2020 In Review: What a Wild Ride!
Assessing the Cost of Security Vulnerabilities During a Pandemic Year
As everyone is aware, the pandemic of 2020 made conducting business, even at a basic level, challenging. Organizations were faced with managing their existing security vulnerabilities, in addition to adapting their information security to the “new normal”.
In March, companies across the U.S. completed a migration of their existing workforce due to the stay-at-home orders. A lot of capital was spent on providing these employees with work from home (WFH) solutions. Some organizations went with a security-first model, which included cloud-delivered Endpoint Detection and Response (EDR) solutions, Identity and Access Management (IAM) solutions, VPN services provided by dedicated solutions or SD-WAN services, and managed endpoints (typically via Azure Active Directory).
Other organizations unfortunately focused on pure functionality and neglected the need to make sure their security scaled to this new WFH environment. As a result, those organizations have struggled to regain visibility into their security vulnerabilities since this point in time.
An Unfortunate Year to Have Security Vulnerabilities
The lack of investment in scalable security visibility solutions has been compounded this year by the increase in attacker activity, specifically during the COVID-19 pandemic. In a normal year, attacks typically trend around major holidays, as the attackers know companies are not monitoring to their fullest capabilities. This year, as workforces migrated home, so did the corporate Information Security organization for most companies. This migration, and the lack of visibility into remote employees, left a lot of room for attackers to gain undetected access and cause a lot of damage as the new “double down” ransomware trend started to rise. This methodology basically involves the attackers breaking in, harvesting and stealing sensitive data, destroying backup solutions, and running ransomware. Next, they extort their victims: pay to keep the stolen data from being published, pay to regain access to the encrypted data – or both.
How to Solve Security Vulnerabilities for the 2021 Threat Landscape
Let’s start with the foundational technologies.
Regardless of what alphabet soup of compliance standards your organization has to deal with (even if you don’t think you have to comply with any standard), all infosec budgets have to include the purchase of the following:
- Perimeter Security solutions – aka Firewalls
- Anti-Virus / Anti-Malware solutions
- Log Management / SIEM solutions
- Patch Management solutions
Now, most of you will hopefully respond that you’ve got all these and more. Whenever we hear that response, we say “GREAT, how well do they work for you?” and at that point, the conversations typically fall apart. If your answer is, “We don’t know,” the question becomes, “How do you get these answers?”
Simple. Get an enterprise pentest or, at the very least, an internal pentest. The goal of this exercise should be to task your solutions and your team with replaying or accounting for 75% of all the pentester’s activity at the end of each day, and to score your visibility: what did you see, what didn’t you see, and how do you fix it?
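One way to turn the daily scoring described above into a repeatable check, as an added example that is not part of the original post: it matches the pentester’s reported activity (host, activity label, time) against what the SIEM/EDR alerted on within a short window and reports the coverage ratio against the 75% bar. The event layout, the 15-minute window and the sample data are constructed assumptions; a real run would load the pentester’s daily log and the SIEM alert export in place of the inline lists.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    when: datetime
    host: str
    action: str   # activity category as the pentester labels it (assumed scheme)

# Constructed sample data: one day of reported pentester activity.
PENTEST_LOG = [
    Event(datetime(2020, 11, 3, 9, 5), "ws-017", "phishing_payload"),
    Event(datetime(2020, 11, 3, 9, 40), "ws-017", "credential_dump"),
    Event(datetime(2020, 11, 3, 10, 15), "srv-fs01", "lateral_movement"),
    Event(datetime(2020, 11, 3, 13, 0), "srv-db02", "lateral_movement"),
    Event(datetime(2020, 11, 3, 14, 30), "srv-bk01", "backup_tamper"),
]
# Constructed sample data: what the SIEM/EDR alerted on the same day.
SIEM_ALERTS = [
    Event(datetime(2020, 11, 3, 9, 7), "ws-017", "phishing_payload"),
    Event(datetime(2020, 11, 3, 11, 0), "ws-017", "credential_dump"),   # 80 min late
    Event(datetime(2020, 11, 3, 10, 20), "srv-fs01", "lateral_movement"),
    Event(datetime(2020, 11, 3, 14, 36), "srv-bk01", "backup_tamper"),
]

TARGET = 0.75   # the bar from the text: account for 75% of the pentester's activity

def score_visibility(activity, alerts, window_minutes=15):
    """Match each pentester action to an alert on the same host with the same
    label inside the window; each alert may account for only one action.
    An alert that fires long after the activity counts as a miss."""
    window = timedelta(minutes=window_minutes)
    unused = list(alerts)
    seen, missed = [], []
    for act in activity:
        match = next((a for a in unused if a.host == act.host
                      and a.action == act.action
                      and abs(a.when - act.when) <= window), None)
        if match is None:
            missed.append(act)
        else:
            unused.remove(match)
            seen.append(act)
    ratio = len(seen) / len(activity) if activity else 0.0
    return {"ratio": ratio, "passed": ratio >= TARGET, "missed": missed,
            "missed_by_action": Counter(a.action for a in missed)}

if __name__ == "__main__":
    result = score_visibility(PENTEST_LOG, SIEM_ALERTS)
    print(f"visibility {result['ratio']:.0%} (target {TARGET:.0%}) -> "
          f"{'PASS' if result['passed'] else 'FAIL'}")
    for a in result["missed"]:
        print(f"  missed: {a.when:%H:%M} {a.host} {a.action}")
```

The missed-by-action breakdown is the part worth reviewing with the team each day: a category that is missed repeatedly points at the control (firewall App-ID, EDR, SIEM rule, patching) that needs fixing, and widening the window shows how much of the gap is lateness rather than blindness.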
You’ll find that a lot of your answers with regards to technology map back to these first four required technologies. So, let’s grade your existing investments:
- Perimeter Security: Does your current firewall have “next gen” application ID features? Are you using them? And do they scale for your new WFH users?
One of the best benefits of having App ID or basic content filtering/proxies is capturing this traffic for your SIEM. During phishing attacks, it’s an excellent resource to have to assist in identifying or determining the level of exposure a user may have to your organization. Extending this visibility via SD-Wan or cloud-provided solutions to your remote employees also extends your visibility and capabilities in spotting compromised accounts before things get out of control.
- Anti-Virus / Anti-Malware: To be blunt, if you are still purchasing AV/AM-only solutions, you’re wasting your money. If your solution does not offer an EDR component, go find another vendor. Why do we say this? EDR is your second-chance option to detect a compromise or ransomware event occurring in your enterprise.
- SIEMs: Yes, log management is a requirement for all compliance standards, but contrary to what legacy log management vendors claim, turning a log management solution into a SIEM is, candidly, a very expensive endeavor. So, choose your solution and options wisely. We specifically recommend that if you are going to get a SIEM, make sure it has:
  - Basic SIEM correlation features
  - User Behavior Analytics
  - Attacker Behavior Analytics
  - Integration with an EDR solution (or provides its own)
  - Easy cloud integration, ideally for one price and not as bolt-on options.
Most important of all, make sure you use all these features!
Proper use means deploying the solution on workstations and servers, especially now that most of your users are not in the office. Having this data allows you to see where an attacker came into the enterprise and where they went afterwards – or, ideally, to stop the attack altogether.
- Patch Management: This one is easy – patch or get hacked. There is no grey area on this one, and 2020 has proven that time and time again. Make sure the patching solution you’re looking into works for servers and workstations, and can scale to patch third-party products within 90 days (ideally 30 days) or fewer, whether those products sit in your datacenter or in work-from-home environments.
Our Incident Response services team shared that during the summer of 2020, companies still leveraging legacy AV/AM-only solutions did not fare well against ransomware events, citing that Trend Micro was 0 for 2, Sophos was 0 for 3, and McAfee was 0 for 4 on ransomware events for which they assisted companies. To resolve these events for clients, new EDR-enabled solutions like Crowdstrike and Cylance were deployed to stop the threat and detect previously undetected signs of compromise in the affected organizations. Since these solutions are also cloud delivered, they worked very well to provide continual visibility while the employees worked remotely.
If you have confidence in your security solutions, the final challenge as we look toward 2021 is simple – make sure someone is watching all these events for you. As stated by numerous sources, security is a 24×7 practice and requires continual monitoring. Make sure you have adequate staff to view the events as they occur in your environment. Some ransomware variants can spread across a 10,000-device network in fewer than 3 hours, and that is the level of speed and accuracy you need from your monitoring solution to get in front of an event.
We’ve all had a challenging 2020, and 2021 promises to be much like this year with organizations still navigating the new economy and struggling to remediate security vulnerabilities within their ever-changing enterprise environments.
Chances are, your organization could be more secure, especially given what we have gone through in 2020. Don’t start another year with security vulnerabilities that leave your organization open to attack during this time of heightened and ever-maturing threats. We’ve seen what does and doesn’t work for our clients and are happy to assist you in identifying a strategy to move forward confidently and securely in the new year.