The Four Horsemen of Network Security

By Martin Roesch, CEO

One of the fundamental organizing principles of network security is that we have four fundamental elements to secure: users, applications, data and devices. I sometimes jokingly call them the four horsemen of network security, where each represents a different facet when we think of securing the atomized network, which includes legacy, on-premises, hybrid, multi-cloud and edge environments.

Most security technologies exist either to secure access to the four horsemen or to broker and manage the interactions between them. We deploy tools like cloud security posture management (CSPM), attack surface management (ASM), and firewalls to keep them secure. We also perform tasks such as vulnerability management and patching to enforce compliance policies. And we continue to raise the bar for attackers with aggressive measures like Zero Trust Network Access (ZTNA), with the goal of forcing authenticated access to resources on the network and devices and encrypting everything – including network traffic – by default.

Looking at this in the context of the threat continuum, organizations spend a lot of time and effort on the “Before” phase: discovering, configuring, and hardening the environment. The goal is to make it difficult to gain access to a network in the first place and hopefully obviate the need for other security technologies.

In practice, there are always access methods that people do not anticipate. Authentication mechanisms can be bypassed, software vulnerabilities can be exploited, and identity-based access control systems can be abused to gain deep network access. The widespread use of encryption has blinded the deep packet inspection (DPI) technologies we have traditionally relied on to detect attacks on the network, in favor of identity-based mechanisms for access brokering. The recent Uber attack is a good example. As described online, an attacker circumvented MFA by spamming a contractor’s MFA device, repeatedly asking the user to confirm they were logging in. Eventually, the contractor relented and clicked “yes”, and the attacker was inside and could move laterally to access critical infrastructure.
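The push-spamming pattern described above leaves a recognizable trace in MFA logs: a burst of rejected or unanswered prompts for one user, sometimes ending in an approval. The following detection sketch is an added example, not part of the original post; the event format, result labels, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, push result). Not real log data.
SAMPLE_EVENTS = (
    [(f"2024-01-15T01:0{m}:00", "contractor1", r) for m, r in enumerate(
        ["denied", "denied", "denied", "timeout", "denied", "denied", "approved"])]
    + [("2024-01-15T09:00:00", "alice", "denied"),
       ("2024-01-15T09:01:00", "alice", "approved")]
    + [(f"2024-01-15T10:{m:02d}:00", "bob", "denied") for m in (0, 12, 24, 36, 48)]
    + [(f"2024-01-15T14:0{m}:00", "carol", "denied") for m in range(5)]
)

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Alert when a user gets >= threshold rejected pushes inside `window`.

    An alert is marked approved_after_burst when an approval arrives while
    the burst is still inside the window; that case needs immediate triage.
    """
    rejected = defaultdict(deque)  # user -> times of recent rejected pushes
    open_alert = {}                # user -> alert for the burst in progress
    alerts = []
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = rejected[user]
        while q and ts - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if not q:
            open_alert.pop(user, None)    # earlier burst has aged out
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in open_alert:
                open_alert[user] = {"user": user,
                                    "burst_start": q[0].isoformat(),
                                    "approved_after_burst": False}
                alerts.append(open_alert[user])
        elif result == "approved":
            if user in open_alert:
                open_alert[user]["approved_after_burst"] = True
            q.clear()                     # an approval ends the current burst
            open_alert.pop(user, None)
    return alerts

if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A single mistyped prompt (alice) and rejections spread over an hour (bob) stay below the threshold, while a burst with no approval (carol) is still reported so the account can be checked before the user gives in.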

Because user error reliably happens and we have the majority of our eggs in the Before basket, it is important to master the “During” and “After” phases, especially the After phase, where real-time and retrospective technologies provide more “at bats” to identify an attacker’s presence after compromise so that the rest of the “carry/contain/fix” activities in the After phase can be initiated.

What happens when an attack lands unhindered on a device and the only line of defense at that point is endpoint detection and response (EDR), because the nature of today’s atomized networks makes traditional network-based DPI approaches unworkable? EDR is obviously valuable and provides unique visibility into local processes and system activities. However, its detection and containment capabilities are limited if the attacker uses techniques outside of its scope of coverage and area of responsibility. Additionally, the number of devices on networks is growing rapidly, and it is not uncommon for devices in atomized networks to be unable to run EDR agents. Entire classes of devices can be left unprotected, which means that having an effective network security architecture beyond access control and access brokering is even more important.

Enterprises have become functionally blind to the composition and activities of their atomized networks, a trade-off that ultimately results in longer dwell time and more damage from attackers. After an attack, we need a way to gain visibility and control of network traffic between users, applications, data and devices that is unaffected by encryption and can be deployed when and where it is needed in minutes. The priority is to minimize detection and response time, as a quick response can mean the difference between a minor incident and a major breach.

Netography has the solution. We’ve rebuilt network security capabilities that have been blinded by encryption with an approach that lives off the land, relying on network streams, metadata and business context, not packets, to provide complete network visibility and control, including in places where EDR solutions simply cannot see independently. Our SaaS-based universal platform deploys frictionlessly to deliver capabilities immediately, when and where they are needed throughout the atomized network. A single portal provides a unified view of all data across the entire ecosystem, enriched with security and business context to provide a complete picture of what is happening so users can identify malicious activity. SOC and cloud operations teams can detect and respond to attacks in real time as they emerge, which offers the possibility of a rapid response so that attackers cannot exploit their footprint on the network.

With Netography, teams are no longer in the dark about the users, applications, data and devices they have, what they do and what happens to them. They can quickly replace the rapidly eroding fundamental network-based security capabilities needed to defend the four horsemen.

The post The Four Horsemen of Network Security appeared first on Netography.

*** This is a syndicated blog from Netography’s Security Bloggers Network written by Martin Roesch. Read the original post at: