In this blog, we address at a high level how a Zero Trust strategy can make for a powerful defensive stance.
Bad actors exploit an assortment of attack vectors, and organizations operating under the implicit trust model carry enough structural weaknesses that, once attackers gain access to a targeted system, they can move laterally across the network. The most common ingress vector is spearphishing (socially engineered e-mails) combined with zero-day vulnerabilities. Attackers then move laterally to spread and detonate the payload, exfiltrating and encrypting sensitive data. After the initial breach, it can take months for the attack to be detected. The worst-case scenario is detection that comes too late: endpoints and servers have already been encrypted, the data has been exfiltrated, and the ransom is being demanded.
It has long been stated that prevention alone is not enough. Constant patching, firewalls, network access control, and endpoint, mail, and server security are necessary to mitigate risk. Still, hackers will ultimately find a way to breach traditional perimeter defenses, as has been proven repeatedly. Yet, historically, cybersecurity investments are biased towards these preventive security controls, which for the most part are complex to manage effectively and, as a result, are usually underutilized or poorly configured. Next-gen firewall policy drift is a common ailment, and so is the network performance and availability impact of security controls that hairpin traffic through choke points. While Zero Trust Access (ZTA) solutions certainly lower the risk of an initial breach, they also boost detection and response speed and effectiveness by:
To top it off, a well-designed ZTA solution architecture avoids the security vs. network availability trade-offs.
"287 is the average number of days to identify and contain a data breach. The longer it takes to identify and contain, the more costly the breach."
Cost of a Data Breach 2021, IBM/Ponemon Report
There is some degree of fatalism or pessimism in the definition of Zero Trust. The concept starts from the premise that breaches are inevitable and that enterprises must always assume a breach has already occurred and an attack is in progress. Therefore, organizations must also invest in rapid detection and response capabilities with the same emphasis they place on prevention, if not more. This not-so-new paradigm of Zero Trust challenges the importance of firewalls and of any security tool that works under the old implicit trust model. Under the zero trust edge model, the new perimeter centers on user, device, app, and data identities, their behavior, and the context, with policies enforced as closely as possible to the resource being accessed. Under this model, authentication and authorization are evaluated continuously to inform adaptive policies, hence the "zero trust" moniker. Location in the network is not as important as it used to be, while identity has taken center stage.
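As an added illustration of the model just described (example code, not Elisity's or the platform's own), the evaluator below decides every request from identity, device posture, app, data class and context, and re-evaluates continuously via the age of the last strong authentication; the `implicit_trust` function shows the location-based decision it replaces. All app names, roles and sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """One access request as seen by the policy engine (constructed fields)."""
    user: str
    roles: set            # roles asserted by the identity provider
    device_managed: bool  # device posture: enrolled and compliant
    mfa_age_min: int      # minutes since the last strong authentication
    app: str
    data_class: str       # "public" | "internal" | "restricted"
    src_net: str          # "corp" | "home" | "unknown": informational only
    country: str
    usual_countries: set = field(default_factory=set)

# Policy is attached to the resource (app and data class), not to a subnet.
APP_ROLES = {"hr-portal": {"hr"}, "finance-db": {"finance"},
             "wiki": {"staff", "hr", "finance"}}
MAX_MFA_AGE_MIN = {"public": 24 * 60, "internal": 8 * 60, "restricted": 15}

def evaluate(req: Request) -> str:
    """Re-evaluate one request; return 'allow', 'step-up' or 'deny'."""
    # Identity: the user must hold a role entitled to this app.
    if not (req.roles & APP_ROLES.get(req.app, set())):
        return "deny"
    # Device posture gates anything beyond public data, wherever the device sits.
    if req.data_class != "public" and not req.device_managed:
        return "deny"
    # Context: an unusual country forces re-authentication instead of a silent allow.
    if req.usual_countries and req.country not in req.usual_countries:
        return "step-up"
    # Continuous authentication: sensitive data needs a recent strong login.
    if req.mfa_age_min > MAX_MFA_AGE_MIN[req.data_class]:
        return "step-up"
    return "allow"

def implicit_trust(req: Request) -> str:
    """The perimeter model the post contrasts with: inside the network means trusted."""
    return "allow" if req.src_net == "corp" else "deny"

if __name__ == "__main__":
    # Constructed sample: a finance user on the corporate LAN, but on an unmanaged laptop.
    req = Request("ana", {"finance"}, False, 5, "finance-db", "restricted",
                  "corp", "US", {"US"})
    print("implicit trust:", implicit_trust(req))  # allow: location is enough
    print("zero trust:   ", evaluate(req))         # deny: posture fails
```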
Arguably, Zero Trust changes the definition of a breach. Because breaches will always occur and are as inevitable as zero-day vulnerabilities and human ingenuity, the zero trust model may not consider unauthorized access into the network a breach, but rather the exfiltration, destruction, and/or encryption of data by the attacker. It is not the ingress but the egress that causes the damage. A data backup won't bring back sensitive data that is already out in the wild. In short, a ransomware attack may be in progress, but if it is detected, contained, and eliminated quickly, it is not successful, there was no breach (no detonation, no exfiltration), and it is just "business as usual": the SOC team catching bad guys in flagrante. True zero trust network security tools, not the same old ones stamped with the zero trust seal for marketing purposes, give the SOC enough time to detect and respond effectively to ransomware attacks.
"$4.62m is the average total cost of a ransomware breach. Ransomware and destructive attacks are costlier than other types of breaches."
Cost of a Data Breach 2021, IBM/Ponemon Report
A successful defense against the constant threat of ransomware depends on making the infrastructure as hard a target as possible. That makes an attack costly and therefore unprofitable for criminal organizations. In short:
"$1.76m is the cost difference in breaches where mature zero trust was deployed vs. no zero trust."
Cost of a Data Breach 2021, IBM/Ponemon Report
A ZTA platform combined with SDP capabilities, operated by a talented team, can slow down the attacker by:
A talented team with the right ZTA platform, one that leverages sound integrations and a force multiplier such as AI, can detect, contain, and eradicate ransomware threats fast enough to keep organizations ahead of attackers. The battle is won not when any given attack by a bad actor is unsuccessful, but when the attacker quickly perceives the target is too hard and decides to redirect its resources toward softer ones.
There is no silver bullet against ransomware unless everyone stops paying the ransom. Only working constantly towards the aspirational goal of eliminating the attack surface increases the likelihood that attacks are ultimately unsuccessful. Your intelligence is your best weapon. You can equip it with visibility tools and AI assistance for higher efficiency and accelerate your organization's journey towards a zero trust network architecture. Make your organization and your supply chain smart and resilient, and the cybercriminal rings will eventually focus their targeted efforts elsewhere.
Elisity offers an identity-driven control plane for corporate networking and remote access without tying customers to a particular network or network security technology. Its Cognitive Trust platform, delivered as a cloud-based service, is deployed as an overlay or underlay on whatever WAN and/or SD-WAN infrastructure an enterprise prefers to protect data, users, devices, and applications in the data center, the cloud, at home, and everywhere. Request a demo and see the possibilities with Elisity Cognitive Trust.