Security Think Tank: Don’t bet on a new normal just yet
After a year of unprecedented disruption thanks to Covid-19, it looks like remote working is set to remain with us for now, which means security strategies will change in 2021. What will this change look like, and what tools and services will be selling like hot cakes?
We enter 2021 with the good news that the Covid-19 vaccination programme is under way here in the UK – but what a year 2020 was, and I suspect many of our Security Think Tank readers are hoping for a better 2021.
What will the year ahead bring? We certainly won’t see a return to normality as we knew it in in 2018 and early 2019. The impact of Covid-19 forced many non-manufacturing jobs to move to remote working and, in that process, many companies have taken to reviewing and updating their working practices.
The fallout from this process has included, or will include, a greater use of workflow automation, the discovery that remote working can be done effectively and does work well, and in some instances a happier workforce that doesn’t need to commute to work each day.
This move to remote working requiring only an occasional visit to the office has brought about, or will bring about, the necessity to reorganise office space to accommodate a move to hot-desk working and more meeting rooms equipped for video operation.
Surplus office space and a probable reduction in the workforce due, in part, to improvements in work practices will be a likely outcome, but what of the IT infrastructure – will it undergo a permanent redesign or just or just enhancements or tweaks? Has the move to remote working and the need to respond rapidly to that move increased the use of, or increased reliance on, cloud-based services?
Whatever happens, there will be additional pressures on IT and security teams because there will be a need to service and support an infrastructure with many endpoints mainly located in staff homes, where physical security and the security of the home network will be a challenge. The IT infrastructure itself may also have become a hybrid of HQ-based IT and cloud-based supplier IT and, along with the increase in endpoints, comes the realisation that the attack surface of a company’s IT infrastructure has dramatically increased.
Towards the end of 2020, there came the disturbing announcement that FireEye, one of the top security tool suppliers, had suffered a major security breach. Investigations identified that the breach came about after malware was injected into automatic updates of the SolarWinds Orion network management range of tools.
The fallout from this revelation still continues because within the US, more that 400 of the Fortune 500, including top accounting firms, use SolarWinds products, as do many branches of the US government and its agencies. And while Microsoft identified that 80% of deployed SolarWinds products are used in the US, there are victims in Europe, including in the UK. Blogs regarding this breach that are worthwhile seeking out and reading are:
- A moment of reckoning: the need for a strong and global cyber security response.
- FireEye hack: A firm that helps protect businesses and cities from cyber attacks just got hit by one.
- A new SolarWinds flaw likely had let hackers install Supernova malware.
What does this increased use of remote/home working, the increased use of cloud services and the major FireEye/SolarWinds security breach do for our “crystal ball- gazing” efforts to identify the “must have” tools for 2021?
Some automation wouldn’t go amiss, as there will be an increase (perhaps quite large) in the number of events both security- and infrastructure-related, to deal with and cross-correlate.
The Security Think Tank have covered off this area well recently, with many articles on this subject. You can read my articles on this area at: Security Think Tank: SIEM and AI – a match made in heaven? a July article that looks at SIEM and AI, and my December article SIEM or SOAR or both? Consider your business complexity first, which weighs up which approach is best for different types of company.
Automation within the management and operation of an IT infrastructure, while very important and increasingly so, is not the only area that IT security needs to be looking at. It becomes doubly important to ensure that operational and security patching is rigorously carried out, but – and it is a big BUT – incoming software or code updates need to be checked carefully for malware. This could be done by passing the software through a “sheep dip” system and/or deploying the software into an isolated test system to observe its operation.
Sadly, this may not necessarily be sufficient where malware has advanced stealth characteristics that would only become apparent over time. In these circumstances, the enterprise will need to ensure its backup processes are fully functional and regularly tested and that annual, monthly and weekly backups are taken and kept in a safe location away from the main datacentre site and not connected to the infrastructure – and this in addition to daily backups.
The takeaway here is that the security toolset must include effective testing of any software, update or new, entering a company’s infrastructure and that the backup toolsets need reviewed and updated as appropriate.
What else will the IT security team need in their 2021 arsenal to keep their enterprise safe? They will need to develop a solid understanding of how their remote endpoints work and the risks associated with them. Again, this area has been covered by other Security Think Tank articles over the years.
Encrypted VPNs are a good start, and for remote workers who don’t have a company-supplied and maintained device, access can be provided by a central terminal server service and HTTPS connections. Advice to home workers on how to work safely and securely at home is another essential.
Where cloud services are in use, has a proper risk analysis been carried out and appropriate measures and mitigations been implemented? Remember that your cloud supplier has its own IT staff (who, in turn, may be contractors), that your company’s servers are likely to be virtual ones sharing a physical host platform with other companies, and your data will be carried with the cloud supplier infrastructure over shared pipes.
Do you know how good the separation is between your virtual servers and the virtual servers of other companies, between the VLAN carrying your data and the VLANs of other users? What security guarantees is the supplier offering? Finally, has the security team read and cleared the contract with the cloud supplier as being “fit for purpose”?
The takeaway here, in my opinion, is that the security team needs to develop a solid understanding of the threats, risks and exposures that the IT infrastructure now faces, including the IT supply chain. This might require external professional help or, at the very minimum, some formal education in the subject.
Wishing you all a happier 2021. Stay safe, stay secure and, if you have a mind to, here are some additional blogs to read: