Network Monitoring Considerations for Remote Workforces

As COVID-19 quickly spread across the U.S., organizations had very little time to react before they were required to send employees home. While everyone swiftly transitioned from their offices to remote work, cybercriminals began developing new tactics to take advantage of our “new normal.”

Not all organizations were prepared for this drastic adjustment and had to make quick changes in their technology to support their employees. For the majority, this transition means an increase in their attack surface as organizations attempt to provide the same level of resources to employees at their homes as they do at the office. It is important for organizations to remember that security should remain a top concern as cybercriminals boost their efforts to take advantage of the COVID-19 pandemic.

Here are four technologies that organizations can utilize to successfully monitor and protect their networks:

Virtual Private Network (VPN) and Multi-Factor Authentication (MFA)

Because a large majority of the workforce now working remotely is new to remote access technologies, cybercriminals are likely to target resources that were deployed hastily. As organizations begin to normalize their operational tempos, an effort should be made to ensure capabilities deployed during the crisis are secured properly according to policy and best practices. For example, requiring MFA for VPN access should be considered a foundational security control, as it decreases the risk posed by weak or compromised credentials. If Remote Desktop Protocol servers were deployed to enable remote access, consider placing them behind a VPN or, at minimum, configure Network Level Authentication alongside MFA to prevent successful attacks. Moving to a remote workforce has expanded most organizations’ attack surface, and it is only a matter of time before cybercriminals begin taking advantage of these new targets.

Security Information and Event Management (SIEM) Systems

SIEM systems can be configured to ingest log data from any source within your environment. As organizations have deployed new technologies, adopted software as a service (SaaS) offerings, and moved to a remote working posture, existing SIEM log sources and detection logic may not be sufficient to accurately identify threats to the business. For example, if you leverage a SIEM to process endpoint logs on user workstations, you may have lost visibility into large portions of your environment as the organization transitions to working remotely. Security teams should assess their visibility, determine where gaps exist and assess which ones present the greatest risk.
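
One way to run the visibility assessment described above, as an added example that is not part of the original article: compare an asset inventory against the time each expected log source last reported to the SIEM, then rank the silent sources by asset criticality. The host names, criticality scores, timestamps and the two-day silence threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed asset inventory: host -> (criticality 1-5, expected log sources)
INVENTORY = {
    "fin-laptop-01": (5, {"endpoint", "vpn"}),
    "hr-laptop-02":  (4, {"endpoint", "vpn"}),
    "dev-laptop-03": (2, {"endpoint", "vpn"}),
    "file-srv-01":   (5, {"endpoint"}),
}

# Constructed SIEM summary: (host, source) -> time of last event received
NOW = datetime(2020, 5, 1, 12, 0)
LAST_SEEN = {
    ("fin-laptop-01", "endpoint"): datetime(2020, 3, 16, 17, 5),
    ("fin-laptop-01", "vpn"):      datetime(2020, 5, 1, 9, 30),
    ("hr-laptop-02", "endpoint"):  datetime(2020, 5, 1, 11, 45),
    ("hr-laptop-02", "vpn"):       datetime(2020, 5, 1, 8, 0),
    ("dev-laptop-03", "endpoint"): datetime(2020, 3, 13, 18, 0),
    ("file-srv-01", "endpoint"):   datetime(2020, 5, 1, 11, 59),
}

def visibility_gaps(inventory, last_seen, now, max_silence=timedelta(days=2)):
    """Return (host, source, days_silent, criticality) tuples, highest risk first."""
    gaps = []
    for host, (criticality, sources) in inventory.items():
        for source in sorted(sources):
            seen = last_seen.get((host, source))
            if seen is None:
                # Expected source has never reported: days_silent is None.
                gaps.append((host, source, None, criticality))
            elif now - seen > max_silence:
                gaps.append((host, source, (now - seen).days, criticality))
    # Rank by criticality, then by length of silence; a source that never
    # reported is treated as the longest possible silence.
    return sorted(gaps, key=lambda g: (-g[3], -(g[2] if g[2] is not None else 10**6)))

if __name__ == "__main__":
    for gap in visibility_gaps(INVENTORY, LAST_SEEN, NOW):
        print(gap)
```

Here the finance laptop still authenticates to the VPN but its endpoint logs stopped arriving when it left the office network, which is the kind of gap the paragraph above describes.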

Intrusion Detection System (IDS) and/or Intrusion Prevention System (IPS)

An IDS or IPS is an effective solution for detecting and preventing advanced attacks. While many organizations may have these technologies in place, they may have lost visibility into significant portions of network traffic as employees began working remotely. During these times of uncertainty, an anomaly-based IDS/IPS is designed to define a standard baseline of network traffic and alert security personnel to any deviations from standard activity. It is important to monitor these alerts and adjust configurations to reflect the changing environment as baselines are being drastically modified. These alerts are integral to notifying personnel of any suspicious activity, including Indicators of Compromise (IoCs). The list below contains some of the more common IoCs organizations should be monitoring and investigating:

  • Unusual Outbound Network Activity – When there is a deviation in outbound traffic from the baseline.
  • Irregularities in Administrator Account Activity – Attackers look for privileged accounts to move around a network, so monitoring changes in administrator activity would alert personnel to a potential breach.
  • Geographical Anomalies – Traffic originating from an unusual country could indicate a network compromise.
  • Unusual Spikes in Network Activity & Requests – This could be changes in the normal volume of logins, database activity, web application traffic or port activity.
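
The baseline-and-deviation approach above, applied to three of the listed IoCs (outbound volume, administrator activity, geography), as an added example that is not part of the original article. The record layout, account names, values and the three-standard-deviation threshold are constructed assumptions, not the behavior of any particular IDS/IPS product.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline records: (account, country, hour_utc, bytes_out, is_admin)
BASELINE = [
    ("alice", "US", 14, 120_000, False), ("alice", "US", 15, 150_000, False),
    ("alice", "US", 16, 130_000, False), ("bob", "US", 13, 90_000, False),
    ("bob", "US", 14, 110_000, False), ("bob", "US", 15, 100_000, False),
    ("adm-svc", "US", 2, 40_000, True), ("adm-svc", "US", 3, 50_000, True),
    ("adm-svc", "US", 2, 45_000, True),
]

# Constructed new events to evaluate against the baseline
NEW_EVENTS = [
    ("alice", "US", 15, 140_000, False),    # within baseline
    ("bob", "RO", 14, 105_000, False),      # country never seen for bob
    ("alice", "US", 16, 9_000_000, False),  # far above alice's outbound norm
    ("adm-svc", "US", 11, 42_000, True),    # admin account at an unusual hour
]

def build_profiles(events):
    """Summarise per-account countries, active hours and outbound byte counts."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set(), "bytes": []})
    for account, country, hour, bytes_out, _ in events:
        p = profiles[account]
        p["countries"].add(country)
        p["hours"].add(hour)
        p["bytes"].append(bytes_out)
    return profiles

def detect(event, profiles, z_limit=3.0):
    """Return the list of baseline deviations for one event."""
    account, country, hour, bytes_out, is_admin = event
    p = profiles.get(account)
    if p is None:
        return ["no baseline for account"]
    findings = []
    if country not in p["countries"]:
        findings.append("geographical anomaly")
    # Flag outbound volume more than z_limit standard deviations above the mean;
    # the floor of 1.0 avoids a zero threshold width on a perfectly flat baseline.
    if bytes_out > mean(p["bytes"]) + z_limit * max(pstdev(p["bytes"]), 1.0):
        findings.append("unusual outbound volume")
    if is_admin and hour not in p["hours"]:
        findings.append("irregular administrator activity")
    return findings
```

Rebuilding the profiles from recent remote-work traffic, rather than from pre-transition data, is how the baseline adjustment mentioned above would be reflected in this sketch.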

Endpoint Detection and Response (EDR)

EDR solutions allow an organization to collect telemetry data from endpoint devices such as laptops and workstations. Most EDR solutions are cloud-based, allowing an organization to retain visibility and control of endpoints, no matter what network they are on or where they are physically located. With this visibility, security teams can create logic to trigger alerts and/or response actions when suspicious patterns of behavior are identified. In addition to this automated capability, EDR tools allow incident responders to perform investigations on devices and contain threat actors before they can spread into the larger network.

About DHG IT Advisory

DHG IT Advisory works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet your IT advisory needs that drive your business.

About Soteria

Soteria is a client-focused organization providing advisory, consulting, and solutions to assist in preventing, detecting, and responding to cyber security incidents. Through proactive engagements, managed detection and response services, and ongoing advisory, Soteria partners with customers to achieve their security goals. www.soteria.io

CONTRIBUTORS

Jim Buda, CPA, CISA
Manager
DHG IT Advisory

itadvisory@dhg.com

Paul Ihme, GREM, CISSP
Cofounder
Soteria

© Dixon Hughes Goodman LLP. All rights reserved.
DHG is registered in the U.S. Patent and Trademark Office to Dixon Hughes Goodman LLP.