Products and Solutions | Blog Category Feed Zscaler Blog — News and views from the leading voice in cloud security. en Data Protection Best Practices for Healthcare The healthcare industry is struggling to protect against increasingly sophisticated cyberattacks. According to the HIPAA Journal, healthcare data breaches of 500+ records reached a new high in 2023 at 725 large security breaches. One thing that’s common across all breaches is “Data” lockdown, exfiltration and/or encryption. Hence data protection is a top priority for all healthcare organizations that must protect patient data from malicious insiders, accidental data loss, and bad actors. In this blog, you will learn best practices and common challenges faced by Healthcare organizations. Why is this important?Privacy regulations describe sensitive information as any personal data or intellectual property - including trade secrets, patents, copyrights and trademarks, that could potentially cause harm, damage, embarrassment, or discrimination to an individual or organization if it is disclosed, accessed or used without authorization. There are two ways to look at this Sensitive Information: Either one can protect them or let them loose. In an organization, it’s either Owner, Founder, CXO or Security Officer, who needs to make those decisions based on their ‘Risk Appetite’. Either way, the exposure of this sensitive information will COST your organization. Challenges of securing your data landscape Cloud and mobility initiatives have distributed sensitive data across cloud apps and devices, but traditional data protection approaches aren’t built to secure data across distributed channels. 48% percent of board directors rank cyber risk as a top enterprise risk. In fact, cyber risks are among the most costly risks facing organizations today, with the average cost of a data breach reaching $8.64 million last year.” Source: Gartner - Data protection challenges in healthcare A day in the life of a Healthcare Security, Infrastructure & Data Protection team member includes a spectrum of activities: Constant M&A practices Managing complex network architecture Lack of network segmentation Pressure to serve up to skilled remote workforce Operating within HIPAA compliance framework Zscaler Data Protection provides a comprehensive, cloud-delivered platform built to safeguard all your sensitive data, everywhere. Delivery of data protection is attained through multiple dimensions, depending on what could be the source of data loss. In this blog, we will focus on the 4 most common data sources that often times lead to a data exfiltration event or a data breach: Secure Endpoint Data-At-Rest Prevent Inline Data-In-Transit (Motion) loss to Web and BYOD Secure SaaS Data-At-Rest with Out-of-band CASB Secure Unmanaged User access to resources Zscaler’s data protection journey starts with understanding the challenge Scenario 1 → Secure Endpoint Data-at-rest Every knowledge worker tends to use their organization's given device for personal work, be it to store and analyze personal financial or health related information. For example: A physician uploads 500+ PHI records onto their own personal cloud storage sync folders like Dropbox thick client on Windows PC. Applications like Dropbox thick clients are “certificate pinned” to protect application code vulnerability. Challenge:1. TLS inspection measures will break the application access, leading to an unhappy user experience. 2. Web proxy or network DLP controls are blindsided, leading to data hoarding events. Solution and Benefits:Endpoint DLP policy provides the following benefits and allows you to: Monitor, prevent, or block the leakage of sensitive data on endpoints (i.e., through printing, saving to removable storage, saving to network shares, or uploading to personal cloud storage accounts). Use Zscaler custom and predefined DLP engines to detect and take action on sensitive data. Monitor sensitive data and enforce endpoint DLP rules even when an endpoint doesn't have a network connection. Top Use Cases:Retire legacy endpoint DLP: Get rid of complicated point products and deliver data protection from one unified strategy Stop exfiltration during employee resignation: Secure the employee attrition process by stopping sensitive data exfiltration to personal and removable storage Boost data protection efficacy: Ensure your most sensitive data is properly tracked and consistently protected, no matter where or how it is accessed Improve compliance: Ensure regulatory compliance is maintained for required data and file types across your entire organization Scenario 2 → Prevent Inline Data-In-Transit (Motion) Loss to Web and Cloud Applications Internet transactions with destinations like web URLs or cloud applications have been considered as a top threat vector based on cyber phishing practices and breach prediction results. Traditional approach with limited SSL inspection and proxy controls has little to no control on data exposure. Today, your users are constantly on the run, they might have left the network (campus), but that doesn’t have to mean your sensitive data will leave with them. For example: A physician uploads 500+ PHI records onto their own personal cloud storage application or other destination over the web. Challenge:Minimal SSL/TLS inspection leads to blind spots. Lack of proxy and inspection policy leads to data exfiltration. Data being shared across different file formats, it becomes challenging to trace the activity. Lack of investigation tools to minimize the exposure window. Solution and Benefits:By leveraging Zscaler’s Zero Trust Cloud, Consistent data protection and full SSL inspection helps scan and monitor every byte inline, without capacity limits. Inline DLP, inline CASB custom and pre-defined DLP engines will help detect and block PHI record files from leaving your assets at all times, following the user mindset. Inline DLP enables you to protect sensitive data with advanced controls and granular policy, all while remaining in compliance with regulatory mandates. Top Use Cases:Better data protection: Get identical protection for all users and branches regardless of location Complete visibility: Illuminate blind spots by inspecting all your SSL traffic, without capacity limits or costly appliances. Elastic scale: Always enforce your policies inline with consistent performance A fully integrated platform: Eliminate the need for architectural changes and maintenance of point products Scenario 3 → Secure SaaS Data-At-Rest with Out-of-Band CASB Healthcare professionals tend to collaborate PHI records (data-at-rest) within approved cloud storage like M365 or Dropbox, with internal and third-party medical professionals for research, opinion, or guidance. Challenge:As we know, traditional network and security architecture has been less effective when it comes to decrypting TLS traffic or gaining visibility into data-at-rest DLP violations. With the influx of cloud applications, the use and abuse of free cloud storage has led to shadow IT challenges where the responsible custodians are informed after the event happens. Sharing of sensitive data with third-party users can lead to sensitive data loss or noncompliance. Solution and Benefits:Restrict collaboration of PHI records based on “what data is shared with whom” (OOB CASB will help). Granular data protection policies apply consistently across cloud apps to stop accidental or risky file shares and halt internal threats like intellectual property theft. IT gets to regain control and visibility into data stored in approved cloud storage. Historical scan allows investigation and incident management practices. Complete threat protection with cloud sandboxing enables automatic remediation of zero-day malware. Top Use Cases:Identify sensitive data assets: DLP dictionaries identify sensitive data within SaaS and public clouds like AWS Limit data sprawl: Collaboration control crawls apps for risky file shares and revokes them according to policy Cloud sandboxing: Continuous scanning of data at rest to identify and respond to zero-day malware and ransomware Platform approach: SSPM, CSPM, and CIEM help evaluate SaaS and IaaS configurations and permissions to remediate issues automatically Scenario 4 → Secure Unmanaged User Access to Resources Medical professionals expect to have access to data from anywhere, using any device without realizing the risk the threat or risk it brings to the business. This scenario is referred to as ‘Doctors Beyond Borders’. Since this group of professionals are revenue generators, IT (infrastructure team and application developers) willingly give them access to EMR or health records from Unmanaged or BYOD devices. Challenge:Typically these users are brought on the network by extending VPN which leads to increased attack surface. Onboarding non-compliant devices has its own challenges which could lead to data leak or compromised devices. Maintaining a list of unmanaged device databases, defining policies, and procedures and more importantly logging their activity adds up to more IT cost and complexity. Uncontrolled sprawl of these device access can introduce boundless challenges associated with exposure of sensitive data. Solution and Benefits:Leveraging Zscaler’s browser access, isolation platform, and full proxy architecture, we can present a pixelated stream of the web application on the unmanaged device. Some of the key benefits include: Enabling full productivity experience for unmanaged device access or BYOD users without security getting in the way. Protecting healthcare assets from web-borne threats, no matter where healthcare professionals work from, while minimizing IT help desk tickets. BYOD Users are never brought on the network via VPN. Secure sensitive data with an agentless approach. Top Use Cases:Eliminate the risk of evasive web threats: Reap all the rewards of internet productivity with none of the risk. Unburden IT teams and budgets: Spare IT from managing technology, policies, and procedures for unmanaged device or BYOD infrastructure. Unleash productivity for admins and users. Drive your business, not breaches: Better protect sensitive data against accidental exposure or sharing with fine-grained data loss prevention controls like watermarking, prevent copy paste, local printing, and much more. Boost productivity, even for BYOD: Give healthcare professionals, employees, contractors, and newly acquired teammates alike secure, agentless access to the applications they need, even on unmanaged/BYOD devices without the cost of VDI. Most IT professionals within Healthcare would be able to relate with these four scenarios. It’s likely that you do recognize the need for this solution but have pending questions like the following which requires further dialogue: What does an acceptable user policy for data protection look like within Healthcare? How do we investigate or analyze data violations? Who will take on the data custodian responsibility? Would Zscaler have access to our data? To summarize, it’s never late to engage and plan to deliver complete data protection with Zscaler The Zscaler Zero Trust Exchange is a high-performance SSE cloud that delivers complete data protection by intelligently discovering and securing data across all data channels. What customers say about Zscaler Data Protection It’s always great to hear from our peers. Recently IDC, a research partner, interviewed Zscaler customers detail their considerations and the capabilities of Zscaler Data Protection that drove their purchase decisions: Providing security for all types of employees and ensuring robust regulatory compliance: “We were looking for a solution to help protect our employees not just when they are in the office but when they are outside the office. We looked at Zscaler Data Protection to be able to protect both in the office and outside the office. Another key piece is that Zscaler Data Protection catches any credit card information or PII (personally identifiable information) information being sent out.” Selection based on features and capabilities: “When we chose Zscaler Data Protection, it was based on the features and capabilities of the tool, for example, the SSL inspection—not just blocking the site but also basically inspects the traffic and offers geography blocking.” Enhanced capabilities that reduce risk exposure: “Zscaler Data Protection brings capabilities that [our previous solution] didn’t have. Our off-network policy set can be the same as on-network with Zscaler and we couldn’t do that with [our previous solution]. If we had stayed with our [previous solution], we would have had greater risk exposure.” A cloud-based solution meeting the needs of a growing and distributed business: “We have a very distributed workforce, and having a cloud-based solution with Zscaler Data Protection allows us to ensure we’re protecting employees regardless of where they are in the world. Our big driver with Zscaler Data Protection is consolidation of data assets.” Source:IDC*1yoimtg*_ga*MTMxMTQ1MTIwNC4xNzE0NDExNzE4*_ga_10SPJ4YJL9*MTcxNTI4NTI1Mi4yMS4xLjE3MTUyODY1MjUuMTAuMC4w Summary This week Zscaler announced new AI innovations to power the industry’s more comprehensive data protection platform including new data security posture management (DSPM), inline email protection and GenAI security advancements to safeguard data-in-motion and data-at-rest across all exfiltration channels. The full press release can be read here. Please reach out to your Zscaler Account team to learn more about our solution and platforms. To learn more, please follow this link. Thu, 16 May 2024 07:15:14 -0700 Keval Shah Extend Complete Data Security to the Public Cloud with DSPM Recently, attacks directly targeting the cloud have increased by 288%.¹ With organizations now pushing zettabytes of data to the cloud, this is a recipe for disaster. Moreover, with sensitive data such as PII, PCI, PHI, and secrets scattered across multiple clouds, accounts, services, and data stores—paired with poor visibility and understanding—prioritizing your cloud data isn’t just an option anymore. It’s a requirement. Current Data Security Approaches Fall ShortOrganizations can spend millions of dollars every year on multiple security solutions to secure their data. But this approach doesn’t scale, and it requires a lot of manual operations, leading to alert overload and more security gaps, especially in complex multicloud environments. Meanwhile, the global average cost of a data breach increased 15% in the last three years to approximately $4.45 million, with 82% of data breaches involving data stored in cloud environments.² In addition, with traditional data security approach, organizations struggle to: Discover and classify cloud data: Where is sensitive data stored? What type of data is it? Identify cloud data: Who has access to this data? Is it compliant? Contextualize cloud data: Is data exposed? What is the security posture of my data? Hello World! Meet Zscaler Data Security Posture Management (DSPM)To address today’s cloud data security challenges, we’re excited to be launching our fully integrated Zscaler DSPM solution to proactively classify, detect, and protect your cloud data. As part of the Zscaler AI Data Protection platform, Zscaler DSPM extends robust, best-in-class security for your data into the public cloud. It provides granular visibility into cloud data, classifies and identifies data and access, and contextualizes data exposure and security posture, empowering security teams to prevent and remediate cloud data breaches at scale. As opposed to legacy or standalone data security solutions, it uses a single and unified DLP engine to deliver consistent data protection across all channels such as endpoint, email, SaaS, and now IaaS/PaaS. By following all users across all locations and governing data in-use, in-motion, and at-rest, it ensures both structured and unstructured data is seamlessly protected and compliant. Key Capabilities and Benefits: Discover and classify data: Scan and discover sensitive data across various cloud platforms and services in real time. Leverage precise, AI-based data classification backed by the Zscaler Zero Trust Exchange™, which monitors billions of transactions daily. Map and track exposure: Get a unified view of security, inventory, and compliance for sensitive data in your multicloud environment. Receive a granular, risk-based, user-centric view over all access paths to mission-critical data assets and configurations. Analyze hidden risks such as misconfiguration, excessive permissions, and vulnerabilities. Remediate risk: Proactively mitigate risks by identifying potential security gaps and implementing necessary controls, and easily fix issues and violations at the source with context-based guided remediation. Ensure consistent security posture: Enforce consistent, best-in-class data security everywhere, from endpoint to email, SaaS, public cloud, etc. Compliance assurance: Ensure continuous compliance with industry regulations and data protection standards. Continuously map posture against regulatory frameworks such as GDPR, HIPAA, and PCI DSS to identify and remediate compliance violations. Integrated workflows: Seamlessly integrate with your existing security ecosystem, third-party services, native risk prioritization tools, and team collaboration applications. How Zscaler DSPM Can Solve Your Real Security Problems Discover and Classify Your Most Sensitive DataTo understand your data in the public cloud—including what types of data are stored, the services storing the data, and where sensitive data is located—Zscaler DSPM can scan your entire organization or specific accounts you want to protect. By default, Zscaler DSPM will take all available out-of-the-box AI classifiers, dictionaries, and DLP engines, as well as any customized engines, to discover and classify the data. DSPM enables security teams to discover and classify data across multiple cloud and network locations. It provides comprehensive visibility into file location, categorization, classification, access permissions, and compliance risks. This helps identify misconfigurations, improper access controls, and vulnerabilities that could lead to data breaches. Figure 1: DSPM Dashboard - Data Discovery Security teams can drill down to investigate data further by focusing on a specific data type, to learn related information such as volume, where the data is dispersed geographically, and the services storing this type of data. For example, we can see that medical records are mostly stored in storage buckets, some in VM drives, and just a few were detected in databases. For some organizations, it is important to inspect data from a geo-perspective, such as specific geography or view of the