For most organizations, the network map has changed dramatically. Once organizations had a defined network perimeter that clearly distinguished “inside” from “outside.” Endpoint devices like workstations and desktops were “inside,” physically and virtually. They could be authenticated once and trusted thereafter. After all, these devices never left the building.
Physical security further reinforced the fortress approach. Users were authenticated by the card reader at the front door or the security officer at the front desk, assuring their identity. Once inside they were clearly visible to co-workers, making it difficult for an outsider to pretend to be that trusted employee John.
Three trends are dissolving the network perimeter
Three major trends have completely upended this concept of the corporate IT network providing a protective perimeter around IT assets and data. Today, virtually every organization employs SaaS (software as a service) applications that, along with their associated data, reside outside of the network. Additionally, hybrid cloud has become the new normal, with IT resources residing in the public cloud as well as on premises.
And now, with mobility and employees working remotely, your endpoints and their users could be anywhere - grandma’s house, the kids’ soccer game, or on vacation in Costa Rica. The additional methods you used to rely on to validate that user - the front door card reader, the security guard, the co-workers - are long gone.
You can’t make assumptions about users based on IP address, because people can access your network from anywhere on the internet. When Netsurion went to a work-from-home mode during the pandemic, we got an alert that there was a successful login to our network from Cuba. It turned out Cuba was home to one of our South Florida employees. So, when we said, “Work from home,” he went home. But that location was out of the ordinary for us, so it got our attention. We investigated, and his manager confirmed that the location was valid. It was not a case of credential compromise.
The point is, location has changed so drastically that the assumption you made in the past - that if you know the endpoint and the IP address, you know the user - no longer applies.
The big risk: when outside attackers look like insiders
Why is protecting identity so important? If an attacker succeeds in masquerading as a legitimate user, then that outsider suddenly looks like an insider - and insider attacks are typically extremely difficult to detect. The potential for damage from an outsider masquerading as an insider is significant. The attacker can stay undetected inside your network for a long time, lying dormant or sniffing around to scout out valuable data to steal. Their behavior looks legitimate, and they don’t leave a trail of invalid or failed logins that usually indicate a breach.
If the attacker compromises a user with administration privileges, that’s an open door to go anywhere in the network that your configurations allow. That happened to one organization we know that had failed to subdivide its network into domains: an attacker was able to log in to multiple departments over several months and access systems and data. The attacker got spooked by the arrival of law enforcement at the front door. Mistakenly assuming he had been detected, he burned the infrastructure down. In the subsequent postmortem, a pattern of unexpected logins showed the probing conducted by the attacker in the months prior to detection.
Looking forward, user identity is the new endpoint to be protected, rather than only the device
That means you have to find a way to authenticate that your user John really is John, and not an attacker who has found a way to log on as John.
Passwords versus multi-factor authentication
If you are relying only on passwords, your protection is weak. Passwords are relatively “soft” targets that, in today’s interconnected world, are easily compromised. Stolen passwords are always for sale on the dark web, and there are many easy-to-access password-cracking tools that attackers can use. And even though user education has gotten much better, attackers using phishing and social engineering remain persistent in compromising user identities.
Much stronger protection comes from good password hygiene, like requiring password changes every 30 or 60 days, and even more so from multi-factor authentication (MFA). With MFA, the user has to have two things simultaneously: something they know, like a password, and something they have, like a mobile phone on which they can receive a one-time authentication code, or a fingerprint for the biometric fingerprint reader on a laptop.
In our experience, convenience is the greatest enemy of security. When people bypass the default or don’t elect to implement MFA to protect their identity, they put your network at risk.
The next level of protection: User and Entity Behavior Analytics
The defense against insider attacks - or outsiders that have gained insider access - is User & Entity Behavior Analytics (UEBA). It uses machine learning (ML) to establish a baseline of normal behavior for each network user. Then the ML monitors massive amounts of telemetry to detect behavior that falls outside that normal range.
Anomalous user behavior revealed one of the largest security breaches of the 21st century. A security company (not ours) questioned a long-time employee’s request to register a new phone for MFA. By contacting the employee, the analyst discovered that the request came from an attacker already inside the network. That started the forensics that ultimately led to discovering the supply chain breach involving SolarWinds remote management software.
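The baseline-and-deviation idea behind UEBA, applied to the two anomalies this article describes (a login from a country never seen for that user, and a request to register a new MFA device), as an added example that is not Netsurion's code or part of the original article. It replaces the machine learning with simple per-user sets of previously seen values; the event fields, user names and the two-hour slack are assumptions, and all events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry): (user, action, country, hour_utc)
BASELINE_EVENTS = [
    ("john", "login", "US", 13), ("john", "login", "US", 14),
    ("john", "login", "US", 15), ("john", "login", "US", 13),
    ("maria", "login", "US", 9), ("maria", "login", "US", 10),
    ("maria", "mfa_register", "US", 9),
]

NEW_EVENTS = [
    ("john", "login", "US", 14),        # matches John's baseline
    ("john", "login", "CU", 14),        # country never seen for John
    ("john", "mfa_register", "US", 3),  # first-time action at an unusual hour
    ("maria", "login", "US", 10),       # matches Maria's baseline
]

def build_baseline(events):
    """Per-user sets of the countries, actions and hours seen during the baseline period."""
    profile = defaultdict(lambda: {"countries": set(), "actions": set(), "hours": set()})
    for user, action, country, hour in events:
        profile[user]["countries"].add(country)
        profile[user]["actions"].add(action)
        profile[user]["hours"].add(hour)
    return profile

def score_event(profile, event, hour_slack=2):
    """Return the reasons (possibly none) why an event deviates from the user's baseline."""
    user, action, country, hour = event
    if user not in profile:
        return ["user has no baseline"]
    seen = profile[user]
    reasons = []
    if country not in seen["countries"]:
        reasons.append(f"new country {country}")
    if action not in seen["actions"]:
        reasons.append(f"first-time action {action}")
    # Distance on a 24-hour clock, so 23:00 and 01:00 are two hours apart.
    gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in seen["hours"])
    if gap > hour_slack:
        reasons.append(f"unusual hour {hour:02d}:00 UTC")
    return reasons

def triage(profile, events):
    """Events with at least one deviation, queued for analyst review."""
    return [(e, r) for e in events if (r := score_event(profile, e))]

if __name__ == "__main__":
    for event, reasons in triage(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(event, "->", "; ".join(reasons))
```

A flagged event is a prompt for review, not a verdict: as with the Cuba login above, the follow-up is to confirm with the user or their manager.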
Netsurion employs UEBA as part of our Managed Open XDR solution, using our ML technology and analyst expertise to stop malicious insiders and outsiders masquerading as insiders. Once our ML identifies anomalous behavior by a user or a system, it is automatically elevated to a Security Operations Center (SOC) analyst for review. With advance directives from the customer, we can immediately block the suspicious action to protect highly sensitive data or systems.
Alternatively, we escalate what we’ve observed to the network owner for visibility. That’s how we found out that it was our employee logging in from Cuba, not an attacker. You can learn more about our UEBA capability here, or schedule time with a Cybersecurity Advisor to see if our managed service is a good fit.