How to automate your network edge security to protect against human error and prevent cyberthreats from spreading
By Graham Walker, VP Marketing, Allied Telesis
“Protect your network borders; don’t let the bad guys win!” is a persistent message coming from cybersecurity vendors. While this may be a prudent strategy, it’s not the only one a modern organization should adopt to protect its network. Every week we see examples of network breaches, data theft, and cyber-crime affecting organizations of all sizes and across all industries.
The fact of the matter is that threats do not come only from malicious sources; they also arise from accidental configuration errors by trusted network admins and from employees following poor security practices. Either can end in a network outage or a breach that disrupts the business, whether the weakness is exploited deliberately or simply neglected.
A 2018 Cost of a Data Breach Study found that around 25% of all US data breaches resulted from carelessness or user error. It’s time that companies realize that even if they have adopted conventional network security measures, their most significant vulnerability is their people.
Even the largest organizations with abundant resources are not exempt. In July 2019, Capital One Financial Corp. revealed it had discovered a breach affecting 106 million people in North America. Forensic analysis found that a configuration vulnerability had enabled a cyber-thief to download 30 GB of sensitive financial information. If a large financial services company like Capital One failed to get it right, what can we expect of everyone else? The only safe assumption is that a security breach will eventually occur, and companies must urgently adopt a variety of strategies to plan for it.
Security that isn’t secure
It’s incredibly challenging to build a network that has a 100% secure border. Almost all networks have vulnerabilities, and often the people who work within the network pose the highest risk. Yet very few companies adequately train their staff with the skills needed to identify and prevent these threats. MediaPro’s State of Privacy and Security Awareness report claims that 70% of US employees don’t understand cybersecurity.
Sometimes breaches are deliberate and malicious, where an employee abuses their trust and causes damage, steals, or facilitates others to steal from the company. Restricting access to sensitive data, data leak prevention, network segmentation, enforced policies and procedures, and audit trails are effective ways to limit this exposure. Although insider threats are less common than external threats, the damage can be worse, and a determined actor with malicious intent and access to company data can be almost impossible to stop.
One of the most infamous and damaging insider breaches was when the contract employee Edward Snowden stole classified information from the National Security Agency (NSA) and exposed it to journalists. If one of the top security-conscious agencies on the planet can’t safeguard and prevent its most confidential secrets from insider threats, what other organization out there can?
A more common threat is the inadvertent mistake of an employee who “just forgot” or “wasn’t thinking”. According to the Ponemon Institute Cost of Insider Threats Report, 65% of insider incidents in 2018 resulted from accidental mistakes or misuse. These common mistakes often include the use of unknown USB sticks, sharing passwords (yes, this still happens), storing sensitive information on unsecured devices then losing them, connecting unauthorized devices to the company network, falling prey to phishing campaigns, forgetting to apply a security patch, and more. Each of these mishaps has the potential to invite a multitude of threats that may lead to business disruption, reputational damage, significant fines, and other financial outlays.
Consider the class of mistakes that let threats enter the network by a backdoor or by a route other than the usual email or weaponized website. Since most organizations rely on their firewall to protect them from threats (the “secure border” model), these mistakes are of critical concern. Bypassing the border, just as the Greeks entered Troy inside the famous wooden horse, leaves the network defenseless and allows threats to spread and wreak havoc with nothing to stop them.
Even when the firewall does tell the administrator that it sees a threat, what can the admin do about it apart from pulling network cables? These threats can spread too fast for a human to react. Defending the border at all costs and keeping the bad actors out is therefore a justified approach, because once attackers get inside, as the Trojans discovered, it doesn’t end well.
A solution you can rely on
The better approach is to apply a different, forward-thinking strategy that accepts threats can and will enter the network but offers solutions for how to deal with them effectively and rapidly. Ideally, the network itself would not only identify the threat but also take immediate action to shut it down and quarantine any affected devices before more damage is done. This is precisely what the Self-Defending Network solution from Allied Telesis does.
No replacement or reconfiguration of the existing firewall is required, because the Self-Defending Network reacts whenever the firewall reports a threat, identifying the source and isolating the affected user device. Other solutions do the same thing, but they typically require agent software to control the endpoint devices. This complicates the deployment of new devices, adds to the administrator’s busy workload, and limits the solution’s value.
Our Self-Defending Network is different because we control the network and not the device. There is no agent software to deploy, and we can protect against threats on any user device, including mobile devices, since we control both wired and wireless networks. The primary advantage, however, is that responses to threats are immediate and automated. A threat can be shut down quickly and without manual intervention, giving it no chance to spread, which solves the problem of how to stop a threat from spiraling out of control once it penetrates the border. Because the response is automated, the risk of human error is vastly reduced, which is particularly useful in a crisis when stress levels are high.
The Self-Defending Network is built on our automation engine, called Autonomous Management Framework (AMF). AMF contains an intelligent security component called AMF Security (AMF-Sec), which works with threat detection applications to respond instantaneously to alerts and block attacks within a wired or wireless network. Unlike other solutions that control the endpoint device, AMF-Sec isolates and quarantines compromised endpoints without the need to install agent software.
When a threat is detected, AMF-Sec immediately locates and quarantines the suspect device without affecting other network users. Responses are configurable (for example, log a message, block the device, or quarantine it on a VLAN), and comprehensive logging provides a clear audit trail of what has taken place. The network administrator can then remediate the device so it can rejoin the network with little or no disruption.
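The response flow described above, written out as an added example. This is not AMF-Sec or Allied Telesis code and uses no OpenFlow or AMF API; it simulates the steps in plain Python so the decision logic and the audit trail can be read and tested. The alert format, the ARP and MAC-address tables, the quarantine VLAN number and the protected-device list are all constructed for the example. The switch commands it produces are strings standing in for whatever the real controller would send. One design choice a practitioner would want, and which the article does not spell out, is the protected list: a response engine that isolates whatever source IP the firewall names can be turned into a denial-of-service tool by an attacker who spoofs traffic from the gateway or a core server, so those addresses are logged but never auto-isolated.

```python
"""Simulated alert-to-quarantine responder (added example, not vendor code).
Flow: parse a firewall alert, map src IP -> MAC -> switch port, pick a
response by severity, apply it once, and audit every step, including no-ops."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed alert lines in a generic key=value syslog style (no vendor's real format).
SAMPLE_ALERTS = [
    "2019-07-29T10:15:02Z fw01 IPS: sig=Trojan.Generic severity=high src=10.20.30.41 dst=203.0.113.9",
    "2019-07-29T10:15:07Z fw01 IPS: sig=Trojan.Generic severity=high src=10.20.30.41 dst=203.0.113.9",
    "2019-07-29T10:16:11Z fw01 IPS: sig=Scan.PortSweep severity=medium src=10.20.30.77 dst=10.20.31.0",
    "2019-07-29T10:17:45Z fw01 IPS: sig=Policy.Violation severity=low src=10.20.30.12 dst=198.51.100.4",
    "2019-07-29T10:18:03Z fw01 IPS: sig=Trojan.Generic severity=high src=10.20.30.1 dst=203.0.113.9",
    "2019-07-29T10:18:30Z fw01 IPS: sig=Trojan.Generic severity=high src=10.20.30.99 dst=203.0.113.9",
    "2019-07-29T10:19:00Z fw01 kernel: link up on eth1",
]
# Constructed ARP (IP -> MAC) and MAC-address (MAC -> switch, port) tables.
ARP_TABLE = {"10.20.30.41": "00:11:22:33:44:55", "10.20.30.77": "00:11:22:33:44:66",
             "10.20.30.12": "00:11:22:33:44:77", "10.20.30.1": "00:11:22:33:44:01"}
MAC_TABLE = {"00:11:22:33:44:55": ("sw-floor2", "port1.0.14"),
             "00:11:22:33:44:66": ("sw-floor2", "port1.0.21"),
             "00:11:22:33:44:77": ("sw-floor3", "port1.0.3"),
             "00:11:22:33:44:01": ("sw-core", "port1.0.1")}
PROTECTED_IPS = {"10.20.30.1"}  # assumed gateway: logged, never auto-isolated
QUARANTINE_VLAN = 999           # assumed remediation VLAN

ALERT_RE = re.compile(r"^(?P<ts>\S+) (?P<fw>\S+) IPS: sig=(?P<sig>\S+) "
                      r"severity=(?P<sev>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")
SEVERITY_ACTION = {"high": "quarantine", "medium": "block"}  # anything else: log only


@dataclass(frozen=True)
class Endpoint:
    ip: str
    mac: str
    switch: str
    port: str


def parse_alert(line: str) -> Optional[dict]:
    """Return the alert fields, or None for lines that are not IPS alerts."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def locate(ip: str, arp: Dict[str, str], mac_table: Dict[str, Tuple[str, str]]) -> Optional[Endpoint]:
    """Resolve a source IP to the switch port its MAC was learned on."""
    mac = arp.get(ip)
    loc = mac_table.get(mac) if mac else None
    return Endpoint(ip, mac, loc[0], loc[1]) if loc else None


def choose_action(severity: str, ip: str, protected: Set[str]) -> str:
    """Protected infrastructure is only logged, so a spoofed alert cannot cut it off."""
    return "log-protected" if ip in protected else SEVERITY_ACTION.get(severity, "log")


class Responder:
    def __init__(self, arp, mac_table, protected, quarantine_vlan):
        self.arp, self.mac_table, self.protected, self.vlan = arp, mac_table, protected, quarantine_vlan
        self.isolated: Dict[str, str] = {}    # mac -> "quarantine" | "block"
        self.switch_commands: List[str] = []  # simulated; stands in for controller calls
        self.audit: List[dict] = []

    def _record(self, rec: dict) -> dict:
        self.audit.append(rec)
        return rec

    def handle(self, line: str) -> dict:
        alert = parse_alert(line)
        if alert is None:
            return self._record({"raw": line, "result": "ignored"})
        rec = {"ts": alert["ts"], "sig": alert["sig"], "src": alert["src"]}
        ep = locate(alert["src"], self.arp, self.mac_table)
        if ep is None:
            return self._record({**rec, "result": "unlocated"})  # still audited
        rec.update(mac=ep.mac, switch=ep.switch, port=ep.port)
        action = choose_action(alert["sev"], ep.ip, self.protected)
        if action.startswith("log"):
            return self._record({**rec, "result": action})
        if ep.mac in self.isolated:  # repeated alerts must not re-issue commands
            return self._record({**rec, "result": f"already-{self.isolated[ep.mac]}"})
        if action == "quarantine":
            self.switch_commands.append(f"{ep.switch}: move {ep.port} to vlan {self.vlan}")
        else:
            self.switch_commands.append(f"{ep.switch}: shutdown {ep.port}")
        self.isolated[ep.mac] = action
        return self._record({**rec, "result": action})

    def release(self, mac: str) -> bool:
        """Admin-driven remediation step: undo the isolation of one device."""
        if mac not in self.isolated:
            return False
        sw, port = self.mac_table[mac]
        self.switch_commands.append(f"{sw}: restore {port}")
        del self.isolated[mac]
        self._record({"mac": mac, "result": "released"})
        return True


def run_demo(lines: Optional[List[str]] = None) -> Responder:
    r = Responder(ARP_TABLE, MAC_TABLE, PROTECTED_IPS, QUARANTINE_VLAN)
    for line in (lines if lines is not None else SAMPLE_ALERTS):
        r.handle(line)
    return r


if __name__ == "__main__":
    for entry in run_demo().audit:
        print(entry)
```

Running it produces seven audit records: the first alert quarantines port1.0.14 on sw-floor2, the repeat of that alert is recorded as already handled without a second command, the medium-severity scan shuts down a port, the low-severity alert is logged only, the alert naming the gateway is logged but not acted on, the alert for an address the switches have never seen is recorded as unlocated, and the non-IPS line is ignored. Note that a port-based response isolates everything behind that port; if a phone or small switch sits between the wall jack and the PC, the neighbouring devices go with it, which is a reason to keep the log-only and release paths as easy to use as the block path.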
Deployment is painless because AMF-Sec works with a wide range of physical and virtual firewall products without any reconfiguration. Two options are available for communication with network switches: either with OpenFlow or AMF. AMF-Sec can use either method to control device access, which provides flexibility and reduces the need for equipment changes.
The takeaway is this: The Self-Defending Network works with your existing firewall to deliver real value with immediate threat responses and reduced operating costs without increased complexity.
The conventional security approach concentrates on defending the network border, working on the assumption that it is the only way threats can enter the network. As we have shown, this is not true, and companies that adopt this approach can be blindsided if they do suffer an insider attack. Whether the attack is malicious or the result of human error, the consequences can be devastating. Therefore, organizations must be well-prepared for insider threats in whatever form they take.
The most effective countermeasures are frequent security awareness training and implementing best practices such as least-privilege, need-to-know, network segmentation, etc. However, it’s wise to adopt a belt-and-braces approach that reinforces best practices with automated solutions to reduce mistakes and defeat malicious actions as soon as they are detected.
About the Author
Graham Walker is the Vice President of Marketing for Allied Telesis. He has worked with Allied Telesis for almost 20 years, having recently moved to the US from Allied Telesis Labs in New Zealand, where he was the Product Marketing Manager for the APAC region. Graham’s experience includes software development, project management, and product marketing. He is a forward-thinking professional who enjoys understanding customers’ requirements and discussing the benefits and pitfalls of technology. His focus is to ensure that everyone knows that Allied Telesis makes secure and reliable networking easy! Graham holds a bachelor’s degree in Computer Science from Strathclyde University in Scotland and can be reached online at LinkedIn and via our company website https://www.alliedtelesis.com/