data breakdown by geography. With geo-fencing, Zscaler DSPM can help organizations inspect and restrict data usage to specific locations/geographies. Security teams can get clarity as to the types and volume of data stored in each location and understand the breakdown by data store type. This provides powerful visibility and control over what data runs in their clouds, enabling teams to optimize DSPM settings, keeping it as a wide full analysis, or focused on specific data types they care about. Figure 2: DSPM Dashboard - 360-degree view of data stores in data inventory Security teams can go a few levels deeper with investigation. From any of the links, you can drill down all the way to a single data store level, examine the specific information there, and get visibility into the data store. This makes it easy to understand posture, get information about the way data is tagged, or glean many other kinds of information (e.g., the project it’s part of, the owner) to help better understand the data. Identify, Investigate, and Remediate RisksHaving gone through different inspection modes, security teams now have complete clarity as to cloud data whereabouts. Their next concern would be: What are the top security concerns and risks to the data? Does the current setup of security policies restrict the risk of data loss? Does the current setup offer proper controls to avoid malicious access to, or accidental exposure of, the data? What can be the next step to protect sensitive data in the cloud and maintain consistent security posture? DSPM can automatically address these concerns, using AI and ML algorithms paired with advanced threat correlation to identify and prioritize data risks. It analyzes data context and content to identify sensitive information (e.g., intellectual property, PII, medical records), prioritize data risks, and help security teams focus their efforts on protecting the most critical data assets. Figure 3: DSPM Dashboard - Top Risk Data Stores Based on the posture findings and the sensitive data, the system ranks the data stores by greatest to least risk they pose to the organization. Basically, if you have just one hour to improve your cloud risk, start from the top of this dashboard and make your way down. You can also see that alerts were raised, each describing an attack vector that raised concerns. DSPM alert view provides an accurate, yet simple view detailing the detected issue. In the example in figure 3, the impact of a potential attack through these vectors would be huge as that S3 bucket contains a high volume of sensitive records. Combined, these yield a critical risk. Once security teams understand this, the next step would typically be to learn all about the data store and resolve the potential issues, thus reducing data security risk. DSPM offers complete understanding of security issues with step-by-step remediation guidance to help security teams, cross-functional teams, and project stakeholders address them. Let’s look at an example to understand how DSPM can help identify, prioritize, and remediate risk. Figure 4: Alert detailed view In this example, we were exploring an advanced attack vector allowing a malicious user to gain access to the sensitive data on a storage bucket. This storage bucket is properly configured: there is no direct access to it, it is backed up, and it has relevant logs enabled. Even so, it is exposed through a more advanced path—it can be accessed by multiple VMs (AWS EC2 instances). A valid business case may require this access. For example, a VM may run an application that requires access to the data on the storage bucket. These VMs, however, contain some CVEs and are configured in a way that they can be publicly exposed. You can learn all of that from the alert description, summary, and graph. This alert says a hacker can access each of these VMs (because they are publicly exposed), exploit the vulnerability in their running packages to gain control/access to that VM, and then use the VM to access the data on the bucket. At this point, security teams will be looking for more details. By selecting the services node, you can switch the context to learn about these VMs. You can then scroll through the VMs, examine their vulnerabilities, check what packages they are part of, whether a fix exists, and more. To get greater attack path analysis, you can explore deeper at a direct EC2 level through the public exposure path. Figure 5: DSPM - Alert Details Figure 6: DSPM - Alert Details - Public exposure path Here, we can see that the public exposure path for this EC2 involves the security group and VPC ACL associated with the VM, a load balancer and an internet gateway service. DSPM also highlights the security group with an exclamation mark, denoting that it plays a key part in this exposure. Clicking on the security group will change the context to it and provide information about the security group itself. Figure 7: DSPM - Alert Details - Public exposure root cause Even if your team members are not cloud experts, they will be able to easily identify root cause for the security group inbound rule. That rule allows for direct access. They can inspect or copy the rule and share that with the cloud architect or developer who will be fixing that issue. In other cases, instead of (or in addition to) fixing the public exposure, teams may wish to examine the entitlements granted to this VM and explore why it has access to storage bucket. Figure 8: DSPM - Alert Details - Access path Similar to the public exposure path, teams can click on the “access path” this time, and observe a simple graphic representation of the access entitlements. Permissions in the public cloud are highly granular. DSPM does the heavy lifting and explains that access. In this case, the EC2 has an instance profile associated with a certain role that is tied to three policies, each of which grant different levels of access to the bucket. Again, teams can examine each of the objects on the graph, copy the relevant metadata, or even go directly to the AWS console and fix the issues. Through our remediation capabilities, security teams can then get a step-by-step guide on how to resolve issues and ensure that your cloud data remains protected. To learn more about Zscaler DSPM, watch launch webinar. Additional ResourcesDSPM webpage: Data sheet: Zscaler DSPM at-a-glance Zscaler DSPM demo video Footnotes1. Cloud Security Alliance, The Common Cloud Misconfigurations That Lead to Cloud Data Breaches, October 11, 2023. 2. IBM, Cost of a Data Breach Report 2023, July 24, 2023. Sat, 18 May 2024 19:14:07 -0700 Ofer Yarom Trailblazing innovations that revolutionize Data Protection This blog is a summary of Zscaler's new Innovation Launch around Data Protection. To watch the virtual event and see all the new innovations in action, see the Launch Event Page A Unifed Approach to Securing DataToday’s new innovations announced around Zscaler’s Data Protection platform are important steps in the next phase of data security. Organizations are thirsty for smarter, better, and more streamlined approaches to data protection. With that, Security Service Edge (SSE) has been the fastest growing security architecture of the last 10 years, so it’s clear that cloud consolidation of data protection is here to stay. But why is it that the gold standard for data protection is now consumed from an SSE Cloud? It starts with three little letters: DLP. Often confused with Data Protection, DLP is the underlying technology where all the magic happens, as its main goal is to find and classify data as sensitive or not. Any data protection team knows that DLP is the heartbeat of their program. Once you have your DLP policies in place, the next logical step is to send it hunting for data. This is where the platform comes into play. It should bring everything together and secure as many channels as possible, like web, endpoint, email, SaaS, IaaS, private apps, and BYOD. As you read about all our new Data Protection innovations, you’ll quickly understand that Zscaler has been squarely focused on extending their industry leading platform in new ways that fundamentally helps supercharge DLP. With these new approaches to data protection, protection teams can improve visibility, control, and context more than ever before, so sensitive data and risks can be better controlled Let’s see what all the fuss is about with these new innovations: Innovation 1: More AI Auto Data DiscoveryIn 2022, Zscaler announced an industry-first innovation around inline auto data discovery. Leveraging AI/ML, Zscaler’s cloud was able to quickly and accurately classify data as it moved through an organization's Zscaler tenant and interactively provide guidance on where it was going and who was putting it at risk. This enabled the organization to drastically accelerate deployments by understanding their data landscape with tremendous speed right out of the box. Building on this innovation, Zscaler has now scaled AI/ML auto data discovery to endpoints and public clouds (via our DSPM). This further extends data protection teams ability to understand even more data risks across devices, inline and clouds. With complete visibility, it becomes even easier for organizations to enforce meaningful protections that will keep data safe. Innovation 2: Data Security Posture ManagementDSPM is one of the hottest new technologies out there and many vendors and organizations are starting to take notice. Built to help organizations understand the data risks associated with misconfigured public clouds, DSPM is an important step to help improve data hygiene across AWS, Azure, and GCP. But it must be asked: Where should DSPM be consumed from? At its core, DSPM is about understanding where your sensitive data is and what risks it is exposed to. In addition to understanding misconfigurations, a great DLP engine is core to this exercise. For data protection teams that are using their centralized DLP to protect endpoint, email, and SaaS; adding public cloud to this is a no brainer. This ensures you get consistent alerts on data as it moves through the organization. For example, data downloaded from AWS, attached to an email, and uploaded to Google Drive to share should all be inspected and blocked by the same DLP engine. With SSE now the de facto standard from which Data Protection and DLP should be consumed, adding DSPM to this equation makes a ton of sense. This allows Data Protection teams to round out their protection landscape to new channels with existing policies, while understanding what risky public misconfigurations need attention. Zscaler's DSPM deliver all of this on all fronts. With an integrated approach to data protection, organizations get complete control over their public cloud data and configurations. Quickly auto discover shadow data and understand all misconfigurations attached to this data that expose it to risk. After risk is understood, in-depth remmediation help IT teams quickly close gaps and secure all public cloud data. Best of all Data Protection teams can easily add this to their existing DLP policies, so deployment is a snap. Zscaler DSPM Dashboard - Data and Exposure Visibility Innovation 3: GenAI SecurityThe hottest IT challenge on the planet right now is GenAI applications. As a shadow IT app on steroids, these new GenAI apps have the ability to drive significant productivity, but at what cost? Scared of the data loss potential, many organizations are flat out blocking all of these apps, which is understandable. With this challenge in mind, Zscaler has released powerful new capabilities that enable IT organizations to get maximum visibility into the use of these AI apps so as to make better blocking decisions. Centralized around a new dashboard, Zscaler reveals everything you need in one place for great data protection. From AI usage, to peer comparison, to in-depth understanding of all data loss, this dashboard enables teams to quickly understand AI risks. But the real power of this approach is seeing the actual input prompts that users are sending to AI applications. For every user you can see the AI app they are using, the input prompt they sent to the App, and what type of data was in that prompt. This is contextual visibility at its best, so you can make better blocking decisions. With Zscaler you can then enforce DLP inspection to block sensitive content or even isolate users and AI apps in our secure cloud browser. Zscaler Gen AI Security - App Usage Visibility Zscaler Gen AI Security - In-depth visibility of user input prompts Innovation 4: Email DLPEmail is one of the most dangerous channels for data loss. It’s extremely easy to attach data to emails and purposely or accidentally send them in risky ways. New to Zscalers platform is the ability to do real-time inspection of email via SMTP relay. Delivered as a Smarthost, Zscaler can now be easily inserted into organizations email infrastructure as an additional hop. It works with existing MTAs and gives you DLP actions like Caution, Block, Quarantine, Encrypt, or even Custom Headers. The best part is it seamlessly integrates with Zscaler’s centralized DLP, so all your existing policies and engines can be quickly scaled into email to inspect content and attachments for sensitive data risks. This enables organizations to further consolidate around SSE and reduce the cost and complexity of existing point product email solutions. Innovation 5: Unified SaaS SecuritySecuring SaaS Platforms can often be a tricky task. Sometimes overlooked, these platforms need special care and attention as tons of business data resides in platforms like Office 365 or Google. Up until now there were several disjointed approaches needed to accomplish SaaS Security. CASB allows you to control risk sharing and SSPM enables you to scan for dangerous misconfigurations. To manage risky integrations of third-party apps organizations have had to look to SaaS Supply Chain Security. To help organizations bring this all together and drive better correlation, Zscaler has released Unified SaaS Security. This new approach consolidates everything you need into on platform and workflow, so you can manage and secure all aspects of your SaaS Security. With CASB, SSPM and SaaS Supply chain integrated into one single approach, organizations get the complete visibility and correlation they need to make better risk decisions around these important SaaS Platform. Bring it all togetherAs you can see, Zscaler has doubled down in several areas to help further extend the industry's most comprehensive Data Protection Platform. With one platform you can easily inspect structured and unstructured data, across data in motion, at rest and in use, across all the channels you need to properly secure all your data. The power of this platform helps you find data faster, secure data better, and retire legacy technical debt around one consolidated approach. If you’re ready to see how Zscaler can help you transform your data protection strategy, we’d love to hear from you or tell you more. Here are a couple options: Innovation Launch: Watch our launch event and see all these innovations up close and personal Deep-Dive Breakouts: If you want to double click on any innovation or explore resources, you can see several breakouts around AI, DSPM, SSPM and Email Learn about Data Protection: Explore our Data Protection Solution Talk to someone: Reach out to us to get a demo or see if Zscaler may be right for your organization Mon, 13 May 2024 18:00:01 -0700 Steve Grossenbacher Why VPNs and Firewalls Can’t Build a Zero Trust Architecture In today's rapidly evolving threat landscape, it’s clear that traditional perimeter security measures can’t protect organizations from sophisticated cyberattacks. The rise of remote work, cloud computing, and sophisticated AI-related cyberthreat has brought newly dangerous cybercrime to light. As a result, organizations face an urgent need for a more proactive security strategy. In the age of sophisticated cyberthreat, it’s crucial to adapt quickly and provide robust protection for sensitive data and critical systems. Implementing a zero trust architecture is strongly recommended as a force against this advanced threat landscape, but what is zero trust architecture? Some vendors are using the term “zero trust” loosely and presenting solutions that simply repackage existing perimeter-based security tools. Whether tools like firewalls are deployed as hardware or as virtual appliances in a cloud instance, they are no match for the relentless and advanced cyberattacks that organizations face today. These approaches operate on the assumption that everything outside the network is untrusted, while everything inside is trusted. With perimeter based security, the network is still exposed, and placing more firewalls in the cloud doesn’t live up to the scalable, multitenant, cloud-first architecture that is necessary when securing your users, workloads, and devices with a true zero trust architecture. Perimeter-based security has weaknesses Perimeter security has a glaring weakness—a lack of control across resources once a bad actor has accessed the network. Traditional perimeter security controls interact with the whole network—where IP addresses are left exposed. These exposed IP addresses can easily be exploited by attackers. Once they have access to the network through exploiting these public IP addresses, they can move laterally across the network, find valuable data, and exfiltrate it. Another weakness of perimeter security comes from attackers who exploit social engineering tactics or vulnerabilities in the network infrastructure. Bad actors are always looking for ways to penetrate enterprise networks. They do this through attacking IP addresses, social engineering, and various infrastructure vulnerabilities. Once inside, attackers can easily bypass perimeter security controls and access any resource they please. A cloud native zero trust architecture has 4 key principles To address these weaknesses and provide a more robust security approach, organizations need to adopt a zero trust architecture. At the core of zero trust is the assumption that all users, devices, and traffic, whether inside or outside the network perimeter, are untrusted by default. This approach eliminates the concept of a trusted network and instead verifies every access request, regardless of its origin. Zero trust enforces strict identity verification, least-privileged access, and continuous monitoring and analysis of network traffic to ensure that only authorized users have access to the resources they need. Implementing zero trust requires organizations to embrace key principles: Never trust, always verify: All users, devices, and traffic must be verified before being granted access