

Is My Remote Workforce Visible to Our Security Operations?

by Pete Shoard  |  March 19, 2020

Over the past few days and weeks, more and more organizations have been asking their employees to work remotely. Many of these employees are using remote working systems that have never been operationally tested as part of the organization's core security operations monitoring. For many, this change in the way we all work will result in fewer security alerts and issues. This is because the corporate infrastructure will not see the same level of usage in areas such as internet browsing, and users may be working from web-based applications on assets the company has not sanctioned.

It’s not getting easier for your security operations team… ask the right questions

For the security operations center (SOC) analysts, this may seem like a heavenly situation: fewer false positives to deal with, a lower likelihood of security policies being broken, and more time to deal with all those things they wanted to concentrate on but never had the time for before. However, organizations must not treat a lack of visibility as a reason to become complacent; as security leaders, we must consider these new risks to our organizations:

  • Will we even know that data and systems are being compromised?
  • Are we now dependent on a wide range of key remote working solutions that don’t have proper resilience?
  • Once all this is over, will we know where all our sensitive data resides?
  • Are we still compliant with the IT security regulations that we need to be?

Get your security steering committee round the ‘virtual’ table

Much like the government response to the socio-economic challenges of the moment, we have to manage these challenges one day at a time. We need our security equivalents of the ‘Chief Scientist’ and the ‘Chief Medical Officer’ to help security operations prioritize a strategic response to this potential crisis, so that we are not negligent and do not just let security issues happen. Now is the time to gather your security team (virtually if possible) and answer a few key questions:

  1. Are we still looking in the right direction? Are the use cases, security data sources, endpoint agents, etc. all focused on the areas that will keep our business in business? Are there any massive gaps?
  2. Do we have a plan to revert to normal working when all this is over? How are we recording where our data is going, and how do we make sure it remains secure?
  3. Are we still running the right security operations model?

The solution is not technology

The solution to these issues lies in solid processes, not technology. It requires planning to establish a set of priorities for the security operations team, diverting our attention to an adjusted set of business risks. It also requires us to have a path back to normal that is non-disruptive.

Use your top business risks (based on recent events, as they stand today) to validate and change your security operations use cases.

Align Security Operations Use-Cases based on Key Requirements

Our top business risk requirements may change, and therefore security use cases would require re-evaluation: firstly for coverage of any new data sources and new ways of working, and secondly for the protection of new key business enablers (such as remote working platforms and VPNs). We must effectively record the changes we make during this time so that we can reverse them at a later date, understanding and recording where everything that creates new risk now resides. The security part of our businesses needs to move quickly on this. It’s not just a question of “can our security operations and SOC analysts work remotely?” but also of “what new risk does this bring?” and “have our security priorities changed?”

Whether these changes are purely for our internal teams, or whether we have to engage our security service providers about moving faster to change based on new requirements, it’s clear that organizations need to complete a due diligence exercise to make sure that what they are doing to protect the organization matches the objectives set to keep cyber-risk low, adjusting in alignment with what is high-priority and what is feasible as an agile change.


Tags: coronavirus, covid-19, emergency-planning, mss, remote-working, security-monitoring, security-operations

Pete Shoard
Sr Director Analyst I
3 years at Gartner
17 years IT Industry

Pete Shoard is part of the Security Operations team, covering analysis of and selection criteria for threat detection and response Managed Security Services (MSS) such as Managed Detection and Response (MDR) and Vulnerability Management (VM) services, as well as security detection and response technologies such as Security Information and Event Management (SIEM), User Entity Behavioral Analytics (UEBA) and Deception. He supports Gartner's ITL research in wider areas such as Security Operation Centre (SOC) best practice and security metrics and measurement.
