Cyber security is a market plagued by acronyms, especially on the networking side. This doesn’t simplify matters. The real problem is that the security technology landscape, like its lingo, is too complex. How can anyone with their back against the wall make sense of the options presented to them in the Cyberscape? The reality is that we need to get back to basics. What businesses large and small need to be asking is: what’s essential to maintain business continuity safely and securely? 

Don’t let the Cyberscape fool you. When it all boils down, cyber security can be fundamentally bucketed into three areas:

1. Network Security
2. Endpoint Security
3. Application Security

While security software vendors have made the subcategorization of these areas into a cottage industry, this overarching security trilogy is pretty straightforward. In essence, companies should seek to secure their networks, the devices in use across those networks, and the business applications in use across those devices.

Network Security

Simply put, network security is a set of rules and configurations designed to protect computer networks and the data in transit across them via software and hardware. Organizations large and small require a degree of network security to protect it from the proliferation of cyber threats we covered earlier.

Network security typically consists of three different controls: physical, technical and administrative. Physical security controls are designed to prevent unauthorized personnel from gaining physical access to network components such as routers, wiring closets and so on. 

Technical security controls protect data that is stored on the network or which is in transit across, into or out of the network. Protection is twofold: it needs to protect data and systems from unauthorized personnel, and it also needs to protect against malicious activities from employees, contractors and guests on the network. 

Administrative security controls consist of security policies and processes that control user behavior, including how users are authenticated, their level of access and also how the IT department can implement changes to the infrastructure.

Endpoint Security

Endpoint security is the practice of protecting enterprise networks against threats originating from on-premises or remote devices. An endpoint is any device that provides an entry point to corporate assets and applications and represents a potential cyber security vulnerability. Examples include desktops, laptops, servers, workstations, smartphones and tablets.

Historically, most organizations have relied on tools such as firewalls, VPNs, and antivirus programs to safeguard sensitive information, prevent unauthorized access to critical applications and IT systems, and protect against malicious software and other vulnerabilities. 

As we’ve touched on, however, companies are increasingly adopting mobile applications and cloud services that erode the once well-defined enterprise network perimeter. Many enterprises are now taking a defense-in-depth approach to endpoint protection, instituting a wider range of security controls to protect against a broader array of threats.

Application Security

Application security is the discipline of processes, tools and practices aiming to protect applications from threats – both internal and external to an organization. Cyber threat actors exploit vulnerabilities in enterprise applications to capture data, intellectual property, and more – often with impunity. Application security can help organizations protect all kinds of applications (such as legacy, desktop, web, mobile, etc.) used by corporate stakeholders including customers, business partners and employees.

Most successful breaches target vulnerabilities that reside in the application layer, such as the recent log4j vulnerability. As a result, IT teams must be extra vigilant about application security. To further compound the problem, the number and complexity of applications is growing, as is the number of devices and device types running them.

Even a decade ago, the operations, systems and digital footprints of most medium to large companies had become overwhelmingly complex. Over the last ten years, these digital corporate footprints have expanded to reach and capture growth from previously untapped corners of the world. More recently, the business imperatives of the COVID-19 pandemic spurred faster adoption of enterprise software solutions – particularly Software-as-a-Service (SaaS) – that pushed data beyond the organization’s physical perimeter. This has all added significant pressure to already lean IT teams.

The truth is that lean IT teams have to reassess and realign their priorities. This means leveraging technical security essentials in a way that eases the burden on them. In practice, the first step is to begin adopting network security solutions that accommodate today’s most common networking hardware; provide out-of-the-box integrations with critical security tools such as InTune, MFA, and popular SIEM solutions; and work in conjunction with firewalls and endpoint security solutions.