to any resources. Trust is not assumed, but earned through rigorous verification processes—including using context signals as a key verification point. Least-privileged access: Users should only be granted the minimum level of access necessary to perform their job duties. This principle ensures that even if a user's credentials are compromised, the potential damage is prevented. Continuous monitoring and analysis: All network traffic must be continuously monitored and analyzed for any signs of suspicious activity. This proactive approach allows organizations to detect and respond to potential threats in real-time. Assume a breach, evaluate risk: This principle operates on the assumption that a breach has already occurred or will occur. By adopting this mindset, organizations are better prepared to detect and respond to potential breaches, minimizing the impact on their networks and resources. Why firewalls and VPNs fall short of true zero trust architecture While firewalls and VPNs have traditionally been used to secure networks, they are not sufficient for delivering robust zero trust security. Firewalls and VPNs operate on the principle of perimeter security, assuming that everything outside the network is untrusted, and everything inside the network is trusted. However, this approach falls short in the face of today's sophisticated cyberattacks. While firewalls and VPNs are included by many vendors as part of their “zero trust” solutions, they shouldn’t be confused with zero trust architecture. Firewalls can help block unauthorized access to the network, but they cannot prevent lateral movement by attackers who have gained access unless you spend an exorbitant amount of money continuously buying more and more firewalls. VPNs can secure remote access to the network, but they cannot prevent attackers from exploiting vulnerabilities in the network infrastructure. To implement a zero trust architecture, organizations need to adopt a comprehensive approach that doesn’t put the whole network at risk. Zscaler is a Leader in zero trust architecture When it comes to implementing zero trust architecture, organizations can turn to Zscaler, the leader in zero trust. The Zscaler Zero Trust Exchange provides a comprehensive approach to securing access to applications for users, workloads, IoT/OT, and third parties in any location. Zscaler's Zero Trust Exchange is a cloud native platform with high availability and scalability. It offers an intelligent switchboard that connects users, workloads, B2B partners, and devices to resources directly. Zscaler also provides advanced security functionality like least privileged access, continuous monitoring, and risk evaluation. This approach protects organizations and data from various threats by ensuring no one is put on the network directly. The Zscaler cloud secures 400B+ transactions per day across more than 40% of the Forbes Global 2000 companies. Zscaler's Zero Trust Exchange is supported by a 24/7 customer support team experienced in deploying and managing zero trust architecture. For leading zero trust solutions, choose Zscaler. Learn more about what a robust zero trust solution looks like at one of our monthly Intro to Zero Trust webinars. Wed, 15 May 2024 09:00:01 -0700 Sid Bhatia Simplify Healthcare Boardroom Meetings and Compliance with Risk360 When I was a customer, I was tasked with implementing new compliance controls and decreasing risk. The challenge was that vendors would tell me, “...we can provide you Y to be compliant with your standards”, which would mean a 500-page document covering how to enable all of these toggles in order to be compliant. We all know how risk averse healthcare is; the last thing I would want to do is start blocking and turning on new security controls without in-depth testing. Then how would I even know where to begin? Do I start at page 1 or page 60 because secure DNS is easier to implement? I needed a tool that could not only ingest a compliance framework but give me easy-to-understand feedback as to where I was compliant, where I wasn’t, the risk(s) of noncompliance, financial or otherwise, and, most importantly, how to become compliant. Here comes Zscaler Risk360 to save the day! I wish this had existed when I would prep the C-suite to speak to the board. Zscaler Risk360 offers a clear view of risk criteria, financial impact, simple C-level reporting, and insights into where the most risk is coming from. I can take high-priority recommendations and see exactly what’s going on in my environment for that set of criteria. For example, I can view a high spike of malicious content blocks discovered on Jan 24. I can then see which users are being targeted and the threats they’ve tried downloading or executing. This allows me to proactively ensure a machine is not infected. Then, the financial risk dashboard will show me how much the infection could cost me. I can see if risky application usage, such as going to free PDF converter websites with poor terms, causes a severe impact to risk.. I can even run a Monte Carlo Simulation. My favorite part of Zscaler Risk360 is the framework piece. As I said before, I could go through a long process of searching through all the documents to make sure all my resources are compliant, but that takes time—time healthcare customers don’t have. If I look at MITRE for example: Looking at MITRE ATT&CK, I can see where I am configured correctly, misconfigured, or not configured at all. It will consider my current Zscaler license subscription as well to tell me where Zscaler could be helping me that maybe I haven’t thought of. I have talked to many healthcare providers that weren’t aware Zscaler has certain features for data protection. Instead they were paying for multiple products that all had overlap. You have heard me talk before about the healthcare mantra “do more with less”; well, here is a perfect chance to live out that mantra and find out where you can reduce cost on overlap. If I click on one of the framework toggles, I will get a window that will not only give me the MITRE link with information on the selected section, but also tell me what Zscaler product if applicable fixes it. I can also use custom coverage or add notes if I know for example a certain technology I have covers something that Zscaler doesn’t. This allows me to continuously work towards being compliant in easy digestible chunks vs. a 500-page document all at once. I want compliance to be easy for our healthcare providers because it wasn’t for me. I want to ensure that you only end up in the boardroom explaining the good things you are doing to protect your organization while offering the plan to secure the rest of the organization. Thu, 09 May 2024 08:44:40 -0700 Steven Hajny AI/ML-Powered URL Classification: Categorize and Conquer If you ever try wrapping your head around the sheer enormity of the internet, your brain might start to hurt. The indexed internet teems with roughly 4.5 billion unique web pages at any moment, with countless subpages. That's almost 4.3 billion IPv4 and more than 340 undecillion (that’s 36 zeroes) IPv6 addresses! Add to that the explosive growth of generative AI capabilities. Like the Usain Bolt of website creation, GenAI is sprinting ahead to build sites faster than you can say “HTML.” But all these lightning-fast developments have left URL block lists obsolete and many organizations vulnerable to evolving web threats. With a gazillion domains, URLs, sites, and IP addresses, getting lost in the internet's forbidden corners is almost inevitable. That’s precisely why understanding URLs is crucial for IT security. Navigating the web’s maze with AI/ML-powered URL categorizationSo, how do IT teams turn URL clues into Sherlock-worthy deductions to gather actionable intelligence and implement remediation? Enter Zscaler AI/ML-powered URL categorization. This feature classifies web URLs and assigns them specific categories by using AI and ML to analyze text and visuals. For instance, by analyzing the frequency and presence of words across different categories, the model can predict a new URL’s category based on its “bag of words” representation. Basically, it can figure out the type of a given website by looking at words in the HTTP header payload—enabling businesses to implement robust filtering mechanisms. As they continuously learn and adapt, these systems ensure effective web access management in compliance with regulatory requirements and protect against inappropriate content. Key component of your GRC FrameworkURL categorization ties directly into the ongoing stampede of businesses trying to align their security posture with the Governance, Risk, and Compliance (GRC) framework. Governance Part of effective governance entails managing employee productivity. According to a recent study, if done right, each 1% increase in employee productivity can lead to a 1% increase in shareholder value. URL categorization helps businesses achieve this by restricting access to non-work-related websites, fostering a more focused work environment. Moreover, with clearly defined web governance policies, businesses don’t have to trust that employees will know how to navigate the web safely; instead, they can guarantee it! RiskIn addition to identifying and blocking access to sites known for hosting malicious content, phishing scams, or malware, and helping the security team prevent botnet callbacks, cross-site scripting, and so on, URL categorization can support incident response efforts by providing valuable information about the source of an incident. By analyzing URL access logs, organizations can trace the origin of malicious activities, identify affected systems, and take appropriate remediation measures to contain an incident and prevent further damage. ComplianceURL classification enables businesses to categorize websites associated with embargoed countries or containing content restricted by trade embargoes as high-risk or prohibited content. For example, financial institutions may use URL classification to block access to gambling websites to comply with regulations such as the PCI DSS. Similarly, it can assist in identifying and blocking access to websites hosted in jurisdictions with inadequate data protection laws or surveillance practices, in line with the Schrems II regulation. Lastly, URL classification and categorization systems can generate reports on web usage patterns, blocked sites, and compliance violations. This provides valuable data for compliance reporting purposes—a must-have capability required by many regulatory bodies. Where traditional approaches fall shortAlthough legacy approaches to URL categorization may have been effective in the past, they often fall short in addressing the complexities and scale of the modern web. 1. Lack of the secret (AI/ML) sauceManual URL categorization is nearly impossible in the new AI/ML-driven world order. A manual approach will quickly run into speed, cost, and scale constraints. Plus, different people may categorize URLs differently based on their personal biases, experiences, and interpretations, leading to inconsistencies and inaccuracies. 2. Size doesn’t matterOnce upon a time, IT teams boasted extensive lists of IPs and sources as an effective way to track and block network connections to malicious sources—the bigger the list, the better the flex. Not anymore. Firstly, these static lists are no match for the dynamic nature of the internet. Relying on IP block lists for categorization is bound to generate false positives and negatives. Secondly, many websites are hosted on shared hosting platforms or content delivery networks, meaning multiple websites may share the same IP address. Categorizing URLs solely based on IP addresses can lead to inaccuracies and misclassifications. 3. Boiling the oceanWhat if we crawl every web page, file, and link there is for malicious content? After all, ChatGPT does something similar to gather information. Maybe. However, crawling websites without permission may violate terms of service or copyright laws. Some websites explicitly prohibit web crawling through their robots.txt file or terms of service agreements. Web crawlers are ideally used in conjunction with other approaches, such as machine learning, keyword analysis, reputation systems, and human moderation, to achieve more accurate and comprehensive URL categorization. Zscaler AI/ML-Powered URL categorizationZscaler offers powerful URL categorization as a native feature of Zscaler Internet Access™, the world’s most deployed security service edge (SSE) platform, which includes industry-leading secure web gateway, data loss prevention, cloud-gen firewall, and more. Our powerful URL categorization leverages AI and machine learning to analyze uncategorised URLs in real time. Based on dynamic content analysis, ZIA then assigns appropriate categories, making sure policies are enforced consistently. This ensures that the majority of the URLs accessed via our cloud are categorized—in addition to expanding our URL categorization coverage and accuracy. How does URL categorization work?The user forwards internet-bound network traffic to the closest available Zscaler Service Edge (SE). The SE downloads the user policy from the Central Authority (CA) for inspection and processing of the URL. The next step is deciding whether the network traffic needs to be decrypted for SSL inspection inside the Zscaler cloud or not.If SSL inspection is disabled or not applied to that location, the HTTP request will be forwarded for URL filtering inspection. The Zscaler service intercepts the HTTPS request, and through a separate SSL tunnel, sends its own HTTPS request to the destination server and conducts SSL negotiations with the user’s browser, validating the certificate chain. Inside the Zscaler cloud, the URL filtering engine filters content by criteria, and the URL policies are evaluated and applied based on configuration. Predefined classes and super-categoriesZscaler provides a comprehensive hierarchy of categories, including Business & Economy, AI and ML applications, Social Networking, Entertainment, and many more. This lets you create granular policies, blocking, allowing, or monitoring access to specific categories. In addition to predefined categories, you can create custom categories based on URLs or IP addresses, keywords, and IP ranges. With URLs or IP addresses, you can block specific websites. With IP ranges, you can block a specific range of IP addresses for websites. With keywords, you can block websites based on any words that may appear in a URL. For example, you could block all websites with the term “gambling” in the URL. Zscaler URL categorization also enables ‌you to create policies based on top-level domains (TLDs). There’s more.In addition to all the features and capabilities just discussed, Zscaler AI/ML URL categorization also facilitates: Browser isolation: Zscaler Browser Isolation works in tandem with URL filtering to render websites in an isolated environment—protecting user devices from potential malware or exploits. Users can still interact with the content, but any malicious code is contained within the isolated session—also isolating uncategorized or unknown sites. Identification of newly created and revived domains: Zscaler can identify and categorize newly registered and revived domains that usually pose a higher security risk—preventing them from passing through traditional filtering methods. Safe search integration: Zscaler works with popular search engines to enforce safe search options. This helps users avoid encountering inappropriate content during web searches. Compliance with the Children's Internet Protection Act (CIPA): Zscaler classification aligns with CIPA regulations, ensuring a secure browsing experience for educational institutions and organizations that work with children. Embedded sites categorization: Our URL categorization engine can also identify sites that have been translated using translation service websites. Is your business planning to invest in URL categorization?Our experts can help you understand the options that best fit your unique requirements. Ready to start a conversation? To see our URL categorization in action, watch this demo. Fri, 10 May 2024 07:23:37 -0700 Nishant Kumar Cloud Native Secure Web Gateway: Adaptive Protection Legacy SWGs Can’t Match Rapid adoption of cloud-based apps and services has transformed business, enabling greater agility, scalability, and cost savings. But it has also introduced security challenges: countless new attack paths and a massive volume of threats. Detecting and stopping those threats at scale requires a new technology approach. Cloud native secure web gateways (SWG, pronounced “swig”) address these challenges, enabling organizations to protect their employees from malicious websites, malware, and other cyberthreats lurking in web traffic. In this blog, we’ll explore the weaknesses of legacy SWGs, the key components of a cloud native SWG, and how to choose an effective SWG to protect your organization in hybrid environments. Securing the hybrid workforce requires zero trustHybrid work is here to stay. The dynamic nature of modern work has shifted the boundaries of traditional offices‌, creating a new norm in which all companies must empower employees while protecting the organization from cyberthreats. This new norm also brings challenges in securing access to SaaS applications and the internet. Reliance on cloud-based applications and services has transformed business operations. However, it has also introduced new vulnerabilities that traditional perimeter-based security measures often fail to address. SaaS applications, the gateway to valuable data, are now accessed from anywhere, including beyond the confines of the corporate network. Distributed access increases the risk of unauthorized intrusions and data breaches. Therefore, it is imperative to adopt a zero trust security strategy, empowering users to securely connect to apps and the internet. The internet offers countless tools for a hybrid workforce, but it also provides an attack surface threat actors can use to target your organization. Malicious websites, phishing scams, and cyberattacks pose constant threats: a single click can compromise a device, potentially leading to the theft of sensitive data and wreaking havoc in an organization's IT infrastructure. A SWG is a key tool for defending against these internet-based threats. An effective SWG inspects and filters all internet traffic ‌at scale — encrypted or not‌ — and blocks malicious traffic. By blocking access to malicious websites and employing advanced inline threat detection, an effective SWG shields users from the perils of the internet and safeguards an organization’s sensitive