VPN Won’t Keep You Safe Without a Strong SIEM By Its Side

Virtual Private Networks (VPN) have been with us for over twenty years. A VPN implements a secure channel that lets remote employees send data to and receive data from their organization’s network more safely, which is particularly relevant for working from home (WFH).

However, remote working is facing a watershed moment: COVID-19 drove millions to WFH, and a recent Gartner CFO survey revealed that 74% of companies intend to shift some employees to remote work permanently after the end of the pandemic.

As WFH becomes the new normal, cyber-criminals are focusing their efforts on penetrating VPNs, and many are successful. U.S. government agencies issued a warning back in March on the risk of VPNs being hacked and urged organizations to tighten security measures. It was reported that a hacked VPN likely started the Mitsubishi Electric attack, and an unpatched Pulse Secure VPN server was reported to have helped facilitate an attack on the UK National Grid electricity system.

Once an attacker has penetrated through VPN and entered the organization’s network, they can explore the network and services, and look for system weaknesses, misconfigurations, and vulnerabilities. The consequences can be disastrous for the organization, and include manipulation of data, interruption or even destruction of systems and more.

There are basic steps all organizations should take to strengthen their VPN. These include enforcing strong password policies (complexity, uniqueness, and periodic change), enforcing role-based access control, meaning limiting permissions to resources by group (e.g. marketing doesn’t need access to R&D resources and vice versa), and requiring multi-factor authentication for privileged users and for access to sensitive assets.

These steps are important, but they are not enough to protect networks from sophisticated cyber attackers. The key to securing your organization is a sophisticated Security Information and Event Management (SIEM) platform. SIEM is the tool that is tasked with correlating the data and information from all the organization’s security tools – including the VPN.

To be effective against VPN hacks, SIEMs must break the siloed approach to cybersecurity. SIEMs, by definition, store huge amounts of data. A truly effective SIEM will use the power of the data to transform raw event logs into meaningful insights, and implement automatic correlation to weed out the truly high-risk events from the noise.

Let me give you an example. If my colleague John, who’s in the Boston office, connects to the VPN from Boston, and then one hour later from Orlando, the SIEM should be “smart” enough to identify that this is an impossibility and flag it as suspicious behavior.

Other examples that should raise alerts include a connection from an unfamiliar device, an unusual location and more. Even if logs are received from different sources, such as a VPN and a cloud service, an effective SIEM will enrich them with entity and location information, connect the dots and detect the anomalous behavior.

Furthermore, a sophisticated attacker doesn’t walk one straight path; rather, he will try to connect into the network simultaneously through different routes. This type of “redundant access” means that even if he is blocked on one route, he’ll get in through the back door. The expectation is that an intelligent SIEM will proactively look for such related activities and raise the risk level accordingly.
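Detection logic for the three situations just described (the Boston-to-Orlando impossible travel, a login from an unfamiliar device, and two sessions at the same moment from distant places), as an added example that is not the author's or empow's code. The log fields, the geo-IP coordinates attached to each login, the 900 km/h speed threshold and the per-user device baseline are all assumptions; the log entries are constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

class VpnLogin(NamedTuple):
    ts: str      # ISO-8601 timestamp taken from the VPN log (assumed format)
    user: str
    city: str    # assumed: geo-IP enrichment already added by the SIEM
    lat: float
    lon: float
    device: str  # device identifier reported by the VPN client (assumed field)

# Constructed sample events, not real log data.
SAMPLE_LOGINS = [
    VpnLogin("2020-06-01T09:00:00", "john", "Boston", 42.36, -71.06, "laptop-01"),
    VpnLogin("2020-06-01T10:00:00", "john", "Orlando", 28.54, -81.38, "laptop-01"),
    VpnLogin("2020-06-01T09:30:00", "alice", "Boston", 42.36, -71.06, "laptop-07"),
    VpnLogin("2020-06-01T17:30:00", "alice", "New York", 40.71, -74.01, "laptop-07"),
    VpnLogin("2020-06-02T09:00:00", "alice", "Boston", 42.36, -71.06, "tablet-99"),
]
KNOWN_DEVICES = {"john": {"laptop-01"}, "alice": {"laptop-07"}}  # assumed baseline
MAX_SPEED_KMH = 900.0  # assumed threshold: roughly the speed of an airliner

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins by one user that would need travel faster than the threshold."""
    alerts, last = [], {}
    for ev in sorted(logins, key=lambda e: e.ts):   # ISO timestamps sort chronologically
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (datetime.fromisoformat(ev.ts) - datetime.fromisoformat(prev.ts)).total_seconds() / 3600
            # Two logins at the same instant from places >1 km apart are concurrent sessions: infinite speed.
            speed = float("inf") if hours == 0 and km > 1 else (km / hours if hours else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": ev.user, "from": prev.city, "to": ev.city, "speed_kmh": speed})
        last[ev.user] = ev
    return alerts

def unfamiliar_device(logins, known=KNOWN_DEVICES):
    """Flag logins from a device that is not in the user's baseline."""
    return [{"user": ev.user, "device": ev.device} for ev in logins if ev.device not in known.get(ev.user, set())]
```

Run on the sample, `impossible_travel` returns only John's Boston-to-Orlando hop (about 1,800 km in one hour), while Alice's Boston-to-New York commute passes and only her unknown tablet is flagged by `unfamiliar_device`.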

A VPN is a better-protected channel for data transfer, but it is far from foolproof. Like other security tools – from firewalls to endpoint security and everything in between – it can only really protect the organization if it feeds into an advanced SIEM that is able to correlate the data from the different sources, analyze it intelligently and quickly to identify attacks, flag them and stop them in their tracks.


Sivan Omer, today Product Manager at cybersecurity SIEM startup empow, joined the company almost five years ago, while still in her junior year of college studying Industrial Engineering at Israel's Shenkar College of Engineering, Design and Art. One of the company's first dozen employees, as it has grown Sivan has advanced from a part-time administrative role, to QA Engineer and, in the past two years, Product Manager, and an influential voice in the empow team.
