Why web apps need to improve secure service access


Protecting modern distributed networks, including web apps, software-as-a-service (SaaS) apps, privately hosted apps and resources and the devices used to access web apps continues to elude enterprises, leading to data breaches, ransomware attacks and more. 

Most tech stacks aren’t designed to treat devices, personal identities and web access points as a security perimeter. Enterprises need to improve secure service access (SSA) by fast-tracking the adoption of the latest solutions to close gaps in network security and protect apps and the data they use.  

SSA is more relevant than ever because it presents how enterprises need to modify their cybersecurity tech stacks into a single integrated platform, replacing multiple point products with a cloud security platform.  

“As enterprises look to reduce their attack surface by reinforcing their security capabilities, they’re faced with a confusing array of alternatives. While some vendors deliver a single integrated platform offering end-to-end secure service access, others are repackaging existing point products, developing a common UI for multiple solutions, or riding the acronym bandwagon,” Ivan McPhee, senior industry analyst at GigaOm, told VentureBeat. “Decision-makers should look beyond the marketecture [an approach to marketing to simplify an org’s creations of products or services, while holding to marketing requirements] to find a robust, flexible and fully integrated solution that meets their organization’s unique needs irrespective of network architecture, cloud infrastructure or user location and device.”

Every multipoint product in a cybersecurity tech stack is another point of failure or, worse, a source of implicit trust that cybercriminals can exploit to access apps and networks in hours. GigaOm’s new report (access courtesy of Ericom Software) is a comprehensive assessment of the SSA landscape and the vendors’ solutions. 

Enterprises need to reorient tech stacks from being data-centered and edge-centric to focusing on user identities, which they can achieve by adopting SSA. That’s great news for enterprises pursuing a zero-trust strategy predicated on seeing human and machine identities as their organizations’ security perimeter.  

“As attacks morph and new devices are onboarded at scale, organizations should look for SSA solutions incorporating AI/ML [artificial intelligence and machine learning]-powered security capabilities to detect and block sophisticated new threats in real time with behavior-based, signatureless attack prevention and automated policy recommendations,” McPhee said.

GigaOm’s report details how SSA is evolving to be cloud-native first, along with layered security functions. 

The design goal is to meet organizations’ specific cybersecurity needs irrespective of network architecture, cloud infrastructure, user location or device. GigaOm sees Cato Networks, Cloudflare, Ericom Software and ZScaler as being outperformers in SSA today, with each providing the core technologies for enabling a zero-trust framework.  

“The speed at which vendors integrate point solutions or acquired functions into their SSA platforms varies considerably — with smaller vendors often able to do so faster,” McPhee said. “As vendors strive to establish themselves as leaders in this space, look for those with both a robust SSA platform and a clearly defined roadmap covering the next 12-18 months.” 

McPhee continued, advising enterprises to not “… settle for your incumbent vendor’s solution. With the emergence of new entrants and exciting innovation, explore all your options before creating a shortlist based on current and future features, integration-as-a-service capabilities and in-house skills.”

GigaOm’s Radar Chart characterizes each vendor on two axes, Maturity versus Innovation and Feature Play versus Platform Play, while the length of the arrow indicates the predicted evolution of the solution over the coming 12 to 18 months.

The challenge of unmanaged devices

One of the most challenging aspects of access security for CISOs and CIOs is the concept of bring-your-own-device (BYOD) and unmanaged devices (e.g., third-party contractors, consultants, etc.). Employees’ and contractors’ use of personal devices for professional activity continues to grow at record rates due to the pandemic and widespread acceptance of virtual workforces. 

For example, BYOD usage increased by 58% during the COVID-19 pandemic. Gartner forecasts that up to 70% of enterprise software interactions will occur on mobile devices this year. 

In addition, organizations are relying on contractors to fill positions that have previously been challenging to fill with full-time employees. As a result, unmanaged devices proliferate in virtual workforces and across third-party consultants, creating more attack vectors. 

The net result is that device endpoints, identities and threat surfaces are being created faster and with greater complexity than enterprises can keep up with. Web applications and SaaS apps — like enterprise resource planning (ERP) systems, collaboration platforms and virtual meetings — are popular attack vectors, where cybercriminals first concentrate on breaching networks, launching ransomware and exfiltrating data. 

Unfortunately, the traditional security controls enterprises rely on to address these threats – web application firewalls (WAFs) and reverse proxies – have proven to be less than effective in protecting data, networks and devices. 

In the context of the security challenge, GigaOm highlighted Ericom’s ZTEdge platform’s web application isolation capability as an innovative approach to addressing the issues with BYOD and unmanaged device access security.      

How web application isolation works 

Unlike traditional WAFs that protect network perimeters, the web application isolation technique air gaps networks and apps from malware on user devices using remote browser isolation (RBI). 

IT departments and cybersecurity teams use application isolation to apply granular user-level policies to control which applications each user can access, and how and which actions they’re permitted to complete on each app. 

For example, policies can control file upload/download permissions, malware scanning, DLP scanning, limiting cut-and-paste functions (clip-boarding) and limiting users’ ability to enter data into text fields. The solution also “masks” the application’s attack surfaces from would-be attackers, delivering protection against the OWASP Top 10 Web Application Security Risks.

Ericom’s approach to web application isolation (WAI) capitalizes on their expertise in remote browser isolation (RBI) and years of assisting small and medium businesses with their zero-trust initiatives and frameworks.
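To make the per-user, per-app controls described above concrete, here is an added example (not Ericom’s ZTEdge code or policy format; the schema, the `evaluate` function and the rule that unmanaged devices never receive file downloads are assumptions for illustration) of a default-deny policy evaluator an isolation gateway could apply to each browser session:

```python
"""Illustrative default-deny policy evaluator for web application isolation.

Added example, not any vendor's implementation. Policy schema, function
names and the unmanaged-device download rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

# Session actions a WAI/RBI gateway can gate, per the controls listed above.
ACTIONS = frozenset({"view", "upload", "download", "clipboard", "text_entry"})


@dataclass(frozen=True)
class AppPolicy:
    allowed: FrozenSet[str]            # actions explicitly granted for this app
    scan_uploads: bool = True          # malware scan required before upload
    dlp_on_download: bool = True       # DLP scan required before download


@dataclass
class UserPolicy:
    apps: Dict[str, AppPolicy] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    required_checks: Tuple[str, ...] = ()


def evaluate(policy: UserPolicy, app: str, action: str,
             managed_device: bool) -> Decision:
    """Decide whether `action` on `app` is permitted for this user/device.

    Everything not explicitly granted is denied: unknown actions, apps the
    user has no grant for, and actions outside the app's allowed set.
    """
    if action not in ACTIONS:
        return Decision(False, f"unknown action {action!r}")
    app_policy = policy.apps.get(app)
    if app_policy is None:
        return Decision(False, f"no grant for app {app!r}")
    if action not in app_policy.allowed:
        return Decision(False, f"{action} not permitted on {app}")
    # Assumed rule: unmanaged (BYOD) devices only ever get rendered pixels,
    # never a file download, regardless of the app grant.
    if action == "download" and not managed_device:
        return Decision(False, "downloads blocked for unmanaged device")
    checks = []
    if action == "upload" and app_policy.scan_uploads:
        checks.append("malware_scan")
    if action == "download" and app_policy.dlp_on_download:
        checks.append("dlp_scan")
    return Decision(True, "allowed", tuple(checks))


# Constructed sample: a contractor who may view/upload to the ERP app and
# view/copy/download from the collaboration app, and nothing else.
CONTRACTOR = UserPolicy(apps={
    "erp": AppPolicy(allowed=frozenset({"view", "upload"})),
    "collab": AppPolicy(allowed=frozenset({"view", "clipboard", "download"})),
})

if __name__ == "__main__":
    for app, action, managed in [("erp", "upload", False),
                                 ("erp", "download", True),
                                 ("hr", "view", True),
                                 ("collab", "download", True),
                                 ("collab", "download", False)]:
        d = evaluate(CONTRACTOR, app, action, managed)
        print(f"{app}:{action} managed={managed} -> {d.allow} ({d.reason}) "
              f"checks={d.required_checks}")
```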

Protecting web apps with zero trust 

Enterprises need to do better at streamlining tech stacks and removing point solutions that conflict with one another and leave endpoints, especially users’ and contractors’ devices, unprotected. GigaOm’s Radar on secure service access shows where and how leading providers bring greater innovation into the market.

Of the many new developments in this area, web application isolation shows significant potential for improving BYOD security with a simplified network-based approach that requires no on-device agents or software.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

10 steps every business can take to avoid a cybersecurity breach


Businesses that survive cyberattacks understand that breaches are inevitable. That’s a strong motivator to make cyber-resilience and business recovery a core part of their DNA. CISOs and IT leaders tell VentureBeat that taking steps beforehand to be more resilient in the face of disruptive and damaging cyberattacks is what helped save their businesses. For many organizations, becoming more cyber-resilient starts with taking practical, pragmatic steps to avoid a breach interrupting operations.

Invest in becoming cyber-resilient

Cyber-resilience reduces a breach’s impact on a company’s operations, from IT and financial to customer-facing. Realizing that every breach attempt won’t be predictable or quickly contained gets businesses in the right mindset to become stronger and more cyber-resilient.

However, it’s a challenge for many businesses to shift from reacting to cyberattacks to beefing up their cyber-resiliency. 

“When we’re talking to organizations, what we’re hearing a lot of is: How can we continue to increase resiliency, increase the way we’re protecting ourselves, even in the face of potentially either lower headcount or tight budgets? And so it makes what we do around cyber-resiliency even more important,” said Christy Wyatt, president and CEO of Absolute Software, in a recent BNN Bloomberg interview. “One of the unique things we do is help people reinstall or repair their cybersecurity assets or other cybersecurity applications. So a quote from one of my customers was: It’s like having another IT person in the building,” Christy continued.   

Boston Consulting Group (BCG) found that the typical cybersecurity organization spends 72% of its budget on identifying, protecting and detecting breaches and only 18% on response, recovery and business continuity. MIT Sloan Management Review’s recent article, An Action Plan for Cyber Resilience, states that the wide imbalance between identification and response, recovery and business continuity leaves organizations vulnerable to cyberattacks. It states that “the imbalance leaves companies unprepared for the wave of new compliance legislation coming, including new rules proposed by the U.S. Securities and Exchange Commission that would require companies’ SEC filings to include details on ‘business continuity, contingency, and recovery plans in the event of a cybersecurity incident.’”

“To maximize ROI in the face of budget cuts, CISOs will need to demonstrate investment into proactive tools and capabilities that continuously improve their cyber-resilience,” said Marcus Fowler, CEO of Darktrace. Gartner’s latest market forecast of the information security and risk management market sees it growing from $167.86 billion last year to $261.48 billion in 2026. That reflects how defensive cybersecurity spending is dominating budgets, when in reality there needs to be a balance. 

Steps every business can take to avoid a breach 

It’s not easy to balance identifying and detecting breaches against responding and recovering from them. Budgets heavily weighted toward identification, protection and detection systems mean less is spent on cyber-resilience.

Here are 10 steps every business can take to avoid breaches. They center on how organizations can make progress on their zero-trust security framework initiative while preventing breaches now.

1. Hire experienced cybersecurity professionals who have had both wins and losses.

It’s crucial to have cybersecurity leaders who know how breaches progress and what does and doesn’t work. They’ll know the weak spots in any cybersecurity and IT infrastructure and can quickly point out where attackers are most likely to compromise internal systems. Failing at preventing or handling a breach teaches more about breaches’ anatomy, how they happen and spread, than stopping one does. These cybersecurity professionals bring insights that will achieve or restore business continuity faster than inexperienced teams could.

2. Get a password manager and standardize it across the organization.

Password managers save time and secure the thousands of passwords a company uses, making this an easy decision to implement. Choosing one with advanced password generation, such as Bitwarden, will help users create more hardened, secure passwords. Other highly regarded password managers used in many small and medium businesses (SMBs) are 1Password Business, Authlogics Password Security Management, Ivanti Password Director, Keeper Enterprise Password Management, NordPass and Specops Software Password Management.

3. Implement multifactor authentication.

Multifactor authentication (MFA) is a quick cybersecurity win — a simple and effective way to add an extra layer of protection against data breaches. CISOs tell VentureBeat that MFA is one of their favorite quick wins because it provides quantifiable evidence that their zero-trust strategies are working.

Forrester notes that not only must enterprises excel at MFA implementations, they must also add a what-you-are (biometric), what-you-do (behavioral biometric) or what-you-have (token) factor to legacy what-you-know (password or PIN code) single-factor authentication implementations.

Forrester senior analyst Andrew Hewitt told VentureBeat that the best place to start when securing endpoints is “always around enforcing multifactor authentication. This can go a long way toward ensuring that enterprise data is safe. From there, it’s enrolling devices and maintaining a solid compliance standard with the Unified Endpoint Management (UEM) tool.”

4. Shrink the company’s attack surface with microsegmentation.

A core part of cyber-resilience is making breaches difficult. Microsegmentation delivers substantial value to that end. By isolating every device, identity, and IoT and IoMT sensor, you prevent cyberattackers from moving laterally across networks and infrastructure.

Microsegmentation is core to zero trust, and is included in the National Institute of Standards and Technology (NIST) Zero Trust Architecture guidelines, NIST SP 800-207. “You won’t be able to credibly tell people that you did a zero-trust journey if you don’t do the microsegmentation,” David Holmes, senior analyst at Forrester, said during the webinar “The Time for Microsegmentation Is Now” hosted by PJ Kirner, CTO and co-founder of Illumio.

Leading microsegmentation providers include AirGap, Algosec, ColorTokens, Cisco Identity Services Engine, Prisma Cloud and Zscaler Cloud Platform.

Airgap’s Zero Trust Everywhere solution treats every identity’s endpoint as a separate microsegment, providing granular context-based policy enforcement for every attack surface, thus killing any chance of lateral movement through the network. AirGap’s Trust Anywhere architecture also includes an Autonomous Policy Network that scales microsegmentation policies network-wide immediately.

AirGap’s ingenious approach to providing microsegmentation doesn’t require modifications to existing tech stacks while still providing. Source: AirGap

5. Adopt remote browser isolation (RBI) to bring zero-trust security to each browser session.

Given how geographically distributed the workforces and partners of insurance, financial services, professional services and manufacturing businesses are, securing each browser session is a must. RBI has proven effective in stopping intrusion at the web application and browser levels.

Security leaders tell VentureBeat that RBI is a preferred approach for getting zero-trust security to each endpoint because it doesn’t require their tech stacks to be reorganized or changed. With RBI’s zero-trust security approach to protecting each web application and browser session, organizations can enable virtual teams, partners and suppliers on networks and infrastructure faster than if a client-based application agent had to be installed.

Broadcom, Forcepoint, Ericom, Iboss, Lookout, NetSkope, Palo Alto Networks and Zscaler are all leading providers. Ericom has taken its solution further: It can now protect virtual meeting environments, including Microsoft Teams and Zoom. 

6. Data backups are essential for preventing long-term damage following a data breach.

CISOs and IT leaders tell VentureBeat that having a solid backup and data retention strategy helps save their businesses and neutralize ransomware attacks. One CISO told VentureBeat that backup, data retention, recovery and vaulting are one of the best business decisions their cybersecurity team made ahead of a string of ransomware attacks last year. Data backups must be encrypted and captured in real time across transaction systems.

Businesses are backing up and encrypting every website and portal across their external and internal networks to safeguard against a breach. Regular data backups are essential for companies and website owners to mitigate the risk of data breaches.

7. Ensure only authorized administrators have access to endpoints, applications and systems.

CISOs need to start at the source, ensuring that former employees, contractors and vendors no longer have access privileges as defined in IAM and PAM systems. All identity-related activity should be audited and tracked to close trust gaps and reduce the threat of insider attacks. Unnecessary access privileges, such as those of expired accounts, must be eliminated.

Kapil Raina, vice president of zero-trust marketing at CrowdStrike, told VentureBeat that it’s a good idea to “audit and identify all credentials (human and machine) to identify attack paths, such as from shadow admin privileges, and either automatically or manually adjust privileges.”

8. Automate patch management to give the IT team more time for larger projects.

IT teams are understaffed and frequently involved in urgent, unplanned projects. Yet patches are essential for preventing a breach and must be completed on time to alleviate the risk of a cyberattacker discovering a weakness in infrastructure before it is secured.

According to an Ivanti survey on patch management, 62% of IT teams admit that patch management takes a back seat to other tasks. Sixty-one percent of IT and security professionals say that business owners ask for exceptions or push back maintenance windows once per quarter because their systems cannot be brought down and they don’t want the patching process to impact revenue.

Device inventory and manual approaches to patch management aren’t keeping up. Patch management needs to be more automated to stop breaches.

Taking a data-driven approach to patch management helps. Ivanti Neurons for Risk-Based Patch Management is an example of how AI and machine learning (ML) are being used to provide contextual intelligence that includes visibility into all endpoints, both cloud-based and on-premise, streamlining patch management in the process.

Ivanti takes a data-driven approach to patch management that’s proving successful in scaling across enterprise-wide endpoints and devices, alleviating the need for IT teams to manage patches manually. Source: Ivanti

9. Regularly audit and update cloud-based email security suites to their latest release.

Performing routine checks of cloud-based email security suites and system settings, including verifying the software versions and all up-to-date patches, is critical. Testing security protocols and ensuring all user accounts are up-to-date is also a must. Set up continuous system auditing to ensure that any changes are properly logged and no suspicious activity occurs.

CISOs also tell VentureBeat they are leaning on their email security vendors to improve anti-phishing technologies and better zero-trust-based control of suspect URLs and attachment scanning. Leading vendors use computer vision to identify suspect URLs to quarantine and destroy.

CISOs are getting quick wins in this area by moving to cloud-based email security suites that provide email hygiene capabilities. According to Gartner, 70% of email security suites are cloud-based.

“Consider email-focused security orchestration automation and response (SOAR) tools, such as M-SOAR, or extended detection and response (XDR) that encompasses email security. This will help you automate and improve the response to email attacks,” wrote Paul Furtado, VP analyst at Gartner, in the research note How to Prepare for Ransomware Attacks [subscription required]. 

10. Upgrade to self-healing endpoint protection platforms (EPP) to recover faster from breaches and intrusions.

Businesses need to consider how they can bring greater cyber-resilience to their endpoints. Fortunately, a core group of vendors has worked to bring to market innovations in self-healing endpoint technologies, systems and platforms.

Leading cloud-based endpoint protection platforms can track current device health, configuration, and any conflicts between agents while also thwarting breaches and intrusion attempts. Leaders include Absolute Software, Akamai, BlackBerry, Cisco, Ivanti, Malwarebytes, McAfee, Microsoft 365, Qualys, SentinelOne, Tanium, Trend Micro and Webroot.

In Forrester’s recent Future of Endpoint Management report, the research firm found that “one global staffing company is already embedding self-healing at the firmware level using Absolute Software’s Application Persistence capability to ensure that its VPN remains functional for all remote workers.”

Forrester observes that what makes Absolute’s self-healing technology unique is the way it provides a hardened, undeletable digital tether to every PC-based endpoint.

Absolute introduced Ransomware Response based on insights gained from protecting against ransomware attacks. Andrew Hewitt, the author of the Forrester report, told VentureBeat that “most self-healing firmware is embedded directly into the OEM hardware. With cyber-resiliency being an increasingly urgent priority, having firmware-embedded self-healing capabilities in every endpoint quickly becomes a best practice for EPP platforms.”

Get stronger at cyber-resilience to prevent breaches 

Having a breach-aware mindset is essential to achieving business continuity and getting results from zero-trust security strategies. To increase their cyber-resilience, businesses need to invest in technologies and strategies that improve their ability to respond, recover and continually operate.

Key strategies include hiring experienced cybersecurity professionals, using password managers, implementing multifactor authentication, using microsegmentation to shrink attack surfaces, using remote browser isolation, keeping regular backups of data, auditing administrators’ access privileges, automating patch management, regularly auditing and updating cloud-based email security suites, and upgrading to self-healing endpoint protection platforms.

When businesses become more cyber-resilient, they will be better equipped to handle a breach, minimize its impact and quickly recover.

How AI protects machine identities in a zero-trust world

This article is part of a VB special issue. Read the full series here: Intelligent Security

Bad actors know all they need to do is find one unprotected machine identity, and they’re into a company’s network. Analyzing their breaches shows they move laterally across systems, departments, and servers, looking for the most valuable data to exfiltrate while often embedding ransomware. By scanning enterprise networks, bad actors often find unprotected machine identities to exploit. These factors are why machine identities are a favorite attack surface today.

Why machine identities need zero trust 

Organizations quickly realize they’re competing in a zero-trust world today, and every endpoint, whether human or machine-based, is their new security perimeter. Virtual workforces are here to stay, creating thousands of new mobility, device, and IoT endpoints. Enterprises are also augmenting tech stacks to gain insights from real-time monitoring data captured using edge computing and IoT devices. 

Forrester estimates that machine identities (including bots, robots and IoT) grow twice as fast as human identities on organizational networks. These factors combine to drive an economic loss of between $51.5 billion and $71.9 billion attributable to poor machine identity protection. Exposed APIs also lead to machine identities being compromised, contributing to machine identity attacks growing 400% between 2018 and 2019 and by over 700% between 2014 and 2019.

Defining machine identities 

Getting zero trust strategies to scale for machine identities is challenging given how varied their configurations are, combined with how certificate and key management needs to be consistent across each device’s lifecycle to be effective.

CISOs tell VentureBeat they are selectively applying AI and machine learning to the areas of their endpoint, certificate and key lifecycle management strategies that need greater automation and scale today. An example is how one financial services organization pursuing a zero trust strategy uses AI-based Unified Endpoint Management (UEM) that keeps machine-based endpoints current on patches, using AI to analyze each endpoint and deliver the appropriate patch to it.

How AI is protecting machine identities 

It’s common for an organization not to know how many machine identities it has at any given moment, according to a recent conversation VentureBeat had with the CISO of a Fortune 100 company. It’s understandable, given that 25% of security leaders say the number of identities they’re managing has increased by a factor of ten or more in the last year. Eighty-four percent of security leaders say the number of identities they manage has doubled in the last year. All of this translates into a growing workload for already overloaded IT and security teams, 40% of which are still using spreadsheets to manually track digital certificates, combined with 57% of enterprises not having an accurate inventory of SSH keys. Certificate outages, key misuse or theft, including granting too much privilege to employees who don’t need it, and audit failures are symptoms of a bigger problem with machine identities and endpoint security.

Most CISOs VentureBeat speaks with are pursuing a zero trust strategy long-term and have their boards of directors supporting them. Boards want to see new digital-first initiatives drive revenue while reducing the risks of cyberattacks. CISOs are struggling with the massive workloads of protecting machine identities while pursuing zero trust. The answer is automating key areas of endpoint lifecycle management with AI and machine learning. 

The following are five key areas AI and machine learning (ML) show the potential to protect machine identities in an increasingly zero-trust world.

  • Automating machine governance and policies. Securing machine-to-machine communications successfully starts with consistently applying governance and policies across every endpoint. Unfortunately, this isn’t easy because machine identities in many organizations rely on siloed systems that provide little if any visibility and control for CISOs and their teams. One CISO told VentureBeat recently that it’s frustrating given how much innovation is going on in cybersecurity. Today, there is no single pane of glass that shows all machine identities and their governance, user policies, and endpoint health. Vendors to watch in this area include Ericom with their ZTEdge SASE Platform and their Automatic Policy Builder, which uses machine learning to create and maintain user or machine-level policies. Their customers say the Policy Builder is proving to be effective at automating repetitive tasks and delivering higher accuracy in policies than could be achieved otherwise. Additional vendors to watch include Delinea, Microsoft Security, Ivanti, SailPoint, Venafi, ZScaler, and others.
Ericom’s AI-based Automatic Policy Builder automatically creates policies for each user based on their observed behavior based on applications and machines typically accessed.  Policies can be manually adjusted and updated to create a personalized policy, enabling least-privilege access without burdening IT staff.
  • Automating patch management while improving visibility and control. Cybersecurity vendors prioritize patch management, improved visibility, and machine identity control because their results drive funded business cases. Patch management, in particular, is a fascinating area of AI-based innovation for machine identities today. CISOs tell VentureBeat it’s a sure sign of cross-functional teams both within IT and across the organization not communicating with each other when there are wide gaps in asset inventories, including errors in key management databases. Vulnerability scans need to be defined by a given organization’s risk tolerance, compliance requirements, type and taxonomy of asset classes, and available resources. It’s a perfect use case for AI and algorithms to solve complex constraint-based problems, including patching thousands of machines within the shortest time. Taking a data-driven approach to patch management is helping enterprises defeat ransomware attacks. Leaders in this area include BeyondTrust, Delinea, Ivanti, KeyFactor, Microsoft Security, Venafi, ZScaler, and others.
  • Using AI and ML to discover new machine identities. It’s common for cybersecurity and IT teams not to know where up to 40% of their machine endpoints are at any given point in time. Given the various devices and workloads IT infrastructures create, the fact that so many machine identities are unknown amplifies how critical it is to pursue a zero-trust security strategy for all machine identities. Cisco’s approach is unique, relying on machine learning analytics to analyze endpoint data comprised of over 250 attributes. Cisco branded the service AI Endpoint Analytics. The system rule library is a composite of various IT and IoT devices in an enterprise’s market space. Beyond the system rule library, Cisco AI Endpoint Analytics has a machine-learning component that helps build endpoint fingerprints to reduce the net unknown endpoints in your environment when they are not otherwise available. Ivanti Neurons for Discovery is also proving effective in providing IT and security teams with accurate, actionable asset information they can use to discover and map the linkages between key assets and the services and applications that depend on those assets. Additional AI/ML leaders in discovering new machine identities include CyCognito, Delinea, Ivanti, KeyFactor, Microsoft Security, Venafi, ZScaler, and others.
Cisco’s AI Endpoint Analytics platform aggregates data from various sources in the network, collates and analyzes it to build a detailed endpoint profile, and groups similar endpoints by applying artificial intelligence and machine learning (AI/ML) techniques.
  • Key and digital certificate configuration. Arguably one of the weakest links in machine identity and machine lifecycle management, key and digital certificate configurations are often stored in spreadsheets and rarely updated to their current configurations. CISOs tell VentureBeat that this area suffers because of the lack of resources in their organizations and the chronic cybersecurity and IT shortage they’re dealing with. Each machine requires a unique identity to manage and secure machine-to-machine connections and communication across a network. Their digital identities are often assigned via SSL, TLS, or authentication tokens, SSH keys, or code-signing certificates. Bad actors target this area often, looking for opportunities to compromise SSH keys, bypass code-signed certificates or compromise SSL and TLS certificates. AI and machine learning are helping to solve the challenges of getting key and digital certificates correctly assigned and kept up to date for every machine identity on an organizations’ network. Relying on algorithms to ensure the accuracy and integrity of every machine identity with their respective keys and digital certificates is the goal. Leaders in this field include CheckPoint, Delinea, Fortinet, IBM Security, Ivanti, KeyFactor, Microsoft Security, Venafi, ZScaler, and others.    
  • UEM for machine identities. AI and ML adoption accelerates fastest when these core technologies are embedded in endpoint security platforms already in use across enterprises. The same holds for UEM for machine identities. Taking an AI-based approach to managing machine-based endpoints enables the real-time OS, patch, and application updates that are most needed to keep each endpoint secure. Leading vendors in this area include Absolute Software’s Resilience, the industry’s first self-healing zero trust platform; it’s noteworthy for its asset management, device and application control, endpoint intelligence, incident reporting, and compliance, according to G2 Crowd’s crowdsourced ratings. Ivanti Neurons for UEM relies on AI-enabled bots to seek out machine identities and endpoints and automatically update them, unprompted. Its approach to self-healing endpoints is noteworthy for creatively combining AI, ML, and bot technologies to deliver UEM and patch management at scale across its customer base. Additional vendors rated highly by G2 Crowd include CrowdStrike Falcon, VMWare Workspace ONE, and others.

A secure future for machine identity

Machine identities’ complexity makes them a challenge to secure at scale and over their lifecycles, further complicating CISOs’ efforts to secure them as part of their zero-trust security strategies. It’s the most urgent problem many enterprises need to address, however, as just one compromised machine identity can bring an entire enterprise network down. AI and machine learning’s innate strengths are paying off in five key areas, according to CISOs. Business cases to spend more on endpoint security need data to substantiate them, especially when the goal is reducing risk and assuring uninterrupted operations, and AI and ML provide the data techniques and foundation that deliver results in those five areas, ranging from automating machine governance and policies to implementing UEM. The worst ransomware attacks and breaches of 2021 started because machine identities and digital certificates were compromised. The bottom line is that every organization is competing in a zero-trust world, complete with complex threats aimed at any available, unprotected machine.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

What identity threat detection and response (ITDR) means in a zero-trust world



Identities are one of the most attacked perimeters an enterprise has, and the trend continues to accelerate. Cyberattacks aimed at bypassing identity access management (IAM) are succeeding, with cyberattackers moving laterally across enterprise networks undetected. 

By obtaining privileged access credentials, cyberattackers are also exfiltrating enterprises’ most valuable data, including employees’ and customers’ identities and financial information. 

Stolen credentials now account for 61% of all data breaches, a share that is growing as cyberattackers and more sophisticated advanced persistent threat (APT) groups look for new ways to compromise IAM platforms. For example, the SolarWinds breach started with attackers obtaining administrative permissions to the company’s global administrator account. 

From there, they used a trusted Security Assertion Markup Language (SAML) token-signing certificate to forge SAML tokens whenever they wanted, enabling them to move across SolarWinds’ infrastructure at will. Gartner predicts that 75% of security failures will be attributable to poorly managed identities, access and privileges, up from 50% in 2020 — which seems low given how many IAM-based attacks are happening in 2022.


Protecting identities starts with a hardened IAM infrastructure

The limitations of IAM and privileged access management (PAM) are also apparent in multicloud infrastructures. 

Every public cloud provider relies on specific versions of IAM, PAM, policy management, configuration and admin and user access controls, leaving gaps between cloud platforms that cyberattackers are exploiting today. Closing multicloud security gaps and multicloud identity management are two areas where cybersecurity startups are providing much-needed innovation. 

Even when an enterprise has defined and begun to deploy its zero-trust framework, there are still trust gaps in infrastructure and potentially within and between IAM platforms. Zero trust must treat all forms of identity as a threat to be effective, not just user trust alone. 

Application, data, device, transport/session and user trust must be addressed in any zero-trust framework that also looks to harden IAM infrastructure. Identity threat detection and response (ITDR) addresses gaps in identity protection left open by how isolated IAM, PAM and identity governance and administration (IGA) systems are. 

Given the gaps in multicloud architectures and an exponential increase in human and machine-based identities, CISOs and security teams are evaluating ITDR to harden IAM platforms first, especially those deployed in multicloud infrastructures. 

ITDR vendors claim their platforms can provide more efficient investigations into identity-based breach attempts, enable remediation and terminate RDP sessions to prevent administrator accounts from being compromised, along with several other benefits. 

Leading vendors who have announced ITDR solutions or are bundling applications to deliver a unified platform include Authomize, CrowdStrike, Illusive, Microsoft, Netwrix, Quest, Semperis, SentinelOne (Attivo Networks), Silverfort, SpecterOps, Tenable and others. 

Identity threat detection and response in a zero-trust world

A central precept of zero trust is least-privileged access. It’s a core design criterion in the leading IAM, PAM and IGA systems today. These systems are designed to authenticate and authorize an identity request for every least privileged access session, whether the identity is human or machine-based. 

ITDR providers are designing their systems to strengthen least-privileged access by identifying entitlement exposures, privileged escalations that could indicate a breach and identifying credential misuse before a breach can occur. 

Making ITDR a priority is a necessity, knowing that multicloud and container-intensive infrastructures are popular attack vectors, with cyberattackers looking to capitalize on how isolated IAM, PAM and IGA systems are. 

Breaching an IAM gives cyberattackers the keys to the kingdom because they then hold all the credentials they need to take over an enterprise network. There’s also the issue of getting identity orchestration right across multiple cloud platforms, another area where ITDR and SIEM providers are concentrating their solutions today. 

CISOs see value in ITDR from a zero-trust standpoint for several reasons. First, ITDR shows the potential to help consolidate their tech stacks and reduce the overhang of legacy systems and their associated maintenance costs. 

Closing the gaps in multicloud infrastructure by enforcing additional areas of trust over and above user identities is needed. ITDR shows the potential to eradicate any implicit or assumed trust across infrastructure and tech stacks. 

Additionally, CISOs see the potential in ITDR to progress on their zero-trust initiatives without adding more applications to address each identity-based threat surface on their networks. Cyberattackers have successfully used malware to compromise Active Directory (AD) configurations, gaining access to privileged access management and identity management data. 

The collection of technologies and applications that comprise ITDR platforms shows the potential to detect and stop credential theft and privileged misuse. 
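The three signals this section attributes to ITDR platforms (unused entitlements, privilege escalation outside a change window, and one credential authenticating across many hosts in minutes) as toy detections over a constructed identity event log. This is an added example, not code from any vendor named here; the event format, group names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed names of groups whose membership counts as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed sample events (timestamp, actor, action, target); not real logs.
EVENTS = [
    ("2023-03-01T09:00:00", "svc-backup", "AUTH", "host-db01"),
    ("2023-03-01T09:02:00", "svc-backup", "AUTH", "host-web07"),
    ("2023-03-01T09:03:30", "svc-backup", "AUTH", "host-dc01"),
    ("2023-03-01T23:15:00", "jdoe", "GROUP_ADD", "Domain Admins"),
    ("2023-03-01T10:00:00", "alice", "GROUP_ADD", "Domain Admins"),
    ("2023-03-02T08:00:00", "alice", "PRIV_USE", "Domain Admins"),
    ("2023-03-01T10:30:00", "bob", "AUTH", "host-web01"),
]

def parse(events):
    """Turn raw tuples into dicts with a datetime, sorted by time."""
    parsed = [{"ts": datetime.fromisoformat(t), "actor": a, "action": act, "target": tgt}
              for t, a, act, tgt in events]
    return sorted(parsed, key=lambda e: e["ts"])

def unused_entitlements(events):
    """Entitlement exposure: privileged group membership that is never exercised."""
    granted, used = set(), set()
    for e in parse(events):
        if e["target"] in PRIVILEGED_GROUPS:
            if e["action"] == "GROUP_ADD":
                granted.add(e["actor"])
            elif e["action"] == "PRIV_USE":
                used.add(e["actor"])
    return sorted(granted - used)

def offhours_escalations(events, start_hour=8, end_hour=18):
    """Privilege escalation outside the change window: admin-group adds at night."""
    return sorted({e["actor"] for e in parse(events)
                   if e["action"] == "GROUP_ADD" and e["target"] in PRIVILEGED_GROUPS
                   and not start_hour <= e["ts"].hour < end_hour})

def lateral_auth(events, window=timedelta(minutes=5), min_hosts=3):
    """Credential misuse: one account authenticating to many hosts in a short window."""
    by_actor = defaultdict(list)
    for e in parse(events):
        if e["action"] == "AUTH":
            by_actor[e["actor"]].append(e)
    flagged = set()
    for actor, auths in by_actor.items():          # auths are already time-sorted
        for i, first in enumerate(auths):
            hosts = {a["target"] for a in auths[i:] if a["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged.add(actor)
                break
    return sorted(flagged)

def run_detections(events):
    """Run all three checks and return the flagged actors per check."""
    return {"unused_entitlements": unused_entitlements(events),
            "offhours_escalations": offhours_escalations(events),
            "lateral_auth": lateral_auth(events)}

if __name__ == "__main__":
    for name, hits in run_detections(EVENTS).items():
        print(f"{name}: {hits or 'none'}")
```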

What CISOs are doing now 

The CISOs with a budget for zero-trust initiatives are after quick wins for those projects delivering measurable value and results. Multifactor authentication and endpoint security for virtual workforces are two examples. 

Given how many workloads they have moving into multicloud infrastructure, closing the gaps between cloud providers’ unique IAM and PAM systems is also a high priority. 

CISOs may get an opportunity to build a new business case for additional zero-trust funding this year, given how attacks on identity management are increasing. 

As for enterprises’ interest and commitment to zero trust, Ericom’s 2021 Zero Trust Market Dynamics Survey found that 83% of security and risk professionals believe zero trust is strategically important to their businesses. 

Additionally, 52% see zero trust as more proactive than traditional approaches to securing their enterprises. Identity and access management is where 42% of security and risk professionals plan to get started with zero trust. Securing those new IAM, PAM and IGA systems needs to be considered in any new business case this year, as attacks to circumvent and exploit identity systems are increasing.


Why SASE will benefit from faster consolidation of networking and security



Seventy-five percent of enterprises are pursuing vendor consolidation, up from 29% just three years ago, with secure access service edge (SASE) experiencing significant upside growth as a result. SASE is also proving effective at improving enterprise security postures by providing zero trust network access (ZTNA) at scale.

CIOs tell VentureBeat SASE is getting traction because of its potential to streamline consolidation plans while factoring in ZTNA to the endpoint and identities. 

“If I have five different agents, five different vendors on an endpoint, for example, that’s much overhead support to manage, especially when I have all these exceptional cases like remote users and suppliers. So number one is consolidate,” Kapil Raina, vice president of zero trust, identity, and data security marketing at CrowdStrike, told VentureBeat during a recent interview.

Nearly all cybersecurity leaders have consolidating tech stacks on their roadmaps  

Leading cybersecurity providers, including CrowdStrike, Cisco, Fortinet, Palo Alto Networks, VMware and Zscaler, are fast-tracking product roadmaps to turn consolidation into a growth opportunity. Nearly every CISO VentureBeat spoke with mentions consolidation as one of their top three goals for 2023.


That’s a point not lost on cybersecurity industry leaders. Cynet’s 2022 survey of CISOs found that nearly all have consolidation on their roadmaps, up from 61% in 2021. CISOs believe consolidating their tech stacks will help them avoid missing threats (57%) and reduce the need to find qualified security specialists (56%) while streamlining the process of correlating and visualizing findings across their threat landscape (46%).

At Palo Alto Networks’ Ignite ’22 conference last year, Nikesh Arora, Palo Alto Networks chairman and CEO, shared the company’s vision for consolidation — and it’s core to the company’s strategy.

Nikesh added that “customers are actually onto it. They want the consolidation because right now, customers are going through the three biggest transformations ever: They’re going to network security transformation, they’re going through a cloud transformation, and [though] many of them don’t know [it] … they’re about to go to a security operations center (SOC) transformation.” Ignite ’22 showed Palo Alto Networks doubling its R&D and DevOps teams fast-tracking Prisma SASE with new AI-based enhancements.

With a common policy framework and single-pane-of-glass management, Prisma Access is designed to secure hybrid workforces while also providing enterprises with a clear path to consolidating network and security tech stacks, which is what CIOs and CISOs are looking for. Source: Palo Alto Networks Prisma SASE Overview

SASE grows when network and security tech stacks consolidate 

Legacy network architectures can’t keep up with cloud-based workloads, and their perimeter-based security is proving to be too much of a liability, CIOs and CISOs tell VentureBeat anonymously. The risk levels rise to become board-level concerns that give CISOs the type of internal visibility they don’t want. In addition, the legacy network architectures are renowned for poor user experiences and wide security gaps. Esmond Kane, CISO of Steward Health, advises: “Understand that — at its core — SASE is zero trust. We’re talking about identity, authentication, access control and privilege. Start there and then build out.” 

Gartner’s definition of SASE says that “secure access service edge (SASE) delivers converged network and security-as-a-service capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA). SASE supports branch offices, remote workers, and on-premises secure access use cases.

“SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.”

Foundations of SASE

Gartner developed the SASE framework in response to a growing number of client inquiries about adapting existing networking and cybersecurity infrastructure to better support digitally driven ventures.

Enterprises are on the hunt for every opportunity to consolidate tech stacks further. Given SASE’s highly integrated nature, the platform delivers the opportunities CIOs and CISOs need. Combining network-as-a-service and network-security-as-a-service to deliver SASE is why the platform is capitalizing on consolidation so effectively today.

Integrating network-as-a-service and network-security-as-a-service into a unified SASE platform provides real-time data and insights and defines every identity as a security perimeter. Unifying networks and security also strengthens ZTNA, which can scale across every customer, employee, supplier and service endpoint. Source: Gartner, The Future of Network Security Is in the Cloud, August 30, 2019

To become more competitive in SASE without committing all available DevOps and R&D resources to it, nearly all major cybersecurity vendors rely on joint ventures, mergers and acquisitions to get into the market quickly. Cisco’s acquisition of Portshift, Palo Alto Networks’ acquisition of CloudGenix, Fortinet’s acquisition of OPAQ, Ivanti’s acquisition of MobileIron and PulseSecure, Check Point Software Technologies’ acquisition of Odo Security, ZScaler’s acquisition of Edgewise Networks and Absolute Software’s acquisition of NetMotion are just a few of the mergers designed to increase SASE vendors’ competitiveness. 

“One of the key trends emerging from the pandemic has been the broad rethinking of how to provide network and security services to distributed workforces,” writes Garrett Bekker, senior research analyst, security at 451 Research, part of S&P Global Market Intelligence, in the 451 Research note titled “Another day, another SASE fueled deal as Absolute picks up NetMotion.” Garrett continues, “this shift in thinking, in turn, has fueled interest in zero-trust network access (ZTNA) and secure access service edge.”

SASE’s identity-first design further accelerates consolidation  

For a SASE architecture to deliver on its full potential of consolidating network and security services down to the tech stack level, it must first get real-time network activity monitoring and role-specific ZTNA access privileges right. Knowing in real time what’s happening with every endpoint, asset, database and transaction request, down to the identity level, is core to ZTNA. It is also essential for continually improving ZTNA security for distributed edge devices and locations. 

ZTNA secures every identity and endpoint, treating each as a security perimeter with multiple digital identities that need constant monitoring and protection. 

SASE is helping close the gaps between network-as-a-service and network security-as-a-service, improving enterprise networks’ speed, security and scale. ZTNA and its related technologies protect endpoints. The increasing number of identities associated with each endpoint increases the risk of relying on legacy network infrastructure that relies only on perimeter-based protection. This is one place SASE and ZTNA are proving their worth.

Identities, access credentials and roles are central to SASE and are supported by the diverse array of technologies shown in Gartner’s circular SASE diagram. Source: Gartner, The Future of Network Security Is in the Cloud, August 30, 2019
