4 Expert Tips for Incident Response in Remote Workplaces

Many aspects of the IT infrastructures that serve organizations today are nothing like they were two to three years ago. Hybrid and remote work models are now firmly in place at numerous companies, and they are unlikely to go away any time soon—a fact we’ve talked about numerous times. In a previous post on remote work environments, this blog discussed its implications for e-discovery professionals. Today we’ll be focusing on something that’s top of mind for IT and cybersecurity professionals—responding to cyber-incidents in remote environments.

In the current environment, end-user devices are just as likely if not more so to be operating off the main corporate network as on it. While this creates a lot of opportunities in terms of worker flexibility, it also introduces a host of cybersecurity risks. Most enterprise incident response (IR) plans were developed and put in place before the pandemic and shift in work models. They were designed for a world in which incident responders did their work on site. With more security practitioners working remotely, procedures, tools and techniques that worked well on premises no longer cut it. A new approach is needed.

Find out what cybersecurity experts think in the Exterro ebook, Incident Response for a Remote World.

Increased Risks of Remote Environments

The change to remote-first or fully remote work environments poses a number of challenges to cybersecurity. For instance, remote workers might be using their own personal devices and their own networks, which might be less secure than what their organizations require in terms of minimum protection. Also, many employees are no longer working behind the company firewall with fully updated, company-owned devices. IT teams lack direct control that was not an issue pre-pandemic, and may not be able to ensure devices are updated with the most recent security features or patches.

The attack surface has expanded significantly, making the job of incident responders even more difficult than it already was. Traditional network monitoring tools provide less utility in cases where most activity is now “off network” or does not occur on trusted internal/corporate networks. But IT professionals are not entirely without means to respond to cybersecurity incidents. Here are five tips they can use to help secure their organizations against cybersecurity threats.

Make sure devices are managed before granting access to data.

“Management will allow logging and monitoring of EDR [endpoint detection and response], authentication and data access at the endpoint, cloud services and the enterprise,” says Arthur Treichel,

CISO at Maryland State Board of Elections. The security operations center should be capable of ingesting and correlating data to alert the team quickly of any potentially malicious activity.

Deploy tools and services that provide effective incident response in a remote environment.

Technology solutions are available that allow security teams to respond to incidents without the need for direct network connectivity. They do this by placing agents on client devices. When an incident occurs, the security team can connect with a particular device over the Internet to remediate the incident remotely. If a device is connected to the Internet, the security team can perform incident response on the device using incident response tools. This is a key capability because in many cases users might not have their VPNs turned on while they are working from home, or they might be working offsite.

These types of tools collect data from off-network remote devices, eliminating the need to ship the devices to the security team for analysis and fixes. The collected data is securely transmitted to validated servers, and security analysts can investigate incidents such as ransomware attacks, data breaches, or other threats by scanning for indicators of compromise (IOCs). They can detect and analyze suspicious activity, traffic, applications, and processes.

Beef up endpoint monitoring and control.

“Without the ability to rely on traditional on-premises network security controls, incident response teams need more visibility into and control over end-user endpoints that are not always connected to the trusted corporate network,” says Bradley Schaufenbuel, vice president and CISO, Paychex. “Cloud-based endpoint detection and response software and user behavioral analytics agents are critical tools for incident response teams with largely remote workforces.”

Whenever possible, automate incident detection, response, and mitigation.

“The escalating threat landscape is driving higher incident volumes,” Schaufenbuel says “Because incident response teams are not growing as fast as incident volumes, incident response teams must automate responses. Investments in security orchestration and automated response technology are becoming more important than ever.” In many cases companies are asking for that capability, Exterro Forensic Software Evangelist Justin Tolman says, “because a greater need for automation is kind of the consequence of the [skills] shortage.”

Learn more, including six more tips from experts, about how to prepare for Incident Response for a Remote World in the Exterro ebook.