Industry Insights

Tips from the Trenches: Keep Your Security Ops Bearings

5 min Read

Nathan Hunstad

Principal Security Researcher and Engineer

In the past couple of weeks, our daily realities have been turned upside down. Routines have been drastically altered; people are understandably anxious; and each new day brings a new development that makes it hard to build any long-term plan. It’s frankly chaotic. And for security teams, chaos is probably the least-welcome visitor around. Nevertheless, for the safety of your organization, it’s important to do everything you can to keep your bearings, and determine how you can best protect people, infrastructure and data going forward.

One of the biggest changes that most organizations are now facing is the widespread shutdown of many business locations, whether restaurants, stores or offices. As a result, for those people who are able to work remotely, working from home has become the new reality — and in very short order. Some organizations are more amenable to remote work and have designed their security controls with that architecture in mind. However, many organizations have strained to provide services to their newly-remote workforce in a hurry, which makes it incredibly hard to ensure that security gets the attention it needs.

Regardless of how ready your security team is for these new working arrangements, here are some things to keep in mind as you reorient your attention to places that may be new or unfamiliar.

Make sure you understand your security visibility

Every organization has a set of security tools in place. Those tools are designed to look at various entities for information, be it endpoints, servers, web proxies, general network traffic, SaaS services or anything in between. Given the large-scale shift in work patterns, the value provided by your tools has shifted. Those controls that were placed at your corporate office perimeter, for example, are probably providing less value, while the data from your endpoint tools is likely more valuable. At Code42, we use endpoint tools like CrowdStrike, JAMF, Cisco Umbrella and our own Code42 application to maintain security visibility. Take a moment to review your toolset and understand what data you are still receiving, and perhaps more importantly, what data you are no longer able to see. Now may also be a good time to look at all the unused capabilities that your security tools include, and perhaps turn on some things that you didn’t need before.

A great way to broaden your perspectives on your new security landscape is to conduct tests of your security controls. If you have a set of alerts that you were reasonably comfortable with handling in the past, can you recreate some activities to verify that you can still detect and remediate them? If you have Red Team capabilities this is relatively easy to perform. But even if you don’t, there are plenty of ways to test security controls using scripts, test files and so on.
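Two of the checks described above, source visibility and control testing, can be scripted against the data your SIEM or log pipeline already holds. The following Python is an added example written for this article, not Code42's tooling: it reports which expected telemetry sources have gone quiet and whether tagged control tests produced the alerts they were meant to. All event and alert records are constructed, and the source and rule names are placeholders rather than any vendor's log format.

```python
"""Added example (not from the original article): two checks a security team
can run after a shift in working patterns.

1. Log-source freshness: which telemetry sources are still reporting?
2. Control self-test: did a tagged test activity produce the expected alert?

All data below is constructed for the example; source and rule names are
placeholders, not a particular vendor's format.
"""
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic.
NOW = datetime(2020, 3, 25, 12, 0, tzinfo=timezone.utc)

# Constructed sample events: (source, timestamp of its newest record).
SAMPLE_EVENTS = [
    ("edr_endpoint", NOW - timedelta(minutes=3)),
    ("dns_filter", NOW - timedelta(minutes=10)),
    ("office_firewall", NOW - timedelta(days=4)),   # quiet since the office emptied
    ("web_proxy_hq", NOW - timedelta(hours=30)),
    ("vpn_concentrator", NOW - timedelta(minutes=1)),
]

# Sources we expect to hear from; one that sends nothing at all is a gap too.
EXPECTED_SOURCES = {"edr_endpoint", "dns_filter", "office_firewall",
                    "web_proxy_hq", "vpn_concentrator", "badge_reader"}


def source_freshness(events, expected, now, max_age):
    """Return {source: 'ok' | 'stale' | 'missing'}.

    'stale'   - newest event is older than max_age
    'missing' - source is expected but sent no events at all
    """
    latest = {}
    for source, ts in events:
        if source not in latest or ts > latest[source]:
            latest[source] = ts
    report = {}
    for source in sorted(expected):
        if source not in latest:
            report[source] = "missing"
        elif now - latest[source] > max_age:
            report[source] = "stale"
        else:
            report[source] = "ok"
    return report


# Constructed alert stream. Each control test is run with a unique marker
# (a filename, hostname tag, or similar) so the resulting alert can be matched
# unambiguously to the test that triggered it.
SAMPLE_ALERTS = [
    {"rule": "suspicious_download", "marker": "ctest-2020-03-25-A",
     "ts": NOW - timedelta(minutes=2)},
    {"rule": "new_admin_account", "marker": "ctest-2020-03-25-B",
     "ts": NOW - timedelta(minutes=8)},
]

# Marker -> rule we expect to fire. Test C is included to show a failed check.
CONTROL_TESTS = {
    "ctest-2020-03-25-A": "suspicious_download",
    "ctest-2020-03-25-B": "new_admin_account",
    "ctest-2020-03-25-C": "usb_mass_storage",
}


def verify_control_tests(tests, alerts, now, window):
    """Return {marker: bool}: True when the expected rule fired for that
    marker within `window` of now, False when it did not."""
    seen = {(a["marker"], a["rule"]) for a in alerts if now - a["ts"] <= window}
    return {marker: (marker, rule) in seen for marker, rule in tests.items()}


def run_freshness():
    """Convenience wrapper using the constructed data and a 24h threshold."""
    return source_freshness(SAMPLE_EVENTS, EXPECTED_SOURCES, NOW, timedelta(hours=24))


def run_control_check():
    """Convenience wrapper using the constructed data and a 1h window."""
    return verify_control_tests(CONTROL_TESTS, SAMPLE_ALERTS, NOW, timedelta(hours=1))


if __name__ == "__main__":
    for src, status in run_freshness().items():
        print(f"{src:18} {status}")
    for marker, ok in run_control_check().items():
        print(f"{marker}: {'detected' if ok else 'NOT detected'}")
```

Run on real data, the freshness report is the quickest way to see which controls lost their view when people left the office, and the control check turns "I think that alert still works" into a yes-or-no answer per test marker.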

Understand business changes

Not only are people working in different ways, but many businesses are working on different priorities. The overall business risk environment has also changed, as issues like supply chain problems or business continuity in the wake of widespread illness become high priorities. As a result of these changes, your business partners may be looking at new technologies, working with new vendors, or dusting off old contingency plans that haven’t been acted upon in quite some time. Make sure that the security team is aware of these changes and understands any potential security ramifications.

For example, if a new vendor is brought in to provide additional manufacturing capacity, will that vendor also need remote VPN access to your network? Are vendor security audits still happening? And in cases where quick action is required, can the security team act nimbly and with proper risk appetite to allow the business to take necessary actions? The last thing that security teams want is to be viewed as obstacles in a time of crisis. That said, proper risk management still applies. There are absolutely times when security needs to draw firm boundaries, such as saying “No” to that request to open port 3389 to the Internet for all internal infrastructure.
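The "open port 3389 to the Internet" request is easy to refuse once, but harder to keep refused when rules are changed in a hurry. The following Python is an added example, not part of the article or Code42's tooling: it audits a list of firewall or security-group rules for sensitive services allowed from an unrestricted source, and shows the corrected form of such a rule scoped to an internal VPN pool. The rule records, their generic shape, the port list and the CIDRs are all constructed for the example.

```python
"""Added example (not from the original article): audit firewall / security
group rules for sensitive services exposed to the whole Internet, and show
the narrowed form of an offending rule.

Rule records use a generic constructed shape (name, proto, from/to port,
source CIDR); they are not any particular vendor's format.
"""
import ipaddress

# Ports whose exposure from 0.0.0.0/0 or ::/0 warrants a firm "no" or at
# least a review. Illustrative, not a complete catalogue.
SENSITIVE_PORTS = {
    22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql", 3306: "mysql",
    3389: "rdp", 5900: "vnc", 5985: "winrm-http", 5986: "winrm-https",
}

# Constructed sample rule set.
SAMPLE_RULES = [
    {"name": "allow-rdp-everyone", "proto": "tcp", "from": 3389, "to": 3389, "src": "0.0.0.0/0"},
    {"name": "allow-rdp-vpn-pool", "proto": "tcp", "from": 3389, "to": 3389, "src": "10.20.0.0/16"},
    {"name": "allow-https-public", "proto": "tcp", "from": 443,  "to": 443,  "src": "0.0.0.0/0"},
    {"name": "allow-all-v6",       "proto": "tcp", "from": 0,    "to": 65535, "src": "::/0"},
    {"name": "allow-smb-office",   "proto": "tcp", "from": 445,  "to": 445,  "src": "192.0.2.0/24"},
]


def is_unrestricted(cidr):
    """True for a source that is the entire v4 or v6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_sensitive_ports(rules):
    """Return [(rule name, port, service)] for every sensitive port that a
    rule allows from an unrestricted source. A rule covering a port range
    produces one finding per sensitive port inside that range."""
    findings = []
    for rule in rules:
        if not is_unrestricted(rule["src"]):
            continue
        for port, service in sorted(SENSITIVE_PORTS.items()):
            if rule["from"] <= port <= rule["to"]:
                findings.append((rule["name"], port, service))
    return findings


def narrow_source(rule, allowed_cidr):
    """Return a copy of `rule` with its source limited to `allowed_cidr`
    (e.g. the VPN client pool), leaving the original untouched."""
    ipaddress.ip_network(allowed_cidr, strict=False)  # validate before use
    return {**rule, "src": allowed_cidr}


if __name__ == "__main__":
    for name, port, service in exposed_sensitive_ports(SAMPLE_RULES):
        print(f"EXPOSED  {name:20} {port:5} {service}")
    # Constructed VPN pool; in practice this comes from your VPN configuration.
    fixed = narrow_source(SAMPLE_RULES[0], "10.20.0.0/16")
    print("corrected:", fixed)
```

Running this as part of change review, or on a schedule against exported rule sets, catches the broad rule whether it was added for RDP specifically or as a catch-all range like the `::/0` entry, which is the case people most often miss.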

Be ready to switch gears quickly

With the day-to-day situation changing so rapidly, anything is possible. Even though some security tools now provide less value than others, they shouldn’t be ignored, because the way that people work will likely change again going forward. Infrastructure that was properly sized before may need tweaks or outright replacement under new workflows. One frequent discussion that falls in this category is whether to use split-tunnel or full-tunnel VPN.

In addition to changes in your own world, malicious actors are not taking any time off. They are coming up with new campaigns to take advantage of people’s anxieties. Identifying new phishing and malware campaigns, and acting quickly to quash them, is very important.

Take care of yourself

Security teams are under a lot of pressure right now, and it can seem like it is unrelenting. When you combine professional responsibilities with personal responsibilities, like trying to find care for children, checking on the health of vulnerable family members, or just finding stores that have items in stock, it’s easy to feel overwhelmed. Remember to take time for yourself, because you are no good to anyone when you are not healthy yourself. If you find yourself working at home full-time where you weren’t before, there are many guides on how to be productive while balancing your work and home life. Take breaks and rest.

There’s a lot for security teams to keep on top of right now, and it’s easy to feel lost. By taking these steps to maintain your bearings and paying attention to what matters, we will all get through this.

Nathan Hunstad

As director of security operations at Code42, Nathan leads the team responsible for security tooling, red team exercises and responding to security events. Nathan joined Code42 in 2016, bringing experience from both the private and public sector, and is a graduate of the Masters of Science in Security Technologies (MSST) program at the University of Minnesota.