishing, and instead rely on adjacent technologies in the network or on the endpoint.
Ensuring a strong user experience is one of the key challenges for IT professionals dealing with remote users, and some organizations resort to split tunneling to overcome this limitation. But this approach reintroduces security concerns from direct-to-internet connections. Also, traditional VPNs provide blanket network-level access to the data center to all users. This further increases risk, and when combined with logging and auditing, ups the IT overhead to manage these resources as well.
Myth #2: Train ’em
Security training indeed improves awareness; however, Verizon’s 2019 Data Breach Investigations Report shows that despite training, users continue to click on malicious links, leading to successful breaches. In a recent survey by Cyberinc, three-quarters of security leaders and practitioners expressed concerns about users clicking on risky links in emails, documents, or the web. The challenge is that as attackers evolve their approaches, users struggle to differentiate good from bad—a determination that should not be left to end users in the first place. Bottom line: Training is important, but attacks still succeed.
Myth #3: Manage risk with content filters
While content filtering is a valuable tool that enables organizations to enforce acceptable use policies and also reduces the attack surface, users still face challenges. Policy management with content filtering can be difficult, especially with more services moving to the cloud and more users needing access. What should be allowed and what should be blocked? For how long should access be allowed? Who manages policies and compliance? Content filtering is also ineffective when attackers use “allowed” domains to deliver threats, as was the case with the recent Garmin breach that occurred via malware delivered from compromised news sites. Malvertising attacks use well-known sites to deliver malware as well, especially during the busy holiday online shopping season.
Myth #4: Endpoint protection can stop threats
Although anti-virus solutions protect endpoints against file-based malware, file-less malware is able to bypass these protections because there is no file signature to detect. Additionally, given the frequency with which new threats emerge, anti-virus/anti-malware solutions fail to keep pace. Endpoint detection and response (EDR) solutions do look for file-less malware; however, they need to be supported by an appropriate security team to ensure the alerts (and false positives) are handled in a timely fashion.
Security Decisions Should be Based on Needs, Not on Tools
The new normal of remote work makes it imperative to understand the strengths and weaknesses of trusted frameworks to ensure security. Your specific solution must depend on your threat surface, and not be driven by the tools themselves. In other words, you must understand your primary risk. Is it the end user? Is it application access? Is it the application architecture? Or something different?
If cloud application access is a key consideration, newer technologies like zero trust network access (ZTNA) can serve your purpose. ZTNA challenges the assumption that the location of an entity (inside a network) should automatically grant trust to a user or device, and instead allows application access based on attributes such as user identity, device, geolocation, etc. Users get access to the applications they need, but see nothing else on the network, with a ZTNA broker assessing the user’s profile before granting access. So, if Joe’s credentials fall into the wrong hands and an attacker tries to use them to access a service, they would be unable to, given the context.
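To make the broker decision concrete, here is an added illustration (not code from the article or from Cyberinc) of how a ZTNA-style policy point evaluates a request on identity, device, and geolocation together, compared with a legacy VPN decision that grants network-level access on credentials alone. The user, device identifiers, countries, application names, and the directory contents are all constructed for the example; a real broker would pull these from an identity provider and device inventory.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class AccessRequest:
    user: str
    credential_ok: bool   # result of the upstream password/MFA check (constructed flag)
    device_id: str        # identifier presented by the connecting device
    country: str          # geolocation derived from the source address
    app: str              # application the user is asking for

@dataclass
class UserProfile:
    enrolled_devices: Set[str]   # devices registered to this user
    usual_countries: Set[str]    # locations the user normally works from
    assigned_apps: Set[str]      # applications the user is entitled to

# Constructed sample directory; in practice this comes from the identity provider.
DIRECTORY: Dict[str, UserProfile] = {
    "joe": UserProfile(
        enrolled_devices={"laptop-joe-01"},
        usual_countries={"US"},
        assigned_apps={"payroll", "wiki"},
    ),
}

def ztna_decision(req: AccessRequest,
                  directory: Dict[str, UserProfile] = DIRECTORY) -> Tuple[str, List[str]]:
    """Context-aware decision: every attribute must check out, per application.

    Returns ("allow", []) or ("deny", [reasons]). Denial reasons are collected
    rather than short-circuited so the audit log explains the decision.
    """
    profile = directory.get(req.user)
    if profile is None:
        return "deny", ["unknown user"]
    if not req.credential_ok:
        return "deny", ["credential check failed"]
    reasons: List[str] = []
    if req.device_id not in profile.enrolled_devices:
        reasons.append("device not enrolled")
    if req.country not in profile.usual_countries:
        reasons.append("unexpected geolocation")
    if req.app not in profile.assigned_apps:
        reasons.append("application not assigned to user")
    return ("allow" if not reasons else "deny"), reasons

def visible_apps(user: str, directory: Dict[str, UserProfile] = DIRECTORY) -> Set[str]:
    """A ZTNA broker exposes only the user's assigned applications, nothing else."""
    profile = directory.get(user)
    return set(profile.assigned_apps) if profile else set()

def legacy_vpn_decision(req: AccessRequest,
                        directory: Dict[str, UserProfile] = DIRECTORY) -> str:
    """Blanket network-level access: a valid credential opens the whole data center,
    regardless of device, location, or which application is requested."""
    return "allow" if req.user in directory and req.credential_ok else "deny"

if __name__ == "__main__":
    joe_at_home = AccessRequest("joe", True, "laptop-joe-01", "US", "payroll")
    stolen_creds = AccessRequest("joe", True, "unknown-device", "XX", "payroll")
    print("joe from enrolled device:", ztna_decision(joe_at_home))
    print("stolen credentials, ZTNA: ", ztna_decision(stolen_creds))
    print("stolen credentials, VPN:  ", legacy_vpn_decision(stolen_creds))
    print("apps joe can even see:    ", visible_apps("joe"))
```

The contrast is the point of the paragraph above: with the same valid credential, the legacy model returns "allow", while the context-aware broker denies the request and records why, and it never exposes applications outside the user's assignment in the first place.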
If end-user threats like ransomware, phishing, and users clicking on links are a challenge, look at recent innovations like remote browser isolation (RBI). RBI is designed on the premise that end users represent the weakest link and web access is one of the largest attack surfaces. Consequently, an effective way to reduce endpoint/end-user compromise is to adopt a preventative security model and “airgap” web access to eliminate browser exploits, as well as threats from users clicking on malicious links.
It’s not always new technologies that move security forward. Many cloud providers (e.g., O365, Google) offer application-level encrypted access, one of the simplest measures to minimize risk. In addition, most services now support multifactor authentication (MFA), another simple way to protect against the most basic brute-force attacks.
As security professionals continue to embrace the remote workforce, productivity as well as security must be key considerations to preserve business continuity and operational efficiency. Essential to this is an understanding of the most prominent threats affecting your organization and the structural weaknesses they rely on to achieve compromise. Security investments must include architectural models that address both the company’s risk surface and its staffing constraints, to avoid becoming tomorrow’s headline.
RAJIV RAGHUNARAYAN is senior vice president of products at Cyberinc, a cybersecurity company based in San Ramon, Calif.