The Many Flavors of Back to Office and Why Companies Need Zero-Trust Network Security (ZTNA)
Returning to the office represents a long-awaited milestone, a positive sign that we can engage more fully with colleagues, return to in person events, and move forward with our lives.
There are many flavors of what a back-to-office plan looks like, and everyone has an opinion. After several delays, Google has given employees a new return-to-office date for April 4. That’s when the new “hybrid” work schedules begin, and most employees will be expected in physical offices at least three days a week. Twitter has announced employees can start returning to the office in March if they want to. Twitter CEO Parag Agrawal said that he wants Twitter employees to work wherever they “feel most productive and creative” and that the company is committed to “truly flexible work.” In the meantime, Apple has fixed an April 11 deadline for its corporate employees in the US to return to the office. The company plans a hybrid pilot in a phased manner to ensure a smooth return. Dropbox has aimed for “virtual first” which means that remote work is the default, and offices transition to co-working spaces where employees can choose to hold meetings instead of places to work individually.
Many feel that hybrid is the future of work. Popping into the office one to two days a week to catch up with colleagues in person, while also still being able to productively work at home. Hybrid could offer the best balance between face-to-face collaboration while preserving the flexibility and benefits of working from anywhere.
One of the other less talked about aspects of remote work was the ability for companies to recruit talent from a wider geographical footprint. The same remote working tools that enabled Apple and Google employees to work from home enabled many companies to hire employees from all over the globe. There are many co-workers who have been hired and never met their colleagues in person, yet. For example, we hired a solutions engineer from Ohio and a sales director from Florida. None of us have met face-to-face (but that will be changing soon). Our PR team has members in Spain and California. Distributed work tools like Slack and Zoom have matured to the point that we operate at high degrees of interactivity and operate as a single entity. As the pandemic recedes into the rearview mirror, the capability of remote work will be essential for these increasingly distributed teams to deliver results. As a side note, this reality puts an additional burden on leaders to inspire employees to bring their best efforts and achieve greater fulfillment, because finding a replacement job and boss are easier than ever.
Reimagining the Security Perimeter
What impact does hybrid work have on network security and how have CISOs and IT departments had to reimagine the security perimeter to accommodate hybrid models? More importantly, as IT budgets for 2022 remain in question, here’s what it could mean for CIO IT spending priorities.
How do I solve the security weakness of the VPN I secured two years ago? Get LAN security or remote performance for less?
The entire workforce has become more flexible, and flexible work arrangements need to be dynamic, secure, and scalable. We can no longer trust ourselves to avoid inadvertent threats like losing a password, or worse, putting ourselves at risk with intentional threats from bad actors that try to take over our identity. The enterprise must also review the security perimeter they put in place two years ago and ask themselves: Can I do the same for less? Is VPN where I should put my budget? How do I best protect against future threats and scale?
The truth is that VPN was a knee-jerk reaction, and the past two years have only underscored some of their flaws including creating more security headaches and a costly per license situation. With some individuals returning to the office full-time to work, you don’t want to be stuck paying for unused licenses. Enterprises need a solution that improves performance but for less cost than two years ago.
With the 2021 Verizon DBIR report conveying that 61% of all confirmed breaches were related to password issues, such as account takeovers from hijacked usernames and passwords, phishing, etc., organizations are also looking to completely remove passwords from their environment.
Here is a Rude Awakening: VPN is not Zero Trust
Unless you have had your head stuck in the mud, you will have heard of Zero Trust Network Security (ZTNA). Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for secure access before being granted and maintained for permissions to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid, with resources anywhere as well as workers in any location.
Increasing regulatory requirements around zero trust security, make it imperative to move away from this model – because VPN is not a zero trust network and has been the cause of multiple breaches.
