The headlines over the past few years have been consistent – enterprises are pouring more and more money into cybersecurity countermeasures. Indications are that 2020 will be no different, with reports that nearly three quarters of CISOs plan to ask their CFOs for increased cybersecurity investment next year.
The CISOs I speak with are increasingly turning their investments towards improved prevention techniques versus remediation approaches. Its not that they’re not looking to improve orchestration and automation to deal with security incidents, but they are doubling down on trying to prevent incidents from occurring in the first place (or lessening their impact at the very least).
In terms of lessening impact, microsegmentation is an important theme that many groups are pursuing, and in the improved prevention realm, I am seeing organizations place bets on isolation technology.
The promise of the microsegmentation is straightforward: By creating very granular segments within an IT infrastructure, an organization effectively limits the size of their network’s attack surface by breaking it into a lot of small pieces. If a particular segment gets compromised, the other segments are “walled-off” and protected. Conversely, when an unsegmented network is penetrated, attackers have free reign to move laterally within it. The more granular your organization can make these segments, the less of an impact a security incident will have, since only that segment and the limited resources and data it contains will be exposed. Less exposure and less to remediate – what’s not to like?
Microsegmentation aligns with principles of zero-trust security, which enforces proper authorization and validation for limited access to applications, data or systems. With a zero-trust approach, all devices, networks and resources are microsegmented and individual access is restricted to give users only what they need access to. Granular microsegmentation can be complex to deploy and manage, but the finer an enterprise can make its segments, the greater the security benefits it will accrue.
From a technology perspective, next-generation firewalls (NGFWs) are key segmentation-enabling tools, but organizations need to leverage complementary techniques beyond NGFW, such as software-defined Perimeters (SDPs), cloud-access service brokers (CASBs), encryption and proxies to roll out a microsegmentation approach that protects their data wherever it resides.
One final point regarding microsegmentation – when identifying access policies for microsegments, applications and other system resources, it’s important to have a system that allows session-based information that can be used to modify your access policy decisions. One example is having the flexibility to reject an individual’s access to a database in Amazon Web Services (AWS) that they regularly have authorization to if the user requests access from a remote location or a device that does not have the latest required security update.
What do you do about resources that users need to access that cannot be easily segmented? The web is a case in point. Yes, you can use threat intelligence to try to identify known bad sites and known good sites, but what about the great big middle ground? There are millions and millions of sites that have limited reputational history and have risk scores akin to a 5 out of 10 on a 10-point scale. Should users be blocked from accessing them? It sounds reasonable, unless you are the employee that needs to get to a site to complete a critical business function and you cannot get there. But with the biggest threat vector for successful delivery of malware still being the web and email, excessive blocking has become the fallback position, creating frustrated users and operational headaches for IT teams.
But a new technique, called remote browser isolation (RBI), has changed the playing field for organizations who want to open up web access while improving threat-prevention and security. Here’s how it works: RBI prevents ransomware and advanced web threats from reaching user endpoints, by executing active web content in a remote, isolated container in the cloud. An interactive media stream representing the website is sent to the endpoint’s browser, providing a safe, seamless user experience. Whether users browse to a malicious site on their own or reach one by clicking a URL embedded in a phishing email or a malicious PDF document, they are safe, since no web content is ever executed directly on the device. Malware is “walled off” from the endpoint, regardless of the level of trust and organization places on the site. This approach is called zero-trust browsing.
Whether authorized users need to connect to network resources, or need to venture out to the web to complete important tasks, access can and should be granted through the lens of a zero-trust security framework. Wherever possible, deploy microsegmentation as a critical zero-trust network control. When its not possible or practical, look to complementary zero-trust techniques, such as isolation, to extend zero-trust to other aspects of your IT infrastructure.
David Canellos is president and CEO of Ericom Software.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.