Planning For the ‘New Normal’ in Cybersecurity Amid COVID-19
The coronavirus pandemic has created a volatile and unsafe cybersecurity environment: overnight, 80 to 100 per cent of your workforce began working remotely. Meanwhile your organisation, like hundreds of others, has become a favourite target for attackers who have been waiting for exactly this kind of disruption. Read on as we discuss CISO priorities amid the COVID-19 pandemic.
The traditional approach of establishing a baseline of normal and appropriate network traffic behaviour was all but thrown out overnight by the shift to working from home. Collaboration tools such as Zoom and Microsoft Teams, and personal devices used to reach the network and critical information remotely, have dramatically changed network flows and what would historically have been viewed as normal and appropriate traffic. So, on top of an already challenging job, CISOs (alongside other IT teams) have to accommodate those changes quickly and revisit their entire approach in a very short space of time. At the same time, security teams are inundated with requests for access changes, to credentials or to the environment, from staff who need them simply to carry out their everyday job functions.
What Are the Priorities CISOs Should Focus on to Better Protect Their Now Remote Team of Employees?
When it comes to the security of remote workers in a crisis like COVID-19, the fundamental controls are the same; what changes is the need for enhanced security, above all in instrumentation: the visibility into endpoints, identities and network flows that the office perimeter used to provide for free. To improve its security posture, an organisation has to take into account the opportunities attackers are exploiting and come up with constructive countermeasures that do not interrupt business services for remote workers, or remote executives' interaction with clients and the business itself. We advise the following:
Organisations are tackling hundreds of false positives daily (sometimes thousands) as a result of the pandemic. Security teams are left combing through so much noise that, by their own account, typically less than 10% of alerts turn out to be true positives. Too many alerts overwhelm a security team and render it ineffective; critical alerts and threats get missed, and a breach can follow. What is needed is a system that provides in-depth context and visibility, so that data can be prioritised and the alerts that must be handled first can be identified. Using the Cyber Kill Chain, we have created a communication framework that lets you judge whether a cyber threat is a business risk that needs attention.
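The following is an added example of the kind of context-driven prioritisation described above; it is not Secrutiny's communication framework, and the scoring scheme, asset tiers and sample alerts are assumptions constructed for illustration. Alerts are grouped by host and each host is scored by the furthest Cyber Kill Chain stage observed, how many distinct stages its alerts span, and the business criticality of the asset, so that a host producing the most alerts does not automatically outrank a quiet host with a real intrusion chain.

```python
"""Kill-chain-based alert triage (added example with a hypothetical scoring
scheme, not Secrutiny's framework). Alerts are grouped by host; each host is
scored by the furthest kill-chain stage seen, the number of distinct stages
its alerts span, and the criticality of the asset."""
from collections import defaultdict

# Lockheed Martin Cyber Kill Chain stages, earliest to latest.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
STAGE_INDEX = {stage: i + 1 for i, stage in enumerate(KILL_CHAIN)}

# Asset criticality multipliers (assumed values; tier0 = domain controllers etc.).
ASSET_WEIGHT = {"tier0": 3.0, "tier1": 2.0, "tier2": 1.0}

def score_host(host_alerts, tier):
    """Score = furthest stage reached x number of distinct stages x asset weight.

    Later stages count more, and alerts spanning several stages (delivery,
    then installation, then C2) look like a real intrusion rather than
    isolated noise, so breadth is a multiplier instead of the raw alert count."""
    stages = {STAGE_INDEX[a["stage"]] for a in host_alerts}
    return max(stages) * len(stages) * ASSET_WEIGHT.get(tier, 1.0)

def triage(alerts, asset_tiers):
    """Group alerts by host and return hosts ranked from most to least urgent."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    ranked = []
    for host, host_alerts in by_host.items():
        tier = asset_tiers.get(host, "tier2")
        furthest = max(host_alerts, key=lambda a: STAGE_INDEX[a["stage"]])
        ranked.append({
            "host": host,
            "tier": tier,
            "score": score_host(host_alerts, tier),
            "furthest_stage": furthest["stage"],
            "alert_count": len(host_alerts),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked

# Constructed sample data: 'vpn-user-17' produces the most alerts but only
# reconnaissance-stage noise; 'laptop-42' has a short but complete chain.
SAMPLE_ALERTS = [
    {"host": "vpn-user-17", "stage": "reconnaissance", "detail": "port scan"},
    {"host": "vpn-user-17", "stage": "reconnaissance", "detail": "port scan"},
    {"host": "vpn-user-17", "stage": "reconnaissance", "detail": "port scan"},
    {"host": "vpn-user-17", "stage": "reconnaissance", "detail": "port scan"},
    {"host": "vpn-user-17", "stage": "reconnaissance", "detail": "port scan"},
    {"host": "dc01", "stage": "reconnaissance", "detail": "LDAP enumeration"},
    {"host": "fileserver01", "stage": "exploitation", "detail": "SMB exploit attempt"},
    {"host": "laptop-42", "stage": "delivery", "detail": "phishing attachment opened"},
    {"host": "laptop-42", "stage": "installation", "detail": "new persistence key"},
    {"host": "laptop-42", "stage": "command_and_control", "detail": "beacon to rare domain"},
]
ASSET_TIERS = {"dc01": "tier0", "fileserver01": "tier1"}

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, ASSET_TIERS):
        print(f"{row['score']:5.1f} {row['host']:14} {row['furthest_stage']:22} "
              f"alerts={row['alert_count']}")
```

Run as-is, the five noisy scans against vpn-user-17 land at the bottom of the list, while laptop-42, with only three alerts but a chain from delivery through command and control, comes out on top. The stage index, breadth multiplier and asset weights are the knobs to tune against your own incident history; the point is that position in the kill chain and business criticality, not alert volume, drive the order of work.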
New Ally in the Cybersecurity Space: Artificial Intelligence
CISOs have effectively had to start from scratch: redefine the baseline of normal and appropriate behaviour, then recreate the rules and thresholds their security systems operate against. One of the things we work through with clients is how to apply Artificial Intelligence (AI) to that problem. AI provides greater real-time threat visibility and lets an organisation move away from simply adding analysts and tooling, so that an AI platform absorbs the repetitive work instead. AI does what humans are not as good at: examining vast volumes of data repetitively, identifying patterns in behaviour, recognising anomalies in it, and doing so without human intervention. That gives organisations more time to focus on addressing, resolving and remediating true positives. One caveat applies whoever or whatever learns the baseline: it learns from the traffic it is shown, so a baseline built on office-era traffic must be rebuilt from post-change traffic and reviewed again as the remote pattern settles.
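The example below is added to illustrate the baselining problem raised in this section and in the introduction; it is not MixMode's or Secrutiny's code, and it is a deliberately simple statistical stand-in for what an AI platform learns at scale. The baseline is the set of (user, service) pairs each user normally touches plus a robust per-user bytes-out threshold (median plus k times the median absolute deviation). Scoring a day of remote-era flows against the office-era baseline floods the queue; rebuilding the baseline from the first remote-era week removes the structural anomalies and leaves only the genuinely new behaviour. The users, services and byte counts are constructed for the example.

```python
"""Behavioural baseline and re-baselining (added example, not MixMode's or
Secrutiny's code). Learns a simple per-user baseline from one window of flow
records and scores a later window against it."""
from collections import defaultdict
from statistics import median

def learn_baseline(flows):
    """Return {'pairs': set of (user, service), 'bytes': {user: (median, mad)}}."""
    pairs = set()
    per_user = defaultdict(list)
    for f in flows:
        pairs.add((f["user"], f["service"]))
        per_user[f["user"]].append(f["bytes_out"])
    thresholds = {}
    for user, values in per_user.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # never a zero-width band
        thresholds[user] = (med, mad)
    return {"pairs": pairs, "bytes": thresholds}

def score(flow, baseline, k=5.0):
    """List the ways a flow deviates from the baseline (empty list = normal)."""
    reasons = []
    if (flow["user"], flow["service"]) not in baseline["pairs"]:
        reasons.append("service never seen for this user")
    med, mad = baseline["bytes"].get(flow["user"], (0.0, 1.0))
    if flow["bytes_out"] > med + k * mad:
        reasons.append("bytes_out above robust threshold")
    return reasons

def anomalies(flows, baseline):
    """Return (flow, reasons) for every flow that deviates from the baseline."""
    flagged = []
    for f in flows:
        reasons = score(f, baseline)
        if reasons:
            flagged.append((f, reasons))
    return flagged

def flow(user, service, bytes_out):
    return {"user": user, "service": service, "bytes_out": bytes_out}

# Constructed sample windows; byte counts are illustrative, not measurements.
OFFICE_WINDOW = [
    flow("alice", "crm-https", 20000), flow("alice", "crm-https", 22000),
    flow("alice", "fileshare-smb", 50000), flow("alice", "fileshare-smb", 48000),
    flow("alice", "crm-https", 21000),
    flow("bob", "crm-https", 15000), flow("bob", "fileshare-smb", 40000),
    flow("bob", "crm-https", 16000),
]
REMOTE_WINDOW = [   # first week of working from home: video calls dominate
    flow("alice", "teams", 200000), flow("alice", "zoom", 350000),
    flow("alice", "crm-https", 21000), flow("alice", "teams", 210000),
    flow("alice", "zoom", 340000),
    flow("bob", "teams", 180000), flow("bob", "zoom", 300000),
    flow("bob", "crm-https", 15500),
]
TODAY = [
    flow("alice", "teams", 205000), flow("alice", "zoom", 360000),
    flow("bob", "crm-https", 16000),
    flow("bob", "webdav-public-upload", 2500000),  # large upload to an unseen service
]

if __name__ == "__main__":
    stale = anomalies(TODAY, learn_baseline(OFFICE_WINDOW))
    fresh = anomalies(TODAY, learn_baseline(REMOTE_WINDOW))
    print(f"office-era baseline: {len(stale)} of {len(TODAY)} flows flagged")
    print(f"remote-era baseline: {len(fresh)} of {len(TODAY)} flows flagged")
    for f, reasons in fresh:
        print(f"  {f['user']} -> {f['service']}: {', '.join(reasons)}")
```

Against the office-era baseline three of the four flows are anomalous, because Teams and Zoom were never seen and their volumes dwarf CRM traffic; that is the false-positive flood. Against the remote-era baseline only bob's 2.5 MB upload to a never-seen service survives, and it is flagged on both features. The MAD band is deliberately loose (k is an assumption to tune), and a production platform learns far more features than two, but the mechanics of "learn, score, re-learn after a structural change" are the same.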
Isolation of Crucial Business Services
Isolating essential business services from more general supporting applications and services, whether by VPN policy or by subnetting, is very useful for slowing the impact of a breach, particularly anything that propagates automatically, such as ransomware, because it buys the time to correct or respond with effective action against an incident. For example, remote workers often need to access specific applications, but they do not necessarily need the printers or some of the file shares they would have more general access to in the office. The same holds true for IT and security: isolate the systems and applications your remote workers need from those they do not. This can be done with subnetting and filtering between segments, even by remote IT staff, and is one of the most effective techniques for preventing widespread propagation or lateral movement from one segment to another.
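As an added example of the segmentation described above (not Secrutiny's or any client's configuration; every address, port and rule name is an assumption), the block below keeps one first-match policy table for the remote-worker VPN pool and uses it two ways: as a decision function that audits a flow log for attempts to cross into segments the pool should not reach, and as a generator for an equivalent nftables forward chain on the gateway between the VPN pool and the office networks. The gateway is assumed to forward only VPN-pool traffic, which is why its forward chain defaults to drop.

```python
"""Segmenting the remote-worker VPN pool from what it does not need (added
example; addresses, ports and rule names are assumptions). One policy table
drives both an audit of observed flows and an nftables rendering."""
import ipaddress

VPN_POOL = "10.200.0.0/16"   # addresses handed to remote-worker VPN clients

# (name, source, destination, protocol, destination port, action); first match wins.
POLICY = [
    ("dns",             VPN_POOL, "10.10.1.10/32", "udp", 53,   "accept"),
    ("crm-web",         VPN_POOL, "10.10.5.0/24",  "tcp", 443,  "accept"),
    ("rdp-jumphost",    VPN_POOL, "10.10.6.5/32",  "tcp", 3389, "accept"),
    ("no-peer-to-peer", VPN_POOL, VPN_POOL,        "any", None, "drop"),  # worm path
    ("no-printers",     VPN_POOL, "10.10.20.0/24", "any", None, "drop"),
    ("no-fileshares",   VPN_POOL, "10.10.30.0/24", "any", None, "drop"),
    ("default-deny",    VPN_POOL, "0.0.0.0/0",     "any", None, "drop"),
]
RULES = [(n, ipaddress.ip_network(s), ipaddress.ip_network(d), p, port, a)
         for n, s, d, p, port, a in POLICY]

def decide(src, dst, proto, dport):
    """Return (action, rule_name) for a flow; the first matching rule wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, s, d, p, port, action in RULES:
        if src_ip in s and dst_ip in d and p in ("any", proto) and port in (None, dport):
            return action, name
    return "drop", "implicit-deny"   # nothing matched: fail closed

def audit(flows):
    """Return (flow, rule) for every flow the policy drops; each is either a
    misconfigured access need or an attempt to move between segments."""
    dropped = []
    for f in flows:
        action, rule = decide(f["src"], f["dst"], f["proto"], f["dport"])
        if action == "drop":
            dropped.append((f, rule))
    return dropped

def to_nftables():
    """Render the policy as an nftables forward chain, same order and verdicts."""
    lines = [
        "table inet vpn_segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for name, s, d, p, port, action in RULES:
        match = f"ip saddr {s}"
        if d.prefixlen:                      # omit a daddr match for 0.0.0.0/0
            match += f" ip daddr {d}"
        if p != "any":
            match += f" {p} dport {port}"
        lines.append(f'    {match} {action} comment "{name}"')
    lines += ["  }", "}"]
    return "\n".join(lines)

SAMPLE_FLOWS = [  # constructed flow log from one VPN client
    {"src": "10.200.3.7", "dst": "10.10.5.20", "proto": "tcp", "dport": 443},
    {"src": "10.200.3.7", "dst": "10.10.1.10", "proto": "udp", "dport": 53},
    {"src": "10.200.3.7", "dst": "10.10.30.4", "proto": "tcp", "dport": 445},   # file server
    {"src": "10.200.3.7", "dst": "10.200.9.1", "proto": "tcp", "dport": 445},   # another VPN client
    {"src": "10.200.3.7", "dst": "10.10.20.9", "proto": "tcp", "dport": 9100},  # printer
    {"src": "10.200.3.7", "dst": "10.10.6.5",  "proto": "tcp", "dport": 3389},
    {"src": "10.200.3.7", "dst": "10.10.6.5",  "proto": "tcp", "dport": 22},    # not allowed
]

if __name__ == "__main__":
    print(to_nftables())
    for f, rule in audit(SAMPLE_FLOWS):
        print(f"DROP {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} ({rule})")
```

The SMB attempt from one VPN client to another is the case that matters most for ransomware: with clients in one flat pool and no peer-to-peer rule, a worm on one laptop can reach every other remote worker through the gateway. Running the audit over real VPN flow logs before enforcing the ruleset shows which legitimate needs the allow list is missing, so that enforcement does not become the next flood of access-change requests.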
One Thing Cybersecurity Teams Should Have to Arm Themselves Against Attackers
Since the start of the pandemic we have seen a huge increase in malicious activity, including theft of remote users' credentials, phishing emails carrying malware, malicious websites and zero-day attacks. With no idea how long this will last, or whether things will ever go entirely back to normal, there are multiple routes cybersecurity teams can take to arm themselves against attackers. We explore them as we continue the discussion with MixMode's Head of Strategic Alliances, Geoffrey Coulehan.