Three Ways to Narrow the Attack Surface with Zero-Trust


Stressed to the brink as they scrambled to help their organizations adapt to the realities of the COVID-19 pandemic, IT teams saw digital transformation timelines accelerated. For some, the pandemic demanded throwing caution to the wind to remain productive.

Author: Stephen Helm, product marketing manager, WatchGuard Technologies

As a result, many businesses deployed resources to remote workers with a sense of urgency that may have neglected security best practices. With 67% of businesses expected to offer their employees the flexibility to work remotely in 2022, businesses are turning to MSSPs to help modernize their security stack to support this new reality, IDC says. In fact, according to a survey by IDG, 99% of businesses recognize they will require managed cybersecurity services to meet remote work needs in the near term.

While the opportunities for MSSPs are great, the challenges are not for the faint of heart. With more corporate devices connected from outside the network than ever before, your clients now face a growing attack surface, ripe for exploitation. Worse still, many businesses simply didn’t have the security skills in-house to deploy and manage the solutions their employees need to stay safe when working from home. You may essentially be starting from scratch.

It’s not surprising that zero-trust approaches have been a hot topic as of late. Zero-trust provides a methodology for user-centric security that is flexible enough to accommodate the workforce wherever they connect. As my colleague Sam Manjarres recently explained, with zero-trust, you always know who, what, when, where, and how someone is trying to access sensitive resources and applications. This provides your team with the information you need to properly judge risk, and limit exposure on behalf of your clients. When properly implemented, zero-trust approaches can dramatically reduce the threat surface of a remote workforce and simplify security overall.

Here are three tips when using zero-trust to narrow the attack surface:

1. Bias Towards Deny by Default

While a traditional network is built around the idea of inherent trust, zero-trust takes a “never trust, always verify” approach to security. Limiting access based on identity provides centralized oversight across all common IT systems while restricting access to specific users, devices or applications. This mitigates the threat of unauthorized access, which could give attackers a foothold in sensitive areas of your client’s network, while making it easy to control access privileges. Some solutions can even help you identify and classify applications and unpatched systems to help you rein in vulnerabilities, untrusted applications, and shadow IT.

2. Apply Risk-Based Authentication

Risk-based authentication enhances both security and user experience by allowing you to rank the resources you want to protect based on risk level and type of user. Risk policies can be used to define more granular rules based on dynamic situations, which better fits the current remote access trends and hybrid work models that businesses are experiencing. This gives you the power to create rules that are unique to the security structure in your organization, therefore enabling more flexibility and higher protection only when necessary.
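The two tips above, deny by default and risk-based step-up, can be expressed as one small policy evaluator. The code below is an added example (not WatchGuard's product logic); the resource ranks, role rules and risk signals are constructed assumptions, and the thresholds are illustrative.

```python
"""Deny-by-default access evaluator with risk-based step-up (added example)."""
from dataclasses import dataclass

# Resource sensitivity rank: higher means stricter requirements (constructed values).
RESOURCE_RISK = {"wiki": 1, "crm": 2, "payroll": 3}

# Explicit allow rules keyed by resource. No matching rule means the answer is "deny".
ALLOW_RULES = {
    "wiki": {"employee", "contractor"},
    "crm": {"employee"},
    "payroll": {"finance"},
}


@dataclass
class AccessRequest:
    user: str
    roles: set
    resource: str
    device_managed: bool   # device enrolled in endpoint management
    device_clean: bool     # endpoint telemetry reports no active detection
    known_location: bool   # request comes from a previously seen location
    mfa_done: bool         # user already completed a strong second factor


def risk_score(req: AccessRequest) -> int:
    """Resource rank is the baseline; dynamic signals about the session raise it."""
    score = RESOURCE_RISK.get(req.resource, 99)  # unknown resource: treat as very risky
    if not req.device_managed:
        score += 2
    if not req.known_location:
        score += 1
    return score


def evaluate(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' (require MFA first) or 'deny'."""
    allowed_roles = ALLOW_RULES.get(req.resource)
    if allowed_roles is None or not (req.roles & allowed_roles):
        return "deny"        # no explicit rule for this user/resource: deny by default
    if not req.device_clean:
        return "deny"        # a device with an active detection never connects
    score = risk_score(req)
    if score >= 5:
        return "deny"        # too risky even with a second factor
    if score >= 3 and not req.mfa_done:
        return "step_up"     # higher protection only when the situation calls for it
    return "allow"
```

Payroll from a managed device always requires MFA; the same request from an unmanaged device is refused outright, and a resource with no rule is refused regardless of the user.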

3. Automate Telemetry Correlation

Sophisticated malware is no longer rare – it’s widely available on the dark web. Evasion techniques are now common, and threats have only accelerated as a result of coronavirus. The Zero-Trust framework assumes that malware has compromised every device trying to connect to the network. Staying on top of threats requires persistent, advanced security that goes beyond endpoint antivirus.

Correlating telemetry across users, hosts, networks, and applications exposes stealthy threats and eliminates alert confusion. Automating correlation can help your team spend less time on alert triage and reduce the number of alerts needing investigation. As part of an integrated approach, infected devices can even be prevented, automatically, from connecting to the network at all, stopping VPN connections from introducing an infection into the broader network.

Coordinated Attacks Need Coordinated Response

EMOTET, one of the most active and dangerous botnets in history, was recently taken down by international authorities. Like many other malware variants, EMOTET attacks were sophisticated and multistage. Typically starting with a successful phish of an employee, EMOTET gave bot herders (those in control of a botnet) the ability to install anything they liked on victim machines or to use the resources of the devices in their botnet in many malicious ways.

Zero-trust approaches help mitigate EMOTET attacks by:

  • Blocking malicious URLs and connections to C2 channels
  • Preventing script execution with macro detection or context-based detection
  • Blocking all unknown binaries coming from outside of the device
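The telemetry correlation described in tip 3 and the macro and C2 signals in the list above can be combined into one rule: a host that shows both signals within a short window gets a single consolidated alert and a quarantine action instead of several unrelated ones. This is an added example, not product code; the log lines, sources, event names and window are constructed assumptions.

```python
"""Cross-source telemetry correlation over constructed log lines (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources (VPN, endpoint, network); in practice
# these would be pulled from the VPN gateway, EDR agent and firewall/DNS logs.
EVENTS = [
    '{"ts":"2021-02-01T09:00:05","src":"vpn","host":"lap-17","user":"ana","event":"login"}',
    '{"ts":"2021-02-01T09:01:10","src":"endpoint","host":"lap-17","event":"office_macro_spawned_process"}',
    '{"ts":"2021-02-01T09:01:40","src":"network","host":"lap-17","event":"dns_blocked_category","detail":"c2"}',
    '{"ts":"2021-02-01T09:03:00","src":"endpoint","host":"lap-22","event":"office_macro_spawned_process"}',
    '{"ts":"2021-02-01T12:00:00","src":"network","host":"lap-22","event":"dns_blocked_category","detail":"c2"}',
]

WINDOW = timedelta(minutes=10)
# Signals from different sources that, seen together on one host, indicate a multistage infection.
REQUIRED = {"office_macro_spawned_process", "dns_blocked_category"}


def parse(lines):
    """Parse JSON lines, convert timestamps and order events chronologically."""
    recs = [json.loads(line) for line in lines]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(recs, key=lambda r: r["ts"])


def correlate(lines):
    """Return {host: alert} for hosts that show every REQUIRED signal inside WINDOW."""
    by_host = defaultdict(list)
    for r in parse(lines):
        by_host[r["host"]].append(r)
    alerts = {}
    for host, recs in by_host.items():
        for i, first in enumerate(recs):
            window = [r for r in recs[i:] if r["ts"] - first["ts"] <= WINDOW]
            if REQUIRED <= {r["event"] for r in window}:
                alerts[host] = {
                    "host": host,
                    "sources": sorted({r["src"] for r in window}),
                    "events": len(window),
                    "action": "quarantine_and_revoke_vpn",  # block the device, drop its VPN session
                }
                break  # one consolidated alert per host, not one per raw event
    return alerts
```

Five raw events collapse into one alert for lap-17; lap-22 shows the same two signals three hours apart, so it does not trip the rule and stays a triage candidate rather than an automatic quarantine.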

More: Are you looking to provide a zero-trust approach for your customers? Learn how in our eBook, "Is EMOTET really gone forever?"

Author Stephen Helm is product marketing manager at WatchGuard Technologies. Read more WatchGuard guest blogs here.