Sometimes my commute is all of 10 seconds. I walk into our small home office and I can get cracking right away. A quick chat with my friends on Twitter, and then on to deleting email, all with a nice fresh cup of tea. Oh, and no pesky enterprise network in the way.
I visited a west-coast financial services vendor a couple of weeks ago. They had called us in because they have a recurring problem with malware. What could be wrong? I started to ask what sorts of protection systems they use.
- Network: They have all the “latest and greatest” widgets in place: A BlueCoat Proxy, the leading “Next Gen” (must be good) Firewall from Palo Alto. A FireEye box that throws inbound web traffic at sacrificial Windows VMs to see if they are attacked, and an IDS and IPS.
- Endpoint: Each Windows endpoint runs Fed-grade Host Intrusion Prevention (HIPS), and they use DLP for compliance reasons.
They were doing all the “right” things, though each of these technologies has limitations:
- Advanced malware can easily bypass the most sophisticated network widgets. Why? Malware writers are smart(er) – they simply wait for user interaction before they commence their attack. On the network these attacks appear to be non-malicious because they do nothing until they reach an endpoint with an actively engaged user.
- HIPS is just a variation on the “detect to protect” paradigm. If you don’t have a signature or pattern for the attack, the malware will execute anyway.
I continued to dig into the problem. “Do users have access to consumer apps, like Facebook and Twitter?” I asked. “No – except for a few in Marketing”. And then the first real clue: “Are your users ever mobile?” The reply: “A few… But we have a new policy now where everyone gets to work at home one day a week.” Aha! Now we were onto something: “Do you use VDI for remote access?” “No – it’s too expensive, so we just give each user a laptop.”
It turned out that those WFH days were likely the major cause of the problem. “Can users access the web when they are not on your network?” “Yes”. “Twitter & Facebook?” “Yes, just not allowed from the corporate network because of compliance.”
I see this pattern all too often. An enterprise that is compliant, but insecure. Everyone is complicit in the ultimate insecurity:
- The user just wants to get on with their work, use the web and not have to deal with a slog of a morning commute. WFH? What’s not to like about that?
- IT is over-worked and knows that the vendors’ best detection tools won’t really solve the problem. But they are tasked with compliance, and if compliance is how they are measured, that’s what the CFO will get – instead of protection.
- The vendors just want to sell more stuff. They give the customer incredibly detailed logs to prove that the use of the product ensures compliance. But not protection. And the architecture is the antithesis of what makes users productive.
Protect-first is the only way forward. If you protect the user you can then empower them to do anything. Safely. And compliance is then just a freebie that comes along for the ride.