Outsourcing Production Risks Productivity

Today’s workforce relies on a whole host of "as a service" approaches. Remote working is here to stay, and cloud-based management of roaming devices, which makes it easier to apply policies and updates, has become increasingly common. A remote device needs only an internet connection, because the cloud is always on.

With all of the talk about AI and its rapidly increasing versatility, if you work in cyber security you could be forgiven for thinking AI-based solutions are coming for our jobs. We’re not there yet, and some of what is marketed as new is hardly new.

In isolated forms, “automated response” has been with us for many years. Anti-virus products have automatically quarantined or deleted files when malicious content was detected for a long time, effectively stopping one link in a chain of attack without human intervention.

Anti-virus updates are no longer applied only when a client is connected to the corporate network’s internal update services. Today, updates can be pushed out quickly and automatically from a central cloud service, reducing the window of exposure to potential threats.

The Security Benefit Of Automatic, Fast Updates Is Clear. 

However, there is a less obvious downside in terms of productivity risk. Productivity benefits often drive businesses to adopt a more agile, cloud-centric model, but once a business depends on a dynamic cloud service it is at the mercy of that platform. Global outages or incidents at large cloud providers do not happen often, but when they do the ripples are felt everywhere. A single provider’s mistake can cause huge disruption to a global workforce.

In legacy on-premises environments, updates were usually tested thoroughly before being rolled out; today they are commonly rolled out with little or no local testing. When this goes wrong, it can be hugely disruptive.

An example of this was MO497128, dubbed “ASRMAGEDDON”, in January 2023. Microsoft provides an advanced and robust mechanism for the remote deployment of core services such as application hardening, operating system updates and anti-virus, through technologies such as Intune and Windows Defender. In enterprise subscriptions, companies can go a step beyond historic anti-virus with tooling such as Attack Surface Reduction (ASR) rules. These rules provide a baseline of controls for hardening frequently attacked applications, for example Microsoft Office and its integrated macro execution.

On 13th January 2023, an update to the Windows Defender ASR rule set created havoc for sysadmins around the world. It caused the rules to mark Windows shortcut (.lnk) files as dangerous and then delete them, making common program links for Outlook and Word vanish from the Start menu. Only the shortcuts were deleted and the programs themselves remained installed, but users lost their usual way of launching them from the core locations of Windows.

Users were understandably alarmed: they received warnings about activity being blocked and then watched program icons disappear. Many internal IT teams will have been stretched considerably.

Most end users don’t need or want to know about the inner workings of systems. Computers are there to help them do their jobs, and when this fails the individual cannot work until the IT department provides a solution. Scale this up to hundreds or thousands of users and it is a significant hit to productivity.

Mission-critical projects were almost certainly disrupted as user groups struggled to regain access to the tools they needed, and many hours will have been burned in IT departments keeping people working and handling the influx of support tickets. The shower of false positives in alerting systems may even have created opportunities for a genuine attacker’s activity to go unnoticed, or at least to receive less scrutiny amid the chaos.

Many IT heads will have lost time explaining what had happened to people who needed to work. There was no server to reboot and no rollback. The problem was pushed onto them, and there was little they could do about it. The only consolation was that the Microsoft update of Friday 13th January 2023 was a global problem, so the businesses, customers and partners they work with were probably affected too.

There was a workaround: set the relevant rule to audit mode rather than block mode, which reduces the coverage of the ASR protection. In audit mode the rule still records what it would have blocked (Defender logs an audit event rather than a block event), so visibility is kept but enforcement is lost. The overall security posture of endpoints had to be lowered to stop the operational disruption caused by the error. Whilst the workaround prevented the deletion of shortcuts, it introduced additional risk that would ordinarily be carefully considered, but probably received little review.

An IT department often needs a quick solution when a large number of users are hit by an operational emergency. If that decision exposes the company to another threat, leading to data loss and risks that the business owners are not aware of, the ramifications can be significant. The impact on productivity must always be weighed against the reduction in defences.
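The workaround described above, and the documented route back that the article argues for, can be scripted so that relaxing a rule and restoring it are a matched pair rather than two separate emergencies. The PowerShell below is an added example written for this piece; it is not code from the article or from Microsoft. It uses only the built-in Defender cmdlets (Get-MpPreference, Add-MpPreference). The rule GUID is my identification of the rule behind MO497128 (Microsoft’s “Block Win32 API calls from Office macros” rule), not something the article states, so verify it against the advisory before use. The snapshot path and function names are my own choices.

```powershell
# Added example, not from the original article or from Microsoft.
# Records the current ASR rule state, drops ONE rule to AuditMode as an
# emergency workaround, and provides the documented path back to Block.
# Assumptions: run elevated on a device where Defender is the AV engine.
# On Intune/GPO-managed devices the management policy wins and will
# re-apply its own settings, so the same change must be made there too.

# Microsoft's GUID for "Block Win32 API calls from Office macros".
# My identification of the MO497128 rule - verify against the advisory.
$RuleId   = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$Snapshot = Join-Path $env:ProgramData 'asr-snapshot.json'   # assumed path

# Numeric actions reported by Get-MpPreference and the names Add-MpPreference accepts.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns a hashtable of RuleId -> action code (0 Disabled, 1 Block, 2 Audit, 6 Warn).
    $pref  = Get-MpPreference
    $state = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        $state[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    return $state
}

function Save-AsrSnapshot {
    # The 'before' picture: this file IS the documented return path.
    Get-AsrRuleState | ConvertTo-Json | Set-Content -Path $Snapshot -Encoding UTF8
    Write-Host "ASR state saved to $Snapshot"
}

function Set-AsrRuleAudit {
    param([Parameter(Mandatory)][string]$Id)
    Save-AsrSnapshot
    # Add-MpPreference updates the action of a rule that is already configured.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host "Rule $Id set to AuditMode (logged, not enforced)"
}

function Restore-AsrSnapshot {
    # Put every rule back exactly as it was when the snapshot was taken.
    $saved = Get-Content -Path $Snapshot -Raw | ConvertFrom-Json
    foreach ($prop in $saved.PSObject.Properties) {
        $name = $ActionName[[int]$prop.Value]
        Add-MpPreference -AttackSurfaceReductionRules_Ids $prop.Name `
                         -AttackSurfaceReductionRules_Actions $name
        Write-Host "Rule $($prop.Name) restored to $name"
    }
}

function Test-AsrRuleAction {
    # Verification step: returns $true if the rule currently has the expected action.
    param([Parameter(Mandatory)][string]$Id, [Parameter(Mandatory)][int]$Expected)
    $state = Get-AsrRuleState
    return ($state.ContainsKey($Id.ToUpper()) -and $state[$Id.ToUpper()] -eq $Expected)
}

# Emergency (day of the incident):
#   Set-AsrRuleAudit -Id $RuleId
#   Test-AsrRuleAction -Id $RuleId -Expected 2
# Back to normal (once the fix has shipped):
#   Restore-AsrSnapshot
#   Test-AsrRuleAction -Id $RuleId -Expected 1
```

The point of Save-AsrSnapshot is that the restoration step is written down before the relaxation happens, not reconstructed from memory weeks later. Test-AsrRuleAction gives a check that can be run from a fleet management tool after the rollback, so that devices still sitting in audit mode show up rather than quietly staying there.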

Productivity vs Security?

When people “can’t work”, the theoretical risk of attack is hard to weigh against the immediate reality of users who cannot perform their functions. When risk decisions are made rapidly and under pressure to get people working, there may be no documented ‘back to normal’ plan. In addition, there may be no clear route back from ‘turning off the security control’ that doesn’t risk more disruption to the business.

As a result of the Windows Defender ASR update error, it is likely there will be more reluctance to deploy this control, even though these rules are highly beneficial. Businesses may choose to audit behaviour rather than block it because they are worried about a repeat. We may also see businesses that put ASR rules into ‘audit’ mode forget, or be reluctant, to turn them back to ‘block’ mode.

As we continue to build enterprises on cloud platforms, and the power of AI and automated response grows, the goal is to increase productivity through more freedom for the workforce. We are also likely to see more disruptive incidents like ASRMAGEDDON, and will need to get used to weighing up the “productivity vs. security” calculation, at least for short-term fixes.

When an issue occurs at the provider level, it can have widespread impact. We are consuming a service, and these platforms have become so embedded in our environments that we forget there are parts we do not control. Mistakes can and will happen, and businesses need to consider the overhead when they do, along with the complex human decisions that may be required in a hurry and the loss of productivity while getting back to normal operation.

Importantly, when short-term decisions to relax controls are taken in an emergency, there has to be a well-documented pathway to reimplement controls once the emergency is over.

Matt Lorentzen is Principal Consultant at Cyberis
