Anyone else run into this issue? Any ideas?
We have a couple client end-users using privacy VPNs (ProtonVPN, ExpressVPN, Nord) which are triggering SOC alerts for anomalous travel or logins outside the US, etc.
I am aware of the concerns about allowing a client to install apps, BYOD devices, etc., but wondering if you have dealt with it.
We simply don’t support it, and are clear that using them when logging in can risk account lockdown that requires support to unlock and a password reset.
It usually only happens once and while support is helping them, they also offer to help uninstall the VPN software. The inconvenience it causes is usually enough.
Nah our SOC doesn’t have issues with this. If it’s not an approved country they aren’t allowed. Then they will use history to determine if a user is known to use specific VPNs and from specific regions typically.
We block authentications by using this method. MS maintains a DB of VPN service IPs. - Blocking sign-ins from Tor & other anonymous proxies in Microsoft 365 (linkedin.com)
Look at something like Timus. If they need SASE security, then why not provide it for them? They get a static IP for the SMB, and you control the ruleset and where the gateway resides. It seems like a business opportunity, and once sold, it negates the other challenge!
I would blacklist them. There is no reason to use something like NordVPN on a company laptop.
Otherwise, these are self-inflicted by the user. Charge the client time and expense for these events.
Every one of those products is a significant risk. I appreciate customers are difficult about these things, at which point the answer is “thank you for opting out of security, we’ll keep this recorded”.
We don’t allow end users to install software on their machines.
Yes. We uninstall those and slap the user upside the head.
I’ve seen this with employees logging into M365 from their personal devices. Due to the nature of the business we have to allow this, but it’s quite limited. I had one person who failed a few times from an “unusual IP”, then successfully logged in from that same IP. An hour later he came in from a totally different geo. Later, rinse, repeat. Most of the IPs were flagged as bad IPs from our Threat Intelligence enrichment. Looking into it, they were all registered to TunnelBear VPN. These all happened late at night/early AM, so definitely suspicious. We contacted him out of band and confirmed that he didn’t have a VPN on his computer or his phone. Then proceeded to reset his password, kill all sessions, set up MFA. (This was before MFA was rolled out to front line workers.) Then, that night… the same damn thing, even with MFA set up. Dug some more into what TunnelBear was and it turns out that McAfee bought them a few years back and has embedded them into some of their consumer Internet security packages. So the SIEM alerted to the VPN activity for unusual source IP and threat intelligence. I sometimes see an alert for unusual data exfil to an unusual IP or geo.
Hey, I’m investigating some of the same incidents occurring. I can’t verify with the dozens of users if they actually use VPN or McAfee, but I am exploring possible reasons multiple users are causing anomalous token incidents. Are there any links you could send me about McAfee embedding TunnelBear into their internet security packages? I can only find articles about how they acquired TunnelBear. TIA
All I could find is that they acquired them. Then spur.us identified the service as TunnelBear. The end user found that he had a McAfee suite that had a VPN; when he turned it off, the traffic stopped coming from TunnelBear services.
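Two things come up repeatedly in this thread: tagging sign-ins that come from known VPN/anonymizer egress ranges (what the M365 anonymous-proxy block does) and the pattern in the TunnelBear story (failures then success from one exit, then a different geo an hour later, which trips impossible-travel rules). The script below is an added example written for this thread, not code from any poster or from Microsoft. It runs a constructed set of sign-in events through both checks and marks an impossible-travel hit as a likely VPN artifact when either leg comes from a known egress range, which is the triage question the SOC actually needs answered. The CIDR ranges (RFC 5737 documentation addresses), coordinates, usernames and the 900 km/h threshold are all constructed assumptions; a real deployment would take the egress list from the sign-in log's own enrichment.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a feed of commercial VPN / anonymizer egress networks.
# Entra ID Protection keeps its own list; these documentation ranges are placeholders.
ANONYMIZER_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]


@dataclass
class SignIn:
    ts: datetime        # UTC timestamp of the sign-in attempt
    user: str
    ip: str
    country: str        # ISO country code from geo enrichment
    lat: float
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_anonymizer(ip):
    """True when the address falls inside a known VPN / proxy egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMIZER_NETS)


def analyze(events, max_kmh=900.0, allowed_countries=("US",)):
    """Tag each sign-in with the reasons a SOC rule would raise it.

    Returns a list of dicts (user, ip, ts, tags) for events that got at least one tag.
    max_kmh is an assumed plausible-travel ceiling; anything faster between two
    successful sign-ins by the same user is reported as impossible travel.
    """
    findings = []
    last_success = {}   # user -> most recent successful SignIn
    for e in sorted(events, key=lambda ev: ev.ts):
        tags = []
        if e.country not in allowed_countries:
            tags.append("outside_allowed_country")
        if is_anonymizer(e.ip):
            tags.append("known_vpn_egress")
        prev = last_success.get(e.user)
        if prev is not None and e.success:
            hours = max((e.ts - prev.ts).total_seconds() / 3600.0, 1 / 60)  # floor at one minute
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if km / hours > max_kmh:
                tags.append("impossible_travel")
                # Either leg coming from a known VPN range is the usual benign explanation
                # for the alerts discussed in the thread; surface that for triage.
                if is_anonymizer(prev.ip) or is_anonymizer(e.ip):
                    tags.append("likely_vpn_artifact")
        if e.success:
            last_success[e.user] = e
        if tags:
            findings.append({"user": e.user, "ip": e.ip, "ts": e.ts, "tags": tuple(tags)})
    return findings


def _t(hour, minute):
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: jdoe's sign-ins mirror the pattern from the thread
# (failures then success from a VPN exit, then a different geo an hour later,
# then the real office address in the morning). asmith is a clean baseline.
SAMPLE_EVENTS = [
    SignIn(_t(1, 10), "jdoe", "203.0.113.10", "NL", 52.37, 4.90, False),
    SignIn(_t(1, 12), "jdoe", "203.0.113.10", "NL", 52.37, 4.90, True),
    SignIn(_t(2, 15), "jdoe", "198.51.100.20", "JP", 35.68, 139.69, True),
    SignIn(_t(8, 0), "asmith", "192.0.2.6", "US", 40.71, -74.00, True),
    SignIn(_t(9, 0), "jdoe", "192.0.2.5", "US", 40.71, -74.00, True),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["ts"].strftime("%H:%M"), f["user"], f["ip"], ", ".join(f["tags"]))
```

Run stand-alone it prints four findings for jdoe and none for asmith. The 09:00 office sign-in is still reported as impossible travel (Tokyo to New York in under seven hours), but the `likely_vpn_artifact` tag tells the analyst the previous leg was a VPN exit, which is exactly the context the SOC in this thread was missing until the user's McAfee suite was found.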