The single biggest concern organizations face today is the security of their data, and the prevention of data exfiltration by a malicious actor—both externally and internally. It’s important to remember that today’s threat actors are highly motivated and highly financed to go after your data—your most valuable asset. It’s not enough to just have a firewall anymore, companies also need to be monitoring and controlling their data to keep it from leaving the organization. One of the best new ways to do this is by adopting a Zero Trust security posture.
In the last two years alone, the rise of ransomware has been unprecedented in both the number and sophistication of attacks. The financing of threat actors to attack, steal, and exfiltrate data from networks represents a perfect storm of increasingly capable ransomware payloads, combined with the rise of cryptocurrencies that drive the extortion payment process (and make it effectively irrecoverable by law enforcement.) The trend towards cloud-enabled networks and remote-working have made enterprise data exfiltration by cyber-threat actors hugely profitable—ransomware increased 75% in just the first quarter of 2021. In fact, this cybercriminal “industry” is now the biggest illegal industry in terms of revenue dollars from cyber theft.
The strategic direction enterprises, of all sizes, must take to reduce ransomware risk and minimize their attack vector is to adopt a Zero Trust architecture. A recent Executive Order to improve U.S. cybersecurity included a mandate that directs the federal government to move towards a Zero Trust architecture.
Listen to this podcast episode with Palo Alto where we discuss what Zero Trust is, how it can make an impact on an organization of any size, and how to go about implementing it.
Zero Trust: Defined
It’s important to note that Zero Trust isn’t a product. Zero Trust is a strategic approach to cybersecurity that eliminates implicit trust and continuously validates every stage of the digital interaction. Zero Trust is valuable regardless of an organization’s size, industry, or the location of its workloads and/or data.
Traditionally, corporations implicitly trusted those inside the core data center or within the company perimeter. Once you were past the outwardly-facing firewalls, the thinking went, you were A-OK. But Zero Trust means: trust no one, verify all, and validate every transaction, including every interaction inside the firewall. Simply put: Zero Trust involves the verification of three things:
- The user
- The application
- The infrastructure
Crucially, Zero Trust means that this verification happens everywhere in your IT footprint- regardless of whether the traffic is flowing north-south or east-west.
There are also three big transformations occurring in the IT landscape. First, the shift to remote work has caused a huge network transformation by necessitating a seamless experience for all users—whether they’re in the network, in the corporate data center, in Starbucks, or traveling internationally. The second big transformation is the move to the cloud. This can mean a company has a wider dispersion of IT resources than ever before—resources that are going to need to be secured just as tightly as systems that remain on-prem.
The third transformation that should encourage organizations to redesign how they deliver security is automation. Today’s threat actors are attacking with ransomware, automation, and Machine Learning, so leveraging an automated response to such threats becomes absolutely critical. This third point is kind of a ‘fight fire with fire’ situation; you are being attacked by systems that are increasingly automated. Automation is going to be essential to any security organization that hopes to keep up.
Securing users with Zero Trust
In a Zero Trust model, securing users involves verifying four things: the user’s identity, the user’s device (and the workload that the device is trying to access), the least privileged access for the workload, and finally, the user’s permission to perform the transaction. Zero Trust for users means verifying identity, device, access, and transaction.
Securing applications with Zero Trust
The four pillars of securing applications in a Zero Trust architecture are essentially the same. First, verifying the applications are coming from and through an approved device, and verifying the application has permission and the access to conduct the transaction. Often, threats that get inside the data center’s external firewalls may try masquerading as an approved and trusted application. So it’s critical to verify that they are who they say they are, and that they really have access to “X application” or to “X data” that resides in the cloud or behind the firewall.
Securing infrastructure with Zero Trust
Securing infrastructure through Zero Trust follows what, by now, probably feels like a familiar pattern: validate all users with access to the infrastructure, identify all devices—including IoT—incorporate least privilege access segmentation for the native and third-party infrastructure, and scan all content to look for any malicious activity and data theft.
Tools And Techniques For Getting For Zero Trust
With our three pillars in mind, (users, applications, and infrastructure,) ask yourself, “How do you establish if a user has truly been granted access to an application and tools when most users have multiple identities, and/or paths into and around inside our perimeter” The answer is by adopting a true Layer 7 visibility approach to understanding the user, the app, and the application they’re connecting to—and then writing security controls for that user and application. This is foundational to a Zero-Trust architecture. A traditional Layer 3-only approach is limited, it only points to an IP Address or website without looking at the user or the application. But identifying the user and the application, and then being able to tie the two together, is foundational to a Zero Trust architecture.
