Tools to Manage Cyber Risk in a Growing Organization
Cyber Risk in a Growing Business
Within the cyber security industry, it is well known that as a company grows, so does its attack surface. This trend lends itself largely to the fact that as more employees are hired, more company-owned machines (laptops, tablets, etc.) are distributed. The risk is that once a company-owned machine is given to an employee, it is up to the employee whether to follow the security best practices set forth by your company. Your technological asset has now become a security risk.
The Traditional Approach
The traditional approach to handling this risk is logging and monitoring. In essence, employees using company-owned or managed machines, or employees logged onto the company’s network, are monitored to ensure that they don’t accidentally or knowingly break your enterprise’s corporate policies. Effective logging and monitoring can successfully decrease the time it takes to spot threats, remediate vulnerabilities, and quarantine sensitive files before they are exfiltrated. Logging and monitoring is a key tenant of cyber security, and gives rise to the rapidly expanding market for security information and event management (SIEM) solutions, such as Splunk, QRadar and Azure Sentinel.
But SIEM, while robust in monitoring capabilities, lacks two key features:
- SIEM does not have a native ability to enforce company policies in real-time. It can only identify when policies are broken and trigger after-the-fact remediation.
- SIEM can only act on resources that it is made aware of. If an employee exfiltrates data via a cloud app that is not managed by your company, and therefore not integrated with your SIEM solution, your security team is blind to that activity.
Enter the cloud access security broker (CASB). CASB works as a middleman between your enterprise and the thousands of cloud apps your employees log onto. It captures the user’s requests to apps in real-time, checks those requests against company policies, and can block actions on the app if they present a threat to your company or its data.
CASB can also integrate with VPN clients and endpoint agents. That way, your security team can monitor which tools are being used outside of your organization’s managed apps. For example, if your company uses MS SharePoint for sensitive documents, but an employee is uploading said documents onto Google Drive, you can monitor that activity, alert the user, and choose to unsanction, or block, that app.
CASB Deployment Cycle
A successful CASB deployment tends to follow this cycle:
- Discovery – During the Discovery phase, the CASB tool aggregates all the cloud apps being used by your employees (both managed and unmanaged), along with how those apps are being used.
- Sanctioning/Unsanctioning of Shadow IT – During the sanctioning phase, your CASB team sifts through the discovered data for unmanaged apps, and decides which apps are sanctioned (allowed for use) (e.g., Spotify), and which apps they should unsanction (block) (e.g., untrusted music streaming service).
- Policy Creation – During this phase, your CASB team defines how both managed and unmanaged apps can be used, and what actions CASB should take in real-time if these policies are broken (e.g., monitor, block).
- Alert Management – As policies generate alerts for your SOC team, your SOC team can decide whether to suspend the user, quarantine a file, etc. directly from the CASB tool.
One of CASB’s biggest benefits is that it can enforce policies in real-time (e.g., block downloads, prohibit sharing actions, etc.). It can do this because when you integrate your managed apps (e.g., Box, Salesforce) with CASB, you give the CASB tool global administrator privileges on each of those managed apps. CASB then uses those privileges to enforce policies.
This process presents a key challenge in CASB deployments that persists across industries:
All CASB vendors have very robust systems in place to keep those global admin credentials secure. However, many companies are still weary of giving global admin credentials to CASB, because it, in itself, is a SaaS tool.
As a result, oftentimes companies will forgo policy enforcement on CASB, and simply use CASB for monitoring of business-critical apps and discovery/sanctioning of Shadow IT. Choosing to use CASB this way is not a reflection on your company’s security posture, but it does bring up another issue:
In the absence of real-time policy enforcement, there becomes a strong business need for a robust alert management system. SOC teams must, in this case, be notified of policy breaches immediately in order to start the incident triage and remediation process manually.
OnPage’s incident alert management system provides a simple, efficient way to deliver CASB policy alerts and ensure rapid response. OnPage’s competitive edge in this space is that it can create real time alert-until-read, override the silence switch on popular mobile devices (IOS, Android) and manage schedules for various SOC analysts. This feature allows for a seamless integration between the CASB tool and the existing SOC structure. OnPage also offers escalation groups that ensure minimum response time, transferring missed alerts to analysts that have more bandwidth.
In summary, OnPage is uniquely positioned to integrate with your CASB deployment. Their range of alert management features will keep your SOC team up-to-date and fully informed on all suspicious activities on your network in real time. With these two tools deployed, you can spend much less time worrying about your attack surface, and more time focused on growing your business.