Defense in depth is the best solution with regard to cybersecurity, many security experts agree. With the upward trend in BYOD, many enterprises are forced to choose between security considerations and the need for employees to access the data they need to be optimally productive. Cyber adAPT’s Eric Green agrees that defense in depth is important—but a blend of security, usability and access to needed data is less intrusive, and more convenient for the end user.
Cyber adAPT’s Eric Green explains the importance of strong access control for secure communications
Green has been active in the security space for more than 15 years, and is part of Cyber adAPT through its acquisition of Mobile Active Defense. He spoke to ITWatchIT about secure device management and the latest threats in cybersecurity, including insider threat, ransomware and the blockchain.
IoT Devices and Mobile Security
IoT is a very scary environment, and we have only seen the tip of the iceberg, said Green. We operate in the area of secure communications and we operate IPsec for the reason that people can’t break it, as opposed to SSL/TLS, where people can do man-in-the-middle attacks. If you look at IoT, there is no standard in place for secure communication between devices, which should scare the living daylights out of everybody.
There are lots of bodies talking about it, and since we understand secure communications, we are trying to be a part of that conversation. Most of the things getting connected these days are unnecessary, but that doesn’t really matter since it’s out of the gate. We are going in that direction, there is a huge market for it, and people are going to start building these things more and more. Security awareness works mainly for organizations because you can enforce it, and make employees watch videos and so on. When it comes to these IoT devices, we need to have security built in.
We treat mobile devices like any device on a network. Just like a workstation, we can apply rules and policies to them. It eliminates the need for segregation because it is somewhat segregated in the sense that the mobile device comes into the network edge in the DMZ, where all the inspection is done. It gets decrypted at the server and the traffic gets inspected, then assigned rules as to where to go in the network. Since you’re using certificates, you know the individuals and the devices. You also have username resolution and can define where the user can go in the network, just like a workstation. The difference is that the inspection is done at the network perimeter, so if there is a problem, you remediate before it actually gets on the network proper.
Shadow IT is Comprised of Pretty Determined Folks
You’re treating these devices as if they are on the network, since they have certificates attached to them. This allows them to access parts of a network assigned to them by the IT administrator. For instance, the IT administrator might say these people can access Salesforce, HR systems and mail, and that would be it. The rest of the network would be restricted to them, and our controls are designed to make that happen.
We are a firewall that sets up the traffic rules for where people can go. Nothing is impenetrable, but since we are doing certificate authentication, we know that we are specifically defining where people can go, based on the user group they fall into. If someone ends up where they are not supposed to, we know who that is and what that device is. You can easily do a query to see what device is going where, and this is part of the threat detection, since we are looking for anomalous behavior. If there is a device that is only supposed to access email which is suddenly in the financial systems, or in the intellectual property for software or something, then you can set up alerts.
No system is impenetrable, and if someone gets through us somehow, and they are on a device, the only reason they were able to do so is that they abused the privilege on the firewall. The certificate is still there and we can track them, which allows us to figure out what went wrong and stop it.
We really can’t prevent someone coming onto the network and downloading data, but we can certainly put controls in place. We can prevent someone from doing it on a managed device. From the access control standpoint, it’s up to your IT people and network administrators to put blocks in place. You have computers without USB ports, and you can trace if people have downloaded data from different workstations. As long as those controls are in place, we can track people who do that with their mobile devices.
Cyber adAPT is in a unique place in the industry after the acquisition of Mobile Active Defense. We do mobile security, as opposed to mobile device management, which everybody does. We also do that, but are more concerned with strong access control and secure communications, or certificate-authenticated IPsec. We are doing what Blackberry does, and that is our portfolio from the mobile standpoint. The combination with Cyber adAPT gives us the added leverage of threat detection, making us the only company today doing full-on mobile threat detection.
This changes the landscape for bring your own device (BYOD) in a big way. My theory about BYOD is that it’s your own device, and the expectation that there isn’t bad stuff on it is nonexistent. It is almost guaranteed to have bad stuff on it, and I don’t care, nor should my customers care about the bad stuff.
What you do care about is if it is trying to exfiltrate information and data, and you also care if it’s going to penetrate the network. Since we have all of this IP traffic coming off the device anytime it’s network-bound, we are able to do a threat detection when it hits the perimeter of the network. We are on that traffic with remediation tied to the device.
We reduce the risk without changing the user experience, and that is our main goal. When it comes to user experience versus security, you have the one side that believes they can do whatever they want to do and people have to deal with it. Then you have people like me who have been here long enough to realize that if people don’t like it, or feel it doesn’t work properly, they are going to find a way around it, or they won’t use it. To avoid that, we try to be as invisible as we can until someone does something wrong, then there’s automated remediation.
Defense in depth isn’t a bad thing, but it’s also pretty intrusive and changes the user experience, for instance, resulting in false alarms and so on. From our perspective, we concentrate on the traffic, because that’s where the bad stuff lies.
Ransomware Growing Alarmingly
The growth of ransomware is fueled by its success. Social engineering is still the best way to get into any network, and ransomware relies greatly on social engineering, since someone has to click on something for anything to happen on the network. Organizations are supposedly getting attacked by nation states now, but they are technically getting attacked by organized criminals funded by the state. Whether they are state-funded or just criminals, the reason they are using it is because it works. It doesn’t matter if they are acting on behalf of nation states to steal information, trying to steal intellectual property, trying to bring financial systems down, or they are trying to make money – the bottom line is that it is working.
The best scenario for ransomware is that you are brought to your knees, and you basically wipe everything and start all over again from a backup, which is why you should have almost real-time backup of data.
The whole concept of breaking data up into several packets and encrypting them for bitcoin and the like, so no one has access to any individual packet, then bringing them together for different individuals is where blockchain comes in. It’s revolutionized the way people use payments on the internet. It hasn’t been widely accepted for real commercial use, but is beneficial for certain uses. It also benefits the bad guys since it allows them to process payments invisibly. We are just at the surface of how the technology can be used, and it will take endorsement by a major organization, such as Amazon, for people to associate it with actually paying for goods and services. The technology also needs more work to make it viable. It’s one thing for a major organization to decide that it’s money, and it’s another for you and me to accept that it is a payment option. There will probably have to be an incentive for the public to go in that direction.
People both inside and outside security tend to view insider threat as just employees who have access to something they are not supposed to have access to. But when you look at it critically, you realize it could come from almost anybody. The network is porous in the sense that your suppliers have access to your network, as do your partners and customers. Suddenly, it seems like almost everybody has access. Insider threat is very real and social engineering is still widely used in such situations. It could be used against the supplier, and Target is a good example. The criminals got in through the HVAC guys. Supply chain security now plays a great role in insider threat.
Zero Trust Model—Everyone is Potentially a Threat
About 80 percent of networks are flat. Unless you have proper access controls in place, someone who gets on the network is there and can access things with varying degrees of difficulty or ease. From that perspective, you have to really control the access privilege side. Zero trust basically states that your employees should only be allowed to access very specific data that is tied to their function to let you track them. It may look like it makes sense, but the whole idea of productivity is to let people get the things they need to perform optimally. If they cannot get to what they need, it defeats the whole purpose. You just need to define securely what people can and cannot access based on their user level.
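The access-control and alerting model described above (a certificate identifying the user and device, a user group that defines where that device may go, and an alert when a device that should only reach email turns up in finance or source-code systems) can be illustrated with a small policy check. The block below is an added example, not Cyber adAPT’s code; every certificate name, user group, network zone, address range and log record in it is constructed for illustration.

```python
"""
Added example (not the vendor's code): a minimal certificate-identity access
policy check run over constructed perimeter connection records.

Each connection carries the subject CN of the client certificate presented on
the tunnel. The CN is mapped to a user and a user group, the destination IP is
mapped to a network zone, and the zone is compared with what the group may
reach. Out-of-policy connections and unknown certificates yield alerts that
name the user and the device, so an investigator knows who and what.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical group -> allowed zones (the "Salesforce, HR systems and mail,
# and that would be it" style of assignment, expressed as zone names).
GROUP_POLICY: Dict[str, Set[str]] = {
    "sales": {"mail", "crm", "hr"},
    "support": {"mail", "ticketing"},
}

# Hypothetical zone -> CIDR; all addresses are constructed.
ZONES: Dict[str, str] = {
    "mail": "10.10.1.0/24",
    "crm": "10.10.2.0/24",
    "hr": "10.10.3.0/24",
    "ticketing": "10.10.4.0/24",
    "finance": "10.10.50.0/24",
    "source": "10.10.60.0/24",
}

# Hypothetical certificate CN -> (user, group). In a real deployment this
# mapping comes from the issued device certificates and the directory.
CERT_DIRECTORY: Dict[str, Tuple[str, str]] = {
    "alice-phone-01": ("alice", "sales"),
    "bob-tablet-07": ("bob", "support"),
}


@dataclass(frozen=True)
class Connection:
    cert_cn: str   # subject CN of the device certificate on the tunnel
    dst_ip: str    # destination reached inside the network
    dst_port: int


@dataclass(frozen=True)
class Alert:
    user: str
    device: str
    zone: str
    dst_ip: str
    reason: str


def zone_for(ip: str) -> str:
    """Map a destination address to its zone name, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def evaluate(conn: Connection) -> Optional[Alert]:
    """Return an Alert if the connection is outside policy, else None."""
    zone = zone_for(conn.dst_ip)
    identity = CERT_DIRECTORY.get(conn.cert_cn)
    if identity is None:
        # A certificate we did not issue: the device cannot be tied to a user.
        return Alert("?", conn.cert_cn, zone, conn.dst_ip, "unknown certificate")
    user, group = identity
    if zone not in GROUP_POLICY.get(group, set()):
        return Alert(user, conn.cert_cn, zone, conn.dst_ip,
                     f"zone not allowed for group {group}")
    return None


def evaluate_log(conns: List[Connection]) -> List[Alert]:
    """Run every connection through the policy and collect the alerts."""
    return [a for a in (evaluate(c) for c in conns) if a is not None]


# Constructed sample log: two permitted connections, two policy violations
# and one connection from a certificate that is not in the directory.
SAMPLE_LOG: List[Connection] = [
    Connection("alice-phone-01", "10.10.1.20", 993),   # sales -> mail: ok
    Connection("alice-phone-01", "10.10.50.8", 443),   # sales -> finance: alert
    Connection("bob-tablet-07", "10.10.4.3", 443),     # support -> ticketing: ok
    Connection("bob-tablet-07", "10.10.60.12", 22),    # support -> source: alert
    Connection("stolen-cert-99", "10.10.1.20", 993),   # unknown CN: alert
]

if __name__ == "__main__":
    for alert in evaluate_log(SAMPLE_LOG):
        print(f"ALERT user={alert.user} device={alert.device} "
              f"zone={alert.zone} dst={alert.dst_ip}: {alert.reason}")
```

Because the alert carries the certificate CN, the same record that blocks or flags the connection also tells the responder which device and which user were involved, which is the property the interview relies on when it says that anyone who gets past the firewall can still be tracked.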
Speaker: Eric S Green
Security Strategist, Cyber adAPT & Program Director, SC Magazine
Eric is the Security Strategist for Cyber adAPT through the acquisition of Mobile Active Defense. In that role he has been consulting as a subject matter expert (SME), primarily with the FORTUNE 500 and Federal Agencies, on the subject of mobile security and management. This includes serving as an SME for both the NSA’s National Information Assurance Partnership (NIAP), in developing the requirements for the mobile device management protection profile used to create a Common Criteria for mobile device management, and for CompTIA, in the creation of a mobile security management certification. Outside of that role, he has been involved in the security industry for over a decade. Past experience also includes running a technology book division that published 12 books with a wide variety of industry luminaries, primarily in security. For the last 9 years, Eric has served, and continues to serve, as program director for SC Magazine’s SC Congress events.
Cyber adAPT® secures mobile-enabled enterprises, protecting real-world reputations. It is the only platform to combine powerful Secure Device Management, guaranteeing secure access to cloud and network services, with real-time Attack Detection inside the network. Cyber adAPT instantly illuminates otherwise hidden, malicious behavior, ensuring more real attacks are found more quickly. www.cyberadapt.com