The COVID-19 pandemic creates some unique opportunities for security professionals to mature their security controls.

As pragmatic professionals we can categorize what we know about our environment into:

  • Things we know that we know
  • Things we know that we don’t know
  • Things we don’t know that we don’t know

COVID-19 has created an opportunity to move more questions from the ‘things we know that we don’t know‘ bucket over to ‘things we know we know‘. These include:

  • What our network baseline looks like with the minimum number of people working in the office.
  • What our egress network traffic baseline looks like with the maximum number of people working remotely from home.
  • What VPN and remote access applications are being used (approved and unapproved).
  • What admin credentials are being used by remote workers.

My two favorites are:

  • Egress network baseline
  • One to one VPN verification

Here I’ll focus on the first one, ‘egress baseline‘. 

When I help companies perform a NIST cybersecurity maturity assessment, one of the controls I consistently see room for improvement on is establishing ‘a baseline of network operations and expected data flows for users and systems’ (NIST CSF Detect, DE.AE-1). Teams often struggle with how to collect a baseline in the first place. Once it has been collected once, how often are follow-up collections performed? How do we know which collection is the most accurate? And once we have all this data, what do we do with it?

Answering these questions is a long maturity progression. The practical way to start is to baseline a flow that matters, such as egress traffic, and measure it during windows that represent the range of normal traffic. Two egress traffic baselines I recommend collecting are:

  1. Workday busy time
  2. Off-peak weekend time

For follow-up collection I recommend starting with every ninety days. For me, I put a recurring appointment on my calendar and set a reminder, and I include in the reminder a link to the log file I maintain for recording and reference. If you want to step it up, collect every thirty days. The two collection windows become your two range samples.

The ‘workday busy’ will provide the high range traffic measurement, and the ‘off peak weekend’ will provide the low range traffic measurement, ultimately providing you with a spectrum that can be used for reference. 

For companies with low maturity, these baselines will mainly be used during a serious security investigation or after a breach. A partner firm, forensic team, or internal team can use them as artifacts to determine whether egress traffic has increased.

One important statistic to record alongside this data is your employee count. Dividing total traffic by employee count gives a per-employee average, so you can adjust older baselines to current headcount or calculate projections. Keep in mind that this normalization only holds for user-driven traffic; scheduled server traffic such as backups or replication does not scale with headcount and is better tracked on its own.

More mature companies can turn this comparison into an ongoing process, and some tool-sets help. Palo Alto Panorama has useful features for this kind of analysis: clear graphs and bar charts that break traffic down by type and by current volume, and reporting that can be broken down by user and by application.

Now that your company probably has the fewest people in the office it will ever experience, and the most people working from home (notice I said from home, not remotely), you have an opportunity to gather a baseline that has never before been possible.

Use this to perform a new ‘minimum’ network baseline of ‘home-based workers’. As before, divide the traffic measurement by employee count to get a per-employee average that still holds when the employee count changes. If you want to mature this measurement (and you’re already in the system), what I like to do is pull a ‘top ten’ report: the ten users with the most traffic and the ten applications with the most traffic. This tells a little more of the story happening on egress. Once you have repeated this process several times you should be confident of what those top ten applications are. In the future, when investigating something like data exfiltration, you can quickly check application egress traffic to see whether something has entered or exceeded your top ten list.

One word of warning: it’s easy to get carried away with traffic analysis. Build efficiency into the process and document it so anyone can perform it easily, quickly, and consistently. Only pull data that you’re going to use; some data is so specific and unique that it is difficult to compare against in the future.

An additional maturity step is to dedicate a week to collecting this baseline hourly. Use that data to identify the busiest and slowest hours within ‘workday busy’ and ‘off-peak weekend’, which lets you expand your baselines into an ‘off-peak’ range and a ‘working’ range. Then set a delta expectation, such as 30%, that triggers an investigation whenever egress traffic exceeds the top of the applicable range by more than that percentage. Compare a working-hour measurement against the working range and a weekend measurement against the off-peak range, and adjust the delta over time until you find the appropriate control for your unique network.
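The bookkeeping described above (per-employee normalization, the top-ten report, the hourly working and off-peak ranges, and the delta check) is small enough to script. The following is an added example, not code from the original post or from any vendor tool. It parses a constructed CSV export of hourly egress totals (day, hour, user, application, bytes) in the shape most firewall or NetFlow reporting tools can produce; the column names, the 08:00-17:59 working-hours window, the 200-person headcount and the application labels are all assumptions, and the traffic figures are made up.

```python
"""Egress baseline bookkeeping: working/off-peak ranges, per-employee
normalization, top-N report, and a headcount-adjusted delta check.

Added example, not code from the original post. Column names, working
hours, headcounts and traffic figures below are assumptions."""
import csv
import io
from collections import defaultdict

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri"}
WORKING_HOURS = range(8, 18)  # assumed 08:00-17:59 local; adjust to your site

# Constructed sample: one week of hourly egress rows in bytes, NOT real traffic.
CONSTRUCTED_EXPORT = """\
day,hour,user,app,bytes_out
Mon,9,alice,ms-office365,420000000
Mon,9,bob,zoom,610000000
Mon,14,alice,ms-office365,380000000
Mon,14,carol,dropbox,150000000
Tue,10,bob,zoom,590000000
Tue,10,carol,ms-office365,300000000
Tue,15,dave,rsync,120000000
Sat,11,alice,ms-office365,20000000
Sat,11,bob,zoom,35000000
Sun,16,carol,dropbox,40000000
Sun,16,dave,ssh,5000000
"""

def parse_export(text):
    """Parse the CSV export into row dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"day": r["day"], "hour": int(r["hour"]),
                     "user": r["user"], "app": r["app"],
                     "bytes_out": int(r["bytes_out"])})
    return rows

def hourly_totals(rows):
    """Sum bytes_out per (day, hour) bucket."""
    totals = defaultdict(int)
    for r in rows:
        totals[(r["day"], r["hour"])] += r["bytes_out"]
    return dict(totals)

def baseline_ranges(rows):
    """(low, high) hourly egress for the 'working' window (weekday working
    hours) and the 'off_peak' window (weekend). Weekday hours outside the
    working window belong to neither range in this example."""
    working, off_peak = [], []
    for (day, hour), total in hourly_totals(rows).items():
        if day in WEEKDAYS:
            if hour in WORKING_HOURS:
                working.append(total)
        else:
            off_peak.append(total)
    return {"working": (min(working), max(working)),
            "off_peak": (min(off_peak), max(off_peak))}

def per_employee(byte_count, headcount):
    """Normalize a measurement by headcount so old and new baselines compare."""
    return byte_count / headcount

def top_n(rows, field, n=10):
    """Top-N users or applications by total egress, highest first."""
    totals = defaultdict(int)
    for r in rows:
        totals[r[field]] += r["bytes_out"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def exceeds_baseline(observed, baseline_high, headcount_then, headcount_now, delta=0.30):
    """Scale the baseline high to today's headcount, then flag when the
    observed hourly total exceeds it by more than `delta` (30% by default).
    Returns (flagged, threshold_bytes) so the threshold can be logged."""
    scaled_high = baseline_high * headcount_now / headcount_then
    threshold = scaled_high * (1 + delta)
    return observed > threshold, threshold

def new_top_apps(baseline_top, current_top):
    """Applications in the current top list that were absent from the
    baseline top list: the 'has something entered my top ten' check."""
    known = {app for app, _ in baseline_top}
    return [app for app, _ in current_top if app not in known]

if __name__ == "__main__":
    rows = parse_export(CONSTRUCTED_EXPORT)
    ranges = baseline_ranges(rows)
    print("ranges:", ranges)
    print("working high per employee (200 staff):", per_employee(ranges["working"][1], 200))
    print("top apps:", top_n(rows, "app", 3))
    print("top users:", top_n(rows, "user", 3))
    # Constructed follow-up: headcount grew from 200 to 250 and 1.5 GB was
    # observed in one working hour. Scaled to headcount it is within 30%;
    # compared against the raw baseline it would have been flagged.
    print("scaled:", exceeds_baseline(1_500_000_000, ranges["working"][1], 200, 250))
    print("unscaled:", exceeds_baseline(1_500_000_000, ranges["working"][1], 200, 200))
    current = [("zoom", 1_300_000_000), ("mega", 900_000_000), ("ms-office365", 800_000_000)]
    print("new top apps:", new_top_apps(top_n(rows, "app", 3), current))
```

The two calls to `exceeds_baseline` show why the employee count matters: the same 1.5 GB hour is inside the 30% delta once the baseline is scaled to the larger headcount, and outside it when compared against the raw figure. `new_top_apps` is the quick exfiltration triage from the previous section: an application that was never in the baseline top list but now is deserves a look before anything else.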

Conclusion

Use the unique opportunity that COVID-19 presents to collect network baseline information. By performing this control you move something you didn’t know into something you do know, and you mature your cybersecurity program.

Question:

What other opportunities does COVID-19 present for cybersecurity professionals to improve controls?