History has proven that VPNs are now a vulnerability in and of themselves and have become legacy for “secure” remote access. VPNs are discovered on the internet, making them easy to find and breach. Because of split tunneling, a compromised employee’s laptop working from home gives an attacker a free ticket right into your corporate network while enjoying the privacy of an encrypted tunnel that can’t be inspected until the traffic has extended past the VPN concentrator and is in clear textAlissa Knight, cybersecurity influencer and reformed hacker
According to recent research from Knight Ink: “Organizations are moving away from flat networks that provide an adversary unlimited east-west reach for pivoting in the environment once they’ve established a beachhead. In November 2021, a massive zero-day hole was found in Palo Alto Networks VPN firewalls allowing for unauthenticated remote code execution (RCE) estimating that it had affected over 10,000 VPNs. Alternative solutions that enable remote access for this new work at home economy offer additional security controls beyond just remote access, such as software defined perimeter (SDP) solutions are replacing VPNs.”
According to cyber security influencer Alissa Knight, “Organizations are looking not only for multifactor authentication (MFA) solutions to require far more than just a password, but MFA solutions that can potentially eliminate the password altogether by relying on something you have and something you are (i.e. the user’s own mobile device with a biometric). CISOs are leveraging SDP solutions to implement microsegmentation in their environments that used to have to be done at the hardware level in switches, virtual local area network (VLAN) access control lists (ACLs) or firewalls to route traffic between VLANs, which still didn’t implement a true zero trust security model between users, devices, applications, and data that’s now enjoyed in SDP.”
And what about resignations? Those that have left the company create additional security loopholes, in many cases, this gets at a very important, but difficult part of security management which involves maintenance of Directory Services (LDAP, Active Directory, etc.). Often those services feed into solutions that can determine who has access to what. Robustly off-boarding revokes permissions and access to sensitive information.
Now is the time to re-consider your hybrid remote security policy
Driven by events, from the increase in ransomware and phishing during the pandemic, the current war, geopolitical situation, and a return to hybrid office situations — cybersecurity is front and center of the agenda. The current administration is driving urgent efforts toward a new cybersecurity paradigm. President Biden’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028) focuses on advancing security measures for the federal government that dramatically reduce the risk of successful cyberattacks, and requires federal civilian agencies to establish plans to drive the adoption of Zero Trust Architecture.
The good news is that CISO’s and CIO’s security budgets are increasing and gaining power in the organization, but they are also in “subtraction mode’. They are looking across the entire security stack to ask themselves what they can remove or take out. It’s a more strategic discussion rather than just buying a collection of point solutions. They are overwhelmed with incremental purchasing. Networking used to be a separate category, but now it, and many other things, are being subsumed by security – it’s the elephant in the room. Ultimately, SDP solutions offer organizations secure remote access into their environments while darkening and cloaking assets that aren’t allowed to talk to specific nodes, implementing the concept of true zero trust security. No matter what happens with COVID and the hybrid working arrangements, SDP solutions enable broader access to remote talent, more flexibility, and a potentially more potent workforce that is safe from the barrage of cyber-attacks we are witnessing today. CISO’s and CIO’s can have their ice cream and eat it too.
Today, I want to talk about persistent threats. By now, I'm assuming that most of you have either heard about the recent persistent threat attacks - one being the sunburst attack on solar winds, secondarily the happening of attack on Microsoft exchange, or perhaps unfortunately your organization has been a part of those as a victim. As a result of all of those attacks, we've seen a tremendous amount of noise from the cybersecurity community, talking about strategies for prevention, mitigation, etc.
But the real question is, is anyone really doing anything to attempt to create a line of defense against these attacks? And at BlastWave, we would argue that for the most part, they're not. Yesterday, a colleague of mine, Paul Gracie put out an article. It was a short cheeky article entitled, “Is it just me or does the emperor have no clothes?”
If you want to read it, let me give you the link. Hold on. That's not the link here. It is. So this is the QR link. So you can just snap a picture of this with your phone and you should be able to connect to it. But as I said, it's a short article. It was a little bit cheeky and effectively. What it did is it kind of called out the establishment cybersecurity vendors on the fact that they're selling you security products that aren't actually securing your network.
It called out some burning problems that we have in the cybersecurity space today. And specifically around the questions of, are we creating this first line of defense and specifically beyond that in the event that someone may be able to penetrate your network and get on the inside. Do we have anything to mitigate the impact of those?
And so I want to walk through this and I'm going to use a combination of a PowerPoint and some information off the web to go through the disk. So let's begin by taking a look at how our networks are protected today, and this is going to be familiar probably to everyone. So it's usually a combination of three technologies in the wide area network.