Securing Networks is Only Getting Harder

Events like the recently exploited Log4j vulnerability continue to keep IT security teams on their toes. Little can be done to plan for, let alone prevent, such wide-reaching software flaws – hundreds of Cisco, VMWare, IBM and Oracle products were affected in this instance, including more than 120 different configurations of Cisco Identity Services Engine (ISE). The unfortunate reality is that these events ultimately mean lost weekends patching systems, as well as assessing the damage done to the network and the devices. In many cases, it means bringing in more skilled professionals to investigate, diagnose, and implement – a costly endeavour you likely would not have budgeted for. Other on-going IT priorities are also inevitably pushed to the side with mitigation underway.

Such exploits and subsequent critical system fixes are particularly hard felt by the mid-market. This segment is often considered the backbone of the economy, yet they’re underserved when it comes to having purpose-built network security essentials, including network access control technologies. 

Lean IT Should Maximize Value

For resource-strapped IT teams, these unpredictable security incidents can seem insurmountable, especially when the onus is on the customer to patch their own software. Constant fire drills lead to stress, burnout and turnover – something many organizations simply can’t afford. Instead of helping alleviate stress on lean IT teams, traditional on-premise network security vendors make the problem worse. Their solutions require extensive, ongoing integration and maintenance. Complicating matters further, specialized point solutions don’t mesh easily to provide a holistic view of the network. 

This then brings us to the question of value. Wouldn’t it be more valuable to bring in IT security essentials that can reduce this stress and anxiety by eliminating the need for heavy systems maintenance? Wouldn’t it be valuable to free up that time spent putting out fires and use it to modernize your IT security stack? In practice, this means adopting and deploying network security solutions that deliver the essential functionality and capabilities we laid out earlier. It also means turning to SaaS for security. And for network security, it means choosing the right cloud-native NAC.

Expanding Network Edges & Device Proliferation

With the advent of COVID-19, an enormous push to hybrid work changed the threat landscape. Many more activities have become remote, and therefore more reliant on and demanding of secure remote network connections. As more organizations expand their hybrid workforce models, the network edge continues to push out and the number of potential entry points for attackers increases. Device proliferation – specifically BYOD – is exacerbating this trend. As of 2021, 67% of employees use personal devices at work, and 59% of organizations have adopted BYOD.  IoT device proliferation is also broadening the threat surface, adding to the list of endpoints not only in the office, but also in the operating room, the factory floor and the shipping warehouse. There may be some 21.5 billion IoT devices by 2025 – a number that keeps IT security professionals up at night. From security cameras to connected multifunction copiers, IoT devices open the real potential for breaches. 

The Role of Network Access Control

With so many diverse, dispersed devices requesting network access, security teams must be more diligent about setting and enforcing access control policies. To maintain vigilance, security teams need to focus their efforts on network access control (NAC). In a perfect world, this means deploying a NAC that offers cloud RADIUS services, a variety of authentication methods, as well as 24/7 endpoint risk assessment and remediation across all prominent access layers – wired, wireless and VPN. Simple, yet powerful – a NAC that’s easy to use while providing the extensive security coverage needed to confront these challenges head-on is required.

Threat Surfaces Are Expanding

The proliferation of devices requesting access to the network, driven largely by the adoption of BYOD policies and utilization of IoT devices, has forced network security teams to be more diligent about setting and enforcing effective access control policies. Despite best efforts, attempts to address this evolving problem are akin to putting a finger in the dike – rogue devices inevitably slip through the cracks, leaving corporate networks vulnerable to ransomware and countless other cyber threats.

What’s more, network complexity complicates the issue. Today, networks consist of an ever-increasing number of WANs, LANs, VLANS, SD-WANs, MPLS, VPNs, employees’ homes, coffee shops, hotels, airports – wherever authorized devices can connect to gain access to company resources. As if the industry needed another acronym – some are calling it Bring Your Own Network (BYON). Regardless of how we define the trend, access to everything (from everywhere) has changed the security dynamic.

