
IBM Security Trusteer for the remote workforce

An agentless solution to detect risks on personal devices

01

Got remote workers? Know the risks


As individuals shift to remote work, many are using personal devices to access work applications. While the bring your own device (BYOD) trend has its benefits, such as improved productivity and flexibility, it also introduces a host of security and compliance concerns. Personal devices are typically not protected and maintained to the same security level as the corporate environment, and often don’t meet the same compliance requirements.

An unsecured network, combined with an unmanaged device, can introduce several vulnerabilities that, if not identified early, can lead to a data breach or data theft.

The numbers are clear: 76% of organizations that have shifted to remote work expect that working from home could increase the time it takes to identify and contain a data breach.1 In addition, 70% of organizations said remote work could increase the cost of a data breach.

In another survey, researchers found that 53% of remote employees are using their personal laptops for work—often with no new tools to secure them, and 45% haven't received any new training.2 In fact, unmanaged devices are considered to be the top blind spot for data leakage.3

  • 90% of work-from-home employees said their computer is connected to their home network.2
  • 53% of remote workers are using their personal laptops for work, often with no new tools to secure them.2
  • 45% of remote workers haven’t received any new training.2

Now, more than ever, organizations must rethink their security strategy to ensure employees can work just as securely from home as they did in the office.

1 Cost of a Data Breach Report 2020, IBM Security, July 2020.
2 Work from Home Study Survey Results (PDF, 1.9 MB), Morning Consult and IBM Security, June 2020.
02

Invisible threats to your remote workforce


Is your organization at risk for compromised credentials? How would you know if or when your employees’ devices have been compromised? All it takes is accessing a malicious link or downloading a “harmless” file that looks like any other file that your employees are used to. Your security team needs real-time visibility into your employees’ devices with insights into vulnerable endpoints.

Compromised credentials occur when unauthorized users gain access using valid credentials that may have been phished, acquired or stolen. Devices are considered compromised when access comes from an unmanaged personal device that is infected with malware or shows other high-risk indicators, which malicious attackers can use to gain unauthorized access.

The types of attacks often associated with compromised credentials and compromised devices can be the start of advanced persistent threats (APTs), business email compromise, data breaches and more. Many of these attacks begin with employee account takeovers (ATOs), in which attackers use compromised credentials to gain unauthorized access to data or perform an unauthorized action on behalf of a legitimate employee. Traditional security tools can fail to detect such threats on an unmanaged personal device.


Compromised credentials
Malicious access using valid credentials that may have been phished, acquired, or otherwise stolen.


Compromised devices
Remote access using an unmanaged personal device that’s infected with malware or has other noncompliant or high-risk indicators.

Most organizations rely on a combination of security tools, including virtual private networks (VPNs), endpoint detection and response (EDR) and multi-factor authentication (MFA) to secure their users’ devices and endpoints.

VPNs are a good start but aren’t always foolproof. For example, with the outbreak of COVID-19, a large number of organizations required their employees to work from home, which led to a massive spike in VPN usage.1 To maintain network speed and connectivity, users often disconnect from the VPN, which can expose their devices to more risks. In fact, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that more VPN-related vulnerabilities are being found and targeted by attackers.2

In its latest report, Designing Security for Remote-Work-First Enterprises, Gartner echoed a similar sentiment. According to the report, a VPN isn’t enough. Security leaders should avoid forklifting existing technology as scale and time horizons can change everything.3 The Gartner report recommends security leaders beware of the remote access products that are appealing today because they might not remain relevant as enterprise-scale remote work practices could transform the future of enterprises’ application architectures.3

“When building remote connectivity, common mistakes include forcing all employees to use a VPN full tunnel, whatever their business requirements might be; or to overlook a segment of the communication, such as the outbound traffic coming from the enterprise’s application (e.g., leveraging third-party APIs) or unmanaged local network of the client.”
— Gartner

Using EDRs can be effective in increasing endpoint security. EDRs are designed to monitor endpoints and to detect and respond to suspicious activity. However, relying on EDRs alone may not be enough for a growing enterprise. For example, many EDR tools require organizations to install an agent to collect data on user activity. While this approach adds a layer of security, it also means that each monitored system must be managed. Given the proliferation of devices, including smartphones and tablets, and the massive surge in remote workers, there could be thousands of alerts to monitor and manage every day—creating more problems for already stretched security teams.4 What’s worse, some EDR tools may not work on unsupported operating systems.

“Stolen or compromised credentials were the most expensive cause of malicious data breaches in 2020.” 5

The 2020 Cost of a Data Breach Report found that stolen or compromised credentials were the most expensive cause of malicious data breaches in 2020.5 The report also found that malicious attacks were the most common cause of security breaches at 52%, followed by system glitches at 25% and human error at 23%.

Using MFA, which combines passwords with other identity verification measures, can help security teams prevent unauthorized access to protected accounts. However, MFA has its limitations as well. For example, if an attacker already holds valid credentials, relying on a second authentication prompt to verify the user’s identity can still leave the account at risk. Also, a user may have unwittingly downloaded malware onto the device, which poses a security risk for the next login attempt.

In summary, deploying security tools without a comprehensive security strategy may increase security risks for your organization. Having a robust BYOD security policy — one that can protect every facet of your data and network — is crucial to maintaining your organization’s security profile.

2 CISA Alert (AA20-073A): Enterprise VPN Security, Cybersecurity & Infrastructure Security Agency, 13 March 2020.
4 56% of Large Companies Handle 1,000+ Security Alerts Each Day, Information Week IT Network, 9 July 2020.
5 Cost of a Data Breach Report 2020, IBM Security, July 2020.
03

Make the invisible visible


According to Gartner, through 2021, more than half of companies will convert and extend their ad hoc crisis remote workforce tools and processes to a long-term strategy without updating the relevant security controls. For a remote-work-first enterprise to be successful, security leaders should address security posture gaps for all the remote work use cases by building tailored security profiles, the Gartner report recommends.1

It could help to take a step back and ask these questions:

  • What’s my organization’s remote security posture today?
  • How can I prepare for the future?

“Refrain from approaching distributed security with a ‘one-size-fits-all’ plan. Prepare for multiple security profiles and architectural approaches.” 1
— Gartner

While VPNs, EDRs and MFA can be effective tools in your security arsenal, they’re not enough to withstand advanced threats and targeted attacks. Your organization needs a more flexible and scalable remote workforce security solution that can support your employees, wherever they choose to work.

The IBM Security™ Trusteer® remote workforce solution is designed to help security teams quickly detect and alert on compromised credentials and infected devices that attempt to access an organization’s data. As an agentless offering, the solution doesn’t require installation on a device, which makes it faster to adopt and manage. It frees organizations from the hassle of managing and collecting data from personal devices to instead focus on improving the overall user experience.

Key benefits of the IBM Security Trusteer remote workforce solution:

  • An agentless solution that doesn’t require installation on the device.
  • A software-as-a-service (SaaS) offering that can be deployed digitally.
  • Faster time to value. The solution can be up and running within hours.
  • Real-time threat detection with immediate visibility to risky access attempts from remote employees using a managed or unmanaged device.
  • Automated response to highly accurate alerts by integrating with the IBM Security QRadar® Security Information and Event Management (SIEM) solution.

The Trusteer remote workforce solution is integrated with the IBM Security QRadar SIEM solution for consolidated visibility, detection, investigation and response to threats from across the enterprise. The QRadar solution is designed to automatically identify and analyze threats earlier in the kill chain, providing security teams with prioritized, actionable intelligence to accelerate response. The QRadar solution can ingest Trusteer alerts, as well as logs from several sources, including firewalls, identity and access management solutions and Microsoft Office 365, to quickly detect malicious devices or compromised credentials.

When an alert is sent from the Trusteer remote workforce solution, an automated response is immediately triggered in QRadar, such as routing the alert for further investigation or even blocking the account. Security teams can then examine the activity from their QRadar dashboards and drill down into specific logs and events to evaluate the alert.

[Screenshot: Trusteer alerts displayed in the QRadar SIEM solution dashboard]
[Screenshot: The QRadar User Behavior Analytics (UBA) dashboard]

To assess risk, the Trusteer solution evaluates hundreds of signals from a wide variety of sources, including:

  • Device identification
  • Session information
  • User behavioral analysis
  • User history
  • Geographic location
  • Suspicious evidence

Together, IBM Security Trusteer and IBM Security QRadar SIEM offer an end-to-end solution to protect the remote workforce, detecting and exposing both the risk and noncompliance of unmanaged personal devices and unauthorized access using compromised credentials.

By providing visibility into the context and associated risk of each access attempt, the Trusteer remote workforce solution can help your organization on the path to a zero trust approach. Zero trust requires the ability to monitor the behavior of all users, including remote employees, and of all resources and data connecting with your business.

Here are two scenarios that explain the invisible threats to your organization’s security and how you can quickly detect them with the help of the Trusteer remote workforce solution.

Scenario 1: Detect compromised credentials

A cybercriminal initiates a phishing campaign and waits for an organization’s employee to fall for the trap. The employee is lured into submitting his or her credentials on the phishing site. As soon as the employee submits the credentials, the cybercriminal activates a VPN to disguise the source IP address and manipulates the browser to mimic the employee’s device. Using the stolen credentials, the attacker easily passes authentication to the email account and other sensitive web applications available from the corporate dashboard.

As part of the company’s security policy, a two-factor authentication challenge is triggered. The cybercriminal gets the one-time password from the phishing site, completes the challenge, and successfully logs in.

The Trusteer agentless solution immediately detects that the employee wasn’t the person who accessed the system and generates an alert. The solution seamlessly collects hundreds of signals from the web session, building a full digital identity context using machine learning (ML) and advanced analytics. Detection also covers velocity patterns, session and device manipulation, malicious use of a VPN or other tools that disguise the session, as well as checking whether any of the suspicious evidence is already known.

Scenario 2: Identify and expose risks on compromised devices

The employee is working from home and using a personal device to share a file. The employee logs into the corporate dashboard to access the file storage. Unknown to the employee, the device is infected with malware. Since it’s a personal device, it’s unmanaged and the company has zero visibility into what’s happening on the device.

As part of the company’s security policy, a two-factor authentication challenge is triggered. The employee successfully logs in. The Trusteer agentless solution immediately detects a malware infection and generates an alert to the security operations center (SOC). Trusteer collects hundreds of signals from the web session, analyzes them using ML and generates alerts only on high-risk incidents without the need to install any agent on the device.

The alert from the Trusteer platform contains all the details to take immediate action: the source, severity, offense classification, risk indication, the malware detected, and whether the attack was active during the session.

The Trusteer solution evaluates hundreds of signals, including device identification, session manipulation, virtual deceiving tools, location and behavior analysis, and alerts security teams to high-risk access.
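A simplified illustration of the signal-based risk evaluation and alert routing described in the signal list, the QRadar response paragraph and the two scenarios above. This is a constructed example added here; it is not Trusteer’s model, its signal weights or its alert format, and the Session, UserHistory and evaluate names are assumptions. It scores deviations from a user’s baseline (device, location, session, history) and reports device compromise separately, because a passed OTP says nothing about the device’s health.

```python
from dataclasses import dataclass

@dataclass
class Session:                 # signals collected from one web session (assumed shape)
    user: str
    device_id: str             # device fingerprint seen this session
    ip_is_vpn: bool            # anonymising VPN/proxy exit detected
    country: str
    hour_utc: int
    malware_active: bool       # malware evidence observed during the session
    otp_passed: bool           # recorded, but never lowers the risk (scenario 1)

@dataclass
class UserHistory:             # baseline built from the user's past sessions
    known_devices: set
    usual_countries: set
    usual_hours: range

def evaluate(s: Session, h: UserHistory) -> dict:
    """Score deviations from the user's baseline and return an alert record
    with the fields a SOC needs to route it: source, offense, severity, action."""
    score, evidence = 0, []
    if s.device_id not in h.known_devices:
        score += 30; evidence.append("unknown device")
    if s.ip_is_vpn:
        score += 20; evidence.append("vpn/proxy exit")
    if s.country not in h.usual_countries:
        score += 30; evidence.append("unusual country")
    if s.hour_utc not in h.usual_hours:
        score += 10; evidence.append("unusual hour")
    alert = {"source": s.user, "evidence": evidence}
    if s.malware_active:
        # Device compromise is reported regardless of the score: the employee
        # legitimately passed the OTP, but the device itself is infected (scenario 2).
        alert.update(offense="compromised device", severity="high", action="block")
    elif score >= 60:
        alert.update(offense="compromised credentials", severity="high", action="block")
    elif score >= 30:
        alert.update(offense="suspicious access", severity="medium", action="investigate")
    else:
        alert.update(offense=None, severity="low", action="allow")
    return alert

# Constructed sample data for the two scenarios on the page (illustrative values only).
HISTORY = UserHistory({"dev-a1"}, {"US"}, range(8, 19))
SCENARIO_1 = Session("alice", "dev-x9", True, "ZZ", 14, False, True)   # phished credentials
SCENARIO_2 = Session("alice", "dev-a1", False, "US", 10, True, True)   # infected personal device
NORMAL = Session("alice", "dev-a1", False, "US", 11, False, True)      # baseline session
```

In scenario 1 the attacker passes MFA, yet the unknown device, VPN exit and unusual country push the score past the block threshold; in scenario 2 the score is zero but the active-malware evidence alone raises a compromised-device alert.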

About IBM Security
IBM Security works with you to help protect your business with an advanced and integrated portfolio of enterprise security products and services, infused with AI, that modernize your security strategy according to zero trust principles, helping you thrive in the face of uncertainty. By aligning your security strategy to your business; integrating solutions designed to protect your digital users, assets, and data; and deploying technology to manage your defenses, we help you to manage and govern risk and grow with a modern open approach that supports today’s hybrid cloud environments. To learn more, visit ibm.com/security.