The share of the workforce working remotely and the percentage of freelancing workers was steadily rising worldwide, even before the spread of the COVID-19 virus. Working entirely from home or performing specific tasks remotely is already a routine across organizations of all sizes and all industry verticals. The spread of the coronavirus only speeds up the process of shifting toward a more flexible work environment in which work from home plays an increasingly important role.

In 2020, over one-third of the workforce in developed economies work remotely full-time or perform work tasks from home very often.

Datashield has been providing managed detection and response using full packet capture and logs from leading SIEM tools for over a decade. We have experienced analysts, engineers, and support staff ready to help your company defend against attacks on-premise, in the cloud, and in hybrid environments. Contact us today for a free consultation.

Heading toward Remote Work World

Source: Statista

With just 35% of the workers saying they are working remotely occasionally, we can safely estimate that some two-thirds of the workforce is already working from remote locations – part-time or full-time.

While moving toward an increasingly remote workforce is a decade-long trend, so is the problem with making work from home as safe and secure as possible. Securing numerous desktop and mobile devices in use by remote employees is a challenge for every organization, especially among organizations that are adopting emergency remote work strategies due to the COVID-19 pandemic.

The coronavirus pandemic only accelerated an already irreversible trend of having more and more employees working remotely. Statistical data shows that the number of people working remotely at least once a week has gone up by an impressive 400% over the last decade. Estimates are that about 70% of the global workforce will work remotely at least five days a month by 2025. Furthermore, recent surveys show that around half of the workforce say they would work remotely for the rest of their lives, if possible.

Globalization and the adoption of cloud services make it possible for any organization to introduce work-from-home practices or hire remote teams and freelancers for specific tasks or projects. Still, cybersecurity problems add pressure on organizations to make every effort possible to secure their perimeter, extending to multiple remote devices, systems, and cloud platforms.

The use of firewalls and antivirus software for securing connections to and from remote locations is only a part of the solution. Organizations need a holistic and proactive approach by implementing solutions such as Security Information and Event Management (SIEM) software that tracks and analyzes activity from many different resources across a complex and widely distributed IT infrastructure.

What Is SIEM and How Does it Work?

A SIEM platform is a tool that aggregates and analyzes data collected from an organization's networked computing resources. The core functionalities of a SIEM include reporting and forensics about security incidents but the main strength of SIEMs lies with their capabilities to generate security alerts based on events that match a specific ruleset. A SIEM tool can spot abnormal behaviors and suspicious activities, which enables the detection of unknown threats.

Time to respond and in-depth threat analysis are other core capabilities of SIEM systems, but they offer many other security features, including:

• Security monitoring and advanced threat detection
• Forensics and fast incident response
• Log collection and normalization of data collected
• Security notifications and alerts
• Security incident detection
• Threat response workflows
• Compliance reporting

SIEM tools are monitoring and analyzing data coming from all accounts and passing through firewalls and antivirus filters. Organizations can have a centralized view over suspicious activities originating from any account within a complex IT ecosystem with multiple remote endpoints and multiple network entry points.

Having a centralized platform for gathering data from dozens and hundreds of remote devices is of utmost importance for securing a network, especially in a remote workforce. As remote workers switch to mobile devices to perform their day-to-day tasks and use various applications and Wi-Fi networks to access corporate networks, having a reliable SIEM tool becomes essential.

Importance of SIEM Adoption for Networks with Remote Devices

Before 2020, the industries leading the pack in allowing remote work comprised of organizations working mostly in financial services, professional and business services, and information-related companies.

Leading Remote Work Industries

Source: Statista

Once the pandemic emerged, industries like education, healthcare, and public administration rapidly moved towards remote work models. Currently, almost all industries have been touched by the pandemic and its need for remote working operations, while the need to protect sensitive and personally identifiable data remained the same.

