Branch Offices are More Than a Remote Risk to Network Security

by Oliver Tavakoli

Cyber attacks and data breaches are a constant concern for virtually every organization. Attackers compromise private data and systems of all types, often running their attacks patiently and methodically to avoid detection. They typically begin by infecting user machines and leveraging them as a foothold to get inside the network, where your crown jewels are stored.

Modern cyber attacks succeed by starting with small compromises against individual machines and expanding them into broad network-wide attacks. A single compromised machine gives an attacker a wealth of information and access that fuels the progression of the attack. The attacker can gain access to systems, applications and data in a manner that looks similar to valid user behavior, often starting small and undetected, only to eventually spread through the organization’s internal network.

Organizations know they must expand their security defenses to cover the entire network. Today, millions of dollars are pouring into new security solutions and methods to protect organizations from advanced threats. But smaller offices and remote branches are often left unsecured: they are easier to infiltrate, yet they offer a threat surface similar to that of the corporate headquarters network.

Any user from any location represents a potential entry point for attackers. As a result, hackers seek portions of the attack surface that are least protected. Remote sites can be these weak links. While remote offices, clinics, bank branches and retail locations are critical to business success, they often lack the same security protections found at the headquarters or data center locations.

Remote sites are ideal initial targets for sophisticated attackers. In addition to offering user credentials, remote sites often have remote access to critical systems. Compromises at remote sites can also enable social engineering attacks to infect users in other locations. The physically distributed nature of remote sites makes them harder to defend, but these sites and their users are just as valuable to a sophisticated attacker.

Unfortunately, operational and cost constraints make it highly impractical if not impossible to replicate an organization’s entire security stack at all locations. Protections with significant hardware dependencies – such as intrusion prevention systems and malware sandboxes – are expensive to deploy at every location. And capital costs aside, remote sites often lack onsite IT resources to install and maintain these systems.

Cybersecurity organizations today must extend threat protection all the way to key assets that attackers may breach. As detection technologies improve and offer more visibility, it’s important to consider security solutions that are affordable and practical to deploy and manage, especially for remote sites.

Capital and operating costs are an obvious consideration, and these concerns are compounded when applied to remote sites. To be practical, devices or sensors that provide visibility at remote sites must be lightweight and cost-effective. The total cost of ownership (TCO) of the entire solution should also be kept in focus: overly simplified sensor devices can shift work onto, and increase the load of, centralized security tools.

Another vital consideration is the network infrastructure at a remote site. It may be limited to a simple router, which makes it challenging to gain even the most basic visibility into local traffic and detect an attack at that site. To support these environments, solutions must meet several requirements. Since a remote site may or may not have Switched Port Analyzer (SPAN) or Test Access Point (TAP) infrastructure, it is critical that the sensor support inline deployment.

In the absence of more sophisticated networking infrastructure, an inline sensor is the only way to gain visibility into traffic. However, inline deployment introduces a potential point of failure, and any inline sensor must have a fail-open design to ensure the sensor never disrupts connectivity.

Remote sites will often have very limited or no onsite IT resources. Ideally, a solution must be truly plug-and-play and work straight out of the box. Any initial configuration or troubleshooting should be performed remotely without intervention from local staff.

Finally, once a security solution is installed at remote locations, it must have little or no impact on network throughput. If it generates too much overhead, it can slow down application performance. When evaluating sensors, consider the additional traffic each one may generate (for example, metadata sent back to a central analysis system) and ensure that it stays well within the capacity of the WAN links to the Internet and the corporate data center.

While it may seem like common sense to extend cybersecurity to all corners of an organization, issues like cost and local IT manpower have inhibited widespread protection of the attack surface. As a result, organizations should consider low-cost, plug-and-play, inline sensors that provide cybersecurity visibility at all locations in order to protect the crown jewels back at the corporate data center.

Oliver Tavakoli is the CTO at Vectra Networks.


WWPI – Covering the best in IT since 1980