Why Security Operations Is More Important in Today's WFH Era

13 April 2020 | Mihai Andreescu

Recent global developments have impacted almost every aspect of how organisations typically operate. Some organisations are thriving in the newly mandated work-from-home environment, having already developed entire business models around remote working. Others have had to shift not just operations, but also mindsets. While the physical health and safety of the workforce are of primary importance, the need to adapt to maintain steady operations comes in at a close second. As businesses rush to transform at an incredible pace, the security risks arising from working remotely may often be accepted as part of the new status quo, or go completely unnoticed.

For most organisations, the perimeter is the main focal point when discussing security posture. Shifting operations to a work-from-home model means that the trusted perimeters suddenly become porous. The combined inability to ensure neither the physical security of user assets nor the security of the network to which people are connecting means that the traditional first line of defence can no longer be counted on to protect internal assets. This potentially leaves host vulnerable to attacks that otherwise would have been stopped by compensating controls deployed on the corporate network. A considerable part of the usual security layers have been peeled away, and thus continuous detection and response capabilities become paramount.

Tasked with uninterrupted security monitoring, a Security Operations Center (SOC) plays a key role in protecting the network. In the current context, SOCs need to assume that organisational assets are being connected to unsecured home networks, possibly sharing them with other compromised devices. The SOC maintains the integrity of hosts and networks by detecting and responding to anomalous or malicious behaviour of potentially compromised assets before they become a foothold for the attacker or a pivot point into the internal production environment.

In normal conditions, a SOC must have specific attributes to be considered relevant and fit for purpose. These include technical expertise, ability to correlate security-relevant events, a process through which threats are dealt with, and the infrastructure required to perform security monitoring and response. However, in unique conditions – such as a global pandemic, or even the benign transition into a new working model - the SOC’s standard attributes need to be complemented by the increased visibility of host behaviours in order for the SOC to protect an organization. Ultimately, monitoring capabilities need to be elevated to a point where even minor drifts from standard configuration are identified, thus ensuring early detection of threats and preventing an escalation of privileges or lateral movement. The concept of Zero Trust has become critical to put into practice. It should be extended to include not only the corporate assets but all software and services being used extensively throughout this period, most notably video conferencing and file-sharing platforms, by implementing strict user access controls.

Building on these principles, the responsibilities of a SOC should be designed to remove the ambiguity brought upon by the change of work patterns. Organisations that utilise SOCs can take proactive measures to lower the risk of a breach when the entire workforce is working from home. These include:

  • Continuous monitoring
  • Taking decisive action when faced with a compromised host
  • Proactively searching for hidden threats that go undetected
  • Constantly improving the efficiency and effectiveness of the security controls through fine-tuning.

Focusing on the newly exposed attack surface available for threat actors, SOCs must adapt to the new threat model that their organisations are facing. Most organisations have never considered a business continuity scenario that involved everyone working from home, this is now the reality. The criticality of secure operation under these conditions cannot be understated, and deficiencies should be addressed in order to prevent the erosion or fracture of the security posture.

Visit Digital14.com today, and learn how to prepare your organisation and your SOC during these times.

We Are Digital14

Connect with us