Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver
The conventional perimeter is dissolving quickly. So what about the endpoint?
Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. Those investments are being questioned, with returns unable to justify the cost and complexity of building, maintaining and validating these aging defenses.
Not only that, the paradigm has changed: employees no longer work solely in the office. Many log time from home or out in the field, and neither location sits behind the corporate firewall. Instead of keeping the bad guys out, firewalls often have the opposite effect: they keep the good guys from being productive. The paradox? They create a safe haven in which adversaries can breach, hide for months, and then move on to critical systems.
So What Has Changed So Much?
The endpoint has become the last line of defense. With the failure of perimeter defense noted above and a “mobile everywhere” workforce, we must now enforce trust at the endpoint. Easier said than done, however.
In the endpoint space, identity and access management (IAM) systems are not the perfect answer. Even innovative companies like Okta and OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler, cannot overcome one simple truth: trust goes beyond basic identification, authentication, and authorization.
Encryption is a second attempt at protecting entire libraries and specific assets. In the most recent (2016) Ponemon study on data breaches, encryption saved just 10% of the cost per breached record (from $158 to $142). This is not the cure that some make it out to be.
The Whole Picture Is Changing
Organizations must be prepared to embrace new paradigms and attack vectors. While companies need to grant access to trusted groups and individuals, they have to do so in a better way.
Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are rapidly coming to make up over half of the overall business workforce.
On endpoint devices, the binary is primarily the problem. Seemingly benign events, such as an executable crash, could indicate something basic, like the Windows 10 Desktop Window Manager (DWM) restarting. Or it could be a much deeper issue, such as a malicious file or early indicators of an attack.
Trusted access doesn’t resolve this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering, or other human factors. This requires more than simple IAM; it requires behavioral analysis.
Instead of making good better, perimeter and identity access companies made bad faster.
When and Where Does the Bright Side Begin?
Stepping back a little, Google (Alphabet Corp) announced a perimeter-less network design in late 2014, and has made considerable progress. Other businesses, from corporations to governments, have done this too (quietly and less rigorously), but BeyondCorp has done it and disclosed its efforts to the world. The design approach, endpoint plus (public) cloud displacing the cloistered corporate network, is the key concept.
This changes the entire discussion of the endpoint, be it a laptop, PC, workstation, or server, as subservient to the corporate/enterprise/private/organization network. The endpoint really is the last line of defense, and must be protected, yet must also report its activity.
Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to tools and services based on a user’s physical location or the originating network; rather, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both external and internal networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or “tiers,” of access.
By itself, this appears harmless. But the truth is that this is a radical new model, and an imperfect one. The access criteria have shifted from network addresses to device trust levels, and the network is heavily segmented by VLANs, instead of a central design with room for data breaches, hacking, and threats at the human level (the “soft chewy center”).
The good news? Breaching the perimeter is very challenging for would-be attackers, and network pivoting is next to impossible once past the reverse proxy (a common mechanism used by adversaries today, proving that firewalls do a better job of keeping the cyber criminals in than of letting the good guys get out). The inverse design further applies to Google cloud servers, presumably tightly managed inside the perimeter, versus client endpoints, which are just about everywhere.
Google has made some nice improvements on proven security approaches, notably 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).
Why is this important? What are the gaps?
Ziften believes in this approach since it emphasizes device trust over network trust. However, Google doesn’t specifically describe a device security agent or highlight any kind of client-side monitoring (apart from extremely strict configuration control). While there may be reporting and forensics, this is something every company should be aware of, given that it’s a matter of when, not if, bad things will occur.
Since implementing the initial phases of the Device Inventory Service, we’ve ingested billions of deltas from over 15 data sources, at a typical rate of about three million per day, totaling over 80 terabytes. Retaining historical data is essential in allowing us to understand the end-to-end lifecycle of a particular device, track and analyze fleet-wide trends, and perform security audits and forensic investigations.
This is an expensive and data-heavy process with two shortcomings. On ultra-high-speed networks (used by organizations such as Google, universities and research institutions), there is enough bandwidth for this kind of communication to occur without flooding the pipes. The first concern is that in more pedestrian corporate and government settings, this would cause significant user disruption.
Second, computing devices must have the horsepower to constantly collect and send data. While most workers would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly make this excessive.
A Lack of Lateral Visibility
Few systems actually produce ‘enhanced’ NetFlow, augmenting standard network visibility with rich, contextual data.
Ziften’s patented ZFlow™ provides network flow information generated at the endpoint, otherwise obtained through brute force (human labor) or costly network devices.
ZFlow serves as a “connective tissue” of sorts, extending and completing the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints, and allowing security teams to make faster, better informed and more precise decisions. In essence, purchasing Ziften services results in labor cost savings, plus a boost in speed-to-discovery and time-to-remediation, as technology substitutes for human resources.
For organizations moving or migrating to the public cloud (as 56% plan to do by 2021, according to IDG Enterprise’s 2015 Cloud Survey), Ziften offers unmatched visibility into cloud servers to better monitor and secure the total infrastructure.
In Google’s environment, only corporate-owned devices (COPE) are permitted, crowding out bring your own device (BYOD). This works for a company like Google that can hand out new devices to all staff: smartphone, tablet, laptop, and so on. Part of the reason for that is the vesting of identity in the device itself, plus user authentication as usual. The device must meet Google requirements, having either a TPM or a software equivalent of a TPM, to hold the X.509 certificate used to confirm device identity and to facilitate device-specific traffic encryption. There must be multiple agents on each endpoint to verify the device identification assertions called out in the access policy, which is where Ziften would have to partner with the systems management agent vendor, since it is likely that agent cooperation is necessary to the process.
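To make the device-state-based, tiered access decision described above concrete, here is a small added example in Python (not Google's or Ziften's code). The device record fields, the tier names, the application policy table and the thresholds are all constructed assumptions for illustration; the point is that the decision uses device identity (a valid TPM-held certificate), device state and user group, and never the originating network.

```python
from dataclasses import dataclass

# Ordered trust tiers: a device must reach at least the tier an application demands.
TIERS = ["untrusted", "basic", "privileged", "highly_privileged"]

@dataclass
class DeviceRecord:
    """Constructed stand-in for a device inventory entry (assumed fields, not a real schema)."""
    device_id: str
    cert_valid: bool           # TPM-held X.509 device cert chains to the corporate CA
    managed: bool              # enrolled in device management / configuration control
    disk_encrypted: bool
    patch_age_days: int        # days since the last OS update was applied
    agent_last_seen_days: int  # days since the endpoint agent last reported state

def device_tier(dev: DeviceRecord) -> str:
    """Assign an access tier from device identity and state only; no network location is used."""
    if not dev.cert_valid or not dev.managed:
        return "untrusted"          # no trustworthy device identity, nothing else matters
    if dev.agent_last_seen_days > 7:
        return "basic"              # stale inventory: current state cannot be asserted
    if not dev.disk_encrypted or dev.patch_age_days > 30:
        return "basic"
    if dev.patch_age_days > 7:
        return "privileged"
    return "highly_privileged"

# Constructed policy: application -> (minimum device tier, user groups allowed)
APP_POLICY = {
    "wiki": ("basic", {"employees", "contractors"}),
    "source-repo": ("privileged", {"engineering"}),
    "prod-console": ("highly_privileged", {"sre"}),
}

def authorize(dev: DeviceRecord, user_groups: set, app: str) -> tuple:
    """Return (allowed, reason); both the device tier and the user's group must pass."""
    min_tier, allowed_groups = APP_POLICY[app]
    tier = device_tier(dev)
    if TIERS.index(tier) < TIERS.index(min_tier):
        return False, f"device tier {tier} is below required tier {min_tier}"
    if not (user_groups & allowed_groups):
        return False, "user is not in a group allowed for this application"
    return True, f"allowed at device tier {tier}"

if __name__ == "__main__":
    laptop = DeviceRecord("lap-01", True, True, True, 3, 1)   # constructed healthy device
    print(authorize(laptop, {"sre"}, "prod-console"))
    print(authorize(DeviceRecord("lap-02", True, True, True, 3, 30), {"engineering"}, "source-repo"))
```

Note that a device whose agent has gone quiet is degraded rather than trusted on its last known state, which is the monitoring gap the paragraph above points at.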
In summary, Google has built a world-class solution, but its applicability and functionality are limited to organizations like Alphabet.
Ziften provides the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow tracking (from the endpoint), and a best-in-class console. For organizations with specialized needs or incumbent tools, Ziften provides both an open REST API and an extension framework (to enhance data ingestion and trigger response actions).
This brings the benefits of the BeyondCorp design to the masses, while conserving network bandwidth and endpoint (machine) computing resources. As companies will be slow to move entirely away from the enterprise network, Ziften partners with firewall and SIEM vendors.
Lastly, the security landscape is steadily shifting towards managed detection and response (MDR). Managed security service providers (MSSPs) offer traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is inadequate. They lack the skills and the technology.
Ziften’s system has been evaluated, integrated, approved and deployed by a number of the emerging MDRs, highlighting the standardization (capability) and versatility of the Ziften platform to play a key role in remediation and incident response.