Continuous and complete remote worker visibility with Network Visibility Module data as a primary telemetry source
Navigating the new normal
Organizations are facing new challenges in monitoring and securing their remote workforces. Many users do not always use their VPNs while working remotely, which creates gaps in visibility that increase organizational risk. Previously, many organizations treated these occasional gaps as a negligible risk because the overall volume of non-VPN-connected remote work was low. That is no longer the case: organizations and workers have been thrust into a new work-from-home (WFH) era. This not only caused an explosion in the need for remote access from anywhere and on any device, expanding the attack surface and with it the opportunities for attackers, but also left organizations with a wide-ranging and prolonged blackout in employee activity visibility. Security teams were left scrambling to adapt, and this sudden visibility blackout further raised overall organizational risk.
Nostalgically remembering the good old days ...
Back in the old days, circa late 2019, in the heyday of employee-activity visibility through on-premises network monitoring, when people's work week involved commuting to the office, clocking in, logging onto the corporate network and doing their work between water cooler breaks, organizations using Secure Network Analytics had total visibility into what their workers were doing. Before the WFH era, security teams could instantly glean deep insight into practically everything that was hosted within, interacting with, and connecting to their corporate networks. Even in those simpler times, security teams still had to be incredibly agile, keep pace with rapidly changing technologies, and be ready to respond to security incidents at a moment's notice.
Amid the arms race that is network security, SecOps professionals must always be comfortable with high-pressure situations and fast-paced environments. It comes with the territory, plain and simple. It is an operational job that requires a thick skin and continuous adaptation. I have been impressed by security professionals' ability to embrace such complexity and ambiguity, remain calm and collected, focus on the task at hand, and execute. I especially admire those who are naturally energized by their work and thrive on it. However, last year's abrupt exodus from corporate offices marked a paradigm shift that left even the best security teams in the dark, and it gave a whole new meaning to the age-old adage, "the only constant is change".
New WFH blind spots
To illustrate: in the WFH era, whenever remote workers do not use their VPNs, organizations are completely blind to what those workers are doing. This prevents security teams from establishing baselines of normal worker behavior and continuously monitoring against them, which in turn prevents them from alerting on anomalous activity and from detecting certain kinds of threats. As a result, SecOps teams have been left in the dark, asking questions like: have any of our users visited malicious URLs? Is anyone exfiltrating sensitive proprietary data? Have any users' devices been unintentionally compromised and are now exhibiting command-and-control (C&C) activity? Are we exposed to compliance-related and broader organizational risk because employees are running outdated, vulnerable operating systems that need to be patched?
Obtaining complete and continuous remote worker visibility with NVM data
To address this modern conundrum, Secure Network Analytics release 7.3.1 began to tackle the WFH visibility blackout by making endpoint Network Visibility Module (NVM) data a primary telemetry source, giving organizations continuity in remote worker monitoring and visibility without requiring NetFlow telemetry to be present. That was only phase 1. Now, with release 7.3.2, we have extended this capability further: the Data Store supports collection of all NVM telemetry records, providing complete and continuous remote worker visibility. Whether a user works on-network or remotely, whether at home or in a local coffee shop, off-network without tunneling through a VPN, or with split tunneling to optimize the remote work experience, all of their activity is stored locally on the endpoint. With NVM data as a primary telemetry source, whenever workers eventually turn their AnyConnect VPN back on, the NVM module phones home and sends the logs of all their activity back to Secure Network Analytics.
This gives security practitioners the continuity in visibility they need by letting them monitor remote worker activities through the collection and storage of NVM endpoint records. Security teams now gain visibility into activities they were previously blind to, such as:
- Downloading and hoarding of large amounts of sensitive company data
- Data exfiltration, or the sharing of sensitive company data with an external party
- Visiting malicious IP addresses and/or inadvertently installing trojans or other malicious processes
- Running older operating system versions with vulnerabilities that need patching

And so on. The list of suspicious activities potentially goes on, whether those activities are unintentional or motivated by an insider who has gone rogue.
Additionally, with Release 7.3.2, customers using NVM data together with a Data Store deployment also gain the following benefits:
- NVM telemetry records can be collected, stored, and queried in the Data Store
- New NVM reports are now available in the Report Builder application
- The ability to define custom security events based on NVM data-specific criteria
- All Endpoint Concentrator functions are now fully managed by the Flow Collector
Extend the zero-trust workplace to anywhere on any device
Deploying the NVM module software not only meets the challenges outlined above by extending visibility beyond the walls of the enterprise network to enable better remote worker monitoring, it also extends the zero-trust workplace to anywhere in the world and to any device. It gives security practitioners visibility into who is online and what they are doing by capturing additional granular user and device context: IP addresses, host and user names, machine types and models, which operating system and version is running, the processes that initiated network connections, MAC addresses, hash information in case potentially harmful files are being shared and traversing the network, and more.
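As an added example (not code from this post, from Cisco, or from Secure Network Analytics), the following Python sketches the kinds of checks the post lists above, run over endpoint records of the general shape NVM provides: an outdated-OS check, a process-hash and destination-IP indicator check, and a per-user bytes-out baseline that flags a sudden large upload. The record schema, the sample records, the version floors and the indicator lists are all constructed for illustration and do not reflect the real NVM/IPFIX record format or any vendor threat data.

```python
"""Toy detection pass over endpoint-style flow records.

Example code added to this post; it is not Cisco's code and does not parse
real NVM/IPFIX records. The record schema, the sample records, the version
floors and the indicator lists below are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Record:
    user: str
    host: str
    os: str
    os_version: tuple        # e.g. (10, 0, 19044); compared lexicographically
    process: str             # process that opened the connection
    process_sha256: str      # hash of the process image
    dst_ip: str
    dst_port: int
    bytes_out: int


# Constructed policy and indicator data (assumptions, not vendor data).
MIN_OS_VERSION = {"windows": (10, 0, 19041), "macos": (11, 0, 0)}
BAD_HASHES = {"deadbeef" * 8}       # placeholder SHA-256, not a real indicator
BAD_IPS = {"203.0.113.7"}           # TEST-NET-3 documentation address
EXFIL_FACTOR = 10                   # flag when > 10x the user's median upload
EXFIL_MIN_BYTES = 50_000_000        # ... and at least 50 MB, to avoid tiny-baseline noise


def check_os(rec):
    """Flag hosts whose OS version is below the constructed patch floor."""
    floor = MIN_OS_VERSION.get(rec.os)
    if floor and rec.os_version < floor:
        ver = ".".join(map(str, rec.os_version))
        return f"{rec.host}: {rec.os} {ver} below patch floor"
    return None


def check_indicators(rec):
    """Match process hash and destination IP against the constructed lists."""
    alerts = []
    if rec.process_sha256 in BAD_HASHES:
        alerts.append(f"{rec.host}: known-bad process hash for {rec.process}")
    if rec.dst_ip in BAD_IPS:
        alerts.append(f"{rec.host}: {rec.process} connected to listed IP {rec.dst_ip}")
    return alerts


def baseline_bytes_out(records):
    """Per-user median bytes_out over a historical batch of records."""
    per_user = defaultdict(list)
    for r in records:
        per_user[r.user].append(r.bytes_out)
    return {u: median(v) for u, v in per_user.items()}


def check_exfil(rec, baseline):
    """Flag uploads far above the user's own median (and above an absolute floor)."""
    base = max(baseline.get(rec.user, 0), 1)   # unknown user -> compare against 1 byte
    if rec.bytes_out >= EXFIL_MIN_BYTES and rec.bytes_out > EXFIL_FACTOR * base:
        return (f"{rec.user}@{rec.host}: {rec.bytes_out} bytes out via {rec.process} "
                f"to {rec.dst_ip} ({rec.bytes_out / base:.0f}x baseline)")
    return None


def run_detections(baseline_records, new_records):
    """Compute baselines from earlier records, then run every check on the new batch."""
    baseline = baseline_bytes_out(baseline_records)
    alerts = []
    for r in new_records:
        for a in (check_os(r), check_exfil(r, baseline), *check_indicators(r)):
            if a:
                alerts.append(a)
    return alerts


# Constructed sample data (documentation addresses, placeholder hashes).
OK_SHA = "11" * 32
BASELINE = [
    Record("alice", "alice-lt", "windows", (10, 0, 19044), "outlook.exe", OK_SHA, "198.51.100.10", 443, b)
    for b in (900_000, 1_100_000, 1_000_000, 1_200_000, 800_000)
] + [
    Record("bob", "bob-mbp", "macos", (12, 3, 1), "Safari", OK_SHA, "198.51.100.20", 443, b)
    for b in (400_000, 600_000, 500_000)
]
NEW = [
    # alice: 800 MB out through curl, roughly 800x her median upload
    Record("alice", "alice-lt", "windows", (10, 0, 19044), "curl.exe", OK_SHA, "198.51.100.99", 443, 800_000_000),
    # bob: a second machine running a Windows build below the patch floor
    Record("bob", "bob-old-pc", "windows", (10, 0, 18363), "chrome.exe", OK_SHA, "198.51.100.20", 443, 300_000),
    # carol: process whose hash is on the constructed denylist
    Record("carol", "carol-lt", "windows", (10, 0, 19044), "svchost.exe", "deadbeef" * 8, "198.51.100.30", 8443, 12_000),
    # dave: outbound connection to a listed IP on an unusual port
    Record("dave", "dave-lt", "macos", (12, 3, 1), "python3", OK_SHA, "203.0.113.7", 4444, 2_000),
]

if __name__ == "__main__":
    for alert in run_detections(BASELINE, NEW):
        print(alert)
```

Because NVM records reach the collector as a batch when the endpoint next connects through the VPN, checks like these run over that batch after the fact rather than on a live stream; the baseline is computed from the same user's earlier records so that a single large upload stands out against that user's own history rather than against a global threshold.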
Comprehensive and context-rich visibility is merely table stakes in our "new normal"
Despite efforts to begin transitioning back to the office, with some organizations embracing hybrid models going forward, a significant paradigm shift has already occurred: WFH is here to stay. Lacking pervasive visibility into remote worker activities is no longer a negligible risk that can be ignored. Nor should any NDR solution portray it as a "nice to have" rather than a "need to have" capability. In today's "new normal," with users able to connect to the enterprise network from literally anywhere and on literally any device, the need for continuity in visibility across all remote activity has never been more pronounced.
Modern problems require modern solutions. Organizations today need NDR solutions that offer unparalleled depth and breadth of visibility across their modern, distributed networks. Secure Network Analytics delivers the most comprehensive, granular, and continuous visibility into remote worker activities through the Network Visibility Module, together with industry-leading behavioral analytics that alert on suspicious and anomalous network activity.
To learn more about Secure Network Analytics' newest release, read the Release 7.3.2 Release Notes.
Don't have Secure Network Analytics? Learn more at https://www.cisco.com/go/secure-network-analytics or try the solution out for yourself today with a free visibility assessment.