Our three-part blog series, Re-thinking Defensive Strategy at the Edge, has been focusing on outlining a new defensive edge strategy for today's enterprise. We began with a discussion of data and indicators. Most recently, our second post focused on using risk signals and correlating them for improved security controls. This last post in the series will transition the discussion from data and correlation into how to use these to enable adaptive actionable protection strategies.
The tension between usability and security needs to be balanced to enable a controlled environment and successful business. While devices can become compromised even when security controls are in place, the signals of compromised devices and users are not always deterministic, and can represent both malicious and benign activity. We want to establish and implement adaptive and actionable protective mechanisms that can reduce risk and mitigate potential damage while avoiding drastic impacts on usability.
Risk signals, in some cases, represent user behavior or a risk level that is not deterministic. It cannot guarantee malicious behavior exists, and it may result in false detection. The core concept behind being able to react to observed signals is to create limited usability impact while reducing the risk of compromised devices, and giving more time to security teams to be able to dig into the root cause of abnormal and risky behavior.
The defensive strategy needs to use a combination of deterministic and nondeterministic actions that will be used based on the level of risk associated with the devices and users. The defensive strategy should also be able to adapt and change the action based on a change in the risk level. The actions that need to be applied should utilize the remote accessibility infrastructure to be able to reduce risk by reducing the attack surface or access functionality.
Here are some use cases for implementing nondeterministic protective actions:
Multi-Factor Authentication (MFA)
The best example for nondeterministic protective action would be MFA, which can be used to reduce risk by verifying the connected user is fully authenticated and preventing threats such as compromised credentials. MFA effect on usability is minimal, as it requires a limited engagement from the user to be authenticated.
Creating granular application policies managed by application owners will limit access and will help with reducing risk by narrowing the attack surface that potential threats can traverse. Determine which applications should have limited access, especially those that are more sensitive in nature, and if compromised could result in significant damage to the organization's brand, reputation, and properties. For example, create a policy so that an enterprise employee from the finance department, if flagged as suspicious for being connected from a compromised device, will be able to only access nonessential applications, while being disallowed to access some of the financial applications that contain sensitive information, until being authorized by the security team. Policies can also be created that trigger remediation messages sent with simple instructions so users can self-remediate and offload some of the burden of the security team and help desk.
Enable application policies that take into account limiting or preventing access to application functionality that might lead to significant data leakage or exfiltration. Sufficient levels of usability can still be maintained while reducing the risk of data breach, giving more time to security teams to evaluate reported signals and the associated risk. For example, an enterprise employee in the legal department, if flagged as suspicious for being connected from a potentially vulnerable and unpatched device, could download and access sensitive files from the file-sharing service being used by that enterprise. A policy can be implemented that limits the size and number of files that can be accessed and downloaded each day. This approach can reduce the risk of massive data breach, and the user accessibility limitation can be adapted once security risk signals change.
While nondeterministic actions like these are important, deterministic actions -- such as isolating or blocking any access from risky remote connected devices -- are also a valuable part of security strategy. The trade-off between security and usability is subject to each enterprise policy and its sensitivity to security risks. A defensive strategy that uses adaptive access that changes based on the risk associated with the connected user and device as derived from risk signals is an essential piece that reduces the overhead of managing users, devices, and protective actions while adding another layer of defense.
The scale of users that are connecting remotely to the enterprise applications and servers has exploded, and their browsing habits and associated risks are forcing us to reevaluate our risk posture.
As enterprise-connecting entities have become increasingly distributed, defensive strategy that is network-centric might miss new threats that emerge from the distributed connected devices. Most existing security solutions are doing essential jobs in protecting against threats in a deterministic state of mind, focusing on protecting against threat once it emerges.
At the same time, we cannot ignore the fact that enterprise will always have blind spots and that threat actors are still penetrating enterprise fences. Therefore, we are recommending an adaptive risk-based complementary layer of defense that can reduce the potential impacts that are accompanied by remote connectivity, combined with compromised users' credentials and devices. As we outlined in this blog series, an additional layer of defense needs to include the components of data and indicators, risk-based signals and entities, and protective actions.
As the boundaries of enterprise networks continue to change, and a new model of applied distributed remote connectivity architecture that enables intelligent access decisions takes its place, a new form of defensive strategy needs to be considered as well. This new approach needs to be easy to adopt and integrate, focus on the connected entity and its posture, take into consideration threat signals that enable risk-based actionable protection, and enable autonomous adaptive access capabilities.
Remote is here to stay, so we need to evolve our security strategy to accommodate it. Enterprises need to proactively adjust defensive strategy, being able to be one step ahead and fight against the threats to come.