Defense in Depth: How to Fight Cybersecurity Threats with ZTNA & EDR
Today networked resources extend far beyond the office, control over connected devices is less direct, and the definition of “user” has become more nebulous. When you add ever more sophisticated cyber criminals into this mix, the classical approach to network security becomes untenable. The pandemic-enforced shift to work-from-home operations simply served as a wake-up call that we need a new approach to network security.
Alex Marshall, our Co-Founder and Chief Product Officer, joined a recent Coalition Security Week webinar to discuss how modern network security methods can prevent business disruption. Coalition is a leading cyber insurance and risk management services provider which gives it a unique view into cybercrime’s full impact. Coalition’s host, Jen McPhillips, facilitated a discussion between Alex and two other guests: Adam Kujawa, Director of Malwarebytes Labs, and Tommy Johnson from Coalition’s Threat Intelligence team.
The Defense in Depth: ZTNA + EDR webinar sparked interesting conversations about the nature of today’s cyberthreat landscape and about the defenses made possible by new network security technologies.
Here are a few insights from their exchange. To get all the details, check out the full video at the bottom of this post.
Alex kicked things off by discussing the evolving concept of a network perimeter. Even before the pandemic, the traditional castle-and-moat paradigm had become less relevant. Trends such as device diversity, flexible workforces, and cloud services have pushed networks and business information far beyond the physical central office.
At the same time, Adam added that network entry points are proliferating thanks to outside relationships such as third-party vendors and APIs. In effect, granting a vendor access to networked resources expands your perimeter to include their perimeter.
Tommy explained how Coalition assesses a client’s cyber risk. In addition to reviewing the client’s application, Coalition scans the client’s perimeter to see how exposed its networks are to potential adversaries. Risk factors at the perimeter could make the client uninsurable unless an independent audit determines it is not compromised.
Adam cautioned that cyber criminals’ sophistication and the “insane” amount of social engineering behind attacks should alarm everyone. As one example, the current generation of malware spends less time trying to download tools from outside the network’s perimeter. Instead, once inside the network, the malware “lives off the land” using the network’s own administrative tools.
Yet even as adversaries are becoming more sophisticated, too many of their victims make things easy for them. Tommy explained how some of the worst claims Coalition receives are from organizations that had simple, flat networks. One compromised domain controller gives bad actors free rein over the entire network and the ability to cripple anything within it, which sometimes includes critical industrial machinery.
Eliminating public entry points may be the lowest-hanging fruit for securing a network. However, making a network invisible to the internet is only the first step. And relying upon security through obscurity alone is a recipe for disaster.
The network must be structured to limit the blast damage when an attack succeeds. Segmentation makes it harder for adversaries to penetrate deeper into the organization.
Least-privilege Zero Trust Network Access (ZTNA) technologies take trends in segmentation and the perimeter to their logical conclusion. Alex explained that ZTNA assumes malicious intent behind every network connection. No traffic — on any network — is allowed unless it is expressly authorized based on the user’s identity, the posture of the device, and the context of the network connection.
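As an added illustration of the deny-by-default rule Alex describes (example code written for this post, not taken from the webinar or from any vendor's product), the sketch below evaluates a single connection against identity, device posture and connection context, and returns the reasons for a denial so they can be logged. The request fields, rule schema and sample policy are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class ConnectionRequest:
    """One user-to-resource connection attempt (constructed fields)."""
    user: str
    groups: FrozenSet[str]      # identity: group memberships from the IdP
    mfa_verified: bool          # identity: strong authentication completed
    device_managed: bool        # posture: device is enrolled and known
    device_patched: bool        # posture: endpoint agent reports compliant
    src_network: str            # context: "corp", "home" or "unknown"
    hour_utc: int               # context: time of the request
    resource: str

@dataclass(frozen=True)
class Rule:
    """Explicit grant for one resource; anything not granted is denied."""
    resource: str
    allowed_groups: FrozenSet[str]
    allowed_networks: FrozenSet[str] = frozenset({"corp", "home"})
    business_hours_only: bool = False  # 08:00-18:00 UTC when True

def evaluate(req: ConnectionRequest, policy: List[Rule]) -> Tuple[str, List[str]]:
    """Return ("ALLOW", []) or ("DENY", reasons). The default is DENY."""
    rule = next((r for r in policy if r.resource == req.resource), None)
    if rule is None:
        return "DENY", ["no rule grants access to " + req.resource]
    reasons = []
    # Identity: who is connecting, and was the login strongly verified?
    if not (req.groups & rule.allowed_groups):
        reasons.append("identity: user not in an allowed group")
    if not req.mfa_verified:
        reasons.append("identity: MFA not verified")
    # Device posture: every rule requires a managed, compliant endpoint.
    if not req.device_managed:
        reasons.append("posture: unmanaged device")
    if not req.device_patched:
        reasons.append("posture: device not compliant")
    # Context: where and when the connection originates.
    if req.src_network not in rule.allowed_networks:
        reasons.append("context: network %r not permitted" % req.src_network)
    if rule.business_hours_only and not 8 <= req.hour_utc < 18:
        reasons.append("context: outside business hours")
    return ("ALLOW", []) if not reasons else ("DENY", reasons)

# Constructed sample policy: only the two listed resources are reachable at all.
POLICY = [
    Rule("payroll-db", frozenset({"finance"}), frozenset({"corp"}), True),
    Rule("wiki", frozenset({"staff", "finance"})),
]
```

Because every check is evaluated rather than short-circuited, a denied request carries the full list of failed conditions, which is the record an analyst wants when reviewing access attempts.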
Jen teed up more conversations by citing Coalition’s recently published report on cyber insurance claims. Based on Coalition’s own claims data, the report found 47% of incidents could be traced back to a successful phishing attack. Tommy observed that phishing’s effectiveness is why cyber insurance will always be around. The human element is just as much a part of the attack surface as the technical element.
Several war stories highlighted how difficult it is, even with the best training, to prevent socially engineered attacks. Adam said that, though phishing works and may never stop working, these attacks tend to rely on generic malware that Endpoint Detection and Response (EDR) tools can detect quickly.
Throughout the webinar, everyone made the point that network security professionals need to think like their adversaries. Adam pointed out that, in most cases, adversaries do not target an organization — they target an opportunity. The external perimeter presents an attack surface that influences cyber criminals’ behavior. Making it harder to get in by being invisible lowers the risk of an attack.
But the perimeter is only part of the equation. Tommy pointed out that defense in depth is the best protection. Micro-segmentation and software-defined perimeters can reduce the impact of a successful breach and minimize your organization’s overall cyber risk.
Alex’s closing comments reiterated the need for organizations to change the way they approach network security. Remote access security is not a special situation — it is the way to protect the entire network. Stop focusing on a perimeter that no longer exists and focus instead on the context of every one-to-one connection between users and resources.
Click here to watch the entire event, or jump directly to a section of interest:
- 1:57: Panelist introductions
- 4:56: What are the digital perimeters of an organization?
- 10:40: How are perimeters taken into account in underwriting and threat assessment?
- 13:10: How can you reduce the risk of being targeted?
- 20:43: How do you see organizations’ networks typically being breached?
- 30:40: What is the most interesting breach story you have?
- 38:10: How does this impact claims and insurability?
- 43:50: What defenses should a company put in place in their internal network to prevent email phishing or other common threats from compromising the entire network?
- 48:50: How has remote work and the pandemic changed how people should think about securing their company’s perimeter?