You're leveraging some type of SSL, VPN technology. So a virtual private network at the remote client, you're using hopefully some type of multi-factor authentication that is hopefully passwordless. To be able to protect your client's identity, and then within your local area network, where your protected systems and applications lie, you attempt to protect those through access control and segmentation.
And so if we look at that, we begin to ask the question, well, are these networks, and are these technologies that are designed to protect our critical systems today, are they actually doing what they're supposed to do to protect them? Well, Let's take a look at the statistics. So let's go and let's start with an interesting stat.
So this year we, as a globe, a global economy spent $25 billion in VPN. It looks like it's going to be all $76B by 2027. So we know we are continuing to invest in this technology. If we look at the leading vendors in this space, and we're not gonna mention any names, but you could see them. Number one, number two.
Number three and this may change, but in general, over time, they're all kind of the same list of vendors. If we were to look at them and ask ourselves, well, how secure are these particular vendor solutions? Well, let's, we could look at number one, so we could go over to NIST and do a quick search on this particular vendor.
And we can see that right now, there are roughly 20 known vulnerabilities that range from pretty severe to maybe reasonably severe. And that's 20 doors of entry for a malicious actor. If we were to take that same approach and look at number two then if we look at their statistics, they're doing a little bit better less, but it looks like at least one, if not more of their vulnerabilities are highly critical.
So there are multiple paths of entry for, it would be actor as well. Then finally, if we look at number three, which is a very well-known name, and we look at theirs - 70. 70 known vulnerabilities from companies who are the leaders in providing virtual, private networking technology. Now, why do we care about this?
Well, we care because these vendors, these solutions that are supposed to be our first line of defense against these persistent threats are the very technologies that are being bypassed, being bypassed in many of these attacks. And so if we think about that, it makes sense. Right. And let's walk through this.
So if we're deploying VPN within our wide area network, then for the most part, we're using technology that's 20 years old, that as we've seen a moment ago, has hundreds of known vulnerabilities. And each time a vulnerability is reported, those vendors have to go and create a patch. That patch has to then be rolled out into their customer community and then be propagated across the customer's networks.
So in many cases it could be weeks or months before the door is closed effectively for malicious actors. Now, if we move over to the left and look at the remote user, I think we're, beginning to do a good job by applying multi-factor authentication. Hopefully most of those that are being leveraged now are passwordless, so that's good.
But many of them are single surface based, which means that you can steal something. You can steal a single thing, and once you've stolen that single thing, a key fob, etcetera, then now they can take that and pretend to be you anywhere else in the world. So they're usually highly vulnerable to theft, but more importantly, they're not policy-aware. And what we mean by that is that the devices that sit down here that perform the authentication process are largely unaware of what policies for access you might be granted or not granted.
And so by that fact, that puts them in a position where this network is kind of a set of disparate parts. They're not all one acting in unison. Now, when we get to your LAN most companies good old fashioned segmentation, right? So through access control lists, etc., they're segmenting the network.
It's a very time consuming process for network engineers. Usually it is well, not usually it is in fact, very prone to human error, more than 90% of all vulnerabilities and outages within networks today, come from human error. Somebody made a configuration change that caused either an outage or a gap and created an opportunity.
And so while it's a great attempt, these are really complicated, prone to human error. And so as a result, they're really vulnerable to insider threats. And if we take a look at these attacks, we can see that that's the case. So, we need to ask ourselves, why do we care about this? And in asking that we want to look at the behavior for how these persistent threats break into your network and there's no magic to it.
While they all may look unique in their approach, they all use a very common pattern. And the first portion of the pattern is reconnaissance. So effectively, what they want to do is they want to identify a system somewhere inside of your network that they can somehow connect to or get to, and then use that to match up a vulnerability doubt.
That may be a publicly known vulnerability as the list that we just went through a moment ago, or it might be a personal or a private vulnerability that they have discovered. But in either case, their goal is to find a system on the inside of your network, which leads to the next step, which is to create a piece of malicious code that they can then drop down into that system, that’s sitting inside your network.
Once the code's there then now, what do they want to do? Now they want to poke around. So they want to use the inherent vulnerabilities of your segmented LAN to scan around and find other systems that they can get to. And then once they've done that, they'll try to propagate or replicate that particular piece of code to another system.
