How business continuity plans and cybersecurity change in a pandemic era. Why rely on an MSSP
Covid-19 has changed our lives forever, and the same can be said for our work habits. The pandemic has highlighted (if confirmation were still needed) the extreme vulnerability of traditional cybersecurity systems. These systems must be revised to fit the new online business models and remote working methods.
Leading experts in security and risk management (SRM) today face an extremely dynamic environment in which threats to data integrity and business continuity multiply. In this time of heightened uncertainty, the recommended approach emphasizes resilience and directs risk mitigation efforts at protecting the extended perimeter, which now also includes autonomous and intelligent cyber-physical systems and remote workers. Deloitte experts advise CISOs to work on these five aspects in particular:
- Refine cybersecurity monitoring capabilities to reflect the characteristics of new operating environments where network traffic patterns, data, and corporate IT system access vectors have changed due to increased remote and mobile operations.
- Re-engineer IT incident management workflows to meet the need to monitor security events when normal response structures and official communication channels may not be available.
- Communicate awareness messages on cybersecurity issues, to ensure that all employees and collaborators remain alert and attentive to the dangers of phishing (and other social engineering cyber attacks) that could compromise operational continuity, data security, and privacy.
- Involve partners and service providers to understand the potential impacts of new lockdowns or restrictions on the availability of critical security services.
- Ensure that measures taken go beyond pure IT security and include a focus on compliance and cyber-physical systems where necessary.
How The Concept Of Cybersecurity Has Changed
The impact of a global pandemic such as that of Covid-19 was not included in most business continuity plans. Over the past few months, CISOs have come to recognize the need to promote a broader concept of cybersecurity, one that evolves from regulatory compliance to merge with cyber resilience. In this epochal transition, a central role is entrusted to Managed Security Service Providers (MSSPs).
Drawing on that evidence, Gartner experts (“Covid-19’s impact on security”) suggest how to better protect against cyber risks in the era of Covid-19. Here, then, are the 5 areas on which CISOs and SRM leaders will have to focus in 2021 to ensure maximum business resilience in a pandemic period.
1) Make Sure Incident Response Protocols Reflect The New Operating Conditions
In a pandemic scenario where the Incident Response Team operates in a completely remote or mixed mode, the old response plans could be completely ineffective. Failure to adapt incident response protocols to operational conditions altered by pandemic health management could seriously compromise the organization’s ability to cope with the most mundane cyber incidents. Gartner suggests cybersecurity leaders take some precautions:
2) Make Sure All Remote Access Features Are Secure And The Endpoints Used By Smart Workers Are Up To Date
There are many company-owned devices that, even today, are mainly used outside the office environment. Many organizations have opted for full smart working and even public administrations are gearing up to offer their employees the opportunity to work remotely for at least 50% of their time. These new routines force the CISO team to pay particular attention to some precautions:
- Make sure that all endpoints provided by the organization have the minimum security configurations for off-LAN activity (for example, signature updates received directly from the cloud).
- “Licensed” endpoint protection solutions do not always provide visibility into remote PCs. The CISO will need to consider migrating to a managed endpoint protection service.
- Use caution in providing access from personal devices to corporate applications that store mission-critical information, unless it can be confirmed that the device has an up-to-date antimalware solution. For additional security, all external access to critical systems should be required to use software token-based multi-factor authentication, especially when the worker is using their personal device.
- To minimize vulnerabilities, implement remote access via Single Sign-On (SSO) to applications hosted locally or in the cloud. Where this is not practicable, adopt a password synchronization system between multiple SaaS applications.
- Constantly verify and, if required, delete or limit privileged accounts that are not directly connected to mission-critical systems and applications.
- Verify that all remote access infrastructures (such as VPNs) are tested and properly patched.
3) Keep Smart Workers Alert To The Dangers Of Social Engineering
The home environment can be a source of distraction for the employee who works in smart working. In many cases this has ended up making remote workers more fragile and susceptible to social engineering attacks, in which cybercriminals exploit user anxiety, fear, and lapses in attention to gain access to corporate accounts and, from there, exfiltrate data or block the operation of the organization’s IT systems.
CISOs and risk managers will therefore have to adopt some useful measures to keep smart-working employees highly alert to the dangers of social engineering.
- Extend existing data-exfiltration remediation measures to cover smart working scenarios. As soon as reasonably practicable, review existing remote work policies to include new information protection requirements.
- Send targeted emails to all staff to make employees more aware of cyber threats related to social engineering and to remind them of the need to stay focused and hypervigilant towards phishing emails and other suspicious communications even while they work from home.
- Provide clear guidance on who to contact and what information must be collected in the event of a suspected compromise. Ensure that the communications sent also explain how to set up secure home networks and how best to protect devices.
4) Make Sure Your Cybersecurity Monitoring Features Include Visibility Into Extended Operating Environments
If cybersecurity operations are optimized to monitor events in a standard environment, moving to a predominantly remote operating model can pose a risk of major gaps. Those responsible for cybersecurity and risk management should take some steps to ensure that the organization’s security monitoring tools and capabilities are configured to provide maximum visibility into new extended operating environments:
- Configure and refine internal security monitoring capabilities and log management rules to ensure that the security team has full visibility into the new operating environment: an environment where risk exposure, network traffic patterns, location of endpoints, and data access vectors have changed due to increased mobile and remote activity.
- Ensure that all internal IT security operations personnel have their own configured (and tested) access to any monitoring tool (locally and in the cloud) so that they can perform security monitoring functions even remotely.
- Where possible, take advantage of privileged session management (PSM) capabilities to monitor and manage, if necessary, any user activity that leads to an escalation of access permissions. Pay close attention to privileged account sessions to determine if there are any deviations in user activity.
- If security monitoring services are managed by external vendors (outsourced to a Managed Security Service Provider), verify that their tools and platforms are properly configured to monitor and correlate logs in a manner that reflects the increasing volume of traffic and access requests from external IPs.
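The two monitoring rules above (access from external IPs that deviate from a user's baseline, and privilege grants to users who do not normally hold them) can be expressed as a small baseline-deviation check. The following is an added example, not code from the article or from any vendor named in it; the log line format, the user names, the IP addresses and the baseline data are all constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines (not from the article): VPN login records and
# directory privilege-grant records, normalised to one line format.
SAMPLE_LOGS = """\
2021-02-01T08:02:11Z vpn-login user=alice src=10.20.1.15
2021-02-01T08:05:40Z vpn-login user=bob src=203.0.113.7
2021-02-01T09:10:02Z priv-grant user=bob role=domain-admin src=203.0.113.7
2021-02-02T03:14:09Z vpn-login user=alice src=198.51.100.23
2021-02-02T03:16:30Z priv-grant user=alice role=domain-admin src=198.51.100.23
2021-02-02T10:00:00Z vpn-login user=bob src=203.0.113.7
""".splitlines()

# Address ranges treated as "inside the LAN"; anything else is an external IP.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE = re.compile(r"^(?P<ts>\S+) (?P<kind>vpn-login|priv-grant) user=(?P<user>\S+)"
                  r"(?: role=(?P<role>\S+))? src=(?P<src>\S+)$")

def is_external(ip: str) -> bool:
    try:
        return not any(ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return True  # unparseable source field: treat as external rather than silently trust it

def analyse(lines, known_external, privileged_users):
    """known_external: user -> external source IPs approved during earlier triage (the baseline).
    privileged_users: users who legitimately hold privileged roles.
    Returns one alert per log line that deviates from that baseline."""
    known = defaultdict(set, {u: set(ips) for u, ips in known_external.items()})
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # in production, count unparseable lines so visibility gaps are noticed
        user, src, kind = m["user"], m["src"], m["kind"]
        reasons = []
        if is_external(src) and src not in known[user]:
            reasons.append(f"unseen external IP {src}")
        if kind == "priv-grant" and user not in privileged_users:
            reasons.append(f"privilege grant role={m['role']} to non-privileged user")
        if reasons:
            alerts.append({"ts": m["ts"], "user": user, "kind": kind, "reasons": reasons})
    return alerts

def run_sample():
    # Baseline: bob is known to work from 203.0.113.7 and legitimately holds a privileged role.
    return analyse(SAMPLE_LOGS, known_external={"bob": ["203.0.113.7"]}, privileged_users={"bob"})
```

On the sample data only alice's two events are flagged: a login from an external address never seen for her, followed two minutes later by a domain-admin grant from that same address.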
5) Facing The Challenges Of Cyber-Physical Systems
With the progressive spread of smart and connected devices, attacks on cyber-physical systems are also growing. Risk mitigation activities, in these cases, must be directed towards ensuring maximum protection of operational technology (OT) and information technology (IT) systems through a range of interventions:
- Review access control policies and management approaches.
- Review micro-segmentation, virtual segmentation, and firewalling approaches.
- Strengthen endpoint security.
- Map all remote connections, remote access vulnerabilities, audit trails, and password managers. Keep track of valid credentials.
SOC As a Service, The Advantages for Business Continuity
The ability to guarantee operational continuity even in the face of a scenario of increasing complexity, such as the pandemic, today represents the main cybersecurity challenge for CISOs. More and more companies have opted for a more “intelligent” security management, which uses Big Data Analytics, Artificial Intelligence, and Machine Learning technologies to promptly identify and, as far as possible, “predict” anomalous behaviors and suspicious traffic volumes.
This approach makes it possible to quickly isolate compromised endpoints, nipping the spread of an attack in the bud, minimizing reputational damage and downtime, and ensuring the cyber resilience that is essential today for business survival.
To achieve that resilience, many companies opt for a “managed” security concept, delegating the burden of protecting their data and critical assets to one or more partners, even completely outsourcing the management of entire SOCs (Security Operation Centers). In this case, all information on the state of a company’s IT security is centralized in the infrastructure of the Managed Security Service Provider (MSSP), taking full advantage of constantly updated people, processes, and technologies to optimize the following activities:
1. Activity Monitoring And Incident Detection
Collection and filtering of traffic and event data obtained from security systems, networking equipment, endpoints, and servers, operated through SIEM (Security Information and Event Management) platforms. Comparison of the alerts generated by these systems with context information (new vulnerabilities, ongoing attacks, new threats…) and detection of anomalies.
2. Incident Response
Analysis of information on anomalous events and the IT assets involved, and definition and coordination of the remediation activities needed to fix weaknesses, suggesting the interventions to be carried out on security systems.
3. Vulnerability Assessment
Some SOCs can carry out a proactive analysis of vulnerabilities, verifying the resistance of applications, networks, databases, but also individual endpoints, to a possible attack, through penetration tests.
4. Correlation Of Security Events
5. Behavior Analysis
Automated behavioral analysis of users, through machine learning and artificial intelligence algorithms and, more generally, tools and protocols capable of promptly identifying traffic anomalies and discrepancies with respect to “normal” behavior, alerting security operators.
6. Security Awareness
Production of security bulletins, reports, and insights on new threats and vulnerabilities, based on information obtained through cyber intelligence activities.