I have been working in cybersecurity for 25+ years and for the past five years in multifamily IT environments. I have learned about the typical scenarios in multifamily property management:

(1)   numerous remote users (even before COVID!),

(2)   heavy reliance on cloud and Software-as-a-Service (SaaS) – from providers such as Yardi, RealPage, Entrata, and ResMan, and

(3)   often a sense that those SaaS providers are “taking care of security for me.”

But only after a firm is called in to do Digital Forensics and Incident Response (DFIR) cleanup on a company hit with ransomware, do they realize they have a lot more IT infrastructure than just the data hosted by those online providers. And often, these companies have zero detection or incident response capability. So, when that attack comes, it is devastating, and they run around with their hair on fire because they were unprepared.

The goal of this blog post is to provide multifamily IT leadership with the best practices needed to be proactive and succeed in the cybersecurity “game.”

I call it a game, because in some ways it is. There is a playbook that attackers usually use, and our goal is to stop them as early as possible before their intrusion becomes an expensive breach, causing loss of important data, productivity, and money.

But let’s start with the data: where is it? The important and valuable data of a company includes personally identifiable information (PII) of clients and employees, sensitive financial information, and intellectual property. Often times, we find that companies may not even know where their critical data is, because they have these hybrid environments that have come together over time, acquisitions, and rapid growth. They may have some data on a server in a closet at the headquarters, other data in a data center (and perhaps a disaster recovery site), some in regional offices, some in the cloud (let’s not forget how much data is in email – say, in Google Workspace (formerly G-Suite) or Microsoft Office 365), and some residing with those major multifamily SaaS providers mentioned above.

Just being able to discover that data, classify it by its type, and control its access and dissemination is a challenge. There are tools to help with that. 

My second question: is all of this data under centralized IT visibility and control? The answer, for most organizations, is no. Often times, we see that human resources manages the HR portal, finance manages the payroll portal, PR manages social media, etc. Does account provisioning, identification and authentication, audit logging, etc. fall under IT visibility and control? Often not. So, that means that these systems are being managed by security “amateurs” and are subject to attacks – such a phishing and social engineering.

An example: we were called in to do DFIR for a company whose HR director had been phished (sent an email redirecting her to a fake website that stole her login credentials). The attackers then created new payroll employees that received direct deposit payments into bank accounts, which were, in turn, wire transferred overseas to countries with which the US has no legal reciprocity. These transactions weren’t noticed for two weeks, by which time the possibility of doing a financial “kill chain” had passed (the window is only 72 hours). The company was out around $450,000 with no means for recovery.

What were the failures in this case?

(1)   Lack of training for the employee to avoid being a phishing victim.

(2)   Lack of monitoring to see if the employee was phished – i.e., through certain technologies, we can see in real-time when someone is redirected to a fake site and enters their login credentials.

(3)   Lack of checks & controls on the account creation and provisioning process – i.e., how were the new payroll accounts created without having a third-party approve them?

(4)   Lack of monitoring for privileged use – i.e., when creating a new account, someone should be watching and be aware of this, especially if it involves transfer of funds.

There were probably other failures as well, but we could easily have addressed several of those through continuous monitoring.

Having a Security Information and Event Management (SIEM) and eyes-on-glass continuous monitoring 24/7/365 is the most important security solution any company can have.

For the uninitiated, SIEM is a powerful tool that allows us to see and correlate both network and host-based events. SIEM analyzes all traffic traversing corporate firewalls, as well as events from the network infrastructure (routers, switches, VPN concentrators, etc.), servers (domain controllers, databases, files, etc.), endpoints (workstations, laptops, mobile, etc.), and cloud (SaaS applications, access control (Okta, Duo, etc.), Microsoft 365, Azure, AWS, etc.). It has more than 30,000 pre-built rules to detect indicators of compromise (IOCs) and has a continuously updated threat feed.  Security Operations Center (SOC) analysts watching the SIEM will immediately see if anything anomalous is happening and initiate an incident response.

Security policies, vulnerability scanning, firewalls, endpoint protection, training for employees, penetration testing, etc. – these are all vitally important and part of a comprehensive cybersecurity program – however, none of these can tell you, right now, if an intruder is inside your environment. That’s why having SIEM/SOC capabilities in place is so critically important.

We will do everything possible to prevent cyber-attacks, but the new normal is assumption of breach. That is, we assume that an attacker is already insider our network with the potential to do harm. How well I can detect, limit, and contain that attacker is really the measure of my cybersecurity readiness.

Also, if you are completely putting your trust in those large SaaS providers with no additional checks & balances of your own, you are definitely at risk. Let’s take the recent SolarWinds breach as an example. SolarWinds is a network health and status monitoring tool used by 30,000 companies. An Advanced Persistent Threat (APT) – i.e., likely a nation-state backed group – attacked the software build process of SolarWinds itself to embed a Trojan Horse in SolarWinds Orion software updates, thereby enabling them to create covert channels and steal data from SolarWinds customers. The software was “signed” (i.e., cryptographically “guaranteed” by SolarWinds) and assumed to be trusted – but unfortunately it could not be.

Again, the only solution to this issue was to have continuous monitoring in place. Because even if you thought you had trusted software in your environment, if it started doing “naughty” things, you could detect and contain these.

The image below represents the MITRE ATT&CK Framework, which is a study of our adversaries’ tool, techniques, and practices. We have learned over time that all of these attackers follow a basic pattern of surveillance, gaining a foothold (through phishing, remote access misconfiguration, or other vulnerable services that are public-facing to the Internet), pivoting into other systems, escalating privileges, establishing external command & control, stealing data, encrypting files, charging a ransom, etc. If through SIEM/SOC/Continuous monitoring, we can detect any of these activities, then we can stop the incident before it becomes a critical breach resulting in financial loss, reputation hit, and so forth.

To conclude, I will mention this: having the SIEM/SOC/Continuous monitoring and incident response capability could be daunting and expensive.

For example, say a mid-sized enterprise were to run its own security operations center internally, it would (minimally) need the following:

·      SIEM solution at $36,000

·      Additional monitoring infrastructure (servers, cloud, VMs, monitors, etc.) at $20,000.

·      SOC Manager - $100,000 annual salary

·      SOC Analysts - 3 (1 per shift) x $60,000 annual = $180,000

TOTAL: $336,000 annual

Note: These are very conservative estimates. You would also need to outlay $56K of capital at the outset… and we’ll assume your analysts never get any vacation time. ☺

On the other hand, you can hire an outsourced provider to do this service at roughly $10K per month, which is about one-third the price of running your own SOC.