And then finally, what they want to do is call back home, right? So connect back home for the purpose of creating a command and control channel for that malicious actor. And if we take a look at that, then there's really no magic. Right? They're coming into your network via one of a couple of methods.
They're either coming through your secure network or they're walking in the front door. And in most cases, it's through your secure network that they're using to get there. In the case of SolarWinds, if we look at that real quickly, SolarWinds was a perfect example of that.
Effectively, what they did is the malicious entity had a malicious payload. They had identified through surveillance and reconnaissance, a system that was vulnerable inside the SolarWinds build servers. So they dropped it down there and they simply let it use its own secure communication channels to be able to propagate that update across to their SolarWinds Orion instances that are sitting inside of the customer. From there, that instance replicated itself up to other systems and then created a command and control channel back home, using the security technologies that we spent 20 some odd billion dollars on this year or not using them effectively bypassing them.
In the case of the Hafnium attack, it was a very similar scenario. So in this case, they were able to identify a vulnerability that allowed them effectively to bypass the exchange authentication process. So they were able to connect into exchange. And then from there deliver a piece of malicious payload onto that. That allowed them to execute a script from there in an Alec web access and basically drag a bunch of exchange emails back into wherever their servers are and who knows what? I don't even think we know what yet, yet how much impact that's going to have.
So those technologies that were used to protect the network to create that first line of defense were exploited in both of these attacks. And I think many in the community would argue that as it pertains to advanced persistent threats, this is just the beginning. So we've got to create that line of defense.
And let's talk about that. I want to introduce you to BlastWave. BlastShield is our product. BlastShield is a software-defined private network overlay that can be deployed over any packet based network. When it's deployed, it renders your protected systems, applications mechanical systems and industrial settings, it could be sensors, etc. - it renders those systems invisible. So the network itself, the BlastShield network and all protected systems are effectively invisible. You can't scan it. You can't see it. You can't talk to it.
Remote user access into a BlastShield network is performed via a very convenient, but highly secure three surface multi-factor authentication process. And the reason that we use that model is it makes it immune to your common phishing exploits, but also reduces the risk of theft because of the requirement of multiple surfaces. And then more importantly, within that multi-factor authentication process, your users, access and visibility are bound to each other by policy.
This inhibits the ability for, let's say an actor pretending to be one of your remote users that connected into your network to now poke around because they can't see other systems, unless they're granted a specific access to this. BlastShield is built on a proprietary transport methodology that is immune to SSL, BP, and exploits. So all of those hundred plus exploits we just saw today, it is immune to those.
Effectively it delivers this encrypted edge to edge network that runs across the entirety from your edge user, into your application. And it's all manageable from a single policy orchestrator.
And so how does this relate to the attack vectors that we looked at before? Well, if you start with reconnaissance since this network and the assets that are protected behind it are invisible, then it makes it really difficult for reconnaissance to be performed because you can't identify those assets. And if you can't identify them, then it removes the ability for you to begin to identify what exploits might be associated with those assets, which really leads to the second step, which is in terms of weaponization and delivery.
If you can't find systems protected by that particular network, then it makes it really difficult for you to deliver those systems into a protected system or protected system. And so in terms of delivery, it really inhibits the malicious actor’s ability to get their payload down inside your network.
Now we all recognize we don't live in a perfect world. And so if in fact, a malicious payload is dropped into your network, this is where BlastShield’s ability to provide granular visibility bound to access control together, and inhibits the ability for a piece of code to move laterally. And so you can envision a scenario where in the event that maybe somebody walked through the door and dropped a piece of code onto a server. Well, if that server is protected behind a BlastShield network even if that code were dropped in via a USB stick or something like that, then it makes it really difficult for that malicious code to propagate because it can't scan, because it's scaning ability and its ability to connect to other systems is controlled by policy. So it can't see or connect. So it really inhibits that.
And then finally since BlastShield effectively creates this air gap around these assets, it's effectively air-gapping the malware as well. So that prevents the ability for it to beacon back to its home base and prevents the ability for command and control channels to be built.