With so many fundamental industries working from home, organizations need to secure inbound and outbound connections to devices connecting to their corporate networks through various applications and external networks. Although a SIEM cannot act as a silver bullet for securing a sophisticated corporate network, it provides the tools to monitor a significant number of connected devices and user accounts and detect abnormal behavior by each account requesting access to a networked resource.

Implementing solutions that include a SIEM system is also required for organizations that do not need to comply with strict data regulations since the shift toward working from home inevitably results in a growing number of user accounts accessing the corporate perimeter from outside. Having even a few employees working from home full-time drastically changes the security paradigm in which an organization operates and introduces new risks associated with unknown applications, networks, and devices requesting access to the perimeter.

Analyzing user account and application behaviors before they pass through the firewall and antivirus defenses is essential for sustainable cybersecurity. SIEM can be of great advantage in many use case scenarios that involve numerous users or devices continuously accessing a corporate network from remote locations.

How to Implement SIEM in Remote Work Scenarios

SIEM implementation can make a difference when an organization must secure a large number of connections coming from a remote workforce.

Excessive Permissions and Credentials Sharing

With an increasing number of remote employees, organizations face a mounting challenge to redefine and reassign user permissions and login credentials. A SIEM provides useful tools for assessing user access rights and find excessive user permissions held by remote employees. Organizations must cope with access to sensitive digital assets from outside the perimeter, limiting users who need access to certain assets for completing their jobs.

Another problem comes from users sharing login credentials between themselves without realizing that accessing corporate systems from outside the perimeter brings new risks into the equation. A SIEM provides a solution for such problems by detecting login attempts from IP addresses not supposed to have access to specific resources despite valid credentials.

Access to Sensitive Data

When multiple user accounts access the network from remote locations, it is impossible to manually track who is accessing what is involved in sensitive data. A SIEM can help track an unusual number of requests for access to sensitive corporate data or detect an increasing number of requests from accounts that need such data only occasionally.

Detection of Phishing Attacks

Most enterprise-grade SIEM solutions have machine learning capabilities and use AI algorithms to detect and issue early warnings on phishing attacks targeting email accounts across the organization's domain name addresses.

These SIEMs analyze email data by scrutinizing message senders, email domains, subjects, and attachment names and file types to detect phishing attacks.

Monitoring of Cloud Applications

With a working SIEM, organizations can monitor the behavior of cloud applications for suspicious patterns and thus mitigate the risks associated with the ever-growing adoption of cloud apps. A SIEM can detect unauthorized access to cloud data and apps, find excessive user rights, or identify compromised data.

As remote work usually requires a virtual private network (VPN), a SIEM comes in handy by enabling IT teams and system administrators to monitor remote authentication and VPN devices. It is specifically vital in a remote workforce, as those connections can easily become a single point of failure.

Compliance and License Monitoring

By adopting a full-fledged SIEM, an organization can keep track of software license usage and data regulations compliance by monitoring application usage by users, hosts, and IP addresses.

Such SIEM usage is significant for organizations that must comply with government regulations and industry standards such as GDPR, HIPAA, California Consumer Protection Act, or PCI DSS.

Endpoints Security Monitoring

A small-scale organization can avoid being infected with malware for a relatively long period. Still, it is only a matter of time for an endpoint in a large organization with many remote employees to witness one or more remote devices compromised.

With a SIEM, organizations can detect malware communication and abnormal process happening on endpoints in use by a remote workforce, including mobile devices.

We have more scenarios involving a SIEM and remote endpoints operated by work-from-home employees. Still, those SIEM use case scenarios depend on the specific circumstances in which an enterprise operates.

Conclusion

Organizations will need to make every effort to secure their business ecosystems in the context of increasingly open remote workforce environments. The trend toward working from home is inevitable and will only accelerate in the immediate future, the pandemic factor being the primary driver.

While organizations should take a holistic cybersecurity approach and implement as many IT security tools as required, adopting a SIEM solution can give them a centralized platform for detecting and managing the security risks and alerts generated from all their connected resources.