Updated: 3/23/22
What are the increased risks resulting from remote workers? Why is it increased for these workers? How does the threat landscape change once outside your network? These are some of the questions you need to answer. The answers will be different for every organization and depend on the data and type of work being conducted by remote workers.
It’s all about the fundamentals. Think "Adapting on-prem mentalities to be mobile friendly".
Below are the top areas that I believe need to be addressed and where the challenges for remote endpoints lie.
Baselining and asset management
Blindly sending assets into the field can cause a headache down the road. Keeping an accurate record of which asset was assigned to whom allows for auditability. Additional details contained within the asset inventory, such as hardware and software configuration, will aid in support and security decisions. Hardware-based vulnerabilities are just one example of this. Having the ability to quickly search your asset management system for a specific model of hardware will make your risk assessment somewhat less painful. The same goes for identifying end of life (EOL) hardware and software.
Baselining provides you the ability to quickly deploy assets that are configured in an identical manner. These baselines should include industry best practices related to patch management and system hardening. Knowing that every system has been deployed securely in the same manner helps considerably with incident response because you can compare your clean baseline to the asset in question. Not to mention, it makes deploying security-related configuration changes a lot easier. You know that if a change works on one machine it will most likely work on all the others, potentially reducing alert fatigue and false positives.
Tip: Baseline security examples include patch schedules and deadlines, OS hardening, encryption, user limitations (USB blocking, App allow listing, removal of admin priv, etc.) and security applications. This is easily accomplished using an MDM solution such as Intune. Open-source asset management systems such as Snipe can quickly aid in the asset inventory process.
Visibility
Organizations invest a large number of resources into logging and SIEM. These logs provide great insight for system administrators and security professionals. The sources of these logs can span a large array of security controls including DLP, firewall, IDS, IPS, web proxy, DNS, endpoint protection, system logs, etc. This data aggregated into a SIEM provides the visibility and insight needed to make security decisions.
Most logging capabilities are static and require the endpoint to reside within the organization's network. Once an endpoint leaves this network it essentially goes black. The topic of visibility goes together with the next section, "control". I chose this as the first topic because without some form of logging and audit capability, controls are only so useful.
While products such as next generation EDR tend to cost more money, they can provide security professionals with a great deal of useful information. With the limitations of visibility on remote assets, these products tend to be worth the extra money. Depending on the product, one may be able to check multiple boxes such as application inventory, URL and DNS logging and vulnerability management.
Tip: If you are a Microsoft shop, I recommend leveraging the Azure Log Analytics agent. This is similar to a Splunk forwarder and is capable of being remotely managed from the Azure console. There is no need to push logging config files to each endpoint when additional data is needed. This will allow you to aggregate all remote endpoint-based logs and either leverage Sentinel as the SIEM or forward them to an on-prem solution. This of course will only satisfy a few of the visibility requirements.
Data you want: Application inventory, DNS, AV, EDR (Sysmon is free), web access log.
Data you might want: System events, authentication logs, firewall logs
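The two questions raised above, which assets of a given model or past EOL are in the field (asset management section) and which remote endpoints have gone black because their log agent stopped checking in (visibility section), can be answered from an asset inventory joined with agent heartbeat logs. This is an added example, not code from the post; the inventory records, asset tags, models, EOL dates and heartbeat lines are all constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: asset tag -> who it was issued to, model, EOL date, remote or not.
INVENTORY = {
    "LT-0001": {"user": "alice", "model": "Latitude 7400", "eol": "2024-06-30", "remote": True},
    "LT-0002": {"user": "bob",   "model": "Latitude 5490", "eol": "2021-12-31", "remote": True},
    "LT-0003": {"user": "carol", "model": "Latitude 7400", "eol": "2024-06-30", "remote": False},
    "LT-0004": {"user": "dave",  "model": "ThinkPad T480", "eol": "2022-01-31", "remote": True},
}

# Constructed agent heartbeat lines, in the key=value shape a log forwarder might emit.
HEARTBEATS = """\
2022-03-22T08:00:11Z agent=la host=LT-0001 event=heartbeat
2022-03-22T08:01:02Z agent=la host=LT-0003 event=heartbeat
2022-03-20T17:45:39Z agent=la host=LT-0002 event=heartbeat
2022-03-23T07:59:58Z agent=la host=LT-0001 event=heartbeat
""".splitlines()

# Constructed "now" so the report is reproducible.
NOW = datetime(2022, 3, 23, 12, 0, tzinfo=timezone.utc)

def parse_heartbeat(line):
    """Return (host, utc timestamp) for a heartbeat line, or None for any other event."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    if kv.get("event") != "heartbeat" or "host" not in kv:
        return None
    return kv["host"], datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def last_seen(lines):
    """Most recent heartbeat per host."""
    seen = {}
    for line in lines:
        parsed = parse_heartbeat(line)
        if parsed:
            host, ts = parsed
            seen[host] = max(seen.get(host, ts), ts)
    return seen

def dark_remote_assets(inventory, lines, now, max_silence=timedelta(hours=24)):
    """Remote assets with no heartbeat inside max_silence; never seen also counts as dark."""
    seen = last_seen(lines)
    return {tag: rec["user"] for tag, rec in inventory.items()
            if rec["remote"] and (tag not in seen or now - seen[tag] > max_silence)}

def assets_by_model(inventory, model):
    """Asset tags of a given hardware model, e.g. when a hardware-based vulnerability lands."""
    return sorted(tag for tag, rec in inventory.items() if rec["model"] == model)

def eol_assets(inventory, today):
    """Asset tags whose hardware EOL date has already passed."""
    return sorted(tag for tag, rec in inventory.items()
                  if datetime.strptime(rec["eol"], "%Y-%m-%d").date() <= today)

if __name__ == "__main__":
    print("dark remote assets:", dark_remote_assets(INVENTORY, HEARTBEATS, NOW))
    print("Latitude 7400 units:", assets_by_model(INVENTORY, "Latitude 7400"))
    print("past EOL:", eol_assets(INVENTORY, NOW.date()))
```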
Control
Security controls tend to be implemented in a static manner, preventing them from reaching into remote endpoints. For example, URL filtering is usually conducted on a proxy or firewall. These solutions are unable to cover endpoints working outside of the internal network. While disabling split tunneling and forcing traffic through a corporate VPN solves half the problem, once the employee disconnects, the organization loses control.
The best overall solution is to adopt cloud-based products that are either able to tie into your on-prem solutions for easy management or are similar to what is currently being utilized, in order to lower administrative overhead. Either way, the end goal is to extend your organization's policy to the remote user. Basic controls that should be leveraged include URL/DNS filtering, file-type filtering, anti-virus and DLP (passive or active).
Always remember that the control being implemented should have the ability to provide you with the proper amount of visibility and logging. It is always beneficial if the control can leverage central logging to a SIEM. Having to log in to multiple consoles can become cumbersome and time consuming, potentially prolonging response to an incident.
Response
If an incident occurs, what is the plan to initiate response on an asset that is at an employee's home? This needs to be documented in the organization's Incident Response (IR) policy and procedures. You most likely do not want the employee connecting over the VPN, requiring some form of policy or procedure to prevent this from happening. Is there a minimum amount of time an employee has before the infected asset must be turned in? How do you enforce this? These are just a few of the questions that need to be addressed.
For SOCs and incident responders, a method for remote remediation and investigation should be introduced. This could be as simple as leveraging a remote management application such as TeamViewer. Either way, there needs to be a documented method for remotely assessing a potential incident with the capability to remediate any findings.
Tip: Several EDR products contain the capability to run remote shell sessions on endpoints, providing incident responders with the ability to conduct remote investigations. Any process should be documented in a policy and procedure, helping to streamline and enforce any activities.
Data Protection
Encryption of remote assets belongs in the baselining topic. Some form of encryption should be applied prior to deploying an asset into the field.
In the past several years there have been several news articles regarding companies who have lost personal data because of a stolen asset. Once a machine leaves a building, the risk of stolen data increases dramatically. Employees tend to take laptops wherever they go, whether that be a public coffee shop or in the back seat of a car. Encrypting data at rest on a mobile device is one of the most basic security controls that is overlooked.
While hardware-based (on-disk) encryption tends to be the most secure manner of accomplishing at-rest protection, software-based encryption has come a long way. This is especially true when paired with the latest generation of TPM chips, which most new laptops and desktops now include.
Employee Offboarding
This is one of the more overlooked subjects when discussing a remote workforce. In a typical on-prem environment, simply disabling the user's credentials would suffice because the employee would only have access to company data from an in-office machine. However, with roaming employees and hybrid environments, terminations are occurring outside of the office. This brings along several challenges such as cached credentials, delay in account termination and possession of computer hardware. Even after termination, the employee, who potentially resides in another state or country, would still have possession of the organization's computer hardware and access to its cloud applications. With the push towards zero-trust models and hardware-based authentication, this poses an increased risk.
Let's use Azure Active Directory (AAD) joined machines as an example. We are not going to dive deep into this from a technical perspective. If an administrator disabled an employee's account within the AAD console, the terminated employee would still have access to the AAD joined devices and the Office 365/MS365 environment for a limited amount of time. This is due to cached credentials and saved sessions. For the hardware, once an employee signs into the AAD joined machine it stores a token, which allows it to authenticate the user without reaching out to AAD. The best way to address joined machines is to remotely disable the local account on the machine itself. While this method is manual, it quickly solves the problem. For Office 365/MS365 applications, the best course of action is to revoke the sessions of the terminated employee. This forces a re-authentication on all signed-in apps, which fails because the account was disabled.
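The cloud half of that sequence, disabling the account first and only then revoking sign-in sessions so that the forced re-authentication fails, is shown below as an added example that is not code from the post. It assumes the Microsoft Graph endpoints PATCH /users/{id} (accountEnabled) and POST /users/{id}/revokeSignInSessions, and takes an injected `send(method, url, body)` transport so the sequence can run offline; `FakeGraph` is a constructed stand-in, and in production `send` would wrap an authenticated HTTP client. The device-side step (disabling the cached account on the joined machine) is outside the block.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

def offboard_user(send, upn):
    """Disable the account, then revoke sessions; order matters so re-auth cannot succeed."""
    trail = []
    send("PATCH", f"{GRAPH}/users/{upn}", {"accountEnabled": False})
    trail.append("disabled")
    # revokeSignInSessions answers {"value": true} when the refresh tokens were invalidated.
    result = send("POST", f"{GRAPH}/users/{upn}/revokeSignInSessions", None)
    if not (result or {}).get("value"):
        raise RuntimeError(f"session revocation not confirmed for {upn}")
    trail.append("sessions_revoked")
    return trail

class FakeGraph:
    """Constructed in-memory stand-in for Graph: tracks account state and open sessions."""
    def __init__(self, upn, sessions):
        self.users = {upn: {"accountEnabled": True, "sessions": set(sessions)}}
        self.calls = []  # (method, url) in the order they were issued

    def __call__(self, method, url, body):
        self.calls.append((method, url))
        upn = url[len(GRAPH) + len("/users/"):].split("/")[0]
        user = self.users[upn]
        if method == "PATCH":
            user.update(body)          # Graph returns 204 with no body here
            return None
        if method == "POST" and url.endswith("/revokeSignInSessions"):
            user["sessions"].clear()
            return {"value": True}
        raise ValueError(f"unexpected call {method} {url}")

def demo(upn="jdoe@example.com"):
    """Run the sequence against the fake; returns the audit trail and the final user state."""
    graph = FakeGraph(upn, {"laptop-outlook", "phone-teams"})
    trail = offboard_user(graph, upn)
    return trail, graph.users[upn], [m for m, _ in graph.calls]

if __name__ == "__main__":
    print(demo())
```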
The point to take away is that the organization needs to have a plan in place for employee terminations, and this plan should address the caveats that come along with a remote workforce.