So thank you for your time. I wanted to walk through this. As you can see, we are very serious about the subject of creating a first line of defense against these persistent threats. We would enjoy a conversation if you're interested in learning more, I'm going to put two links up real quickly.
First, this again is the link to Paul's article that he wrote. Along with that. If you want to speak to Paul live, this is a QR link to his LinkedIn profile. Additionally, you can reach us at www.blastwave.io, and we would love to have communication with you. Thank you for your time. I appreciate it.
Hey, welcome back. Again, I'm Tom Field with Information security Media Group. We are at RSA conference 2021 topic I'm speaking about in this segment is defending entry points. Really pleased to welcome to the studio Tom Sego is the founder and CEO of BlastWave Inc. Tom, thanks so much for taking time to speak with me.
Thanks again, Tom. It's good to see you.
So let's start our conversation here. In what ways do you now see security requirements getting so complex, that they're exceeding the capabilities of current protection solutions?
Yeah, I think in terms of the requirements, the requirements are kind of going like this, they're going kind of straight up. And the security protection solutions are almost flatline, there's very little innovation that's occurred in those, there's been a lot more focus around the detection and remediation areas. So if we look at the security requirements that are driving that, we're seeing like the device level, there's a lot of smart sensors for everything. We're also seeing at the data level 90% of the world's data has been created in the last two years. And then there's a lot going on at the network level. networks in devices and factories used to be air gapped and immune from network borne malware. But now while those can no longer function in a world in which everything is connected, the global supply chain industrial operations, everything needs to be connected, for remote access for people working from home. Furthermore, the corporate network used to be this castle moat situation. And now you have public cloud hybrid cloud on prem, and even the employees home as part of that corporate network now. And then there's this complexity around provisioning, and setting control access and almost an infinite number of combinations of human to application human to machine, machine to machine and machine to application. And the past, we could just tack up VPN client server solutions, but those days are gone. There's the VPN technology itself is 25 years old, and almost no innovations are occurring. The majority of VPN vendors also use the exact same SSL VPN stack, which makes it trivial for malicious actors to identify their products. In recent years, they tried to put together these SD LAN products Software Defined wide area networks in response to the dilemma. But if you peek under the hood, you see the same basic SSL VPN stack with the same old vulnerabilities and a new wrapper.
So Tom talked a little bit more about that. Where do you see some of the current protection technologies most obviously failing?
Yeah, well, really, there's no magic to this, whether it's carried out in applications data, mechanical industrial systems, attacks really only come through two sources, either physical or through the network. And statistically speaking, most of it comes through the network. In fact, there's an entire framework that describes is called the cyber Kill Chain. This is really important because it basically maps out the pattern that every attacker follows, to perpetrate whatever they're trying to do. And if you can interrupt or break that chain, you can make a huge impact on protecting your critical assets. So let me just kind of walk through a couple steps in this common pattern. First of all, malicious actors perform reconnaissance or recon try to scan and see what assets and vulnerabilities exist. From there, they try to gain access to the network through the weakest link. Typically, it's credential theft, phishing or using an SSL VPN exploit. Next, they perform internal reconnaissance to identify the high value asset servers and data within that land. And then they try to use the same secure connection to deliver a payload and establish the back door.
Tom Field 03:56
So Tom give us some context, what evidence do you see as some of the latest attacks that have been getting our attention and news is full of them?
