Protecting Remote Workers from Dirty Networks - TAG Cyber
Written by: Katie Teitler, TAG Cyber
The COVID-19 crisis has ushered in an unprecedented requirement for remote work. While working remotely is not unfamiliar to many who work in IT and IT-related fields, the pandemic is the first time many employees will get or need to work from a non-office location. It’s certainly the first time most office-based companies will operate on a 100% remote basis.
Logistical challenges aside (and there are many to consider), security and privacy of employees’ Wi-Fi connections, the traffic sent/received via those connections, and the devices used to send/receive data are forefront in the minds of security practitioners. While plenty of companies are relying on VPNs to secure connections into/out of their networks, VPNs are only as strong as the mechanisms used to authenticate users and their devices, and the encryption standards implemented by the providers. Not to mention, VPNs are designed to protect data in transit between a device and corporate network. Cloud-based services and applications don’t fall into this category and are therefore a weak spot for data leakage and unauthorized access.
The coronavirus has forced people to work out of their homes, connecting over varying states of secure/insecure Wi-Fi connections. As a security practitioner, you may be thinking, “Did our users change default passwords on their Wi-Fi and routers? What's the security status of other devices being used simultaneously on that network? What type—if any—of security is applied? When the user doesn’t need to connect through the VPN, are they visiting risky sites that could introduce vulnerabilities or exploits?” And the list goes on. This, of course, is only for home Wi-Fi connections; when coffeeshops and restaurants open again after the virus subsides, remote workers will go back to working from their local coffeeshop, often connecting to likely-compromised networks.
Protection, regardless of device or network
Security practitioners need to protect devices, users, and the data they’re accessing, regardless of connection mechanism and location. Responsibility doesn’t stop at “corporate network and assets.” And there’s another thing to consider as we all look optimistically toward the end of the pandemic: How many companies and employees will recognize the benefits of remote work after working from home for 6-8 weeks and thus offer more remote work opportunities? What would that mean for security and privacy?
Cost and convenience are two primary drivers of remote work, and if the business can justify an increased mobile workforce, it will. However, “organizations aren’t equipped to deal with remote work today,” said Ryan Bunker, head of business development at endpoint security company, Byos. “It’s imperative to protect mobile employees using dirty networks—public Wi-Fi in coffeeshops, at airports, in hotel lobbies—and all networks should be considered compromised. Even if your organization has a VPN, the devices on those networks are exposed. An attacker can re-route packets or throw exploits at the device and the user or their employer wouldn’t necessarily know.”
This is why Byos developed their endpoint micro-segmentation product, a USB device that acts as a micro-gateway. “We took the principles of typical network segmentation and shrunk it to the lowest common denominator,” said Matias Katz, Byos’ CEO. “The μGateway is recognized as a USB ethernet device and connects to the network—no software to be installed, no OS requirement on the endpoint.”
μGateway is designed to protect layers 1-5 of the OSI stack, which complements existing network and application security technologies like VPNs, firewalls, and IPS/IPDS, which organizations (generally) already have deployed. The idea, Katz said, isn’t to replace other technologies; it’s to create another security layer focused on the interaction between the endpoint and the network, and to “isolate ourselves from Wi-Fi.”
Deployment options
To deploy μGateway, users need the hardware asset—the USB—plus a license key. Byos offers three tiers for purchase: Individual, Business 5-pack, and Enterprise. Individual buyers would obtain the license key directly from Byos; enterprise customers would administer licenses through IT or security teams. With the USB connected and the file installed, the device is instantly under control. The USB device acts as the device’s network card, adding a “hop” to the route, and shielding the device from malicious activity targeting the endpoint. Traffic from the device is encrypted, meaning, even if an attacker is snooping on the network, they can’t see what data is being sent or received, and impersonation attempts are detected and blocked.
The operational structure is comprised of four parts: the hardware (the USB device, itself), the base OS, Byos core, and the front end. The core is the company’s secret sauce; it consists of a proprietary network attack knowledgebase, network health detection services, decision-making algorithms, and multi-layer API. Together, the first three components help protect the user and device from snooping, hijacking, DDoS, impersonation, re-routing, exponential changes in traffic volume, fingerprinting, enumeration, and more. The front end, the fourth component, is the SaaS-based management console. It's is a centralized “command and control” where administrators can view all activity, provision new devices, and control access requests based on specific domain names, IP addresses, or countries.
Obstacles and opportunities
At TAG Cyber, we’re big fans of security products that layer protection for remote employees and their devices. At the time of this writing, as with so many other companies, TAG staff is entirely remote. During normal operations, we run about 65% remote. We all own different device types. Some of us work from home, some from WeWork offices, others out of different shared office space or the aforementioned coffeeshops...thus, another layer of security is always considered positive.
The Byos solution looks promising and we’re excited to try it for ourselves. For a small company like TAG Cyber, Byos will be easy to deploy. One challenge Byos will need to overcome is deployment at enterprise scale. Shipping USB devices to 25 or 50 people is a little work, but only a little. For companies with thousands of employees, the distribution challenge will be insurmountable. Then, of course, there is the issue of getting people to actually use the device. User friction has been an adoption deterrent for many proven security mechanisms (e.g., long, hard-to-guess passwords; MFA; password managers), and μGateway will be no different. Katz says enterprises can determine individual levels of enforcement based on business use case, from required use via Active Directory to simple monitoring.
Byos has big plans coming down the pike to make it easier for large companies to use their product, but in the meantime, we think the key is hitting up early adopters and those who view security and privacy as paramount. Byos is a good endpoint security layer, and if enterprise security teams can offer the technology as a recommended add-on for those who work remotely (vs. a corporate mandate), it could help inch mobile workforces toward improved Wi-Fi isolation and device protection.