By Mazen A. Dohaji, Vice President, India, Middle East, Turkey & Africa (iMETA), LogRhythm.
Throughout 2020, enterprises and public sector organizations across the Middle East have been managing disruption and finding new ways to work. The challenge as we begin 2021 is to not just survive but thrive in this new business environment. That requires adopting new tools and creating a secure foundation that keeps users connected and moving forward.
While many organizations have experienced lockdowns and quarantines throughout 2020, security and infrastructure teams are looking at how to provide flexible working while maintaining their cybersecurity posture. Users have shifted to a diverse and changeable working environment while cyberattacks in the Middle East have surged.
The UAE saw cyberattacks increase from 43,000 in April 2020 to peaks of 120,000 in July and 123,000 in August, according to the UAE’s Telecommunications Regulatory Authority (TRA). Between April and August, there was a 186% increase in cyberattacks in the country, which tracks closely with lockdown restrictions. Organizations have to be prepared for further uncertainty in 2021 and take action to manage their risk in the long term. What they can be certain of is that cyberattacks will continue to be a pain point and have the potential to spike again in 2021.
Work from Anywhere
Security Operations Center (SOC) teams should be reviewing and reflecting on 2020 and thinking about how they will support dynamic working environments that aren’t just working from home or in the office but look more like “work from anywhere” scenarios. Most organizations have evolved tremendously over the last 12 months and SOC teams need to stay in tune with current operational norms and the expectations of both users and business managers. SOC teams should question the state of play for their organization in 2021 and ask whether the business is prepared for a new, dynamic and fluid working environment. They should ask themselves:
- What did we learn about our systems and processes throughout 2020?
- What changes do we need to make to optimize our approach to security in the new year?
- How do we secure a workforce that is fluid and moving between remote and on-premises?
- Are our security controls and infrastructure built for this, or are we taking on additional risk?
- What is the state of play for security visibility in this flexible environment?
- How prepared are we to change and adapt in case we are ready to come back to a fully office-based operation by the summer?
- What do our users want? How can we enable their success?
- Where do we start with so much uncertainty?
Based on their responses, they should take action to ensure that their security posture matches the organization’s requirements and ensure it is ready to flex and adapt as needed. There are a few basic steps all organizations in the Middle East should be evaluating and prioritizing.
The first step for SOC teams across the Middle East should be to reinforce best practices within their organizations and spend time educating users about policies, guidelines and best practices. Internal communications to users drive awareness and understanding of security risks; both the communications and the accompanying training should be stepped up. If training took place only at the beginning of the pandemic, organizations should be revisiting it in 2021.
Whether it is in the private or public sector, user-based threats, like compromised accounts, increase risk and exposure across organizations. Human nature is still a primary vulnerability in an already complex threat landscape.
Endpoint is the Bottom Line
SOC teams need new levels of visibility that are built to serve both remote and office-based working. They should be focused on the collection and correlation of endpoint, VPN and other pertinent infrastructure data like employees connecting back into the corporate network, identity and access management, as well as monitoring collaboration technologies like Office 365, Teams, Zoom, and Slack. It is about gaining visibility and control over the users’ ICT ecosystem and understanding where to, from, and how employees are authenticating and accessing data and applications.
When an intrusion is suspected, they need to be able to qualify the threat and assess its potential impact. They can only do that if they have captured a wide variety of activity occurring on their endpoints and servers in real-time. Every organization should be able to search rich forensic data to understand when and how the incident occurred, and then contain the compromise with an endpoint lockdown.
While automating everything might not be possible today, SOC teams should be exploring automating as many processes as possible. They are capturing massive amounts of data, which has made automating security processes a necessity. Automation reduces the scope for human error and ensures that consistent decisions can be made at speed. SOC automation tools reduce an organization’s time to qualify (TTQ) and mean time to respond (MTTR) to a security threat. TTQ refers to the average time it takes to determine whether an alert is benign or should be considered a threat that requires investigation; MTTR measures the time from detection to containment. Research by the Ponemon Institute found that it took organizations an average of 280 days to identify and contain a data breach in 2020.
For most private and public sector organizations, that “wait time” is way too long. In a risky and uncertain time, they can’t wait for a human to perform an action that could be executed by a Security Information and Event Management (SIEM) solution with Security Orchestration, Automation and Response (SOAR) capabilities.
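The visibility and automation described above (correlating identity, VPN and endpoint data, qualifying a suspected intrusion, and measuring TTQ) can be shown in a small correlation rule. The following is an added example written for this article, not LogRhythm code or any product's logic; the log events, usernames, IP addresses, field names and the TTQ convention are all assumptions constructed for the illustration. It flags a user whose identity provider (IdP) shows two successful logins from different countries within an hour, then corroborates with VPN and endpoint events before deciding whether the case needs a human.

```python
"""Correlate IdP, VPN and endpoint events to qualify a suspected account compromise.

Added example for this article; the events below are constructed, not real logs.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events (assumed field names; not from any real product).
EVENTS = [
    {"ts": "2021-01-11T08:02:10Z", "source": "idp", "user": "alice", "event": "login",
     "result": "success", "mfa": True, "ip": "185.93.0.10", "country": "AE"},
    {"ts": "2021-01-11T08:03:00Z", "source": "vpn", "user": "alice", "event": "connect",
     "ip": "185.93.0.10", "country": "AE"},
    {"ts": "2021-01-11T08:40:00Z", "source": "idp", "user": "alice", "event": "login",
     "result": "success", "mfa": False, "ip": "203.0.113.77", "country": "RO"},
    {"ts": "2021-01-11T08:41:30Z", "source": "vpn", "user": "alice", "event": "connect",
     "ip": "203.0.113.77", "country": "RO"},
    {"ts": "2021-01-11T08:45:00Z", "source": "endpoint", "host": "LAPTOP-ALICE", "user": "alice",
     "event": "process_start", "image": "powershell.exe", "cmdline": "-nop -w hidden -enc SQBFAFgA"},
    {"ts": "2021-01-11T09:00:00Z", "source": "idp", "user": "bob", "event": "login",
     "result": "success", "mfa": True, "ip": "94.200.1.5", "country": "AE"},
    {"ts": "2021-01-11T09:30:00Z", "source": "vpn", "user": "bob", "event": "connect",
     "ip": "94.200.1.5", "country": "AE"},
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def idp_logins(events, user):
    """Successful IdP logins for one user, oldest first."""
    return sorted(
        (e for e in events if e["source"] == "idp" and e["user"] == user and e["result"] == "success"),
        key=lambda e: parse_ts(e["ts"]),
    )


def impossible_travel(logins, window=timedelta(minutes=60)):
    """Return the (earlier, later) login pair from different countries inside the window, else None."""
    for prev, cur in zip(logins, logins[1:]):
        if prev["country"] != cur["country"] and parse_ts(cur["ts"]) - parse_ts(prev["ts"]) <= window:
            return prev, cur
    return None


def corroborate(events, user, login, lookahead=timedelta(minutes=30)):
    """Gather VPN and endpoint evidence that the anomalous login actually reached the network.

    Returns the indicator list and the timestamp of the last event that contributed to it.
    """
    start = parse_ts(login["ts"])
    indicators = []
    last_seen = start
    if not login["mfa"]:
        indicators.append("mfa_not_satisfied")
    for e in events:
        t = parse_ts(e["ts"])
        if e.get("user") != user or not (start <= t <= start + lookahead):
            continue
        if e["source"] == "vpn" and e["ip"] == login["ip"]:
            indicators.append("vpn_session_from_anomalous_ip")
            last_seen = max(last_seen, t)
        if e["source"] == "endpoint" and e["event"] == "process_start" and "-enc" in e["cmdline"]:
            indicators.append("encoded_powershell_on_endpoint")
            last_seen = max(last_seen, t)
    return indicators, last_seen


def qualify(events, user):
    """Decide benign / monitor / investigate for a user and report the time to qualify."""
    pair = impossible_travel(idp_logins(events, user))
    if pair is None:
        return {"user": user, "verdict": "benign", "indicators": [], "ttq_minutes": 0.0, "actions": []}
    prev, cur = pair
    indicators, qualified_at = corroborate(events, user, cur)
    indicators.insert(0, f"impossible_travel:{prev['country']}->{cur['country']}")
    # Assumption: in a streaming pipeline the case is qualified the moment the last
    # corroborating event arrives, so TTQ runs from the anomalous login to that event.
    ttq = (qualified_at - parse_ts(cur["ts"])).total_seconds() / 60
    verdict = "investigate" if len(indicators) >= 2 else "monitor"
    # Hypothetical SOAR playbook actions; names are illustrative only.
    actions = ["revoke_sessions", "isolate_endpoint"] if verdict == "investigate" else []
    return {"user": user, "verdict": verdict, "indicators": indicators, "ttq_minutes": ttq, "actions": actions}


if __name__ == "__main__":
    for u in ("alice", "bob"):
        print(qualify(EVENTS, u))
```

Two details matter for a real deployment: the impossible-travel window should be tuned per organization (VPN exit nodes and mobile carriers shift geolocation), and the endpoint check here is a single crude signal; in practice it would be replaced by the endpoint agent's own detections. The point is that a verdict is reached the moment the corroborating data lands, without waiting for an analyst to pull three consoles together.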
Reinventing the Wheel
When it comes to visibility and automation, there’s no reason to reinvent the wheel. SOC teams don’t have to develop all of this themselves. Instead, they should look for one-click, out-of-the-box automation solutions that help them meet local compliance requirements and quickly deliver for their organizations.
In markets like the Kingdom of Saudi Arabia, predefined reports and use cases can be made immediately available to organizations so they can meet local cybersecurity controls. This can be a way to quickly enhance an organization’s security posture while being able to demonstrate compliance.
It also increases cost-efficiencies and enables local organizations to bridge skills gaps in the Middle East and benefit from both local and global expertise. Pre-defined use cases and reports can make it simpler and easier to deploy and enhance security in 2021.
2021 and Beyond
Rapid digitalization across the private and public sectors in the Middle East is only going to continue in 2021. The digital transformation and flexible working boom that started in 2020 will accelerate. This means that cybersecurity has to continually evolve to match the needs of rapidly changing ICT ecosystems. Adaptability and agility are critical and that starts with a secure foundation. Throughout 2021, SOC teams should review, reflect and adapt as their operational environment continues to change and unexpected events influence the threat landscape.
About the Author
Mazen A. Dohaji has worked for LogRhythm for more than 6 years, where he started as Senior Regional Director for India, Middle East, Turkey & Africa (IMETA) and is now Vice President for IMETA. He has 26 years of IT industry experience in the Middle East region and more than 3 years in the SIEM space. Mazen is driven by market challenges and has extensive knowledge of the Middle Eastern security market. This has led him to be a trusted advisor for major government entities and large enterprises across the region. He has also won “Top Performer” awards at multiple multinational organizations including Informix (later acquired by IBM), HP, and McAfee.