Log management strategy to help secure users working from home
Maintain visibility for remote work with log management
April 20th, 2020
Given the global pandemic we are all facing, we have entered a new era of work-from-home at scale. To cope with this new way of working, many organizations quickly granted remote access to large numbers of employees, all with different roles and permissions, connecting from an unknown number of endpoints sitting outside the corporate firewall.
This means we are more exposed than ever: the attack surface has grown, and so has the risk to business-critical applications, distributed systems, and data. Improving visibility into the infrastructure and protecting these assets helps reduce the attack surface, keep a potential breach from escalating, and slow the spread of malicious activity.
Gartner recently published a blog post, Are Your New Remote Workers Visible to Security Operations?, which points out that IT and security teams need visibility into the new work arrangements:
"Security teams must pay close attention to how new work arrangements affect security visibility.
"Due to coronavirus, companies are seeing an unprecedented amount of remote work. Whether mandated by the government or the organization, businesses are asking many (if not all) employees to work from home. While this move creates obvious challenges for IT in terms of infrastructure and capacity, it’s also creating challenges for security teams as they push to scale remote work on a rapid and global level.
"Many are utilizing remote working systems that have not been operationally tested as part of their core security operations monitoring. For many, the likely result is fewer security alerts and issues because the corporate infrastructure will not be subject to the same levels of usage in areas such as internet browsing, and users may be working from web-based applications on non-company-sanctioned assets."
There are immediate steps Humio users can take to help secure an environment adapting to more employees working from home.
McKinsey recently shared Cybersecurity tactics for the coronavirus pandemic, outlining steps to cover the gaps opened up by employees working from home. Their suggestions touch on the topics below, each of which is an area where Humio can help.
ACCOUNT FOR SHADOW IT
"Keep an eye out for new shadow-IT systems that employees use or create to ease working from home, to compensate for in-office capabilities they can't access, or to get around obstacles." (McKinsey)
Ship Sysmon and Windows event logs to Humio and use them to detect new software appearing across the organization. Sysmon process-creation events (Event ID 1) are the most direct signal: compare the process images you see against a baseline of sanctioned software, and pay close attention to new applications, to programs launched from user-writable locations such as a user's profile directory, and to processes performing activity that looks suspicious.
Docs: Winlogbeat Data Shipper
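The check described above, written out as an added example in Python (this is not code from the original post or from Humio). It runs over constructed Sysmon Event ID 1 records reduced to a simplified JSON shape; the field names `host`, `event_id`, `user`, `image` and `parent_image`, the baseline list and the "user-writable path" markers are all assumptions for the example and should be mapped to your real shipped fields.

```python
import json
import re
from collections import defaultdict

# Constructed sample records: Sysmon events after shipping, reduced to the
# fields this check needs. Field names are an assumption for the example.
SAMPLE_EVENTS = r"""
{"host": "WS-042", "event_id": 1, "user": "CORP\\alice", "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe"}
{"host": "WS-042", "event_id": 1, "user": "CORP\\alice", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "parent_image": "C:\\Windows\\explorer.exe"}
{"host": "WS-042", "event_id": 1, "user": "CORP\\alice", "image": "C:\\Users\\alice\\AppData\\Local\\FileSync\\filesync.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"host": "WS-017", "event_id": 1, "user": "CORP\\bob", "image": "C:\\Users\\bob\\AppData\\Local\\FileSync\\filesync.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"host": "WS-017", "event_id": 3, "user": "CORP\\bob", "image": "C:\\Users\\bob\\AppData\\Local\\FileSync\\filesync.exe", "dest_port": 443}
{"host": "WS-099", "event_id": 1, "user": "CORP\\carol", "image": "C:\\Users\\carol\\Downloads\\remote-helper.exe", "parent_image": "C:\\Windows\\explorer.exe"}
"""

# Assumed baseline of sanctioned software, stored lower-cased so the
# comparison is case-insensitive (Windows paths are).
BASELINE_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\microsoft office\root\office16\outlook.exe",
}

# Path fragments that indicate a program running from a user-writable
# location, i.e. installed without admin rights (assumed heuristic).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Matches the per-user part of a profile path, e.g. c:\users\alice\
PROFILE_RE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)


def parse_events(text):
    """Parse one JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def process_creations(events):
    """Keep only Sysmon Event ID 1 (process creation) records."""
    return [e for e in events if e.get("event_id") == 1]


def normalize_image(image):
    # Collapse the user name in profile paths so the same program installed
    # by different users counts as one image (C:\Users\alice\... becomes
    # C:\Users\*\...).
    return PROFILE_RE.sub(r"C:\\Users\\*\\", image)


def new_images(events, baseline=BASELINE_IMAGES):
    """Images not in the baseline, with the hosts they ran on.

    Returns a list of (normalized_image, sorted_hosts), most widespread
    first: a program showing up on many hosts at once is more likely to be a
    tool the workforce has adopted than a one-off.
    """
    hosts_by_image = defaultdict(set)
    for e in process_creations(events):
        if e["image"].lower() not in baseline:
            hosts_by_image[normalize_image(e["image"])].add(e["host"])
    return sorted(((img, sorted(hosts)) for img, hosts in hosts_by_image.items()),
                  key=lambda item: (-len(item[1]), item[0]))


def user_writable_launches(events):
    """(host, user, image) for every process started from a user-writable path."""
    hits = []
    for e in process_creations(events):
        lowered = e["image"].lower()
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            hits.append((e["host"], e["user"], e["image"]))
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for image, hosts in new_images(events):
        print(f"new image on {len(hosts)} host(s): {image} {hosts}")
    for host, user, image in user_writable_launches(events):
        print(f"launched from user-writable path: {host} {user} {image}")
```

On the constructed data the baseline comparison surfaces one program that two users installed into their profiles and one download run from a single machine, which is exactly the ranking you want when triaging shadow IT: investigate the widespread tool first. Keep the baseline in version control and regenerate it from a known-good period, otherwise every Windows update will flood the "new image" list.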
IDENTIFY AND MONITOR HIGH-RISK USER GROUPS
“High-risk users should be identified and monitored for behavior (such as unusual bandwidth patterns or bulk downloads of enterprise data) that can indicate security breaches.” (McKinsey)
Use Humio to maintain visibility into the audit logs of file shares and file servers. Confirm that file transfers are legitimate by setting up alerts where appropriate. Graph downloads per user over time and watch for unexpected spikes: a large volume of files being downloaded or moved in a short window stands out clearly against that user's own normal activity.
Watch for behavior that indicates an account may have been compromised, particularly accounts with broad access, such as the CEO's. You may also need to monitor the activity of internal users who pose a higher risk, such as those who believe they may be laid off.
Docs: Time Chart
"Widening the scope of organization-wide monitoring activities, particularly for data and endpoints, is important for two reasons. First, cyberattacks have proliferated. Second, basic boundary-protection mechanisms, such as proxies, web gateways, or network intrusion-detection systems (IDS) or intrusion-prevention systems (IPS), won’t secure users working from home, off the enterprise network, and not connected to a VPN.” (McKinsey)
More than ever, it is important to log more than you think you need, so that you can see what is actually happening. This is a good time to get a handle on network logs; consider using sensors designed for efficient network monitoring, such as Corelight.
Supplement network monitoring with endpoint logs from sources such as Sysmon and Windows event logs.
Because much of the activity now happens outside the firewall, re-examine what counts as normal: behavior that was routine in the office may look different, or be missing entirely, when users work from home. Apply whatever layers of monitoring you have available, even if the coverage is not comprehensive. For example, look for new processes on endpoints that are connecting to the corporate network when they have no reason to.
Docs: Data Shippers
ENSURE SUFFICIENT CAPACITY
“Companies that make it possible for employees to work from home must enable higher online network-traffic and transaction volumes.” (McKinsey)
With new endpoints and new activities comes extra data, and it’s important to pay closer attention to that new data. Humio’s architecture is designed for efficiency, and to gracefully handle occasional bursts of data.
If you haven’t already, you should consider switching to Bucket Storage to save on storage costs.
If you have concerns about being able to ingest, search, and store additional data, let us know. We’re always happy to talk about how we can help.
Docs: Bucket Storage
IMPROVE CAPACITY MANAGEMENT
“Overextended web-facing technologies are harder to monitor and more susceptible to attacks. Security teams can monitor the performance of applications to identify suspected malware or low-value security agents....” (McKinsey)
In times of unexpected activity, additional data, and increased monitoring, servers can become overworked. With so many people using the internet at scale, it is important to keep the infrastructure running as smoothly as possible. Humio can help detect problems early and show where systems are lagging, so they can be remediated before they lead to downtime.
Set up performance monitoring on widely used web tools, even if it is as simple as charting the number of HTTP errors (for example, 5xx responses per minute) on your web servers and alerting when that count jumps above its usual level.
Docs: Data Sources
Docs: Built-in Parsers
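The two spike checks recommended above (bulk downloads from a file share per user, and HTTP error counts on a web server) are the same computation: sum a value into fixed time buckets per key, as a time chart would, then compare each bucket against that key's own history. The Python below is an added example, not code from the original post or from Humio; the audit-log and access-log line formats, the field names, and the thresholds (5x the median hour and at least 20 MB for downloads, 3x the median 5-minute window and at least 3 errors for the web server) are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed file-share audit records (format assumed for the example):
# "<UTC timestamp> user=<account> action=<read|write> bytes=<n>"
SHARE_AUDIT = """\
2020-04-14T08:05:12Z user=alice action=read bytes=2400000
2020-04-14T08:40:40Z user=alice action=read bytes=1800000
2020-04-14T09:11:05Z user=alice action=read bytes=2100000
2020-04-14T09:52:33Z user=alice action=read bytes=2600000
2020-04-14T10:14:20Z user=alice action=read bytes=1900000
2020-04-14T11:03:10Z user=alice action=read bytes=41000000
2020-04-14T11:07:18Z user=alice action=read bytes=39000000
2020-04-14T11:09:49Z user=alice action=read bytes=45000000
2020-04-14T08:10:00Z user=bob action=read bytes=500000
2020-04-14T11:10:00Z user=bob action=read bytes=700000
2020-04-14T11:12:00Z user=bob action=write bytes=300000
"""

# Constructed web server access lines (format assumed for the example):
# "<UTC timestamp> <method> <path> <status>"
WEB_ACCESS = """\
2020-04-14T11:00:03Z GET /login 200
2020-04-14T11:01:17Z GET /portal 200
2020-04-14T11:03:44Z POST /login 502
2020-04-14T11:05:02Z GET /portal 200
2020-04-14T11:06:30Z GET /portal 200
2020-04-14T11:08:11Z GET /files 503
2020-04-14T11:10:05Z GET /portal 503
2020-04-14T11:10:40Z POST /login 502
2020-04-14T11:11:22Z GET /portal 503
2020-04-14T11:12:09Z GET /files 504
2020-04-14T11:13:51Z GET /portal 503
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def iso(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_share_reads(text):
    """(timestamp, user, bytes) for read operations; writes are ignored."""
    records = []
    for line in text.splitlines():
        m = re.match(r"(\S+) user=(\S+) action=read bytes=(\d+)$", line)
        if m:
            records.append((parse_ts(m.group(1)), m.group(2), int(m.group(3))))
    return records


def parse_web_errors(text):
    """(timestamp, "all", 1) for every 5xx response, so sums become counts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].startswith("5"):
            records.append((parse_ts(parts[0]), "all", 1))
    return records


def bucket_sum(records, bucket_seconds):
    """Sum values per key per fixed time bucket (what a time chart plots).
    Returns {key: [(bucket_start_epoch, total), ...]} in time order.
    Buckets with no activity are absent, not zero."""
    totals = defaultdict(lambda: defaultdict(float))
    for ts, key, value in records:
        epoch = int(ts.timestamp())
        totals[key][epoch - epoch % bucket_seconds] += value
    return {key: sorted(buckets.items()) for key, buckets in totals.items()}


def find_spikes(series, factor, floor):
    """Flag a bucket whose total exceeds max(floor, factor * median of that
    key's earlier buckets). The median resists being dragged up by a previous
    spike; the floor keeps near-zero baselines from alerting on trivial volumes."""
    spikes = []
    for key, buckets in series.items():
        history = []
        for start, total in buckets:
            if history:
                threshold = max(floor, factor * median(history))
                if total > threshold:
                    spikes.append({"key": key, "start": iso(start),
                                   "total": total, "threshold": threshold})
            history.append(total)
    return spikes


def share_download_spikes(text=SHARE_AUDIT):
    # Hourly bytes read per user; alert at 5x that user's median hour, min 20 MB.
    return find_spikes(bucket_sum(parse_share_reads(text), 3600), factor=5, floor=20_000_000)


def web_error_spikes(text=WEB_ACCESS):
    # 5xx responses per 5 minutes site-wide; alert at 3x the median window, min 3.
    return find_spikes(bucket_sum(parse_web_errors(text), 300), factor=3, floor=3)


if __name__ == "__main__":
    for spike in share_download_spikes() + web_error_spikes():
        print(spike)
```

On the constructed data only alice's 11:00 hour (125 MB against a median of 4.2 MB) and the 11:10 web window (5 errors against a median of 1) are flagged; bob's slightly larger hour stays below the 20 MB floor. Two caveats carry over to a real deployment: the history is per key, so a user with no previous activity has no baseline and is never flagged (treat a first-ever large bucket as its own alert), and because empty buckets are absent the median is over active periods only.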
Be prepared for the unknown
Humio can help provide visibility into what is happening across your environment. Morten Gram, EVP at Humio, recently spoke with Digital Anarchist at RSA 2020. Hear how he describes the way Humio makes it possible to be prepared for the unknown.
Humio helps organizations prepare for the unknown
Please reach out to us if you have any questions or issues. We are here to help.
1. Gartner: Are Your New Remote Workers Visible to Security Operations?, Pete Shoard, April 3, 2020.
2. McKinsey: Cybersecurity tactics for the coronavirus pandemic, Jim Boehm, James Kaplan, Marc Sorel, Nathan Sportsman, and Trevor Steen, March 2020.