Are Your New Remote Workers Visible to Security Operations?

April 03, 2020

Contributor: Pete Shoard

Security teams must pay close attention to how new work arrangements affect security visibility.

Due to coronavirus, companies are seeing an unprecedented amount of remote work. Whether mandated by the government or the organization, businesses are asking many (if not all) employees to work from home. While this move creates obvious challenges for IT in terms of infrastructure and capacity, it’s also creating challenges for security teams as they push to scale remote work on a rapid and global level.

Many are utilizing remote working systems that have not been operationally tested as part of their core security operations monitoring. For many, the likely result is fewer security alerts and issues because the corporate infrastructure will not be subject to the same levels of usage in areas such as internet browsing, and users may be working from web-based applications on non-company-sanctioned assets.

Don’t stop asking questions (even if it seems like you should)

For security operations center (SOC) analysts, this may seem like a heavenly situation: Fewer false positives to deal with, lower likelihood of security policies being broken and more time to deal with all those things they want to concentrate on but never had the time for before.

But fewer alerts do not equate to being more secure; rather, it might mean you are blinded by a lack of visibility. A lack of visibility does not equate to a lack of security vulnerabilities. Security leaders must consider these new risks to our organizations:

  • Will we even know that data and systems are being compromised?
  • Are we now dependent on a wide range of key remote working solutions that don’t have proper resilience?
  • Once all this is over, will we know where all our sensitive data resides?
  • Are we still compliant with the IT security regulations that we need to be?

Gather your security steering committee 

It’s time to gather your team (assuming you haven’t already done so) around the (possibly virtual) table. Much like the government response to the socioeconomic challenges at the moment, we have to manage these challenges one day at a time.

Where the government will have top medical experts, your table should have not just management, but a variety of security skill sets. The goal should be to help security operations prioritize a strategic response to this potential crisis so that we are not negligent. We don’t want to adopt an attitude where we just let security issues happen. Once gathered, answer a couple of the key questions:

  1. Are we still looking in the right direction? Are the use cases, security data sources, endpoint agents, etc., all focused on the areas that will keep our business in business, and are there any massive gaps?
  2. Do we have a plan to revert to normal working when all this is over? How are we recording where our data is going, and how do we make sure it remains secure?
  3. Are we still running the right security operations model?

The solution is not technology

The solution to these issues lies in solid processes, not technology. The goal is twofold: Establish a set of priorities for the security operations team and focus on an adjusted set of business risks. But don’t neglect to establish a path to return to normal in a nondisruptive way when the time comes.

As business requirements shift and flex in the current environment, security use cases will require reevaluation. First, we need to account for any new data sources and new ways of working. Second, think about the protection of new key business enablers (such as remote working platforms or VPNs).

Part of this process will be to meticulously document all changes so they can be reversed at a later date, understanding and recording where everything that creates new risk now resides. Even if these are strategic changes, evaluate carefully, as most are probably tactical at this point. You’ll need to reevaluate the path taken to ensure it is robust. 

The security part of our businesses needs to move quickly on this. It’s not just a question of “Can our security operations and SOC analysts work remotely?” but also “What new risk does this bring?” and “Have our security priorities changed?”

Whether these changes are purely for our internal teams or whether we have to engage our security service providers about moving faster to change based on new requirements, it's clear that organizations need to complete a due diligence exercise to make sure that what they are doing to protect the organization matches the objectives set to keep cyberrisk low. Adjusting in alignment with what is high priority and what is feasible is an agile change.

Pete Shoard is part of the Security Operations team, covering analysis of and selection criteria for threat detection and response Managed Security Services (MSS) such as Managed Detection and Response (MDR) and Vulnerability Management (VM) services. This blog was originally published on the Gartner Blog Network.
