[Chester Wisniewski] Protecting Assets in a Remote-First and Potentially Hostile World
With both persistent attacks and post-pandemic remote work here to stay, modern security solutions must assume the endpoint device or phone operates in a dangerous environment at all times.
I live in a city center and the lunch hour certainly isn’t like it once was. While some people have returned to working in an office, it seems that the majority have not. Looking back, the pandemic will have been a turning point for many things around the world, and the rhythms of office-centered worklife will be something that will never return to the old ways.
With this increased flexibility employees are not just working from home behind consumer-grade Wi-Fi routers; they are also spending part of the day at the park or coffee shop, or perhaps even having a “working holiday.” Those in charge of protecting enterprise assets have to assume these endpoints are always in hostile territory.
“Pushing Left” Blocking an Attacker as Far as Possible
Even before the pandemic, organizations working toward improving their security maturity were often trying to “push left.” What is pushing left? At its most basic level it means moving things closer to the start. It originates from software development where the stages of the development process are conceptualized from left to right, left being the beginning. In applied security we also use the term “pushing left,” but rather than referring to the software development process we are referring to the attack chain, which moves from reconnaissance on the left through action [exfiltration or other attacker goal] on the right.
For many years, the most comprehensive security strategies have involved defense in depth. The idea is that not all technologies are suitable for detecting a given threat type, so it is best to deploy them in layers. These layers often directly correspond to how far “left” something is in the attack chain. If you can detect something at the network border through your firewall, email, or web filters, you have contained the threat before it has any negative impact on operations.
Ideally you want to detect and block an attacker as far left as possible, i.e., as early as possible. Pushing detections left also alerts security analysts that an intrusion may be underway, initiating more focused threat hunting to anticipate gaps in defenses your attacker may be attempting to exploit.
For employees at the office, you can centralize control of these defenses and provide optimum protection. The question is, are you able to provide the same protection for remote workers regardless of their location? Can you monitor and respond to threats being detected on those assets when they are out of the office? As many have observed, this did not work as well as we would have liked when we all went into lockdown, many of us without a plan.
Follow us on Telegram, Twitter, and Facebook, or subscribe to our weekly newsletter to ensure you don’t miss out on any future updates. Send tips to firstname.lastname@example.org