It wasn’t too long ago that if you had antivirus software running on your computer, and the IT department had a moderately good firewall at the border of your network, that was considered “secure enough.” Staff would come into the office, connect to the secured network, and get their work done. Then the staff would go home and generally not have access to work (if they did, it was only via VPN)… work/life balance was, interestingly enough, an element of the security model.
The Current Situation
Over the last few years that’s clearly changed, especially since the start of the pandemic, with organizational data being accessible from many different devices and locations. The cloud was the solution to the “new normal” of work-from-home. In this world, having antivirus on the machines and a firewall at the border of your network just isn’t enough anymore. But the fundamental concept of “antivirus and firewall” has evolved into something the industry is calling XDR. XDR stands for Cross-domain Detection and Response, and it’s a class of products – with many vendors touting their own flavor.
Protections of XDR
XDR is considered the gold standard for protecting an organization because it incorporates a few important components. First, broad-spectrum endpoint protection: antivirus and antimalware on steroids, with newer controls such as leveraging the trusted platform module, enforcing policies like encryption of the endpoint, attack surface reduction rules, virtualization-based security, and so on. XDR’s cross-domain nature also lets it incorporate signal intelligence from network monitoring and the telemetry of other tools, aspects of strong identity management and protection, cloud app (first- and third-party) protection, and even event monitoring, correlation, and response.
Protecting an Organization
What used to be “protect the machines inside my offices” has now evolved into “protect my machines wherever they are, my user identities, my applications, and my data… wherever it resides, from insider threat, accidental error, and external threat.” It’s a huge shift, but one that’s required when everyone is working from different locations and devices (some owned by the organization and some personal). And that firewall we used to care about at the edge of the network? Since the edge of the network is now every device carried by everyone accessing the organization, the firewall is actually your identity, strongly authenticated in real time each time you access the organization’s applications or data. This is known as conditional access.
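To make the “identity is the firewall” idea concrete, here is an added example (not code from the original post or from any XDR vendor) of a small conditional access policy engine. It evaluates a sign-in against the kinds of signals the post mentions: whether a second factor was presented, whether the endpoint is compliant with device policy, whether the protocol can carry MFA at all, and where the request comes from. The trusted network range, the app names and the policy ordering are all constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up: let the user continue only after a second factor
    BLOCK = "block"


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str                  # application or data store being accessed
    mfa_satisfied: bool       # a second factor has already been presented in this session
    device_compliant: bool    # endpoint meets device policy (managed, encrypted, patched)
    legacy_auth: bool         # protocol that cannot carry MFA (e.g. basic auth)
    source_ip: str


# Constructed sample data: an organisation's trusted egress range and its sensitive apps.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
SENSITIVE_APPS = {"payroll", "hr-records"}


def from_trusted_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(signin: SignIn) -> tuple[Decision, list[str]]:
    """Return the access decision and the reasons behind it.

    Policies are checked from most to least severe, so a block wins over a
    step-up requirement, which wins over a plain allow.
    """
    reasons: list[str] = []

    # 1. Legacy protocols cannot satisfy MFA, so they are refused outright.
    if signin.legacy_auth:
        reasons.append("legacy authentication protocol is not permitted")
        return Decision.BLOCK, reasons

    # 2. Sensitive apps are only reachable from a compliant (managed, encrypted) device.
    if signin.app in SENSITIVE_APPS and not signin.device_compliant:
        reasons.append(f"{signin.app} requires a compliant device")
        return Decision.BLOCK, reasons

    # 3. Everyone must present a second factor. The one exception is a compliant
    #    device on a trusted network reaching a non-sensitive app; that combination
    #    of signals is treated as low risk.
    low_risk = (
        signin.device_compliant
        and from_trusted_network(signin.source_ip)
        and signin.app not in SENSITIVE_APPS
    )
    if not signin.mfa_satisfied and not low_risk:
        reasons.append("multi-factor authentication required")
        return Decision.REQUIRE_MFA, reasons

    reasons.append("all conditional access policies satisfied")
    return Decision.ALLOW, reasons


if __name__ == "__main__":
    # Constructed sign-in attempts covering each decision branch.
    samples = [
        SignIn("alice", "mail", False, True, True, "198.51.100.7"),     # block: legacy auth
        SignIn("alice", "payroll", True, False, False, "203.0.113.5"),  # block: non-compliant device
        SignIn("bob", "mail", False, False, False, "198.51.100.7"),     # step-up to MFA
        SignIn("bob", "mail", False, True, False, "203.0.113.5"),       # allow: low-risk signals
        SignIn("bob", "payroll", True, True, False, "198.51.100.7"),    # allow: MFA + compliant
    ]
    for s in samples:
        decision, why = evaluate(s)
        print(f"{s.user:6} {s.app:10} -> {decision.value:12} ({'; '.join(why)})")
```

The point of the ordering is that the decision is made per request, not per network: the same user on the same laptop gets a different answer depending on the app, the protocol and the device state, which is exactly what the border firewall could never express.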
Layers of Protection
There are many foundations to get in place before an organization can effectively leverage a full-spectrum XDR solution. Multi-factor authentication, which makes each user’s identity an element of security, is an initial step. Defining data loss prevention policies, scanning data types in real time, and applying policies based on the type of data is another. Understanding what is important to your organization, so that the right baseline policies can be built (and reported on), is an important conversation to have as well. The right security configurations on each endpoint (whether mobile phone, tablet, laptop, desktop, or server) are critical. Insider risk management ensures that an authorized person doesn’t do something accidentally (or intentionally) with organizational data, by implementing universal labeling so that different types of documents can be tagged according to their sensitivity and rules applied to them. And so much more… But defining, configuring, testing, and rolling out these protections should, in my opinion, be of the utmost importance to any organization that is providing flexible work opportunities to its staff.
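The data loss prevention and labeling steps above are easiest to reason about as one pipeline: detect a data type in the content, assign a sensitivity label from what was found, then apply a rule keyed on label and destination. The following is an added example of that pipeline, written for this page rather than taken from any product. The detectors (a payment card number validated with the Luhn checksum, and a US-style SSN pattern), the label names and the policy table are constructed assumptions; a real DLP engine would carry many more classifiers and a richer policy model.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US-style SSN layout. A pattern alone gives false positives, so it only earns a lower label.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: cuts most false positives from long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str
    masked: str   # never carry the raw value into logs or alerts


def classify(text: str) -> tuple[str, list[Finding]]:
    """Scan the content and return (sensitivity label, findings)."""
    findings: list[Finding] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("payment_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:]))

    kinds = {f.kind for f in findings}
    if "payment_card" in kinds:
        label = "Highly Confidential"
    elif "ssn" in kinds:
        label = "Confidential"
    else:
        label = "General"
    return label, findings


# Constructed policy: (label, destination is external?) -> action.
# Anything not listed is allowed, so internal sharing is unaffected.
POLICY = {
    ("Highly Confidential", True): "block",
    ("Confidential", True): "warn",   # prompt the user for a justification, then log it
}


def decide(text: str, external: bool) -> tuple[str, str, list[Finding]]:
    """Apply the policy to a piece of content headed for a destination."""
    label, findings = classify(text)
    action = POLICY.get((label, external), "allow")
    return action, label, findings


if __name__ == "__main__":
    # Constructed sample documents. 4111 1111 1111 1111 is a well-known test card
    # number that passes Luhn; the second digit run does not.
    docs = [
        ("Customer card 4111 1111 1111 1111 exp 12/27", True),
        ("Order ref 1234 5678 1234 5678, please expedite", True),
        ("Employee SSN 123-45-6789 for onboarding", True),
        ("Employee SSN 123-45-6789 for onboarding", False),
    ]
    for text, external in docs:
        action, label, found = decide(text, external)
        dest = "external" if external else "internal"
        print(f"{action:5} [{label}] -> {dest}: {[f.masked for f in found]}")
```

Two design choices matter here. Findings carry a masked value only, so the DLP alert itself does not become a second copy of the sensitive data. And the label is derived from content, not from where the file happens to live, which is what lets the same rule follow a document from a laptop to a cloud share.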
Organizations Have Different Standards
It’s important to recognize that different organizations have different standards, not just in regulatory terms (for example HIPAA, SOX, or PCI) but also as a result of the organization’s internal staff culture. Understanding where your organization lies on the security vs. productivity spectrum is important context, and this spectrum is a concept we try hard to communicate. Protecting an organization isn’t black and white… there is a spectrum between 100% secure (and 0% productive) and 0% secure (and 100% productive), and our goal is to align staff and organizational needs with industry best practices and frameworks, and to deliver security in a way that isn’t so burdensome that people can’t get their jobs done.
Productivity vs Security
When employees are measured by their productivity, they are often reluctant to invest the required effort and time in additional actions tied to strong security… especially when they don’t fully understand those actions and see no personal benefit from them. Worse, employees will often resort to external, sometimes consumer-focused, or otherwise non-compliant solutions in order to complete their primary tasks quickly. So while IT is trying to enforce strong security, employees may experience a negative impact on their performance and try to solve that by using means IT has less visibility into, which requires IT to respond with additional controls and monitoring (shadow IT monitoring, for example), which in turn exacerbates the cycle.
This is why an organization needs to be conscious of the impact of strong security controls, understand the user experience and workflows, explain the benefits to the staff, train appropriately, monitor for adherence, and last but not least, be mindful of security as it relates to productivity.