
Threat Modeling in Times of Crisis

April 14, 2020

With most of the country sheltering in place and so many people working remotely, work-life balance is taking on a new meaning and cloud infrastructure is taking a beating. The dramatic increase in daily activity and network use is creating both a visibility challenge and an operating model shift for already lean security teams.

This “new normal” brings with it a fresh set of challenges for organizations, including increased corporate risk, necessary workflow modifications, and pandemic-driven security problems. Security teams may find these challenges manifesting in unexpected ways, which makes it an opportune time to review your security program in a fresh light. For example:

  • Privacy risks of remote work: Employees now mandated to work from home have quickly adopted all manner of communication apps. They’re on the phone, on video, and on chat more than ever. For instance, at Devo our Slack usage has nearly doubled—and that’s for a company with an already geographically dispersed workforce. These communication channels—Slack, Discord, Zoom, Hangouts, etc.—introduce new vectors for information sharing. Unfortunately, they also make it more likely that overburdened employees will skirt security policy—e.g., throw that confidential file into Zoom chat—to get work done. We all want work life to be easier, but may not realize that overreaching privacy policies imposed by some of these communications vendors put our privacy at risk.
  • Compliance with compassion: As we all deal with the health and safety impacts of COVID-19, it’s worth exploring whether compliance presents opportunities to help both your employees and your business. Remote work presents challenges for all of us, and compliance can help by looking at questions such as:
      • Have you accounted for pandemic policy requirements in your business continuity plan? In your disaster recovery plan?
      • Have you recently reviewed your continuity matrix by job function, to make sure others can help if someone becomes sick?
      • What is your cyber insurance policy’s stance on pandemics and business interruption coverage?
      • Does this change how you look at third-party risk?
  • Pandemic-driven threats have emerged: COVID-19 means new attack surfaces and user behaviors, leading to new threats, including:
      • Coronavirus phishing: Scammers are exploiting human fears related to safety and security by claiming to be banks or other entities interested in protecting your financial security and asking for your PIN or other personal information as part of their “help.” New pandemic-related domains, both legitimate and fake, are popping up. The Devo security team is keeping track of these emerging COVID-19 domains as part of our own efforts to make sure we know who we’re dealing with:

      • Social grease and sensitive data: Most of us are spending time on conference calls commiserating with colleagues, vendors, customers, or partners—and our social currency may include sharing personal and company details that we wouldn’t normally publicize. Conference calls are also being disrupted by “zoombombing,” so now we need to watch for how this overexposure can create social risk from multiple angles.
  • Cloud providers show fragility in the storm: The increased demand for infrastructure and SaaS solutions has created huge pressure on cloud service availability, performance, access, and agility, and providers are showing the stress from the onslaught of activity. The immaturity of these environments is a wakeup call. Many employees can’t or won’t do business across a VPN. When availability and access to data are reduced, users naturally migrate to the path of least resistance, and sensitive data suddenly moves across less secure pathways. As security teams we need to get our arms around this, while we implement new ways to monitor cloud usage and keep ahead of the capacity and scale our people need.
  • Reliance on provider security and “cloud at your door”: Employees are at home, yet still working in the cloud. This means the new perimeter leans into cloud security, unmanaged network endpoints, and home network security more than ever before. Cybercriminals have been exploiting home network weaknesses with the likes of Mirai or VPNFilter malware. Makers of network hardware are trying to stay ahead of the curve by discovering and patching critical vulnerabilities in the equipment remote workers rely on, as the boundary of cloud access extends to their door. Endpoints designed to return signals for corporate visibility may no longer return to the corporate environment, putting more focus on Zero Trust, even for organizations ill-prepared to support it. If that weren’t enough to worry your CISO, internet-enabled devices such as smart TVs and unsophisticated, unmanaged routers now control what was once the corporate perimeter.
  • Morphing threat model and visibility: Security teams have a range of tooling to capture visibility and help keep their employees safe—from log reviews and security monitoring, to full tech stacks of SIEM / UEBA / CTI and SOAR. While security teams attack similar problems in different ways, the first principle is the same: To get eyes on the logs for users and systems that interact with our company’s crown jewels—our intellectual property. The pandemic is causing threat models to evolve, as there are always more SaaS applications, more communication applications, and more movement of (potentially) sensitive data. To continue to operate business as usual, the question is how this evolution intersects with the visibility you need and the tooling your team has available.
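The “keeping track of emerging COVID-19 domains” point above is the one item in this list that maps directly onto detection logic. The following is an added example, not Devo’s own tooling or data: it scans DNS query log lines for pandemic-themed domain names, skips a small allowlist of domains the team has already vetted, and reports when each suspicious domain was first seen and which clients resolved it. The log format, the keyword list, the allowlist, and the “last two labels” approximation of a registrable domain are all assumptions made for this example; production code would use the public suffix list and the organization’s real allowlist.

```python
"""Flag pandemic-themed domains in DNS query logs (added example, not from the original post)."""
import re
from collections import OrderedDict

# Keywords the detector looks for inside the registrable domain (assumed list).
PANDEMIC_KEYWORDS = ("covid", "coronavirus", "corona", "pandemic", "ncov")

# Hypothetical allowlist: domains the security team has already vetted as legitimate.
VETTED_DOMAINS = {"coronavirus.gov", "cdc.gov", "who.int"}

# Constructed sample log lines; the format is an assumption, not a real resolver's output.
SAMPLE_LOG = """\
2020-04-13T08:01:02Z client=10.0.0.12 qname=www.cdc.gov qtype=A
2020-04-13T08:05:44Z client=10.0.0.12 qname=coronavirus.gov qtype=A
2020-04-14T09:12:30Z client=10.0.0.17 qname=covid19-relief-bank.example qtype=A
2020-04-14T09:12:31Z client=10.0.0.17 qname=secure-login.covid19-relief-bank.example qtype=A
2020-04-14T11:40:05Z client=10.0.0.21 qname=slack.com qtype=A
2020-04-14T12:00:00Z client=10.0.0.33 qname=ncov-tracker-update.example qtype=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the assumed format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def registrable_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption; see lead-in)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def matched_keyword(domain):
    """Return the first pandemic keyword found in the domain, or None."""
    for keyword in PANDEMIC_KEYWORDS:
        if keyword in domain:
            return keyword
    return None


def flag_pandemic_domains(log_text):
    """Scan DNS log text and return flagged domains ordered by first sighting.

    Each entry records the registrable domain, the keyword that matched, the timestamp
    of the first query, the number of queries seen, and the sorted set of client IPs.
    Vetted domains are skipped so known-good pandemic resources do not generate noise.
    """
    seen = OrderedDict()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # malformed line; a real pipeline would count these separately
        domain = registrable_domain(record["qname"])
        if domain in VETTED_DOMAINS:
            continue
        keyword = matched_keyword(domain)
        if keyword is None:
            continue
        entry = seen.setdefault(
            domain,
            {"domain": domain, "keyword": keyword, "first_seen": record["ts"],
             "queries": 0, "clients": set()},
        )
        entry["queries"] += 1
        entry["clients"].add(record["client"])
    # Convert client sets to sorted lists so the output is deterministic and serializable.
    return [dict(e, clients=sorted(e["clients"])) for e in seen.values()]


if __name__ == "__main__":
    for hit in flag_pandemic_domains(SAMPLE_LOG):
        print(f"{hit['first_seen']} {hit['domain']} keyword={hit['keyword']} "
              f"queries={hit['queries']} clients={','.join(hit['clients'])}")
```

On the constructed sample, the two domains flagged are `covid19-relief-bank.example` (two queries, one client, because the subdomain collapses onto the same registrable domain) and `ncov-tracker-update.example`; `coronavirus.gov` is skipped because it is on the allowlist. The “first seen” timestamp is what makes this useful for the emerging-domain problem the post describes: sorting hits by that field surfaces names that appeared in your environment only recently, which is exactly the set a human should review before adding to the vetted or blocked list.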

Times of crisis can provide an opportunity to take stock of your security programs, get laser-focused on what matters most, and give your best athletes a time to shine. While we all hope the pandemic will be over soon, the situation mandates you validate that your visibility extends to the doorstep, and that you think about new problems in new ways. With this new remote-focused security model, diligent teams can manage the changing landscape and be better for it.
