5 Steps to Combating Emerging Threats with Network Security
In today’s rapidly evolving threat landscape, cybercriminals have become more sophisticated than ever, making it crucial to stay abreast of the latest trends and tactics. The challenge is exacerbated by the expanding attack surface as more devices and device types connect to enterprise networks: IT, OT, IoT and IoMT devices, all with known vulnerabilities that can be exploited. Managing this growing attack surface requires adopting measures like passive asset discovery, risk-based vulnerability prioritization and zero trust network segmentation, to name a few.
Recently, we’ve seen cyberattacks grow in sophistication and frequency, with malicious actors benefitting from growing geopolitical conflicts, economic uncertainty and rapid digitalization. One consequence of this digitalization is that organizations are more connected than ever. Many enterprise networks combine traditional IT devices with smart IoT sensors, and OT assets that interact with the physical world. This drastically increases the attack surface and creates new network blind spots.
Protecting ourselves from emerging threats means we can’t continue using the same approach we’ve been taking to network security.
Here are five essential steps for combating emerging threats. You can also download the full eBook.
Step 1: Know what assets are connected to your network
Asset management lays the foundation for network security. You need to know what’s connected, who uses it, where it’s located and what it communicates with. Preferably all this information is in one place, but that’s usually not the case.
If you’re using tools for endpoint detection, vulnerability assessment and configuration management, each of them likely has an inventory of assets or IP addresses. They probably overlap quite a bit since they’re typically deployed on managed assets such as laptops and workstations. But today’s attackers are targeting smart sensors in power generating stations, IP cameras in retail locations and industrial controllers on assembly lines. To fully understand your attack surface, you must deploy multiple discovery techniques to uncover the unmanaged assets hiding in your blind spots.
The Forescout® Platform uses more than 30 active and passive discovery techniques to deliver complete visibility of every connected asset. Certain types of assets require a specific approach to identify, classify and assess them without disrupting their operations. This is essential because some of these assets might monitor or perform critical processes that could severely impact your business if they were compromised or taken offline.
Step 2: Control network access
The next step is controlling which assets should and shouldn’t be on your network. But controlling network access isn’t just about authentication. Many unmanaged or unagented assets don’t have the concept of a “user” or “identity” to authenticate with.
How do you handle these assets when you want to enforce pre-connect authentication like 802.1X? Typically, security teams end up with a bypass list that connects anything with an allowed MAC address onto the network. This puts attackers one spoofed MAC address away from gaining access to your network.
A better approach is to go beyond basic authentication and assess an asset’s compliance and risk posture before granting access and continuously thereafter, watching for changes in configuration, communication and behavior that go against your policies. This best practice derives from a core principle of zero trust: never trust, always verify.
The Forescout Platform features a flexible policy engine that enables you to automate and apply targeted control actions, from moderate to stringent, based on your needs. For example, you can apply policy-based controls that enforce device compliance or quarantine an infected endpoint to rapidly respond to incidents.
Step 3: Limit asset movement and communication on the network
Another core principle of zero trust is to assume you’ve been breached.
When an attacker exploits a vulnerability in an IP camera, their end goal isn’t to simply kick back and watch the video feed; they want to move and propagate across the network in search of something worth extorting – such as customer data, financial results, or patents and other intellectual property.
The best way to fight extortion is before it happens. That means enforcing least privilege access through dynamic network segmentation and access controls that restrict unauthorized communication and shrink the blast radius if someone gets in. Flat, undersegmented networks allow emerging threats to propagate, increasing risk and exposure.
First, you need to analyze how assets are communicating. Being able to map the connections between assets allows you to effectively implement policies to block communication over certain protocols or to certain IPs, while allowing normal business operations to continue.
With Forescout’s traffic matrix and segmentation simulator, you can test policy changes and see how they impact communication flows before implementing them to minimize risk and the chance for costly disruptions or project delays.
Step 4: Leverage your existing security tools
It’s no secret that there’s a major cyber skills shortage, not to mention the alert fatigue and burnout experienced by many security teams. To manage this, you must integrate your existing cybersecurity tools so that they share information and can perform orchestrated workflows without human intervention. For example, you could trigger a scan from your endpoint detection and response (EDR) tool whenever a transient device rejoins the network instead of waiting for the next scheduled scan. Or, you could update your configuration management database (CMDB) whenever a new asset is identified and classified.
Just because you know a device exists doesn’t mean it can be secured like a traditional asset. Take patching vulnerabilities. When Microsoft releases a new patch, deploying it across affected devices is relatively easy. But what about smart devices or IoT sensors? Their embedded firmware will rarely see an update; even if they do, many perform critical functions and can’t easily be taken offline for the update to be applied.
When dealing with thousands of these unmanaged devices, combined with the skills shortage and alert fatigue, a risk-based approach to prioritizing your efforts is essential.
Step 5: Automate remediation and incident response
Attackers can move at machine speed because they deploy automation to test and exploit vulnerabilities at scale. That means you must automate your response, too.
This includes everything from automatically remediating noncompliant assets so they can quickly and safely connect, to dynamically quarantining risky assets so attackers can’t use them to infiltrate the rest of the network.
Within a zero trust architecture (ZTA), it’s the policy decision point, or PDP, that orchestrates the enforcement of security controls and responds to threats through your various enforcement points. The PDP is the central repository for your security policies, making managing and auditing your practices easier. It collects multiple intelligence sources to make decisions carried out by the enforcement points.
That’s why there’s no such thing as a single-vendor, all-in-one zero trust solution. Each piece of the architecture plays a vital role in keeping your network, assets, applications and users secure.
Forescout’s flexible policy engine has fully customizable policy templates for discovering and assessing unmanaged assets and automating your response to threats. A robust PDP that centralizes your security policies builds a strong foundation for your ZTA.
Putting it all together
Traditional ways of identifying devices using point-in-time scans or software agents don’t cut it with today’s rapidly evolving threat landscape. Any asset that goes undiscovered on your network introduces potential risks to your organization. That’s why total visibility is essential to hardening your security framework against emerging threats.
Think about how much of your attack surface you can see today – 20%? 50%? 85%? How confident are you in your coverage and intelligence on unmanaged, non-traditional assets?
If you don’t like the answer, follow the steps in this post to modernize your network security to combat emerging threats.