Managing Cyber Security in the Hybrid Workplace
As some parts of the world continue to struggle with the COVID-19 epidemic, others are starting to come to terms with a new way of working. There is much talk about some of these changes becoming permanent, including when it comes to managing cyber security.
During a recent “fireside chat” at the virtual Executive Leaders’ event organised by one of Huntsman Security’s partners, iomart (www.iomart.com), we spoke about an increasingly hybrid workplace and some potential changes in the way we manage security.
Some pertinent questions were discussed about how to handle the changing situation given what we have learned from conducting business, often working from home, for the last year or more. The questions and answers below guided the session.
How will approaches to managing cyber security change as a result of the pandemic?
For many businesses there was an increase in risk back in March 2020 that resulted from the sudden shift to remote access and working from home. In many cases these changes were made in haste and, in some instances, controls around user authentication were lacking and the way endpoints were secured or provisioned was sub-standard. The adoption of cloud solutions, such as Dropbox, Slack, Zoom, Google Docs and a variety of file sharing, collaboration and communication services, in some cases reliant on personal accounts, created a less well controlled environment than a more organised IT cloud migration would typically ensure.
These rapid migrations were adopted in the short term to ensure continued business operations, but as businesses now look to their future requirements, the need to build more robust, controlled and auditable facilities will become a priority.
Specifically, we saw two major issues emerge in cyber security. One was the uptick in phishing and malware activity that exploited the pandemic, compounded by a lack of endpoint protection. This is part technical (endpoint controls having to account for home users’ systems) and part human (with no one sitting next to you to say “Hey, does this look legit to you?”), and the phishers are exploiting the pandemic to increase click rates.
The second was that traditional monitoring relied heavily on gathering logs and records of activity from across the enterprise’s servers, network perimeters, proxies, content gateways and application systems. When users and systems quickly moved to remote working, much of that visibility into attack or misuse was lost, and with it the effectiveness of operations processes. Threat detection, response, incident handling and compliance reporting were significantly impaired because businesses had been unable to adopt a flexible yet effective approach to security.
One year on, with lockdowns (and worse) still a reality in many countries, most (if not all) businesses are looking to retain the flexibility of a largely hybrid working pattern. These aspects of security therefore need to address this potentially permanent digital transformation.
Why outsource security monitoring?
With effective cyber security becoming more challenging, there are signs of rapid growth in the Managed Security Services market as businesses seek the expertise of specialist firms to provide monitoring and managed threat detection capabilities. Sources report this growth is as high as 18% CAGR. And this isn’t due just to the pandemic; these figures are part of a longer-term trend.
Security monitoring, both the technology and the processes, is complex, particularly if you are hoping to provide anything approaching 24/7 protection. In the past there was a view that with users, systems and networks on site, in-house teams were better placed than Managed Security Services Providers (MSSPs) to handle the operations burden. Now, as enterprise footprints are redefined and location constraints fall away, we can expect businesses to continue to adopt appropriate security arrangements that support this shift to remote workforces and remote hosting.
The other reason of course is that security resources are still scarce, and the kind of deep technical knowledge to handle modern, advanced security breaches remains thin on the ground. For anything other than a large organisation, resourcing, equipping and maintaining a team in a cost-effective way is difficult.
Dedicated managed security providers have an advantage. They can amortise these specialist costs across multiple customers, and even leverage increasingly competent technology across multiple customer environments. This means that the expertise is better utilised and more cost-effective, as IT security workflows and playbooks are industrialised to share expertise and economies of scale across disparate client network domains.
How are threats changing?
The people wanting to steal data, plant ransomware or compromise your systems are organised, well resourced and clever. The advances in technical sophistication and capability by security and risk teams are rapidly mimicked and even bettered by cyber attackers operating in the almost parallel “black economy”. Morality and motive aside, their capabilities are everything you would aspire for your organisation – and your security team – to be: efficient, effective, skilled, creative and well-resourced.
Attackers will seek out weaknesses in configurations, patching, security controls and even user awareness. They will exploit any weaknesses quickly and without compunction. In some sense this has always been the case, but the stakes are now higher and more intense; and as we digitally transform our economies the target surface is only getting bigger. Security teams are being challenged on many fronts: more complex threats to defend against, the moving IT perimeter, broader IT governance obligations and an ongoing skills shortage.
There is a massive asymmetry between the defensive responsibilities of the security team and the efforts of an attacker. A security team defending networks, systems and data must implement controls that cover all of the things, all of the time. An attacker, in stark contrast, only needs to find one obscure vulnerability that exists briefly to get past your defences and compromise your security efforts.
What are the advantages of adopting an MSSP?
For those businesses that decide to outsource elements of security monitoring, threat detection and response, there are often common goals and desired outcomes. What capabilities and benefits can an efficient and skilled MSSP provide?
- Chiefly, they expand the ability to detect threats – through economies of scale they can bring sophisticated capabilities and highly skilled resources to bear in your enterprise. With their systematic processes and streamlined workflows, MSSPs bring faster analytics and better security decisions. Faster response times, automation and pre-defined playbooks mean MSSPs bring a critical mass of security competence that only the largest organisations can match; and as a result, on balance, deliver more cost-effective security solutions and reduced IT security risks to their customers.
- Secondly, they allow customers to put some or all elements of operational security into the hands of a specialist provider. This means defined services, KPIs and response times for the organisation and, if appropriate, the flexibility to balance outsourced expertise with internal operational knowledge for effective threat mitigation and response. It’s all about managing IT security and risk, so in an insurance sense, external service providers offer the flexibility to seek expertise in areas of in-house deficit and so ultimately deliver a cost-effective security management capability.
- Lastly, organisations adopting an MSSP model are freed up from the routine elements of security operations. This allows them to divert their in-house expertise and resources towards local improvements in security, tightening controls or supporting business/IT projects. They can start a programme of threat hunting, boosting security controls, improving reporting of KPIs and enhancing maturity.
For businesses that want to outsource elements of security operations, a good MSSP with skilled security analysts and a well-designed technology stack can often provide capable, focussed and cost-effective managed cyber security. They can look for trends or common problems across a range of customers, optimise the responses, create and refine playbooks and, in short, leverage cross-company insights to give their customers unique visibility of the security environment.
Other businesses, who wish to retain in-house operational capability, face the same choices around the technology stack and how they build an effective operations capability. The ultimate goals are the same.