The traditional approach to cybersecurity for many businesses has involved creating an IT security perimeter.
In practice this means building an internal safe zone within which controls tend to be more relaxed and there is less visibility of the interactions and user activity taking place inside it.
Within this perimeter paradigm, the “stronghold” is defended as strongly as possible against the outside. Unfortunately, the approach has a fundamental flaw: any attacker who manages to breach the perimeter gains access to a wide range of IT resources and faces very little scrutiny.
Detailed analysis of the major cyberattacks of the last few years shows that most of the indicators of compromise could have been observed by reviewing events that took place inside the “safe” segments.
In other words, even where the initial breach came from outside the perimeter – such as an email message carrying malware attachments or malicious URLs – there were usually several missed opportunities to re-examine the suspicious activity once it had passed the first layer of security filtering.
A better approach, one that offers a high probability of blocking or at least detecting these events before they cause major damage, is to give internal events the same attention as the perimeter.
It is increasingly apparent that the perimeter approach is no longer fit for purpose. Long before businesses scaled up remote working in response to the coronavirus pandemic, organizations were already using public cloud environments and IoT devices with both direct internet connectivity and corporate network connections, and in some cases had bring your own device (BYOD) policies that lacked adequate control or oversight.
With the perimeter no longer effective, a new approach is required.
Zero Trust
We call this new approach “Zero Trust”, a modern, fit-for-purpose concept that involves securing, managing and monitoring every component used to access information systems and to handle company data.
There are two key components to the “Zero Trust” approach: visibility and control. Adequate visibility of every device that connects to the network or accesses business applications is vital, with none of them considered authorized or “safe” by default. Equally, control measures should cover all devices and users acting on the company’s IT assets, whether from inside or outside the company. These measures should be tailored to the criticality of the assets and the results of the company’s risk analysis, since there is usually a trade-off between the level of risk and the effort of implementing additional controls.
Insider threat scenarios – in which the attacker never has to breach the company’s borders because they are already behind the wall – are also well handled by this approach.
Two measures make it significantly harder for an attacker to move laterally or escalate privileges after an initial breach: multi-factor authentication and behavior monitoring of the users and devices that access IT resources. Implemented properly, these measures play a crucial role in early detection and a proper response.
Of course, these measures alone are not enough, but they lay the groundwork for a more robust control system and complement the existing principles of resource access authorization: “need to know”, “need to use”, least privilege and segregation of duties.
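To make the “behavior monitoring” measure concrete, here is an added example (not code from the original article) of the simplest form such monitoring can take: build a per-user baseline of previously seen countries and devices from historical sign-ins, then flag new sign-ins that deviate from it. The sign-in records, the country and device fields (assumed to come from a GeoIP lookup and the identity provider respectively) and the one-hour “impossible travel” window are all constructed for the example.

```python
"""Baseline-and-deviation check over sign-in events (added example).

Constructed data: a few historical sign-ins per user form the baseline; new
sign-ins are then scored. A never-seen device, a never-seen country, a hop
between countries inside TRAVEL_WINDOW, and a missing MFA step each add a
reason to the finding. Country and device values are assumed to be supplied
by GeoIP and the identity provider; both fields and the window are assumptions.
"""
from datetime import datetime, timedelta
from typing import NamedTuple


class SignIn(NamedTuple):
    ts: datetime
    user: str
    country: str   # ISO 3166 code (assumed GeoIP result)
    device: str    # device identifier (assumed IdP device ID)
    mfa_ok: bool   # whether a second factor was completed


def parse(rows):
    """Turn (iso_timestamp, user, country, device, mfa_ok) tuples into SignIn records."""
    return [SignIn(datetime.fromisoformat(ts), u, c, d, m) for ts, u, c, d, m in rows]


# Constructed historical sign-ins used to build the baseline.
HISTORY = parse([
    ("2024-03-01T08:05:00", "alice", "DE", "laptop-a1", True),
    ("2024-03-01T09:10:00", "alice", "DE", "laptop-a1", True),
    ("2024-03-02T08:15:00", "alice", "DE", "laptop-a1", True),
    ("2024-03-01T08:30:00", "bob", "DE", "laptop-b7", True),
    ("2024-03-02T08:40:00", "bob", "FR", "laptop-b7", True),
])

# Constructed new sign-ins to be scored against the baseline.
NEW_EVENTS = parse([
    ("2024-03-03T08:10:00", "alice", "DE", "laptop-a1", True),   # matches baseline
    ("2024-03-03T08:45:00", "alice", "BR", "phone-x9", False),   # 35 min later, other continent, no MFA
    ("2024-03-03T09:00:00", "bob", "FR", "laptop-b7", True),     # FR already in bob's baseline
    ("2024-03-03T15:00:00", "bob", "DE", "desktop-q2", True),    # new device, but 6 h after FR
])

# Two sign-ins from different countries closer together than this are flagged.
TRAVEL_WINDOW = timedelta(hours=1)


def build_baseline(history):
    """Per user: the set of countries and devices seen in the history."""
    baseline = {}
    for e in history:
        b = baseline.setdefault(e.user, {"countries": set(), "devices": set()})
        b["countries"].add(e.country)
        b["devices"].add(e.device)
    return baseline


def last_sign_in(history):
    """Per user: the most recent historical sign-in (for the travel check)."""
    last = {}
    for e in sorted(history, key=lambda e: e.ts):
        last[e.user] = e
    return last


def score(event, baseline, last_seen):
    """Return the list of deviation reasons for one sign-in (empty if it looks normal)."""
    known = baseline.get(event.user, {"countries": set(), "devices": set()})
    reasons = []
    if event.device not in known["devices"]:
        reasons.append("new_device")
    if event.country not in known["countries"]:
        reasons.append("new_country")
    prev = last_seen.get(event.user)
    if prev is not None and prev.country != event.country and event.ts - prev.ts < TRAVEL_WINDOW:
        reasons.append("impossible_travel")
    if not event.mfa_ok:
        reasons.append("no_mfa")
    return reasons


def evaluate(history, new_events):
    """Score new sign-ins in time order; returns (user, timestamp, reasons) for each deviation.

    The baseline itself is deliberately not updated from the new events, so a
    compromised account cannot 'teach' the detector its new device in one step.
    """
    baseline = build_baseline(history)
    last_seen = last_sign_in(history)
    findings = []
    for e in sorted(new_events, key=lambda e: e.ts):
        reasons = score(e, baseline, last_seen)
        if reasons:
            findings.append((e.user, e.ts.isoformat(), reasons))
        last_seen[e.user] = e
    return findings


if __name__ == "__main__":
    for finding in evaluate(HISTORY, NEW_EVENTS):
        print(finding)
```

Run against the constructed data, only two of the four new sign-ins produce findings: alice’s second sign-in (new device, new country, travel too fast, no MFA) and bob’s new desktop. Real deployments replace the sets with statistical baselines and tune the travel window, but the shape is the same: the controls that matter here work because the identity provider records the device and the second factor, which is the point of pairing MFA with monitoring.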
The power of cyber intelligence
A very valuable source of information is cyber intelligence in the form of Indicators of Compromise (IoCs) relating to attacks previously detected by trusted and qualified third parties, such as the cybercrime units of law enforcement agencies. Such intelligence usually includes IP addresses, hashes of malware files or of the artifacts malware leaves behind, and URLs or domain names: for example, command and control servers for botnets, watering holes – legitimate sites that attackers expect the target organization’s staff to visit and which they infect with malware – and drive-by downloads, where merely visiting a compromised or malicious page is enough for the browser to fetch and run malware, without the user knowingly downloading anything.
This information can be used proactively, to block access to resources that carry a known risk, and retrospectively, to perform forensic work on past events by searching for known indicators and techniques in the logs already collected.
Ideally, cyber intelligence is fed automatically into the security tools (firewalls, proxies, DNS filters, endpoint protection, SIEM) so that they detect and block threats more efficiently.
Last but not least, an additional layer of protection comes from “threat hunting”: the company actively looks for and analyzes events that were not detected by the current security controls but may be traces of unauthorized activity disguised as legitimate actions. The aim is to mitigate risk promptly, raise the overall security level and better understand the organization’s data flows. Actions resulting from threat hunting include blocking a legitimate user’s access when their credentials may have been compromised, restricting access to an external IP address to which unauthorized data uploads are being made, and removing potentially malicious files or processes from the infrastructure.
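The proactive and retrospective uses of IoCs described above come down to the same operation: matching the feed against what the infrastructure sees, either live or in stored logs. The following is an added example (not from the original article or any particular product) of that matching step over a few constructed proxy, DNS and endpoint log lines. The feed values are reserved documentation addresses and `example.*` names, not real indicators, and the key=value log format and field names (`dst`, `host`, `query`, `sha256`) are assumptions for the example.

```python
"""Matching an IoC feed against log lines (added example).

Three indicator types are handled the way a practitioner would expect:
  - IPs match exactly after normalisation through the ipaddress module;
  - domains match by label suffix, so a subdomain of a listed C2 domain is a
    hit while a different domain that merely ends in the same text is not;
  - SHA-256 hashes match case-insensitively.
All indicators and log lines below are constructed (RFC 5737 addresses and
example.* names); the key=value log format and field names are assumptions.
"""
import hashlib
import ipaddress
import re

# Constructed "malware" hash so that the feed and the log line agree.
SAMPLE_HASH = hashlib.sha256(b"constructed sample, not real malware").hexdigest()

# Constructed IoC feed: the shape a third-party feed would be normalised into.
IOC_FEED = {
    "ip": {ipaddress.ip_address(x) for x in ("203.0.113.45", "198.51.100.7")},
    "domain": {"c2.example.net", "watering-hole.example.org"},
    "sha256": {SAMPLE_HASH},
}

# Which log fields carry which indicator type (assumed per log source).
IP_FIELDS = {"dst", "src", "client", "ip"}
DOMAIN_FIELDS = {"host", "query", "domain"}
HASH_FIELDS = {"sha256"}

# Constructed log lines: "<timestamp> <source> key=value ...".
LOG_LINES = [
    "2024-03-03T09:58:00 proxy user=bob dst=192.0.2.10 host=www.example.com url=/",
    "2024-03-03T10:00:00 proxy user=alice dst=203.0.113.45 host=update.c2.example.net url=/beacon",
    "2024-03-03T10:00:05 dns client=10.0.0.12 query=www.watering-hole.example.org.",
    f"2024-03-03T10:01:00 edr endpoint=ws-17 file=C:\\Users\\alice\\dl\\invoice.exe sha256={SAMPLE_HASH.upper()}",
    "2024-03-03T10:02:00 proxy user=carol dst=192.0.2.11 host=notc2.example.net url=/",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def domain_matches(host, bad_domains):
    """Return the listed domain that `host` equals or is a subdomain of, else None.

    Matching is done label by label ("a.b.c" -> "a.b.c", "b.c", "c"), so
    "notc2.example.net" does not match "c2.example.net".
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def scan_line(line, feed):
    """Return [(indicator_type, matched_value), ...] for one log line."""
    hits = []
    for key, value in KV_RE.findall(line):
        if key in IP_FIELDS:
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                continue  # not an IP literal (e.g. a hostname in an IP field)
            if ip in feed["ip"]:
                hits.append(("ip", str(ip)))
        elif key in DOMAIN_FIELDS:
            matched = domain_matches(value, feed["domain"])
            if matched:
                hits.append(("domain", matched))
        elif key in HASH_FIELDS:
            digest = value.lower()
            if digest in feed["sha256"]:
                hits.append(("sha256", digest))
    return hits


def scan(lines, feed):
    """Retrospective sweep: (timestamp, source, hits) for every line with a match."""
    results = []
    for line in lines:
        timestamp, source = line.split()[:2]
        hits = scan_line(line, feed)
        if hits:
            results.append((timestamp, source, hits))
    return results


if __name__ == "__main__":
    for result in scan(LOG_LINES, IOC_FEED):
        print(result)
```

Over the constructed lines the sweep reports three events: the proxy connection to the C2 address and subdomain, the DNS lookup of the watering-hole host (trailing dot and all), and the endpoint file whose upper-case hash matches the feed; the look-alike `notc2.example.net` is correctly ignored. The same normalised feed is what gets pushed to the proxy or DNS filter for proactive blocking. The caveat is the one the article makes next: indicator matching only ever finds what a third party has already seen, which is why threat hunting has to look for behaviour as well as known artifacts.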
Four key steps to cybersecurity
Reaching an adequate level of visibility over both internal and externally exposed IT assets is crucial to securing information systems. Internal events should be monitored as closely as external access, and the two should be correlated so that cyberattacks are detected in time.
Implementing a Zero Trust framework on IT assets can drastically limit the escalation options available to an attacker once the infrastructure has been breached. This does not require overburdening business processes; it means deploying user-friendly technical solutions that meet the IT security objectives (multi-factor authentication, for example) and significantly reduce the impact of a security incident.
Shifting from the “fortress-and-moat” model to a trust AND verify model is the better approach, especially when a company’s IT assets are accessed simultaneously from different geographical locations, from fixed and mobile devices, over secured (such as VPN) or direct connections, by company staff and third parties, or even by automated systems, and the level of control has to be set on the basis of risk assessments.
Segmenting security zones (network, users, application stacks) and using relevant cyber intelligence, both from trusted third parties and from data recorded by the company itself, are good practice and meaningfully increase resilience in the event of a cybersecurity incident or attempted breach.