Security operation center (SOC) teams are moving rapidly to adjust to the new challenges of managing a distributed workforce brought on by COVID-19. The pandemic has amplified existing challenges in the SOC and introduced new concerns around managing remote employees, including these:
- What is involved in managing a distributed workforce?
- How can I meet governance and compliance requirements?
- What does it look like to manage security and operations when employees are working remotely?
Where once workers were behind the safety of a network perimeter, now they are distributed in their homes and could be using personal devices, remote connectivity protocols, cloud apps, and other unapproved tools, all of which expand the attack surface.
These are important challenges, but one thing to keep in mind is that COVID-19 is just one of many disruptions that can hit a business at any time. As we are able to begin looking beyond concerns about the safety and health of employees, organizations will need to consider the health and safety of their data, their customer data, their operations, and their ability to ensure the resilience of their organization, whether from a pandemic, a break in the supply chain or other risk.
There are certain best practices that, when applied to a SOC, will enable your organization to always keep the monitoring spotlight turned on and be prepared to better manage whatever disruptions the future may hold.
Security Challenges of a Distributed Workforce
The sudden transition to a distributed workforce has created massive disruptions in the way employees work. This in turn has introduced new security issues that organizations need to address.
- Personal Devices: How will your enterprise safeguard company data when employees use devices that have not been approved by corporate IT?
- Connectivity Protocols: Some protocols to connect to corporate systems have more vulnerabilities than others. Which ones should your organization be concerned about, and what can you do to mitigate these risks?
- Access Control: When everyone was working on-site, you could restrict access by using a combination of security controls used in any enterprise. That is significantly more difficult when your employees are working remotely.
- Cyber Skills Shortage: The cybersecurity skills shortage was a tremendous impediment to organizations even before the pandemic hit. But now, the ability to recruit and onboard new employees is even more strained.
- SOC Administration and Compliance: If you’re relying on remote workers for the first time, your SOC infrastructure probably doesn’t support remote administration and management while continuing to meet SOC 2 Type II or ISO 27001 requirements. It is further complicated when all your employees are working remotely with no clear timeline on when they’ll return to their normal work setup.
- Increased Attacks: Because of the increase in remote access during the pandemic, organizations have had to relax their security configurations, which can lead to more distributed denial of service (DDoS)-type attacks. There has been a marked increase in DDoS and phishing attacks, as threat actors try to take advantage of the distraction.
Remote Workforce Security: Best Practices for Your SOC
Collaboration and effective communication are at the heart of an effective SOC. Adopting a multi-stage security approach grounded in these two priorities is the way forward to a secure remote workforce.
Establish security best practices
Even if you’re suddenly supporting remote work, you can limit your vulnerability to attack or disaster. Start with these steps.
- Eliminate or restrict internet-exposed remote connectivity protocols such as Remote Desktop Protocol (RDP). Connections that are protected only by a username and password are among the riskiest. Instead, rely on VPN connections, which are much more robust.
- Provide multi-factor authentication (MFA). MFA verifies a user’s identity by requiring multiple credentials. Start with employees with admin access, executives and anyone who handles sensitive data. Also, focus on applications that contain the most sensitive data.
- Provide secure tools. Your employees will need new collaboration and file-sharing tools to do their jobs from home. Some tools are more secure than others, but most people won’t know the difference. Your organization should vet and provide the collaboration tools your employees will use.
Education and training
Once best practices are in place, it’s time to communicate those to employees and provide regular training on security protocols. Every person on your payroll should receive training that is appropriate to their role. There are a number of tremendous resources that provide valuable content to support your team. At Cysiv, we use SANS online security training and we make it a point that our employees are periodically retrained.
Your SOC team will also need to stay on top of the latest threats by subscribing to threat research bulletins. There are many free and paid resources that organizations can subscribe to, allowing access to important intelligence related to the broader threat landscape and also to industry-specific threats.
Emphasize clear and frequent communication
It’s critical to maintain consistent, purposeful internal communication when your business is operating remotely. Make sure that employees understand how to work from home in a way that protects your sensitive information. Provide clear, easy-to-follow instructions, and communicate them frequently.
Also practice a periodic business continuity review. At Cysiv, we do this bi-weekly. Our leadership team meets to ensure that our systems are running smoothly, and to discuss any challenges as well as learn from each other on initiatives that may be working better than others. Internal reviews look different in every organization, but every company needs to have a strategy.
Monitor for anomalies
Despite proper security training and education, people will make mistakes. This is where data science-driven rules that leverage a range of detection techniques, including cyber intel, signatures, statistics, ML-based algorithms and behaviors, are essential to monitor for threats. This activity keeps the spotlight on 24/7 to look for evidence of anomalous behavior. So, when an employee logs into your financial system at 3:00 a.m., and has never done that before, data science-driven rules will flag this as suspicious activity that warrants closer examination.
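As an added illustration of the "never done that before" rule described above (this is example code written for this article, not Cysiv's detection logic), the following builds a per-user, per-application baseline of login hours from constructed historical log lines and flags new logins whose hour is not close to anything in that baseline. The log format, the one-hour tolerance and the minimum-history threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample history (not real data): "<ISO timestamp> <user> <application>"
HISTORY = [
    "2020-04-01T09:05:00 alice finance",
    "2020-04-01T14:30:00 alice finance",
    "2020-04-02T08:55:00 alice finance",
    "2020-04-02T17:10:00 alice finance",
    "2020-04-03T10:20:00 alice finance",
    "2020-04-01T22:00:00 bob finance",
    "2020-04-02T23:15:00 bob finance",
]
MIN_HISTORY = 5   # assumption: users with fewer events have no usable baseline yet
TOLERANCE = 1     # assumption: an hour within +/-1 of a seen hour is still "normal"


def parse(line):
    """Split one log line into (datetime, user, application)."""
    ts, user, app = line.split()
    return datetime.fromisoformat(ts), user, app


def build_baseline(lines):
    """Return ({(user, app): set of login hours}, {(user, app): event count})."""
    hours, counts = defaultdict(set), defaultdict(int)
    for line in lines:
        ts, user, app = parse(line)
        hours[(user, app)].add(ts.hour)
        counts[(user, app)] += 1
    return hours, counts


def hour_distance(a, b):
    """Circular distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def flag_anomalies(baseline, new_lines):
    """Return a finding string for each login at an hour the user has never used before."""
    hours, counts = baseline
    findings = []
    for line in new_lines:
        ts, user, app = parse(line)
        key = (user, app)
        if counts[key] < MIN_HISTORY:
            continue  # too little history to call anything anomalous
        if all(hour_distance(ts.hour, h) > TOLERANCE for h in hours[key]):
            findings.append(f"{user} logged into {app} at {ts:%H:%M}: hour never seen before")
    return findings
```

A finding like this is the starting point for the closer examination the post describes, not a verdict on its own; a user with too little history is deliberately skipped rather than flagged.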
Once security teams identify issues like these, the next step is to close the loop, making sure issues are remediated and addressed to prevent a repeat occurrence. This could include blacklisting IPs, patching software vulnerabilities, or updating software.
Seek help from peers and others to optimize your SOC
One of the most important things you can do to reduce remote work security risks is to seek the input of others. Talk to peers in your industry to learn from other organizations like yours. Sharing knowledge and information is critical in times like these, because you have the opportunity to learn from people you trust who are experiencing similar challenges to your own. Get more engaged with peer communities.
Product and service providers who have deep industry knowledge are also a good source of advice. Not only do they specialize in particular solutions, but they see a wide spectrum of issues and challenges that organizations are facing every day.
Though it may be the last thing on your mind, the best time to plan for future disruptions is exactly when you are in the middle of one. Rather than waiting until the coronavirus crisis has passed, now is the time to take stock, review your security strategy, and plan for the future. Is there an opportunity or requirement to refresh your tech stack with more efficient and cost effective solutions? Is there an opportunity to adjust your security model, perhaps making the move to a cloud-based approach to better accommodate distributed teams?
Once we are out of this particular disruption, companies will be busy getting back into the swing of things, into their normal rhythm, and the disruption will be quickly forgotten until the next event happens. By addressing the security issues of a distributed workforce now, you can have the processes, models and technology in place to protect and future-proof your company.
Are you currently managing a remote SOC? Read more about what it means when a security operations center is no longer a “place” in this blog by Justin Foster, CTO & Co-founder at Cysiv.