Securing a hybrid workforce with log management

Moving to a remote workforce in response to the pandemic stay-at-home orders meant that IT departments needed to address new risks, e.g., insecure home networks. However, as they begin to move back into offices, many of these challenges will remain.

Even in a hybrid work model where employees split their work time between home and office, organizations will still need to manage many of the same challenges they faced in 2020.

To overcome these challenges in the long term, organizations need to leverage toolsets in new ways. A centralized log management tool for monitoring a hybrid workforce infrastructure can deliver significant value in a short period, making it fundamental to building security into the hybrid workforce.

Security

Experts and analysts have discussed the shifting perimeter as organizations moved to new digital business models. Cloud-first and cloud-only strategies moved the perimeter away from traditional network monitoring and toward identity and access management (IAM) as a primary way to protect from unauthorized access. As organizations added Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) to their IT stack, managing who can access cloud resources and the level of access those users have become more important.

User access and authentication

The move to the identity perimeter makes tracking user access and authentication fundamental to securing the hybrid workforce. Instead of protecting data solely behind a firewall, organizations should consider following the principle of least privilege when it comes to access to cloud resources.

Social engineering attacks attempt to leverage users’ weak password practices to steal credentials, gain access to the cloud assets with the stolen credentials, then elevate privileges to gain access to sensitive information. Cybercriminals leveraged people’s fear and uncertainty during the COVID-19 pandemic to engage in successful social engineering attacks. They planned these attacks to obtain email credentials and use them to gain access to systems and networks.

User access event logs provide visibility into when and where people log their devices into a network. Security teams can use these reports to detect anomalous access times and locations that might indicate a credential theft attack.

Server logs

When companies shifted to a remote workforce in response to the COVID-19 pandemic, cybercriminals continued to launch attacks. However, they did not target distantly managed corporate networks. Instead, they looked to exploit organizations where workforce members did their jobs on home networks and devices. Because home networks often lack the robust security controls that the enterprise uses, they become attractive gateways for malicious actors.

During the COVID-19 lockdowns, cybercriminals increasingly leveraged the Windows Remote Desktop Protocol (RDP) as an attack vector. RDP allows users to connect remotely to servers and workstations via port 3389. However, misconfigured remote access often creates a security risk. There has been a massive increase in RDP attack attempts in 2020. Windows computers with unpatched RDP can be used by malicious actors to move within the network and deposit malicious code (e.g., ransomware).

Endpoint security logs

Devices getting infected with malware is a common occurrence when users work outside the corporate network. Since IT departments cannot push software updates through to the devices, security teams need to monitor for potential malware infections. Event logs can detect potentially malicious activity when used correctly.

Antivirus event logs provide information about software updates that protect against new variations, scan for infections, and suggest remediation for infected files. They can also provide date of event, malware name, location of infected application, and whether the action taken was a success or not.

Performance/reliability

Organizations need their applications, systems, and networks to perform reliably. When SaaS applications experience service outages or slow response times, organizations experience frustrated employees and lack of productivity. For IaaS and PaaS deployments, reliable performance becomes even more important because the IT stack’s underperformance may impact the entire organization, not just users in department-specific applications. Centralized log management can help IT departments ensure that mission-critical systems, networks, and applications are accessible to the workforce and/or to troubleshoot problems.

Application logs

IT departments need to track service uptime so they can respond to problems rapidly and maintain employee productivity. Additionally, IT staff can correlate throughput logs with user activity to ensure that the application functions as intended. Finally, monitoring user actions and transaction events provides visibility into whether applications need to be optimized to increase productivity.

Load balancer logs

While cloud resources offer flexibility, organizations need to ensure that the additional access points created by allowing employees to work remotely do not negatively impact performance. Load balancer logs track latency and rejected connections. Latency – the time it takes the server to process a request – gives insight into whether the cloud resources are overloaded. Meanwhile, rejected connections provide data indicating times the application could not service the requests, showing how well it manages increased queries/use.

Availability

While performance focuses on optimization, availability focuses on preventing service outages. A hybrid workforce requires continuous cloud connectivity, meaning that services need to stay running before IT departments try optimizing them.

DNS logs

A problem with the DNS indicates that a network and all services running on it are unavailable. Although the first concern regarding a DNS issue might be a DoS attack, misconfigurations can also be the root cause. In some cases, a DNS error might mean that two clients are attempting to use the same port, which means that either one or neither will run depending on the configuration. DNS logs provide important information for system admins who need to get services up and running quickly and reduce downtime.

Dynamic Host Configuration Protocol (DHCP) logs

Organizations use DHCP to dynamically assign IP addresses and other network services such as DNS, NTP, or other communication protocols that use UDP or TCP. If the DHCP fails, then computers that need to access the network will not be able to join. A client that is having a hard time connecting to the network is considered “unavailable,” and the DHCP logs provide visibility into whether an IP address was appropriately granted or whether the client lease expired. If a client is unavailable, these logs can help identify the reason and help the system admin know where to get the client up and running.

Centralized log management as a hybrid workforce imperative

IT professionals have relied on event logs as a primary data source for managing systems, networks, users, and endpoints for a long time. However, the rise of the hybrid workforce and divergent log data sources makes aggregating, correlating, and analyzing event log data more difficult.

Diverse log formats and an overabundance of dashboards increase the time IT staff take to perform their duties. Whether they need to rapidly detect and respond to a security risk or gain visibility into underperforming resources, IT staff need real-time centralized log management options that allow them to perform their jobs efficiently.

Centralized log management offers unique capabilities because no one-size-fits-all approach exists. When developing a log strategy, the organization needs to consider how many people need access, what types of data will best help users do their jobs, critical threat hunting capabilities, and ease of use. Depending on the organization’s needs, one functionality may outweigh the others, however all of the capabilities and benefits should be part of the final decision-making process.

As organizations move through the Q1 2021, they should be evaluating whether their current tools meet their needs. If not, they may want to consider the benefits centralized log management will bring to the enterprise stack.