Who is this blog for?
This blog is for professionals who want to learn how to prevent security drift. Security drift is the gradual erosion of an organization’s security posture over time, due to changes in the IT environment, new threats, and human error.
Even though organisations have security measures in place, this blog from our technology partner Cymulate highlights the need for ongoing monitoring to prevent security drift and potential breaches. CSV can help to prevent security drift by continuously testing an organization’s security controls.
This blog discusses the importance of CSV and how it can be used to prevent security drift.
Read time: 2 minutes 30 seconds
I live in a city centre and the lunch hour certainly isn’t like it once was. While some people have returned to working in an office, it seems that the majority have not. Looking back, the pandemic will likely have been a turning point for many things around the world, and the rhythms of office-centred work life will be something that will never return to the old ways.
With this increased flexibility, employees are not just working from home behind consumer-grade Wi-Fi routers; they are also spending part of the day at the park or coffee shop, or perhaps even having a “working holiday.” Those in charge of protecting enterprise assets have to assume these endpoints are always in hostile territory.
Even before the pandemic, organizations working toward improving their security maturity were often trying to “push left.” What is pushing left? At its most basic level it means moving things closer to the start. It originates from software development where the stages of the development process are conceptualized from left to right, left being the beginning. In applied security we also use the term “pushing left,” but rather than referring to the software development process we are referring to the attack chain, which moves from reconnaissance on the left through action (exfiltration or other attacker goal) on the right.
For many years, the most comprehensive security strategies have involved defence in depth. The idea is that not all technologies are suitable for detecting a given threat type, so it is best to deploy them in layers. These layers often directly correspond to how far “left” something is in the attack chain. If you can detect something at the network border through your security system, email, or web filters, you have contained the threat before it has any negative impact on operations.
Ideally you want to detect and block an attacker as far left as possible, i.e., as early as possible. Pushing detections left also alerts security analysts that an intrusion may be underway, initiating more focused threat hunting to anticipate gaps in defences your attacker may be attempting to exploit.
For employees at the office, you can centralize control of these defences and provide optimum protection. The question is, are you able to provide the same protection for remote workers regardless of their location? Can you monitor and respond to threats being detected on those assets when they are out of the office? As many have observed, this did not work as well as we would have liked when we all went into lockdown, many of us without a plan.
While there are still many benefits to monitoring the network when you have control of it, including reduced endpoint overhead and the ability to keep threats at a distance from sensitive assets, we need to ensure we can take as much of this protection as possible with us when we are out and about.
We must ensure not only that protection is optimized, but also that we don’t lose our ability to monitor, detect, and respond to attacks targeting these remote assets. Most organizations have moved to utilizing EDR/XDR solutions (or plan to in the very near future), which is a great start, but not all solutions are comprehensive.
In the remote-work era, insufficiently protected remote users can encounter plenty of issues – malicious URLs and downloads, and network attacks, to name only the most mundane – that in the Before Times would have been handled by machines guarding the corporate “fort.” The biggest missing components when users are “outside the fort” are HTTPS filtering and web content inspection of the sort that is typically implemented within next-generation firewalls. When you add these technologies to pre-execution protection, behavioural detection, machine learning models, client firewalls, DLP, application control, and XDR, you are starting to look at a comprehensive stack of defences for attackers to overcome – even if the endpoints themselves are now free-range.
For initiatives like zero trust network access (ZTNA) to be effective, we must not only wrap the applications we interact with, but we must also wrap the endpoints that connect to them. Simple checks like whether the OS is up-to-date and whether it has security software installed may be a good start, but not all protection is created equal.
With most devices being connected to the internet whenever they’re in use, we can leverage the power of the cloud to help provide ubiquitous protection and monitoring. Modern security solutions must assume the endpoint device or phone is in a hostile environment at all times. The old idea of inside and outside is not only outdated, but also downright dangerous.
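As an added illustration (not code from the original post or from any vendor's product), the Python below contrasts the simple posture check with one that also requires a subset of the layers listed above and recent telemetry from the endpoint. The layer labels, report fields, sample endpoints and four-hour threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# A subset of the layers the post lists for endpoints "outside the fort".
# The labels are made up for this example; they are not product settings.
REQUIRED_LAYERS = frozenset({
    "https_filtering", "web_content_inspection", "pre_execution",
    "behavioural_detection", "client_firewall", "xdr_sensor",
})
MAX_TELEMETRY_AGE = timedelta(hours=4)  # assumed threshold

@dataclass
class PostureReport:
    """Constructed shape of what an endpoint agent reports at connect time."""
    host: str
    os_up_to_date: bool
    security_software_installed: bool
    active_layers: frozenset
    last_telemetry: datetime

def simple_check(r):
    """The 'good start' check: patched OS and some security software present."""
    return r.os_up_to_date and r.security_software_installed

def layered_check(r, now):
    """Return (allowed, reasons); deny on a missing layer or silent monitoring."""
    reasons = []
    if not simple_check(r):
        reasons.append("baseline: OS out of date or no security software")
    missing = sorted(REQUIRED_LAYERS - r.active_layers)
    if missing:
        reasons.append("missing layers: " + ", ".join(missing))
    if now - r.last_telemetry > MAX_TELEMETRY_AGE:
        reasons.append("telemetry stale: endpoint is not being monitored")
    return (not reasons, reasons)

NOW = datetime(2023, 5, 25, 12, 0, tzinfo=timezone.utc)  # fixed so results repeat
# Constructed sample reports
CAFE_LAPTOP = PostureReport("laptop-cafe", True, True, frozenset(
    {"pre_execution", "behavioural_detection", "client_firewall", "xdr_sensor"}),
    NOW - timedelta(minutes=5))
FULL_STACK = PostureReport("laptop-home", True, True, REQUIRED_LAYERS, NOW - timedelta(minutes=5))
SILENT = PostureReport("laptop-holiday", True, True, REQUIRED_LAYERS, NOW - timedelta(days=2))

if __name__ == "__main__":
    for r in (CAFE_LAPTOP, FULL_STACK, SILENT):
        print(r.host, simple_check(r), layered_check(r, NOW))
```

All three sample endpoints pass the simple check; only the one reporting every required layer and recent telemetry passes the layered one.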
“No matter where your employees are located, it’s crucial to adapt and empower your teams in this rapidly evolving landscape,” confirms a Babble spokesperson. “You need an end-to-end cybersecurity stack that will provide protection wherever, and however, bad actors attack.”
This blog was written and shared by Sophos and originally published on their website on 25 May 2023.