The impact on corporate bottom lines is tangible. The risks and costs associated with network breaches are growing larger by the year. It seems as if every day a new Fortune 500 company is reporting a costly cyberattack. Data breaches from January through September 30, 2021 (9 months), exceeded the total number of events in the entire year of 2020 by 17% (1,291 breaches in 2021 compared to 1,108 breaches in 2020). Adding to the challenge, threat actors are becoming more sophisticated and prevalent, leaving organizations on their heels fighting to catch-up.

A New Age of Cyber Threats

Cyber threats have become alarmingly prevalent, with malware increasing 358% overall and ransomware increasing 435% in 2021 compared with 2019. All threats, from phishing to attacks on Internet of Things (IoT) devices and supply-chains, have grown exponentially. Attacks on IoT devices tripled in the first half of 2019 and supply chain attacks were up 78%.

Costs have escalated in tandem. The average ransomware payment rose 33% in 2020 over 2019, to $111,605. The total cost of cybercrime for each company increased 12% from $11.7 million in 2017 to $13.0 million in 2018. Data breaches cost enterprises an average of $3.92 million annually.

In an attempt to mitigate these costly risks, many companies have opted to deploy niche solutions and tools such as network and host intrusion detection, various threat intelligence feeds, and mobile device management. While useful in isolation, these disparate tools (e.g., Network Performance Management, SIEM, XDR, SOAR, etc.) create many different panes of glass, leaving gaps in network security and complicating IT infrastructures.  All this means extra work for already thinly-stretched IT teams. In this sense, less really is more.

Essential Areas of Cybersecurity

The cybersecurity software market is oversaturated with tools that have been designed for very siloed tasks. Many of these have been developed in direct response to new threats, and require a certain focus and sophistication that doesn’t lend itself to the average IT professional’s chaotic daily life. Instead, companies need to develop a simple, yet solid security foundation that consists of three essentials:

1. Firewalls to monitor incoming and outgoing network traffic
2. Network access control to enforce access policies, assess connected device risk and remediate non-compliant devices
3. Endpoint protection like antivirus to prevent, scan, detect and eliminate malware and other viruses from devices

The First Form of Security

In the beginning – or at least near the beginning – there was the password. This rudimentary method of security pre-dated computers by at least two millennia, and was commonly utilized by militaries like the Roman Legion to maintain secure access to bases, resources and other high-ranking officers across a wide swath of newly conquered territory.  

As we fast forward to the 20th Century and the advent of the computer, passwords became the primary method of personal identification and access to systems, applications, networks…you name it. As computers became increasingly integrated into the daily lives of people both at work and at home, passwords became even more prevalent and served as the de facto method of security. 

Password Management Today

Today, much to our chagrin, we all juggle passwords across our laptops, tablets and phones in work and personal lives. Remembering the multitude of passwords needed to access different areas of our digital existence has become an onerous, often screen-punching task. It has also become a task rife with security vulnerabilities – particularly at the corporate level. Everyone is now required to remember so many passwords that they resort to insecure practices like writing them down, using easy-to-guess passwords, or using the same password over and over again. 

Most security experts see passwords as one of the weakest links in the security system, but many of the procedures that IT teams undertake with the intent of improving security – like requiring frequent password changes – makes the problem worse. If a hacker guesses a password or gains access to a password from one breach, they can try it again across other applications. Such tactics became household names in IT. For example, inputting a bunch of common passwords is known as “password spraying,” and reusing previously breached passwords is known as “credential stuffing.” 

Password-focused attacks are extremely common. For instance, in the well-publicized campaign of attacks on SolarWinds and many other vendors in 2019, the US  Cybersecurity and Infrastructure Security Agency (CISA) noted that “incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying…” 

The Move to Single Sign-On (SSO)

As corporate employees found themselves needing to log into more and more different devices, applications and network types, IT teams began leveraging SSO technology to help simplify the process and eliminate the need for people to remember every single password use. At its core, SSO intended to allow employees to have one password that provided them access to all necessary corporate resources.   

