Back in the 1990s, we created our corporate networks with the objective of providing employees with a secure system on which to communicate and collaborate. Central to the concept of that network was the belief that, like a medieval castle, everyone allowed inside was trusted and everyone outside was suspect. While the network was built to enable an employee’s device to connect to any server in the most efficient manner, such connectivity created a key issue that has become a focal point in the latest attacks: by virtue of being a flat Ethernet network, everyone can see everyone.
Which brings us to WannaCry, the ransomware making its global rounds and giving all of us in IT security yet another serious wake-up call (has it already been 10 years since a worm, with similar ease, took down SCADA systems?). My team’s immediate and predictable reaction included questions like:
- Is the Zscaler IPS catching it? [Yes]
- Is Zscaler Cloud Sandbox detecting and blocking the payloads? [Yes]
- Are we finding the kill switches [Yes]
While these are the right and expected answers to questions about the attack, I received a note from a trusted Customer Advisory Board member that surprised me. Tom (not his real name) offered a different perspective: “Really glad I am working from home on Zscaler Private Access. Nothing in my network can see me, so there is no lateral attack that can hit my laptop. Isn’t it crazy that I am actually more secure OFF the corporate network than I would have been ON it?”
It dawned on me that while we can keep making noise about how our signatures and machine-learning protections can stop threats, there is a bigger swamp to drain. Today’s corporate networks and, sadly, the current remote access VPNs connect networks together. This means that even if users are sitting at home and connected on a VPN, they will still get hit by an SMB (Server Message Block) scan — SMB is the protocol that enabled the rapid proliferation of the WannaCry malware.
The solution is to have TRUE isolation. A network is a means for clients to find servers, or users to find applications. Any more trust in the network is bound to lead to the doom and gloom we currently face. Putting authentication and access controls ahead of any asset discovery — which is a big piece missing in DNS, SMB, SRV, port scans, etc. — ensures that lateral movement can happen only if authentication has been done. The mechanism of authentication before discovery is the basic building block for Zscaler Private Access and the reason Tom remains secure. It also ensures that traffic is initiated only by a client to a server, and never the other way around. In this scenario, a PC getting hacked without the user knowing becomes far more difficult.
Not only that, but if Tom should indeed have become infected, his machine was never actually connected to the corporate network, so he cannot infect any other clients or servers that were not mounted. A port scanner on his laptop will scan a 100.64 IP range that will find nothing else on it.
As Steve Riley and team wrote in their compelling Gartner report: It is time to isolate your assets from the Internet cesspool — and obscurity truly has a place in security frameworks. But this type of isolation runs counter to the notion of the corporate network, and it underscores the need to modernize.
I am amazed when I talk with folks running the systems at younger startups, because the concept of corporate networks is completely foreign to them. “In the world of O365, Salesforce, Google, Amazon, GitHub, and more, why would I need a corporate network…Starbucks is my office, man.” However, for large organizations that were not born in the cloud, the latest spate of attacks is a wake-up call to begin the journey from the corporate network to the cloud. Visionaries like Frederik Janssen of Siemens spoke about it at the Cloud Security Alliance Summit 2017, and thousands of organizations are well on their way to a cloud-enabled future. It is no easy feat, but we will be with you every step of the way on your journey.
Read more about a 3rd party perspective on SDN and ZPA