With more and more companies having non-essential personnel work from home to reduce risk, we wanted to touch on some of the risks from a defender's standpoint. One of the big things in my mind is that attackers are using the cover of increased remote work to try to break into more companies.
With that in mind, what are some of the items to look for? For starters, keep an eye on your VPN logs: failed login attempts are the easy signal, and a failed second step in multi-factor authentication is a huge red flag. If you are able to see when a user denies a login request, that denial should be treated as a critical indicator of a potential incident. On a side note, make sure you are applying inspection to inbound traffic (a lot of companies use their NGFW as the VPN gateway, which makes this easier).
If you utilize cloud technologies like Azure/Office365, some of the same logic applies. Obviously, you'll need a baseline for a normal number of failed logins, but look for denied multi-factor authentication and for signs of password spraying (a rapid number of failed logins for the same account). There are built-in features, like impossible-travel detection, that look at the locations of successful logins. Also look for inappropriate application usage, permission changes, unauthorized data transfers, etc.
All of this should ideally be pulled into a SIEM that can correlate activity between your different data sources; manually reviewing cloud audit logs is just not scalable, and it is too easy to miss things.
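As an added example (not code from the original post), the following Python pulls three of the signals discussed above out of constructed sample sign-in events from a VPN gateway and Office 365: every denied second factor, rapid failed logins against one account, and pairs of successful logins whose locations are impossible to travel between in the elapsed time. The event field names, the thresholds and the 900 km/h travel ceiling are assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not real logs) from a VPN gateway and Office 365.
EVENTS = [
    {"ts": "2020-03-20T08:00:00", "src": "vpn", "user": "alice", "result": "success", "lat": 42.36, "lon": -71.06},
    {"ts": "2020-03-20T08:10:00", "src": "o365", "user": "alice", "result": "success", "lat": 48.86, "lon": 2.35},
    {"ts": "2020-03-20T09:00:00", "src": "vpn", "user": "bob", "result": "mfa_denied", "lat": 42.36, "lon": -71.06},
    {"ts": "2020-03-20T09:01:00", "src": "o365", "user": "carol", "result": "failed", "lat": 42.36, "lon": -71.06},
    {"ts": "2020-03-20T09:01:05", "src": "o365", "user": "carol", "result": "failed", "lat": 42.36, "lon": -71.06},
    {"ts": "2020-03-20T09:01:10", "src": "o365", "user": "carol", "result": "failed", "lat": 42.36, "lon": -71.06},
]

def _by_user(events, result):
    """Group events with the given result by account, oldest first (ISO timestamps sort lexically)."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == result:
            grouped[e["user"]].append(e)
    return grouped

def mfa_denials(events):
    """A denied second factor means the password was already correct: flag every one."""
    return [(e["user"], e["src"], e["ts"]) for e in events if e["result"] == "mfa_denied"]

def rapid_failures(events, threshold=3, window_s=60):
    """Accounts with at least `threshold` failed logins inside a `window_s`-second sliding window."""
    flagged = []
    for user, fails in _by_user(events, "failed").items():
        times = [datetime.fromisoformat(e["ts"]) for e in fails]
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            flagged.append(user)
    return flagged

def _km(a, b):  # great-circle (haversine) distance between two events, in km
    la1, lo1, la2, lo2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def impossible_travel(events, max_kmh=900):
    """Consecutive successful logins for one account that would need travel faster than `max_kmh`."""
    flagged = []
    for user, logins in _by_user(events, "success").items():
        for prev, cur in zip(logins, logins[1:]):
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            if hours > 0 and _km(prev, cur) / hours > max_kmh:
                flagged.append((user, prev["src"], cur["src"], round(_km(prev, cur))))
    return flagged
```

Feeding both the VPN and the cloud sign-ins into the same functions is the point: alice's Boston VPN login followed ten minutes later by a Paris Office 365 login is only visible when the two sources are correlated.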
A lot of this comes back to your planning – is your organization built to be the right balance of available and secure? How does this all tie into your risk management strategy and protecting business outcomes?
If you are ready to set up remote work security for your business, contact us today for an immediate consultation.