Security Watercooler: Adapting detection to deal with remote working, with F-Secure's Tim Orchard

Wednesday, 1 April, 2020

This week we are trialling an idea around a virtual ‘Security Watercooler’. 25~30 min video calls to break up the day and showcase different viewpoints. Check out more about the concept here.

Today Robin Oldham was joined by F-Secure‘s Tim Orchard to discuss the adapting detection to deal with remote working. Here are the summary notes from the call:

It is really important to start by asking yourself ‘what are you defending?’ Detection is not your first line of defence and so you should start by looking at your attack surface, and working out what has changed (e.g. as a result of staff working from home.)

Your critical assets, and highly targeted hosts, may have changed. For example Citrix, RDP or VPN gateways. It’s not all about data loss, the weak points in your infrastructure needed to impact availability will likely have changed.

The threat landscape changed - think ‘the lounge clickers’ juggling job, childcare, and rolling news distractions. Think this means they’re likely more susceptible to phishing/scams, and that’s certainly seen in the rise in phishing emails.

Changes to network routing may have been implemented too: split tunnels for VC, audio, and other ways to bypass proxies and VPN chokepoints. How does that change your detection at each stage of the kill chain?

Lots of organisations rely on web proxy data and this is quite frequently being bypassed at the moment.

Organisations will have implicitly, if not explicitly, made an assumption on physical location. COVID-19 has fundamentally undone that overnight. Detection capability may be severely reduced if your strategy was to monitor main corporate firewalls and network chokepoints.

Detection can be used to:

  • Make sure your preventative controls are working effectively, and
  • Spot actors trying to evade those controls.

Be clear on the use cases you can detect against. You don’t need to have telemetry from everything, just have enough data points along the kill chain. You don’t need full kill chain coverage to prevent a successful attack!

Reducing the data set that you collect can make life easier - but it must be meaningful! Going back to ‘protect before detect’ if you have enabled 2FA - you don’t need to monitor failed authentications as closely if you’ve got better protection up front.

Away from technology, have you got enough people to watch it all? Most security teams wear many hats, and may be impacted by self-isolation. In the UK at least, this is no longer a three week thing, it’s 3-6 months, so this is the new normal.

Business will accept a different level of risk today than three weeks ago. But this isn’t ‘emergency/continuity’ mode and should be working out how this becomes ‘business as usual’. Therefore clarity of risk exposure/acceptance is more important than ever. If your organisation has made changes to support the sudden changes, then how long are you comfortable carrying risk before preventative measures or detection capabilities ‘catch up’?

Get everyone round the table to decide how/what to implement and change. Don’t make security an afterthought, but be conscious that usability is important.

Another hugely important consideration is if your security team can be shut out? Sophisticated actors may try to lock out or deny service to security teams in order to evade detection, or buy themselves more time if they already have a foothold. What open source intelligence can be gathered about your security team?

Lastly, an interesting point, that we have just ‘massively simplified our corporate networks.’ With the vast majority of devices no longer on the main company LAN, you can use this as an opportunity to spot unusual traffic back at base for devices that may be compromised or misconfigured!

A few links that were mentioned:

You can follow Robin on LinkedIn and @RTO and Tim on LinkedIn and @FSecure.

Use this Google Form to register and receive joining instructions for future Security Watercooler sessions.

Tomorrow, Thursday 2nd, join us at 14:00 BST for RESPOND: Remote incident response, with ContextIS‘s Stephanie Albertina.