[BreachExchange] Perimeter Defenses are Dead, So Now What?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 1 20:20:04 EDT 2018


The castle walls, moat and drawbridge have been overrun. It is obvious to
all of us – the use of perimeter defense as the key cyber strategy is dead.

Over time, the internet has added so many new entry points into the
enterprise that they are unmanageable. You have too many administrative
interfaces to maintain at ever-increasing cost and complexity. Off the grid
Shadow IT products and services also bring new cloud applications to the
enterprise unknown to the security operations defenders. Borders that had
been well defined have become porous and open.

There is so much traffic moving in and out of the network that it is almost
impossible to discern the contents by intention, especially since both
enterprise and attacker tools use encryption. The sum total of your
personnel, tools and tactics do not provide better security but instead
offers an almost certain target to any persistent attacker.

Exploiting Trust

At the core of this is the issue of trust. If you are in the enterprise
physical hard-wired network, security protocols are designed to implicitly
reward you. You are inside the network and, therefore, we know who you are
and we can trust you. Now inside of the network and trusted, you can
navigate nearly anywhere. Once there, you need permissions to access
certain application resources, but, in the meantime, you have almost a
complete run of the network.

This implicitly delegated trust gives you visibility to network traffic and
resources, and, if you are a cyber attacker, with a few tools you are
almost immediately positioned to intercept messaging, observe processes and
capture authentication. Attackers look around and sooner or later, if not
caught, they manage to intercept administrator credentials. Game over.
TCP/IP was designed to be an open protocol and has virtually no
capabilities for trust or identity management integrated at any level.

Storm Cloud

The cloud has amplified this problem to new heights. Attackers have a
virtual library of new attack vectors through which to gain access. The
cloud not only stores valuable enterprise data but provides a conduit back
to closely guarded, on-premise assets. A large percentage of data exposure
and potential data breach has been caused by misconfiguration. We’ve seen
many examples of this, impacting Amazon AWS, Google Cloud services and
Azure customers alike.

Even when using basic encryption for data at rest, we have seen that the
recently announced data exposure in the Salesforce Marketing Cloud was
caused by access through the applications program interface (API). Once the
attacker is in the network, they can compromise the API and then gain
access to the encrypted data.

Trust Nobody

One strategy that can add strength and resiliency to your defense-in-depth
strategy is to move to a posture of Zero Trust. The Zero Trust model was
first conceived by Forrester Research in 2009, when it noted that it was
inherently flawed to consider everyone inside the network as trusted, and
everyone outside of the network as untrusted. The basic assumption of Zero
Trust is that every user, both inside and outside the network, is to be
considered untrusted and hostile. Zero Trust turns this legacy perimeter
defense model upside down and, evolving with industry participation, now
presents a strong and viable alternative.

Zero Trust also brings changes to both policy and architecture by assuming
that threats exist all the time, both inside the network and externally,
and enterprise and government must operate accordingly. Every user and
device on the network must be authenticated and authorized. Policies should
limit the user to access to the minimal subset of network resources they
need to do their job – no more. No more wide-open view of the internal
network and data sources. No more easy access to data resources –
everything should be hardened, encrypted end-to-end, and locked up tight.

Zero Trust is straightforward to implement. You need to define and adopt
key Zero Trust policies that align with your current defense-in-depth
deployment. You then need to make decisions about operations, procedures
and best practices and then select and deploy the new technologies required.

Building Zero Trust

A change to Zero Trust can be made by enterprise and government at a pace
that matches their need for stronger security. Each enterprise can
implement the additional technologies, policies, and encryption at their
own pace. Zero Trust is relatively easy to implement, as there is minimal
impact to the existing base of devices and TCP/IP infrastructure already in
place. Zero Trust builds upon the existing TCP/IP infrastructure.

There are paid solutions that bring Zero Trust encryption for cloud
deployment. These can provide enhanced visibility, threat and data
protection, and strong controls for implementation of compliance. By
overlaying clouds with the resiliency, they can add the increased
capabilities required to identify the new wave of cyber threats that could
overrun your network and shut down access to critical resources.

Two-factor authentication is another powerful and mandatory tool that
should be part of any Zero Trust environment. All applications should be
authenticated by the use of two-factor authentication technologies.
Deception technology is another Zero Trust technology, as are newer
technologies such as moving target defense.

Perimeter defense is long dead as a primary strategy but good alternatives
exist. Building out a Zero Trust strategy results in an environment which
is much more robust and capable of stopping many of the attackers that seek
to compromise your on-premises networks and clouds. When cyber attackers do
successfully penetrate your networks, Zero Trust will help reduce the time
to breach detection, substantially limit or eliminate attackers’ ability to
cause damage or steal data. It also helps to promptly mitigate the attack
so you can resume normal operations.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20181001/36f25c82/attachment.html>

More information about the BreachExchange mailing list