Remote workers are now a weak security link
COVID-19 trend of working from home set to continue – but how to protect all those remote workers?
“Remote teleworking has been a growing trend for many years, but the demands of the COVID-19 realities have dramatically accelerated the trend, and it is largely set to be the 'new normal'. It can, however, mean that employee systems are not on the corporate network ever, or only very infrequently,” says Murray Benadie, MD of Zenith Systems, the African representatives of Snare.
If the systems are not on the corporate network, the audit logs and other activity from those laptops cannot always be collected in near-real-time, because there is no connection to the internal SIEM, which typically sits on the corporate network. Corporate SIEM systems are rarely exposed on open networks: they hold sensitive information and must be protected from tampering and from viewing by unauthorised parties.
This can leave the endpoint systems exposed to unauthorised activity, whether from a staff member doing something they should not, or from an external party attacking the laptop while it is on an open network such as a cafe, hotel or airport wireless network.
If the system is compromised, no log or alert information reaches the corporate SIEM, so the security team will not know that one of their employees has just been hacked. In most environments the employee must connect over a VPN when remote, or come into an office and connect to the LAN, before logs can be sent to the corporate SIEM. By then the system may already be compromised, and connecting it could spread the malware onto the corporate network and turn a single infected laptop into a larger-scale incident.
Many attacks go unnoticed because they start with a seemingly innocuous event: a system that was not patched, a user who clicked on a malicious link and had malware installed, or a remote attacker exploiting a weak system setting or a new zero-day vulnerability. Some malware tries to stay hidden on the user's system until the user reconnects to the corporate network, but there will still be subtle traces, such as software installs and process executions, that can be detected and reported on.
So how does Zenith Systems use Snare to help with this problem?
Benadie answers this important question as follows: “When we deploy our Snare agents to the customers’ workstation real-estate, we have the capability to collect the logs from the employee’s system in near-real-time over the Internet, all securely over TLS using a mutual authentication key to our Snare Collector/Reflector technology or to send it directly to the SIEM solution used by the customer.
“The system can be open to the Internet and only allow authorised connections from the Snare agents to the Snare Collector/Reflector. Any system that does not have the relevant authorisation keys won’t be allowed to connect. Along with strict TLS certificate validation, the destination connection can be trusted and the log data sent securely to the central SIEM. The connection works much like a VPN does for a traditional laptop connecting to the corporate network when a user is remote, but is limited to the Snare Agent and the Snare Collector/Reflector sending log data.
This then allows all remote workers' systems to have near-real-time monitoring and audit log collection whenever they are on the Internet, such as in a cafe, hotel, airport or elsewhere. These are all common places where they can be exposed to a remote exploitation attack, so this ability helps with early detection of incidents and data breaches on the user's endpoint system before they can spread to other users and the corporate network. The technology can be deployed on the corporate network or in the cloud and reflected to other parts of the network and to multiple SIEM systems as needed, to facilitate early warnings and reporting for the security team and any SOC the customer has in place.
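The mutually authenticated TLS channel described in the quote above, as an added Go example that is not Snare's code and uses no Snare record format or protocol: a collector listening on the loopback interface that accepts only agents whose certificate chains to an internal CA (the "authorisation key" in the quote is assumed here to be a per-agent client certificate), and an agent that performs strict validation of the collector's certificate against that CA alone. The CA, the certificate names, the sample event line and the one-line ACK protocol are all constructed for this example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// newCert issues an ECDSA certificate for cn. With parent == nil it is self-signed,
// which is used for the internal CA and for a rogue agent that is not enrolled.
func newCert(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // Go matches ServerName against SANs, not the CN
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func toTLS(c *x509.Certificate, k *ecdsa.PrivateKey) *tls.Certificate {
	return &tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
}

// startCollector listens on loopback and requires every agent to present a certificate
// chaining to caPool; anything else fails the handshake before any log data is read.
// Each received line is acknowledged with the agent identity taken from its certificate.
func startCollector(serverCert *tls.Certificate, caPool *x509.CertPool) (net.Listener, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{*serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    caPool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				if err := tc.Handshake(); err != nil {
					return // unauthorised agent: rejected here, nothing is logged
				}
				agent := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
				r := bufio.NewReader(tc)
				for {
					line, err := r.ReadString('\n')
					if err != nil {
						return
					}
					fmt.Fprintf(tc, "ACK %s %s", agent, line)
				}
			}(conn.(*tls.Conn))
		}
	}()
	return ln, nil
}

// sendLog connects as an agent (agentCert == nil sends no client certificate) and returns
// the collector's acknowledgement. RootCAs holds only the internal CA, so a collector
// presenting any other certificate, public CA or not, is rejected.
func sendLog(addr string, agentCert *tls.Certificate, caPool *x509.CertPool, line string) (string, error) {
	cfg := &tls.Config{RootCAs: caPool, ServerName: "collector.example", MinVersion: tls.VersionTLS12}
	if agentCert != nil {
		cfg.Certificates = []tls.Certificate{*agentCert}
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := fmt.Fprintf(conn, "%s\n", line); err != nil {
		return "", err
	}
	// Under TLS 1.3 a rejected client certificate surfaces as an alert on this first read.
	resp, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(resp), nil
}

// runDemo builds the PKI, starts a collector and tries an enrolled agent, a rogue agent
// with a self-signed certificate, and a client that presents no certificate at all.
func runDemo() (ack string, rogueErr, anonErr error, err error) {
	ca, caKey, err := newCert("internal-log-ca", true, nil, nil, nil)
	if err != nil {
		return
	}
	srv, srvKey, err := newCert("collector.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	if err != nil {
		return
	}
	agent, agentKey, err := newCert("agent-laptop-01", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	if err != nil {
		return
	}
	rogue, rogueKey, err := newCert("rogue-laptop", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil, nil)
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := startCollector(toTLS(srv, srvKey), pool)
	if err != nil {
		return
	}
	defer ln.Close()
	addr := ln.Addr().String()
	// Constructed sample event; not a real Snare record.
	event := "2024-05-01T09:12:44Z agent-laptop-01 process_start cmd=powershell.exe parent=winword.exe"
	if ack, err = sendLog(addr, toTLS(agent, agentKey), pool, event); err != nil {
		return
	}
	_, rogueErr = sendLog(addr, toTLS(rogue, rogueKey), pool, event)
	_, anonErr = sendLog(addr, nil, pool, event)
	return
}

func main() {
	ack, rogueErr, anonErr, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("enrolled agent:", ack)
	fmt.Println("rogue agent rejected:", rogueErr)
	fmt.Println("anonymous client rejected:", anonErr)
}
```

Two points worth noting when building this for real. First, pinning `RootCAs` to the internal CA is what makes the collector safe to expose: the agent will not talk to a listener whose certificate was issued by any other CA, so an attacker on the cafe network cannot impersonate the collector even with a valid public certificate. Second, with TLS 1.3 the client's handshake completes before the server has verified the client certificate, so a rejected agent sees the failure on its first read rather than at dial time; agent-side retry logic should treat both as an authentication failure, not a transient network error.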
Time to detection of a breach is critical to containment and to minimising business impact, which is why collecting the data in near-real-time matters.