Last week, I wrote a blog describing 3 ways that COVID-19 is changing CISO priorities for 2020. COVID-19 drove large-scale work from home (WFH) initiatives where the priority was getting users up and running as quickly as possible. Security leaders were then forced into an unanticipated follow-on sprint to deliver elementary security safeguards for remote employees (e.g., VPNs, endpoint security controls, network security controls, etc.).
This is the new reality and it’s an ongoing scramble, but what comes next?
Let’s call the current situation phase 1, which is about employee access, network communications confidentiality/integrity, and basic endpoint security.
Since posting my last blog, I’ve heard of additional IT efforts to address network performance and user productivity (phase 1A). Some organizations are implementing split tunneling so key employees can reach the VPN and the internet simultaneously. Some are paying to upgrade employee bandwidth, especially for executives spending their days on Zoom/WebEx meetings while their children use the same networks for home schooling. My colleague Bob Laliberte also tells me about companies instrumenting key employee systems with WAN optimization software. Back at corporate, there is also a lot of load balancing and SD-WAN activity.
From a security perspective, forward-thinking CISOs are now on to phase 2, which focuses on situational awareness and risk assessment. This is directly related to the fact that a lot of traffic that used to stay on the LAN has been rerouted over WANs and internet connections. The goal? Scope out the new realities of usage patterns and the attack surface.
To gain this level of visibility, organizations are deploying endpoint security agents to assess device posture and system-level activities. Think Tanium agents and EDR software from vendors like Carbon Black, CrowdStrike, and Cybereason. Security pros also recognize that employee home networks may be populated with insecure IoT devices, out-of-date family PCs, etc., so I’ve heard of instances where security teams are scanning home networks as well. Finally, there is an increased focus on monitoring the network traffic travelling back and forth over VPNs or directly out to SaaS providers and the public cloud.
Leading organizations are also ramping up monitoring of cyber-adversaries and threat intelligence, looking for targeted attacks, COVID-19-themed tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), etc. I’ve also heard that threat analysts are more actively sharing intelligence and participating in ISACs. In other words, I’m seeing an increase in collaboration within the cybersecurity community.
In about 4 weeks, organizations will have visibility and enough historical data to proceed to phase 3, a full risk assessment and a board-level report. These reports will examine the WFH infrastructure, new traffic patterns, perceived vulnerabilities, rising threats, etc. They will also take a more thorough look at emerging WFH issues like insider threats, expansive privileges, data security exposures, insecure cloud application configurations, and others. The goal? Quantify risk and then work with executives to prioritize actions.
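The visibility work of phase 2 and the historical data that phase 3 builds on come together in a simple baseline-and-deviation review. The script below is an added illustration, not code from the original post or from any vendor it names: it parses a small set of constructed VPN gateway log lines (the line format is hypothetical), learns each user's normal destinations and session volume from the first weeks of WFH, and then lists what in the later period is new or unusually large, which is the raw material for the "new traffic patterns" section of a risk report.

```python
"""Baseline-and-deviation review of constructed VPN gateway logs.

Added illustration (not from the original post): records before a cutoff
date form a per-user baseline of destinations and session volume; records
after the cutoff are compared against it so an analyst can see what is new.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines: timestamp, user, destination host, bytes out.
# The format is hypothetical; a real gateway export needs its own parser.
SAMPLE_LOG = """\
2020-03-23T09:02:11Z alice crm.example.com 120000
2020-03-23T09:40:51Z alice mail.example.com 80000
2020-03-24T10:12:03Z alice crm.example.com 130000
2020-03-24T13:01:19Z bob git.example.com 450000
2020-03-25T08:55:40Z bob git.example.com 470000
2020-03-25T09:10:02Z alice mail.example.com 90000
2020-04-20T11:20:33Z alice crm.example.com 125000
2020-04-20T22:47:09Z alice files.unknown-share.test 9800000
2020-04-21T10:05:14Z bob git.example.com 460000
2020-04-21T10:30:00Z bob newtool.saas.test 200000
"""


def parse_log(text):
    """Turn whitespace-separated log lines into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, dest, nbytes = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "dest": dest,
            "bytes": int(nbytes),
        })
    return records


def build_baseline(records, cutoff):
    """Per-user set of known destinations and median bytes per session,
    computed only from records dated before the cutoff."""
    dests = defaultdict(set)
    volumes = defaultdict(list)
    for r in records:
        if r["ts"] < cutoff:
            dests[r["user"]].add(r["dest"])
            volumes[r["user"]].append(r["bytes"])
    return {u: {"dests": dests[u], "median_bytes": median(volumes[u])}
            for u in dests}


def find_deviations(records, baseline, cutoff, volume_factor=5):
    """Flag post-cutoff sessions to destinations not seen in the baseline,
    sessions far above the user's median volume, and users with no baseline."""
    findings = []
    for r in records:
        if r["ts"] < cutoff:
            continue
        base = baseline.get(r["user"])
        if base is None:
            findings.append((r["user"], r["dest"], "user absent from baseline"))
            continue
        if r["dest"] not in base["dests"]:
            findings.append((r["user"], r["dest"], "new destination"))
        if r["bytes"] > volume_factor * base["median_bytes"]:
            findings.append((r["user"], r["dest"], "volume above baseline"))
    return findings


def review(text, cutoff_str="2020-04-01"):
    """End-to-end run: parse, baseline before the cutoff, report deviations after it."""
    cutoff = datetime.strptime(cutoff_str, "%Y-%m-%d")
    records = parse_log(text)
    baseline = build_baseline(records, cutoff)
    return find_deviations(records, baseline, cutoff)


if __name__ == "__main__":
    for user, dest, reason in review(SAMPLE_LOG):
        print(f"{user:6} {dest:28} {reason}")
```

With the constructed data, the review reports a new and unusually large destination for alice and a new SaaS destination for bob; whether either is a problem is exactly the judgment call the phase 3 assessment exists to make, so the script only surfaces candidates and assigns no verdict.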
This leads to phase 4, which is all about risk mitigation. Based on my conversations, the goal is to address this by mid-May at the latest. During the risk mitigation phase, organizations will likely employ controls for data privacy/security, apply least privilege to network and application access, and segment home network traffic to protect WFH assets from gaming systems, smart refrigerators, security cameras, and the like. We’ll see more deployment of technologies like multi-factor authentication (MFA), zero trust networking tools, privileged account management, and DLP/eRM at that point. Process automation will also be added during this period.
At the end of phase 4, WFH should be set up for threat prevention, detection, and response at scale.
A few final things I’ve heard:
- While the four phases are a general project plan, CISOs are also busy patching tactical holes like blocking Zoom bombing by using meeting IDs and issuing passwords. Issues like this come up daily.
- Another issue I’m hearing about is securing “shotgun” applications, developed and deployed quickly to support remote workers, business partners, and customers.
- Security will continue to play catch-up, with IT leading on network performance and service availability. User support and productivity are paramount while security remains behind the scenes.
- The need for speed is causing CISOs to have a “SaaS first” mentality.
- CISOs are taking a long-term approach since no one can tell how long the lockdown will last. Many also feel like this is a game changer for the future of IT and security.
I’ll continue to report on what’s happening in the CISO trenches as desperate times call for desperate measures. Your feedback, inputs, and suggestions are most welcome.