data. Securing access to SaaS applications and the internet isn’t an option; it’s a necessity. A SWG stands as a cornerstone of a security strategy that provides organizations the ability to protect their sensitive information and stay compliant. Why legacy secure web gateways are failingMany security vendors offer a SWG deployed as an on-premises appliance or cloud-based service that supposedly simplifies management, maintenance, and upgrades. However, while these virtualized SWGs can operate in hybrid environments, they still share many of the disadvantages of their hardware predecessors. They were designed for a time when most applications were hosted on-premises and internet traffic was relatively simple. Today's cloud-based applications and services are distributed and use newer network protocols, making them much more complex. They also generate exponentially more traffic, creating challenges for virtualized SWGs based on legacy approaches: Lack of visibility and control to protect against modern threats: Legacy SWGs are often blind to encrypted traffic and unable to inspect it for malicious content. Since 95% of all internet traffic is now encrypted, inspecting it is essential. Can't keep up with innovations in cloud computing: New cloud-based apps and services are constantly being released, and legacy SWGs cannot quickly adapt to these changes, leaving organizations vulnerable to new threats. Too expensive to deploy and maintain: Legacy SWGs require specialized hardware and software, and they can be complex to manage, making them a poor fit for organizations with limited budgets or resources. In short, legacy SWGs are failing to meet modern organizations’ needs. Now, let’s look at what defines a cloud native SWG capable of securing today’s distributed workforce and applications. Key components of a cloud native secure web gatewayThe foundation of a cloud native SWG should be a zero trust architecture, combined with real-time threat intelligence, advanced threat protection, secure web browsing, data loss prevention, and AI/ML-based protection. Let’s briefly look at each of these: Zero trust architecture assumes all users and devices are untrusted and must be verified before being granted access to network-based resources. This is done by implementing strong authentication and authorization mechanisms combined with continuously monitoring user activity for suspicious behavior. Real-time threat intelligence provides up-to-date information about the latest threats, such as malware, phishing attacks, and zero-day vulnerabilities. Security teams use this information to block access to known malicious websites as well as identify and mitigate potential threats. Advanced threat protection uses various techniques, including sandboxing, URL filtering, and intrusion detection, to detect and block advanced threats such as malware, ransomware, and phishing attacks. Secure web browsing via browser isolation provides a safe and secure way for users to access the internet. This is done by blocking access to malicious websites and preventing users from downloading harmful content. Secure web browsing also prevents copy-and-paste of sensitive information into websites. Data loss prevention (DLP) stops sensitive data from being leaked or stolen. This is done by scanning all data that passes through the SWG for sensitive information, such as credit card numbers, social security numbers, and intellectual property. AI/ML-based protection uses artificial intelligence and machine learning to identify and block new and emerging threats. This is done by analyzing large amounts of data to identify patterns and anomalies that indicate a threat. By combining these key components, cloud native SWGs provide businesses with a comprehensive solution for protecting their users and data from internet-borne risks. Cloud native secure web gateway benefitsCloud native SWGs offer organizations several advantages over legacy SWGs, including: Enhanced security efficacy: Cloud native SWGs can identify and block the latest cyberthreats, including zero-day attacks and advanced persistent threats (APTs). They do this with real-time threat intelligence, sandboxing, ML, inline traffic inspection, and other security features. Improved performance: Cloud native SWGs are highly scalable and efficient, able to handle large volumes of traffic without compromising performance. They can also provide real-time protection to safeguard businesses against sophisticated threats. Reduced costs: Because they are easier to deploy and manage, cloud native SWGs are more cost-effective than legacy SWGs. Increased scalability: High scalability enables cloud native SWGs to easily accommodate traffic spikes. They can also be deployed in multiple locations, which can improve performance and reliability. Improved agility: Cloud native SWGs can be deployed and configured more quickly than legacy SWGs, as well as easily updated with new features and security patches. This allows businesses to respond quickly to changing threats and business needs. Choosing the right cloud native secure web gatewayTo choose a SWG that helps secure your cloud environment, consider these key factors: Robust security features: Choose a SWG that provides comprehensive security with zero trust architecture, multifactor authentication, and advanced threat protection. It should safeguard against malware, phishing attacks, and emerging cyberthreats. Inspection of encrypted traffic at scale without impacting the user experience: A cloud native SWG can inspect 100% of TLS/SSL traffic to find and stop threats—a must-have with 86% of threats now delivered over encrypted channels. Support for the latest network protocols: A future-proof SWG must inspect traffic using the latest network protocols, including IPv6 and HTTP/2, which support more robust security while enabling superior user experiences. IPv6 provides more efficient routing without the need for network address translation (NAT). IPv6 adoption stands at about 48% and growing, so your SWG of choice needs to support it. Superior performance and scalability: Consider the SWG's ability to handle your traffic without compromising speed or user experience. It should seamlessly scale its traffic inspection to accommodate demand, providing optimal performance even during traffic surges. Seamless integration: Look for a SWG that integrates effortlessly with your existing security toolset, including firewalls, intrusion detection systems, and security information and event management (SIEM) tools. This integration streamlines threat management and provides centralized visibility and control over your security posture. Cost-effective solution: Compare total cost of ownership, including licensing fees, maintenance costs, and ongoing support. Choose a solution that offers a cost-effective approach that delivers strong security. Real-world validation: Read customer reviews and case studies to gain insights into the practical experiences and benefits of using a particular cloud native SWG. This feedback can provide valuable information about reliability, performance, and customer satisfaction. Next-level web security with Zscaler SWGPart of the Zscaler Zero Trust Exchange™, our cloud native SWG provides comprehensive security services applied inline between your users, the web, and SaaS apps. By terminating every connection inline, inspecting all internet traffic, and applying a user-centric security and access policy, you can eliminate the attack surface, prevent compromise, stop lateral movement, and halt sensitive data loss. Our AI-powered SWG provides innovative features that legacy technical approaches can’t match: AI-powered proactive defense capabilities: Phishing detection: Detect and block patient zero phishing pages inline with advanced AI-based detection. Command-and-control (C2) detection: identify and stop attacks from never-before-seen botnets inline, including advanced evasion techniques. Browser isolation: Robust, proprietary AI models and one-click configurations automatically identify and isolate risky, suspicious, or malicious websites. Full TLS/SSL traffic inspection: Regardless of the network protocols used for the underlying data transport, Zscaler SWG can fully inspect traffic at scale while supporting protocols including IPv4 as well as the newer IPv6 and HTTP/2. Dynamic, risk-based access policies: Future-proof your defenses and stop active attacks with risk-based dynamic policies that continuously analyze content, domains/URLs, users, devices, and applications. Correlated threat insights: Drastically improve response times with contextualized, correlated alerts that provide insight into threat scores, affected assets, severity, and more. Cyber risk assessment: Automatically identify your organization’s risk based on configuration with integrated best practice recommendations to improve security posture. HTTP/2 inspection: Gain end-to-end performance improvements and maintain granular policy enforcement for all HTTP/2 traffic at scale. A proven cloud native SWG is a key part of an adaptive security service edge (SSE) that provides multiple security capabilities. Zscaler customers can take advantage of our AI-powered SWG that is included with all editions of Zscaler Internet Access™. Zscaler was named a Leader in SSE for the third consecutive year in the Gartner Magic Quadrant for Security Service Edge report. To further understand the capabilities of a leading SSE solution that includes a cloud native SWG, download your copy now. Wed, 08 May 2024 16:11:07 -0700 Brendon Macaraeg Level Up Your Digital Experience at Zenith Live '24 With Top Experts and Innovators In today's hybrid workforce, ensuring seamless productivity for users regardless of their location is crucial. However, troubleshooting can become challenging when users are not consistently in the same place. Many organizations resort to using multiple tools to address hybrid workforce issues, resulting in time-consuming efforts to correlate information, especially when network operations and service desk teams rely on different tools. It's time to take charge of your monitoring silos and optimize overall costs. Exciting news! Are you interested in discovering how to reduce costs and enhance end user experience through the power of AI, APIs, and industry best practices? Well, the highly anticipated Zenith Live '24 is just around the corner, offering a comprehensive agenda packed with valuable insights. Join us for this exceptional event! Attend Zenith Live to: Learn from industry experts and thought leaders about the latest trends and best practices Network with your peers and build valuable relationships to advance your career Join hands-on labs to enhance your technical skills and knowledge Be inspired to think creatively about the industry as a whole Zscaler Digital Experience Sessions at Zenith LiveZenith Live '24 presents a comprehensive array of sessions led by experts, aimed at assisting you in bolstering user productivity through Zscaler Digital Experience (ZDX). These sessions encompass best practices, live training and discussion, as well as hands-on demos, equipping you with the knowledge and skills to fully leverage the capabilities of the platform. Here are some ZDX sessions to look forward to: Trust Your Zero Trust Environment with Comprehensive Performance MonitoringZero trust architectures often shut out existing monitoring tools. When performance lags, the network often takes the blame. Learn how you can continuously monitor performance to get insights, detect issues, and expose root cause for faster resolutions. ZDX unifies monitoring silos Boosting Efficiency and Collaboration of IT Teams Using ZDX CopilotGenAI has amplified IT productivity. See how Copilot, your AI assistant, can help IT support and operations teams generate digital experience insights, troubleshoot performance issues, and even explore domain-specific topics by asking simple questions. Get instant answers with ZDX Copilot Ensuring 24/7 Availability of Your Apps Using Zscaler Hosted MonitoringCustomer-facing apps are an essential part of your business. See how to continuously monitor performance of these apps and services from Zscaler-hosted, globally distributed locations to optimize performance and ensure SLA compliance. Monitor web apps from Zscaler locations Successfully Deploying and Implementing Zscaler Digital ExperienceGain expert insights on the essential practices when deploying and operationalizing ZDX. This includes how to activate ZDX, configure policies, and alerts to unlock its full potential, enabling you to derive maximum value. Detect developing global and regional issues with ZDX Incidents dashboard Automate ITSM Workflows and Accelerate IT Resolutions Using AISee how AI can detect issues early and initiate IT tickets with root cause analysis to help IT support teams more quickly triage, escalate, and close tickets. Learn how ZDX can enable end users to fix Wi-Fi and device issues without submitting tickets. ServiceNow integration with ZDX APIs What's New: Innovations with Zscaler Digital ExperienceZscaler is revolutionizing user experience insights for customers. Join this session to gain a competitive edge by preemptively resolving potential issues with our latest advancements. Sign up now!Learn directly from our experts how to improve digital experiences while keeping your environment secure. Don’t miss your opportunity—seats fill up fast! Register for Zenith Live ’24 and sign up for the Zscaler Digital Experience (ZDX) sessions so you can hear it first! Zenith Live ’24 at the Bellagio | Las Vegas, NevadaJune 10-13Register now Zenith Live ’24 at the World Forum | Hague, NetherlandsJune 17-20Register now Fri, 10 May 2024 13:14:07 -0700 Rohit Goyal Introducing ZIdentity: Migrating Admins to a Centralized Identity Experience We are excited to announce upcoming customer migration for admins from the existing login experience across ZIA, ZPA, and ZDX portals to a centralized identity experience called ZIdentity. This migration marks a significant advancement in streamlining identity management and providing a seamless user experience for our valued customers. ZIdentity (formerly ZSLogin), our newly introduced centralized identity service, offers a range of benefits that enhance administrative efficiency and security. Let's explore some of these key benefits: Automated Identity Management: Identities can be managed using SCIM to automate the creation, entitlement assignment, and revocation of admins/users based on the identity data from identity providers. This automation reduces manual effort and ensures accurate, up-to-date user information. Centralized Entitlement Management: ZIdentity provides a centralized platform for managing admin roles and entitlements across all Zscaler services. Administrators can easily assign roles, control access based on source IP addresses, and streamline entitlement management. This centralized approach simplifies administrative tasks and ensures consistent access control policies. Streamlined Authentication: ZIdentity offers a unified authentication experience for administrators accessing Zscaler services. With a single set of credentials, administrators can seamlessly authenticate and access all admin consoles, eliminating the need for multiple login credentials. This centralized authentication enhances productivity and user convenience. Included Multifactor Authentication (MFA): ZIdentity includes built-in support for multifactor authentication for hosted users and SAML and OpenID Connect single sign-on for users that authenticate at external IdPs. By centralizing authentication and providing enhanced security features like MFA, ZIdentity enhances user productivity while ensuring the protection of your Zscaler zero trust environment. MFA for enhanced security is required by default and we strongly encourage customers to keep it enabled.In the absence of MFA, a compromised admin account could provide attackers with unfettered access, leading to data breaches and network infiltration that can impact your organization. Protecting access to Zscaler with centralized identity management that includes MFA is a proactive step toward enhancing overall security and maintaining the integrity of your critical systems and data. By migrating to ZIdentity, administrators can leverage these benefits to streamline their identity management processes, enhance security, and improve overall administrative efficiency. We have designed a more seamless solution that avoids disruption to admins. We will automatically upgrade some customers and for others we will provide a staging environment, depending on whether or not you use an external SAML identity provider for your admins. We understand that change can sometimes be challenging, but we are here to support you throughout the migration process. Our dedicated support team is available to address any questions or concerns you may have, ensuring a smooth transition to the centralized identity experience of ZIdentity. We are excited about the future of ZIdentity and the benefits it will bring to our administrators and users. Stay tuned for more updates and announcements as we continue to enhance our centralized identity solution. If you have any questions or would like more information about ZIdentity, please reach out to our support team. Mon, 06 May 2024 15:49:20 -0700 Eric Fazendin Zscaler Selects Red Hat Enterprise Linux 9 (RHEL 9) as Next-Gen Private Access Operating System What’s new?On June 30, CentOS 7 will reach end of life, requiring migrations in many software stacks and server environments. In advance of this, Zscaler has selected Red Hat Enterprise Linux 9 as the next-generation operating system for Zscaler Private AccessTM (ZPA). RHEL 9 is the modern enterprise equivalent to CentOS 7, backed by Red Hat, and supported through 2032. This continues ZPA’s proven stability and resiliency on open source Linux platforms and builds on 10 years of maturity on Red Hat Enterprise Linux-based derivatives. What’s more, this transition can be done with no impact to operations or user access. When will it be released?Pre-built images for all ZPA-supported platforms are targeted for release in May 2024. All ZPA images, including containers, hypervisors, and public cloud offerings, will be replaced with RHEL 9. This is the recommended deployment for all future App Connector and Private Service Edge components, and customers should begin migration immediately on release. For customers that manage their own Red Hat base images, Zscaler is targeting the end of April 2024 for release of RHEL 9 Red Hat Package Manager (RPM) software packages and repositories. New Enterprise OS Without Licensing FeesTo ensure an excellent experience for our