Providing Out-of-Band Connectivity to Mission-Critical IT Resources

Zero Trust Security Architecture

In today’s economy, businesses can’t afford to neglect their cybersecurity architecture. According to a recent report, cybercrime damages are expected to reach $10.5 trillion annually by 2025. Attacks are more frequent and damaging, thanks partly to the difficulty in establishing a solid security perimeter around a modern enterprise network. With Internet of Things (IoT) device usage on the rise and networks expanding to include remote branch offices and edge data centers, it can be impossible to clearly define the boundaries of a network, let alone effectively defend those boundaries. For example, many organizations use tools like Citrix to enable secure remote access to enterprise resources, but recently, high-risk vulnerabilities were discovered in several Citrix gateway products. The very tools we rely on to defend our expanding perimeter may leave us the most exposed to attacks.

The zero trust security methodology was created to address the challenges involved in traditional, perimeter-based defense strategies. This post defines a zero trust security architecture, discusses some of the gaps typically left in such an architecture and provides tips for avoiding these pitfalls.

What is a zero trust security architecture?

A zero trust security architecture is designed around the principle of “never trust, always verify.” Traditional security architectures assume that every user and device should be implicitly trusted as long as they’re inside the organization’s network perimeter. That assumption leaves compromised accounts and malicious insiders free to move laterally around the network, accessing and exfiltrating data or executing ransomware in the process.

On the other hand, a zero trust security architecture assumes that every account and device is already compromised unless trust is continuously established. The zero trust methodology was founded by Forrester analyst John Kindervag in 2009; the same year, Google’s BeyondCorp project launched with the sole purpose of defining and developing a zero trust security architecture.

Zero trust uses network micro-segmentation, advanced authentication, Layer 7 (application-level) threat monitoring, and highly-granular security policies to verify trust and prevent lateral movement. Risk is calculated for each resource on the network, and then micro-perimeters of specific security controls are built around the resource micro-segment. Users and devices must establish trust each time they hit a micro-perimeter no matter how elevated their accounts are or where they’re accessing the network from, making it easier to spot and disable a compromised account. This is how a zero trust architecture limits the blast radius and duration – and thus the cost – of cyberattacks.
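As an added illustration (not code from the original post), the following Python sketch models the per-resource trust check described above: every access is re-evaluated at the resource's micro-perimeter, the account's role grants no bypass, and repeated denials surface an account worth reviewing. The resources, risk tiers, control sets and sample session are all constructed for the example.

```python
"""Added example, not code from the original post: a small policy decision
point that re-checks trust at every micro-perimeter. The resources, risk
tiers, control sets and sample requests below are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed: each resource on the network is assigned a risk tier.
RESOURCE_TIER: Dict[str, str] = {
    "payroll-db": "high",
    "backup-vault": "high",
    "team-wiki": "low",
}

# Constructed: the controls that make up the micro-perimeter for each tier.
# Higher-risk resources demand a fresher MFA proof, a compliant device and
# access only from the dedicated management segment.
TIER_CONTROLS: Dict[str, dict] = {
    "high": {"mfa_max_age_s": 300, "require_compliant_device": True,
             "allowed_segments": {"mgmt-oob"}},
    "low": {"mfa_max_age_s": 8 * 3600, "require_compliant_device": False,
            "allowed_segments": {"corp", "mgmt-oob"}},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str              # recorded for audit only; never grants a bypass
    device_compliant: bool
    mfa_age_s: int         # seconds since the last successful MFA challenge
    segment: str           # network segment the request arrived from
    resource: str


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Decide one access at one micro-perimeter. Nothing is cached between
    calls, so a user re-establishes trust on every resource hit, and the role
    field is deliberately not consulted: an admin is held to the same controls."""
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        return False, ["unknown resource: default deny"]
    ctrl = TIER_CONTROLS[tier]
    reasons: List[str] = []
    if req.segment not in ctrl["allowed_segments"]:
        reasons.append(f"segment '{req.segment}' may not reach tier '{tier}'")
    if ctrl["require_compliant_device"] and not req.device_compliant:
        reasons.append("device posture not compliant")
    if req.mfa_age_s > ctrl["mfa_max_age_s"]:
        reasons.append(f"MFA proof too old ({req.mfa_age_s}s > {ctrl['mfa_max_age_s']}s)")
    return (not reasons), reasons


def flag_repeated_denials(requests: List[AccessRequest], threshold: int = 2) -> Set[str]:
    """Run every request through the decision point and return accounts denied
    at `threshold` or more distinct micro-perimeters. Because the checks fire at
    each perimeter, an account moving laterally trips them repeatedly, which is
    the signal this function surfaces for the security team."""
    denied_at: Dict[str, Set[str]] = {}
    for req in requests:
        allowed, _ = evaluate(req)
        if not allowed:
            denied_at.setdefault(req.user, set()).add(req.resource)
    return {user for user, resources in denied_at.items() if len(resources) >= threshold}


if __name__ == "__main__":
    # Constructed sample: an elevated account on the production LAN touches
    # two high-risk resources, then a low-risk one.
    session = [
        AccessRequest("admin-jo", "domain-admin", True, 60, "corp", "payroll-db"),
        AccessRequest("admin-jo", "domain-admin", True, 60, "corp", "backup-vault"),
        AccessRequest("admin-jo", "domain-admin", True, 60, "corp", "team-wiki"),
    ]
    for req in session:
        print(req.resource, evaluate(req))
    print("accounts to review:", flag_repeated_denials(session))
```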

Tips for implementing zero trust without gaps

Zero trust is not a single solution to purchase and deploy in your enterprise – it’s a combination of tools, policies, and processes that contribute to a more resilient network. The complexity of a zero trust architecture makes it prone to gaps. For example, manually configuring and managing so many moving parts increases the risk of human error. Additionally, zero trust doesn’t prevent 100% of attacks, but many organizations lack a comprehensive recovery plan. Plus, you can’t have a zero trust environment unless you isolate all administrative interfaces for infrastructure.

During the planning stage of your zero trust security implementation, you should keep the following three questions in mind:

  1. How will you manage so many different policies and solutions?
  2. Do you have tools to aid you in recovering from a successful attack?
  3. How will you protect your control plane from malicious actors on your network?

Addressing these challenges with the following best practices will help you build a successful zero trust security architecture.

Reduce human error with centralized orchestration

A zero trust security architecture includes hundreds or thousands of individual security policies and solutions. Configuring and managing this architecture is a monumental task prone to human error, leading to potential vulnerabilities. According to Microsoft, configuration errors cause 80% of ransomware attacks, making human error a major threat to network resilience. The best way to reduce complexity and prevent mistakes is to be able to see and manage all your solutions from one place, with the ability to automate regardless of skill level.

A centralized security orchestration platform allows administrators to configure, monitor, deploy, and automate all their zero trust solutions from a single place. The best practice is to use a vendor-neutral platform that integrates with third-party zero trust vendors for identity and access management (IAM), next-generation firewalls (NGFWs), and more. Such a platform allows organizations to build bespoke micro-perimeters using their preferred solutions, regardless of vendor, and still manage the entire architecture from a single pane of glass. Plus, with a holistic view of the security architecture, organizations gain a more accurate perspective on their overall security posture and have the context needed to spot systemic issues or subtle indicators of a breach.

Prioritize incident response and recovery planning

According to a recent report from Check Point Research, the global volume of cyberattacks reached an average of 1168 per week per organization in Q4 of 2022. That means there’s no question of “if” a breach will occur, only “when” it will happen. It’s essential to consider incident response and recovery when you build your zero trust security architecture to reduce the cost of an attack.

Research from Sophos found that 70% of organizations hit by ransomware took longer than two weeks to recover, implying they didn’t have the right recovery architecture in place. Downtime gets more expensive the longer it goes on, so organizations must improve their recovery capabilities. For example, data backups are critical to recovery efforts, so they must be protected by zero trust authentication and policies to prevent compromise or corruption. In addition, backup data, systems, and infrastructure must be validated with security scans before they’re restored to ensure they don’t reinfect the network with malware. Getting business back up and running as soon as possible will decrease the cost of cyberattacks, which means a recovery toolkit is an essential component of a zero trust architecture.

Secure the control plane on a dedicated OOB network

The management interfaces used by administrators to control network infrastructure are often excluded from cybersecurity planning because end users don’t access them. Only admins have usernames and passwords, and they trust their own security hygiene, so they (incorrectly) assume these interfaces are safe. If zero trust policies aren’t applied to the control plane, a compromised administrator account could completely wipe out your infrastructure and gain unfettered access to sensitive data and backups. The blast radius of such an attack would be devastating and severely hamper recovery efforts.

A recent CISA directive provides guidance for reducing the risk of open management ports. The best practice for a zero trust security architecture is to keep the control plane on a separate, out-of-band (OOB) network. An OOB network uses dedicated infrastructure that’s isolated from the production LAN, preventing lateral movement by attackers. This also allows administrators to perform recovery operations even when ransomware or hardware compromises bring down the production network. In addition, zero trust policies and controls must be applied to the OOB control plane to prevent a compromised administrator account from gaining too much access.
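An added example, not from the original post or from ZPE’s products: a defender-side check, in Python, that reads a host’s listening sockets and reports management services reachable from anywhere other than the dedicated OOB management network. The OOB prefix, the management-port list and the socket listing are assumptions constructed for the example.

```python
"""Added example, not code from the original post: a check that management
services on a host are bound only to its out-of-band (OOB) management
address rather than to every interface or to the production LAN. The OOB
network, the management-port list and the socket listing are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Assumption for this example: the dedicated OOB management network.
OOB_MGMT_NET = ipaddress.ip_network("10.255.0.0/24")

# Assumption: ports that carry control-plane access on this host. Site-specific
# ones (a management web UI on 443, for instance) would be added here.
MGMT_PORTS: Dict[int, str] = {
    22: "ssh", 161: "snmp", 623: "ipmi", 830: "netconf",
    3389: "rdp", 5985: "winrm", 5986: "winrm-tls",
}

# Constructed socket listing in the column layout of `ss -Hlntu`
# (netid, state, recv-q, send-q, local address:port, peer address:port).
SAMPLE_SS = """\
tcp   LISTEN 0 128 10.255.0.20:22   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161      0.0.0.0:*
tcp   LISTEN 0 511 10.0.5.20:443    0.0.0.0:*
tcp   LISTEN 0 128 [::]:5985        [::]:*
udp   UNCONN 0 0   10.255.0.20:623  0.0.0.0:*
"""

Socket = Tuple[str, str, int]   # (proto, local address, local port)


def parse_ss(text: str) -> List[Socket]:
    """Parse the local address:port column; IPv6 addresses come bracketed."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = fields[4].rsplit(":", 1)
        sockets.append((fields[0], addr.strip("[]"), int(port)))
    return sockets


def find_exposed(sockets: List[Socket]) -> List[Dict[str, str]]:
    """Flag management services not confined to the OOB management network:
    a wildcard bind exposes them on the production LAN (and any in-band path),
    and a bind to a production address does the same explicitly."""
    findings: List[Dict[str, str]] = []
    for proto, addr, port in sockets:
        if port not in MGMT_PORTS:
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified:
            why = "bound to all interfaces"
        elif ip not in OOB_MGMT_NET:
            why = f"bound outside OOB network {OOB_MGMT_NET}"
        else:
            continue   # confined to the OOB management address: fine
        bind = f"[{addr}]:{port}" if ip.version == 6 else f"{addr}:{port}"
        findings.append({"service": MGMT_PORTS[port], "proto": proto,
                         "bind": bind, "issue": why})
    return findings


if __name__ == "__main__":
    for f in find_exposed(parse_ss(SAMPLE_SS)):
        print(f"{f['service']:10} {f['proto']:4} {f['bind']:20} {f['issue']}")
```

On a real host the same functions can be fed the output of `ss -Hlntu` instead of the constructed listing.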

Tips for building a zero trust security architecture
  • A vendor-neutral security orchestration platform reduces management complexity and mitigates the risk of human error
  • Integrating a recovery toolkit in the architecture will help limit the cost and business disruption of successful attacks
  • Keeping the control plane on an OOB network and applying zero trust policies and controls will limit the blast radius of a breach

The zero trust methodology asks us to assume that devices and accounts are already compromised, and attackers have breached the network, requiring everyone to continuously prove trustworthiness before accessing enterprise resources. A successful zero trust architecture is unified by a vendor-neutral orchestration platform, prioritizes business resilience and recovery, and secures management interfaces with the same strict policies and controls as the production network.

Build your zero trust security architecture with Nodegrid

Building such an architecture is easier with the Nodegrid solution from ZPE Systems. Nodegrid is a vendor-neutral security orchestration platform that delivers unified control of the entire architecture of zero-trust policies and controls to reduce complexity and mitigate the risk of human error. Nodegrid branch gateway routers and serial console servers provide secure OOB management, so you get an isolated control plane without deploying an entire secondary network. You can even use Nodegrid to build an isolated recovery environment (IRE) to streamline ransomware recovery and reduce the business impact of attacks.

Learn how Nodegrid delivers unified orchestration and out-of-band management!

Nodegrid delivers unified orchestration and out-of-band management to help you build your zero trust security architecture. Contact ZPE Systems today to learn more.

SSE Magic Quadrant: Key Takeaways of the 2023 Report

Gartner’s SSE Magic Quadrant for 2023 identifies 10 key vendors currently providing secure service edge capabilities for the enterprise market. In this guide, we’ll summarize the common factors shared among leading SSE vendors, discuss what separates them from niche players, and share advice for connecting your edge network to SSE solutions via an SD-WAN on-ramp.

Table of Contents:
  1. What is Security Service Edge (SSE)?
  2. What is the need for SSE?
  3. What is the SSE Magic Quadrant?
  4. What has changed since the 2022 SSE Magic Quadrant?
  5. Key takeaways from the 2023 SSE Magic Quadrant
  6. SD-WAN: An on-ramp for SSE
  7. What to look for in an ideal SSE on-ramp
  8. Why Nodegrid is the ideal SSE on-ramp

What is Security Service Edge (SSE)?

Security service edge (SSE) is a cloud-centric security methodology for protecting edge network traffic. It rolls up technologies like Firewall-as-a-Service (FWaaS), Zero Trust Network Access (ZTNA), and Cloud Access Security Brokers (CASB) into a single service. These technologies offer threat protection, security monitoring, access control, and data governance.

What is the need for SSE?

With the frequency and severity of ransomware attacks and other cybercrimes increasing daily, security is a major priority for any organization. To protect your enterprise from cyber threats, you need to be able to extend your security policies and controls to all the remote and geographically distributed systems at your network edge. Historically, that meant backhauling all remote traffic through your primary firewall, which would inevitably cause performance issues for everyone on the network. This is frustrating and can greatly impact the business when much of your remote traffic is destined for cloud and web resources that aren’t even on your enterprise network.

SSE solves this problem by taking advanced enterprise security technologies and making them available as a cloud-based service. You can use SD-WAN with intelligent routing (more on that later) to send remote and branch office traffic through your SSE stack. This allows you to apply consistent policies and controls to your enterprise and edge traffic while reducing bottlenecks and increasing overall network performance.

Gartner’s 2023 SSE Magic Quadrant Summarized

Challengers:
  • Cisco (SIG)

Leaders:
  • Netskope
  • Zscaler
  • Palo Alto Networks (Prisma Access)

Niche Players:
  • Broadcom
  • iboss
  • Cloudflare

Visionaries:
  • Skyhigh Security
  • Forcepoint (Bitglass)
  • Lookout

There are many reasons why an SSE vendor would be considered a niche player, including that the market hasn’t caught on to them yet due to poor marketing or sales strategies. However, one common caution among niche players is a failure to fully integrate SSE components, which means customers must use multiple dashboards to manage a single SSE solution. Another common issue is poor support during sales, implementation, and operation, leading to frustration among enterprises with less experience in edge networking and security.

On the other hand, the leaders of the SSE Magic Quadrant share a few common characteristics as well. For one, they have strong marketing and sales outreach, a clear vision, and a roadmap for the future. This vision is essential because it allows enterprises to ensure their goals and strategies align with where their SSE vendor is headed.

In addition, these solutions’ components are tightly integrated with a single, unified management platform for more accessible and efficient operation. Magic Quadrant leaders invest in and implement new security features frequently, bug-free, and with adequate documentation and support. That means customers can stay ahead of emerging security threats without worrying about breaking their existing setups.

What has changed since the 2022 SSE Magic Quadrant?

There are three major changes to Magic Quadrant this year.

  • Palo Alto Networks moves from Challenger to Leader: In 2022, Palo Alto extended its Prisma Access SSE solution to better integrate with Prisma SD-WAN, enhance its proxy and ZTNA components, and add SaaS Security Posture Management (SSPM).
  • McAfee splits its cloud business into Skyhigh Security: Early in 2022, McAfee enterprise split into two, with its cloud business now known as Skyhigh Security. This split disrupted Skyhigh’s growth and market share and moved this SSE offering from the Leaders quadrant to the Visionaries quadrant.
  • Versa leaves the SSE Magic Quadrant: Versa no longer ranks in the top 20 organizations in Gartner’s market momentum index (MMI), so it isn’t included in the 2023 Magic Quadrant.

Key takeaways from the 2023 SSE Magic Quadrant

  • Most vendors prioritized improving their core capabilities and better integrating their product, rather than focusing on new features and other innovations.
  • Vendors who fail to fully integrate their SSE offering into a unified platform are quickly losing market share.
  • WFH traffic is less of a concern for enterprises than branch/edge sites, so SD-WAN access and integrations are critical.

Overall, the biggest takeaway from the SSE Magic Quadrant is the importance of a seamlessly-integrated platform. A consolidated platform ensures complete visibility and control over your security service edge solution without needing to learn and operate multiple consoles.

On top of this, to use SSE’s cloud-delivered solution, you need a reliable way to send traffic from your branch and edge locations to the SSE stack. That means part of the architecture needs to include an access solution that can tunnel traffic from these locations to the cloud, such as SD-WAN. The access solution serves as an on-ramp to SSE, and requires a physical appliance for on-premises installations. This framework combining SD-WAN access with SSE is how SASE (secure access service edge) is built.

SD-WAN: An on-ramp to SSE

Security service edge provides the technology to protect your edge-based cloud-destined traffic, but you still need a way to get that traffic to your SSE platform. This is known as an SSE on-ramp, and it’s not included in any of the SSE Magic Quadrant solutions. However, one of Gartner’s selection criteria was the ability to integrate with SD-WAN technology.

An SSE on-ramp uses SD-WAN (software-defined wide area network) technology to route remote and branch office traffic to your SSE stack in the cloud. SD-WAN separates the control and management processes from your underlying WAN hardware and virtualizes them as software, making it possible to centrally control and orchestrate even very complex and distributed WANs. With SD-WAN, you can use intelligent and application-aware routing to connect your edge users directly to the SSE platform, cloud, and web resources.

What to look for in an ideal SSE on-ramp

The ideal on-ramp to SSE will support seamless integration with your SSE platform, and vice-versa. In addition, the right solution will provide additional capabilities like the ones listed below.

Features of an ideal SSE on-ramp include:

Versatile tunneling

Physical hardware that’s easy to provision with a versatile tunnel mechanism to SSE, including IPsec and WireGuard, with simple cloud management. Ideally this tunneling mechanism uses application-aware traffic steering to make it an effective part of an SD-WAN on-ramp.

Integrated L3/L4 firewall

Integrated Layer 3/Layer 4 firewall technology to secure incoming traffic to your remote and branch locations, including VPN support. The ideal on-ramp has local segmentation capabilities and zero-trust, since SSE can’t do local segmentation on its own without help from on-premises equipment, agents, or VMs.

Out-of-band (OOB) management

OOB management for a direct, dedicated network connection to the SD-WAN on-ramp that doesn’t rely on cloud-based in-band connectivity. OOB access and provisioning are ideal to gain greater control over remote networking infrastructure on a dedicated connection.

Multiple WAN interfaces

Flexible and redundant WAN interfaces to ensure 24/7 availability. At least one of these should include a 5G/4G LTE modem with 2 SIM slots for high-speed cellular failover and out-of-band access when the primary WAN link is down.

Terminal server

Terminal server/serial console/“jump box” port management for easy remote management of edge infrastructure. This should include the ability to host third-party troubleshooting tools so admins can easily recover from outages without going on-site.

Computing power

Compute capabilities to run third-party apps and Docker containers right at the network edge. With built-in compute it’s easier to extend the functionality of SSE with additional applications that may not be part of the SSE stack or need an edge Docker footprint, like vulnerability scanning or user experience monitoring agents.

Centralized automation

Unified management of automation like Zero Touch Provisioning (ZTP) to automatically spin-up edge devices and connect them to SSE. Automation can significantly speed up branch deployments while reducing the risk of human error.

Why Nodegrid is the ideal SSE on-ramp

The Nodegrid branch and edge networking solution from ZPE Systems combines all the capabilities of the ideal SSE on-ramp in a single platform. For example, the Nodegrid Net Services Router (NSR) is a customizable, all-in-one device with available modules for storage, compute, serial console management, and more. The vendor-neutral NSR can host your preferred SD-WAN solution and supports easy integrations with SSE Magic Quadrant Leaders like Palo Alto Prisma Access, or you can use ZPE Cloud’s integrated SD-WAN app.

Thanks to the open-architecture, Linux-based Nodegrid OS, you can also extend Nodegrid’s capabilities with your choice of custom and third-party applications for security, monitoring, automation, and more. Plus, every device, application, and integration connected to the Nodegrid platform is brought under a single management umbrella for a unified and efficient orchestration experience. 

The Nodegrid platform from ZPE Systems rolls up everything you need in an SSE on-ramp and delivers it in one powerful, unified edge networking solution.

Learn how Nodegrid easily hosts and integrates Gartner’s picks for the 2023 SSE Magic Quadrant!

Contact ZPE Systems today!

What is an Application Delivery Platform?

Modern software architectures are highly complex and often very difficult to maintain and operate. A single enterprise application comprises hundreds (or even thousands) of individual services, technologies, and toolchains while requiring a lot of underlying infrastructure, such as servers, routing and load balancing rules, and security controls. All of this complexity increases overhead costs and adds to the ever-growing workloads of software, network, and infrastructure teams, especially when you multiply this effort across dozens or hundreds of software deployments.

Platform engineering is a new discipline introduced by Gartner to address these challenges by reducing the complexity of software engineering, network operations, and application delivery. The platforms built by these engineers are known by several names, including internal developer platforms, internal developer portals, and application delivery platforms. This guide defines an application delivery platform, discusses the underlying technology, and highlights a leading platform engineering solution.

Table of Contents:
  1. What is an application delivery platform?
  2. What is the importance of an application delivery platform?
  3. What technology makes up an application delivery platform?
  4. Introducing ZPE Systems’ Services Delivery Platform

What is an application delivery platform?

An application delivery platform is a suite of technologies that handles all the services that support an application, including security, traffic management, load balancing, and data management. Platform engineers combine all these services into a common toolset used to deploy applications at customer sites, so there’s no need to build a new architecture every time. This streamlined experience makes application delivery cost-effective by significantly reducing workloads and deployment timelines.

What is the importance of an application delivery platform?

The goal of an application delivery platform is to reduce deployment and management complexity. Deployment complexity leads to a greater risk of human error when configuring things like security controls and access policies, and any mistakes are likely to be found and exploited by cybercriminals. Management complexity makes it harder to stay on top of patch schedules. Unpatched software often contains vulnerabilities that are exploited by cybercriminals; for example, known ransomware groups targeted unpatched IBM software earlier this year.

By reducing complexity, an application delivery platform also reduces the attack surface, improving an organization’s overall security posture.

What technology makes up an application delivery platform?

By its very nature, an application delivery platform is highly customized to fit the needs of the applications being supported. Here are some examples of the services and technologies that are often included.

  • Server storage & compute: The platform needs storage (usually solid-state) and processing units (CPUs or GPUs) to run the applications and store necessary data. Ideally, the OS and computing architecture will support containers (e.g., Docker) for microservices applications.
  • Automation tools: A key feature of application delivery platforms is the ability to automatically provision and deploy new environments, apps, and network services, as well as activate service licenses and service chaining. That means the platform should host automation tools for configuration management, code delivery, and software-defined networking (SDN).
  • Security: The ideal platform makes it possible to deliver applications without configuring security every time. That means it provides unified management and repeatable deployments for security services like firewall traffic inspection, access control lists, and advanced authentication.
  • Routing & load balancing: A lot of backend networking goes into the typical application deployment to ensure traffic is routed correctly and optimized for performance. An application delivery platform should support network functions virtualization (NFV) and SDN so standard network configurations can be easily deployed alongside the applications being delivered.
  • Management tools: Engineers need a way to remotely access, manage, and troubleshoot application deployments, even (and especially) during major service disruptions. The ideal platform includes out-of-band serial console management and supports third-party troubleshooting tools so remote teams can quickly recover systems and applications without an expensive on-site visit.

While this list is far from exhaustive, it covers the foundational technology that supports an application delivery platform. Platform engineering is still in its infancy, and many organizations struggle to efficiently execute it because of how many moving pieces need to be considered. The goal is to find a solution that provides the best framework of hardware and software capabilities that platform engineers can build upon, so they can create a fully customized application delivery platform without reinventing the wheel.

Introducing ZPE Systems’ Services Delivery Platform

The Services Delivery Platform from ZPE Systems is the perfect foundation for any platform engineering initiative. Nodegrid edge routers serve as the hardware backbone, providing networking and failover capabilities, OOB serial console management, and plenty of memory, storage, and CPU headroom for additional apps and services. You can build a fully customized hardware platform with the modular Net Services Router (NSR), extending your storage or compute capabilities or adding more ports to support your application deployment.

The vendor-neutral, Linux-based Nodegrid OS can run your custom applications as well as third-party automation, security, DevOps, and management tools. Plus, Nodegrid unifies all connected services and applications under a single management umbrella, allowing teams to oversee and orchestrate all of their deployments from one convenient portal.

Ready to Learn More?

The Services Delivery Platform from ZPE Systems simplifies platform engineering with powerful, multipurpose hardware and an open, vendor-neutral OS. Contact us today to learn more about using Nodegrid for your application delivery platform!

The Biggest Ransomware Attack You Haven’t Heard of…Yet

James Cabe CISSP

This article was written by James Cabe, CISSP, whose cybersecurity expertise has helped major companies including Microsoft and Fortinet.

MOVEit over SolarWinds — The largest and most successful ransomware attack ever recorded is happening. Right now. It’s attacking healthcare and financial institutions with high rates of success, and recently stole sensitive data of 4 million more healthcare patients. It uses something called CL0P ransomware, and the threat actor is a well-known criminal group with the name FIN11. Many organizations are finding it difficult to stop the attack because they have no way to access infected devices, take them offline, patch, or even replace them. So, what exactly is going on?

The group responsible for the attack

FIN11 is a cybercriminal group that has been active since 2016 or before, originating from the Commonwealth of Independent States (CIS). While the group has historically been associated with widespread phishing campaigns, their focus has shifted towards other initial access vectors. FIN11 often runs high-volume operations targeting industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP).

FIN11 is responsible for multiple widespread, high-profile intrusion campaigns leveraging zero-day vulnerabilities, and the group likely has access to the networks of many more organizations than it is able to successfully monetize. Despite this, they’re currently attacking MOVEit, a well-known SaaS provider who relies on a file transfer appliance called Accellion File Transfer Appliance (FTA). This legacy product remains unpatched, which has led to the breach of many Fortune 100 companies and state and federal agencies.

How did the ransomware attack start?

The ransomware attack began with several Accellion FTA customers, including those in industries like healthcare, legal, finance, retail, and telecom. Companies such as Jones Day Law, Kroger, Singtel, and many others had no idea that they had been attacked, because the initial breach was quiet and headless.

Their only indication came after receiving a threatening email aimed at extortion. 

In this email, the group threatened to publish stolen data on the “CL0P^_- LEAKS” .onion website, according to an investigation from Accellion. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.

According to the investigation, four zero-day security holes were exploited in the attacks:

  • CVE-2021-27101 – SQL injection via a crafted Host header
  • CVE-2021-27102 – OS command execution via a local web service call
  • CVE-2021-27103 – SSRF via a crafted POST request
  • CVE-2021-27104 – OS command execution via a crafted POST request

And, the published victim data appears to have been stolen using a “WEB SHELL”. These web shells give remote administrative access to the web server and create a jumping off point to attack the rest of the internal network. Mandiant, a well-known cyber investigation arm of Google, added, “The exfiltration activity has affected entities in a wide range of sectors and countries” (Threatpost). Exfiltration is the unauthorized removal of important or damaging data from an organization.

However, the biggest problem is that these web shells provide what researchers call “PERSISTENCE”. This means that an attacker can remain in your network indefinitely to continue damaging and attacking your resources. Researchers call these “APTs,” or Advanced Persistent Threats.

Why is the ransomware attack still going strong?

The ransomware attack is still going strong because there’s no patch available. According to open source information, beginning on May 27, 2023, the CL0P Ransomware Gang began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Accellion’s appliance that is the backbone of a solution known as Progress Software’s MOVEit Transfer service. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505, which is the group responsible for the Dridex trojan and Locky ransomware, conducted zero-day-exploit-driven campaigns against Accellion FTA devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.

What most organizations want to know is: How do you quickly respond to issues like these? How can you be properly prepared to respond to an issue you didn’t cause or didn’t expect?

Patching is a good response. However, it takes an average of 205 days to patch a recently known zero-day exploit like the MOVEit vulnerability. While patching alone is typically the ideal response, it isn’t automatic nor can it be done quickly.

Another approach involves removing the offending software or appliance, or cutting off access to the software or appliance. But once you remove this access, how do you continue normal operations, and how can you easily bring the software/appliance back online? Without adequate infrastructure in place, physically deploying to each site is not practical, especially for distributed organizations.

CISA and the FBI encourage organizations to implement the recommendations in the Mitigations section of their joint Cybersecurity Advisory (CSA) to reduce the likelihood and impact of CL0P ransomware and other ransomware incidents. The Mitigations section describes many approaches, including patching, removing software/appliance access, and implementing a recovery plan. But all of these take too much time and too many resources, which leaves organizations vulnerable as they scramble to create an adequate response.

The great news is that organizations can cover all their bases without reinventing the wheel. This approach is recommended in one of CISA’s recent directives and gives organizations something of a silver bullet that allows them to quickly defeat ransomware and remain prepared for any future attack.

What approach does CISA recommend to address ransomware attacks?

CISA’s recent directive (23-02), which addresses the vulnerability of Internet-exposed management interfaces, calls for organizations to create an isolated management infrastructure (IMI) via out-of-band connectivity. This is a drop-in solution that the military, telcos, and hyperscalers/cloud companies use to respond to widespread ransomware and other issues impacting security and resilience. This approach — which ZPE Systems has perfected in the last decade with the help of Big Tech — gives organizations a completely separate control plane through which they can monitor and manage their entire IT infrastructure in a safe and dedicated fashion.

What is isolated management infrastructure?

Isolated management infrastructure consists of the hardware and software that create a management network that’s fully separate from other production and management networks. The key to this is in out-of-band connectivity, which is defined as connectivity other than TCP/IP. Out-of-band can include direct USB, serial, or even non-routed zero-trust connections to crown-jewel assets.

Essentially, the IMI gives an organization complete oversight and control of their widespread IT infrastructure, in a way that is secure and accessible only to their IT teams.

In this diagram, the production infrastructure (blue ring) sits at each distributed location. The out-of-band infrastructure for LAN (OOBI-LAN) is the green ring and surrounds the production infrastructure with one layer of isolated management. The OOBI-WAN (orange ring) is what provides a second layer of isolated management, which teams can access from a central or remote location, to gain access to the OOBI-LAN and ultimately the production infrastructure.


Knowing these assets and providing access across the organization can be easy and does not have to disrupt current operations. 

How can IMI stop the FIN11 ransomware attack?

In the ongoing FIN11 ransomware attack, Internet-facing applications are the targets of the zero-day exploit. This means that no security solution can mitigate the attack in advance (i.e., there’s nothing you can do to stop it). This is where IMI shines.

Isolated Management Network diagram sitting beside production infrastructure

Remember the OOBI-LAN/OOBI-WAN diagram? Here’s a zoomed-in view of the isolated management infrastructure sitting beside the production infrastructure. The IMI connects via serial, Ethernet, and USB to production gear, and provides the necessary functions (routing, storing golden images, hosting jumpbox tools, etc.) to recover from attack. But how?

IT teams can use OOBI-WAN to remotely access their OOBI-LAN and production gear. They can pull affected devices offline and bring them in for forensics, which takes place in an Isolated Recovery Environment (IRE). This means these assets and networks are still reachable by analysts and responders, but isolated from other vulnerable assets. This allows an organization to quickly and even automatically deploy tools and resources inside of this environment through devices like ZPE Systems’ Nodegrid.

To combat the FIN11 attack, organizations don’t need to unplug cables or shut their devices off. They can instead use their IMI as the framework for closing the attack surface while maintaining access to the systems and critical data that aid in recovery.

Get the blueprint for isolated management infrastructure

Don’t wait until the next attack to shore up your defenses. ZPE Systems has worked with Big Tech for ten years developing the isolated management infrastructure. It’s now available inside the Network Automation Blueprint, and walks you through how to implement your own IMI. Download the blueprint now to stay ready for any attack.

Get in touch with me!

True security can only be achieved through resilience, and that’s my mission. If you want help shoring up your defenses, building an IMI, and implementing a Resilience System, get in touch with me. Here are links to my social media accounts:

How to Implement Zero Trust for OT

Enterprise security teams traditionally focus on IT networks, but operational technology (OT) security is just as important. OT comprises equipment that interacts with the physical world, such as sensors, temperature gauges, and motors, as well as the systems used to control that technology. Attacks on OT systems have a huge impact on business operations and customers, often causing more devastation than an IT breach. For example, an attack on an oil pipeline’s control systems could shut down production for weeks and affect millions of people in the region.

“Zero trust” is a security methodology designed to reduce the risk of attack through network segmentation, granular access policies, and advanced security technologies. Many organizations use zero trust to protect their IT networks, but it’s just as critical to the safeguarding of operational technology. This post defines zero trust security before explaining how to implement zero trust for OT.


What is zero trust for OT?

According to recent research by Barracuda Networks, more than 90 percent of manufacturing organizations saw cyberattacks hit their production or energy supply in 2021 alone. OT is a frequent target because of how devastating an attack can be on business operations and because it often lacks the same security policies and controls that protect IT infrastructure. To solve this problem, teams need to apply zero trust security principles, policies, and technology to their OT networks. The zero trust security methodology follows the motto “never trust, always verify.” That means operating under the assumption that no users or devices should be trusted, even if they’re logging in from within the main office. Achieving a zero-trust architecture means segmenting IT and OT networks and creating micro-perimeters of highly specific security policies and controls to protect each segment. Zero trust often uses advanced security technologies like AIOps and machine learning to enforce those policies, identify subtle signs of compromise, and quickly resolve security incidents.

How to implement zero trust for OT

Let’s discuss the requirements and best practices for implementing zero trust for OT.

Isolate critical systems with segmentation

Zero trust requires custom-tailored security policies and controls to protect specific network resources. That means network teams must logically segment the network based on which resources need to be protected by which policies and technologies, a practice known as micro-segmentation.

OT is often grouped together into a single micro-segment under the assumption that all OT needs the same protection. However, not all OT is created equal, especially in the eyes of a would-be attacker. For example, a programmable logic controller (PLC) gives cybercriminals control over manufacturing processes, whereas compromising an access control system lets them physically infiltrate the building, so the two warrant different policies. Some organizations take zero trust even further by using nano-segmentation to isolate individual systems, applications, or containers, creating extremely tight micro-perimeters that address specific vulnerabilities.

Micro- and nano-segmentation are the backbone of a zero-trust architecture, enabling the creation of micro-perimeters using granular access policies and security controls customized for the protected resources.

Create and enforce strong security policies

Zero trust security policies determine who can pass through each micro-perimeter and who can access each OT resource. These policies should follow a least-privilege approach, meaning everyone gets the bare minimum privileges required to complete their workflows and nothing more. The best practice is to use role-based access control (RBAC), categorizing individual accounts based on their role (e.g., system administrators or machine operators) and giving each role least-privilege access to the resources required for that job.

The best way to create and enforce zero trust security policies is with an identity and access management (IAM) solution. A zero-trust IAM solution monitors each micro-perimeter to verify the identities of all accounts requesting access and attempts to establish an account’s trustworthiness using methods like two-factor authentication (2FA). Some advanced IAM solutions even use machine learning technology like user and entity behavior analytics (UEBA) to monitor account activity on the network and spot anomalous behavior that could indicate compromise.

  • IAM = Identity and Access Management: Creates and deploys policies, verifies identities, and establishes trustworthiness.
  • 2FA = Two-Factor Authentication: Requires an additional form of identity verification (besides the username and password), such as a code sent to an authorized mobile device.
  • UEBA = User and Entity Behavior Analytics: Uses machine learning to monitor account activity, creates baselines for normal behavior, and identifies anomalies that could mean an account is compromised.

Strong, granular security policies and zero-trust IAM solutions help protect OT by limiting account privileges and preventing compromised accounts from accessing network resources.
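The segmentation and policy sections above describe the pieces but not how they fit together at enforcement time. The following is an added example, not ZPE Systems’ or Nodegrid’s code: a deny-by-default policy check in which each OT micro-segment (a PLC segment, an access-control segment, a historian) lists the roles and actions it admits, write actions demand a second factor regardless of role, and a UEBA-style baseline flags an account touching a segment it has never used before. All segment, role and account names are constructed.

```python
from dataclasses import dataclass

# Constructed sample policy: micro-segment -> role -> permitted actions.
# Anything not listed is denied, so "inside the network" carries no implicit trust.
SEGMENT_POLICY = {
    "plc-line1":      {"machine_operator": {"read"}, "ot_engineer": {"read", "write"}},
    "access-control": {"facilities_admin": {"read", "write"}},
    "historian":      {"machine_operator": {"read"}, "ot_engineer": {"read"}},
}

# Actions that require a verified second factor (2FA) even for an authorized role.
ACTIONS_REQUIRING_2FA = {"write"}

# Constructed UEBA-style baseline: segments each account normally works in.
BASELINE = {"op1": {"plc-line1", "historian"}, "eng1": {"plc-line1"}}


@dataclass
class Request:
    account: str
    role: str
    segment: str
    action: str
    mfa_verified: bool = False


def evaluate(req: Request) -> tuple[bool, str]:
    """Least-privilege RBAC check for one micro-perimeter; returns (allowed, reason)."""
    roles = SEGMENT_POLICY.get(req.segment)
    if roles is None:
        return False, f"unknown segment {req.segment}: denied by default"
    permitted = roles.get(req.role, set())
    if req.action not in permitted:
        return False, f"role {req.role} may not {req.action} on {req.segment}"
    if req.action in ACTIONS_REQUIRING_2FA and not req.mfa_verified:
        return False, f"{req.action} on {req.segment} requires a verified second factor"
    return True, "allowed"


def is_anomalous(req: Request, baseline: dict[str, set[str]] = BASELINE) -> bool:
    """Flag access to a segment outside the account's baseline for analyst review.

    This does not replace evaluate(); an allowed-but-anomalous request is still
    worth a look, since a compromised account keeps its legitimate role."""
    return req.segment not in baseline.get(req.account, set())


if __name__ == "__main__":
    for r in (Request("op1", "machine_operator", "plc-line1", "read"),
              Request("eng1", "ot_engineer", "plc-line1", "write"),
              Request("eng1", "ot_engineer", "historian", "read")):
        print(r.account, r.segment, r.action, evaluate(r), "anomalous:", is_anomalous(r))
```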

Leverage advanced security technologies

There are additional security technologies that support or enhance zero trust for OT. For example, a next-generation firewall (NGFW) makes network segmentation easier and includes advanced features such as application-aware filtering and deep-packet inspection. Secure access service edge (SASE) delivers zero trust security solutions to the network edge, safeguarding OT at remote branch sites with the same policies and controls as the central enterprise network. AIOps uses artificial intelligence for better threat detection and faster incident recovery.

Organizations use advanced security technologies to fortify micro-perimeters, extend zero trust to the edge, and gain enhanced detection and recovery capabilities.

Implement zero trust for OT with Nodegrid

Zero trust security protects operational technology using network segmentation to create micro-perimeters of strong security policies and advanced security technologies custom-tailored to each individual resource’s requirements and vulnerabilities. Achieving zero trust is typically a long and tedious process because of how many solutions and devices you must deploy.

The Nodegrid solution from ZPE Systems alleviates this challenge by providing a vendor-neutral platform capable of hosting and deploying all your zero trust security technologies. For example, Nodegrid network edge routers deliver all the networking capabilities required to spin up an OT branch and can directly host your choice of third-party security solutions. Nodegrid reduces hardware expenses by consolidating network functionality onto fewer devices while unifying network and security management under a single umbrella for greater operational efficiency.

In fact, Nodegrid is an entire Services Delivery Platform that you can deploy anywhere in your network architecture to host your critical third-party SaaS (software as a service) solutions. That means you can create a customized branch-in-a-box that combines gateway routing, switching, out-of-band (OOB) management, NGFW, SASE, infrastructure automation, and more in a single device.

Ready to Learn More?

Contact ZPE Systems to learn more about implementing and enhancing zero trust for OT with the Nodegrid Services Delivery Platform.
