Anyone in the business of defending computer networks knows that attackers have the advantage over the long run. To secure a network, we must secure every device, entry point, and pathway and educate every end-user.
On the other hand, attackers need to discover only one mistake, or trick one user, at one point in time, to gain entry.
We have to be nearly perfect; they simply have to succeed.
Where to start?
With that daunting premise in mind, what can we do to best protect our clients, their businesses, and ourselves? There is no single right answer, and there are a lot of moving parts. I take a three-pronged approach to this in my practice. I protect endpoints, the perimeter, and my own practice. But before we dive in, I want to revisit what happened to so many of us about nine months ago.
Overnight changes
In March, like so many, I had to suddenly shift half of our clients’ staff to remote work, most of them in one week. To make this shift quickly, I cut some corners, which is not something anyone in IT security wants to say. We did not start forwarding RDS, but we did violate our “Prime Directive” and allow unmanaged endpoints to connect to our networks. With a 30% increase in exploits focused on RDS by April (according to SANS Institute), the miscreants are ahead of the game.
I decided the best option was to provide proxied RDS service to our remote users to allow them the benefits of SSLVPN connectivity without the complications of securing SSLVPN connectivity. That gave me a significant degree of insulation against threats migrating from the remote (home) machine to the target (office) machine. Of course, you have to monitor this new pathway, so working with a vendor that monitors for anomalous behavior (such as out-of-geo logins, multiple login failures, etc.) is crucial.
Defending your endpoints
Next, I decided to better protect our target endpoints, adding a threat hunting client that worked in concert with the next generation, non-signature AV client we use. I backed that up with SOC services that were tied to the client, providing us the ability to lock the endpoint down for remediation should any anomalous behavior become apparent to the SOC. This is not the endgame, and as time passes, we will move back to allowing only managed endpoints into our network. But the need to quickly provide remote access to unknown endpoints really drove this choice. And it works.
MS365 — another “endpoint”
With so much being done in M365, it makes sense to treat it as an endpoint. Of course, every mailbox needs spam filtering, but with the explosive rise of phishing attacks, dedicated phishing protection is also wise. We use a service that detonates every link in every email, quarantining any messages with malicious links. Looking out for anomalous behavior in your M365 tenants should be part of your toolset; think of it as SOC service for your M365 tenants. And do not forget about the comprehensive backup of Outlook, OneDrive, SharePoint, and Teams.
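The kind of checks a monitoring vendor runs on the proxied remote-access path described under “Overnight changes” and on M365 sign-in activity can be sketched in a few dozen lines. The block below is an added example written for this page; it is not code from the post, from any vendor mentioned, or from Microsoft. The login events, the per-user expected-country policy, and the thresholds are all constructed assumptions; a real deployment would read the RDS gateway or Azure AD sign-in logs instead.

```python
"""Toy anomaly checks over constructed remote-access login records.

Flags three behaviours: a burst of failed logins for one account inside a
short window, a successful login shortly after such a burst (the shape of a
password-guessing run that eventually worked), and a successful login from a
country outside the account's expected set ("out of geo").
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields: time, user, source country, result.
SAMPLE_EVENTS = [
    "2020-12-14T08:01:10Z alice US success",
    "2020-12-14T08:02:30Z bob   US failure",
    "2020-12-14T08:02:41Z bob   US failure",
    "2020-12-14T08:02:55Z bob   US failure",
    "2020-12-14T08:03:07Z bob   US failure",
    "2020-12-14T08:03:20Z bob   US failure",
    "2020-12-14T08:03:33Z bob   US success",
    "2020-12-14T09:15:00Z carol US success",
    "2020-12-14T09:47:12Z carol NL success",
    "2020-12-14T10:00:00Z alice CA success",
]

# Hypothetical per-account policy: countries each user is expected to sign in from.
EXPECTED_COUNTRIES = {
    "alice": {"US", "CA"},
    "bob": {"US"},
    "carol": {"US"},
}


def parse_event(line):
    """Split one whitespace-separated record into a dict with a parsed timestamp."""
    ts, user, country, result = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "country": country, "result": result}


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return (user, time) once a user reaches `threshold` failures within `window`.

    Uses a per-user sliding window; the window is cleared after an alert so one
    sustained burst produces one alert rather than one per extra failure."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "failure":
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["user"], ev["time"]))
            q.clear()
    return alerts


def success_after_burst(events, bursts, grace=timedelta(minutes=5)):
    """Return (user, time) for successful logins within `grace` after a flagged burst."""
    by_user = defaultdict(list)
    for user, t in bursts:
        by_user[user].append(t)
    return [(ev["user"], ev["time"]) for ev in events
            if ev["result"] == "success"
            and any(timedelta(0) <= ev["time"] - t <= grace for t in by_user[ev["user"]])]


def out_of_geo_logins(events, expected):
    """Return (user, country, time) for successful logins from an unexpected country.

    A user with no policy entry has an empty expected set, so every login is flagged."""
    return [(ev["user"], ev["country"], ev["time"]) for ev in events
            if ev["result"] == "success"
            and ev["country"] not in expected.get(ev["user"], set())]


def run(lines=SAMPLE_EVENTS, expected=EXPECTED_COUNTRIES):
    """Parse the records and return all three alert lists keyed by check name."""
    events = [parse_event(line) for line in lines]
    bursts = failed_login_bursts(events)
    return {
        "failed_bursts": bursts,
        "success_after_burst": success_after_burst(events, bursts),
        "out_of_geo": out_of_geo_logins(events, expected),
    }


if __name__ == "__main__":
    for kind, items in run().items():
        for item in items:
            print(kind, *item)
```

On the constructed data this reports bob’s five failures at 08:03:20, bob’s success thirteen seconds later, and carol’s sign-in from NL. The thresholds are deliberately conservative defaults to tune against a client’s real baseline; the “success after burst” check is the one most worth routing to a SOC for endpoint lockdown, since it is the point at which guessing turned into access.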
Defending the perimeter
Now that “Work from Anywhere” is our new normal, the very concept of the network perimeter is almost quaint. But most of us still have clients with traditional networks to protect, and that still means starting with a sophisticated firewall, well hardened and monitored. We should also manage, secure, and monitor on-premises WiFi access. And we have to provide secure remote access for our users. This used to mean SSLVPN, whether through the firewall or a dedicated device. As discussed earlier, I have moved to proxied RDS for this, rather than SSLVPN clients.
Defending ourselves as providers
You should have a strong culture of using the same products and services you deliver, or “eating your own dog food” as we say here. That is how I make sure we develop an intimate understanding of our tools. We develop processes and procedures, execute from checklists, and then carefully check our work. As nearly daily news of attacks on MSPs and the providers of their toolsets breaks (including today’s SolarWinds revelations), it has become clear that we as MSPs are the new targets. That leads to my final thought here: every MSP should understand what their E&O and cyber liability policies do and do not cover. A good talk with your insurance provider is probably wise.