customers, Zscaler will provide operating system licenses for all RHEL 9 images on supported platforms. This continues our commitment to secure, open source platforms without imposing additional licensing costs on our customers. We also understand the need for control over security baseline images that meet your security posture and will continue to provide RPM options through support of RHEL 8 and RHEL 9. These software packages are bring-your-own-license (BYOL) and won’t conflict with any existing Red Hat enterprise license agreements you may hold. CentOS 7 End of LifeThe CentOS Project and Red Hat will be ending the final extended support for CentOS 7 and RHEL 7 on June 30, 2024. While we aim to provide RHEL 9 support in advance of this date (and do currently support RHEL 8 with RPMs), we recognize that the transition is a large undertaking, affecting all enterprise data centers, and operations and will take time to transition over to new operating systems and software. In light of this, we want to provide ample time to migrate while considering the security implications of continuing to support an obsolete operating system. Zscaler will support existing CentOS 7 deployments, RPMs, and distribution servers until December 24, 2024. We are confident our ZPA architecture and design uniquely position us to continue to support CentOS 7 past its expiry date. See End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x for more details on CentOS EOL and the ZPA white paper for architecture and security design. While we have ample controls in place and the utmost confidence, there is always inherent risk in using an unsupported server operating system. Zscaler will not provide backported operating system patches during this transition, but will maintain the ZPA software and supporting security libraries. Lightweight and Container Orchestration ReadyFollowing Zscaler’s cloud-native and best-in-class zero trust approach, ZPA infrastructure components are designed to be lightweight, container ready, and quickly deployed. This allows App Connector and Private Service Edge the benefit of being scaled and migrated without worry for previously deployed instances or operating system upgrade paths. For these reasons, the migration best practice is to deploy new App Connectors and Private Service Edges. Zscaler does not provide direct operating system upgrade paths for currently deployed infrastructure components. In further support of this, we offer Open Container Initiative (OCI) compatible images for Docker CE, Podman, and Red Hat OpenShift Platform. These images as well as the public cloud marketplaces are fully ready for autoscale groups, supporting quick scale up and scale down. Migration and Support ExcellenceZscaler understands your concerns and will fully support you throughout this transition process. Our Technical Account Managers, Support Engineers, and Professional Services are ready to address all concerns related to migration. If a temporary increase of App Connector or PSE limits are needed in your environment to complete migration, there will be no extra licensing costs. Below are the steps to help you replace CentOS 7 instances with RHEL 9. The enrollment and provisioning of new App Connectors and Private Service Edges can be automated in a few steps using Terraform (infrastructure-as-code) or Container Orchestration to simplify deployment further. App Connector Migration Steps:Prerequisites: A fresh install should be used for all deployments The EL9 repository must be used with RHEL 9 base OS. Older platform binaries (EL7/EL8) are not supported The /opt/zscaler/var folder needs to be empty before install Yum upgrades from EL7/EL8 to RHEL 9 are not supported Requires ESXi version 7.0 Update 2 or newer, including ESXi 8.x Create new App Connector Groups and provisioning keys for each location(Note: Do not reuse existing provisioning keys as it will add the new RHEL 9 App Connectors to the old App Connector Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.) Make sure the Default version profile is inherited from the tenant default or set manually to the Default profile if using “Persist Local Version Profile” (Optional) If you have old App Connectors (el7/el8), please use the following commands before clearing contents of /opt/zscaler/var/ # systemctl stop zpa-connector # yum remove zpa-connector # rm -rf /opt/zscaler/var/* Follow the step-by-step guide to deploy new VMs using the upcoming RHEL 9 images and newly created provisioning keys. Ensure the yum repository is pointing to RHEL 9 Only RHEL 9 repositories and RPMs are supported on RHEL 9.) Add the new App Connector Groups to each respective Server Group (Optional) In the UI, disable the app connector groups five minutes prior to the regional off-hours maintenance window to allow connections to gradually drain down During regional off-hours, remove the CentOS 7 App Connector Groups Private Service Edge Migration Steps:Prerequisites: A fresh install should be used for all deployments The EL9 repository must be used with RHEL 9 base OS. Older platform binaries (EL7/EL8) are not supported The /opt/zscaler/var folder needs to be empty before install Yum upgrades from EL7/EL8 to RHEL9 are not supported Requires ESXi version 7.0 Update 2 or newer, including ESXi 8.x Create new Service Edge Groups and provisioning keys for each location(Note: Do not reuse existing provisioning keys as it will add the new RHEL 9 Private Service Edges to the old Service Edge Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.) Make sure the Default version profile is inherited from the tenant default or set manually to the Default profile if using “Persist Local Version Profile” (Optional) If you have old Private Service Edges (el7/el8), please use the following commands before clearing contents of /opt/zscaler/var/ # systemctl stop zpa-service-edge # yum remove zpa-service-edge # rm -rf /opt/zscaler/var/* Follow the step-by-step guide to deploy new VMs using the upcoming RHEL 9 images and newly created provisioning keys. Ensure the yum repository is pointing to RHEL 9. (Note: Only RHEL 9 repositories and RPMs are supported on RHEL 9.) Add trusted networks and enable “publicly accessible” (if applicable) on the new Service Edge Groups (Optional) In the UI, disable the Service Edge Groups 15 minutes prior to the regional off-hours maintenance window to allow connections to gradually drain down During regional off hours, remove trusted networks and disable public access (if applicable) on CentOS 7 Service Edge Groups Please reach out to your respective support representatives for further assistance and information as needed. For more information: Zscaler Private Access Website Zscaler Private Access | Zero Trust Network Access (ZTNA) End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x ZPA App Connector Software by Platform ZPA Private Service Edge Software by Platform Fri, 03 May 2024 00:14:43 -0700 Shefali Chinni Zscaler: The Digital Trail Guide to Moving Applications to the Cloud In the grand, often mazelike halls of healthcare IT, there exists a tale as old as time—or at least as old as the first digital patient record. A tale of valiant healthcare institutions, battling the dragons of legacy systems. Armed only with their wits and an arsenal of outdated hardware, they dream of a future where cloud applications reign supreme, data flows freely, and cyberthreats are but a whisper on the wind. Enter Zscaler, the digital trail guide ready to usher healthcare institutions from the treacherous slopes of legacy environments to the summit of modern, cloud-based nirvana. Zscaler is the Gandalf to your Frodo, minus the fireworks but with all the magic needed to secure your journey. Imagine, if you will, a realm where trust is as scarce as a straightforward EHR system. That's the principle behind Zero Trust Exchange. In the healthcare sector, where patient data is more precious than the One Ring, Zero Trust Exchange ensures that only the right people (and applications) can access the right resources at the right time, all while keeping the orcs (cyberthreats) at bay. Zscaler Internet Access: The Swiss Army KnifeVenturing into the vast wilderness of the internet without protection? Not on Zscaler's watch! ZIA is like your all-in-one cybersecurity Swiss Army knife, equipped with blades of content filtering, phishing protection, and malware defense. It ensures that when your healthcare institution reaches out to the vast digital beyond, you don't accidentally invite any internet gremlins back into your pristine digital environment. Instead of backhauling your security stack through your data center that you are trying to reduce, instead use Zscaler as your proxy architecture to get all these great security benefits without the latency of an on-prem stack. Zscaler Private Access: The Invisible Cloak for Your ApplicationsIn a world where applications yearn to be free (yet secure), ZPA acts as an invisibility cloak, allowing seamless and secure access to internal applications without exposing them to the dark sorcery of the internet. It's like having a secret passage in your digital castle that only your trusted knights and ladies know about, making sure your healthcare applications stay as protected as the Chamber of Secrets. This means no more connecting users to networks and having them get routed out to cloud services. Instead, connect them directly to their cloud applications, not the network! This means whether your users are in Helms Deep or flying in a plane, they will get to their application with the most direct path, creating a better experience. Zscaler Digital Experience: The Crystal Ball of ITWhat if you could predict IT issues before they impact patient care? ZDX is your crystal ball, offering insights into the health and performance of your digital ecosystem. It ensures that when a doctor video calls a patient, the only freeze they experience is in their smoothie, not the screen. With ZDX, IT headaches are diagnosed and treated faster than a case of the sniffles. This is especially important for all of those times that users will say, “that new security product is slowing things down, can’t we just disable it?!” Data Protection and CASB: The Gatekeepers of the CloudAs healthcare organizations embrace cloud platforms like O365 like a warm fire in the dead of winter, CASB stands guard at the gates, ensuring that only safe and compliant cloud applications are used. It's the discerning bouncer at the entrance of your digital nightclub, keeping an eye on shadow IT and making sure your cloud party doesn't get crashed by data breaches. Pesky sharing public links keeping you up at night? Not with Zscaler’s Data Protection platform. How about that weird S3 bucket that has access to much sensitive data in it? Not anymore! Conclusion: Your Journey AwaitsTransitioning from legacy systems to a modern, cloud-based healthcare IT environment is no small feat. It requires courage, determination, and a bit of digital magic—precisely what Zscaler brings to the table. With Zscaler's suite of solutions, healthcare providers can embark on their cloud journey with confidence, knowing they're equipped to tackle whatever cyberthreats or IT challenges lie ahead. Wed, 01 May 2024 20:52:04 -0700 Steven Hajny Zscaler for Users - Essentials Learning Path: Your Gateway to Mastering Zero Trust Security Tired of accidental misconfigurations leaving your cloud security vulnerable? A recent CIO magazine article rings the alarm bell: 99% of cloud security failures will be linked to human error by 2025, largely due to misconfigurations. The culprit? A growing skills gap between security professionals and the ever-evolving cloud landscape. Zscaler steps in to bridge the gap with the groundbreaking Zscaler for Users - Essentials learning path! This skills gap between security professionals and the tools they use is why Zscaler, a leader in the Gartner®️ Magic Quadrant™️ for Security Service Edge (SSE), announced the Zscaler for Users- Essentials learning path. This comprehensive training program equips network and security professionals with the expertise to configure the industry-leading Zscaler Zero Trust Exchange™️ flawlessly, fortifying your organization's security posture. A clear step-by-step approach was adopted when designing the training for students learning how to implement the Zscaler Zero Trust Exchange. This starts with the configuration of user identity and verification, then moves up the stack with basic platform services, cyber threat prevention services, and data loss prevention services. Finally, it completes the picture with Digital Experience Management and monitoring services. Developed to be relevant for today’s learning environment, the curriculum features digital self-paced e-learning. This is followed by instructor-led, hands-on labs, ending with a proctored certification exam to validate the knowledge, skills and abilities required to deploy the Zscaler Zero Trust Exchange. Set yourself up for success on exam day with our free downloadable ZDTA Study Guide, your go-to resource to prepare for your exam! This industry-leading certification equips network and security professionals with the expertise to confidently deploy the Zscaler Zero Trust Exchange™️. Ready to take your skills to the next level? Register here for the Zscaler for Users - Essentials Learning Path, and start the journey to your Zscaler Digital Transformation Administrator (ZDTA) Certification. For our first hundred readers, please use the following code to get a 50% discount on the ZDTA exam registration: 319x63cm9m3ju Fri, 03 May 2024 03:00:01 -0700 Prameet Chhabra How Zscaler is taking our partner marketing commitment to the next level Introducing the All-New Partner Demand Center, your launchpad for marketing with ZscalerFor the past 12 months, Zscaler has transformed our partner program, empowering our partners to thrive in the cloud security market and establish themselves as trusted advisors. As our partners continue to select and invest in Zscaler as the leading Zero Trust and AI vendor in their portfolio, we too continue to invest in better tools and resources for our partners. Today, May 1st, that investment continues as Zscaler goes live with an upgraded Partner Demand Center (PDC), our marketing platform exclusively for Zscaler partners. The new PDC will make it easier than ever to build awareness, attract prospects, and generate sales pipeline with Zscaler. Accelerate your marketing impact with turnkey Zscaler campaigns that drive outcomes for your business We continuously collect feedback from partners on what you need to better improve your marketing with Zscaler. With the launch of the new PDC, we’re excited to bring you: An all-new platform experience, tailored to your needs, with multi-language support and AI capabilities to help you execute faster New campaigns aligned to customer use cases that are relevant and important for your customers, so you can uncover more opportunities Choose your own tools – You can execute campaigns in the platform using the built in automation tools, download the campaign materials to use on your own, or leverage our Concierge team to run campaigns for you Launch from your own platform – Integrate the PDC with your tech stack, including Zoom, Webex, Eloqua, and Salesforce/Pardot More personalized collateral – Instantly add your brand and contact info to Zscaler collateral, including images and video! Assign leads for sales follow-up – Got a hot lead from a marketing campaign? Assign it to your sales rep right from the platform Enhanced social reach – Post social to both your corporate and personal social accounts for more impressions and brand reach Create your own events – Stand up a registration page and email invitations in minutes Marketing tactic execution guidance – Executing activities is easier than ever with wizards that guide you through each step And more! White Glove Support from our Concierge Team Although the platform is easy to use, we recognize that your time and resources are often in short supply. Our Concierge team is available to give you additional support navigating the platform and executing marketing activities and tracking. It’s like having an extra headcount, at no cost to you! Located in North America, Latin America, EMEA and APJ, our Concierge team offers multi-language support in English, Spanish, Italian, and Portuguese. Contact your Concierge for a guided tour of the new platform, personalized to your needs, and even help executing your first activity or campaign. Get Prizes for Marketing on the PDC – Including a Chance to Win $2,500 in Marketing Funds! To help you get started, we are offering prizes to all partners who onboard and execute marketing activities on the PDC in Zscaler’s fiscal Q4 (May 1-July 31, 2024). Do each of the following items to win a prize pack of premium Zscaler swag and be entered to win $2,500 towards a marketing program with Zscaler! Post a social post Customize a Zscaler showcase page Execute an email campaign to at least 250 recipients Find out more about this incentive Join our Upcoming Webinar for PDC Best Practices Whether you are a value-added reseller or a global service provider, we have tools that can make your job easier. Join our webinar on May 23, 11:00 AM — 12:00 PM EDT to get tips and tricks on how to get the most out of the new platform. Register for this webinar: Register for AMER/EMEA Register for APAC Start Using the New PDC! To log in, visit and click “Login via SSO” to use your Zscaler Okta credentials. If you do not already have Okta credentials, you can apply for them on the partner portal here: It’s a new era of partnership and growth at Zscaler, and we continue to invest in bringing you the best tools and resources in the market. With the new Partner Demand Center, we are furthering our efforts to help our partners reach their maximum potential with Zscaler. Wed, 01 May 2024 05:28:32 -0700 Sarah Peters Enabling the Secure use of AI in Government Artificial intelligence (AI) and machine learning (ML) tools hold the potential to transform governmental and public-sector organizations. Indeed, such technologies promise to reshape how public sector entities deliver services, drive innovation, and even address societal challenges at large. For many governmental organizations, the initial AI charge has centered around popular tools like ChatGPT, which itself is the most-leveraged AI application by the public sector. At the same time, generative AI has become something of a double-edged sword: even as AI/ML tools enable rapid innovation and increase productivity, they also come with several key risks. For public-sector organizations, these risks typically fall into two categories: the internal risks of leaking