
Ransomware, and Why Organizations of All Sizes Should Evaluate Network Segmentation

You’ve probably read or discussed the news articles and public disclosures.

A major bank is breached, the personal data of 100 million customers falls into the wrong hands, and the cleanup costs the bank hundreds of millions of dollars.

A major U.S. municipality has its systems locked by ransomware and falls back to pen-and-paper record keeping while it refuses to pay the extortion demand.

How can these kinds of attacks succeed in today’s cyber-vigilant day and age?

Those are just the high-profile cases. Below the headlines, smaller companies face spoofing ploys, ransomware and evolving malware, and every day too many of them are compromised or tricked into wiring funds to a criminal.

There will always be human error and criminals looking to capitalize on it, so what can we actually change? The answer lies in the security architecture itself, and in how we define next-generation network segmentation.

Traditional Security Architectures Pose Risks

Nearly every damaging corporate breach is a lesson in unsound traffic patterns: network blind spots, crown-jewel systems that were not sufficiently insulated, traffic that was never properly segmented, and endpoint protection and access control too weak to withstand automated account-takeover attacks.

It’s nobody’s fault, really. The private network has changed: it has grown more complex and become a WAN without boundaries. Users connect into the private network while they are also connected to Internet and cloud services outside your security team’s control, some of which may themselves be vulnerable. Do you want traffic and files from the Internet and from multiple cloud services to share pathways with sensitive private network traffic and databases? From a security architecture perspective, the two should never meet.

What’s more, cybersecurity skills, especially in cloud network security, are in short supply, and network and IT staff have to wear many other hats. It is hard to structure traffic patterns that keep roaming users connected and productive while still blocking lateral movement by suspicious or known threats. A zero trust network approach must not turn into an unintended maze of zero-access paths; connection hurdles hurt the business, because employees still need to reach data and communicate.

Network Segmentation, Microsegmentation, and Access Control

Your users are traversing myriad websites and Internet access points, downloading tools, plugging in at public charging stations and then connecting to private enterprise assets. Network segmentation is about restricting direct gateways into the heart of the business so traffic flow patterns don’t inadvertently put the organization at high risk. But network segmentation has been difficult and expensive because of the effort needed to reconfigure distributed infrastructure: VLANs, router ACLs and switch configurations at every site.

The next generation of network segmentation, microsegmentation (or software-defined segmentation), partitions workloads from one another: within a cloud, across multiple clouds, and between data centers, applications and databases.

Gartner wrote: “Microsegmentation (also referred to as software-defined segmentation, zero trust network segmentation or logical segmentation) uses policy- and workload-identity-driven firewalling (typically software-based) or network cryptography to isolate workloads, applications and processes in data centers, public cloud IaaS and containers. This includes workloads that span on-premises and multiple public cloud IaaS providers.”

From a security perspective, this means that once some of your databases and servers are hosted elsewhere they drift out of your direct view and control, so keeping those workloads separated from one another is mandatory if you want to protect your most valuable data and digital assets.

Workstation Microsegmentation

Securing this larger, more distributed attack surface without endpoint agents (software-defined segmentation enforced on laptops, other user-operated mobile workstations and virtual machines) is unrealistic. These devices are part of your network whether or not you are in the cloud, and they are the likely initial point of compromise.

It’s a hybrid, multi-cloud network for many organizations, not just one big tidy cloud environment. More-granular segmentation is needed in both cloud environments and your endpoint-defined private network.

Microsegmentation is usually understood narrowly as a granular, cloud- and data-center-workload-focused approach. But segmentation should not stop at data centers and clouds when you also have to protect end users connecting to each other, to the cloud and to on-premises assets.

OPAQ offers both network segmentation and microsegmentation at the endpoint, that is, on the devices that connect to Internet, cloud and multi-cloud services. Each protected endpoint, stationary or mobile, carries its own security and segmentation policy, so these devices do not become conduits for infection between each other or into networks, servers or databases.

Microsegmentation doesn’t have to be out of reach for small and midsize enterprises or new branch offices, all of which are in the crosshairs of large-scale automated attacks. Nor should the ability to rapidly roll out next-generation network security policy to endpoints, which is now crucial for small and midsize enterprises and large-enterprise branch offices alike. Your endpoints are your weakest links, the way in for a sophisticated attacker. Segmenting cloud and database workloads is smart, but lateral spread can still hit your workforce and cost you if you don’t back your endpoints with security policy that includes network segmentation by host and user group.
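As an added example (not OPAQ’s code, and not a description of how OPAQ Endpoint Control works internally), here is a minimal version of segmentation policy by host and user group as an endpoint agent could carry and enforce it: default deny, explicit allows keyed on host group, user group and port, a quarantine switch for an infected endpoint, and a compiler from that policy to nftables rules for one host’s output chain. All address ranges, group names, users, rules and the nftables table/chain naming are hypothetical.

```python
# Added example, not OPAQ's code: a minimal host- and user-group segmentation
# policy of the kind an endpoint agent could carry and enforce locally.
# All group names, address ranges, users and rules below are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical inventory: which segment (host group) each address range belongs to.
HOST_GROUPS = {
    "workstations": [ip_network("10.10.0.0/16")],
    "finance-db":   [ip_network("10.20.1.0/24")],
    "hr-app":       [ip_network("10.20.2.0/24")],
    "build-farm":   [ip_network("10.30.0.0/16")],
}

# Hypothetical directory data: user -> user groups.
USER_GROUPS = {
    "alice": {"finance"},
    "bob":   {"engineering"},
}

@dataclass(frozen=True)
class Rule:
    src_group: str    # host group the connection originates from
    user_group: str   # user group required on the source host ("*" = any user)
    dst_group: str
    dport: int

# Explicit allow list; anything not listed is denied. Note there is no
# workstations -> workstations rule: peer-to-peer traffic between user machines,
# the classic lateral-movement path (SMB, RDP, WinRM), is blocked by default.
ALLOW = [
    Rule("workstations", "finance",     "finance-db", 5432),
    Rule("workstations", "*",           "hr-app",     443),
    Rule("workstations", "engineering", "build-farm", 22),
]

QUARANTINED = set()  # endpoints flagged as infected: all their traffic is dropped

def host_group(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    for name, nets in HOST_GROUPS.items():
        if any(addr in net for net in nets):
            return name
    return None

def is_allowed(src_ip: str, user: str, dst_ip: str, dport: int) -> bool:
    """Decide one flow: default deny, explicit allow by host group, user group and port."""
    if src_ip in QUARANTINED or dst_ip in QUARANTINED:
        return False
    src, dst = host_group(src_ip), host_group(dst_ip)
    if src is None or dst is None:
        return False
    groups = USER_GROUPS.get(user, set())
    return any(
        r.src_group == src and r.dst_group == dst and r.dport == dport
        and (r.user_group == "*" or r.user_group in groups)
        for r in ALLOW
    )

def quarantine(ip: str) -> None:
    """Isolate an endpoint: every flow to or from it is denied from now on."""
    QUARANTINED.add(ip)

def outbound_nft_rules(local_ip: str, user: str) -> list:
    """Compile the policy into nftables rules for one endpoint's output chain
    (the host-based firewall an agent would program). The table and chain the
    rules load into are left to the caller; the final rule is the default deny."""
    src = host_group(local_ip)
    groups = USER_GROUPS.get(user, set())
    rules = []
    for r in ALLOW:
        if r.src_group != src or not (r.user_group == "*" or r.user_group in groups):
            continue
        for net in HOST_GROUPS[r.dst_group]:
            rules.append(f"ip daddr {net} tcp dport {r.dport} accept")
    rules.append("drop")
    return rules

if __name__ == "__main__":
    ws, peer = "10.10.5.7", "10.10.5.8"
    print(is_allowed(ws, "alice", "10.20.1.10", 5432))  # finance user to finance DB
    print(is_allowed(ws, "bob", peer, 445))              # workstation-to-workstation SMB
    quarantine(ws)
    print(is_allowed(ws, "alice", "10.20.1.10", 5432))  # same flow after quarantine
    print("\n".join(outbound_nft_rules(peer, "bob")))   # rules for an engineer's laptop
```

Running the block prints the decisions for a finance user reaching the finance database, a workstation trying SMB to a peer, the same first flow after quarantine, and the rule set compiled for an engineering user’s laptop. The same evaluate-and-compile step would run on every endpoint, which is what lets policy travel with the device instead of living in a perimeter appliance.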

Don’t underestimate the threat of malicious lateral movement through your security architecture.


Strong Endpoint Security Offers Firewall Alternative for SMBs and Branch Offices

Ahh, the firewall… that invaluable tool that monitors and filters traffic to and from an organization as employees and servers communicate with the Internet and with other networks or devices.

What would we do without them? Firewalls block unauthorized access, inspect packets and help keep malware out of your network. A company might have an enterprise firewall at its headquarters office in Austin, TX, and another at its branch office 1,200 miles away in Charlotte, NC, and use these firewalls to enforce traffic and security policy across its network and access points. It might open a new office location in Chicago, IL, equip that location with a third firewall and integrate it into the traffic and protection scheme. Or, conversely, the company might turn to a cloud firewall model to reduce its investment in physical security equipment and maintenance at its various sites. Either way, the company is taking prudent steps by incorporating firewall protection to help keep its databases and other assets safe from infection, corruption, misuse, theft or ransom.

But what about a company that has only one office and 50 employees distributed across the country, most of whom travel extensively and are out of the firewall’s protective range? Do we expect them to log into the VPN when they work from their home offices or while visiting a client or attending a conference? Do we trust that they will log in? Does an enterprise-firewall-with-VPN strategy do much good here? And what if this small company doesn’t have the servers, routers and other equipment in its HQ office and instead leverages infrastructure in the cloud? Is a firewall appliance or cloud firewall really the most appropriate security solution for this type of organization?

Consider this: Firewall appliances at each office are there to protect the resident users, equipment (physical and virtual) and data. If your organization becomes so distributed that only a few people are in the office and your servers and databases live in the cloud, the premise of the enterprise firewall falls apart. With intellectual property no longer on the premises to protect, it’s smart to consider a strategy in which network and security policy follow your employees wherever they are and wherever they go as they access private enterprise data from the cloud and share data with one another.

Security at the Endpoint

Endpoint security is a strategy in which organizations or individuals attempt to stave off cyberattacks by fortifying remote equipment with on-device cybersecurity protection. Typically, this protection consists of antivirus software and scanning and complements a firewall. But when the firewall and VPN are eliminated from the equation, endpoint security must be stronger.

Attackers target individual users and their workstations through Web browsers, document viewers and multimedia players that download and execute content from the Internet, delivering ransomware and other malware in the hope of gaining a beachhead into the corporate environment. One wrong click or download by the end user and the infection can spread laterally (east-west)… inside the firewall… across the internal network. No longer limited to big organizations and brands, SMBs are in the crosshairs of cyberattacks, with 43% of cyberattacks worldwide targeting small businesses.

Strong endpoint protection doesn’t replace all rationale for firewall use, but it can supplant traditional firewall and VPN strategies in certain scenarios.

  • In organizations in which many IT applications (e.g., Office 365 and Salesforce) and/or sensitive digital assets are no longer hosted in internal network datacenters. Often, traffic from remote workers is backhauled over the VPN to an enterprise control center, from which it is then routed back over another VPN connection to IT services in the cloud. This method of backhauling traffic is expensive, unreliable, and slow.
  • In organizations in which there are few or no company offices, and employees operate outside any firewall protection… Here, the workforce is largely distributed and transient, connecting to enterprise apps hosted in the cloud. In this scenario, endpoint protection needs to be more advanced and adaptive than static antivirus and firewall protection, and that protection must be always-on.
  • In small organizations consisting of an owner and one or more 1099 contractors, where the workstations are computers in home or remote offices. Firewall and VPN protection for these companies may seem heavy-handed, while host-based antivirus and scanning may not be enough to enforce security policy and Zero Trust best practices.

In these scenarios an organization wants to be able to protect its remote workers from cyberattacks, protect these users’ connections to Internet and cloud access points, and prevent the spread of malicious code or file-less malware. The firewall becomes obsolete in some environments, and the VPN impractical. Strong endpoint protection and network segmentation become a smart, effective defense.

OPAQ Endpoint Coverage

OPAQ Endpoint Protect provides easy-to-deploy advanced security-as-a-service for your distributed endpoint users. Organizations can employ it as a complement to the firewall or when firewall or VPN protection doesn’t make sense – for example, small offices of 25 to 50 users.

OPAQ secures remote workers and the private network from the latest threats. Security follows users wherever they go – whether they are in a coffee shop, inside an airport or on a plane or train. The protection goes beyond host-based antivirus signatures and scans and includes:

  • Network intrusion prevention and detection (IPS/IDS)
  • Network anti-virus/malware/spyware
  • External IP inspection and filtering
  • Network URL inspection and filtering
  • Zero-Day protection
  • Internet exposure minimization
  • Protection from both DNS- and Web-based assaults.

Meanwhile, OPAQ Endpoint Control governs your lateral traffic, providing secure access control and network segmentation. Using OPAQ Endpoint Control, organizations can place sensitive IT applications on the open Internet or in the cloud, while ensuring that only authorized users can access those applications. It can also be used to lock down internal networks, closing off unnecessary avenues for lateral movement by attackers who have compromised devices behind the corporate firewall.

Benefits:

Firewall displacement: Is a physical firewall at every office a waste? Are your remote users not logging into the VPN? OPAQ offers always-on advanced protection that doesn’t require your staff to buy and maintain equipment.

Tightened endpoint security: Endpoint Protect ensures that every Internet connection initiated by the endpoint goes through OPAQ’s security cloud. This model provides affordable cloud-delivered enterprise-grade security for organizations that previously couldn’t afford or manage advanced security.

Stopping stowaways: The best approach to distributed security is to segment internal networks using software to contain the spread of attacks. OPAQ Endpoint Control is a network segmentation solution that gives you the visibility to see suspicious activity, quickly search for malicious network processes across your user base, and stop all network communication from infected endpoints.

Backhaul offload: Many organizations today are stuck backhauling full-tunnel VPN traffic from remote workers to the enterprise network. IT applications are increasingly hosted in private clouds, which are then reached over yet more VPN connections. Using OPAQ Control, organizations can break free from this inefficiency, moving to a model where trust is anchored in the user and the device rather than in the network they happen to be on.
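As an added example tied to the “stopping stowaways” benefit above (not OPAQ’s code), here is a blast-radius calculation: starting from one compromised endpoint, walk the flows a policy permits and see what an attacker could reach on a flat network, on a segmented one, and after the infected host is quarantined. The hosts, their groups and the permitted group pairs are hypothetical.

```python
# Added example, not OPAQ's code: measure the blast radius of one compromised
# endpoint by walking the flows a segmentation policy permits, on a flat
# network, on a segmented one, and after the infected host is quarantined.
# The inventory, groups and allowed group pairs are hypothetical.
from collections import deque

# Hypothetical inventory: host -> host group.
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations", "ws-03": "workstations",
    "jump-01": "admin-jump",
    "fin-db": "finance-db", "hr-app": "hr-app", "build-01": "build-farm",
}

# Segmented policy: permitted (src_group, dst_group) pairs. There is no
# workstations -> workstations pair and no rule out of the server groups,
# so a foothold on a user machine cannot pivot to its peers or to the jump host.
SEGMENTED = {
    ("workstations", "hr-app"), ("workstations", "finance-db"), ("workstations", "build-farm"),
    ("admin-jump", "hr-app"), ("admin-jump", "finance-db"), ("admin-jump", "build-farm"),
}

def allowed_flat(src, dst, quarantined):
    """Flat network: any host may talk to any other, unless one side is quarantined."""
    return src not in quarantined and dst not in quarantined

def allowed_segmented(src, dst, quarantined):
    """Segmented network: only the listed group-to-group flows, minus quarantined hosts."""
    if src in quarantined or dst in quarantined:
        return False
    return (HOSTS[src], HOSTS[dst]) in SEGMENTED

def blast_radius(start, allowed, quarantined=frozenset()):
    """Hosts an attacker holding `start` can reach by pivoting hop by hop over
    permitted flows. Pessimistic assumption: any reachable host is compromisable."""
    if start in quarantined:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and allowed(cur, nxt, quarantined):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

if __name__ == "__main__":
    for label, policy in (("flat", allowed_flat), ("segmented", allowed_segmented)):
        print(label, sorted(blast_radius("ws-01", policy)))
    print("segmented + quarantine", sorted(blast_radius("ws-01", allowed_segmented, {"ws-01"})))
```

The pessimistic assumption, that any reachable host is compromisable, is what makes the number useful as a worst-case figure: on the flat network every other host is in the blast radius of a single workstation, on the segmented network only the three services it is allowed to reach, and quarantining the host drops it to zero. The same walk, run from the jump host or from a server, shows which segments matter most to protect.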

Security cannot be a static defense. To protect remote workers who live in the cloud, stop relying on a perimeter firewall they are rarely behind and leverage strong, smart endpoint protection that is always on and evolving ahead of the latest threat.