Tom Sego 04:04
If you're not kidding, I think in the last two quarters, we've witnessed at least five major ones with one last week. Starting with the solar winds attack, which was the supply chain attack, state actors perform reconnaissance on the solar winds network. They then use compromised credentials to locate and gain access to the Orion build server. Then they use that same channel to deploy a payload that went to the update build. And then they simply let the server update itself to all of its customers. Once the malware was inside the customers network, it again scanned and moved laterally, and then created a control back channel for future nefarious capabilities. The next big one was the half name attack on Microsoft Exchange. And again, actors were able to get inside the secure network most likely through compromised credit. Then they performed recon to identify the Exchange servers. From there, there was a publicly known vulnerability that bypass the authentication process. And they downloaded a payload, ran a script, created a remote command control back channel and exfiltrated email database. The next one was the Oldsmar water treatment plant in Pinellas County, Florida. And they're a hacker performed, guess what reconnaissance to the plant to discover how best to gain remote access through the TeamViewer. app. They then obtained a set of compromised credentials to connect to the command console. Have you heard this before? That Yeah, and then the next last week, the colonial pipeline attack was really bad. It brought down 45% of the fuel supply on the east coast. And guess how they started, they perform recon, they gained network access through compromised credentials or through a VPN exploit. They perform lateral movement to do recon within the network, deploy a payload, establish a backdoor, etc. So most of what you described isn't particularly sophisticated, but I haven't met anyone yet that said, they fell victim to an unsophisticated attack. In what ways would you say our adversaries are upping their sophistication? Yeah, well, I think there's three trends that are enabling that sophistication. And the first is just around monetizing anonymously, the ability to get paid through cryptocurrency. I think the second though, is there's this blurring of lines between cyber criminal groups and state actors to conduct political espionage or cyber warfare. And cyber criminals are almost like a well paid some subcontractor for these state actors. And finally, there's these explosion of tools ransomware as a service, we'd never heard of that before. And today, kids can learn how to hack into networks simply by watching YouTube videos, and downloading kits running these things from the dark web or internet. So really, there's kind of never been a better time to be a cyber criminal. It's easier and cheaper than ever. And plus, it's hard to get caught. Because attribution is really tricky in cyberspace, much more so than in the real world.
Well, good news is that there's job security and cyber security. So what new approach Do we need to take now to defending these entry points to the network?
Yeah, now we're getting down to the most important part in terms of what do we do about it? Well, I think we fundamentally need to rethink network security. We can't just secure networks by cobbling together these disparate tools and widgets, such as VPN segmentation policies, firewall rules, and hope to secure our assets. This is a game of whack a mole that the industry stuck in. So in order to create a dramatically more secure protective solution, it must be engineered from the ground up to eliminate massive classes of vulnerabilities. So we've got to break that cyber Kill Chain I talked about. So let me give you some specifics. So number one, we have to stop both external and internal reconnaissance by making those networks invisible and unresponsive to network scanning. Number 290 percent of network access as a result of phishing or credential theft, we need a better identity mechanism, this 50 year old approach of usernames and passwords, we need to get rid of them all together, so there's nothing to steal. Number three, we need to ensure that the connection is truly edge to edge. And it's impenetrable by combining remote user authentication when encryption land protection into a single layer, so you can't sniff the VPN tunnel, you can't use an SSL VPN exploit, you eliminate lateral movement within the land by binding access and visibility through policy. Number four, make it easy to deploy, provision and configure. Number five make it easy to use without requiring extensive training or changes to the network underlay. This takes a huge burden off the network team as segmentation and access control changes are massively time consuming, and fraught with human error. And the last thing I would do is make the product very lightweight and software base so you could effectively run it anywhere. And that's our team's vision for network protection in the modern world.
Well, that's exactly what I asked you about. Talk to me about BlastWave. How are you addressing these issues we've just talked about?
Well, everything I just described to you are the pillars of our flagship product blast shield, so deploys over any packet based network. It's built on self organizing patented peer to peer architecture and it deploys in minutes. Once it's deployed. Blast shield is itself invisible and renders your critical system and applications invisible to both outsiders and insiders. You can't do reconnaissance if you can't see it. The icing on the cake for my 10 years at Apple in terms of making things easy to use is to make remote access Dirt simple and use a multi factor authentication process that's similar to Apple Pay. And then lastly, you put the entire network provisioning and management console in an orchestrator that's hosted within the blashill network. So there's no exposed web services. And this last points a very big deal and a high point of differentiation because if you look at the specific CV ease for existing VPN vendors, a large portion of the vendors and vulnerabilities are in the web services, and we eliminate this entire class and greatly reduced the surface of the process.
Tom Field 10:41
Well said, Tom, I appreciate your time today. Thanks so much for taking time to speak with me and to shed some light on blast play.
Thank you, Tom.
You've just heard about defending entry points you've heard from Tom Sego. He is the founder and CEO of BlastWave Inc., for Information Security Media Group at RSA conference 2021 I’m Tom Field, and as always, I'm grateful you gave us your time and attention. Thank you so much.
Thank you, Tom.