A survey of more than 270 cybersecurity professionals published in late June by the host of the Black Hat Conference found that 80% believe the pandemic will lead to significant changes in cybersecurity operations, and only 15% believe that security operations (SecOps) and threats will return to “normal” levels once the COVID-19 pandemic subsides. Here are some details on what we’re seeing and what CISOs are dealing with, for better or worse.
1. Increased Threat to Enterprise Systems & Data
The Black Hat survey found that nearly 95% of security professionals believe that the COVID-19 crisis increases the cyber threat to enterprise systems and data, with 24% saying the increased threat is “critical and imminent.” The FBI backs that up: in April, the Internet Crime Complaint Center (IC3) reported that it was seeing a 300% spike in cybercrime since the beginning of the pandemic. During a webinar hosted by the Aspen Institute, Tonya Ugoretz, the deputy assistant director of the FBI’s Cyber Division, said that the IC3 was receiving between 3,000 and 4,000 cybersecurity complaints each day: a major jump from pre-pandemic levels of about 1,000 daily complaints.
But who—and what—are the crooks targeting? Are they after the legions of new Work From Home (WFH) end users? That might make sense on the face of it: after all, a survey of end users working for small businesses found that after the pandemic hit, more than two-thirds of employees—68%—reported that they had begun to use their own computers for work. Only one-third of them—34%—reported that they had received instructions on how to securely use their personal laptops, tablets, and smartphones to do so. That’s a recipe for a nightmare, given many businesses’ lack of visibility into endpoints touching their networks… unless, that is, they have adequate Endpoint Detection and Response (EDR) tools: tools that provide not only visibility into the threats coming in, but which automatically mitigate them via artificial intelligence agents that learn to spot malicious behavior and cut it off before threats strike.
Without such tools, no one knows what could be happening on those personal machines, any of which may be processing company data and/or accessing the corporate infrastructure. For example, a survey from Kaspersky found that 33% of respondents admitted to visiting adult websites on their personal PC—as in, the ones they also use for work. Unfortunately, that’s how cybercrooks catch victims, committing crimes such as stealing payment card details or tricking users into installing malware—including ransomware.
But how is targeting end users new? It’s not, says SentinelOne CISO Chris Bates. The criminals are targeting end users, but they’ve always done that, he points out, pandemic or no pandemic. The problem is that businesses lack visibility into what’s happening on their endpoints: in other words, they don’t know what’s happening on all those laptops, tablets and smartphones that are now touching their infrastructure. “We’re seeing two things: one, a mass transition to WFH, and those businesses don’t have the visibility they need to catch threats; and two, the level of access is too broad,” Bates says. “For example, with VPNs [virtual private networks]: they don’t have the visibility or tool set to defend a distributed workforce like that.”
Not-so-secure business computers mixed in with WFH setups mean a bigger attack surface, Bates says. It creates “a lot more noise” that strains companies’ threat detection systems, and “that noise can cover up actual attacks,” he says. Being able to separate static from true threats is one of the biggest selling points of SentinelOne’s ActiveEDR, which can distinguish actual attacks from the random bugs and other noise that wastes human security analysts’ precious time by sending them on wild forensic goose chases.
2. Where Do You Put Your Security?
According to Nicholas Bloom, an economist at Stanford University, an estimated 26% of the US labor force can’t work remotely. The flip side of that coin: 74% of the country’s labor force can. Obviously, the pandemic means that the way that people consume information from enterprises has changed. All the communication we used to do, and the way we’ve always sold products, has changed. Everything has to be done on the web, and everything therefore has to be secured.
But where? Where do you secure that data? Do you put security on premises, off-premises, in the cloud, on the physical devices themselves? Those choices have implications, according to Migo Kedem, SentinelOne Senior Director of Products and Marketing. For example, if you have an EDR solution that relies on cloud connectivity to make a detection, any given threat has that much more dwell time—i.e., time during which an attacker enjoys free rein in an environment. That’s not good.
That leaves end devices as the logical place to put security, Kedem says, and that’s where SentinelOne focuses its ActiveEDR technology: technology that tracks and contextualizes everything on a device and which identifies malicious acts in real-time, automating the required responses to shut them down. “All security has to be on the user device,” he says. “Why should you care? Because it’s the only defense mechanism you have, locally. If users are connecting from home, via WiFi, you don’t have anything you can trust.”
For CISOs, that’s a “big, big problem,” Kedem says. The pandemic hit, and many, many organizations were unprepared. Even those corporations that were already in the cloud still had islands of internal servers, he points out, and many had to choose between compromising on security versus productivity. “It’s a hard discussion for CISOs to have,” he says. CISOs are often between a rock and a hard place: often, you’re the “No-No” man or woman: No, it’s not secure. No, we have to block this. No, we have to block that. But when it comes to productivity, CISOs can’t say no all the time. They have to say “Yes, let’s do it, but let’s secure it.”
“For the business to really grow, and to grow well, everyone’s working from home,” Kedem says. “It’s back to basics for CISOs. Whenever they have a service that they can’t secure properly, but that’s generating for the business, they have to say, ‘How do we take that risk?’ If it’s ‘No,’ that’s going to lead to a clash with the CEO and other executives.”
The path to “Yes”: secure the end devices that are being used by masses of new WFH staff.
3. Getting Sucked Into the RDP Security Hole
Another repercussion of the spike in WFH: the rise of RDP brute-force attacks since the onset of the pandemic. In March, Shodan, the search engine for Internet-connected devices, began tracking an uptick in the number of devices exposing RDP to the internet. That makes sense, notes Shodan founder John Matherly, given how many organizations are moving to remote work. In April, Kaspersky reported the same thing: namely, that the number of Bruteforce.Generic.RDP attacks had “rocketed across almost the entire planet” since March.
Poorly configured RDP servers make a tempting target. Microsoft’s proprietary protocol is one of the most popular application-level protocols for accessing Windows workstations or servers. With the rise in RDP comes a fresh batch of potential targets, which has led to an increase in cybercriminal activity as crooks try to exploit the situation to attack corporate resources that “have now been made available (sometimes in a hurry) to remote workers,” notes Kaspersky’s Dmitry Galov.
These aren’t just phishing attacks going after end users’ credit card details. These are attacks coming for the crown jewels: not only all of an enterprise’s data, but also whatever ransom the extortionists can get out of paralyzed companies. Jarred Phipps, SentinelOne Sales Engineering Lead, says that all the big ransomware attacks these days are coming in via RDP. Ransomware, in fact, is where most cybercrime is pivoting, he says. You can see the attraction: Bitcoin, the currency these crooks demand, is both valuable and keeps crooks safer from being tracked, given that it doesn’t involve traceable wire transfers. In addition, the extortionists are well aware that these days, insurance companies will pay the ransom.
These attacks aren’t likely to stop anytime soon. If you must use RDP servers, hopefully your SOC or MDR is brushing up on how to harden those servers: after all, misconfigured RDP servers are a major Achilles heel. To help with that work, earlier this month, SentinelOne released an eBook on Understanding Ransomware in the Enterprise, a comprehensive guide to helping organizations understand, plan for, respond to and protect against this widespread threat.
As far as RDP-related threats such as the BlueKeep vulnerability or credential-theft tools like Mimikatz go, this is where the ability to stop a zero day makes a crucial difference. There’s just no substitute for autonomous protection in today’s threatscape, whether there’s a pandemic raging or not. In one case study of stopping Mimikatz, for example, SentinelOne stopped an attack from infecting machines and from spreading further across a client’s network, despite the fact that the attempt to compromise these machines via RDP was using valid scraped credentials, says SentinelOne’s Igor Glik.
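The RDP brute-force wave described above leaves a very recognizable trace in the Windows Security log: bursts of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, cycling through usernames, sometimes followed by a successful logon (Event ID 4624) from the same address, which is what a valid scraped credential looks like from the defender’s side. The following is an added example, not code from the original post or from SentinelOne; it runs over a constructed, simplified CSV export of such events (the field layout, the addresses and the usernames are all made up for the example) and flags source addresses that produce a burst of RDP failures inside a short window, recording whether a success followed.

```python
"""Flag RDP brute-force bursts in a simplified Windows Security log export.

Added example (not from the original post). Assumptions: the export is CSV with
the columns timestamp,event_id,logon_type,target_user,source_ip; Event ID 4625
is a failed logon, 4624 a successful one, and logon type 10 is RDP. All sample
rows below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one brute-force burst that ends in a successful
# logon, one user who mistyped a password twice, and one slow trickle of
# failures that never reaches burst volume.
SAMPLE_LOG = """\
2020-06-15T02:00:01,4625,10,administrator,198.51.100.23
2020-06-15T02:00:09,4625,10,administrator,198.51.100.23
2020-06-15T02:00:20,4625,10,admin,198.51.100.23
2020-06-15T02:00:31,4625,10,backup,198.51.100.23
2020-06-15T02:00:45,4625,10,backup,198.51.100.23
2020-06-15T02:01:02,4625,10,test,198.51.100.23
2020-06-15T02:01:40,4624,10,backup,198.51.100.23
2020-06-15T08:15:00,4625,10,jsmith,203.0.113.5
2020-06-15T08:15:30,4625,10,jsmith,203.0.113.5
2020-06-15T08:16:00,4624,10,jsmith,203.0.113.5
2020-06-15T09:00:00,4625,10,svc_scan,192.0.2.77
2020-06-15T10:00:00,4625,10,svc_scan,192.0.2.77
2020-06-15T11:00:00,4625,10,svc_scan,192.0.2.77
2020-06-15T11:05:00,4625,2,svc_scan,-
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Turn the CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for every address with at least `threshold`
    RDP logon failures inside some span no longer than `window`.

    Each finding records the total failures, the usernames tried, and whether
    the same address later logged on successfully over RDP (the sign that one
    of the guessed or scraped credentials was valid)."""
    by_src = defaultdict(list)
    for ev in events:
        # Only RDP logons with a real source address matter here.
        if ev["logon_type"] == RDP_LOGON_TYPE and ev["src"] != "-":
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        # Sliding window over consecutive failures: is any run of `threshold`
        # failures packed into `window` or less?
        burst = any(
            failures[i + threshold - 1]["time"] - failures[i]["time"] <= window
            for i in range(len(failures) - threshold + 1)
        )
        if not burst:
            continue
        first_failure = failures[0]["time"]
        success_after = any(
            e["event_id"] == SUCCESS_LOGON and e["time"] > first_failure
            for e in evs
        )
        findings[src] = {
            "failures": len(failures),
            "users_tried": sorted({e["user"] for e in failures}),
            "success_after_failures": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

The threshold and window are the knobs a SOC tunes to its own environment; the user who mistyped twice and the hourly service-account failure stay below them, while the burst that ends in a successful `backup` logon is exactly the event that deserves an immediate look, and in a real deployment the success-after-failures flag is the one to page on.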
4. Perils of Shifting to the Cloud
Everybody is, understandably, trying to shift SecOps to the cloud, according to SentinelOne’s Bates and Phipps. A global survey of 750 IT professionals conducted by the market research firm Vanson Bourne on behalf of Barracuda Networks confirms this: the survey found that 51% of respondents are either in the process of deploying or expect to move off of VPNs to embrace software-defined wide area networks (SD-WANs) that scale better to access distributed cloud applications. Just under a quarter—23%—had already deployed an SD-WAN as of early June.
Unfortunately, some companies don’t know how gnarly the move is. “It’s a lot more than putting stuff in AWS [Amazon Web Services],” Bates says. “They’re porting their old stuff into the cloud, but it’s definitely the same old stuff, just in a different data center.”
What they might be missing, Phipps says, is the broader set of security implications that the architecture of cloud systems brings with it. “They’re not thinking security, let alone advanced security,” he says. If they’re trying to figure out how to apply security after the fact, they’re basically redesigning. SentinelOne is seeing many companies now facing that challenge—consequently, it’s also seeing increased demand for its Cloud Workload Protection product. Purpose-built for containers, including managed or unmanaged Kubernetes systems, the product delivers SentinelOne’s patented Behavioral AI and autonomous response capabilities across all major Linux platforms, physical and virtual, cloud native workloads, and containers, providing cyber threat prevention, detection, response, and hunting. It targets both malicious files and live attacks across cloud-native and containerized environments, offering advanced response options and autonomous remediation.
In some cases, the different architecture in the cloud means that the way you do security has to evolve. Vulnerability assessment is one example: Before the move to the cloud, you would walk into a data center. You’d have servers to count and applications to assess: Do they need to be patched? In contrast, servers in the cloud are dynamic: each one is defined by code, a recipe from which instances are built. A given server may live a day, an hour, or a minute before it scales down. As business needs change, developers constantly change those recipes.
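Because an instance may be gone before a scanner ever reaches it, the practical consequence of the paragraph above is that vulnerability assessment moves from the running server to the recipe it was built from: assess each image once, then map every instance back to its image, and treat an instance that was not built from any known recipe as a finding in its own right. The following is an added example, not code from the original post or from any of the companies quoted; the image manifests, the advisory list (the `ADV-EXAMPLE-*` ids are placeholders, not real advisories) and the instance snapshot are all constructed for the example.

```python
"""Assess cloud workloads by image recipe rather than by visiting each server.

Added example (not from the original post). Assumptions: an image manifest
lists the packages baked into the image with their versions; an advisory names
a package and the first version that contains the fix; the fleet snapshot says
which image each running instance was launched from. Every value below is
constructed for this example, and the advisory ids are placeholders.
"""
from itertools import zip_longest

# Constructed image recipes: image name -> packages baked in.
IMAGES = {
    "web-2020.06.01": {"packages": {"openssh": "8.2", "libexample": "2.4.1", "exampled": "1.9"}},
    "web-2020.06.14": {"packages": {"openssh": "8.3", "libexample": "2.4.3", "exampled": "1.9"}},
}

# Constructed advisory list (placeholder ids, hypothetical packages).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "libexample", "fixed_in": "2.4.3"},
    {"id": "ADV-EXAMPLE-2", "package": "exampled", "fixed_in": "2.0"},
]

# Constructed snapshot of what is running at this moment. The last instance
# was not launched from any image in the recipe inventory.
INSTANCES = [
    {"id": "i-0001", "image": "web-2020.06.01"},
    {"id": "i-0002", "image": "web-2020.06.14"},
    {"id": "i-0003", "image": "web-2020.06.14"},
    {"id": "i-0004", "image": "web-hotfix-manual"},
]


def parse_version(version):
    """Dotted numeric version string -> tuple of ints (simplified scheme)."""
    return tuple(int(part) for part in version.split("."))


def version_less(a, b):
    """True if version a is older than b; missing trailing parts count as 0."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return x < y
    return False


def assess_image(packages, advisories):
    """Findings for one image: every advisory whose package is installed at a
    version older than the fixed one."""
    findings = []
    for adv in advisories:
        installed = packages.get(adv["package"])
        if installed is not None and version_less(installed, adv["fixed_in"]):
            findings.append({
                "advisory": adv["id"],
                "package": adv["package"],
                "installed": installed,
                "fixed_in": adv["fixed_in"],
            })
    return findings


def assess_fleet(images, instances, advisories):
    """Assess each recipe once, then attribute running instances to recipes.

    Instances whose image is not in the recipe inventory are reported
    separately: nobody knows what is in them, which is its own problem."""
    report = {"images": {}, "unknown_images": {}}
    for name, image in images.items():
        report["images"][name] = {
            "findings": assess_image(image["packages"], advisories),
            "instances": [],
        }
    for inst in instances:
        if inst["image"] in report["images"]:
            report["images"][inst["image"]]["instances"].append(inst["id"])
        else:
            report["unknown_images"].setdefault(inst["image"], []).append(inst["id"])
    return report


def exposed_instances(report):
    """Ids of instances currently running an image that has at least one finding."""
    return sorted(
        inst_id
        for image in report["images"].values() if image["findings"]
        for inst_id in image["instances"]
    )


if __name__ == "__main__":
    fleet = assess_fleet(IMAGES, INSTANCES, ADVISORIES)
    for name, image in fleet["images"].items():
        print(name, len(image["findings"]), "finding(s), running on", image["instances"])
    print("unknown images:", fleet["unknown_images"])
    print("exposed now:", exposed_instances(fleet))
```

The point of the design is that the expensive part, the assessment, happens per image and is valid for every instance that image ever produces, however short-lived, and that the remediation unit is the recipe: rebuilding `web-2020.06.01` and rolling it out fixes `i-0001` without anyone logging on to it. The real version schemes of Linux distributions are richer than the dotted-integer comparison used here and need a distribution-aware comparator.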
Joe Knape is Director, Digital Transformation & Strategy/Agile Delivery/Enterprise Architecture/Cloud at Infoedge LLC, a management consultancy. He agrees with what everybody else in the space is saying: More companies are moving more rapidly to the cloud because they realize that digital transformation has to happen faster, mostly due to WFH mandates. That, and the fact that for smaller, brick and mortar businesses, nobody’s walking through the door. Those businesses have got to provide other services, digitally or virtually. They used to knock on the gate at Bob’s Junk Yard & Auto Parts to pick and pull parts, but if Bob wants his business to survive, he’s had to make his inventory digital and put it online. “That’s where COVID’s pushing things,” Knape says.
Here’s the thing, though: does Bob’s have the skill set within its ranks? “As far as security is concerned, especially in case of rapid movement, [change] is mostly around people,” Knape says. “Do your people have the skill sets to do the job? Depending on which companies we’re talking about—as in, how deep their security posture was pre-pandemic—the answer is, ‘Probably not.’”
5. Brand-new Skills Shortages
Cloud security skills—#SecDevOps—are just one of at least two types of security skills shortages that the pandemic is either causing or worsening. The other is regulatory compliance skills. Think about it: who would have predicted, six months ago, that a bike-sharing company would start taking the temperature of workers when they clock in, meaning that they’re suddenly in possession of health records, subject to regulations such as HIPAA? … that local craft breweries would be collecting contact tracing details? … or that such details might be abused by employees who collect them? Case in point: A woman in Auckland, New Zealand, bought a sandwich at a fast-food shop, gave her contact tracing details to a worker, and consequently got hit up for a date via Facebook, Instagram, Messenger and texting.
There are obviously good reasons why companies and governments should be paying excruciating attention to how to protect privacy as countries and states gradually retreat from lockdown and institute ways to do so safely. It’s been all over the map.
That was evidenced by a survey done by PwC, which developed a contact-tracing app to help employers identify workers who may have been exposed to the virus. The survey found that, as of April, governments around the world had issued more than 60 directives regarding protecting data privacy while responding to the pandemic.
What to Do First?
What’s the answer? If you’re looking for a new job, you might want to consider specializing in regulatory compliance. If you’re a CISO thinking about heading to the cloud, you’ve got a few things to keep in mind: if the business is small, you might have one person working part-time doing anti-virus scans. Well, that process may no longer work in the cloud. If you’ve got a 50-person SecOps team, already responsible for all your servers, routers, switches and more, they still have to deal with all that—plus the infrastructure that’s moved to the cloud.
“They’re strained,” Knape says. “They’re already being asked to do more with less, and now it’s more with less. And it’s completely different from what they were doing yesterday. You have a balloon. You can only squeeze it so hard before it bursts.”
Knape suggests sticking with what they know. Don’t go multi-cloud. Pick one cloud vendor and stick to it. If you’re a Google or AWS shop, be that Google or Amazon customer. If you’re a Microsoft shop, go with Microsoft Azure. “Why learn a different language?” Knape says. “Think data security as opposed to network or infrastructure security, and pick a cloud and stick with it. Learn to be an expert, and have your people be experts in that cloud.”
Even if you do that, your security team will likely still be stressed and stretched thin. On the plus side, WFH means that you might be free to hire anywhere you can find talent, regardless of where you’re geographically located.
Beyond “hire anywhere you can find talent,” now might just be the perfect time to start thinking about sourcing talent that doesn’t need to sleep. Now might be the time to start thinking of artificial intelligence plugged into every endpoint: helpers that can whittle down all those false flags your stretched-thin security analysts are chasing down. Now might be the right time for ActiveEDR and its autonomous, automatic mitigation.