We are truly in unprecedented times, and I am proud to be an IBMer when I look around and see how my fellow IBMers are responding and pulling together for one another and for our clients and partners. We have witnessed a seismic shift in the way organizations operate: over a very short period, organizations have moved a significant percentage of their workforce to a work from home (WFH) model.
The rapid shift to WFH immediately raises a number of security concerns. As an organization adds endpoints connecting to its network, it expands its potential attack surface. Since the shift to WFH, IBM X-Force teams have seen a significant rise in phishing attacks and targeted malware campaigns aimed at vulnerable end users. As public concern about the pandemic has grown, there has been a commensurate rise in newly registered domains built around pandemic keywords, with spikes in medical and world-health-related domains and in the phishing and malware campaigns associated with them. These campaigns often target vulnerable populations and remote working tools, using keywords such as #prescription, #vaccine and #PPE. In most cases they are highly targeted and are designed to steal credentials, deliver malware and hijack systems. With truly stealthy attacks, organizations may not learn the full impact of a compromise for a long time.
Now is the time for organizations to expand their monitoring. Those that have not yet introduced endpoint monitoring, monitoring of cloud usage (both IaaS and SaaS), a policy built on least privilege, and active user behavior monitoring and analytics should do so now. Organizations without a secure BYOD policy, or without monitoring for malicious behavior and the use of unsanctioned applications, are finding themselves scrambling to catch up. Without these measures, organizations, along with their intellectual property and other corporate assets, remain at risk. An integrated set of security analytics and response tools should be considered the minimum viable platform.
Establishing Best Practices
To address these challenges, there are a number of best practices that organizations can adopt right away including:
- Collect all of the appropriate log data. This should include not only the relevant firewall, VPN, endpoint and related filter logs but also logs from cloud services and related platforms.
- Collect network flow records. Flows are an important part of the overall threat monitoring equation. Because they are generated by the network infrastructure rather than by the monitored hosts, an attacker who compromises an endpoint cannot easily suppress or alter them, and they provide high fidelity insight into overall network behavior.
- Leverage User Behavior Analytics (UBA). If you do not have a UBA system installed, start now. If you already have a program in place, make sure it is updated and that the latest reference sets are loaded, including those focusing on access, accounts and privileges.
- For QRadar clients, fully utilize the Use Case Manager app. With the QRadar Use Case Manager, users can quickly review existing use cases for accuracy, tune watch lists and monitoring logic, and optimize their overall QRadar network configuration directly from the application.
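The list above asks for VPN logs and flow records to be collected and for user behavior analytics to be applied to them. The following is an added example, not code from the original post and not part of QRadar, of the simplest form of that analysis: VPN authentication events and flow records are joined through the address the VPN assigned to each session, a seven-day baseline is built per user, and the observed day is checked for a login from a country never seen before, an egress volume well above the user's average, a user with no history at all, and flows from an address that no VPN session owned that day. The log formats, user names, addresses, byte counts and the 5x spike threshold are all constructed for illustration.

```python
"""
Added example, not code from the original post or from IBM QRadar: a small
user-behavior baseline built from the two record types the list above asks
you to collect, VPN authentication logs and network flow records. The log
format, user names, addresses and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from statistics import mean

# Constructed log formats (hypothetical; real VPN and flow exporters differ).
VPN_RE = re.compile(
    r"^(?P<day>\S+) vpn user=(?P<user>\S+) country=(?P<country>[A-Z]{2}) assigned=(?P<ip>\S+)$")
FLOW_RE = re.compile(r"^(?P<day>\S+) flow src=(?P<ip>\S+) bytes_out=(?P<bytes>\d+)$")

BASELINE_DAYS = [f"2020-04-0{i}" for i in range(1, 8)]   # seven days of history
OBSERVED_DAY = "2020-04-08"

def vpn_line(day, user, country, ip):
    return f"{day} vpn user={user} country={country} assigned={ip}"

def flow_line(day, ip, nbytes):
    return f"{day} flow src={ip} bytes_out={nbytes}"

# Constructed sample: three users with a steady week, then one unusual day.
SAMPLE_LOGS = []
for _day in BASELINE_DAYS:
    SAMPLE_LOGS += [vpn_line(_day, "alice", "US", "10.8.0.11"), flow_line(_day, "10.8.0.11", 1_000_000_000),
                    vpn_line(_day, "bob", "US", "10.8.0.12"),   flow_line(_day, "10.8.0.12", 500_000_000),
                    vpn_line(_day, "carol", "CA", "10.8.0.13"), flow_line(_day, "10.8.0.13", 200_000_000)]
SAMPLE_LOGS += [
    vpn_line(OBSERVED_DAY, "alice", "US", "10.8.0.11"), flow_line(OBSERVED_DAY, "10.8.0.11", 800_000_000),
    vpn_line(OBSERVED_DAY, "bob", "RO", "10.8.0.12"),   flow_line(OBSERVED_DAY, "10.8.0.12", 6_000_000_000),
    vpn_line(OBSERVED_DAY, "carol", "CA", "10.8.0.13"), flow_line(OBSERVED_DAY, "10.8.0.13", 100_000_000),
    vpn_line(OBSERVED_DAY, "dave", "US", "10.8.0.14"),  flow_line(OBSERVED_DAY, "10.8.0.14", 50_000_000),
    flow_line(OBSERVED_DAY, "10.8.0.99", 300_000_000),  # no VPN session owns this address today
]

def parse(lines):
    """Split raw lines into VPN login dicts and flow dicts; unknown lines are ignored."""
    logins, flows = [], []
    for line in lines:
        m = VPN_RE.match(line)
        if m:
            logins.append(m.groupdict())
            continue
        m = FLOW_RE.match(line)
        if m:
            flows.append({"day": m["day"], "ip": m["ip"], "bytes": int(m["bytes"])})
    return logins, flows

def attribute_flows(logins, flows):
    """Join flow bytes to users through the address the VPN assigned that day.
    Returns ({(user, day): bytes_out}, [orphan flows with no session that day])."""
    owner = {(l["day"], l["ip"]): l["user"] for l in logins}
    totals, orphans = defaultdict(int), []
    for f in flows:
        user = owner.get((f["day"], f["ip"]))
        if user is None:
            orphans.append(f)
        else:
            totals[(user, f["day"])] += f["bytes"]
    return totals, orphans

def build_baseline(logins, totals, days):
    """Per user: the set of countries seen and the mean daily egress over the baseline window."""
    countries = defaultdict(set)
    for l in logins:
        if l["day"] in days:
            countries[l["user"]].add(l["country"])
    per_user = defaultdict(list)
    for (user, day), b in totals.items():
        if day in days:
            per_user[user].append(b)
    return countries, {u: mean(v) for u, v in per_user.items()}

def detect(lines, baseline_days=BASELINE_DAYS, day=OBSERVED_DAY, spike_ratio=5.0):
    """Return sorted (user, signal, detail) tuples for the observed day."""
    logins, flows = parse(lines)
    totals, orphans = attribute_flows(logins, flows)
    countries, mean_egress = build_baseline(logins, totals, set(baseline_days))
    alerts = set()
    for l in logins:
        if l["day"] != day:
            continue
        if l["user"] not in countries:
            # First time this user is seen: nothing to compare against, so surface it rather than stay silent.
            alerts.add((l["user"], "no_baseline", l["country"]))
        elif l["country"] not in countries[l["user"]]:
            alerts.add((l["user"], "new_country", l["country"]))
    for (user, d), b in totals.items():
        if d == day and user in mean_egress and b > spike_ratio * mean_egress[user]:
            alerts.add((user, "egress_spike", str(b)))
    for f in orphans:
        if f["day"] == day:
            alerts.add(("<unattributed>", "orphan_flow", f["ip"]))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Running it on the constructed sample flags bob for both a login from a new country and an egress volume twelve times his baseline, dave as a user with no history, and the flow from 10.8.0.99 as traffic from an address the VPN never assigned that day; alice and carol produce nothing. The point of keeping the orphan-flow signal is that it depends only on the flow record, which the endpoint cannot suppress, so it still fires if an attacker has tampered with host-side logging.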
Not Just What – But Also How
What you deploy is critically important. In the current environment, however, how you deploy these protections matters too, especially when staffing is limited and travel to physical locations is restricted and carries additional personal safety concerns. Nearly all industries and verticals have been part of the transformational wave of moving workloads to the cloud, and current events have accelerated this and added a sense of immediacy. Organizational leaders are looking for ways to monitor their environments while taking cost out of their overall IT spend and reducing internal dependencies on critical data center tasks. They need financial predictability and a way to better enable their employees.
SaaS can provide an excellent way for organizations to accelerate time to value and lower their deployment and ongoing maintenance costs. Done right, security intelligence and analytics delivered as a service gives users a platform for use case scalability and future extensibility. With QRadar on Cloud, users have a fully monitored platform delivered on secured IBM Cloud infrastructure spanning the globe. The service is supported by an always-on DevOps team with a follow-the-sun support model, and it provides the protections and defenses synonymous with QRadar.
With the right protections and best practices in place, organizations are better positioned to monitor and defend their environments effectively, now and into the future.