Outsourcing Production Risks Productivity

Today’s modern workforce relies on a whole host of different "as a service” approaches. Remote working is certainly here to stay and cloud-based management of roaming devices, which makes it easier to apply policies and updates, has become increasingly common.  Any remote device just needs an internet connection because the cloud is always on. 

With all of the talk about AI and its rapidly increasing versatility, if you work in cyber security, you would be forgiven for thinking AI-based solutions are coming for our jobs.  We’re not there yet though, and some of it is hardly new.

In isolated forms, “automated response” has been with us for many years.  Anti-virus products have implemented automatic quarantine and deletion of files for years when malicious content was detected – effectively stopping the execution of a chain of attack in an isolated fashion.  

Anti-virus updates are no longer only applied when a client is connected to the corporate network’s internal update services. Today updates can be pushed out quickly and automatically from a central cloud service, reducing exposure time to potential threats.

The Security Benefit Of Automatic, Fast Updates Is Clear. 

However, there can be a less obvious downside, in terms of productivity risks. Although productivity benefits often drive businesses to adopt a more agile, cloud centric model, once a business has adopted a dynamic cloud service they are at the mercy of these platforms. While global outages or incidents in large cloud platforms do not happen often, when they do the ripples can be felt everywhere.  Just a single global provider’s mistake can create huge disruption to a global workforce. 

With legacy on-premises environments, updates were often tested thoroughly before being rolled out, now updates are commonly rolled out with little or no testing. When this goes wrong, it can be hugely disruptive.

An example of this was MO497128 – “ASRMAGEDDON” last year. Microsoft provides an advanced and robust mechanism for the remote deployment of core services such as application hardening, operating system updates and anti-virus solutions with technologies such as Intune and Windows Defender. In enterprise subscriptions, companies can take this a step further than historic anti-virus via tooling such as the Attack Surface Reduction (ASR) rules. These rules provide a baseline of controls for hardening frequently attached applications, for example, Microsoft Office applications and integrated macro code execution options.

In January, an update to the Windows Defender ASR rule set created havoc for sysadmins around the world. It pushed out new rules that marked shortcut files and links as dangerous and then deleted these shortcuts, making common program links for Outlook and Word vanish from the start menu. Even though just the links and shortcuts to the programs were deleted, access to them was removed from core locations of Windows. 

Users were understandably alarmed as they got warnings about activity being blocked and then had access to programs removed as icons disappeared. Many internal IT teams must have been stretched considerably.

Most end users don’t need or want to know about the inner workings of systems. Computers are there to help them to do their jobs and when this fails, the individual cannot work until the IT department provides a solution.  Scale this up to 100s or 1000s of users, that is a significant hit to productivity.

Almost certainly mission critical projects would have been disrupted as user groups struggled to gain access to the tools they need. Many hours will also have been burned in IT departments to keep people working and handle the influx of support tickets.  The distraction created by the shower of false positives in alerting systems may have even created opportunities for a genuine attacker's activity to go unnoticed, or at least receive less scrutiny because of the chaos.

Many IT heads will have lost time trying to explain what had happened to people that needed to work. There was no server they could reboot, nor rollback. This problem was pushed onto them, and there was little they could do about it. The only consolation was that the Microsoft updates on Friday 13th January 2023 created a global problem, so the business, customers, and partners they work with may also have been affected.

There was a workaround - to set the relevant rule into audit mode rather than blocking mode, reducing the coverage of the ASR protection. The overall security posture of endpoints had to be reduced to prevent operational disruption because of the error. Whilst the workaround prevented the deletion of shortcuts, it introduced additional security risk that should ordinarily have been carefully considered – but probably didn’t receive much of a review.

An IT department often needs to find a quick solution when a large number of users are impacted by an operational emergency. If decisions expose the company to another threat, leading to data loss and risks that owners are not aware of, the ramifications could be significant. The impact on productivity must always be weighed against the reduction in defences.

Productivity vs Security?