sensitive data, securely enabling generative AI tools, and providing high-quality training data; and the external risks posed by threat actors and nation-state-backed groups who are leveraging AI tools to launch cyber attacks at unprecedented speed, sophistication, and scale. To get a pulse on these opportunities and challenges with GenAI, Zscaler recently published the Zscaler ThreatLabz 2024 AI Security Report, which examined more than 18 billion AL/ML transactions across the Zscaler Zero Trust Exchange™, the world’s largest inline security cloud. The report details key AI usage trends among large organizations, provides best-practice guidance on security AI adoption, and dives into the AI threat landscape, with real-world AI attack case studies. AI tool usage is surging across the board Across every sector, ThreatLabz saw AI/ML transactions grow by nearly 600% from April 2023 to January 2024. Here, ChatGPT led the charge, representing more than half of all AI/ML transactions over this period. Paired with this surge in AI adoption, organizations are taking proactive measures to protect their critical data and secure the use of generative AI. Most often, enterprises take the critical first step of blocking risky transactions to particular AI applications and domains. Indeed, ThreatLabz observed a 577% rise in blocked transactions over nine months, indicative of growing data security concerns. Overall, ChatGPT was the most-blocked application — despite, or perhaps because of its high level of visibility and deep market penetration. Key Public Sector AI TrendsAmid this AI surge, government entities across the world are integrating AI and ML tools into their operations to improve service delivery and policymaking. Overall, applications like ChatGPT and Drift are witnessing the highest adoption by the government. These applications, in particular, can help public entities ‌engage more effectively with citizens and deliver more impactful programs. For instance, AI chatbots and virtual assistance can make it significantly easier for citizens of all walks to access essential information and services. Yet, in some ways, government AI adoption reveals a security contradiction: despite being a top 10 driver of AI/ML transactions in the Zscaler cloud, this vertical blocks just 6.75% of AI transactions. In other words, the government sector has been significantly more permissive around AI tool use than other verticals. The global average for blocked AI/ML transactions is 18.5%, for instance, while the finance and insurance sector blocks a full 37.2% of transactions. It will be essential for governments worldwide to establish AI regulatory frameworks and governance mechanisms to help organizations navigate these challenges while enabling responsible AI development. Indeed, many policymakers across the globe are already taking concrete steps to address these concerns. At the same time, the education sector has rapidly adopted AI as a valuable learning tool. In similar fashion as the government sector, however, education institutions block a comparatively low 2.98% of AI/ML transactions. In both sectors, as AI adoption grows, data privacy concerns are likely to escalate, prompting organizations to implement more robust, technology-based data protection measures. AI is driving public sector innovation… and new cyber threats As public-sector organizations align around the transformative value of AI, new use cases abound: AI chatbots can ‌provide public citizens with faster, more intuitive access to critical services and information, particularly across sectors like public transportation, public health, and education. Meanwhile, AI-driven data analysis can help governmental employees, researchers, and policymakers alike to make better data-driven decisions and glean faster insights from data at scale. At the same time, cybercriminals and state-sponsored threat groups are leveraging AI-driven techniques to orchestrate highly sophisticated attacks at an unprecedented speed and scale. As AI-driven threats like deepfakes and vishing attacks make international headlines, the proliferation of many kinds of AI-powered cyberthreats pose particular cybersecurity challenges for the public sector. These range from end-to-end phishing campaigns, to AI reconnaissance and automated code exploitation, to polymorphic ransomware, and more. To avoid the substantial economic ramifications and supply chain risks of these attacks, public sector organizations must take proactive measures to safeguard critical infrastructure and sensitive information while enabling the safe usage of AI. Governments and enterprises alike are responding accordingly: Policymakers worldwide are actively developing regulatory frameworks to govern the responsible and secure use of AI. The U.S. Justice Department, meanwhile, appointed its first Chief AI Officer, in light of these trends. At the same time, AI is becoming a cornerstone of cybersecurity strategies and spending, empowering organizations to deliver greater protection and improve their ability to adapt to a dynamic threat landscape. Enabling the secure use of AI in governmentAs public-sector organizations harness the transformative power of generative AI, it will be essential to prioritize the protection of critical infrastructure, sensitive data, citizens' information, and students' privacy. Here, institutions will need to follow established best practices to secure the use of generative AI with robust data protection measures. Meanwhile, the government sector must also work to leverage AI as part of cyber defense strategies, as nation-backed threat groups and cybercriminals use these same technologies to launch more targeted attacks at scale. For the complete findings and best practices to securely embrace AI transformation, download the ThreatLabz 2024 AI Security Report today. Mon, 29 Apr 2024 12:42:15 -0700 Adam Ford Cisco ASA Firewall Vulnerability: What to Do When Security Is a Target The Year of the Dragon has seen some notable events so far: a total eclipse, Facebook’s 20th anniversary, and another Taylor Swift streaming record. But 2024 has also become the Year of the Hardware Vulnerability, with multiple VPNs and firewalls suffering zero-day vulnerabilities that bad actors are actively exploiting. On April 24, Cisco issued a warning that a nation-state supported threat actor had compromised its Adaptive Security Appliances (ASA). ASA integrates a firewall and VPN with other security features. This campaign, known as ArcaneDoor, involved the exploitation of two zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359) that targeted government networks worldwide. The threat actor deployed two backdoors: Line Dancer allowed them to run custom malware in the memory of network appliances, spy on network traffic, and steal data. Line Runner gave them persistent access to target devices, even after reboots or updates. As of this writing, the initial attack vector is unknown. This hacking campaign may be targeting devices other than the ASA, exploiting other unknown flaws to access and exploit the Cisco ASA vulnerability. Another day, another CVECisco’s disclosure and warning about the ArcaneDoor hacking campaign comes at a time when critical CVEs have been identified for Ivanti, SonicWall, Fortinet, Palo Alto Networks, and other Cisco VPN solutions. This recurring pattern highlights a concerning trend: threat actors are specifically targeting security appliances like firewalls and VPNs, exploiting their vulnerabilities in an attempt to gain access to the very environments they are designed to protect. These attacks indicate that the issue is not limited to any one vendor. Rather, it is the underlying legacy architecture of the devices that makes them lucrative targets. Decoding the architectural flawsThe big question on security and network architects’ minds today: why are perimeter-based security and hub-and-spoke network architecture susceptible to attacks? Decades ago, firewalls and VPNs were vital parts of an organization’s security. Employees mainly worked in offices, there were no smart lights or smart printers, and sophisticated cyberattacks on employees were more fiction than reality. Today’s complex, advanced cyberattacks weren’t yet widespread. Today's organizations are highly distributed and dynamic. The internet is the corporate network, with users, workloads, and IoT/OT devices connecting from various locations. By design, firewalls and VPNs have public-facing IP addresses that sit on the public internet so authorized users can traverse the web and find the entry points into the organization’s environment. This architectural flaw is where the problem lies: anyone, including threat actors, can discover these entry points. Even more concerning, everything within a traditional network is considered "trusted." This enables threat actors to establish a foothold in the network and move laterally, compromising the entire environment. How to protect yourself with zero trust securityThe best defense against zero-day attacks is to embrace zero trust security. Zero trust architecture is inherently different from traditional architectures that rely on firewalls and VPNs. Based on the principle of least privilege, it minimizes the internal and external attack surface, terminates and fully inspects all connections, and establishes one-to-one connectivity between authenticated users and applications without exposing the enterprise network. An effective zero trust approach drastically reduces the risk of successful exploits as well as the impact of a compromise. A cloud native, proxy-based zero trust architecture like the Zscaler Zero Trust Exchange: Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses. It allows no inbound connections and hides applications behind a zero trust cloud. Stops compromise by inspecting all traffic, including encrypted traffic, at scale. This enables policy enforcement and real-time threat prevention. Eliminates lateral threat movement by connecting entities to individual IT resources instead of the entire network. Blocks data loss by enforcing policies across all potential leakage paths, including encrypted traffic. This ensures the protection of data in motion, at rest, and in use. Best practices to protect against zero-day attacksThe Zscaler ThreatLabz research team recommends these best practices to protect your organization against exploits: Minimize the attack surface. Make applications (including vulnerable VPNs) invisible to the internet, ensuring that attackers cannot gain initial access. Prevent initial compromise. Inspect all traffic inline to automatically stop zero-day exploits, malware, or other sophisticated threats. Enforce least-privileged access. Restrict permissions for users, traffic, systems, and applications with identity and context, ensuring only authorized users can access named resources. Block unauthorized access. Use strong multifactor authentication (MFA) to validate user access requests. Eliminate lateral movement. Connect users directly to applications, not the network, to limit the blast radius of a potential incident. Shut down compromised users and insider threats. Enable inline inspection and monitoring to detect compromised users with access to your network, private apps, and data. Stop data loss. Inspect data in motion and at rest to prevent active data theft during an attack. Deploy active defenses. Use deception technology with decoys, and perform daily threat hunting to derail and stop attacks in real time. Test your security posture. Obtain regular third-party risk assessments and conduct purple team activities to identify and fix gaps in your security. Ask your service providers and technology partners to do the same, and share findings with your security team. The road aheadThe increased targeting of VPNs and firewalls by threat actors highlights the flaws of traditional perimeter-based architectures. With lucrative gains to be had, these attacks will continue. Organizations must prioritize patching critical vulnerabilities as soon as possible. However, to truly stay ahead of zero-day attacks, adopting zero trust is the most effective approach. A zero trust architecture will enable organizations to minimize the attack surface, enforce strict access controls, and continuously monitor and authenticate users and devices. This proactive approach to security will help mitigate zero-day risks and ensure a more robust, resilient defense in the future. References If you’re concerned about how these vulnerabilities could affect your organization, contact us at [email protected] for a free external attack surface assessment as well as an expert consultation on how you can migrate from legacy architectures to zero trust. Fri, 26 Apr 2024 10:16:35 -0700 Apoorva Ravikrishnan Step Into the Future of ZDX with 3 Exciting New Features: ZDX Copilot, Data Explorer, and Hosted Monitoring! Many organizations face challenges supporting a distributed workforce, and pressure on IT resources continues to increase. Zscaler is relentlessly focused on enhancing our Digital Experience platform to empower IT operations and service desk teams to deliver the best end user experiences for their distributed workforces. Not long ago, we announced an ML-based Root Cause Analysis feature that helps IT teams quickly discover the root cause of issues. Using AI and ML for precise issue detection and root-cause analysis helps teams swiftly resolve support tickets by reducing mean time to resolution (MTTR) and mean time to detection (MTTD). We’re very excited to introduce three new advancements that will further assist IT teams in improving efficiency, visibility, and collaboration across IT operations, service desk, and security teams. ZDX Copilot: Revolutionizing IT Operations with AI The ZDX Copilot is an AI-driven virtual assistant designed to simplify and enhance IT operations through an advanced conversational interface. By integrating AI into the core of our network operations tools, ZDX Copilot allows users to interact with their systems using natural language. ZDX Copilot taps into the power of pre-trained LLMs to provide a conversational interface and interpret questions within the context of ZDX. “Show me the user experience for Hiren” Copilot links symptoms (e.g., network drops) to potential causes (Wi-Fi issues, network latency, etc.) and leverages historical data to enable accurate diagnostics. The large language model (LLM) uses input from time series data like the web probes, CloudPath probes, device events, process stats, and hundreds of other time-series metrics to help with the analysis. How It Works The IT admin initiates the conversation with the Copilot: "Could you please look at this user and find out the root cause of the bad score?" The LLM then collaboratively examines the data from various angles, asks clarifying questions if needed, and provides its analysis. Copilot Workflow Initiated Query: An IT admin starts the analysis by asking the LLM (in natural language) to analyze a particular data point. For instance, "Why is John Doe having poor sharepoint experience?" Automated Data Retrieval: The system fetches the data pertaining to the query (in this case for the specific user John Doe) and presents it to the LLM. Analysis by LLM: The LLM processes the data and provides the output/analysis to the ZDX admin. Drill Down: The admin can further ask the LLM to drill down into specifics. For example, "Tell me more about the network slowness observed.” Here are a few examples of the types of questions an ZDX admin could ask the Copilot: "Which users are having a poor Wi-Fi experience?" "Show me John Doe’s CPU utilization" “Troubleshoot the user experience for Linda Lucas” Let’s go through an example: I am asking ZDX Copilot to troubleshoot my user experience: “Troubleshoot Vikas Srivastava’s experience for the last 24 hours” Since in this case I have two devices; Copilot asks me about the device I would like to run the troubleshooting for. After that, it fetches the data from ZDX and provides a detailed analysis of the user experience for me and outlines possible causes that could be impacting my ZDX score. From here, I went to the ZDX user details page to search for the issue impacting my Wi-Fi. In doing so, I can validate what Copilot told me about my Wi-Fi and take remediative actions. Now take a step back and think about how much time it took me to merely ask a question in a conversational manner to Copilot and get to the root cause of the problem. The amount of time ZDX could save for your IT teams and helpdesk is substantial. Take a look at this analysis we did on the financial savings it could provide to you. ZDX Hosted Monitoring: Continuous Network Performance Monitoring Expanding on our robust monitoring solutions, Zscaler Hosted Monitoring offers a service that operates continuously across multiple vantage points worldwide. This feature is designed to monitor and benchmark network performance, providing a seamless, comprehensive overview of your network's health and activity. Zscaler Hosted Monitoring The Zscaler Zero Trust exchange is distributed across more than 150 data centers on six continents, enabling users to access services securely from any device, any location, and over any network. You can now monitor the performance of your business-critical and customer-facing services 24/7 from these locations. With this continuous monitoring, you can apply: Application availability monitoring: Ensure that your external applications perform at their best, no matter where your customers are located Circuit monitoring: Ensure SLAs for applications and services you purchase from SaaS, cloud, data center, or network providers Performance monitoring: Confidently roll out new applications or expand into new regions as your business grows organically or by M&A Vantage PointA geographical location from where monitoring probes originate from. At launch, the available vantage points locations include::San Jose Washington DC Chicago Frankfurt Zurich Amsterdam With more to be added in the future, these strategic locations ensure that Zscaler Hosted Monitoring covers a broad spectrum of the network landscape, offering diverse insights into global network performance. Getting started with Hosted Monitoring is straight-forward Collections: Under the Configuration section of ZDX Hosted Probes, we have Collections, a grouping mechanism for the probes you would configure for the monitored destinations. For example, you could have a collection dedicated to mission-critical applications, one for HR, another one for Finance, etc. Hosted Monitoring Configuration Looking at the Metrics From the Zscaler Hosted Monitoring dashboard, you can analyze the time-series data collected from various