By Tim Brown, VP of Security, SolarWinds MSP
We must change the way we think about security. For years, security professionals emphasized protecting the perimeter. If you could set boundaries around network access points and put up the proper defenses, you could keep criminals out of the corporate network and prevent them from doing damage. This was the model for years.
However, technology and the way people use it has changed. The growth of mobile devices means more devices get onto corporate networks. Remote work means employees need to stay productive while on home Wi-Fi (with various levels of security) or on public networks. The rise of cloud services has introduced new risks to businesses as each service has its own varying level of security.
With these trends firmly in place, the old perimeter-based model no longer cuts it. There are simply too many access points from which criminals can launch attacks.
Instead, many cybersecurity professionals have moved to a new model focused on zero-trust identities and zero-trust networks. If you’re in charge of security for an organization, you should consider implementing zero-trust policies.
Living in the Post-Perimeter World
In a perimeter-based model, we assumed almost anything in the network could be trusted. However, as mentioned before, businesses need to consider a higher volume of access points than they have in the past. (Even those on a corporate network could still leave the business open to an insider attack).
Instead of this old model, businesses need to implement zero-trust identities and networks. The zero-trust identity model comes from the idea that access should be denied by default, granted only when the user passes through appropriate gates. These gates may seem complicated at first, but they don’t have to be. For example, allowing access could be as simple as checking whether the person is an employee, has a specific role, and uses a known computer in a known location. If all those attributes check out, they’re granted access and never get prompted for additional information. But, if one attribute doesn’t check out, they may be prompted for additional information. These “gates” would therefore prove user-friendly to pass through—unless something’s amiss.
With zero-trust networks, we embrace deperimeterization. We acknowledge and accept that we have many separately protected environments. Think of seeds within a pomegranate. Each seed must be protected with a hard shell. Once zero trust is embraced, we can look at each environment, determine how sensitive the environment is, and decide how much security is needed for it.
Additionally, you need to carefully police the applications used within the business. Thankfully, the rise of data privacy regulations—like GDPR—have improved transparency from software vendors. You can get a lot more information on the steps they take to ensure security than you could a few years ago, so make sure to do your due diligence and keep insecure applications out of the network.
Finally, consider individual users and the risks they represent. Segment those users into risk buckets based on the access they need to do their job. This allows you to be strategic about your protection. You can “increase the pain” on roughly 20% of high-risk users, while the other 80% can operate on a lower level of security. For example, you could force high-risk users to use app-based or physical, USB-based multifactor authentication (MFA) and require them to use a VPN to connect to systems from outside the corporate network. For lower-risk users, you might allow them to simply use SMS-based MFA for their accounts and use their devices as normal at home. Additionally, I strongly recommend focusing your security monitoring efforts on the high-risk users. If you have a SIEM solution in place, crank up the profiles on the high-risk users.
The Important Role of Endpoints
There’s another important shift we should make. We need to start thinking of the endpoint as the start point. Endpoints have often been the launch point for wider attacks—like using webcams for denial-of-service attacks.
The sheer volume of endpoints and the fact that we cannot see into many of them makes them very difficult to protect. In just my own home network, I manage 30 endpoints via my RMM. Businesses have far more. It’s critical to understand what you can directly protect and what you need to indirectly protect. For example, for internet of things (IoT) devices you can’t add software to, you need to segment them properly. For devices you can directly protect with software, you should protect them to the full extent possible.
Here’s where analytics, artificial intelligence, and machine learning come into play. Endpoint detection and response products use behavioral AI to establish baseline behavior and flag deviations from the norm. It can look for patterns, like unusual access over RDP, attempts to change the system registry, spikes in CPU cycles for cryptomining attacks, or attempts to delete local backups. It also can take actions like shutting down malicious processes, quarantining files, or rolling back the endpoint to a previously healthy state after a ransomware attack.
In the previous section, I mentioned segmenting your users into risk categories. Those in the higher risk categories will need stronger endpoint protection. If you only put AI-driven protection on some endpoints, prioritize these high-risk users.
The Future of Cybersecurity
Cybersecurity will continue along this path. Administrators will have to deal with more devices, more complex use cases, and newer, hard-to-detect cyberthreats. To combat this, we have to embrace the future and adapt. Unfortunately, too few companies have adapted enough to embrace both zero-trust identities and zero-trust networking. Businesses must if they want to remain secure. And they have to embrace new technologies, like analytics, AI, and machine learning, to keep their highest risk users safe.
If you’d like to hear more about security from Tim Brown and other experts, visit the SolarWinds MSP blog.