Remember when firewalls first became popular? When enterprises began installing firewalls in earnest, they quickly defined our network’s protective perimeter. Over the years, this perimeter has evolved from a hardware focus to one more defined by software, to where Bruce Schneier officially proclaimed their ultimate death a few years ago.
Part of this evolution is the changing nature of the attacks we experience along with the changing nature of our enterprise networks. Back when everyone was working from well-defined offices, we could definitely state that there was a difference between what was considered “outside” and “inside” the corporate network. But then the Internet happened, and we all became connected. Even before the pandemic, there was little difference. With the advent of the cloud, and definitely since the pandemic began, we are all out. That wise infosec sage Jerry Seinfeld once said this in an opening monologue to his TV series in 1989. We no longer worry about “bringing your own device.” We are all working from home, using devices that aren’t necessarily ones that IT has purchased and sharing them with other family members. As my colleague Scott Fulton wrote about this in 2017, “Once the distinctions between inside and outside have been effectively erased, an outside user would be treated exactly the same as one inside the office.” You could argue that he was talking from the opposite perspective, but with the same result.
This has given rise to the concept of zero-trust networks, a topic that I touched upon in my March 2019 post. In that post, I talk about the shades of grey that are now accepted as part of the authentication process: not only is there no distinction between inside and outside the corporate network, but there is nothing that is fully trusted anymore. As I mentioned in that post, the zero-trust concept is really a misnomer: instead, we should strive for a zero-risk model. RSA CTO Dr. Zulfikar Ramzan has long advocated doing this, because it gets IT staffs to examine what is really important: identifying and securing key IT assets and data, as well as that from third parties.
Once consequence of a zero-risk model is that today the new network perimeter really depends on the integrity of our endpoint devices. The endpoint is the first thing that can fall victim to a phishing lure and it is the first place that attackers look for a sign of an unpatched OS or a smartphone that is secretly running malware. Recent surveys show that the pandemic is making it easier for cybercriminals to target mid-level managers, with various lures such as Covid-related ones to more traditional business impersonations.
That doesn’t mean we need to let a thousand firewalls bloom, but it does mean that endpoint detection and response tools have to do a lot more these days than just scan for malware and compromises. Instead, we need a whole army of protective features that is working for us, to prevent our endpoints from being an attractive place for attackers to try to leverage. The vendors in the endpoint space have risen to meet these challenges, and have added features such as:
- Ad hoc queries (to search for new compromises),
- Better security policy enforcement and reporting,
- Automatic discovery of outliers and unmanaged endpoints,
- Detection of lateral network movement (for better early attack notifications),
- Better remediation and deployment tactics (to upgrade large populations of outdated endpoints),
- Better patch management (ditto), and
- Integration into existing protective gear such as event and service management tools.
That is a tall order for any security tool to handle. But as we continue to work from home, we need the appropriate protection. As Pogo once said, “we have met the enemy and he is us.”
The original idea behind honeypot security was to place a server on some random Internet link and sit back and wait until some hacker happened by. The server’s sole purpose would be to record the break-in attempt — it would not be part of a normal applications infrastructure. Then a researcher would observe what happened to the server and what exploit was being used. A honeypot is essentially bait (passwords, vulnerabilities, fake sensitive data) that’s intentionally made very tempting and accessible. The goal is to deceive and attract a hacker who attempts to gain unauthorized access to your network.
