IBM QRadar

Maintaining Security as Organizations Mandate Work from Home

By DRAYTON GRAHAM posted Mon April 13, 2020 09:57 AM

With everything going on in the world, people and organizations have been forced to change their habits and routines; more and more states and organizations are mandating work from home (WFH).


Remote Work Poses Security Challenges

This mandate brings several challenges. One is the number and type of users that now need to work from home: there may be employees who never had a company laptop to take home but still need access to do their jobs. With the increased need for remote work, security is more important now than ever. How do we ensure these remote users are only getting access to the things they are supposed to?

Another challenge: while working from home, employees need remote access to apps, databases, and services from their endpoints, which increases the exposure of the production environment to malicious activity. It is more important now than ever to be able to monitor, correlate and respond to threats being introduced into our environments. Security teams now must help support the network folks while making sure company information is still secured.

Visibility becomes more important as the need for WFH increases, and as visibility into the environment grows, so does the ability to identify evolving threats. Once you have visibility and can identify threats, responding to those threats quickly, and in some cases automatically, can help take the pressure off organizations.

How to Maintain Security When Employees Work from Home


When it comes to maintaining security, there are a few areas to focus on that will help.


Increase Visibility


It is important to understand how your users are behaving and what they are introducing to your environment while using laptops, BYOD and non-corporate-approved technologies. Being able to monitor, correlate and respond to the threats they introduce is more important than ever.

One simple way to do this is through User Behavior Analytics (UBA). Within UBA, security teams can create watchlists and closely monitor those users that are not only critical users, but those users that your organization never gave VPN access to prior to the pandemic.

The UBA app helps determine the risk of users within the environment. UBA uses existing data within your QRadar environment to generate distinct insights about users and the risks surrounding them. Risk is determined by scoring a number of different use cases that ship with UBA and are frequently updated. User identities can also be unified by combining disparate accounts, which can be imported from LDAP, a reference table, or a CSV file.

Identify Threats

There is always someone trying to take advantage when people are vulnerable, like when employees are working on their home networks. It’s important to understand where these threats are coming from in order to defend against them effectively.

There are lists upon lists that identify malicious files, domains, URLs, and risky IP addresses. It's important to know what these IOCs are and to be able to correlate the data you have against possibly malicious IOCs. Several security companies, including IBM, offer feeds that help identify malicious files, domains, URLs, and risky IP addresses. These feeds can be pulled into your SIEM to correlate where your users are going and whether those destinations are risky IP addresses. Pull in feeds from the X-Force Threat Feed, which is available at no extra charge to QRadar customers, as well as other feeds via STIX and TAXII.

The X-Force Threat Feed is a solution that helps with monitoring for and protecting against malicious actors. The feed provides the QRadar environment with actionable indicators that integrate directly into QRadar.
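To make the two ideas above concrete (a watchlist of users who never had VPN access before the mandate, and correlating user destinations against a threat feed), here is an added example that is not IBM's or QRadar's code. The VPN log lines, the pre-WFH user baseline and the risky IP list are all constructed stand-ins for what a SIEM would receive from a VPN gateway and from a feed such as X-Force or a STIX/TAXII source.

```python
"""Added example (not IBM's or QRadar's code): correlate constructed VPN-log
lines against (a) a watchlist of users absent from the pre-WFH VPN baseline
and (b) a constructed list of risky IPs standing in for a threat feed."""
import re
from dataclasses import dataclass

# Constructed sample data; the IPs are from documentation ranges, not real indicators.
PRE_WFH_VPN_USERS = {"alice", "bob"}          # users who had VPN access before the mandate
RISKY_IPS = {"203.0.113.7", "198.51.100.22"}  # stand-in for a threat-feed IP list

VPN_LOG = """\
2020-04-13T09:01:02Z vpn-gw user=alice src=192.0.2.10 dst=10.0.0.5 action=connect
2020-04-13T09:03:15Z vpn-gw user=carol src=192.0.2.44 dst=10.0.0.5 action=connect
2020-04-13T09:05:40Z vpn-gw user=carol src=192.0.2.44 dst=203.0.113.7 action=connect
2020-04-13T09:07:01Z vpn-gw user=bob src=192.0.2.12 dst=10.0.0.8 action=connect
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    detail: str


def build_watchlist(log: str, baseline: set[str]) -> set[str]:
    """Users seen on the VPN who were not in the pre-WFH baseline."""
    seen = {m.group("user") for m in LINE_RE.finditer(log)}
    return seen - baseline


def correlate(log: str, baseline: set[str], risky_ips: set[str]) -> list[Finding]:
    """Flag activity by watchlisted users and any connection to a feed-listed IP."""
    watchlist = build_watchlist(log, baseline)
    findings: list[Finding] = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip unparseable lines rather than silently mis-matching them
        user, dst = m["user"], m["dst"]
        if user in watchlist:
            findings.append(Finding(user, "new_remote_user",
                                    f"not in pre-WFH VPN baseline, dst={dst}"))
        if dst in risky_ips:
            findings.append(Finding(user, "risky_destination",
                                    f"dst {dst} matches threat feed"))
    return findings
```

In a real deployment the baseline would come from historical VPN authentication events and the IP set from the feed itself, with the same two checks expressed as SIEM rules rather than a script.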

Be Able to Respond

As the potential for successful phishing campaigns and malware grows, it's important to have a solid playbook for how to respond to these threats. Having a seamless integration between your SIEM solution and your incident response (IR) platform, such as IBM Resilient, is key. The faster you can respond to these kinds of incidents, the quicker you can stop them from spreading. The faster you can stop threats from spreading in your environment, the faster you can move on to the next important task in your day.

Resilient empowers customers to automate and orchestrate people, processes and technology. It can act as a central location for managing incidents within the organization. Playbooks that come out of the box help organizations that may not yet have an incident response program, and Resilient can also be customized to automate processes within organizations that already have one. Its seamless integration with QRadar gives teams the ability to collaborate across both platforms simply.

Conclusion

The practices listed above are solutions to help secure an environment at a time when users must work from home. If you are using a UBA solution, create watchlists and focus on those users who do not normally work from home to ensure they are accessing the resources they should be accessing. Import any threat feeds you can to ensure those users are not becoming victims of targeted attacks. If incidents do happen, ensure that you have the proper playbooks and automations in place to resolve them as quickly as possible. The combination of QRadar and Resilient can surely help with all three of these areas.

Learn more about IBM Security’s complete threat management portfolio and how it can secure your remote workforce.