vantage points. You can even select a specific vantage point of interest and see the metrics from that vantage point’s perspective. Zscaler Hosted Monitoring Dashboard Once you select a data point on the scatter plot, you get detailed insights like DNS response times, TCP connect times, SSL handshake times, server response time, time to last byte (TTLB), page fetch time (PFT), the time series data for the web, and CloudPath along with specifics for the probe data like DNS response times. From the waterfall details below; you can exactly see the time distribution of the different measured metrics (page fetch time, SSL handshake time, etc.) and easily understand the attribute of the page load which is taking the most time. Zscaler Hosted Monitoring Metrics Now let's look at the CloudPath data. Below are all the ISP paths detected to the configured destination (on different DNS resolutions). You can see the ISP information; latency between different hops to quickly pinpoint bottlenecks (highlighted in yellow). ZDX Data Explorer: Advanced Data Querying and Reporting ZDX Data Explorer is a sophisticated tool that enables detailed data analysis and reporting. Users can customize queries and generate reports based on various selectable fields such as applications, metrics, and grouping or aggregation preferences. This flexibility supports a detailed examination of data to uncover operational insights and trends. While building your query, you can select the Applications you are interested in and the specific metrics you would like to report on, such as: ZDX Score Device Count User Count DNS Time Page Fetch Time Web Request Availability Latency Packet Count Packet Loss Number of Hops You can group these by Applications, Zscaler Locations, Geolocations, Departments Data Explorer is valuable for engineers and managers: Engineers can troubleshoot problems by comparing similar services or applications to expose differences and anomalies across time managers and leaders can analyze trends that show how the team has achieved their KPIs, or uncover areas for optimization. Conclusion With these new capabilities, your teams can rely on Copilot as their AI assistant to ask and get answers to all your app, network, and device performance questions; use Hosted Monitoring to ensure that no customer or employee suffers from a poor digital experience; visualize trends with Data Explorer to troubleshoot issues, or to quantify IT’s contributions to optimizing digital experience, and, thereby, improve business results. To learn more about these innovations, watch our webinar, sign up for a demo, and review the latest features today! Thu, 25 Apr 2024 04:26:01 -0700 Vikas Srivastava How the Zscaler SaaS Security and Data Discovery Reports Are Healthcare’s Superheroes SaaS Security Report: A Not-So-Secret Identity Imagine a world where the heroes don't wear capes, but wield reports. And not just any reports: we're talking about the Zscaler SaaS Security Report, a document powerful enough to illuminate the darkest corners of healthcare organizations’ IT environments. Picture shadow IT as a quirky sidekick who means well but always ends up downloading rogue software that promises to “make work easier” or “automatically order pizza on Fridays.” Shadow IT is like the friendly custodian who “helps” organize your supply closet, and then you suddenly can't find your gloves or the superhero bandages for the pediatric patients. They’re there somewhere, hidden behind the paper towel rolls on the top shelf. Enter Zscaler, swinging in to reveal these well-intentioned but potentially hazardous endeavors. By identifying unsanctioned apps and services, the SaaS Security Report helps healthcare organizations wrangle the chaos, securing the network while still allowing for innovation (and maybe the occasional pizza). Data Discovery Report: The Unsung HeroOn the other side, we have the Data Discovery Report. This is our answer to the eternal question: “Where did I leave that incredibly sensitive patient data?” Think of it as the healthcare organization's memory enhancer, ensuring that no piece of critical information ends up in the wrong hands or, worse, on a USB stick in the washing machine. This report is like an organizational expert for data, categorizing and securing it in ways that would make any mom proud. It tells you exactly where your data lives, breathes, and occasionally goes out for a walk, making sure it's always safe and sound. It's particularly adept at flagging data that's decided to take an unscheduled vacation outside the secure confines of the healthcare network—like when your staff decide “Print to PDF” isn’t working, so they use a free converter they find on the internet. With the Data Discovery Report, you can see exactly who did that and which files they uploaded. The Dynamic Duo's AdventuresTogether, the SaaS Security Report and the Data Discovery Report are the dynamic duo of the healthcare IT world, fighting data breaches and compliance issues with the power of insight and analysis. They roam the digital corridors of hospitals and clinics, doing their part to keep patient data as secure as the pharmacy. Episode 1: The Case of the Vanishing Patient RecordsIn this thrilling adventure, our heroes face mysteriously disappearing patient records. The SaaS Security Report, with its keen eye for detail, finds that a well-meaning staff member has been using an unsanctioned cloud storage service to make their work “more efficient.” Meanwhile, the Data Discovery Report, always the detective, pinpoints exactly which files went on this unauthorized excursion. Episode 2: The Saga of the Shadowy SoftwareThis time, a shadowy figure has infiltrated the network with software promising to “revolutionize patient care.” Spoiler alert: it created a gaping security hole instead. But fear not! With the help of the SaaS Security Report and Data Discovery Report, IT staff quickly unmask the rogue application. The Moral of the StoryIn the end, the Data Discovery Report and SaaS Security Report don't just increase a healthcare organization's security posture—they do it with flair, bringing a smile to even the most overworked IT professional's face. You can now see exactly which apps your users are using so that you can create policy, or see if someone is taking data they shouldn’t and uploading it to a mysterious source. With these two reports, your IT team can perform even greater feats of heroism. Want to know more? Visit our Healthcare page! Tue, 16 Apr 2024 13:59:17 -0700 Steven Hajny Why You Need a Proven Platform for Zero Trust Organizations need a proven platform for zero trust. But before we dive into why that is the case, we must first answer two important questions. What is zero trust? Zero trust is a distinct architecture that provides secure connectivity based on the principle of least-privileged access. It inherently prevents excessive permissions, and gives users and entities access only to the specific IT resources they need in order to do their jobs. On top of that, zero trust means analyzing context to assess risk and determine whether or not to grant access, rather than using identity alone to do so. This is all achieved through a cloud platform that delivers zero trust connectivity as a service at the edge—meaning from as close to the end user as possible. In short, think of a zero trust platform as an intelligent switchboard. Figure 1: Zero trust architecture with Zscaler What is zero trust not? Yesterday’s perimeter-based architectures are built on firewalls and VPNs, which connect users to the networks that house resources rather than connecting them directly to the resources themselves. A commonly used name for such an architecture—castle-and-moat—illustrates the way that it is designed to function. That is, establishing a moat (perimeter) around a castle (network) in order to keep bad things out and good things in. However, if a threat makes it past the moat, there’s no second line of defense to prevent the threat from entering the castle and having free rein to move about within it. In security terms, we call this lateral movement—when a threat moves across network resources unrestricted. To read more about lateral threat movement and other shortcomings of perimeter-based architecture, you can read this ebook. Figure 2: Perimeter-based architecture Now that we understand zero trust as a distinct, cloud-delivered architecture, let’s return to our original point that organizations need a proven platform for zero trust. Namely, a vendor’s zero trust offering must be proven across the three key areas described below. Scalability When all of an organizations’ traffic is routed through a zero trust vendor’s cloud for security and connectivity, that cloud platform becomes a mission-critical service that must have the scalability necessary to ramp up with customers’ evolving traffic volumes in real time. Without it, organizations’ security and connectivity grind to a halt, taking productivity down with them. Additionally, a lack of scalability means that encrypted traffic typically goes at least partially (and sometimes completely) uninspected. This is because inspecting encrypted traffic is a resource-intensive process that requires a high level of performance. With 95% of web traffic now encrypted—and cybercriminals hiding 86% of their attacks within it—organizations must be able to inspect encrypted traffic at scale if they are to stop threats and data loss. One may assume that these scalability challenges only arise for larger organizations, but that is untrue. Without a proven zero trust platform that can scale, smaller organizations can also face these challenges, particularly as their businesses grow and their vendors need to ramp up services seamlessly. In other words, organizations of all sizes need a zero trust platform built on a cloud with proven scalability. Something you may not know about Zscaler is that our name stands for “zenith of scalability.” Since our company was founded, we’ve been committed to delivering unrivaled performance. The Zero Trust Exchange, the name of Zscaler’s zero trust platform, is the world’s largest inline security cloud. It boasts a variety of statistics and proof points that demonstrate its massive capacity for scale: 150 data centers worldwide (not merely on-ramps or vPoPs) 400 billion requests processed each day 500 trillion telemetry signals analyzed daily 9 billion incidents and policy violations prevented each day 150 million cyberthreats blocked daily 250,000 unique security updates implemented each day So, when it comes to choosing a zero trust platform, why settle for anything less than the zenith of scalability? Figure 3: A snapshot of some of Zscaler’s data centers around the world Resilience Business continuity planning for mission-critical services is a board-level priority for IT leaders. As mentioned previously, a zero trust platform’s strategic inline position between users, workloads, apps, and more, makes it a mission-critical service. As such, organizations need to know that unforeseen events won’t disrupt their vendor’s services; otherwise, security, connectivity, and productivity will all suffer. Zscaler Resilience is a core component of the Zero Trust Exchange. It is a complete set of resilience capabilities that offers high availability and serviceability at all times. Customer-controlled disaster recovery features and other robust failover options ensure uninterrupted business continuity, even during catastrophic events. Zscaler offers the following capabilities for the following scenarios: For minor failures, such as node crashes or software bugs, Zscaler can effectively handle the issues with minimal customer interaction. In the event of brownouts or service degradation issues, Zscaler Resilience offers dynamic, performance-based service edge selection, customer-controlled data center exclusion, and other failover mechanisms to maintain seamless experiences for users. For blackouts or severe connectivity issues, Zscaler provides failover options to redirect traffic to secondary Zscaler data centers nearby, ensuring that users can continue to access mission-critical applications. If there are catastrophic events, Zscaler Resilience provides customer-controlled disaster recovery capabilities, allowing organizations to keep their operations running by routing traffic to private service edges and restricting access to critical applications. Figure 4: Zscaler Resilience functionality A history of customer success In addition to scalability and resilience, zero trust platforms must have demonstrated success with actual customers using their services. Organizations need to see the success stories of customers that are similar to them in terms of size, industry, and their security and connectivity challenges—only then should they trust their vendor of choice. This is particularly true for bigger organizations because they need evidence that a zero trust platform can handle larger volumes of traffic and more rigorous performance requirements. At Zscaler, we have a litany of customer success stories available on our website in the form of videos, blogs, case studies, and press releases. Our company has demonstrated success with organizations of all sizes and in all geographies—from small, 100-user organizations like the Commonwealth Grants Commission in Australia, to those with hundreds of thousands of users, like Siemens in Germany, and beyond, to the New York City Department of Education and the 1 million users it secures with the Zero Trust Exchange. Here are some more facts and figures that demonstrate our customers’ trust and belief in our platform: Nearly 8,000 customers of all sizes, industries, and geographies Over 41 million users secured by the Zero Trust Exchange A Net Promoter Score of more than 70 (the average SaaS company’s is 30) More than 40% of the Fortune 500 are customers More than 30% of the Global 2,000 are customers Below are some of our customers across a variety of industries. Each logo is associated with a public-facing customer success story that can be found on our website by typing the customer’s name into the search feature. Figure 5: A snapshot of some Zscaler customers Where to go from here If you are still getting your feet wet with zero trust and would like to listen to an entry-level discussion on the subject, register for our monthly webinar, Start Here: An Introduction to Zero Trust. You may also want to read our ebook, 4 Reasons Firewalls and VPNs Are Exposing Organizations to Breaches. Or, if you would like to learn more about Zscaler Resilience and how the Zero Trust Exchange provides uninterrupted business continuity to customers, read our solution brief. Tue, 16 Apr 2024 07:30:01 -0700 Jacob Serpa Join Zscaler for the Future of Digital Experience Monitoring Event It's time to register for the Future of Digital Experience Monitoring event. Here are a few reasons why you can’t miss it! See what it takes to keep end users productive no matter the device, network, or application.Zscaler Digital Experience (ZDX) is built on a foundation that goes beyond siloed monitoring solutions to provide full end-to-end visibility across devices (CPU, memory, Wi-Fi), networks (corporate or public internet), and applications (public or private). Zscaler Digital Experience end-to-end data path Find out what’s behind the high-confidence results delivered by advanced machine learning models.Machine learning models that provide high-confidence results require an immense amount of data and training, which can't be built overnight. ZDX is powered by the industry’s largest inline security cloud, with 500 trillion daily signals feeding high-quality data to sophisticated AI models. Zscaler Zero Trust Exchange Learn about key ZDX AI capabilities already making an impact for many service desk and network operations teams.Incident Dashboard includes machine learning models to detect issues across last mile and intermediate ISPs, application, Wi-Fi, Zscaler data center, and endpoints with correlation. This enables Network Operations to quickly and efficiently find root cause and focus on restoring reliable connectivity. ZDX Incidents Dashboard ZDX Self Service empowers users to fix problems that impact their digital experience, if the causes are under their control. A lightweight AI engine runs in Zscaler Client Connector and notifies the user of issues such as poor Wi-Fi or high CPU utilization, and then offers ways to resolve the issue, reducing help tickets. ZDX Self Service Notifications Automated Root Cause Analysis reduces strain on service desk and operations teams by identifying root causes of issues—such as high CPU usage, Wi-Fi latency spikes on local routers, slow application response times, and more—that would typically require expert IT knowledge and multiple dashboards. Users can get back to work more quickly and with fewer IT tickets, which tend to spike as users increasingly connect from anywhere using various devices, Wi-Fi access points, ISPs, zero trust environments, and applications. ZDX Automated Root Cause Analysis Join our upcoming webinar eventAs organizations strive to optimize digital experiences and ensure secure access to applications and data, the future of digital experience monitoring lies in leveraging advanced AI capabilities. With consolidated digital experience monitoring integrated in a zero trust architecture, IT teams can resolve issues more quickly to enhance performance, reduce costs, and deliver exceptional user experiences. Join our upcoming webinar to discover how ZDX can transform your organization's digital experience monitoring strategy and drive superior business results. Register now Dates and times: Americas: Thursday, April 25 | 11 a.m. PT EMEA: Tuesday, April 30 | 10 a.m. BST APAC: Tuesday, April 30 | 10 a.m. IST Featured speakers: Dhawal Sharma, SVP & GM, Product Management, Zscaler Javier Rodriguez, Sr. Director., Product Management, Zscaler Wed, 03 Apr 2024 08:03:01 -0700 Rohit Goyal Betrayal in the Cloud: Unmasking Insider Threats and Halting Data Exfiltration from Public Cloud Workloads Introduction In today’s digital world, safeguarding sensitive data, such as source code, is crucial. Insider threats are a worthy adversary, posing significant risk, especially with trusted employees having access to valuable repositories. This article explores how a fictitious software development company could use Zscaler security solutions to stop insider attempts to upload source code. By using Zscaler Workload Communications, the fictitious company detects and prevents unauthorized uploads, ensuring the security of its intellectual property. Insider Threat in the Cloud and How to Stop Them A fictitious software development company relies on its source