Over the past few days and weeks, more and more organizations have been asking their employees to work remotely. Many of these employees are using remote working systems that have not been operationally tested as part of the organization's core security operations monitoring. For many, this change in the way we all work will result in fewer security alerts and issues, because the corporate infrastructure will no longer see the same levels of usage in areas such as internet browsing, and users may be working from web-based applications on assets the company has not sanctioned.
It’s not getting easier for your security operations team… ask the right questions
For the security operations center (SOC) analysts, this may seem like a heavenly situation: fewer false positives to deal with, a lower likelihood of security policies being broken, and more time for all those things they wanted to concentrate on but never had the time for before. However, organizations must not treat a lack of visibility as a reason to become complacent; as security leaders, we must consider these new risks to our organizations:
- Will we even know that data and systems are being compromised?
- Are we now dependent on a wide range of key remote working solutions that don’t have proper resilience?
- Once all this is over, will we know where all our sensitive data resides?
- Are we still compliant with the IT security regulations that we need to be?
Get your security steering committee round the ‘virtual’ table
Much like the government response to the socio-economic challenges at the moment, we have to manage these challenges one day at a time. We need our equivalents of the ‘Chief Scientist’ and the ‘Chief Medical Officer’ for security to help security operations prioritize a strategic response to this potential crisis so that we are not negligent and just let security issues happen. Now is the time to gather your security team (virtually if possible) and answer a couple of the key questions:
- Are we still looking in the right direction? Are the use cases, security data sources, endpoint agents, etc. all focused on the areas that will keep our business in business? Are there any massive gaps?
- Do we have a plan to revert to normal working when all this is over? How are we recording where our data is going, how do we make sure it remains secure?
- Are we still running the right security operations model?
The solution is not technology
The solution to these issues lies in solid processes, not technology. It requires planning to establish a set of priorities for the security operations team, diverting our attention to an adjusted set of business risks. It also requires us to have a path back to normal that does not disrupt the business.
Our top business risk requirements may change, and therefore security use cases would require re-evaluation: firstly for coverage of any new data sources and new ways of working, and secondly for the protection of new key business enablers (such as remote working platforms and VPNs). We must effectively record the changes we make during this time so that we can reverse them at a later date, understanding and recording where everything that creates new risk now resides. The security part of our businesses needs to move quickly on this; it’s not just a question of “can our security operations and SOC analysts work remotely?” but also of “what new risk does this bring?” and “have our security priorities changed?”
Whether these changes are purely for our internal teams, or whether we have to engage our security service providers about moving faster to change based on new requirements, it’s clear that organizations need to complete a due diligence exercise to make sure that what they are doing to protect the organization matches the objectives set to keep cyber-risk low, adjusting in alignment with what is high-priority and what is feasible as an agile change.