Posts

The RSA Report: Boots on the Ground

All good things must come to an end, and the RSA Conference is no exception. But this year’s RSAC ended on a definite high note, packing as many actionable insights as possible into the final few sessions.

Much of today’s cybersecurity guidance advises businesses to think in terms of when an attack occurs, not if. But very little of it explains what that eventuality might look like. “Ransomware: From the Boardroom to the Situation Room” pulled the curtain back on the government’s response to a series of ransomware attacks on our country’s critical infrastructure. The real-time simulation offered the audience a seat at 1600 Pennsylvania Avenue as key members of the National Security Council’s staff, staff of the National Cyber Director and representatives of various federal departments convened to discuss what had happened and how best to respond.

Obviously, given the high total cost of ransomware, it’s best to avoid an attack in the first place. SonicWall’s multi-layer solutions are designed to stop even the most advanced ransomware attacks. SonicWall has helped countless companies harden against ransomware, including McAuley House School, which switched to SonicWall after a series of successful ransomware attacks and called their new SonicWall solution the “best security investment decision we’ve ever made.”

Incident response was also a theme in the next session, “Investigation & Incident Response Challenges for the Hybrid Enterprise.” This session explored a survey of more than 250 individuals involved with cyber investigations in a wide swath of industries, in public, private and government organizations of all sizes. This survey yielded some alarming results: Less than a third of respondents were confident in their team’s ability to track an incident through both cloud and legacy environments, and nearly three-fourths weren’t confident that they collected all data needed to investigate a breach.

Part of the problem stemmed from the tools used: While 74% said they used a SIEM, there were limits on the collection and retention of data due to the work and cost intensiveness involved. And with under a third of respondents integrating non-security data into investigations, investigating some incidents — particularly those involving insiders — will prove much more difficult.

Unfortunately, incidents involving insiders are increasingly common: In “Ghosts in the Machine: Is There a Security Patch for People?,” FBI Special Agent Greg Concepcion and Nisos Intelligence Advisor Paul Malcomb revealed that today, 82% of security incidents are related to insiders — up 72% since 2020. The speakers explained the various groups who generally represented insider threats, from VIPs and Money Movers to Sensitive IP handlers and System Admins and Developers — along with what sort of threat they were most likely to fall for (phishing ranked high on the list for almost everyone) and the best way to limit their ability to cause accidental or intentional harm.

Since most of the harm is non-malicious, there are many steps that can be taken to reduce your risk, such as implementing multifactor authentication and ensuring employees are following basic best practices concerning password hygiene, double-checking urgent requests for money or sensitive information, and phishing awareness.

Another step that can help is the implementation of Zero Trust, but as the panelists in “It’s All Geek to Me: Communicating the Business Value of Zero Trust” explained, it can be difficult to get leaders and stakeholders on board with making that investment. However, since the impact Zero Trust can have on your security posture can be enormous, it’s important to frame the ideas of identity, the integration of security controls, and risk in a way that’s accessible and not overly technical or complex.

If you’re ready to explore a zero-trust solution, SonicWall or one of our trusted partners can help you put together the case for taking this positive step for your network security.

While we’re always a bit sad to see RSA draw to a close, we know the lessons and key learnings we gained on this journey will continue to inform and enrich us well into the future. Thanks for following our RSA coverage, and we hope to see you next year at RSAC 2024!

Why 5G Needs to Start with Secure Network Access

The latest cellular connectivity standard, 5G, has taken wireless performance to the next level. Apart from improving throughput speeds, efficiency and latency, 5G will be able to support a massive scale of devices and simultaneous connections.

The software-defined architecture of 5G, including 5G security, brings forward use cases that were not previously imaginable. 5G is the first generation of cellular technology that is designed with virtualization and cloud-based technology in mind. With cloud-based technologies, software execution can now be disconnected from specific physical hardware by utilizing Software Defined Networking (SDN) and Network Function Virtualization (NFV).

Mobile security has significantly evolved since the 4G days, and today’s 5G standard offers several strong security capabilities, such as features for user authentication, traffic encryption, secure signaling and user privacy. However, as the technology is still new and evolving, the concept of “5G security” lacks an official definition.

While 5G networks are still in the deploy-and-expand mode, the introduction of untested and unverified 5G-enabled products and services has created opportunities for bad actors to exploit the new technology and architecture.

As 5G adoption accelerates, organizations will need higher levels of network security and reliability to protect both their users and their business-critical applications. Here are a few reasons why:

  • 5G enables digital transformation, but also enables opportunities for cybercrime.
  • The migration of applications and network functions to the cloud, along with network slicing, opens new attack surfaces.
  • An ever-increasing number of endpoints and the adoption of distributed or remote work arrangements redefine the network perimeter daily.
  • Network and threat visibility challenges lead to an increased attack surface, thus creating new entry points for bad actors.
  • This expanded and undefined security perimeter is hard to control and monitor.

5G and Secure Network Access

Security teams have a gigantic task ahead of them when it comes to securing their network for 5G, including implementing the right policies for users, devices and applications. Organizations must adopt models like Zero-Trust Network Access (ZTNA), which lets security teams set up least-privilege, granular access alongside authentication and authorization of every user and device throughout the network. This substantially lowers the chances of bad actors infiltrating your network.

ZTNA’s emphasis on eliminating implicit trust and requiring validation of each access request is the new secure way to move forward. A Zero Trust framework ensures complete visibility and control of the 5G infrastructure, including connecting devices, networking interfaces, applications and workloads. Zero Trust security can help organizations quickly identify and act against various security threats.

ZTNA is flexible enough to be adapted for various systems. 5G Zero-Trust architecture is end-to-end — including radio access network, transport and core — and consists of multiple layers. Security built on the Zero-Trust Architecture logical elements (as defined in NIST SP 800-207) establishes trust in user identity and device, enhances end-to-end visibility, and controls every device accessing the network using any cloud deployment model. Below is the logical Zero-Trust architecture for 5G (as per NIST SP 800-207) that can be employed by 3GPP-based systems:

[Figure: Zero Trust Architecture (ZTA) and its policy components.]

Together, the Policy Engine (PE) and Policy Administrator (PA) form the Policy Decision Point (PDP), which makes decisions enforced by the Policy Enforcement Point (PEP). Policy frameworks are employed in 3GPP-based systems to manage access to resources in different security domains.

While adopting Zero-Trust principles for 5G security, organizations can improve security from multiple angles:

  • Least Privilege: Allows precise access, combined with context, to 5G network functions.
  • Identity Validation: Defines identity to encompass all users and devices that require access to protected resources.
  • Network Segmentation: Protects sensitive data and critical applications by leveraging network segmentation, preventing any lateral movement.
  • Security Policies: Implement precise 5G security policies for granular control over data and applications.
  • Continuous Validation: Eliminates implicit trust and continuously validates every stage of digital interaction.
  • Protection of Cloud-Native Network Function (CNF) Workloads: Protects CNF running on public or private cloud throughout their Continuous Integration / Continuous Deployment lifecycle.
  • Monitoring and Auditing: Monitors all interactions between users, devices and network functions at various layers.
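
The PE/PA/PEP split described above, together with the least-privilege and continuous-validation items in the list, can be seen in a small model. This is an added example, not code from NIST SP 800-207 or any vendor; the policy table, role and resource names, signing key and token format are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed least-privilege policy: (role, resource) -> allowed actions.
# Anything not listed is denied by default.
POLICY = {
    ("ran-operator", "nf/amf/config"): {"read"},
    ("core-admin", "nf/amf/config"): {"read", "write"},
}
SIGNING_KEY = b"demo-key-constructed-for-example"  # hypothetical; use a managed secret
TOKEN_TTL = 30  # seconds; a short lifetime forces the subject back through the PDP

@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    device_compliant: bool
    resource: str
    action: str

def policy_engine(req):
    """PE: decide allow/deny from identity, device posture and policy."""
    if not req.device_compliant:
        return False
    return req.action in POLICY.get((req.role, req.resource), set())

def _sign(subject, resource, action, expires):
    msg = f"{subject}|{resource}|{action}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def policy_administrator(req, now):
    """PA: turn a PE 'allow' into a short-lived token scoped to one resource and action."""
    if not policy_engine(req):
        return None
    expires = int(now) + TOKEN_TTL
    return {"subject": req.subject, "resource": req.resource, "action": req.action,
            "expires": expires,
            "mac": _sign(req.subject, req.resource, req.action, expires)}

def policy_enforcement_point(token, resource, action, now):
    """PEP: admit only a valid, unexpired token for exactly this resource and action."""
    if token is None:
        return False
    expected = _sign(token["subject"], token["resource"], token["action"], token["expires"])
    if not hmac.compare_digest(expected, token["mac"]):
        return False  # token was altered after the PA issued it
    if now >= token["expires"]:
        return False  # implicit trust has lapsed; the subject must be re-evaluated
    return token["resource"] == resource and token["action"] == action
```

The PEP never consults the policy table itself: it only checks what the PDP signed, so a change in device posture or role takes effect as soon as the current token expires.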

The bottom line is this: ZTNA for 5G presents an opportunity for organizations to rethink how users, applications and infrastructure are secured — and ensure that they’re secured in a way that is scalable and sustainable for modern cloud, SDN-based and open-sourced environments while supporting a smoother, more efficient path to digital transformation.

 

Enhance Security and Control Access to Critical Assets with Network Segmentation

Before COVID-19, most corporate employees worked in offices, using computers connected to the internal network. Once users connected to these internal networks, they typically had access to all the data and applications without many restrictions. Network architects designed flat internal networks where the devices in the network connected with each other directly or through a router or a switch.

But while flat networks are fast to implement and have fewer bottlenecks, they’re extremely vulnerable — once compromised, attackers are free to move laterally across the internal network.

Designing flat networks at a time when all the trusted users were on the internal networks might have been simpler and more efficient. But times have changed: Today, 55% of those surveyed say they work more hours remotely than at the physical office. Due to the rapid evolution of the way we work, corporations must now contend with:

  • Multiple network perimeters at headquarters, in remote offices and in the cloud
  • Applications and data scattered across different cloud platforms and data centers
  • Users who expect the same level of access to internal networks while working remotely

While this is a complex set of issues, there is a solution. Network segmentation, when implemented properly, can unflatten the network, allowing security admins to compartmentalize internal networks and provide granular user access.

What is network segmentation?

The National Institute of Standards and Technology (NIST) offers the following definition for network segmentation: “Splitting a network into sub-networks; for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.”

The main principle of segmentation is making sure that each segment is protected from the other, so that if a breach does occur, it is limited to only a portion of the network. Segmentation should be applied to all entities in the IT environment, including users, workloads, physical servers, virtual machines, containers, network devices and endpoints.

Connections between these entities should be allowed only after their identities have been verified and proper access rights have been established. The approach of segmenting with granular and dynamic access is also known as Zero Trust Network Access (ZTNA).

As shown in Figure 1, instead of a network with a single perimeter, inside which entities across the network are freely accessible, a segmented network environment features smaller network zones with firewalls separating them.

Achieving network segmentation

Implementing segmentation may seem complex, and figuring out the right place to start might seem intimidating. But by following these steps, it can be achieved rather painlessly.

1. Understand and Visualize

Network admins need to map all the subnets and virtual local area networks (VLANs) on the corporate networks. Visualizing the current environment provides a lot of value right away in understanding both how to and what to segment.

At this step, network and security teams also need to work together to see where security devices such as firewalls, IPS and network access controls are deployed in the corporate network. An accurate map of the network and a complete inventory of security systems will help tremendously in creating efficient segments.

2. Segment and Create Policies

The next step in the process is to create the segments themselves: Large subnets or zones should be segmented, monitored and protected with granular access policies. Segments can be configured based on a variety of categories, including geo-location, corporate departments, server farms, data centers and cloud platforms.

After defining segments, create security policies and access-control rules between those segments. These policies can be created and managed using firewalls, VLANs or secure mobile access devices. In most cases, security admins can simply use existing firewalls or secure mobile access solutions to segment and create granular policies. It’s best for administrators to ensure that segments and policies are aligned with business processes.

3. Monitor and Enforce Policies

After creating segments and policies, take some time to monitor the traffic patterns between those segments. The first time the security policies are enforced, it may cause disruption to regular business functions. So it’s best to apply policies in non-blocking or alert mode and monitor for false positives or other network errors.

Next, it’s time to enforce policies. Once the individual policies are pushed, each segment is protected from cyber attackers’ lateral movements and from internal users trying to reach resources they are not authorized to use. It’s a good idea to continuously monitor and apply new policies as needed whenever there are changes to networks, applications or user roles.
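
The three steps above can be rehearsed offline before any firewall rule is pushed. The following is an added example, not SonicWall configuration or code: the segment map, allow rules and flow records are constructed, and the flow tuple format (source, destination, destination port) is an assumption about what your flow logs provide.

```python
import ipaddress
from collections import Counter

# Step 1 (constructed inventory): segments taken from the subnet/VLAN map.
SEGMENTS = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
}
# Step 2: inter-segment allow rules (src segment, dst segment, dst port).
# Everything else between segments is denied by default.
ALLOW = {
    ("users", "servers", 443),
    ("finance", "servers", 443),
    ("finance", "servers", 1433),
}

def segment_of(ip):
    """Map an address to its segment; the longest matching prefix wins."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    return max(matches)[1] if matches else "unknown"

def evaluate(flow, mode="alert"):
    """Return (verdict, src_segment, dst_segment) for one (src, dst, port) flow."""
    src, dst, port = flow
    s, d = segment_of(src), segment_of(dst)
    if s == d and s != "unknown":
        return ("allow", s, d)  # intra-segment traffic is outside these rules
    if (s, d, port) in ALLOW:
        return ("allow", s, d)
    # Alert mode only records the violation; enforce mode would drop the flow.
    return ("alert" if mode == "alert" else "block", s, d)

def alert_summary(flows):
    """Step 3: count would-be blocks per rule key to spot missing rules or real abuse."""
    hits = Counter()
    for flow in flows:
        verdict, s, d = evaluate(flow, "alert")
        if verdict == "alert":
            hits[(s, d, flow[2])] += 1
    return hits

# Constructed flow records: (src, dst, dst_port)
FLOWS = [
    ("10.10.4.7", "10.30.0.5", 443),
    ("10.10.4.7", "10.20.0.9", 445),   # workstation reaching the finance segment
    ("10.20.0.9", "10.30.0.8", 1433),
    ("10.10.8.2", "10.30.0.5", 22),
    ("10.10.8.3", "10.30.0.5", 22),
    ("192.0.2.50", "10.20.0.9", 443),  # source outside every mapped segment
]

if __name__ == "__main__":
    for key, count in alert_summary(FLOWS).most_common():
        print(key, count)
```

Each entry in the summary is either a legitimate business flow that needs a rule before enforcement or traffic that should stay blocked; repeated hits from an "unknown" source also point to gaps in the step 1 inventory.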

Policy-based segmentation: A way forward for distributed networks

What today’s enterprises require is a way to deliver granular policy enforcement to multiple segments within the network. Through segmentation, companies can protect critical digital assets against any lateral attacks and provide secure access to remote workforces.

The good news is that, with the power and flexibility of a next-generation firewall (NGFW) and with other technologies such as secure mobile access and ZTNA solutions, enterprises can safeguard today’s distributed networks by enforcing policy-based segmentation.

SonicWall’s award-winning hardware and advanced technologies include NGFWs, Secure Mobile Access and Cloud Edge Secure Access. These solutions are designed to allow any network — from small businesses to large enterprises, from the datacenter to the cloud — to segment and achieve greater protection with SonicWall.

Learn more about how segmenting your network can help you enhance security and control access to your organization’s critical assets.

Unpacking the U.S. Cybersecurity Executive Order

Amid the 2021 wave of frequent, high-profile ransomware attacks on U.S. organizations, the White House issued its “Executive Order on Improving the Nation’s Cybersecurity.” Section 3 of the order states:

“The federal government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”

There are several important implications in this section that will have lasting impact on the cybersecurity industry as a whole.

Zero Trust Architecture

The Zero Trust cybersecurity model implements the elusive concept of “never trust, always verify.” While the concept has been around for longer than most practitioners realize, the recent uptick in cybercrime and the responding push by various security analysts and vendors has put the idea back in the spotlight.

The executive order directs government agencies to move towards a Zero Trust model, but the effects will be much further reaching. As government agencies rush to implement Zero Trust, enterprises working with these agencies are expected to follow suit to protect both the government and their own infrastructure. This will accelerate the already-in-progress shift to Zero Trust security.

Unfortunately, malicious actors don’t discriminate between federal agencies and the private sector. Whether your organization is a small business trying to get off the ground or an established one with millions of dollars’ worth of federal government contracts, it’s essential for it to follow the best practices and implement Zero Trust Network Access (ZTNA).

A Move Towards the Cloud

I remember when as-a-service cloud solutions were first introduced. Most vendors had two sets of offerings — one in the cloud and another in the form of an appliance for government agencies that were cloud averse. Those days are long gone: Today many cloud providers have their own government-sanctioned, FedRAMP-compliant cloud solutions.

This executive order is asking the federal government to embrace and implement cloud XaaS solutions, be it SaaS, IaaS or PaaS. Due to federal regulations, government agencies were the last holdouts to cloud transformation, and this order is removing that hurdle.

Whether your organization is using cloud services like AWS, Azure or Google Cloud, or is running its own private cloud, it is important to plan and implement security guard rails in your architecture from the beginning.

Centralized Management

Note that the order is asking for centralized and streamlined access to analytics. While this is not directly mandated in the order, this screams cloud-delivered management services. After all, what better way to centralize and streamline access to a resource than by putting it on the cloud? However, there are many pitfalls associated with this approach.

IT Supply Chain: A Word of Caution

The recent pandemic has shown how interconnected the global supply chain really is. We are seeing delays and increased costs in everything from electronic chips to bicycle parts. Security admins should also consider the interdependencies of security in their IT supply chain.

Recent high-profile attacks like that on SolarWinds reiterated the old adage that any system is only as strong as its weakest link. Many multinational enterprises were impacted because they were using SolarWinds’ technology. Malicious actors infiltrated the supply chain of SolarWinds and inserted a backdoor into their product. When customers downloaded the Trojan Horse installation packages from SolarWinds, it gave hackers access to the partners’ environment. This was a sophisticated attack: the cybercriminals even randomized their code in order to bypass the traditional scanners looking for known indicators of compromise (IOC).

Unfortunately, one of the downsides of moving to the cloud is the dependency on other vendors’ infrastructure and security practices. This issue becomes even more relevant as the cloud infrastructure becomes more complex and interconnected.

Security admins would be wise to audit their partner infrastructure, especially XaaS ones, to ensure that they are not inadvertently integrating with a vulnerable environment.