When people “can’t work”, the theoretical risk of attack is hard to weigh against the immediate reality of users who cannot perform their functions. When risk decisions are made rapidly and under pressure to get people working, there may be no documented ‘back to normal’ plan. In addition, there may be no clear route back from ‘turning off the security control’ that doesn’t risk more disruption that the business.

As a result of the Windows Defender ASR update error, it’s likely there will be more reluctance for this control to be deployed – even though it is highly beneficial to implement these rules. Businesses may choose to audit behaviour rather than block behaviour because they are worried about it happening again. We may also see businesses who placed ASR rules into ‘audit’ mode forget or be reluctant to turn them back into ‘block’ mode.

As we continue to build enterprises on cloud platforms, and the power of AI and automated response grows, the goal is to increase productivity through more freedom for the workforce. We’re also likely to see more disruptive incidents like ASRMAGEDDON happening, and will need to get used to weighing up the “productivity vs. security” calculation – at least for a short term fix.

When an issue occurs at the provider level, it can have widespread impact. We are consuming a service and these platforms have become so embedded into our environments that we forget that there are parts we do not control. Mistakes can and will happen and businesses need to consider the overhead when they do, along with the complex human decisions that may be required in a hurry, and the loss of productivity while trying to get back to operation as normal.

Importantly, when short-term decisions to relax controls are taken in an emergency, there has to be a well-documented pathway to reimplement controls once the emergency is over.

Matt Lorentzen is Principal Consultant at Cyberis

You Might Also Read: 

Static Application Security Testing: Trends & Predictions For 2024:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« The US Makes Robocalls Illegal
Facebook Changed the World »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

SQA Service

SQA Service

SQA Service provide independent software and process Quality Assurance services.

LexisNexis Risk Solutions

LexisNexis Risk Solutions

LexisNexis Risk Solutions provides technology solutions for Anti-Money Laundering, Fraud Mitigation, Anti-Bribery and Corruption, Identity Management, Tracing and Investigation.

GreatHorn

GreatHorn

GreatHorn offers the only cloud-native security platform that stops targeted social engineering and phishing attacks on communication tools like O365, G Suite, and Slack.

CyberProof

CyberProof

CyberProof aims to give clarity and confidence to businesses worldwide using a new risk-based approach to cyber security services.

Stage2Data

Stage2Data

Stage2Data is one of Canada’s most trusted cloud solution providers offering hosted Backup and Disaster Recovery Services.

Red Snapper Recruitment

Red Snapper Recruitment

Red Snapper Recruitment is a market leading staffing services provider to the law enforcement, cyber security, offender supervision and regulatory services markets.

Strike Graph

Strike Graph

The Strike Graph GRC platform enables Security Audits & Certifications.

IT Band Systems

IT Band Systems

IT Band Systems is an international provider of IT products and services including web server monitoring and web security consulting.

CoursesOnline

CoursesOnline

CoursesOnline.co.uk is a database listing IT security courses from providers across the UK.

SpecTrust

SpecTrust

SpecTrust provides an all-in-one defense solution for identity abuse & fraud, enabling your company's talent to stay focused on the core business.

BlockAPT

BlockAPT

BlockAPT, empowering you with an advanced, intelligent cyber defence platform. We protect our customers digital assets by unifying operational technologies against advanced persistent threats.

CliftonLarsonAllen (CLA)

CliftonLarsonAllen (CLA)

CLA exists to create opportunities for our clients through industry-focused advisory, outsourcing, audit, tax, and consulting services.

inWebo

inWebo

inWebo is the specialist in multi-factor strong authentication (MFA). We guarantee the security of data and identities in a digital world with increasingly important economic and political stakes.

Allstate Identity Protection

Allstate Identity Protection

Allstate make it easy to provide complete identity protection, so everyone can live more confidently online.

Dotsquares

Dotsquares

Dotsquares leverage the latest web and mobile technologies to build, grow and support your business.

Netia

Netia

Netia is a Polish telecommunications company providing a range of business services including network solutions, communications, data centre and cloud, and cybersecurity.