Palo Alto Networks has released a new security module, ASM for Remote Workers. It integrates Cortex XDR and Cortex Xpanse to allow both IT and SOC teams to see the risks created by remote workers. Cortex XDR provides details of the endpoint, while Cortex Xpanse provides details of publicly accessible assets. The latter includes WiFi hotspots and the Internet-facing routers and devices in a remote workers home network.
Details of the new module and the challenges it addresses were released in a blog by Abhishek Anbazhagan. In the blog, he wrote: “The number of remote workers has skyrocketed over the past two years, and a larger percentage of workers being remote is the new normal. Unfortunately for IT professionals, this means more workers outside of the safety of the company network. Wherever your remote workers are—at home, a co-working space, or a coffee shop—can you be sure their devices are secure?
“What about your critical employees? Your VP of Finance working with sensitive financial information, or your teams working with critical customer information? Do you know if they are connecting using routers with known vulnerabilities? Do you dynamically alter their access controls using policies based on where they are working from or are they still under the same generous access policies as though they were on your office network?”
What does ASM for Remote Workers do?
Palo Alto Networks says that there are three key capabilities that ASM for Remote Workers delivers:
- Gathers endpoint data from Cortex XDR (only assets that have a public IP address and have been seen in the last 24 hours) to identify remote workforce devices associated with your organization. You will be able to see all the networks that your Cortex XDR devices are connected to.
- Combines Xpanse’s global scan data to identify risky issues and services running on the networks where your employees are located, giving you a complete picture of your remote workforce. Cortex XDR gives you internal insight into what’s running on those devices, while Xpanse gives you the external perspective and identifies what’s exposed to the internet.
- Remediates risky issues identified on remote networks—either directly on the device via Cortex XDR or via network configurations.
How will Palo Alto Networks customers use this?
There is a world of difference between doing network monitoring and doing remediation. At first glance, the capabilities of ASM for Remote Workers seems pretty comprehensive. However, think about remediation for a minute. Who will do this? How will it be done?
Public infrastructure
If the employee is regularly using public WiFi, there are questions about what level of scanning could occur. It seems a grey area to be scanning a network not owned by the company. If it finds a suspicious service, how will it contact the company running that network? Will it provide them with the details from the scan and a remediation option? How does such an action match up with the usage policies those networks provide?
Even more challenging for home networks
For home networks, there are even more challenges. Are employers going to offer to help employees secure their networks? If so, to what level? Will they send them a set of actionable steps they can follow? Some might follow them, most probably won’t.
What about taking control of the router? In some cases, this is possible, at least to a degree. For key workers, as described by Anbazhagan, a company could put in a private line for that individual to connect to the company network. In that case, it might also provide a router that it can manage. There is nothing new here. It is a capability that companies could have been doing for years, but few are interested in doing so.
What if the remote worker is not a senior executive or key worker? Will companies extend monitoring and support to them?
None of these points is answered in any of the product documentation or the blog. That is disappointing, although Palo Alto Networks will probably say implementation is not down to them. Is that a fair call? What about managed services? Will it then take the necessary steps or still leave that to the customer?
The documentation does give examples of critical vulnerabilities found in the home networks of remote workers. It says that for one company, it found open RDP servers, Telnet servers and unencrypted logins. While it then provides reasons why these are an issue, it doesn’t give remediation instructions.
Most users won’t know how to remediate RDP and Telnet. Additionally, most of the unencrypted logins are likely to come from IoT devices in the home. There is no guarantee these can be better protected.
Enterprise Times: What does this mean?
At one level, this is a good move. Anything that can reduce the risk from remote workers is to be welcomed. The intelligence gathered from this will be essential to understanding risk. It can also be used to define policies and deliver short training videos where appropriate.
At a more detailed level, there is much missing here. Palo Alto Networks says that ASM for Remote Workers “Remediates risky issues identified on remote networks.” What it seems to mean, at least from the product documentation, is that it will provide details of vulnerabilities. What is needed is the ability to generate quick action plans for employees to fix their home networks. Maybe that will come in a later version of the product.
