Outsourcing Production Risks Productivity
Today’s modern workforce relies on a whole host of different "as a service” approaches. Remote working is certainly here to stay and cloud-based management of roaming devices, which makes it easier to apply policies and updates, has become increasingly common. Any remote device just needs an internet connection because the cloud is always on.
With all of the talk about AI and its rapidly increasing versatility, if you work in cyber security, you would be forgiven for thinking AI-based solutions are coming for our jobs. We’re not there yet though, and some of it is hardly new.
In isolated forms, “automated response” has been with us for many years. Anti-virus products have implemented automatic quarantine and deletion of files for years when malicious content was detected – effectively stopping the execution of a chain of attack in an isolated fashion.
Anti-virus updates are no longer only applied when a client is connected to the corporate network’s internal update services. Today updates can be pushed out quickly and automatically from a central cloud service, reducing exposure time to potential threats.
The Security Benefit Of Automatic, Fast Updates Is Clear.
However, there can be a less obvious downside, in terms of productivity risks. Although productivity benefits often drive businesses to adopt a more agile, cloud centric model, once a business has adopted a dynamic cloud service they are at the mercy of these platforms. While global outages or incidents in large cloud platforms do not happen often, when they do the ripples can be felt everywhere. Just a single global provider’s mistake can create huge disruption to a global workforce.
With legacy on-premises environments, updates were often tested thoroughly before being rolled out, now updates are commonly rolled out with little or no testing. When this goes wrong, it can be hugely disruptive.
An example of this was MO497128 – “ASRMAGEDDON” last year. Microsoft provides an advanced and robust mechanism for the remote deployment of core services such as application hardening, operating system updates and anti-virus solutions with technologies such as Intune and Windows Defender. In enterprise subscriptions, companies can take this a step further than historic anti-virus via tooling such as the Attack Surface Reduction (ASR) rules. These rules provide a baseline of controls for hardening frequently attached applications, for example, Microsoft Office applications and integrated macro code execution options.
In January, an update to the Windows Defender ASR rule set created havoc for sysadmins around the world. It pushed out new rules that marked shortcut files and links as dangerous and then deleted these shortcuts, making common program links for Outlook and Word vanish from the start menu. Even though just the links and shortcuts to the programs were deleted, access to them was removed from core locations of Windows.
Users were understandably alarmed as they got warnings about activity being blocked and then had access to programs removed as icons disappeared. Many internal IT teams must have been stretched considerably.
Most end users don’t need or want to know about the inner workings of systems. Computers are there to help them to do their jobs and when this fails, the individual cannot work until the IT department provides a solution. Scale this up to 100s or 1000s of users, that is a significant hit to productivity.
Almost certainly mission critical projects would have been disrupted as user groups struggled to gain access to the tools they need. Many hours will also have been burned in IT departments to keep people working and handle the influx of support tickets. The distraction created by the shower of false positives in alerting systems may have even created opportunities for a genuine attacker's activity to go unnoticed, or at least receive less scrutiny because of the chaos.
Many IT heads will have lost time trying to explain what had happened to people that needed to work. There was no server they could reboot, nor rollback. This problem was pushed onto them, and there was little they could do about it. The only consolation was that the Microsoft updates on Friday 13th January 2023 created a global problem, so the business, customers, and partners they work with may also have been affected.
There was a workaround - to set the relevant rule into audit mode rather than blocking mode, reducing the coverage of the ASR protection. The overall security posture of endpoints had to be reduced to prevent operational disruption because of the error. Whilst the workaround prevented the deletion of shortcuts, it introduced additional security risk that should ordinarily have been carefully considered – but probably didn’t receive much of a review.
An IT department often needs to find a quick solution when a large number of users are impacted by an operational emergency. If decisions expose the company to another threat, leading to data loss and risks that owners are not aware of, the ramifications could be significant. The impact on productivity must always be weighed against the reduction in defences.
Productivity vs Security?
When people “can’t work”, the theoretical risk of attack is hard to weigh against the immediate reality of users who cannot perform their functions. When risk decisions are made rapidly and under pressure to get people working, there may be no documented ‘back to normal’ plan. In addition, there may be no clear route back from ‘turning off the security control’ that doesn’t risk more disruption that the business.
As a result of the Windows Defender ASR update error, it’s likely there will be more reluctance for this control to be deployed – even though it is highly beneficial to implement these rules. Businesses may choose to audit behaviour rather than block behaviour because they are worried about it happening again. We may also see businesses who placed ASR rules into ‘audit’ mode forget or be reluctant to turn them back into ‘block’ mode.
As we continue to build enterprises on cloud platforms, and the power of AI and automated response grows, the goal is to increase productivity through more freedom for the workforce. We’re also likely to see more disruptive incidents like ASRMAGEDDON happening, and will need to get used to weighing up the “productivity vs. security” calculation – at least for a short term fix.
When an issue occurs at the provider level, it can have widespread impact. We are consuming a service and these platforms have become so embedded into our environments that we forget that there are parts we do not control. Mistakes can and will happen and businesses need to consider the overhead when they do, along with the complex human decisions that may be required in a hurry, and the loss of productivity while trying to get back to operation as normal.
Importantly, when short-term decisions to relax controls are taken in an emergency, there has to be a well-documented pathway to reimplement controls once the emergency is over.
Matt Lorentzen is Principal Consultant at Cyberis
You Might Also Read:
Static Application Security Testing: Trends & Predictions For 2024:
___________________________________________________________________________________________
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible