They say the definition of insanity is doing the same thing over and over expecting different results. I swear, network security - specifically using VPNs to protect your assets - has become a new form of this madness that plagues so many companies today.
Last year we spent over $25B on network security technologies, like VPN. And are we more secure as a result? Statistically speaking, no! In fact, the very technologies that were supposed to protect us from cyberattacks and malware have fallen behind because of their reliance on 20+ year-old technology. The evidence is there in black and white - just look at the most recent examples. The SolarWinds state-sponsored attack gave malicious actors admin-level access to thousands of network devices and servers - leaving most companies still unsure to what extent they’ve been impacted. Shortly thereafter, another state-sponsored attack on Microsoft Exchange servers exfiltrated sensitive emails from over 60,000 servers. Who knows what intellectual property or trade secrets were stolen? And now we’re seeing attacks on critical infrastructure ranging from water supply tampering to disruption of our fuel supplies just this week.
So, the question we have to start asking is what can we do to prevent these attacks?
For starters, we have to fundamentally rethink network security. We can’t secure networks by cobbling together disparate virtual private networks, segmentation policies, multi-factor keys, firewall rules, etc., and hoping that secures our assets. In order for the network to be truly secure, security has to be engineered from the ground up - and pervasive across the entirety of the network.
First, we have to create a way to secure any connection between any two entities edge-to-edge by unifying remote user authentication, WAN encryption, LAN protection, and segmentation into a single layer. This removes the most common attack vectors.
Next, securing your accounts with multi-factor authentication is an absolute must! This morning, I read an article by Jamil Farshchi - CISO at Equifax. In his article, he discussed the Colonial Pipeline attack and what we can do to prevent these attacks from happening. Specifically, he cited multi-factor authentication as the first line of defense, and we believe this is absolutely true!
In fact, we believe you can take this a step further by binding the user’s identity to access and visibility privileges that are policy controlled. This removes the ability for malicious actors to use secure connections to perform reconnaissance or move laterally through the network.
But if we’re going to go this far, why not just make the network invisible and undetectable to anyone (or anything) not authorized and authenticated into the network? This has two positive effects. First, it makes it almost impossible to perform reconnaissance, since malicious actors simply cannot see the invisible network and protected systems. Second, it removes the attacker’s intent - as they simply don’t know the system exists. Sound like science fiction? It's not. In fact, we've patented this very concept in our network protection solutions - but I digress...
In addition, security can't come at the price of complexity; otherwise, we introduce the risk of human-error-induced vulnerabilities. Protection solutions must be easily deployed and managed, right? So let’s wrap the network with an operational experience that takes away complexity. Deployment and provisioning should be zero-config - eliminating the requirement for network changes. In addition, management of segmentation and access control should be simple, allowing access control policies to be created and modified at a single touch - without requiring tedious changes to the network underlay. This reduces operational overhead and eliminates the risk of human error.
Oh, and while we’re at it, let’s not expose the management console via an open web port. Let’s secure it behind the invisible network as well!
Now that I think about it, I can’t believe I actually have to say this in 2021, but almost every VPN vendor out there exposes their admin console through an open web interface!
We live in a time of massive complexity, and often cybersecurity amplifies that complexity. Our industry is one filled with acronyms and buzzwords, and it seems not a day goes by that we don't read about new analytics, forensics, automation, or intelligence tools. So, it stands to reason that talking about good old-fashioned "preventative network protection" might seem passé. But, let's face it, every attack we read about has one thing in common - they're coming in through the network! Maybe it's time to think about defending it - at BlastWave, this is all we think about.