Zero Trust – Security Intelligence (https://securityintelligence.com)

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about
https://securityintelligence.com/articles/overheard-at-rsa/
Tue, 14 May 2024 13:00:00 +0000

At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”).

The chatter around AI shouldn’t have been a surprise to anyone who attended RSAC in 2023. Generative AI as we know it today was only a few months old then. Everyone wanted to talk about it, but no one was quite sure of the impact it would have on cybersecurity.

A year later, there are still a lot of questions, but the profession has embraced AI into its tools and solutions. It was by far the most popular topic across the educational sessions and in demonstrations and presentations across the Expo. But it wasn’t the only issue that cybersecurity professionals were contemplating. Here are some of the most popular topics that people at RSAC were talking about.

AI isn’t just generative AI

There were over 100 sessions that dealt with AI at the conference. Many conference attendees were most interested in the double-edged sword of generative AI: how to use it as a tool to detect and prevent cyberattacks and how cyber criminals use the technology to launch attacks. AI’s role in misinformation campaigns and developing deepfakes has many people worried about a significant shift in the way threat actors use social engineering. This worry only compounds with the concern that security awareness training won’t be able to keep up.

The term “shadow AI” was mentioned a number of times, often by CISOs who expressed concern that the risks faced through shadow IT and shadow cloud behaviors are beginning to repeat themselves in the use of unauthorized AI. Right now, much of shadow AI is related to employees who use tools like ChatGPT for research resources and trusting the information they receive as absolute truths. But as employees become more sophisticated in using AI tools and as generative AI shows itself as a potential security risk, CISOs want to see steps taken to get AI policies and approved tools adopted into the organizations sooner rather than later.

However, one of the issues that cybersecurity experts were quick to point out is the need to separate generative AI from other types of AI. Because of the overwhelming presence of AI throughout the conference, the technology has this feeling of newness to it, that it is something that was just introduced in the past year. Many of the panel discussions covered machine learning and large language models and how to build on the predictive benefits these technologies bring to cybersecurity tools. AI isn’t new, one CISO said; it’s been around in some form for decades. The hope is that the AI hype of this year settles down by RSAC 2025 and that there will be more positive discussions around building better predictive models with AI or more defined uses of the tool.

Data governance and AI

One topic that seemed to come up almost as much as AI was data governance. Some of the conversations were around AI’s role in data governance, but cybersecurity professionals also spoke of the need to know their data and build out policies that will meet ever-evolving compliance standards. Data governance was commonly mentioned alongside the SEC cybersecurity disclosure rules and other government regulations. As one cybersecurity executive pointed out, the struggle with data governance comes down to the differing biases of three groups within a company: the engineers who create the data, the C-suite team who use the data, and the CISO who controls the data and the security around it. There is no agreement on what determines metadata, and until there is governance that reconciles all three viewpoints, true data governance will be difficult, if not impossible, to achieve, and that hurts overall security efforts.

The absence of zero trust

In 2023, zero trust was far and away the most discussed topic at RSAC. While everyone wanted to talk about generative AI last year, it was often centered around zero trust architecture and principles. This year, zero trust was pushed into the RSAC dustbin. Oh, it was still there: eight sessions had a focus on zero trust and it was highlighted in more than a few company displays. But it has moved beyond its initial buzz, which one CISO suggested wasn’t that surprising.

Applying zero trust principles is time-consuming, and because it has been a couple of years since the White House released its cybersecurity executive order, many companies are already well into their zero trust journey. It may be because it is no longer the “it” buzz term, or it may be because there isn’t the demand for more information, but the glow around zero trust has officially dimmed.

Budgets, or lack thereof

At the brunch roundtable mentioned earlier, one of the CISOs said they expected to hear a lot about security budgets, or, more to the point, the lack of security budgets. Funding for security was a topic that came up frequently, as many security professionals weren’t afraid to say they were dealing with a delicate balance to manage budget cuts with rising costs around cyber incidents.

IT and security departments need to do a better job of learning the language of business executives and explaining how and why cybersecurity fits into the corporate model and overall business operations. But if cuts to the security budgets continue, with layoffs of experienced security personnel and the inability to get the tools needed to keep up with the latest threats—especially around AI security models—companies will get hit with cyberattacks, and the costs will be greater than the budget cuts.

It’s clear from this year’s RSAC that we’re just at the tip of the iceberg when it comes to AI advancements—and the hype around it doesn’t appear to be going anywhere anytime soon. But what security concern, emerging tech or new marketing buzzword will be top of mind for attendees at next year’s RSAC?

Does your security program suffer from piecemeal detection and response?
https://securityintelligence.com/posts/does-your-security-program-suffer-piecemeal-detection-response/
Thu, 05 Oct 2023 11:00:00 +0000

Many organizations face siloed and disjointed threat detection and response systems as part of their security program. Learn how to treat the affliction known as piecemeal detection and response.

Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include:

If any of these symptoms resonate with your organization, it’s time to address PDR.

I know what you’re thinking: PDR isn’t really a thing. You’re right. The security industry already has an overloaded number of “DR” terms (EDR, NDR, CDR, MDR, XDR, TDIR, etc.), and there is no industry PDR term, but the sentiment behind our playful acronym is certainly real. Case in point: look at the number of “DR” acronyms in the previous sentence. The industry as a whole is fragmented, and this has resulted in many enterprises suffering from PDR.

Why PDR happens

PDR side effects often include malaise, restlessness, a sense of unmanaged risk, a willingness to get distracted by generative AI, a compulsion to attend conferences outside of the office and an uncharacteristic joyfulness when attending budget meetings. This all results from the fact that the road to recovery from PDR can often be difficult. How did you get PDR anyway?

PDR may have snuck into your security program. You were happy with your SIEM, and then endpoint detection and response (EDR) came along and demanded to run “outside the SIEM,” and you thought, “That’s not so bad.”

Then attack surface management (ASM) came along and didn’t integrate with anything, but you knew you couldn’t detect and respond to threats in assets that you don’t know about, so you needed to buy that stand-alone ASM tool.

Identity threat management came along but that was only available from your current identity vendor and didn’t integrate with your user behavior analytics (UBA) system. Next thing you know you’ve got PDR.

Five treatment goals for PDR

1. Consolidation

We’re not just talking about vendors, but tool and workflow consolidation. Most of the new security technologies you bought as an independent capability over the last 3-5 years have been paired or integrated by a vendor looking to capture market share by adding adjacent capabilities. Make sure you understand what can be “good enough” versus “best in class” when looking to consolidate capabilities. If you’re consolidating vendors, select vendors that first and foremost commit to extensibility and integration.

2. Proactive security

Instead of merely reacting to threats, focus on proactive measures. Reduce your attack surface by investing in exposure management. Establish a program that includes services such as code analysis, attack surface management, enterprise detection engineering, penetration testing, adversary simulation, threat hunting, and vulnerability management.

3. Zero trust in the cloud

You might be wondering how zero trust earned a spot in a detection and response to-do list. I recognize that distributed (aka federated) enterprise threat detection and response (TDR) is still maturing.

A common scenario today is a hybrid cloud environment that uses cloud-native security capabilities, but because extracting telemetry from the cloud hyperscalers is cost-prohibitive, security teams end up supporting two disconnected environments. Until federated detection and response tooling improves, the best universal strategy is to use the cloud detection and response tooling needed to support the business transition to cloud, while focusing more security attention on prevention when adopting cloud-native security capabilities. Ensure all the zero trust concepts you worked so hard to define and implement in your legacy environment also extend to your cloud environments.

4. Strategic planning

Take an inventory of your current PDR capabilities and define your future state. Realize that your strategy may need to play out over multiple years.

5. Threat management architect

Appoint a threat management architect with both technical expertise and the ability to evangelize security principles. They should understand the holistic concept of cyber resilience, which encompasses more than just backups and recovery but also anticipates and prepares for threats while maintaining business continuity.

Seeking help from a PDR professional

If PDR is deeply embedded in your organization, consider enlisting the expertise of a PDR professional. Look for a professional with advanced capabilities who can enhance your existing investments rather than pushing for new software adoption. They should offer a range of services, including application and database security, and be well-versed in cloud environments. Ensure your chosen PDR professional can provide a comprehensive portfolio of services, spanning threat prevention to incident response.

Overcome PDR with threat detection and response services

IBM Consulting has services professionals who are certified PDR recovery professionals. The new Threat Detection and Response (TDR) service from IBM’s Cyber Threat Management Services is designed with many of the principles covered here. You don’t need to make a massive investment in AI; we’ve been doing that for years. You don’t need to rip and replace any of the investments you’ve made; we support the broadest ecosystem of vendors.

Starting with TDR is as simple as joining us for the webinar on November 1 to learn more, or reading the press release to learn how you can reduce cyber risk and lower incident costs by 65% with the Threat Detection and Response service. You can also check out our recent managed detection and response (MDR) market leadership in this KuppingerCole Report.

We’ll get you on the road to PDR recovery in no time.

Zero trust data security: It’s time to make the shift
https://securityintelligence.com/articles/zero-trust-data-security-time-to-shift/
Thu, 27 Apr 2023 13:00:00 +0000

How do you secure something that no longer exists? With the rapid expansion of hybrid-remote work, IoT, APIs and applications, any notion of a network perimeter has effectively been eliminated. Plus, any risk inherent to your tech stack components becomes your risk whether you like it or not.

Organizations of all sizes are increasingly vulnerable to breaches as their attack surfaces continue to grow and become more difficult — if not impossible — to define. Add geopolitical and economic instability into the mix, and the danger of cyberattacks has become alarmingly high. From a debilitating ransomware strike to the exfiltration of delicate customer data, the risks are tangible and potentially devastating.

Given the current context, zero trust has emerged as the most prevalent security strategy by far. The fundamental idea behind zero trust is simple: trust nothing; verify everything. Zero trust enables organizations to adopt a holistic security approach that verifies the credibility and authenticity of all users, devices and systems that interact with their networks and data. As attacks continue to escalate, companies are realizing that zero trust is becoming essential for business survival.

As with any substantial strategy change, implementing zero trust can be difficult. While many companies have started the journey, few have successfully implemented an organization-wide zero trust security approach. In fact, Gartner predicts only 10% of large enterprises will have a mature and measurable zero trust program in place by 2026.

Are there any ways to facilitate a faster move to zero trust?

Moving forward on zero trust security

Zero trust is more a security philosophy than a security architecture. For this reason, a successful transition to zero trust security requires strong leadership. Business leaders must avoid the misconception that zero trust is just another set of security tools. Done correctly, adopting zero trust means taking charge of a new core security strategy for the entire organization, and this requires someone to claim ownership over driving the change.

How critical is the need for this new approach? The Pentagon plans to implement a zero trust architecture across its entire enterprise by 2027, according to Department of Defense CIO John Sherman. This is further backed by an announcement from the Executive Office of the President about government-wide zero trust goals. Top-level buy-in is essential to move forward with zero trust implementation.

Key concepts of zero trust governance

As the perimeter model for security has become obsolete, context has emerged as the most viable way to envision secure networks and data. The question is who (or which software or machines) should have access to what, when and for how long? Zero trust mandates that security teams capture and use information from across the business to create context. This enables quick and automated decision-making about each connection’s trustworthiness. And given today’s attack surface fluidity, execution must be continuous and AI-assisted.

Organizations frequently drop the ball on zero trust since they fail to grasp the underlying governance required. Once these concepts are fully understood, then the right tools can be selected to make zero trust a reality.

A zero trust governance model is determined by:

  • Context definition. Context means understanding users, data and resources to create coordinated security policies aligned with the business. This process requires discovering and classifying resources based on risk. From there, resource boundaries are defined and users are classified according to roles and duties.
  • Verification and enforcement. By quickly and consistently validating context and enforcing policies, zero trust provides adaptable but secure protection. This requires AI-assisted monitoring and validating all access requests against policy conditions to grant the right access quickly and consistently to the right resources.
  • Incident resolution. Resolving security violations through targeted actions helps reduce the impact on business. This requires preparation and context-specific action, such as revoking access for individual users or devices, adjusting network segmentation, quarantining users, wiping devices, creating an incident ticket or generating compliance reports.
  • Analysis and improvement. Continuous improvement is achieved by adjusting policies and practices to make faster, more informed decisions. This requires continuous evaluation and adjustment of policies, authorization actions and remediation tactics to secure each resource.

The risks of not implementing zero trust security

The IBM Security X-Force Threat Intelligence Index 2023 reveals that phishing remains the top way attackers gain access to sensitive data and networks (41% of incidents evaluated). For example, LockBit is perhaps the most active and dangerous ransomware today. During the past several weeks alone, reports have surfaced naming the threat group in breaches of the U.K. Royal Mail, the Argentine Grupo Albanesi, Indian chemical business SRF, over 200 CEFCO convenience stores in the southern US and a Portugal water authority.

LockBit usually gains a foothold through phishing and social engineering techniques. While employee cyber awareness makes a difference, given enough phishing attempts, some are likely to result in a breach. And once LockBit attackers gain entry, they will seek to elevate access privilege.

Privileged users have elevated access to critical systems, data and functions. But security solutions must vet, monitor and analyze their advanced entitlements to protect resources. As a cornerstone of zero trust, privileged access management (PAM) and its cousin identity and access management (IAM) can discover unknown accounts, reset passwords automatically and monitor anomalous activity.

PAM is one way a zero trust strategy manages, protects and audits privileged accounts across their life cycles. The same security measures can apply to devices, servers and other endpoints with administrative privileges. Both PAM and IAM are tools available now, and these methods can successfully detect and deter LockBit-like intruders attempting to gain access to sensitive data.

The alternative is to rely on employee cyber training, ineffective firewalls and antiquated first-generation identity as a service (IDaaS) solutions to catch intruders who can lurk in networks for months before being detected.

Zero trust secures the new perimeter-less reality

Modern security should allow work from any place on any device with access to tools and data within any ecosystem. It should provide real-time context across all domains. Meanwhile, threats continue to grow in severity and sophistication. This is why organizations are quickly moving to implement zero trust solutions. Leveraging a standard, cloud-based authentication platform would be a critical first step to modernizing identity services for zero trust.

In conclusion, zero trust has moved far beyond the conceptual phase. In some enterprises, it already supports tens of millions of internal and external identities. With the rise of cyber threats, the time for zero trust is now.

How zero trust changed the course of cybersecurity
https://securityintelligence.com/articles/how-zero-trust-changed-cybersecurity/
Mon, 17 Apr 2023 13:00:00 +0000

For decades, the IT industry relied on perimeter security to safeguard critical digital assets. Firewalls and other network-based tools monitored and validated network access. However, the shift towards digital transformation and hybrid cloud infrastructure has made these traditional security methods inadequate. Clearly, the perimeter no longer exists.

Then the pandemic turned the gradual digital transition into a sudden scramble. This left many companies struggling to secure vast networks of remote employees accessing systems. Also, we’ve seen an explosion of apps, APIs and IoT devices all clamoring to connect to networks. And from a security standpoint, the disappearance of the perimeter represents unprecedented challenges.

Back in 2009, Forrester analyst John Kindervag saw this change coming fast, and he coined the term zero trust. It centers on the belief that trust is a vulnerability, and security must be designed with the strategy, “Never trust, always verify.”

How has zero trust changed the course of cybersecurity? Let’s find out.

Operation Aurora

Operation Aurora was a series of cyberattacks carried out by advanced persistent threats (APTs) allegedly linked to China. Made public in a Google blog post in 2010, these attacks took place from mid-2009 to late 2009.

Several well-known organizations, such as Adobe Systems, Akamai Technologies, Juniper Networks and Rackspace, confirmed that these attacks had targeted them. Other companies such as Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical also reported that they had suffered from malicious actions.

In response to these attacks, Google created BeyondCorp — which became the company’s implementation of the zero trust model. In a 2014 newsletter, BeyondCorp stated:

“With the advent of a mobile workforce, the surge in the variety of devices used by this workforce and the growing use of cloud-based services, additional attack vectors have emerged that are stretching the traditional paradigm to the point of redundancy… One should assume that an internal network is as fraught with danger as the public Internet and build enterprise applications based upon this assumption.”

Zero trust quickly evolves

From 2014 forward, the concept of zero trust quickly evolved. In its true sense, zero trust can be considered a framework, an architecture or even a philosophy. For example, in 2018, Forrester developed seven core pillars of zero trust. However, the firm has since moved away from that stance. They more recently offered this definition of zero trust:

“Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.”

In response to requirements like these, the security industry has developed tools such as identity and access management (IAM) built around least privilege access. This means that only the minimum necessary rights should be assigned to any user (or software) requesting access to a resource. Additionally, privilege should be in effect for the shortest duration necessary.

Meanwhile, comprehensive security monitoring is accomplished by solutions such as Security Information and Event Management (SIEM). As cybersecurity threats become more advanced and persistent, security analysts must spend ever more effort sifting through countless incidents. By leveraging threat intelligence, SIEM makes it easier to remediate threats faster with high-fidelity alerts.

Too many security concerns, so little time

A patchwork of disjointed security solutions makes the current security landscape more complicated. This leads to increased manual tasks for security teams and a lack of context to effectively minimize the attack surface. With rising data breaches and heightened global regulations, protecting networks has become increasingly challenging.

Data access has become a critical requirement for modern organizations, necessitating a robust security infrastructure. Zero trust aims to address this need. The goal is to offer dynamic and ongoing protection for all users, devices and assets. Unlike perimeter security, zero trust requires constant verification to be fully effective, enforcing security for every transaction, connection and user.

Implementing a zero trust framework provides a comprehensive view of an organization’s security posture. Furthermore, it helps security teams proactively manage threats. With consistent security policies and rapid threat response, zero trust offers a more secure and efficient solution to modern data access needs.

Further benefits of zero trust

Beyond the core security benefits, IT teams quickly recognized other advantages to zero trust models. The corollary benefits of zero trust include:

  • Enhanced network performance from a reduction in traffic on subnets
  • Improved ability to address network errors
  • More simplified logging and monitoring process due to heightened granularity
  • Shorter breach detection times.

Facing today’s threat reality

The modern cyber threat terrain is more treacherous than ever. The diversity and volume of attacks continue to increase, and multiple incidents per victim are quickly becoming the norm. We want a world where we can connect from any place, anytime. But this implies that attacks can come from any place, anytime as well. As a result, zero trust is quickly becoming the de facto security strategy.

In January 2022, the Executive Office of the President released an announcement about government-wide zero trust goals:

“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” the memo states. The White House stresses that incremental improvements will not provide the necessary security. Instead, the Federal Government seeks to make bold changes and significant investments to “defend the vital institutions that underpin the American way of life.”

The Pentagon plans to implement a zero trust architecture across its entire enterprise by 2027, according to Department of Defense Chief Information Officer John Sherman. “What we’re aiming for is by 2027 to have zero trust deployed across the majority of our enterprise systems in the Department of Defense in five years,” said Sherman.

Because zero trust implementation is not simple, the U.S. Government has set an ambitious goal. However, with current and growing adversary capabilities, there may be no other choice.

SOAR, SIEM, SASE and zero trust: How they all fit together
https://securityintelligence.com/articles/soar-siem-sase-zero-trust-fit-together/
Tue, 07 Mar 2023 14:00:00 +0000

Cybersecurity in today’s climate is not a linear process. Organizations can’t simply implement a single tool or strategy to be protected from all threats and challenges. Instead, they must implement the right strategies and technologies for the organization’s specific needs and level of accepted risks. However, once the dive into today’s best practices and strategies begins, it’s easy to quickly become overwhelmed with SOAR, SIEM, SASE and Zero Trust — especially since they almost all start with the letter S.

At first glance, it feels like the concepts are very similar. But while there is some overlap, these strategies work together by managing or overseeing different parts of cybersecurity. Some layer on top of each other, and others work collaboratively. Most organizations find that they can most effectively protect their infrastructure by combining the four technologies together.

Let’s take a look at these four common cybersecurity concepts and how they work.

Zero trust

With remote work now a permanent shift, organizations cannot protect a physical perimeter — because it does not exist. Zero trust is an organization-wide philosophy that assumes the network is always at risk for both internal and external threats. With this approach, you can proactively protect your organization regardless of the physical location of the infrastructure, users and devices. As a default, all resources are inaccessible, and accessing them requires proving one’s credentials.

With zero trust, you apply the principle of least privilege access to every aspect of IT. That means each person only has the access that they need for their own work-related tasks. When granting access, the framework assumes the user, app or device requesting access is unauthorized and must prove their credentials. Zero trust networks always log/inspect all corporate network traffic, limit/control access to the network, and verify/secure network resources.

Zero trust is first on this list because it’s the underlying foundation of cybersecurity that provides the most protection and risk reduction in the current cybersecurity environment. While the other technologies provide different benefits, SOAR and SIEM work on top of zero trust, and SASE partners side-by-side with zero trust.

SOAR

Protecting an organization from cybersecurity threats requires a lot of collaboration between people and tools. Many organizations are turning to security orchestration, automation and response (SOAR) technology to meet this need. Gartner defines SOAR products as platforms with threat and vulnerability management, security incident response and security operations automation.

With a single platform to manage all security processes, cybersecurity teams have all the intelligence and tools needed to proactively prevent attacks and minimize damage when they occur. Additionally, by automating cybersecurity tasks, organizations free up time for team members to focus on tasks that require a human touch.

Many people assume zero trust is a single piece of technology. However, zero trust is a framework comprising different strategies typically implemented by cybersecurity automation and tools. SOAR provides the platform that manages the different strategies, such as PAM and micro-segmentation, that create the zero trust framework. As part of its move towards zero trust, the Biden administration is requiring government agencies to use SOAR technology to help connect the pillars of zero trust.


SIEM

With cyber criminals working 24/7, organizations need the ability to continuously monitor their infrastructure for signs of potential threats or risks. Security information and event management software (SIEM) uses AI to watch for changes and patterns matching current threats and proactively provides alerts on potential cybersecurity issues. Because each alert takes the IT team away from other tasks, it’s crucial to have a tool that prioritizes alerts, so the team knows where to focus their limited time and resources. Additionally, SIEM tools need to integrate with other tools and technologies.

Creating an environment of “never trust, always verify” can easily turn into an overwhelming experience for users and employees. And IT teams can quickly become overwhelmed when it comes to managing these environments. By using SIEM as part of zero trust, organizations have the necessary visibility and security without disrupting the experience.

While SIEM and SOAR are both cybersecurity tools, they perform different roles in protecting infrastructure and data. SIEM focuses on identifying and logging events, while SOAR manages all cybersecurity tools — including SIEM. For example, if a SIEM detects a potential issue, SOAR can take automated action based on AI, such as removing access for a suspicious user or isolating a malicious file. Without SOAR, a SIEM system can create additional manual work for the IT team and make it challenging to take the quick actions needed to protect the network.

SASE

As both security and business needs rapidly change, organizations need the ability to quickly scale their cybersecurity efforts. By using secure access service edge (SASE), organizations have a cloud architecture that combines network and security-as-a-service functions. Gartner explains that SASE’s capabilities are “based on the identity of the entity, real-time context and security/compliance policies.”

At first glance, SASE and zero trust appear very similar. However, SASE helps vendors design security solutions for the future, while zero trust reduces business risk across the infrastructure. The technologies work together to manage the permissions that expose apps, systems and data to risks using micro-segmentation and software-defined perimeter (SDP) tech. They also partner to protect browser software from malicious websites, with zero trust protecting the endpoint’s browser software and SASE remotely isolating suspicious website code.

Putting it all together

Moving from the traditional approach of protecting the perimeter to a proactive strategy that protects your modern data infrastructure requires the right tools. As you begin designing your cybersecurity, consider starting with a zero trust framework and then adding SOAR, SIEM and SASE to help support the zero trust principles. Each one plays a key role in helping protect your infrastructure, apps and data. When you create an ecosystem that collaborates and works together, you can get the most value and protection from your cybersecurity technology.

The post SOAR, SIEM, SASE and zero trust: How they all fit together appeared first on Security Intelligence.

Contain breaches and gain visibility with microsegmentation https://securityintelligence.com/posts/contain-breaches-gain-visibility-with-microsegmentation/ Wed, 01 Feb 2023 14:00:00 +0000

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces.

Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications and policy creation to define what communications are permitted. In effect, microsegmentation restricts lateral movement, isolates breaches and thwarts attacks.

Given the spotlight on breaches and their impact across industries and geographies, how can segmentation address the changing security landscape and client challenges? IBM and its partners can help in this space.

Breach landscape and impact of ransomware

Historically, security solutions have focused on the data center, but new attack targets have emerged with enterprises moving to the cloud and introducing technologies like containerization and serverless computing. Not only are breaches occurring and attack surfaces expanding, but also it has become easier for breaches to spread. Traditional prevention and detection tools provided surface-level visibility into traffic flow that connected applications, systems and devices communicating across the network. However, they were not intended to contain and stop the spread of breaches.

Ransomware is particularly challenging, as it presents a significant threat to cyber resilience and financial stability. A successful attack can take a company’s network down for days or longer and lead to the loss of valuable data to nefarious actors. The Cost of a Data Breach 2022 report, conducted by the Ponemon Institute and sponsored by IBM Security, cites $4.54 million as the average ransomware attack cost, not including the ransom itself.

In addition, a recent IDC study highlights that ransomware attacks are evolving in sophistication and value. Sensitive data is being exfiltrated at a higher rate as attackers go after the most valuable targets for their time and money. Ultimately, the cost of a ransomware attack can be significant, leading to reputational damage, loss of productivity and regulatory compliance implications.

Organizations want visibility, control and consistency

With a focus on breach containment and prevention, hybrid cloud infrastructure and application security, security teams are expressing their concerns. Three objectives have emerged as vital for them.

First, organizations want visibility. Gaining visibility empowers teams to understand their applications and data flows regardless of the underlying network and compute architecture.

Second, organizations want consistency. Fragmented and inconsistent segmentation approaches create complexity, risk and cost. Consistent policy creation and strategy help align teams across heterogeneous environments and facilitate the move to the cloud with minimal re-writing of security policy.

Finally, organizations want control. Solutions that help teams target and protect their most critical assets deliver the greatest return. Organizations want to control communications through selectively enforced policies that can expand and improve as their security posture matures towards zero trust security.

Microsegmentation restricts lateral movement to mitigate threats

Microsegmentation (or simply segmentation) combines practices, enforced policies and software that provide user access where required and deny access everywhere else. Segmentation contains the spread of breaches across the hybrid attack surface by continually visualizing how workloads and devices communicate. In this way, it creates granular policies that only allow necessary communication and isolate breaches by proactively restricting lateral movement during an attack.

The National Institute of Standards and Technology (NIST) highlights microsegmentation as one of three key technologies needed to build a zero trust architecture, a framework for an evolving set of cybersecurity paradigms that move defense from static, network-based perimeters to users, assets and resources.

Suppose existing detection solutions fail and security teams lack granular segmentation. In that case, malicious software can enter their environment, move laterally, reach high-value applications and exfiltrate critical data, leading to catastrophic outcomes.

Ultimately, segmentation helps clients respond by applying zero trust principles like ‘assume a breach,’ helping them prepare in the wake of the inevitable.
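To make the segmentation workflow described above concrete (visualize who talks to whom, allow only the necessary communication, treat everything else as a containment boundary), here is an added example that is not part of the article and not Illumio's or IBM's code. The workload names, labels, rules and flow records are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Label = Tuple[str, str]   # (application, tier) assigned to a workload
UNLABELLED: Label = ("unlabelled", "unlabelled")


@dataclass(frozen=True)
class Flow:
    src: str      # source workload name (from a constructed flow log)
    dst: str      # destination workload name
    proto: str
    port: int


# Schema step: every known workload is labelled by application and tier.
LABELS: Dict[str, Label] = {
    "web-1": ("shop", "web"), "web-2": ("shop", "web"),
    "app-1": ("shop", "app"),
    "db-1": ("shop", "db"),
    "hr-db": ("hr", "db"),
    "jump-host": ("it", "admin"),
}

# Allow-list between label groups. Anything not listed is denied, including
# flows to or from workloads that nobody has labelled yet.
RULES: Set[Tuple[Label, Label, str, int]] = {
    (("shop", "web"), ("shop", "app"), "tcp", 8443),
    (("shop", "app"), ("shop", "db"), "tcp", 5432),
    (("it", "admin"), ("shop", "db"), "tcp", 22),
    (("it", "admin"), ("hr", "db"), "tcp", 22),
}


def label_of(workload: str) -> Label:
    return LABELS.get(workload, UNLABELLED)


def communication_map(flows: List[Flow]) -> Dict[Tuple[Label, Label], Set[Tuple[str, int]]]:
    """Visualization step: which label groups actually talk to which, and on what ports."""
    seen: Dict[Tuple[Label, Label], Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        seen[(label_of(f.src), label_of(f.dst))].add((f.proto, f.port))
    return dict(seen)


def is_allowed(flow: Flow) -> bool:
    """Policy decision: the flow must match an explicit rule between its label groups."""
    src, dst = label_of(flow.src), label_of(flow.dst)
    if UNLABELLED in (src, dst):
        return False                      # unknown workloads never get implicit trust
    return (src, dst, flow.proto, flow.port) in RULES


def enforce(flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Split observed flows into (allowed, denied) under the current rule set."""
    allowed = [f for f in flows if is_allowed(f)]
    denied = [f for f in flows if not is_allowed(f)]
    return allowed, denied


def lateral_movement_suspects(flows: List[Flow], min_segments: int = 2) -> Dict[str, Set[Label]]:
    """Sources whose denied flows reach at least min_segments distinct label groups.

    One denied flow is often a misconfiguration; fan-out across several segments
    is the pattern segmentation is meant to stop, so it deserves an alert."""
    targets: Dict[str, Set[Label]] = defaultdict(set)
    for f in enforce(flows)[1]:
        targets[f.src].add(label_of(f.dst))
    return {src: segs for src, segs in targets.items() if len(segs) >= min_segments}


# Constructed flow records: normal application traffic plus a web server that
# starts reaching into tiers and applications it has no business touching.
FLOWS: List[Flow] = [
    Flow("web-1", "app-1", "tcp", 8443),
    Flow("web-2", "app-1", "tcp", 8443),
    Flow("app-1", "db-1", "tcp", 5432),
    Flow("jump-host", "db-1", "tcp", 22),
    Flow("web-1", "db-1", "tcp", 5432),     # skips the app tier
    Flow("web-1", "hr-db", "tcp", 5432),    # crosses into another application
    Flow("web-1", "app-1", "tcp", 22),      # SSH where only 8443 is permitted
    Flow("rogue-vm", "db-1", "tcp", 5432),  # workload nobody labelled
]

if __name__ == "__main__":
    allowed, denied = enforce(FLOWS)
    print(f"allowed={len(allowed)} denied={len(denied)}")
    for f in denied:
        print("  DENY", f.src, "->", f.dst, f.proto, f.port)
    print("lateral movement suspects:", lateral_movement_suspects(FLOWS))
```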

IBM launches segmentation security services

In response to growing interest in segmentation solutions, IBM has expanded its security services portfolio with IBM Security Application Visibility and Segmentation Services (AVS). AVS is an end-to-end solution combining software with IBM consulting and managed services to meet organizations’ segmentation needs. Regardless of where applications, data and users reside across the enterprise, AVS is designed to give clients visibility into their application network and the ability to contain ransomware and protect their high-value assets.

AVS will walk you through a guided experience to align your stakeholders on strategy and objectives, define the schema to visualize desired workloads and devices and build the segmentation policies to govern network communications and ring-fence critical applications from unauthorized access. Once the segmentation policies are defined and solutions deployed, clients can consume steady-state services for ongoing management of their environment’s workloads and applications. This includes health and maintenance, policy and configuration management, service governance and vendor management.

IBM has partnered with Illumio, an industry leader in zero trust segmentation, to deliver this solution. Illumio’s software platform provides attack surface visibility, enabling you to see all communication and traffic between workloads and devices across the entire hybrid attack surface. In addition, it allows security teams to set automated, granular and flexible segmentation policies that control communications between workloads and devices, only allowing what is necessary to traverse the network. Ultimately, this helps organizations to quickly isolate compromised systems and high-value assets, stopping the spread of an active attack.

With AVS, clients can harden compute nodes across their data center, cloud and edge environments and protect their critical enterprise assets.

Start your segmentation journey

IBM Security Services can help you plan and execute a segmentation strategy to meet your objectives. To learn more, register for the on-demand webinar now.

Why zero trust works when everything else doesn’t https://securityintelligence.com/articles/why-zero-trust-works/ Fri, 27 Jan 2023 14:00:00 +0000

The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived.

Zero trust — also called zero trust architecture (ZTA), zero trust network architecture (ZTNA) and perimeter-less security — takes a “default deny” security posture. All people and devices must prove explicit permission to use each network resource each time they use that resource.

Using microsegmentation and least privileged access principles, zero trust not only prevents breaches but also stymies lateral movement should a breach occur. In the modern digital frontier, this approach has become invaluable.

Zero trust succeeds when nothing else does

Perimeter protection defined most previous security models. The idea was that a company firewall would protect computers and services from outside interference. But even combined with physical security and VPNs for “tunneling” remote, traveling or other outside-the-perimeter access, perimeter security has been steadily weakening.

Now, this type of security is nearly obsolete. Mobile computing, insider threats, remote work, the Internet of Things, cloud computing, sophisticated malware and just about every other major trend in business networking and global cybersecurity have obliterated the perimeter as an effective defense.

Instead of relying on a perimeter, zero trust uses continuous monitoring, validation and repeated authentication of users and devices. Zero trust works so well because every networked resource has its own multidimensional security requirements. For example, if a malicious hacker sits down at an authorized logged-in machine with authorized software installed, the attacker themselves shouldn’t be authorized.

In another case, an attacker might download usernames and passwords from the dark web. Those won’t work if they’re attempting a login using unauthorized systems, software or other telltale metadata such as location.

Even in an extreme example, where an attacker establishes user, system, software and contextual authentication — as might be the case with a malicious insider — they’ll be limited by permissions to specific narrow access.

How zero trust principles complement zero trust technologies

Zero trust is an abstract security model based on four broad principles:

  1. Verify every person and device each time it attempts to access network resources. This is governed by policies, which should consider factors such as location, IP address and operating system.
  2. Assume a “default deny” posture. This model denies every person, device or application automatic access based on any criteria except authentication.
  3. Microsegment networks into small zones, each of which requires full authentication to access.
  4. Monitor continuously and in real time for breaches and anomalous behavior.
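The three cases in the previous section (an attacker at an authorized machine, stolen credentials used from elsewhere, and a malicious insider) and the four principles above can be tied together in one default-deny decision point. The following is an added example, not code from the article or from any product; the users, devices, addresses and grants are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Set


@dataclass(frozen=True)
class AccessRequest:
    user: str
    credential_ok: bool        # identity proof (password + MFA) passed for THIS request
    device_id: str             # endpoint identifier presented by the device agent
    software_attested: bool    # device agent confirms an approved OS build and software
    source_ip: str
    country: str
    os: str
    resource: str              # resource being requested; each lives in one microsegment zone


@dataclass
class Policy:
    allowed_countries: Set[str]
    allowed_os: Set[str]
    corporate_nets: List[IPv4Network]
    grants: Dict[str, Set[str]]           # user -> resources explicitly granted (least privilege)
    zone_of: Dict[str, str]               # resource -> microsegment zone
    enrolled_devices: Dict[str, str]      # device_id -> user the device is enrolled to


AUDIT_LOG: List[dict] = []


def evaluate(req: AccessRequest, policy: Policy) -> dict:
    """Default-deny decision point: every check must pass, on every request.

    Returns {"allow": bool, "zone": str, "failed": [check names]} and appends the
    outcome to AUDIT_LOG so a monitor can look for anomalous patterns."""
    checks = [
        # Principle 1: verify the person AND the device, with contextual factors.
        ("credential", req.credential_ok),
        ("device_enrolled_to_user", policy.enrolled_devices.get(req.device_id) == req.user),
        ("software_attested", req.software_attested),
        ("country", req.country in policy.allowed_countries),
        ("operating_system", req.os in policy.allowed_os),
        ("source_network", any(ip_address(req.source_ip) in n for n in policy.corporate_nets)),
        # Principle 3: the resource sits in a microsegment; access needs an explicit grant.
        ("resource_grant", req.resource in policy.grants.get(req.user, set())),
    ]
    failed = [name for name, ok in checks if not ok]
    zone = policy.zone_of.get(req.resource, "unknown")
    # Principle 2: nothing is allowed unless ALL checks pass (no implicit trust by location).
    decision = {"allow": not failed, "zone": zone, "failed": failed}
    # Principle 4: every decision is logged for continuous monitoring.
    AUDIT_LOG.append({"user": req.user, "device": req.device_id, "ip": req.source_ip,
                      "resource": req.resource, **decision})
    return decision


def repeated_denials(log: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Monitoring hook: users whose denial count reaches the threshold."""
    counts: Dict[str, int] = {}
    for entry in log:
        if not entry["allow"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {u: c for u, c in counts.items() if c >= threshold}


# Constructed policy for the walkthrough (invented names and addresses).
POLICY = Policy(
    allowed_countries={"US"},
    allowed_os={"macOS 14", "Windows 11"},
    corporate_nets=[ip_network("10.20.0.0/16")],
    grants={"alice": {"crm", "wiki"}},        # alice has no grant to hr-records
    zone_of={"crm": "sales", "wiki": "shared", "hr-records": "hr"},
    enrolled_devices={"LAPTOP-A1": "alice"},
)


def walkthrough() -> Dict[str, dict]:
    """The three cases from the article plus a legitimate request, evaluated against POLICY."""
    base = dict(device_id="LAPTOP-A1", software_attested=True, source_ip="10.20.5.7",
                country="US", os="macOS 14")
    cases = {
        # 1. Someone sits down at alice's logged-in, attested laptop but is not alice.
        "attacker_at_authorized_machine": AccessRequest(
            user="mallory", credential_ok=False, resource="crm", **base),
        # 2. Stolen credentials used from an unknown device, foreign network and location.
        "stolen_credentials": AccessRequest(
            user="alice", credential_ok=True, device_id="UNKNOWN-9", software_attested=False,
            source_ip="203.0.113.10", country="XX", os="Linux", resource="crm"),
        # 3. Malicious insider: everything checks out, but the resource was never granted.
        "insider_out_of_scope": AccessRequest(
            user="alice", credential_ok=True, resource="hr-records", **base),
        # Legitimate request from alice to a resource she is granted.
        "legitimate": AccessRequest(user="alice", credential_ok=True, resource="crm", **base),
    }
    return {name: evaluate(req, POLICY) for name, req in cases.items()}


if __name__ == "__main__":
    for name, d in walkthrough().items():
        print(f"{name:32} allow={d['allow']} zone={d['zone']} failed={d['failed']}")
    print("repeated denials:", repeated_denials(AUDIT_LOG, threshold=2))
```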

Zero trust itself is not a technology, but it does require the following categories of technology products or services:

  • Identity and Access Management (IAM)
  • Strong encryption
  • Permissions
  • Network microsegmentation technologies in the categories of agent-based, network-based or native cloud controls
  • Next-Generation Firewall (NGFW)
  • Secure Access Service Edge (SASE)

Zero trust security depends on designing the architecture, deploying the technologies and applying the practices in alignment with zero trust principles.

How and why zero trust implementation is lagging

The overwhelming majority of security professionals believe implementing zero trust is a major priority. But actually, very few organizations have fully embraced it or even begun the transition. One survey found that three-quarters of organizations say zero trust is critically important, but only 14% have implemented a zero trust strategy.

Why is that?

The same survey found that a “lack of clarity” or organizational understanding is the main barrier to adopting zero trust. About 94% of organizations say that they face those challenges.

Another major barrier is simply the time and energy it takes to make such a large transition. Achieving zero trust can take two or three years to implement and mature.

The common sticking point is clarity — clarity about what zero trust is exactly and clarity about how to go about implementing it.

Why zero trust should be a higher priority

Years ago, zero trust tended to be categorized as “an interesting idea that everybody should embrace someday.”

In the last two or three years, that view escalated. “Yeah, we really should get going on a major zero trust initiative” quickly became a more common refrain.

Today, the playing field is vastly different. So many organizations are likely to use zero trust over the next few years that malicious attention may be concentrated among the laggards. The pressure to adopt zero trust is higher than ever.

A boost came in the form of an executive order by President Joe Biden. The order will soon require all federal agencies to embrace zero trust security. Several organizations, including the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), responded to the president’s order with detailed guidance. The OMB gave federal departments and agencies until 2024 to implement zero trust.

This huge federal initiative is rapidly growing the knowledge base, expertise and product focus in the industry around zero trust, which can serve as a catalyst for organizations of all types to embrace the zero trust approach.

Beware, though. “Zero trust” has become a meaningless marketing phrase in some circles. Because it’s so powerful, companies are advertising their individual products as zero trust tools.

Remember that “zero trust” is a methodology and an architecture, not a product. Zero trust begins with developing a roadmap: a step-by-step plan for educating all stakeholders about the need for zero trust security, starting small and scaling up.

What to know about the Pentagon’s new push for zero trust https://securityintelligence.com/articles/pentagon-push-for-zero-trust-what-to-know/ Mon, 16 Jan 2023 14:00:00 +0000

The Pentagon is taking cybersecurity to the next level — and they’re helping organizations of all kinds do the same. Here’s how the U.S. Department of Defense is implementing zero trust and why this matters to all businesses and organizations.

But first, let’s review this zero trust business.

What is zero trust?

Zero trust is the most important cybersecurity idea in a generation. But “zero trust” is itself a bit of a misnomer.

It’s not about whether a person or device is trusted. It’s really about no longer using trust or distrust as a test for access. In the perimeter-security past, anyone inside the firewall was assumed to be an authorized user using authorized devices. The zero trust model doesn’t privilege users inside firewalls but instead defaults to no access for each user — to applications, API data, servers and more — unless they can authenticate their devices and themselves each time they connect via dynamic policies that use multifaceted contextual data.

Zero trust demands strong identity and access management systems that minimize effort and inconvenience on the part of users. It calls for the micro-segmentation of networks into smaller zones to contain malicious actors who breach the network. And finally, implementing zero trust is a journey, not a destination, demanding real-time monitoring and threat detection (preferably AI-based) to identify and respond to potential security threats. This can involve the use of security analytics tools, machine learning algorithms and other technologies to identify and respond to potential threats in real-time.

Many people contextualize zero trust as a business enterprise architecture. But the Pentagon’s plans are extremely interesting.

DoD guidelines and recommendations

The U.S. Department of Defense (DoD) recently rolled out a zero trust strategy and roadmap that directs future cybersecurity investments by the U.S. military and partners over the next five years. The initiative, in a nutshell, requires a full embrace of zero trust over perimeter security.

The DoD’s conception of their new cybersecurity specifies 45 capabilities — 20 of them connected to the Continuous Diagnostics and Mitigation (CDM) program run by the Cybersecurity and Infrastructure Security Agency (CISA) — organized on seven pillars. The pillars are users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration.

The roadmap doesn’t specify any product, solution or vendor. It leaves that part up to the agencies and military services to choose. Still undetermined are the details for cross-agency coordination, which is necessary in the world’s largest unified military organization.

Only specific agencies will need to maintain what the Pentagon calls an “advanced” level of cybersecurity — intelligence agencies, those responsible for special weapons systems and others.

Crucially, the DoD accompanied the strategy with an execution roadmap designed to provide clear, concrete steps.

The Pentagon is also working on zero trust roadmaps for both a “commercial cloud” and “private cloud” that will enable faster implementation of zero trust.

The DoD will probably test its new security approach with the major U.S. cloud providers.

Four pillars of zero trust adoption

The DoD revealed four strategic goals for achieving the zero trust timeline:

1. Cultural adoption

The Pentagon intends to make zero trust training and education mandatory for literally all employees. This will focus not only on knowledge but also support for architecture and its methods.

2. Cybersecurity software, hardware, systems and services

This part aims to implement the practices and infrastructure for zero trust across all systems, new and legacy. Pentagon departments should begin the deployment of zero trust systems by the end of 2023.

3. Technology acceleration

This strategic goal is simple: Never fall behind again. The intent is to stay ahead of industry advancements — or at least keep up with them.

4. Enablement

Complementing training, infrastructure and the goal to stay ahead of security technology trends, the Pentagon also intends to keep pace with policies, processes and funding. Each department must submit zero trust execution plans by late 2023.

How the DoD’s use of zero trust can secure critical resources

In some ways, the Pentagon is like any business enterprise. It’s got employees working together for a common purpose, communicating, moving around documents, deploying software, provisioning hardware and more. But in others — especially in the cybersecurity requirements behind weapons — it’s totally unlike private businesses. As one extreme example, a cyberattack cannot and must not, under any circumstances, breach weapons systems controlled and maintained by information systems.

Private corporations manufacture all these high-tech weapons systems. And so, the highest levels of security must be deployed at the level of manufacturing, in the supply chain, in transport, in deployment and on an ongoing basis.

This level of security is possible only with total comprehensiveness. Take the example of physical infrastructure that has to be maintained, guarded and moved not by white-collar office workers but by people who work in the field and are on the move. These are the very kinds of people who need training in zero trust security, along with the infrastructure, procedures and policies and all the rest. Every single person involved in critical physical infrastructure has to stay knowledgeable about security.

Another key component of the Pentagon’s plans is the assumption of a radically modernized cloud environment, which the U.S. Army is already implementing. That arm of the military has already moved more than 100 key applications to the cloud, which utilizes zero trust security principles.

The DoD’s zero trust strategy, roadmap and plans will no doubt prove highly valuable, not only for offering guidelines and examples for implementation but also for driving expertise and new markets for the development of next-generation tools for implementing zero trust.

Effectively enforce a least privilege strategy https://securityintelligence.com/articles/effectively-enforce-least-privilege-strategy/ Tue, 15 Nov 2022 14:00:00 +0000

Every security officer wants to minimize their attack surface. One of the best ways to do this is by implementing a least privilege strategy.

One report revealed that data breaches from insiders could cost as much as 20% of annual revenue. Also, at least one in three reported data breaches involve an insider. Over 78% of insider data breaches involve unintentional data loss or exposure. Least privilege protocols can help prevent these kinds of blunders.

Clearly, proper management of access privilege is critical for strong security. In this article, we’ll explore how least privilege works to make this happen. We’ll also see how least privilege fits into broader privilege access management and zero trust strategies.

What is least privilege?

Bank tellers have access to their workstations, but only during their work shifts. And only a few employees have access to the main vault. If a bank employee leaves the bank, they have to relinquish access. That’s how least privilege works.

According to the Cybersecurity and Infrastructure Security Agency (CISA), least privilege means “only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary.”

The business drivers behind using least privilege are varied. First, there’s the need to thwart threats (intentional or unintentional) that come from employees, third parties and attackers. Compliance is also a common reason to adopt least privilege efforts.

A single compromised endpoint with admin rights can provide an adversary or malicious insider the means to gain undetected network access. And today’s endpoints are more diverse and distributed than ever, with more remote workers, billions of IoT devices and the ongoing migration to the cloud. Least privilege helps manage the expansion of endpoints that organizations encounter as the security perimeter disappears.

How is least privilege implemented?

Every least privilege approach must evolve to fit the organization. Overall strategy can be developed based on key activities, which include:

  • Discovery – Assess identities, assets, risk and access. Identify the business-critical assets that would have the greatest impact if they were breached, stolen or compromised. Discovery tools can quickly identify local admin accounts, service accounts and applications in use on endpoints.
  • Defined policy – Your policies define the level of acceptable risk for applications, identities and services. Policy also determines how you monitor and verify access to secure assets based on a user’s behavior. The key is to balance security and trust with minimal disruption to the end user.
  • Management – Least privilege management involves ongoing efforts to discover privileged accounts, audit usage and apply new security controls and policies. Orchestration and automation make management efforts easier. The key is to remove potential points of exposure by elevating and removing privileges in real-time.
  • Detection and response – Detection efforts reveal and resolve instances where an identity no longer needs privileged access. Behavioral analytics allow organizations to respond to a user’s context or unusual behavior. Sign-in attempts from a new location or device could trigger a requirement for identity verification. High-risk behavior results in an immediate user account or application quarantine.
  • Reviews and audits – Reviews and audits should tell a clear story about your organization’s success at contextual privileged account management. Review key metrics over time to monitor privileged account ownership or policy-based application controls, and use this intelligence to refine the life cycle.

Part of privilege access management

When considering access, we often think of users. Least privilege is a core component of a larger privilege access management (PAM) approach. PAM also monitors applications and processes that must access different network areas and other apps to function.

This strategic approach grants or denies privileged access to the network — including infrastructure and apps. PAM purposely manages access using a single point of sign-on for users and a single point of management for admins. Privilege access management refers to the tools used for access management and the overall PAM process.

It’s critical, however, that performance also remains uncompromised. PAM strategies must also allow for fast access to multiple databases, applications, hypervisors, network devices and security tools to manage across an expanding attack surface. Ideally, PAM solutions should deploy rapidly with turnkey installation and out-of-the-box auditing and reporting tools.

Embracing zero trust

Threat actors will take advantage of stolen credentials and weaponized APIs to penetrate networks. Meanwhile, machines request access faster and at exponentially higher volumes than humans. A massive quantity of automated applications and APIs also require authentication.

New approaches are required to secure this ever-expanding universe of connectivity. Both least privilege and PAM strategies fall under the umbrella of a zero trust approach. Zero trust architecture extends the perimeter to its furthest end, be it a user, device, application or API asking for network access. Denial of access is the default position until identity and authenticity can be verified.

By enforcing these strategies, organizations can reduce their attack surface and remain better protected against breaches.

The post Effectively enforce a least privilege strategy appeared first on Security Intelligence.

What CISOs want to see from NIST’s impending zero trust guidelines
https://securityintelligence.com/articles/nist-impending-zero-trust-guidelines-for-cisos/
Thu, 29 Sep 2022 13:00:00 +0000

The post What CISOs want to see from NIST’s impending zero trust guidelines appeared first on Security Intelligence.


Cybersecurity at U.S. federal agencies has been running behind the times for years. It took an executive order by President Joe Biden to kickstart a fix across the agencies. The government initiative also serves as a wake-up call to enterprises lagging in getting zero trust up and running.

Several organizations, including the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) responded to the president’s order with detailed guidance for federal agencies. The National Cybersecurity Center of Excellence issued how-to guides and example approaches to using a zero trust architecture.

The OMB gave federal departments and agencies until 2024 to implement zero trust. CISA has outlined five pillars for zero trust: identity; devices; networks; applications and workloads; and data. NIST plans to publish its guide in four phased volumes: summary; approach, architecture and security characteristics; how-to guides; and functional demonstrations. Cybersecurity experts are keeping a close eye on these, as they may provide definitive best practices and guidelines for rollouts.

Benefits of following CISA’s guidance

CISA pointed out that this guidance provides, and will continue to provide, myriad benefits to organizations of all kinds, not just federal agencies.

The goals of the government’s zero trust push are familiar to chief information security officers (CISOs) steeped in the details of zero trust:

  • End reliance on securing perimeter defenses. Clear perimeters no longer exist for most organizations thanks to remote work, cloud computing, mobile devices and the Internet of Things.
  • Make sure both access for authorized parties and security aren’t tied to location. That means insiders aren’t automatically allowed and outsiders aren’t automatically excluded.
  • Gaining access to one resource doesn’t mean other lateral resources open up without further authorization.
  • Other elements include strong data encryption, increased centralized visibility into who is accessing what and improved cybersecurity practices across the board.

The challenges of meeting zero trust requirements

NIST defines zero trust as a “collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
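The NIST definition above, and the goals listed under CISA's guidance (no location-based trust, no implied lateral access, deny until identity is verified, as the least privilege post earlier on this page also puts it), can be expressed as a small per-request policy decision. The following is an added example written for this page, not code from NIST, CISA or any vendor; the subjects, roles, resources and the specific checks are constructed assumptions. It shows the three properties a reviewer would look for: access is denied by default, network location is never consulted, and a grant on one resource says nothing about any other.

```python
from dataclasses import dataclass

# Added example: a minimal per-request zero trust policy decision point.
# Subjects, roles, resources and the checks below are constructed for
# illustration and do not reproduce any product's or standard's API.


@dataclass(frozen=True)
class AccessRequest:
    subject: str             # identity established by an authenticated session
    mfa_verified: bool       # identity proven with a strong factor in this session
    device_compliant: bool   # device posture attested by an endpoint agent
    on_corporate_lan: bool   # network location: carried, but deliberately ignored
    resource: str
    action: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Explicit, per-resource least privilege grants. Nothing is implied by
# membership elsewhere or by having already reached another resource.
POLICY = {
    ("payroll-db", "read"): frozenset({"finance-analyst", "payroll-admin"}),
    ("payroll-db", "write"): frozenset({"payroll-admin"}),
    ("hr-portal", "read"): frozenset({"hr-staff", "payroll-admin"}),
}

# Constructed subject-to-role mapping standing in for an identity provider.
ROLES = {
    "alice": frozenset({"finance-analyst"}),
    "bob": frozenset({"payroll-admin"}),
    "carol": frozenset({"hr-staff"}),
}


def decide(req: AccessRequest) -> Decision:
    """Deny by default; every request is evaluated from scratch.

    The order matters: identity and device posture are established first,
    then the explicit grant is looked up. An unknown subject, an unknown
    resource/action pair or a missing grant all fall through to a denial.
    """
    if not req.mfa_verified:
        return Decision(False, "identity not verified with a strong factor")
    if not req.device_compliant:
        return Decision(False, "device posture not compliant")
    # req.on_corporate_lan is intentionally never read: being inside the
    # network grants nothing, and being outside it excludes nothing.
    entitled_roles = POLICY.get((req.resource, req.action))
    if entitled_roles is None:
        return Decision(False, f"no policy for {req.action} on {req.resource}")
    subject_roles = ROLES.get(req.subject, frozenset())
    if subject_roles & entitled_roles:
        return Decision(True, "explicit grant")
    return Decision(False, "no explicit grant for subject")


if __name__ == "__main__":
    # Constructed requests: an analyst reading from home, the same analyst
    # trying to write, an admin on the LAN without MFA, and an analyst
    # trying to move laterally to a resource she was never granted.
    for req in [
        AccessRequest("alice", True, True, False, "payroll-db", "read"),
        AccessRequest("alice", True, True, True, "payroll-db", "write"),
        AccessRequest("bob", False, True, True, "payroll-db", "write"),
        AccessRequest("alice", True, True, False, "hr-portal", "read"),
    ]:
        d = decide(req)
        print(f"{req.subject:6s} {req.action:5s} {req.resource:10s} "
              f"-> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

In a real deployment the `mfa_verified` and `device_compliant` inputs would come from the identity provider and endpoint management signals rather than from the request itself, and the decision would be re-evaluated per request, not cached per session; the structure of the decision is the point here.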

Sadly, a survey by General Dynamics Information Technology found that less than half of federal agencies are expected to meet all zero trust needs by the 2024 deadline. The survey also found that 58% of respondents felt that rebuilding or replacing existing legacy infrastructure was one of the primary challenges to using zero trust. Around half (48%) also thought that their agencies lack the needed expertise.

So, legacy infrastructure is a major challenge, and not just because of the infrastructure itself but because of the practices that go with it. The move will be challenging in part because of how governments manage and classify their datasets.

Another challenge is training. Note the famous ‘skills gap’.

“We have enough people, the issue is training,” Department of Agriculture CISO Ja’Nelle Devore said. “When you have several tools that will be part of your zero trust utilization, you have to re-integrate how they work.”

Next, how do you adopt zero trust while maintaining or achieving regulatory compliance objectives? Start by aligning zero trust strategy with compliance requirements. (This is why the NIST guidelines will call for developing compliance and zero trust initiatives together.)

Lastly, vendors normally used by U.S. government agencies aren’t ready to support or execute zero trust in all cases.

A hands-on team effort

What the government’s zero trust initiative lays bare is that zero trust is not possible in isolation. Transforming authentication and security also demands transformation in legacy systems and legacy data management, employee training and in regulatory compliance. It demands change in IT architecture — namely, transformation in cloud security strategy.

And what’s true of federal agencies is also true for enterprises looking to embrace zero trust fast.

The truth is that zero trust is not a set-it-and-forget-it proposition. It takes ongoing change.

The mandates don’t provide enough help with funding, given other priorities. They also generally need better guidance on the specifics of avoiding tool sprawl.

Nor do they provide straight answers about how to establish authentication. Issues around biometrics and privacy, for example, also need to be resolved. Zero trust calls for ongoing monitoring and validation of every identity, among authorized employees and non-employees alike.

How the NIST guidelines can help

One major benefit of all the material and guidance developed by NIST and the other agencies is that they help normalize, articulate and justify investment in zero trust architectures for enterprises. The days when lone, nerdy voices touted zero trust are dead and gone. Now it’s the stuff of emergency presidential executive orders and total federal government transformation.

Organizations not on board will suffer the consequences. It’s time to add quotes from and references to official NIST materials, mandates, white papers and even executive orders to C-suite and board-meeting pitches for zero trust investment. This improves leadership alignment, currently the biggest obstacle to zero trust in large organizations.

For example, the white paper Planning for a Zero Trust Architecture by NIST’s Scott Rose is excellent for these purposes.

There’s much to be learned, and much to be gained, by CISOs from NIST’s zero trust guidelines. Above all, understand that the zero trust era is truly here.
