Earlier in this series, we discussed how the very definition of the network perimeter has changed during the work-from-home (WFH) era. I would make the argument that the concept of the endpoint has changed along with it. Most of us were securing every desktop and laptop that connected to our networks in February, but to belabor the obvious, we now have many newly inherited unmanaged endpoints, greatly raising our risk profile. And we must also deal with Office 365 mailboxes that are taking on a “threat life” of their own.
Every MSP worthy of the name already provides endpoint protection, often by means of next-generation products. But today the need for a more sophisticated response is even greater. Endpoint protection has actually “trifurcated,” if you will, and is now a three-legged stool of traditional anti-malware, threat hunting on the endpoints, and security operations center (SOC) remediation tools and services. And Office 365 mailboxes, one of the top vectors for malware and other attacks, are becoming “email endpoints.”
Defining the Issue
During the initial mad rush to provide instantaneous WFH capabilities, we did the unthinkable: We provided the remote capabilities first and considered the security implications later. (This is a bit overstated, as Net Sciences had elected to provide that remote access by means of proxied, secure RDS through TruGrid, an inherently secure option.) But our new priority was not only to protect those new endpoints in the homes of our user base, but also to improve the protection of the target machines and mailboxes (more on that later).
As an aside, some managed service providers have a very cloud-centric user base with virtually all applications and data hosted, and perhaps even desktop or workspace as a service or virtual desktop infrastructure (VDI) as the norm. If you have the affordable, stable bandwidth in your market, and the technical expertise to pull this off, pat yourself on the virtual back. However, most of us are still supporting endpoints on premises, either through proxied RDS or across SSL VPN connections (but, of course, never over open RDS or any port-forwarded access).
To armor up against these WFH and email threats, we face three main challenges: securing those new remote machines, better protecting their remote targets (already under our care), and working to improve security of our new “email endpoints.” Each of these brings its own challenges, which I will explain as we go forward. First, I want to say that, like many of you, until March, we did not allow remote access to any of our client networks from anything but a managed machine. That fell by the wayside quickly, as it did for many others, due to the circumstances.
Armoring the Targets
For Net Sciences, the extra protection we needed on our target machines was easily provided by simply expanding the services we already had in place with our friends at Solutions Granted. We already had CylancePROTECT plus CylanceOPTICS, but by engaging their Tier 3 services (including Active Ready Response) we were able to do even more at very little cost. This new service, for nickels a month, provides upgraded SOC services for the endpoints, as well as the ability for them to lock down any suspect endpoint to allow traffic only between it and their SOC, to enable them to remediate it. This extra layer of protection of the target endpoints really goes a long way toward better sleep hygiene for all.