[BreachExchange] A New Year's Resolution: Security is Broken…Let's Fix It

Destry Winant destry at riskbasedsecurity.com
Fri Dec 14 09:01:39 EST 2018


https://www.securityweek.com/new-years-resolution-security-broken%E2%80%A6lets-fix-it

As we near the end of 2018, another wave of massive cyber-attacks has
exposed personally identifiable information belonging to hundreds of
millions of people and will cost the impacted businesses untold
amounts of dollars in lost revenue, settlements, and fines. The data
breaches at Marriott International, Dell, Dunkin Donuts, and Atrium
Health, combined with research by IntSight showing that online
phishing sites skyrocketed by 297 percent during the past year, are a
clear indicator that security is broken.

According to Gartner, worldwide IT security spending is expected to
exceed $114 billion in 2018. Despite these massive investments, 66
percent of companies are still being breached according to a study by
Forrester Research — and worse, they’re breached on average five or
more times over a 12-month period. As an industry, our New Year’s
resolution should be to rethink traditional approaches to security to
account for the current threatscape.

The post-mortem analysis of most data breaches typically boils down to
two essential findings:

Credential Abuse is at the Core of Hacks

The easiest way for a cyber-attacker to gain access to sensitive data
is by compromising an end user’s identity. Equipped with the right
credentials, cyber adversaries and malicious insiders can wreak havoc
on an organization’s network, exfiltrate sensitive data, or even
siphon off funds — all while concealing their malicious activities
from threat detection solutions.

Things get even worse if a stolen identity belongs to a privileged
user who has even broader access, and which provides the intruder with
“the keys to the kingdom”. In fact, 80 percent of security breaches
involve privileged credentials, according to Forrester Research. In
addition, 65 percent of enterprises allow for the unrestricted, unmonitored,
and shared use of privileged accounts, according to Gartner.

These findings only scratch the surface of how privileged credentials
can be exploited and the damage they can cause in the wrong hands. As
the Marriott breach illustrates, it takes just one compromised
privileged credential to affect millions of data records. With
privileged access abuse being the #1 cause for today’s breaches, it is
mindboggling to see that the industry spends less than 5 percent of
the world’s IT security spending on identity-related technologies. For
its part, Gartner recommends putting Privileged Access Management on
top of an organization’s list of security projects.

Hackers Exploit an Ever-Expanding Attack Surface

Organizations need to recognize that perimeter-based security, which
focuses on securing endpoints, firewalls, and networks, has lost much
of its effectiveness due to the ever-expanding attack surface. Today’s
environments are completely different and offer bad actors a far
broader point of attack. Privileged access not only covers
infrastructure, databases, and network devices but also extends to
cloud environments and Internet of Things devices; it includes big
data projects, it must be automated for DevOps, and it now needs to
cover the hundreds of containers or microservices that represent what
used to be a single server.

Considering the breadth of attack surface organizations need to
secure, they must discard the old model of “trust but verify” which
relied on well-defined boundaries. They should, instead, pursue a
“never trust, always verify, enforce least privilege” approach to
privileged access.

Welcome to a World of Zero Trust

Acknowledging we live in a Zero Trust world and need to assume that
untrusted actors are already present inside the network, organizations
must move towards a security model that requires granting least
privilege access based on verifying who is requesting access, the
context of the request, and the risk of the access environment. This
Zero Trust Privilege approach is based on six fundamental elements:

• Verify Who - Today, identities include not just people but
workloads, services, and machines. Properly verifying who means
leveraging enterprise directory identities, eliminating local
accounts, and decreasing the overall number of accounts and passwords
to reduce the attack surface.

• Contextualize the Privileged Access Request - For each privileged
access request, it is important to know why somebody, or something is
performing the activity. To do this, we must understand the context
behind the request for access, as well as review and approve it based
on the context provided.

• Establish a Secure Admin Environment - When accessing privileged
resources, it is critical that we neither expose servers to malware
nor introduce infections during connections. To achieve this, we need
to make sure access is only achieved through a clean source (e.g.,
Web-based access to sensitive systems via an administrative jump box).

• Grant Least Privilege - Least privilege establishes granular
role-based access to privileged resources. Another objective of
granting least privilege is to limit lateral movement across the
network.

• Audit Everything - For privileged sessions, it is a best practice to
audit everything. With a documented record of all actions performed,
audit logs can not only be used in forensic analysis to identify the
source of a problem but also to attribute actions taken by a specific
user. Because these sessions are so sensitive, it is also a best
practice to keep a video recording that can be reviewed or used as
evidence, especially in regulated industries.

• Apply Adaptive Security Controls - Gartner promotes CARTA –
Continuous, Adaptive, Risk and Trust Assessment – and it’s absolutely
required for privileged access too. Living in a world of Zero Trust
means knowing that even if the right credentials have been entered by
a user, other risk factors (like the request originating from an
unusual location, or at an unusual time of day) may dictate that a
stronger form of verification is required. Modern machine learning
algorithms can analyze a privileged user’s behavior and identify
“anomalous” or “non-normal” (and therefore risky) activities, and
alert or notify security.
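To make the six elements concrete, here is a small privileged-access decision engine written for this post as an added example; it is not code from the SecurityWeek article or from any vendor product. Every request passes, in order, an identity check against a directory (verify who), a justification check (contextualize), a clean-source check (secure admin environment), a role check (least privilege), and a context-risk check that demands step-up verification when the location or time of day deviates from the user's baseline (adaptive controls), and every decision, granted or denied, is written to an audit trail that can be queried per identity (audit everything). The directory, roles, jump-host address, and timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed enterprise directory (stands in for AD/LDAP). It is the only
# identity source the engine consults, so local accounts cannot be used.
DIRECTORY: Dict[str, dict] = {
    "alice": {"roles": {"db-admin"}, "usual_countries": {"US"}, "work_hours": (8, 18)},
    "bob": {"roles": {"web-ops"}, "usual_countries": {"DE"}, "work_hours": (7, 17)},
}

# Constructed role model: role -> resource -> permitted actions (least privilege).
ROLE_PERMISSIONS: Dict[str, Dict[str, set]] = {
    "db-admin": {"prod-db": {"read", "restart"}},
    "web-ops": {"web-tier": {"read", "deploy"}},
}

# Constructed clean source: privileged sessions must come through the admin jump box.
ADMIN_JUMP_HOSTS = {"10.0.0.5"}

@dataclass
class AccessRequest:
    identity: str
    resource: str
    action: str
    source_ip: str
    country: str
    requested_at: datetime
    justification: str
    mfa_verified: bool = False

@dataclass
class Decision:
    allowed: bool
    reason: str
    risk: int = 0
    step_up_required: bool = False

# Every request, granted or denied, lands here ("audit everything").
AUDIT_LOG: List[dict] = []

def make_request(identity, resource, action, source_ip, country, when, justification,
                 mfa_verified=False) -> AccessRequest:
    """Build a request from an ISO-8601 timestamp string, as it arrives in a log or API call."""
    return AccessRequest(identity, resource, action, source_ip, country,
                         datetime.fromisoformat(when), justification, mfa_verified)

def _record(req: AccessRequest, decision: Decision) -> Decision:
    AUDIT_LOG.append({
        "time": req.requested_at.isoformat(), "identity": req.identity,
        "resource": req.resource, "action": req.action, "source_ip": req.source_ip,
        "country": req.country, "justification": req.justification,
        "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision

def context_risk(user: dict, req: AccessRequest) -> int:
    """Adaptive element: count the context signals that deviate from the user's baseline."""
    risk = 0
    if req.country not in user["usual_countries"]:
        risk += 1
    start, end = user["work_hours"]
    if not start <= req.requested_at.hour < end:
        risk += 1
    return risk

def evaluate(req: AccessRequest) -> Decision:
    # 1. Verify who: only directory identities are recognised.
    user = DIRECTORY.get(req.identity)
    if user is None:
        return _record(req, Decision(False, "unknown identity"))
    # 2. Contextualize: a privileged request must say why it is being made.
    if not req.justification.strip():
        return _record(req, Decision(False, "missing justification"))
    # 3. Secure admin environment: reject sessions that bypass the jump box.
    if req.source_ip not in ADMIN_JUMP_HOSTS:
        return _record(req, Decision(False, "source is not an admin jump host"))
    # 4. Least privilege: the action must be granted by one of the user's roles.
    permitted = any(
        req.action in ROLE_PERMISSIONS.get(role, {}).get(req.resource, set())
        for role in user["roles"]
    )
    if not permitted:
        return _record(req, Decision(False, "action not permitted by role"))
    # 6. Adaptive controls: right credentials but unusual context means step up.
    risk = context_risk(user, req)
    if risk > 0 and not req.mfa_verified:
        return _record(req, Decision(False, "step-up verification required", risk, True))
    return _record(req, Decision(True, "granted", risk))

def audit_entries_for(identity: str) -> List[dict]:
    """Attribution: every recorded action traced back to one identity."""
    return [e for e in AUDIT_LOG if e["identity"] == identity]

if __name__ == "__main__":
    print(evaluate(make_request("alice", "prod-db", "restart", "10.0.0.5", "US",
                                "2018-12-14T10:00:00", "change ticket (constructed)")))
    print(evaluate(make_request("alice", "prod-db", "restart", "10.0.0.5", "BR",
                                "2018-12-14T23:30:00", "change ticket (constructed)")))
```

The ordering of the checks matters: identity and role are settled before any risk scoring, so an unknown identity or an over-broad request is denied outright rather than being offered a step-up, and a correct password from an unusual country at an unusual hour still produces a denial with `step_up_required` set, which is the behaviour the CARTA element calls for. In a real deployment the directory lookup, role model, and MFA verification would be calls to the identity provider rather than in-memory dictionaries, and session recording would sit alongside the audit trail.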

With 2019 just around the corner, organizations should examine their
overall cyber security and identity management strategies and align
them to address the #1 cause of today’s data breach — privileged
access abuse. By implementing least privilege access, organizations
can minimize their attack surface, improve audit and compliance
visibility, and reduce risk.
