In a mad dash to enable a distributed workforce amid the COVID-19 pandemic, IT teams had to make difficult compromises to keep their businesses running. Unfortunately, some of their well-intentioned actions resulted in misconfigurations and security trade-offs in a rush to enable business continuity.
As the dust settles and the world adjusts to large-scale remote work, IT teams need to ensure that these vulnerabilities don't persist in their environments for longer than necessary. To that end, let's take a look at some of the most common trade-offs that IT teams have been forced to make and share some recommendations for how to rebuild a strong security posture.
Purchasing new hardware is the easiest and most secure option. However, according to a survey conducted by electronics trade group IPC, computer manufacturing and the supply chain are experiencing significant delays on a global scale.
If you were lucky enough to get your hands on new hardware, it's important to remember to equip those devices with the corporate image by installing the right applications and firewalls. If you're using refurbished hardware, it's critical to first conduct an audit to make sure it's a clean and secure device.
Many businesses have allowed employees to use their personal devices during this transition. While this may have been critical to keep operations running, personal devices come with a slew of security challenges, including the possibility of pre-existing malware and not having the latest updates installed. When these devices connect to corporate networks—more on this next—it opens up the entire organization to unseen risks.
Sidenote—this is one reason it's so important to have visibility into network communications. By using network TAPs to gain 100% traffic access and real-time monitoring, network detection and response (NDR) solutions allow you to track suspicious behavior from asset to asset so you can better mitigate the threat and understand the attack vector.
Whether employees connect via corporate computers or their personal devices, many are using virtual private networks (VPNs) to gain access to critical systems and assets. While many organizations already had VPNs configured, few had enough licenses for everyone who suddenly needed them, forcing IT teams to move quickly. In the rush, misconfigurations are a legitimate cause for concern. It's critical for those teams to go back and audit those connections to ensure security.
Planning for Office Reopenings
While the time frame for coming back to the office is still yet to be determined, IT teams should consider wiping machines and reimaging them with the corporate image when employees return. This includes any desktop computers that employees have physically moved from the office to their homes.
IT teams and employees may be tempted to use the Remote Desktop Protocol (RDP) to access their machines in the office. In fact, many already have. According to Shodan, there has been a significant uptick in RDP activity. ZDNet reported a jump from 3 million to 4.5 million RDP ports open to the internet from January to March 2020, and at ExtraHop, we've seen an increase in RDP usage across our customer base. As a general rule of thumb, you shouldn't use RDP long-term.
If you must use RDP under these circumstances, we recommend following some key best practices. Above all else, it's imperative to access RDP through a secure VPN in order to ensure that your critical assets and systems do not get exposed through an open portal to the internet—and keep RDP usage brief. Bad actors are scanning for openings and ready to take advantage of any vulnerabilities they find. To learn more, read ExtraHop's Security Advisory on RDP.
Similar to RDP, virtual network computing (VNC) is another way that employees may try to access their desktop computers from home. While unlikely that an IT team would recommend using this system, we have heard reports of employees going rogue and using VNC tools, like TeamViewer, on their own.
Again, VNC software is okay when used as intended: troubleshooting. Sustained use is not recommended and presents a substantial security risk while also using a ton of bandwidth. Unlike RDP, which must be enabled internally, VNC is managed by third-party vendors. Giving hosted service access to the employee's computer and critical assets is an added risk. Routing authentication through a third party is not a secure option for an enterprise. Simply put, you should never allow your security posture as an organization to be controlled by a third party.
So, are employees at your organization engaging in dangerous behavior that could compromise your business?
Unfortunately, you don't know what you don't know. The good news is that it's easy to get full visibility into the network by combining a network TAP with a network detection and response (NDR) solution. If an employee is using a VNC tool, a Garland Technology Network TAP and PacketMax combined with ExtraHop Reveal(x) will alert you to the risk.
Full Tunnel vs. Split Tunnel VPN
In most cases, IT teams will want employees to access the VPN via split-tunnel VPN, not a full tunnel, so as not to overburden the network. Failing to do so will result in challenges for both performance and for security.
High-volume applications like Zoom and Netflix—which have seen increased use since work from home went into effect—do not need to be routed through the VPN and have the potential to affect performance if left unmonitored.
Too much traffic could tip over the VPN and expose you to denial-of-service (DoS) attacks. Full tunnel VPN access also increases your risk of routing nefarious traffic through the datacenter.
Incidentally, with full packet visibility from Garland's network TAPs and real-time detection from ExtraHop Reveal(x), you always know who is accessing the VPN via a full tunnel.
As more people need to run commands and make configuration changes from outside of the corporate environment, organizations will likely see a rise in the use of the Secure Shell protocol (SSH). SSH allows for secure connections to systems in otherwise unsecured networks. It's intended to provide additional security. However, if accessed by someone who doesn't have permission, it has the potential to cause a lot of damage.
Under normal circumstances, security teams would limit credential access, but the shift to remote work has increased the number of people who will need to access SSH. With the rush to give access and an increase in employees using SSH, bad actors have the chance to slip in undetected.
Security teams should keep an eye on which IPs are accessing SSH, leveraging Garland’s visibility solution. The Garland solution allows users to know baseline traffic to continuously spot deviations from the norm. ExtraHop Reveal(x) can then scan SSH for any open ports that have left critical assets exposed, and investigate immediately if there's any suspicious activity.
Security teams can and should scan their environments to expose any open portals. But they should also pay attention to who is doing that scanning. Monitoring who is doing asset scanning can expose potentially unwanted intruders who are looking for access points to your environment. If you're seeing an increase in scans, that should tip you off to potentially malicious behavior since malware needs to scan before starting an attack. If you can account for an increase in scanning, that's great. But if it's suspicious, then dig deeper.
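The SSH baselining and scan-spotting described in the two paragraphs above, as an added example that is not part of the original post or of the Garland/ExtraHop products: it runs over constructed flow records (source, destination, destination port, day) of the kind a TAP-fed tool would export, flags SSH clients that never appeared in the baseline window, compares today's SSH connection count against the baseline, and lists hosts touching many distinct ports on one target.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for illustration only: (src_ip, dst_ip, dst_port, day).
# Baseline week: two known admin hosts reach the bastion 10.1.1.10 over SSH.
BASELINE_FLOWS = [("10.0.0.5", "10.1.1.10", 22, d) for d in range(1, 8)] + [
    ("10.0.0.7", "10.1.1.10", 22, d) for d in (1, 2, 4, 5, 7)
]
# Day 8: an address never seen before logs in, and one host sweeps many ports.
CURRENT_FLOWS = [
    ("10.0.0.5", "10.1.1.10", 22, 8),
    ("10.0.0.7", "10.1.1.10", 22, 8),
    ("203.0.113.9", "10.1.1.10", 22, 8),  # absent from the baseline
    ("203.0.113.9", "10.1.1.10", 22, 8),
] + [("10.0.0.42", "10.1.1.10", p, 8) for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389)]


def ssh_sources(flows):
    """Set of source IPs that opened a connection to TCP/22."""
    return {src for src, _dst, port, _day in flows if port == 22}


def new_ssh_sources(baseline, current):
    """SSH clients seen now that never appeared during the baseline window."""
    return sorted(ssh_sources(current) - ssh_sources(baseline))


def ssh_volume_deviation(baseline, current, z_threshold=2.0):
    """Today's SSH connection count and whether it deviates from the baseline per-day counts."""
    per_day = defaultdict(int)
    for _src, _dst, port, day in baseline:
        if port == 22:
            per_day[day] += 1
    counts = list(per_day.values())
    today = sum(1 for _src, _dst, port, _day in current if port == 22)
    mu, sigma = mean(counts), pstdev(counts)
    if sigma == 0:  # flat baseline: any increase counts as a deviation
        return today, today > mu
    return today, (today - mu) / sigma > z_threshold


def scanning_hosts(flows, port_threshold=10):
    """Sources touching many distinct ports on a single destination: scan-like behaviour."""
    ports = defaultdict(set)
    for src, dst, port, _day in flows:
        ports[(src, dst)].add(port)
    return sorted({src for (src, _dst), seen in ports.items() if len(seen) >= port_threshold})


if __name__ == "__main__":
    print("new SSH sources:", new_ssh_sources(BASELINE_FLOWS, CURRENT_FLOWS))
    print("SSH volume today, anomalous:", ssh_volume_deviation(BASELINE_FLOWS, CURRENT_FLOWS))
    print("scan-like hosts:", scanning_hosts(CURRENT_FLOWS))
```

Note that the port-sweeping host also shows up as a new SSH source, because it touched port 22 during its sweep; an analyst would want to see both findings together.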
Enabling a distributed workforce pressed IT teams to move quickly and make tradeoffs in order to ensure business continuity, but now it's time to go back and tidy up the mess. Without complete visibility across your (now distributed) network, problems like those outlined above have the potential to persist for a long time without detection.
Increased dwell time leaves bad actors with even more time to burrow into your infrastructure. The average dwell time for attacks remains around three months, meaning that the security implications of this new reality won't be known for some time to come. According to IDC, ExtraHop helps security teams to reduce dwell time by 60 percent, and the only way to ensure complete tool visibility is by implementing network TAPs.
With a cloud-native solution composed of the Garland virtual TAP and ExtraHop Reveal(x), organizations gain the perspective they need to secure their distributed business.
By taking advantage of the Garland "TAP to Tool" philosophy, ExtraHop Reveal(x) can apply advanced machine learning to all cloud and network traffic to provide complete visibility, real-time threat detection, and intelligent response across hybrid and multi-cloud environments. To see how to eliminate any blind spots from a (newly) distributed network, check out the ExtraHop and Garland solution.
Josh Snow is a Senior Engineer at ExtraHop with over 15 years' experience in network computing and security. He is passionate about helping others learn about security topics and has a popular YouTube channel where he shares insights and recommendations for securing against anything ranging from common misconfigurations to emerging threats.