Zero Trust has become so prevalent that it has lost some of its stopping power
Just based on the number of cybersecurity firms that have popped up in the last few years, it’s not hard to see that we’re having a moment of heightened anxiety. Some organizations are on alert because they know their networks have already been targeted by state-sponsored hackers, others know their executives are being targeted by fraudsters, and yet others are worried about insider threats and intellectual property theft.
The kind of anxiety depends on the organization, and the solutions for it depend on what cybersecurity company they are talking to: some deal in improving threat response, while others solve specific problems, such as detecting and remediating malware attacks.
Awareness and vigilance are not the biggest worry today. The real issue is that nearly all of these security companies are focused on dealing with security after the fact, once indicators of compromise have surfaced. By then, the damage is done: the latest annual IBM Cost of a Data Breach report found the average cost of a data breach has hit a record $4.35 million, and that doesn’t count the damage to reputation and other intangibles that follows a cyber attack.
So an ounce of prevention is definitely worth a pound of cure when it comes to cybersecurity. Companies need to place a focus on prevention that is as strong as the one they now dedicate to detection and response. To make a difference in cybersecurity, defenders need to prevent incidents rather than deal with them after they’ve already happened: fight the disease, not its symptoms.
Many companies have embraced zero trust architectures as a prevention tool, but zero trust has become so prevalent that it has lost some of its stopping power. Everybody now has a different definition of what zero trust is to their organization, and the bad guys are finding ways around the certificate handshakes and verifications that make it work.
Zero trust has fallen out of the realm of prevention. If your security’s starting point is denying access to everything and then working up to the access that is actually needed, things become too hard to manage. You trade a sense of security for endless configuration and maintenance. It’s like treating a patient with an exclusion diet: an endless process of adding one thing back at a time and waiting for the patient to get sick in order to identify what the problem is.
Obviously, shutting attackers out is crucial, but how do we make sure that this doesn’t happen again? Few security companies or software tools take this proactive approach. That’s the problem with the cybersecurity industry: investors are putting money into a lot of tools that aren’t addressing prevention. It’s as if we searched for a cure for cancer by investing in chemotherapy and radiation, instead of researching what actually makes cancer cells mutate.
Most security staff spend their days watching for alerts, chasing down and patching software vulnerabilities, and resetting suspect credentials. We need to free them to become more proactive so they can focus on prevention, at a time when security operations centers (SOCs) are already operating short-staffed because of the shortage of cybersecurity talent.
Since most business and productivity tools used by organizations are now accessed through a web browser, the browser has become a gateway to the network and a target for bad actors. One technology that’s been around for a while is remote browser isolation, or RBI. It executes web applications in the cloud, so an attack only affects a temporary browsing instance that is terminated once the user closes it. This approach ensures that any malware doesn’t reach a company’s systems, and attackers can’t learn anything about its IT attack surface because they are only able to see the isolated session.
Since RBI is essentially transparent to users, it doesn’t rely on them being hypervigilant or always making the right security decisions. This also means that security teams can stop spending all their time on user training and on making endpoints bulletproof, and can focus on other work that adds defense in depth inside the network.
Meanwhile, a stronger emphasis on threat intelligence can feed the prevention focus. We know that threat actors are endlessly mutating their tactics and techniques, like aggressive cancers. Knowing what to look for is the first step to heading off attacks before they present in your network.
There are many excellent researchers and research organizations continuously working to identify and publicize threats. Armed with advanced network monitoring tools and algorithms for parsing data, researchers are increasingly producing better and more actionable intelligence about who the bad guys are and how they operate. In addition, they are able to identify the infrastructure belonging to threat actors, sometimes before they even use it. Since this intelligence can be consumed by many security products, it can play an important role in helping organizations proactively head off and mitigate threats.
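As an added illustration of how a published indicator feed can be consumed by a security product to head off threats (example code written for this page, not from the article or any vendor), the following Python script loads a small feed of malicious domains and IP ranges and scans web proxy logs for connections to that infrastructure. The feed values, log format and log lines are all constructed: the IPs come from the RFC 5737 documentation ranges and the domains use reserved TLDs, so nothing here is a real indicator of compromise. The domain check walks the hostname label by label, so a subdomain of a listed domain matches while a lookalike such as `notbad-example.test` does not.

```python
"""Match a threat-intelligence indicator feed against web proxy logs.

Added example, not code from the original article. The feed values,
log format and log lines are constructed for illustration only.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator feed, shaped like what a researcher might publish.
INDICATOR_FEED = {
    "domains": ["bad-example.test", "c2.example.invalid"],
    "ip_ranges": ["203.0.113.0/24"],
}

# Constructed proxy log lines: timestamp, client, requested host,
# resolved destination IP, HTTP status.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z 10.0.0.5 www.example.com 198.51.100.7 200",
    "2024-05-01T10:00:02Z 10.0.0.5 cdn.bad-example.test 203.0.113.9 200",
    "2024-05-01T10:00:05Z 10.0.0.8 docs.example.org 192.0.2.44 304",
    "2024-05-01T10:00:09Z 10.0.0.9 update.example.net 203.0.113.77 200",
    "2024-05-01T10:00:11Z 10.0.0.9 notbad-example.test 192.0.2.10 200",
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst_ip>\S+) (?P<status>\d{3})$"
)


@dataclass
class IndicatorSet:
    """Feed indicators normalised for lookup."""

    domains: set[str]
    networks: list[ipaddress.IPv4Network | ipaddress.IPv6Network]

    @classmethod
    def from_feed(cls, feed: dict) -> IndicatorSet:
        domains = {d.lower().rstrip(".") for d in feed.get("domains", [])}
        networks = [
            ipaddress.ip_network(n, strict=False) for n in feed.get("ip_ranges", [])
        ]
        return cls(domains, networks)

    def match_domain(self, host: str) -> str | None:
        """Return the matching indicator for the host or any parent domain.

        Comparison is label-aware: 'cdn.bad-example.test' matches
        'bad-example.test', but 'notbad-example.test' does not.
        """
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, ip: str) -> str | None:
        """Return the matching network indicator, if any."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None  # malformed field; nothing to match
        for net in self.networks:
            if addr in net:
                return str(net)
        return None


def scan_logs(lines, indicators: IndicatorSet) -> list[dict]:
    """Return one hit per log line that touches listed infrastructure."""
    hits = []
    for number, line in enumerate(lines, start=1):
        parsed = LOG_LINE.match(line)
        if not parsed:
            continue  # skip lines that do not fit the expected format
        reasons = []
        domain = indicators.match_domain(parsed["host"])
        if domain:
            reasons.append(f"domain:{domain}")
        network = indicators.match_ip(parsed["dst_ip"])
        if network:
            reasons.append(f"ip:{network}")
        if reasons:
            hits.append(
                {"line": number, "src": parsed["src"], "host": parsed["host"], "reasons": reasons}
            )
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, IndicatorSet.from_feed(INDICATOR_FEED)):
        print(hit)
```

Run against the constructed logs, lines 2 and 4 are reported: the first on both its hostname and destination IP, the second on its IP alone, which is the case the text describes where infrastructure is known before the attacker attaches a domain to it. In practice the same matcher would sit behind a proxy or DNS resolver so the connection is denied rather than merely logged.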
But mostly, we need to change the way that we think about security. Zero trust is a great way to approach security, but we need to change the paradigm to prevent threats, instead of just detecting them. That’s how we will make much more progress.