Over the last nine months, we’ve seen unprecedented growth in the number of corporate employees working away from the office. Many rely on VPNs for connectivity; IT Security and Network Ops trust the Virtual Private Networks with their cadre of external and internal firewalls grouped around the concentrator typically within a conventional perimeter network.
VPNs have served us well – until now. VPNs represent a huge and popular attack surface and are complex and expensive to implement and manage in dynamic environments. Vulnerabilities in VPNs are exploited by hackers within hours of disclosure. Malware gets planted on concentrators as part of APT (advanced persistent threat) campaigns with goal of stealing sensitive data. We’re not telling you anything you don’t already know.
Comcast Business, a prominent telecommunications company serving thousands of large and small businesses, launched a campaign promoting their emphasis on security. They sponsored an IDG report titled, Shifting Cybersecurity to Support the Expanded Remote Workforce explaining that the increase in remote workers is resulting in an increase in threats from outside the corporate network. Phishing attacks, using email, plant malware inside the network. Identities are stolen and spoofing penetrates corporate networks with the goal of stealing data or money.
Business Email Compromise or BEC is a common method used to acquire publicly available email accounts of executives. With the stolen credentials, fraudsters impersonate CEOs or other executives and initiate elaborate plans to exfiltrate data or perform fraudulent wire transfers siphoning funds to private accounts.
Email platforms have new features to enlist users to detect phishing. The user reports phishing from their Outlook ribbon, for example, alerts Security Operations and a workflow is kicked off to ring fence the perpetrator. In the meantime, the VPN, with little knowledge of which users are authorized to access which services, is wide open to the attacker, opening the door to attackers. With a little luck Security might be able to ring fence the phishing attack in several hours – more likely it will be days or weeks. Regardless, the business is disrupted and the expensive, time consuming clean up begins. Does it really have to be this way?
No. Security practitioners are beginning to understand that services, especially in the cloud, can be protected by selectively replacing VPNs with the software defined perimeter (SDP). The deny all, authenticate-first architecture of the SDP is like having a private application VPN – but without the vulnerabilities. Unauthorized users trying to access services or data are denied by a software gateway to the application or service. The SDP gateway denies access to imposters attempting access without a SPA packet – dynamically enforcing policy. SDP – the Future
Zero Trust models and SDP (software defined perimeter) can hide applications and services from attackers. The RESILIANT SDP prevents access to attackers using stolen credentials with a powerful combination of SPA packets and the RESILIANT software gateway designed to automatically drop packets in real time. We believe that SDP will make BEC more difficult by quickly denying access when credentials have been compromised.
Another advantage to the RESILIANT SDP is that it integrates into the CI/CD, imbedded in OpenShift as an example, ensuring access and authorization policies are built into the application/service and instantiated at run time. Did you know that SDP, with an efficient design scales and reduces or eliminates operational overhead and automatically drops connections in real time if unauthorized users, compromised devices or rogue services are detected?
Let me know what you think. Leave me a comment or reach out to me via LinkedIn to connect and have a discussion.
To learn more about RESILIANT and SDP as a pillar of your Zero Trust model check out the whitepapers HERE.
To download the specifications for the Cloud Security Alliance Open-Source SDP visit www.waverleylabs.com.