Welcome to this blog series, which highlights the top security challenges organizations face and discusses how to overcome them. Each of the five articles in the series targets a specific challenge and offers guidance on finding the method(s) that work for you and meet your organization’s unique needs.
Given that organizations differ in needs, requirements, budgets and regions, treat the guidance here less as a prescription (you must do this) and more as a list of the options available, with their respective strengths and weaknesses, so that organizations and the administrative teams supporting them can develop the security strategy that works best for them while still addressing the threats, attacks and concerns of the modern threat landscape that most affect their business operations, processes, users and, of course, data.
In the previous blog, we discussed the challenges presented by unanticipated business risks related to cybersecurity threats, such as hacking groups, high-profile targets and insider threats. In this fourth entry, we turn our attention to preparing for and addressing cybersecurity threats that stem from outside the organization, such as:
- Targeted attacks from nation-states
- User-introduced risk from using personal devices
- Non-sanctioned software and service use at work
- Undiscovered threats within the infrastructure
Let’s get right down to it, shall we?
Nation-state attacks
Government surveillance of citizens. Oppressive control. “Big Brother.” Depending on where in the world you call home, any one of these phrases could describe a nation-state or state-sponsored threat. This is not to imply that all surveillance, particularly that which serves to keep watch over public areas like highways, shopping malls and transit stops, is an abuse of power. It is merely to acknowledge that not all governments are built on the same principles, and that extends to how they view their people.
Because differing agendas lead to different outcomes when viewed through the lens of protecting a country’s sovereignty, the tactics employed in the physical world naturally extend to the digital domain: espionage, sabotage and even full-scale conflict are carried out over the cyber landscape (more on this later).
Who is at risk from nation-state attacks?
Simply stated: any person can be the target of a nation-state-backed attack. Given their vast resources, including access to communications infrastructure, equipment and highly skilled threat actors, nation-states also pose a significant threat to organizations, regardless of whether those organizations have ties to a government or are private entities simply carrying out their business.
What is their aim?
These attacks arrive through a variety of vectors, but they ultimately center on a few main goals:
- Disrupt or sabotage operations/infrastructure
- Disseminate misinformation or modify information
- Obtain critical information, such as confidential and sensitive data
- Prevent “whistleblowers” from speaking out against them
What are the common targets for nation-state attacks?
While any person or organization can fall into the crosshairs of a nation-state or state-sponsored attack, the motivation typically aligns with the country’s agenda. The following are among the most common targets:
- Any person deemed a national threat, such as dissidents, journalists and groups that actively speak out against the country or bring to light unfair practices
- Critical infrastructures, like utility companies, financial institutions, communications and healthcare organizations
- Military targets, including weapons systems, informational databases and intelligence, such as plans, movements and locations
- Political campaigns, vote tampering or election interference and public- and private-facing government websites
How can enterprises best protect themselves and their users from nation-state attacks?
It is important not to underestimate nation-state attacks. First, like most cyber threats, they exploit whatever risk exists in the target environment, and once an attack vector is found, the attack can lead to a data breach in a relatively short amount of time. Unlike attacks of opportunity, however, nation-state attacks are often very well funded and well prepared, with access to powerful tooling for sophisticated operations. Furthermore, while motivation is a central theme, a clear, immediate objective is not required: nation-states have historically conducted campaigns with great patience, taking time to gather reconnaissance and only then planning their attacks accordingly, even if completing them takes years.
Bearing that in mind, IT and Security teams should be aware that there is no silver bullet or one-size-fits-all solution that mitigates every threat, let alone a carefully planned one.
In fact, the best move is to minimize the risk of falling victim in the first place: institute a strong, layered defense strategy that fortifies your security posture and that of the devices connecting to and accessing organizational resources. For example:
- Perform a risk assessment as a crucial first step to understand nation-state threats, the types of attacks carried out and which of your resources are at risk
- Deploy and enforce secure configurations on devices through mobile device management (MDM) to mitigate device misconfiguration of company- and personally-owned devices
- Implement a patch management plan that ensures that devices are up-to-date with patches to OSs and apps
- Integrate a cloud-based identity provider (IdP) with your management and security solutions to secure access workflows while extending permissions and protections across your infrastructure
- Require MFA and context-aware conditional access for all devices, local and remote, delivering scalable, secure access over any network with Zero Trust Network Access (ZTNA)
- Monitor endpoint compliance and stream logging data to your preferred SIEM solution to provide insight into device health in real-time
- Deploy in-network and on-device endpoint protection for your entire fleet, aligning with security frameworks to prevent malware and minimize risk
- Hunt and remediate unknown threats through advanced behavioral analytics to identify suspicious behaviors and detect malicious threats before they lead to a data breach
- Vet partners to ensure your supply chain is taking appropriate actions to mitigate risk being introduced into your organization through a third-party compromise, ensuring that endpoints are protected at each step of the pipeline
- Pass on knowledge of cyber threats through regular end-user security awareness training sessions, expanding user knowledge to identify and stop social engineering threats
Bring Your Own Device (BYOD)
BYOD programs have existed for quite some time now. In fact, the introduction of the iPhone in 2007 is truly what kickstarted the explosive growth of the modern smartphone, leading to its widespread adoption by users for both personal and business usage.
As usage spiked, more and more users adopted mobile devices for their flexibility, ease of use and efficient performance compared to larger, more cumbersome laptops, which were heavier and needed more frequent charging to last through a few hours of steady use. Add the age-old problem of supporting multiple operating systems across multiple device types, and IT and Security teams’ workload certainly grew as they tried to keep devices and the company network secure.
The solution to the challenges of supporting mobile devices while maintaining your security posture? Mobile Device Management (MDM).
MDM, coupled with support from Apple through its security frameworks, accelerated the management of mobile devices and then kicked it into lightspeed with a framework designed to support security and user privacy from the ground up. Solutions like Jamf Pro fully support the groundwork established by Apple and extend it further, with support for all ownership models and same-day support for new releases, providing a solid foundation for IT to manage all macOS, iOS/iPadOS and tvOS devices that access enterprise networks safely and securely.
By extending management and security workflows to all devices, regardless of whether they are personally- or company-owned, organizations simultaneously limit risk introduced from devices that are:
- Misconfigured or not configured at all
- Missing the latest security updates
- Lacking necessary apps and updates
- Not recoverable, or whose data cannot be wiped, if lost or stolen
- Non-compliant by utilizing unsanctioned apps/services (Shadow IT)
- Processing and storing data in unsecured volumes
- Communicating over untrusted networks without encryption
- Leaving data unencrypted due to not using passcodes
- Not monitored nor reporting back crucial device health data in real-time
- Unmanageable by IT/Security, leaving them unable to effectively mitigate incidents
The list above is far from exhaustive when it comes to securing devices at work. That said, some of the ways organizations can use MDM to ensure a smooth transition to users’ personal devices, while keeping business resources secure, are as follows:
- User-initiated enrollment gives end users enterprise security for business resources in a separate, secure volume, leaving personal data and user privacy intact
- Lock down settings on devices, for example by installing configuration profiles that secure connectivity to wireless networks and business resources
- Ensure devices are kept up-to-date with system and security updates to patch vulnerabilities
- Deploy supported, pre-configured apps so data stays secure as users remain productive
- Enforce compliance with company and regulatory governance through policy-based management
- Implement managed Apple IDs for business use and a separate consumer Apple ID for personal use, including cloud-based backup of data and settings
- Enable features and functions for enhanced security, like requiring passcodes and volume encryption
- Leverage the Self Service catalog of pre-approved business apps to empower users while deploying required services, like ZTNA for secure remote access to business resources
- Integrate MDM and Endpoint Security solutions to monitor device health in real-time and allow for automated remediation workflows
- Actively prevent threats, both on-device and in-network, ensuring devices are protected at all times
Shadow IT
In the previous section, we talked about BYOD challenges. And while BYOD sometimes gets lumped in with Shadow IT, the truth is that, when done properly, sanctioned BYOD programs are one mitigation for the Shadow IT threat. That said, Shadow IT is more than using unsupported devices for work. Under that umbrella also fall unsanctioned apps and services that IT and Security teams have not vetted but that are used to access, process, store or transmit company data.
While not inherently malicious, Shadow IT took shape when end users, often frustrated by the inaccessibility or poor usability of official, company-authorized apps and services, turned to better hardware and easier, more efficient software to stay productive in ways that add value to their work rather than subtract from it.
As with most things in the security space, a tool is just a tool; what makes it malicious or not is the intent of the user operating it. In cybersecurity, though, intent is not the only component of risk: whether the user knowingly or unknowingly introduced the risk matters as well.
Determining intent is beyond the scope of this blog. The aim here is to identify the risk factors posed by Shadow IT and, more importantly, how to mitigate them effectively to fortify your organization’s security posture against data breaches.
After all, that is the $3.08 to $5.02 million question, according to IBM’s 2022 Cost of a Data Breach report, which concluded that “adversaries took advantage of configuration errors and any vulnerabilities within apps, many of which were undetected due to employees using unsanctioned services.”
How can businesses protect what they’re not aware of?
By embracing Shadow IT, that’s how.
To clarify, this doesn’t mean allowing end users to use any and all hardware and software without oversight. Nor does it mean rolling back to the late 1990s and 2000s with an “iron-fisted” approach to managing IT. It simply means leveraging modern security tooling, practices and procedures that are more flexible while still protecting business resources from unauthorized access and data misuse.
How do you keep assets safeguarded from Shadow IT threats?
The first step is to understand the why behind users turning to Shadow IT: what resources are being used and why they present a better solution than what the organization provides. Armed with this information, the company can better understand which risk(s) Shadow IT introduces and finally arrive at the answer to the question initially asked: how best to keep assets safeguarded.
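As an added example of that first step, finding out which services are actually in use, here is a small discovery script written for this article (it is not Jamf code and not from the IBM report). It aggregates constructed web-proxy log lines against an assumed allowlist of sanctioned hosts and reports unsanctioned destinations ranked by how many distinct users reach them, which is the signal that a gap in sanctioned tooling exists. The log format, hostnames, usernames and byte counts are all made up for illustration.

```python
"""Shadow IT discovery from web-proxy logs.

Added example, not Jamf code. The log format, the sanctioned-host allowlist
and every log line below are constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed allowlist: hosts IT and Security have vetted for company data.
SANCTIONED = {
    "mail.example-corp.com",
    "files.example-corp.com",
    "vpn.example-corp.com",
}

# Constructed proxy log: "<ISO timestamp> <user> <destination host> <bytes sent>".
SAMPLE_LOG = """\
2024-01-15T09:01:12Z alice files.example-corp.com 48211
2024-01-15T09:04:40Z bob api.pastebin-like.example 120
2024-01-15T09:05:03Z alice sync.filedrop.example 9500000
2024-01-15T09:07:55Z carol mail.example-corp.com 2048
2024-01-15T09:11:20Z bob sync.filedrop.example 12000000
2024-01-15T09:15:02Z dave sync.filedrop.example 300000
2024-01-15T09:18:47Z carol chat.team-messenger.example 7300
this line is deliberately malformed and must be skipped
2024-01-15T09:22:10Z erin vpn.example-corp.com 512
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Yield (user, host, bytes_sent); silently skip lines that don't fit the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower(), int(m.group(4))


def unsanctioned_services(text, sanctioned=SANCTIONED):
    """Report hosts outside the allowlist with distinct-user and byte counts.

    Sorted by user count first: one person pasting to a random site is a
    conversation, three people syncing to the same unvetted file service is
    a sign the sanctioned file-sharing tool is not meeting a need.
    """
    users = defaultdict(set)
    volume = defaultdict(int)
    for user, host, nbytes in parse_log(text):
        if host in sanctioned:
            continue
        users[host].add(user)
        volume[host] += nbytes
    report = [{"host": h, "users": len(users[h]), "bytes": volume[h]} for h in users]
    report.sort(key=lambda r: (-r["users"], -r["bytes"]))
    return report


if __name__ == "__main__":
    for row in unsanctioned_services(SAMPLE_LOG):
        print(f"{row['host']:<32} users={row['users']} bytes={row['bytes']}")
```

On the sample data the file-sync service surfaces first with three users and over 21 MB sent, which is the conversation to have with those users before any blocking happens. On personally owned devices, inspect only traffic that goes to business resources or through the managed work channel; inventorying a user’s personal browsing defeats the privacy separation that makes BYOD acceptable in the first place.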
Ok, so now that I know what needs protecting and why, how do I actually go about doing it?
Part of the suggestion to embrace Shadow IT is understanding that merely telling end users they cannot use a particular device, app or service simply won’t do. When it comes to data security, don’t just take someone’s word for it: verify and enforce that protections are in place and actively mitigating threats.
This can be achieved by employing a multi-layered strategy to effectively keep resources protected while enabling the flexibility of choice that users may be asking for (or even need) to be their most productive.
- Implement employee choice or sanctioned BYOD programs that empower employees to work with the technologies that they feel most comfortable with while allowing devices to be properly configured by the company’s MDM solution for greater visibility and security.
- Align Shadow IT with organizational standards and protocols, such as deploying endpoint security technologies that integrate with management and identity to holistically protect devices, users and data.
- Evolve security protections. For example, adopting a Zero Trust Network Access (ZTNA) solution to secure business resources from unauthorized access and compromised devices by verifying user credentials and endpoint health status each time access requests are made and before they’re granted to minimize exposure and data leakage.
- Develop hardware/software requirements for accessing protected business resources, requiring devices to meet these standards, like encryption enabled for in-device storage and on networks.
- Streamline operations: prioritize IT assets that provide the greatest benefit for endpoint, user and data security and adapt to the needs of distributed workforces, while reducing costs by retiring resources that are no longer compatible or that underperform.
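Bringing together the conditional-access point from the nation-state list earlier and the device requirements just described, here is an added example (not Jamf or Apple code) of the posture check a ZTNA gateway might run before granting access to a protected resource. The telemetry field names, the policy floors (minimum OS versions, a 24-hour check-in window) and the two sample devices are assumptions constructed for illustration; in practice these fields come from the MDM and endpoint-security inventory.

```python
"""Device-posture check run before a ZTNA gateway grants access.

Added example: not Jamf or Apple code. Field names, policy floors and the
sample devices are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy: oldest OS release still acceptable, per platform.
MIN_OS = {"macOS": (13, 6, 0), "iOS": (16, 7, 0), "iPadOS": (16, 7, 0)}
# Assumed policy: inventory older than this is treated as unknown, not as compliant.
MAX_CHECKIN_AGE = timedelta(hours=24)


def parse_version(text):
    """'13.6.1' -> (13, 6, 1); '14.2' -> (14, 2, 0).

    Compare versions as integer tuples: as strings, '13.6.1' > '13.10' is True,
    so a naive string comparison would wave an outdated device through.
    """
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(device, now, mfa_satisfied):
    """Return a Decision listing every failed control, not just the first one."""
    reasons = []
    platform = device.get("platform")
    if platform not in MIN_OS:
        reasons.append(f"unsupported platform: {platform}")
    elif parse_version(device["os_version"]) < MIN_OS[platform]:
        floor = ".".join(str(n) for n in MIN_OS[platform])
        reasons.append(f"OS {device['os_version']} is below the floor {floor}")
    if not device.get("mdm_enrolled"):
        reasons.append("device is not enrolled in MDM")
    if not device.get("disk_encrypted"):
        reasons.append("storage is not encrypted")
    if not device.get("passcode_set"):
        reasons.append("no passcode set")
    if not device.get("endpoint_protection_running"):
        reasons.append("endpoint protection is not running")
    if now - device["last_checkin"] > MAX_CHECKIN_AGE:
        reasons.append("inventory is stale: last MDM check-in too old")
    if not mfa_satisfied:
        reasons.append("MFA not satisfied for this session")
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample inventory records (not real devices).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
COMPLIANT_MAC = {
    "platform": "macOS", "os_version": "14.2", "mdm_enrolled": True,
    "disk_encrypted": True, "passcode_set": True,
    "endpoint_protection_running": True, "last_checkin": NOW - timedelta(hours=2),
}
UNMANAGED_IPHONE = {
    "platform": "iOS", "os_version": "15.7.9", "mdm_enrolled": False,
    "disk_encrypted": True, "passcode_set": True,
    "endpoint_protection_running": False, "last_checkin": NOW - timedelta(days=3),
}

if __name__ == "__main__":
    for name, dev in (("compliant Mac", COMPLIANT_MAC), ("unmanaged iPhone", UNMANAGED_IPHONE)):
        d = evaluate(dev, NOW, mfa_satisfied=True)
        print(name, "->", "ALLOW" if d.allow else "DENY", d.reasons)
```

Two design choices worth noting. Every failed control is reported rather than stopping at the first, so the user (and the help desk) can fix all of them in one pass instead of discovering them one denial at a time. And a stale inventory record is treated as a failure, not as “last known good”: a device that has not checked in for days cannot be assumed to still meet the requirements it met last week.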
Undiscovered threats
Endpoint protection is a “no-brainer”, right? When it comes to endpoint security, the threat that sits top-of-mind is arguably malware. Malicious code in its myriad forms remains one of the key threats to cybersecurity. And while endpoint protection provides an excellent layer of security against known threat types, much of that protection works by matching known threats against their signatures.
But that only tells part of the story, doesn’t it? The other part lies hidden in the underbelly of your devices, buried in the code of applications installed within the OS. Sometimes these unknown threats lie in wait, biding their time, gathering as much intel on your company’s operations as they can and waiting for the right moment to strike.
Jonathan Raymond’s quote encapsulates this sentiment: “You can’t know what you don’t know. You can’t know about things you have yet to discover.” But it is the second sentence that offers IT and Security teams a doorway, for it begs the question: what can be done to discover and, therefore, know more?
The answer to this question is threat hunting.
As touched upon earlier, not all threat actors behave the same; their actions are as different as their targets. Some hastily take advantage of a window of opportunity. Others play the long game, surveilling targets for undetermined periods, stockpiling data and using it to choose the tooling with which to strike at the most opportune moment, or, should one not exist, working steadily to create one.
Both are dangerous to a company’s security posture, but the latter represents a long-lasting threat that may linger well beyond the duration of any single attack. And while this may give IT and Security teams pause, it also presents them with an opportunity of their own: to stop attacks before they grow into something far worse, like a data breach.
The aim of threat hunting is to turn the tables: threats that have already invaded enterprise devices are sought out and eliminated by a team of IT and Security professionals who dedicate time and resources to gathering, collating and analyzing telemetry data, sussing out anomalies against established baselines to hunt down and mitigate hidden threats as part of a defense-in-depth security plan.
Teams dedicated to threat hunting can be any size and made up of professionals from all IT-related backgrounds. While team members are often experts in data science or programming, or seasoned security staff, advances in cybersecurity tooling mean that even smaller teams without extensive expertise can perform threat-hunting tasks to reduce the risk of unknown threats lurking within your infrastructure.
After establishing your own threat-hunting team, some of the tasks they can perform to achieve their objective are:
- Monitor devices constantly, with real-time health status checks that give up-to-date insight into endpoint health
- Leverage advanced machine learning (ML) and threat intelligence engines to aid teams in detecting and remediating threats by analyzing large, complex volumes of data
- Stream endpoint logs to a SIEM solution for granular, centralized reporting on threats, risky apps, suspicious behaviors and system processes
- Standardize device and network security postures by creating baselines aligned to hardening guidance such as the CIS Benchmarks and NIST publications, and map detections to the MITRE ATT&CK knowledge base so that hunts can be organized by adversary tactic and technique
- Blend analytical, situational and intelligence-driven methodologies to achieve a mature, consistent and scalable practice that adapts to current and future threats while increasing efficacy
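As an added example of the baseline-and-anomaly approach this section describes (constructed for this article; it is not Jamf’s detection logic), the script below builds a baseline of parent/child process launches from a quiet period and scores new telemetry against it, also flagging binaries that execute from user-writable or hidden paths. All process names, paths and counts are invented sample data; real events would come from the endpoint agent or the SIEM.

```python
"""Baseline-and-anomaly hunt over process-launch telemetry.

Added example, not Jamf detection logic. Process names, paths and counts are
invented sample data; real telemetry would come from the endpoint agent or SIEM.
"""
from collections import Counter

# Constructed baseline: (parent, child, executable path) launches observed fleet-wide
# during a quiet period. Repeated to stand in for many hosts reporting the same pairs.
BASELINE_EVENTS = [
    ("launchd", "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
    ("launchd", "Safari", "/Applications/Safari.app/Contents/MacOS/Safari"),
    ("Terminal", "zsh", "/bin/zsh"),
    ("zsh", "git", "/usr/bin/git"),
    ("zsh", "ssh", "/usr/bin/ssh"),
] * 50

# Constructed events from the hunt window.
HUNT_EVENTS = [
    ("launchd", "Safari", "/Applications/Safari.app/Contents/MacOS/Safari"),
    ("Safari", "osascript", "/usr/bin/osascript"),
    ("launchd", "com.apple.update",
     "/Users/alice/Library/Application Support/.u/com.apple.update"),
    ("zsh", "git", "/usr/bin/git"),
    ("zsh", "curl", "/usr/bin/curl"),
]

# Locations an unprivileged user can write to; system binaries rarely run from here.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def build_baseline(events):
    """Count how often each (parent, child) pair appeared during the quiet period."""
    return Counter((parent, child) for parent, child, _path in events)


def score_event(event, baseline, min_support):
    """Return the list of reasons an event deviates from the baseline (empty if none)."""
    parent, child, path = event
    reasons = []
    seen = baseline[(parent, child)]
    if seen < min_support:
        reasons.append(f"{parent} -> {child} seen only {seen} times in baseline")
    if path.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("executable runs from a user-writable location")
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("hidden directory in executable path")
    return reasons


def hunt(hunt_events, baseline_events=BASELINE_EVENTS, min_support=5):
    """Score every event in the hunt window; most-deviant first.

    min_support keeps a pair seen once or twice fleet-wide from counting as
    'normal': a baseline should be built from behaviour that is actually common.
    """
    baseline = build_baseline(baseline_events)
    findings = []
    for event in hunt_events:
        reasons = score_event(event, baseline, min_support)
        if reasons:
            findings.append({"event": event, "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    for f in hunt(HUNT_EVENTS):
        parent, child, path = f["event"]
        print(f"{parent} -> {child} ({path})")
        for r in f["reasons"]:
            print("   ", r)
```

Ranking by the number of independent deviations does the triage: an Apple-looking process name launched from a hidden directory under a user’s home folder comes first, a browser spawning a scripting host second. The shell launching curl is flagged only because this toy baseline never saw it; with a real fleet-wide baseline that pair would clear the support threshold and drop out, which is exactly the tuning step a hunting team performs as its baselines mature.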
Ensure the security of your Apple fleet against the external security threats of today and tomorrow.
Balance device, user and data security and privacy while mitigating risk factors with Apple and Jamf solutions.