Outsourcing Production Risks Productivity

Uploaded on 2024-02-13 in TECHNOLOGY--Resilience, FREE TO VIEW

Today’s modern workforce relies on a whole host of different "as a service” approaches. Remote working is certainly here to stay and cloud-based management of roaming devices, which makes it easier to apply policies and updates, has become increasingly common.  Any remote device just needs an internet connection because the cloud is always on. 

With all of the talk about AI and its rapidly increasing versatility, if you work in cyber security, you would be forgiven for thinking AI-based solutions are coming for our jobs.  We’re not there yet though, and some of it is hardly new.

In isolated forms, “automated response” has been with us for many years.  Anti-virus products have implemented automatic quarantine and deletion of files for years when malicious content was detected – effectively stopping the execution of a chain of attack in an isolated fashion.  

Anti-virus updates are no longer only applied when a client is connected to the corporate network’s internal update services. Today updates can be pushed out quickly and automatically from a central cloud service, reducing exposure time to potential threats.

The Security Benefit Of Automatic, Fast Updates Is Clear. 

However, there can be a less obvious downside, in terms of productivity risks. Although productivity benefits often drive businesses to adopt a more agile, cloud centric model, once a business has adopted a dynamic cloud service they are at the mercy of these platforms. While global outages or incidents in large cloud platforms do not happen often, when they do the ripples can be felt everywhere.  Just a single global provider’s mistake can create huge disruption to a global workforce. 

With legacy on-premises environments, updates were often tested thoroughly before being rolled out, now updates are commonly rolled out with little or no testing. When this goes wrong, it can be hugely disruptive.

An example of this was MO497128 – “ASRMAGEDDON” last year. Microsoft provides an advanced and robust mechanism for the remote deployment of core services such as application hardening, operating system updates and anti-virus solutions with technologies such as Intune and Windows Defender. In enterprise subscriptions, companies can take this a step further than historic anti-virus via tooling such as the Attack Surface Reduction (ASR) rules. These rules provide a baseline of controls for hardening frequently attached applications, for example, Microsoft Office applications and integrated macro code execution options.

In January, an update to the Windows Defender ASR rule set created havoc for sysadmins around the world. It pushed out new rules that marked shortcut files and links as dangerous and then deleted these shortcuts, making common program links for Outlook and Word vanish from the start menu. Even though just the links and shortcuts to the programs were deleted, access to them was removed from core locations of Windows. 

Users were understandably alarmed as they got warnings about activity being blocked and then had access to programs removed as icons disappeared. Many internal IT teams must have been stretched considerably.

Most end users don’t need or want to know about the inner workings of systems. Computers are there to help them to do their jobs and when this fails, the individual cannot work until the IT department provides a solution.  Scale this up to 100s or 1000s of users, that is a significant hit to productivity.

Almost certainly mission critical projects would have been disrupted as user groups struggled to gain access to the tools they need. Many hours will also have been burned in IT departments to keep people working and handle the influx of support tickets.  The distraction created by the shower of false positives in alerting systems may have even created opportunities for a genuine attacker's activity to go unnoticed, or at least receive less scrutiny because of the chaos.

Many IT heads will have lost time trying to explain what had happened to people that needed to work. There was no server they could reboot, nor rollback. This problem was pushed onto them, and there was little they could do about it. The only consolation was that the Microsoft updates on Friday 13th January 2023 created a global problem, so the business, customers, and partners they work with may also have been affected.

There was a workaround - to set the relevant rule into audit mode rather than blocking mode, reducing the coverage of the ASR protection. The overall security posture of endpoints had to be reduced to prevent operational disruption because of the error. Whilst the workaround prevented the deletion of shortcuts, it introduced additional security risk that should ordinarily have been carefully considered – but probably didn’t receive much of a review.

An IT department often needs to find a quick solution when a large number of users are impacted by an operational emergency. If decisions expose the company to another threat, leading to data loss and risks that owners are not aware of, the ramifications could be significant. The impact on productivity must always be weighed against the reduction in defences.

Productivity vs Security?

When people “can’t work”, the theoretical risk of attack is hard to weigh against the immediate reality of users who cannot perform their functions. When risk decisions are made rapidly and under pressure to get people working, there may be no documented ‘back to normal’ plan. In addition, there may be no clear route back from ‘turning off the security control’ that doesn’t risk more disruption that the business.

As a result of the Windows Defender ASR update error, it’s likely there will be more reluctance for this control to be deployed – even though it is highly beneficial to implement these rules. Businesses may choose to audit behaviour rather than block behaviour because they are worried about it happening again. We may also see businesses who placed ASR rules into ‘audit’ mode forget or be reluctant to turn them back into ‘block’ mode.

As we continue to build enterprises on cloud platforms, and the power of AI and automated response grows, the goal is to increase productivity through more freedom for the workforce. We’re also likely to see more disruptive incidents like ASRMAGEDDON happening, and will need to get used to weighing up the “productivity vs. security” calculation – at least for a short term fix.

When an issue occurs at the provider level, it can have widespread impact. We are consuming a service and these platforms have become so embedded into our environments that we forget that there are parts we do not control. Mistakes can and will happen and businesses need to consider the overhead when they do, along with the complex human decisions that may be required in a hurry, and the loss of productivity while trying to get back to operation as normal.

Importantly, when short-term decisions to relax controls are taken in an emergency, there has to be a well-documented pathway to reimplement controls once the emergency is over.

Matt Lorentzen is Principal Consultant at Cyberis

You Might Also Read: 

Static Application Security Testing: Trends & Predictions For 2024:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« The US Makes Robocalls Illegal
Facebook Changed the World »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

eSentire

eSentire

eSentire is the authority in Managed Detection and Response Services, protecting the critical data and applications of organizations from known and unknown cyber threats.

Cloudbric

Cloudbric

Cloudbric is a cloud-based web security service, offering award-winning WAF, DDoS protection, and SSL, all in a full-service package.

Alan Turing Institute

Alan Turing Institute

Alan Turing Institute is the UK national institute for data science. A major focus is Big Data analysis with applications including cyber security.

CUIng.org

CUIng.org

The CUIng initiative was launched to tackle the problem of criminal exploitation of information hiding techniques.

TEISS

TEISS

Teiss.co.uk is a website dedicated to providing information about cyber security. TEISS also provide a series of conferences and events focused on cyber security.

NAVEX Global

NAVEX Global

NAVEX Global’s compliance management system consolidates your entire GRC program onto a scalable cloud-based platform.

Arctic Wolf Networks

Arctic Wolf Networks

Arctic Wolf Networks delivers the industry-leading security operations center (SOC)-as-a-service that redefines the economics of cybersecurity.

Cysiv

Cysiv

Cysiv SOC-as-a-Service combines all the elements of an advanced, proactive, threat hunting SOC, with a managed security stack for hybrid cloud, network, and endpoint security.

SOC Experts

SOC Experts

SOC Experts is a pioneer (we started SOC training well before people realized how big the domain was going to be) and the only institution to provide end-to-end training on Security Operations Centers

Adarma Security

Adarma Security

Adarma are specialists in threat management including SOC design, build & operation.

Aware

Aware

Aware is the only comprehensive AI solution for governance, risk, compliance and insights for leading collaboration platforms.

ASPIA InfoTech

ASPIA InfoTech

ASPIA Infotech is a leading Information and cybersecurity organization focused on innovative approaches to avert targeted attacks.

Sentryc

Sentryc

Sentryc provides automated monitoring of brands on online marketplaces and social media making online brand protection processes faster, more clearly structured and more efficient.

ThreatCaptain

ThreatCaptain

ThreatCaptain is a Cybersecurity Leadership Development Company driven to enhance and illuminate cybersecurity risk through strategic alignment and informed business decision-making.

Robust Intelligence

Robust Intelligence

Robust Intelligence enables enterprises to secure their AI transformation with an automated solution to protect against security and safety threats.

Standard Notes

Standard Notes

Standard Notes is a secure digital notes app that protects your notes and files with audited, industry-leading end-to-end encryption.