As work-from-home policies persist for many enterprises amid the global pandemic – and may become permanent in the long run – the cyber threat landscape has become much more complicated. Current work arrangements are so far from the norm that a new threat has emerged: the "disrupted" employee. We are all familiar with the concept of a malicious employee actively trying to damage the company or exfiltrate data out of financial interest or revenge. Much more common is an employee who is fully compliant and follows your security policies as second nature.  

A disrupted employee is someone in between: trying to do their job right but with less secure means. He or she may face challenges in getting projects done due to no longer having access to the office's infrastructure or face-to-face interactions. Gone are the water cooler conversations or impromptu meetings in the hallways, as we rely on Zoom or WebEx calls to stay connected. Informal information exchanges are all but gone.  

Another challenge is the new home office, where spouses may be working remotely, often alongside their children attending school online. Home networks lack typical protections and bifurcations of the corporate office and may be prone to attacks using lateral movement techniques. In these scenarios, after gaining initial access through an insufficiently protected device, such as a family computer, attackers move deeper into a network, searching for other devices to compromise or obtain increased privileges. This continued probing could eventually lead to the exfiltration of sensitive corporate data or high-value intellectual property. 

Disrupted environments prone to sophisticated attacks 

To do our jobs, we may obtain information necessary for "situational awareness," lacking in newly remote workspaces. Bits and pieces of information – source code, marketing materials for a product launch, notes from a rebranding exercise, or business development activities – may end up on a computer of a disrupted employee. Having all this information in one place may not be even necessary for a successful attack: hackers are getting increasingly more adept at generating a composite of a company's proprietary data from disparate sources to make stealing it worth their while.  

Much of this activity is anomalous, such as accessing databases generally not part of one's knowledge domain or downloading software code for an unrelated product. But with the upheaval that went on in corporate networks as millions of workers suddenly relocated to home offices, these anomalies and lateral movements may be more challenging to trace and analyze. A few missed red flags may mean severe and unpredictable consequences down the road.  

The need for East-West visibility 

Firewalls are typically our go-to devices to detect and disable malicious North-South traffic (the traffic entering and exiting the network). But as networks evolve, more than fifty percent of the traffic in the data center, either physical or virtual, is now East-West (moving laterally from server to server). Security tools have not yet caught up with the need to inspect and analyze these movements to detect vulnerabilities and threats. 

Since modern-day networks include containerized applications in highly distributed and hybrid-cloud-based environments, gaining proper visibility has become increasingly difficult, especially with East-West traffic. Accurate East-West security analytics depend on packet data as the single source of truth, especially in virtualized environments lacking a firmly established network perimeter. Thus, pervasive visibility, a foundational requirement for cybersecurity, may be effort-intensive or costly to achieve, requiring new approaches or specialized tools. 

Better data for better analytics 

Packet data, when converted to smart metadata and actionable insights, helps pinpoint the source of data leaks or security disruptions impacting the network. Granular analytics deal with alert fatigue by directing security teams to the most critical or time-sensitive issues.  

Even if well-intentioned, a "disrupted employee" is still an insider threat, requiring a comprehensive approach of security controls, analytics, acceptable use policies, and education. Understanding a new baseline through analytics is the first and essential step in creating the proper controls and educational programs to help your employees securely accomplish their goals.