Be sure your vendor (or potential vendor) provides enterprise-level security that ensures visibility into the actions of both users and applications so rules may be written accordingly. Security tools that can leverage multiple identity providers (whether from Octa, Google, Azure, or Ping, etc.) enable visibility into access requests based in any SSO and Identity Access Management provider that might be in use, giving you a big advantage when it comes to verifying users at the front door. Again, the foundational core for Zero Trust user architecture is verifying users and verifying they’re actually allowed to access an application—and denying all else.
Another key to success is the migration of rules from legacy tools: assessing traditional (IP-address-target-application) approaches and writing new Zero Trust policies around IT interactions that are user/application-specific. Companies like Palo Alto Networks offer built-in tools to enable this migration. Again, Zero Trust for applications means having visibility into an application and constructing rule sets to define usage.
Similarly, Zero Trust for infrastructure involves having visibility into core transactions: looking at the actual flow in the network to reduce the risk of phishing, malicious websites, and DNS attacks. DLP is important here in enabling the tagging, tracking, unpacking, and encrypting, of critical data. Defending against threat actors is nearly impossible if visibility into data traffic is lacking. Without clear rules about what traffic is acceptable, you are limiting your ability to determine if there is malware or other malicious files in your environment.
For many organizations, the solution isn’t as simple as an end-to-end product and the platform shouldn’t just involve physical hardware. It shouldn’t be data-center centric or cloud-centric but must offer a hybrid solution—because modern users are hybrid. The same security policy must apply whether a user is physically inside the corporate firewall, connecting through a local VPN connection, or accessing a SAS application from a remote location. You need a consistent policy in order to provide a consistent user experience that delivers the best (and most transparent) security possible.
Next-Generation Security Products
Finally, a brief discussion on what to look for when it comes to devices (or appliances) that can be used in your environment to help build towards a Zero Trust environment. Traditionally, security vendors provided point products: a URL-filtering product to block malicious websites, a sandboxing product to analyze files for malicious content prior to being delivered to the user, and an intrusion detection and prevention product—often bought from separate companies. It is common to see traditional network infrastructure typically involve seven or eight security providers having some role in providing security, oversight, and control.
A next-generation firewall consolidates the functionality of multiple security vendors into a single platform. This enables operational efficiency for customers (i.e., one security provider, one console, one policy, the famous ‘one throat to choke’) while also eliminating redundancy and providing a performance advantage from not running multiple stacks of network gear. Standardization and centralization provide an operational advantage, better security, and reduce risk. Keep in mind that without visibility into traffic through SSL decryption, security controls are substantially less effective.
The Role of AI and Machine Learning in Reducing the Risk of Ransomware, Zero-Day, And Other Attacks
Traditionally, the industry has approached the problem of threat actors by creating a database of malicious IP addresses. But this list of malicious URLs has become obsolete. Threat actors today will spin up a URL for a single attack—buying IP addresses that haven’t been navigated by crawlers—in which to hide malicious content through cloaking. These attacks are nearly impossible to stop with traditional neural filtering databases. Research revealed that traditional databases failed to block 48% of malicious URL websites deployed by threat actors over a three-day period. Thankfully, network security leader, Palo Alto Networks introduced an advanced way to defeat these evasions by analyzing web traffic through Machine Learning, to provide real-time enhancements to URL protection. So, reducing your risk of ransomware and threat actors means adopting more advanced capabilities that include Machine Learning and Artificial Intelligence (AI).
Next Steps in Getting Started with Zero Trust
Understand and adopt a user, application, and infrastructure-based identification and verification approach. Never assume a user should have access to an application or a database simply because they’re on the corporate network. Take advantage of tools that identify applications automatically and that integrate user identification into your existing Identity and Access Management system.
It’s important to realize that no organization is too small to be attacked by today’s threat actors because, frankly, it’s a numbers game. Threat actors will gleefully go after small organizations with the same vigor as large ones because they’ve experienced success at getting ransoms paid there as well.
That said, the best place to start is with a current-state assessment from Verinext to understand where you are and where you need to be. We have had enormous success helping customers reduce their risk, improve their security posture, and remove a good deal of worry from their business by taking advantage of the latest innovations and capabilities. Let Verinext help you get there.