The Threat Trends in Network Security to defend against the outsider, the insider and the over privileged

CXD Techical Overview Customer Presentationsocal.himsschapter.org/sites/himsschapter/files/Chapter... · 2019-03-13 · incidents are urban myths or unlikely events. Gartner, May



The Threat: lions, tigers and bears…OH MY!

OUTSIDERS

• Nation States
• Well Funded Groups
• Script Kiddies

INSIDERS

• Over Privileged Users
• Complexity
• Laziness
• Mistakes


What is a Malicious Insider?

Over-Privileged Users and Third-Party User Access

Malicious insiders are defined as individuals who are deliberate in their theft, misuse or destruction of data or systems.

Insider threats are a topic many organizations would prefer to avoid addressing. Attempts to raise insider threat issues are sometimes countered with arguments that insider threat incidents are urban myths or unlikely events.

Gartner, May 2016


The Threat is REAL…

Percentages of data breaches due to insider threat vary…

• Celent (2008): 60%
• CSO Online (2013): 36%
• Forrester (2012): 39%
• Ponemon Institute/Symantec (2012): 39%
• Online Trust Alliance (2015): 29%
• Central European University's Center for Media, Data and Society (2014): 57%

…but regardless of the number, the threat is real!


How are Networks Vulnerable Today?


Yesterday’s network security doesn’t address today’s IT reality

Perimeter security has remained largely unchanged for the past 2 decades.

1996 2019

VPNs – They Aren’t Working…

KEY ISSUES:

• VPNs Do NOT Equal Secure
• Over-Privileged and Off To The Races

CHALLENGES CREATED:

• Lateral Movement
• Horrible User Experience
• Not Built for Cloud

“60% of enterprises will phase out network VPNs by 2021.” - Gartner

Traditional Firewalls – They Aren’t Working...

KEY ISSUES:

• Static - Configure and Forget
• Ports and Addresses, Not Users

CHALLENGES CREATED:

• Over-Privileged Users
• Exceptions Proliferation
• Complex, Difficult to Manage
• Not Designed for Cloud Architectures

NACs – They Aren’t Working...

Network Access Control (NAC)

• It’s Complicated: Complicated setup and management.
• Show Me The Money: Generally very expensive and proprietary solutions.
• It Takes a Village: LOTS of components and add-on solutions for it to work.


Common Weaknesses of Current Solutions…

Users are NOT IP Addresses or Devices

Connect First, Authenticate Second

Static Controls for Dynamic Environments

The Perimeter has Changed…and Continues to Change

Users are not always People

The Bad Guys are Not Just on the Outside…


We Need a New Approach…


Waving the Wand: What Would We Conjure?

Works Today

• Existing infrastructure

• Existing protocols

Works Everywhere

• Physical Data Centers

• Cloud Providers

Works on Anything

• PCs, Servers

• Mobile Devices

• IoT Devices


“Zero Trust is a fundamental transformation of corporate security from a failed perimeter-centric approach”

“Security Architecture & Operations Playbook”, Forrester, 2018

ZERO-TRUST MODEL

• IDENTITY-CENTRIC ACCESS
• LIVE ENTITLEMENTS
• MICRO-SEGMENTATION


A better approach to network security: Software-Defined Perimeter

1. Identity-centric

• User- or device-based access control
• Integrates with directory services and IAM
• Context sensitive

2. Zero-trust model

• Authentication before connection
• Dynamically-provisioned 1:1 connectivity
• Unauthorized resources completely dark

3. Built like cloud, for cloud

• Distributed, stateless and highly scalable
• Programmable and adaptive
• Dynamic and on demand


SDP: An industry consensus

“SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems. It is easier and less costly to deploy than firewalls, VPN concentrators and other bolt-in technologies.”

“Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem.”

“BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user.”

“The SDP security model has been shown to stop all forms of network attacks including DDoS, Man-in-the-Middle, Server Query (OWASP10) as well as Advanced Persistent Threat.”


How Does a SDP Work?

Traditional TCP/IP

• Not Identity Centric – Allows Anyone Access
• “Connect First, Authenticate Second”

Software-Defined Perimeter

• Identity-Centric – Only Authorized Users
• “Authenticate First, Connect Second”


SDP and Zero Trust

“Budget and pilot two zero trust networking projects in 2019 — microsegmentation and a software-defined perimeter — to significantly improve the security posture of the organization.”

A Powerful Combination: SOFTWARE-DEFINED PERIMETER & MICROSEGMENTATION

• Cloud & hybrid native
• Resilient and massively scalable
• Powerful API and deep business system integrations
• Full-featured network security platform


Reduce equipment, bandwidth and operating costs by

Decrease network complexity

Leverage existing investments

Reduce firewalls and legacy VPNs

Cloud Migration

Remote & Third-Party Access

Enable Secure DevOps

Powerful feature set supports broad range of use cases

• Automatically secure workloads
• Enforce consistent, hybrid controls

• Enforce identity-centric policies
• Remove over-privileged access

• Remove onerous management
• Grant timely and precise access

Software Defined Perimeter


Operational Benefits of SDP

• Social healthcare site reduced the number of firewall rules by 90%

• Multinational retailer reduced the FTEs managing firewall rules from 52 to 13

• Governmental agency reduced FTEs managing access to key systems from 8 to 1 for over 15,000 users

• Financial services reporting body reduced audit prep time from 2.5 months to 17 days

• Cyber security consulting firm eliminated redundant firewalls and VPNs into remote offices

• Global 50 financial replaced Cisco ISE to avoid $20K per switch upgrades as they expand


Summary


Insider threats are in your Network

• The perimeter is not an unbreakable wall, as it was in the past. It is fuzzy (at best) and constantly changing.

• At least a quarter of all data breaches are due to an insider threat.

• The threats are not just on the outside anymore.

Today’s Solutions Do Not Work

• Firewalls, VPNs and NAC solutions are yesterday’s technology, and unable to meet today’s insider threats.

• The dynamic nature of users and cloud infrastructures demands an easier-to-manage, more flexible, and scalable solution.

A Software-Defined Perimeter Solves!

• Creates a dynamic, individualized perimeter for each user and user-session – a network “segment of one”.

• Entitlements can be modified dynamically as necessary to meet environmental changes.

• One solution to address security and compliance challenges – on premise and in the cloud.

“Complexity is the bane of security” – Brigadier General, USAF (ret) Greg Touhill, President, Cyxtera Federal Group