For several few years, while most applications still resided inside of a local IT datacenter, many organizations turned to tools like Microsoft’s Active Directory (AD) to manage user identity and access policies. The rise of AD adoption pushed other application vendors to support AD, further supplanting SSO as the then go-to method for password management and access security. 

Then along came Software as a Service (SaaS), and the game changed. SaaS apps went from novel to common incredibly quickly thanks to the simplicity, efficiency and cost effectiveness they promised. As cloud services like Amazon Web Services (AWS) and Microsoft Azure made it easier to build SaaS apps, these tools went from common to ubiquitous. Today, most companies have so many SaaS applications in use that their IT teams need to subscribe to other SaaS apps to help them discover and manage their active SaaS app portfolio.  

Every one of these new SaaS apps now in use utilized passwords. While early on some of these apps supported MS AD or its successor, Microsoft Azure AD (Azure AD), most did not at first. A such, it quickly became clear that successfully rolling out SSO universally was a daunting undertaking for most mid-sized businesses with complex IT environments and limited internal IT resources. After all, a company-wide password manager doesn’t eliminate the proliferation of passwords, and compromised SaaS apps can serve as gateways into the larger corporate network. 

The Rise of Multi-Factor Authentication (MFA)

The explosion of passwords and password-based attacks has created a market for password management software. There are a plethora of vendors who deal solely with simple passwords (e.g., LastPass, Keeper Security, Dashlane), SSO (e.g., Okta, SailPoint, One Identity), or the third and most recent phase in the evolution of the password: MFA (e.g., Cisco Duo).   

Out of SSO emerged MFA, which compliments and strengthens password management and network security efforts by introducing another means of identity verification on top of a person’s username and password. Most MFA vendors today provide mobile-based authentication, which can include methods such as push-based, QR code-based, and one-time password authentication (event-based or time-based), as well as SMS-based verification.  

MFA, like SSO, has its own shortcomings. Mobile-based authentication is particularly vulnerable as mobile devices can be cloned, and apps often run simultaneously across several mobile devices. Advanced hackers can, in theory, intercept an MFA code sent via SMS or email. While this added layer of security raises the necessary skill level to execute a successful attack against a company’s network, critical vulnerabilities still exist. 

The Gold Standard: Network Access Control (NAC)

With enterprise SaaS adoption and corporate networking eco-systems expanding and becoming more complex, MFA alone simply isn’t equipped to provide the secure access and authentication functionality needed to maintain an effective network security posture. 

As we enter a period of unprecedented device proliferation, network expansion, and increased threat sophistication, NAC has emerged as the gold standard for establishing secure access and authentication to corporate networks, applications and other internal resources. NAC, for lack of a better word, has raised the bar and left hackers with their work cut out for them.  

NAC systems evaluate whether a user and their device should be allowed onto a network, based on a series of security checks, MFA included. NAC combines MFA with other unique data points, such as the location of the device or the MAC address of the device to either grant or block their access to the network. Once connected, a NAC goes a step further by continuously measuring the security posture of each device, taking steps to either quarantine or boot the device off the network should it surpass the organization’s desired risk threshold. Additionally, a NAC can control which segment of the network a device can access, further limiting any impact of an intrusion.  

As such, a NAC is a strong addition to tighter password management and MFA because its security controls are complimentary rather than overlapping. NACs were once thought to be powerful, yet complex and hard to manage. With the advent of cloud-native NAC such as Portnox CLEAR NAC-as-a-Service, however, companies can access that power without the hassle. 

The Future of Password Management

While there are efforts to eliminate the need for passwords altogether, most business software will continue to require a username and password to gain access. Therefore, businesses must do more to secure their environments in the face of so many passwords.  

No combination of security controls can guarantee protection, but if an organization operates with a limited IT budget and staff, a combination of password management, MFA, and cloud-native NAC will substantially reduce its risk of cyberattacks.