By Micha Rave, Sr. Director, Zero-Trust Product Management, Proofpoint
Here’s some good news. Your team doesn’t have to be vulnerable to wormable exploits like BlueKeep, WannaCry, and the most recent wormables found across MS Windows platforms. But to safeguard your system, you may need to make a change in your current approach to security.
Traditional platforms for securing endpoints—think endpoint detection/response tools and anti-virus software—are ill-equipped to prevent wormables from wreaking havoc. Even informing users about the risks will not help. Simply connecting an infected device to a network can cause wormable malware to spread and infect healthy machines throughout the so-called “secure” zone. Similarly, the products that protect your network, like firewalls and network access control solutions, will not prevent lateral movement.
But the good news I alluded to above is that you can use a software-defined perimeter, or SDP, for a much better defense against BlueKeep and its ilk. SDPs do so by providing what’s known as “zero-trust” security for networks via a dual-defense system that features two complementary defenses:
- Preventing an initial wormable infection from happening to a user’s device.
- Preventing the spread of the worm, network-wide, from one infected device.
What’s the Problem with Firewalls and VPNs?
Before delving deeper into SDP solutions and their benefits for protection against wormables, let’s first drill down into what’s wrong with the approach you may currently be using to secure access to your network—enterprise firewalls and VPNs.
Firewalls are designed to keep evil-doers and attackers outside of the enterprise network, and for the most part they do a good job. However, wormable exploits spread laterally inside the enterprise network, which is why firewalls are largely ineffective against them once they get inside. Take BlueKeep as an example, which took advantage of the Remote Desktop Protocol (RDP) port. Firewalls may be used to prevent a worm from entering your local area network (LAN) in the first place by blocking susceptible ports, like RDP or RPC, but this can’t always be relied upon as a solution, since such a block may be infeasible in certain circumstances, for example, when remote workers need remote RDP access. It also won’t keep the wormable from infiltrating the LAN when a device that became infected outside of the perimeter physically brings the worm in (effectively bypassing the firewall).
And as a TechCrunch report on BlueKeep stated, “If servers at the enterprise firewall level are hit…the potential of every other computer connecting to it fac[es] a similar fate.”
What about the VPN? VPNs are often still the enterprise’s go-to choice to connect employees working remotely, contractors, and third parties who are conducting business virtually—but they shouldn’t be. In fact, the majority of VPN deployments create vulnerabilities to wormables because they are not “always on.” This means that when employees are roaming with their devices on public, potentially hostile networks, their devices may become infected. If that does happen, the VPN allows the infection to be passed along to the local network as soon as the device connects over the VPN, again bypassing the firewall guard.
Health IT Security quoted Simon Pope, Director of Incident Response for Microsoft Security Response Center, when BlueKeep was first reported: “Future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
What Helps: Network Segmentation
To provide real security, enterprises need a way to minimize the potential surface for attack, and this is achieved by defensively partitioning the network via micro-segmentation. Yet while offering only finely grained access to each user based on the actual services and applications that a specific user requires for business purposes is considered a best practice, its complexity can keep many enterprises from taking advantage of it.
Zero-Trust SDP to the Rescue
A zero-trust SDP solution is a much easier way for an enterprise to allow third parties micro-segmented access to only the exact resources that each individual needs, regardless of where a device is connected: inside or outside of the enterprise network. This model is important because when you think about it, it’s simply foolish to trust a device, third party, or user automatically without proper authorization and verification. Instead, every user should have a fixed identity that’s uniquely customized just to him or her. All other network resources should be invisible to each user, and that’s exactly what happens in an SDP model. In this scenario, even if a device gets infected, at least it won’t automatically contaminate the entire network. Deploying an SDP solution is significantly easier than manually partitioning the network, and can scale dynamically with your network, users and applications.
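The containment argument above, as an added example (not from the article or any vendor product): a small Python model that computes how far a worm using TCP 3389 could spread from one infected device under a flat LAN versus per-identity default-deny grants. Device names, identities and grants are constructed for illustration, and every device is assumed vulnerable as a worst case.

```python
from collections import deque

RDP = 3389  # the RDP port the article says BlueKeep took advantage of

# Constructed inventory: device -> identity using it (all names hypothetical).
DEVICES = {
    "laptop-alice": "alice", "laptop-bob": "bob", "contractor-pc": "vendor",
    "file-server": "svc-files", "hr-app": "svc-hr", "jump-host": "svc-admin",
}

def flat_lan_allows(src, dst, port):
    """Perimeter-only model: once inside, every device reaches every other."""
    return src != dst

# Constructed zero-trust policy: identity -> explicit (destination, port) grants.
GRANTS = {
    "alice": {("file-server", 445), ("hr-app", 443)},
    "bob": {("file-server", 445)},
    "vendor": {("jump-host", RDP)},
    "svc-admin": {("file-server", RDP)},
}

def segmented_allows(src, dst, port):
    """Default deny: a flow exists only if the source identity was granted it."""
    return (dst, port) in GRANTS.get(DEVICES[src], set())

def blast_radius(patient_zero, allows, port=RDP):
    """Devices a worm using `port` can reach transitively from one infection."""
    infected, queue = {patient_zero}, deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst in DEVICES:
            if dst not in infected and allows(src, dst, port):
                infected.add(dst)
                queue.append(dst)
    return infected - {patient_zero}

if __name__ == "__main__":
    for zero in ("laptop-alice", "contractor-pc"):
        print(zero, "flat:", sorted(blast_radius(zero, flat_lan_allows)))
        print(zero, "segmented:", sorted(blast_radius(zero, segmented_allows)))
```

The contractor case shows that an RDP grant to a jump host which itself holds RDP grants still forms a chain, so grants should be reviewed for transitive reach and not only pairwise.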
When comparing SDP options, an important distinction to recognize is that not all solutions prevent a wormable infection from occurring on a public network. Since devices can end up infected by a worm just by connecting to a “dirty” network, the best approach is to deploy an always-on, zero-trust SDP solution to keep a wormable infection from happening in the first place and to minimize its effect in the case that it does.
Micha Rave is the Senior Director of Zero-Trust Product Management for Proofpoint and former VP of Products of Meta Networks. He is an experienced strategic product manager and team leader with substantial experience managing innovative product lines such as Proofpoint’s Software-Defined Perimeter (SDP) platform.
CISO MAG did not evaluate the advertised/mentioned product, service, or company, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.