Network security today is more complex than ever. Only a few years ago, a network security engineer moving from one organisation to another could expect to face a challenge in the new post broadly similar to the one in the previous post. Networks, however multi-layered and however diverse the equipment, were still primarily a collection of trusted subnets shielded from the untrusted wider internet by firewalls and DMZ servers. These days, we hear talk of the post-perimeter world, cloud architecture, zero trust networking, microsegmentation and, of course, the ‘Internet of Things’, aka IoT. In this article, we explore these concepts and look at the challenges and solutions for organisations trying to cope with this seismic shift in enterprise networking.
Why ‘securing the perimeter’ is no longer enough
The demise of the perimeter has been a prominent theme in cybersecurity for the past several years, and for good reason. Traditionally, enterprise IT architecture consisted of a data centre, an internal network, endpoints and an internet gateway. To secure this “traditional” architecture, organisations needed a firewall to police inbound traffic, a sandbox to inspect incoming files (usually arriving by email), network security solutions for packet capture and network traffic analysis, and endpoint security solutions to protect the endpoints themselves.
This architecture has always faced inherent security challenges. From social engineering and phishing attacks that abuse the naive assumption that authenticated traffic can be trusted to vulnerabilities in firewall hardware and software, threat actors have always found ways to gain access to enterprise networks.
But the rapid adoption of mobile devices and then cloud technologies has changed the traditional enterprise architecture, and with it the apparatus needed to secure it. Today, an enterprise is more likely to have a mixture of local networks, endpoints, mobile devices, cloud applications and networked devices (whether legitimate or rogue). Employees need access to network assets from mobile devices, and on-premises data centres have widely been replaced, in part or entirely, by external cloud providers, with sensitive organisational data stored on rented servers whose physical location and security are opaque to the customer.
This new architecture dramatically expands the organisation’s attack surface and makes the old ‘secure the perimeter’ paradigm obsolete.
How do organisations cope with network security today?
Organisations have coped with this seismic change mostly by trying to do more of the same, while integrating new methodologies and, to a lesser extent, new security solutions. The focus is on identity and access management solutions and network segmentation, as embodied in the zero trust, microsegmentation and SDP methodologies. Let’s take a look at these.
One of the most prominent approaches adopted by many organisations is “Zero Trust”, a term coined by research firm Forrester. Its main principle is “never trust, always verify”: every request is authenticated and authorised regardless of where it originates. It is especially suited to organisations that use cloud applications and infrastructure, as it assumes that even entities inside the perimeter cannot be trusted.
Zero trust is still very much a buzzword that is used to sell authentication mechanisms for cloud applications, and it by no means removes the need for endpoint or network security solutions.
Microsegmentation emphasises the creation of secure zones that allow organisations to ‘segment’ or isolate individual workloads so that each can be protected on its own terms, with only the traffic it actually needs allowed in and out. It is used mostly in asset-rich environments such as data centres and cloud deployments. However, doing this in a large enterprise environment, with multiple networks, cloud platforms and firewalls, is very complicated and is hard for network engineers to deploy and configure securely.
Effective microsegmentation requires visibility, something many sprawling, disparate networks lack. Without knowing what devices are on the network and how they talk to each other, it is difficult for network engineers to know what to segment, let alone which flows between segments to allow.
Software-defined perimeter (SDP)
Software-defined Perimeter (SDP) is a security framework developed by the Cloud Security Alliance (CSA) that controls access to resources based on identity. The aim of an SDP is to let users connect to applications, services and systems on the network securely while hiding the underlying infrastructure, including IP addresses, port numbers and DNS information, from anyone who has not been authorised. In this “closed” or “dark cloud” model, a network device denies connections from every application and device except those that “need to know”, and a connection is only brokered after the requesting identity and device have been verified. This prevents attackers from using lateral movement techniques, running distributed denial of service attacks against the hidden services, and exploiting other common network intrusion TTPs.
Like zero trust and microsegmentation, SDP is useful in certain scenarios; however, these technologies are lacking when it comes to integrating with SIEM, from which most organisations want to manage their security operations.
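To make the microsegmentation and SDP ideas above concrete, the following is an added example (not SentinelOne’s code and not the CSA’s reference SDP implementation): a minimal default-deny policy check that only allows a flow when the source is a known, verified workload and an explicit rule permits the source segment to reach the destination segment on that port. The inventory, the roles, the policy rules and the flow records are all constructed for illustration; the `verified` flag stands in for whatever identity and posture check an SDP controller would perform, and the `unknown_devices` helper shows the visibility gap, since any device missing from the inventory cannot be placed in a segment at all.

```python
# Added example: default-deny microsegmentation / SDP-style policy check.
# All inventory, rules and flows below are constructed; nothing here is vendor code.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    role: str        # segment / zone label, e.g. "web", "db", "mgmt"
    verified: bool   # identity and posture check passed (the SDP "need to know" gate)


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    dst_port: int


# Explicit allow-list between segments; any flow not listed here is denied.
POLICY = (
    Rule("web", "db", 5432),   # app tier may reach the database
    Rule("mgmt", "web", 22),   # admin jump host may SSH to web
    Rule("mgmt", "db", 22),    # ... and to db
)

# Constructed inventory; in practice this comes from discovery, a CMDB or an agent.
INVENTORY = {
    w.ip: w
    for w in (
        Workload("web-01", "10.0.1.10", "web", True),
        Workload("db-01", "10.0.2.10", "db", True),
        Workload("jump-01", "10.0.9.5", "mgmt", True),
        Workload("jump-02", "10.0.9.6", "mgmt", False),  # failed posture check
    )
}


def lookup(ip: str) -> Optional[Workload]:
    """Resolve an IP to a known workload, or None if we have no record of it."""
    return INVENTORY.get(ip)


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> tuple[str, str]:
    """Return (verdict, reason) for a single connection attempt."""
    src, dst = lookup(src_ip), lookup(dst_ip)
    if src is None or dst is None:
        # Visibility gap: a device we cannot identify is treated as rogue.
        return "deny", "unknown-device"
    if not src.verified:
        # Zero trust: being inside the network is not enough; identity must be verified.
        return "deny", "unverified-identity"
    for rule in POLICY:
        if (rule.src_role, rule.dst_role, rule.dst_port) == (src.role, dst.role, dst_port):
            return "allow", f"{src.role}->{dst.role}:{dst_port}"
    # Default deny: no rule means no connection, which is what blocks lateral movement.
    return "deny", "no-matching-rule"


def unknown_devices(flows: list[tuple[str, str, int]]) -> list[str]:
    """IPs seen in traffic that the inventory does not know: the segmentation blind spot."""
    seen = {ip for src, dst, _ in flows for ip in (src, dst)}
    return sorted(ip for ip in seen if lookup(ip) is None)


def audit(flows: list[tuple[str, str, int]]) -> list[tuple[str, str, int, str, str]]:
    """Evaluate every observed flow and attach the verdict and reason."""
    return [(s, d, p, *evaluate(s, d, p)) for s, d, p in flows]


# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.0.1.10", "10.0.2.10", 5432),     # legitimate app -> db
    ("10.0.2.10", "10.0.1.10", 22),       # db host trying to SSH to web: lateral movement
    ("10.0.9.6", "10.0.2.10", 22),        # admin host that failed verification
    ("192.168.7.44", "10.0.2.10", 5432),  # unlisted device, e.g. a rogue IoT camera
]

if __name__ == "__main__":
    for row in audit(FLOWS):
        print(row)
    print("unknown devices:", unknown_devices(FLOWS))
```

Run as-is it prints one verdict per flow: only the web-to-database flow is allowed, the database host’s SSH attempt is denied for lack of a rule, the unverified jump host is denied despite being an inventoried management machine, and the camera is denied because nobody knows it exists. That last case is the point of the visibility argument: a policy engine can only enforce segments for devices it can identify.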
And what about the Internet of Things (IoT)?
The problem of visibility is even more acute when it comes to IoT devices. Handling complexity is one thing; handling things you don’t even know are there is harder still. The newer approaches described above (SDP, zero trust, microsegmentation), and even the traditional ones (network, perimeter and endpoint solutions), have little to say about the other entities and threats modern networks are exposed to, such as “smart” or IoT devices. Once the network extends to servers the organisation does not own (“in the cloud”) and is reachable by connected devices it never provisioned, the perimeter becomes truly irrelevant, and so do the traditional security solutions built around it.
How do you handle scale and machine speed?
In addition to all the challenges mentioned, we need to consider that things are not merely getting more complex and harder to inventory, but also more numerous. There are more endpoints, servers, connected devices, cloud applications and users than ever before, and each one is a potential entry point into the network.
On top of the sheer quantity of devices connecting to company assets, these elements operate, generate data and communicate at a much greater speed than in the past, giving IT and security personnel less time to react to threats and malfunctions.
As much as security people would like these trends to reverse, it’s impossible to turn this ship. Cloud, hybrid networks and connected devices are integral parts of the modern enterprise.
Augmenting existing solutions with a security platform
Enterprises will continue to use existing solutions such as firewalls, network traffic analysis (NTA) and endpoint security. But trying to combine multiple existing solutions with new methodologies and products, all from an array of different vendors, is a sure way to increase complexity, reduce visibility and generate more work.
Integrating new products and workflows can be a real burden, and if you think alert fatigue is bad today, wait and see how hard it will be to manage thousands of alerts across multiple systems, various consoles and diverse dashboards.
The answer to this cloud of chaos is to reduce complexity: to unify these solutions onto a single platform that can, from a single console and a single endpoint agent, enable autonomous prevention, detection and response. A single platform that can hunt in the context of all enterprise assets, be they on-premises, in the cloud or rogue devices, such as insecure BYOD equipment attached to the network by employees outside of IT control, or external attackers impersonating legitimate devices.
This platform should be automated, and future-proof – meaning it must be able to integrate with additional solutions and cloud platforms through a rich set of native APIs – and, of course, it must be able to counter novel threats through utilising machine learning and behavioural detection.
Such a platform should enable all required security functionalities – external device and firewall controls, alert handling, forensic investigation and proactive hunting, on all endpoints, IoT devices and cloud platforms, and it should not require extensive training or manpower to operate.
A single security platform that can solve the challenges of modern enterprise architecture and not only cater for today’s complexities and threats, but also easily “grow” along with the organic growth of the organisation, is the only plausible investment in the future of your enterprise security.
Yotam Gutman, Director of Marketing, SentinelOne