code repository as the lifeblood of its operations. Trusted employees have access to this repository to facilitate collaboration and innovation. To mitigate the risk of insider threats, the fictitious company implements Zscaler security solutions. Let’s explore how our products thwart an insider’s attempt to upload source code to an unauthorized destination. Attack Chain Use Case StepsTrusted employee access: A trusted employee (insider) has access to the source code repository, enabling them to complete their job responsibilities. A simplified example of source code is shown below: Insider threat incident: The trusted employee with legitimate access decides to misuse their privileges by attempting to upload source code files to an unauthorized destination—an AWS S3 bucket, with the intention of unauthorized sharing. or user:~$ aws s3 cp sourcecode.c s3://bucket/uploads/sourcecode.c Figure 1: This diagram depicts how Zscaler blocks insider threats Integration with Zscaler Workload Communications: The fictitious company’s source code repository is configured to route all outbound traffic through Zscaler Workload Communications, ensuring that data transmissions undergo rigorous inspection and security policies are enforced. ZIA DLP engine implementation: ZIA leverages its powerful inline data loss protection (DLP) engine to analyze data traffic in real time. ZIA’s DLP policies are designed to identify and and prevent unauthorized attempts to upload source code files to external storage spaces. An example of DLP configuration options is shown below. Figure 2: An example of DLP configuration options. Detection and prevention of file upload attempts: As an insider attempts to upload source code files to the unauthorized AWS S3 bucket, ZIA’s DLP engine detects it as a violation of security policies. Leveraging advanced pattern recognition and behavior analysis, ZIA blocks the upload attempt in real time, preventing the exfiltration of company data. The figure below shows the source code file upload attempt failing in real time. Figure 2: The source code file upload command receives an error when executed The upload attempt, which was in violation of company policy, appears in descriptive log records, as shown below. Figure 3: A log showing the failed source code file upload, along with important details like user, location, and destination Alerting and response: The Zscaler security platform generates immediate alerts upon detecting the unauthorized upload attempt. How Zscaler Can HelpZscaler’s security products offer effective solutions against insider threats aimed at source code repositories: Outbound Data Violation TriggerBy routing through Zscaler’s Cloud Connector, organizations can enforce security policies on all outbound data transmissions, including those from source code repositories. This integration ensures that every upload attempt undergoes through security checks, regardless of the destination. Data Breach PreventionZscaler Internet Access (ZIA) features a powerful data loss prevention (DLP) engine that analyzes data in real time. Leveraging advanced DLP policies, ZIA can detect patterns indicative of unauthorized source code uploads. This approach enables organizations to prevent data breaches before they occur. Instant Alerts The Zscaler platform provides real-time monitoring of all network activity, including access to source code repositories. Any suspicious behavior, such as attempts to upload source code to unauthorized destinations, triggers immediate alerts. This allows security teams to respond promptly and prevent potential data exfiltration. ConclusionWith cybersecurity threats on the rise, organizations must combat insider risks effectively. Zscaler solutions offer proactive measures against insider threats, as demonstrated by the hypothetical use case outlined above. By implementing robust DLP policies and real-time monitoring, organizations can protect their critical data unauthorized access and maintain data integrity. The Zscaler platform equips organizations to tackle insider threats confidently, securing their digital assets effectively. Tue, 02 Apr 2024 13:31:17 -0700 Sakthi Chandra Exposing the Dark Side of Public Clouds - Combating Malicious Attacks on Workloads IntroductionThis article compares the cybersecurity strategies of a company that does not use Zscaler solutions with one that has implemented Zscaler's offerings. By exploring two different scenarios, we will highlight the advantages of Zscaler zero trust for workload communications and its specific use of data loss prevention. Threat Propagation Without Zscaler IntegrationLateral Movement Between WorkloadsIn the following scenario, you’ll see that without Zscaler’s integration, the organization is unable to detect or prevent threats effectively. This allows attackers to move laterally and exfiltrate data undetected, leading to significant security risks. Workload 1 in Azure West sends an HTTP GET request to GitHub for a patch update: Workload 1, deployed in Azure West, initiates an outbound connection to GitHub to fetch a required patch update. This HTTP GET request is sent to Github to download the patch: An HTTP response containing malware from GitHub: Unbeknownst to the organization, the HTTP response received from GitHub contains embedded malware. Attacker’s lateral movement to Workload 2: By exploiting the malware present in the HTTP response, an attacker gains access to Workload 1 and subsequently moves laterally to Workload 2 within the Azure West environment. From here, the attacker exploits vulnerabilities or misconfigurations in Workload 2 to achieve a network foothold and establish persistence in Workload 2 that further their malicious objectives. Data Exfiltration to a command-and-control (C2) server: With access to Workload 2, the attacker exfiltrates sensitive data from the organization’s environment to a remote C2 server. Threat Containment with Zscaler IntegrationIn the following scenario, Zscaler’s integrated security platform provides comprehensive protection against various stages of the attack life cycle. Organizations can use Zscaler Internet Access (ZIA), coupled with Zscaler Data Loss Prevention (DLP) and Zscaler Workload Communications to implement: Strict access controls Malware detection and prevention measures Workload segmentation Enhanced outbound security measures to GitHub (internet): With Zscaler integrated into the organization’s infrastructure, outbound traffic from Workload 1 to GitHub is subjected to stringent access control policies. Only approved URIs are permitted, which ensures communications are limited to trusted destinations. Any attempt to access unauthorized URIs is blocked. Malware detection and prevention: Zscaler’s security layers, including content inspection and advanced cloud sandbox features, intercept and inspect the HTTP response from GitHub in real time. Upon detecting malware, Zscaler halts transmission, preventing Workload 1 from being compromised. Workload segmentation to prevent lateral movement: Zscaler enforces strict segmentation policies ensuring that Workload 1 and Workload 2, which are deployed across two different regions, are treated as private applications with no direct communication allowed between them. Such segmentation effectively isolates these workloads, preventing any lateral threat movement between them. Egress traffic security from Workload 2 with advanced data protection: Egress traffic from Workload 2 is safeguarded using ZIA advanced protection capabilities. Zscaler ensures that sensitive data is not exfiltrated from the organization's environment. By enforcing DLP policies, Zscaler prevents unauthorized data transfers. ConclusionThe deployment of Zscaler’s solutions significantly enhanced the organization’s ability to combat cyberthreats and safeguard public cloud workloads. Without Zscaler, companies face unmonitored outbound traffic, susceptibility to malware infiltration, and the risk of lateral movement and data exfiltration. With Zscaler zero trust for workloads, organizations enjoy comprehensive protection, including access control policies, malware detection and prevention, segmentation to prevent lateral movement, and advanced data protection measures. Implementing Zscaler solutions enables organizations to bolster their cybersecurity defenses, mitigate risks, and protect their intellectual property from evolving threats in an interconnected digital environment. Tue, 02 Apr 2024 19:14:07 -0700 Sakthi Chandra The Best Medicine for Healthcare Data Is Integrated DLP You could argue that the challenges of securing medical data are more imposing than those of securing any other form of data. Electronic health records (EHR) are often transferred and shared between providers on a regular basis, and these records contain personal, in-depth patient data. These transfers put protected health information (PHI) at high risk as it moves from location to location. Additionally, the stringent regulations and compliance requirements for PHI force providers to learn how to construct the best data protection strategy for their needs—although this has been a necessary evil for some time now. To this end, our friends within the Health Information Management Working Group at CSA have put together a great discussion on the task of securing patient data and development of best practices. For providers looking for guidance from an expert that’s made the data protection journey, this content can be extremely valuable: Cloud Security Alliance Working Group: Health Information ManagementResearch Publication: Data Loss Prevention in healthcare One of the main topics of this publication is the architecture from which you should deliver data loss prevention (DLP) and data protection. While it’s important to understand best practices on how to implement data protection in the healthcare industry, it’s also valuable to know what the right architecture for a unified data protection platform should look like. With that, let's read a few paragraphs on how Gartner defines Security Service Edge and how it can help providers deliver better protection for data in motion and at rest. Securing Data In Motion In the medical and health industries, protecting sensitive data during transit is crucial. With the increasing reliance on digital platforms and the internet, organizations often face the challenge of safeguarding data over untrusted networks. The core building block for securing this sensitive data is DLP. Inline DLP combined with SSL inspection enables sensitive data in transit to be identified and classified. This ensures that data leaks to the internet or via email are prevented, maintaining the confidentiality of patient information. To this end, inline visibility into cloud apps such as electronic health record systems is also essential. By leveraging inline CASB technology, organizations can detect shadow IT and block risky apps, ensuring data security without hindering the use of critical cloud applications. In the healthcare industry, the use of personal devices by medical professionals and contractors poses a unique challenge. Implementing browser isolation technology allows for seamless data access on personal devices that doesn’t compromise their security. By hosting browser sessions in a secure cloud environment, sensitive data remains protected, even on unmanaged devices. Better yet, users get the specialized power of a purpose-built enterprise browser, only when needed, without having to change which browser they use. Perhaps the biggest benefit of SSE is that all of these unique features are integrated into a centralized, cloud-delivered platform. When hosted via the cloud, DLP is not only easier to deploy, but also more accurate in detection. Rather than dealing with multiple policies that could trigger differently and at different times, SSE gives you a singular view across your landscape, so decisions can be made on a holistic basis. Securing Data at Rest In the Medical Industry When it comes to securing medical data at rest, it’s worth learning and remembering a few key capabilities that have helped healthcare organizations do so with greater ease: SaaS Data Security lets you prioritize securing sensitive data in SaaS platforms, as it can be easily shared in risky ways. To prevent this, providers often consider adding CASB to their data protection strategy. By using a CASB that leverages the same DLP policy used for data at rest as that in motion, you can reduce alert fatigue and streamline response times. Since DLP engines will trigger the same to data inline and at rest in SaaS, visibility becomes consistent across channels. This is one of the main advantages of standardizing across a Security Service Edge architecture. SaaS Security Posture Management (SSPM) helps to identify and address misconfigurations in SaaS platforms, such as enabling multifactor authentication and closing risky open shares. Look for SSPM platforms that align with compliance frameworks like NIST or HIPAA to establish and maintain the required security posture. SaaS Supply Chain Security helps address the risks associated with third-party applications that may connect into your SaaS Platforms. You can scan SaaS platforms for risky connections from third-party applications that may have known vulnerabilities or allow unauthorized access to sensitive medical data. You’ll then get guidance on how to revoke these connections to ensure data hygiene and maintain a strong posture overall. . Endpoint DLP protects sensitive data stored on endpoints such as removable media or employee devices. Implement endpoint DLP with a unified agent that works alongside an SSE platform and enforces a unified DLP policy through inline inspection. This helps prevent data leaks and ensures the security of patient information. A word on Zscaler and shared workstation security: Securing data on shared workstations can sometimes be a challenge as implementing and managing user-level policy controls across multiple logins on a single device is often difficult to do. Zscaler integrates with the Imprivata Digital Identity platform allowing providers to easily support these multi-user workstation environments. Clinicians can easily and securely authenticate in and out of devices and only access applications for which they’ve been authorized. Bringing it All Together Unifying data protection into one platform is extremely powerful and can drastically simplify how you secure data. When delivered from an always-on cloud, you get one single DLP policy that follows users everywhere as well as consistent alerting, no matter where data is located. It’s helpful to gain a variety of perspectives on how to secure data, especially when it comes to a task as tricky as protecting medical data. While there are a multitude of different approaches to this task, understanding best practices can make all the difference for providers looking to begin their journey. All of this said, building the right architecture is equally important. If you’re interested in learning more about Security Service Edge and how Zscaler can help you secure your patient data, we’re here to chat or show you a demo. Photo Credit: Image by Tue, 26 Mar 2024 05:33:13 -0700 Tamer Baker Protecting Identity Becomes Pivotal in Stopping Cyberattacks As today’s workplace transforms, data is no longer centralised and is spread across cloud, increasing the attack surface. Attackers are constantly looking for vulnerabilities to exploit and searching for the Achilles heel in identity systems that could deliver them entry into your IT environment. Cyber actors are now using sophisticated methods to target Identity and access management infrastructure. Credential misuse is the most common attack method. According to Gartner, “Modern attacks have shown that identity hygiene is not enough to prevent breaches. Multifactor authentication and entitlement management can be circumvented, and they lack mechanisms for detection and response if something goes wrong.” Prioritize securing identity infrastructure with tools to monitor identity attack techniques, protect identity and access controls, detect when attacks are occurring, and enable fast remediation. Zscaler ITDR detects credential theft and privilege misuse, attacks on Active Directory, and risky entitlements that create attack paths With identity-based attacks on the rise, today’s businesses require the ability to detect when attackers exploit, misuse, or steal enterprise identities. Identifying and detecting identity-based threats is now crucial due to attackers' propensity of using credentials and Active Directory (AD) exploitation techniques for privilege escalations and for lateral movement across your environment. Zscaler ITDR helps you to thwart identity-based AD attacks in real-time and help you to gain actionable insight into gaps in your identity attack surface. The solution enables you to continuously monitor identities, provides visibility on misconfigurations/ risky permissions and detect identity-based attacks such as credential theft, multifactor authentication bypass, and privilege escalation. Gain Full Visibility Uncover blind spots and understand hidden vulnerabilities that leave your environment susceptible to identity-based attacks such as exposed surfaces, dormant credentials, and policy violations. Real-Time Identity Threat Detection and Response Zscaler Identity Protection uses identity threat detections and decoys that rise high fidelity alerts to help your security teams to swiftly remediate with targeted response. The same endpoint agent that runs deception also detects identity attacks on the endpoint. These include advanced attacks like DCSync, DCShadow, LDAP enumeration, session enumeration, Kerberoast attacks, and more. Reduce Identity Risk With deep visibility on identity context, Zscaler Identity Protection helps your security teams to identify, address, and purge compromised systems and exposed credentials quickly. Often, security teams struggle to collect context and correlations to investigate threats. Zscaler ITDR solves this problem by consolidating all risk signals, threats detected, failed posture checks , Okta metadata, and policy blocks (ZIA/ZPA) into a single view for each identity. You can now quickly investigate risky identities for indicators of compromise and potential exploitation. Prevent Credential Misuse/Theft Attackers use stolen credentials and attack Active Directory to escalate privileges to move laterally. Zscaler Identity Protection helps to detect credential exploits and prevent credential theft or misuse. Spot Lateral Movement Stop attackers who have gotten past perimeter-based defenses and are attempting to move laterally through your environment. Zscaler Deception ITDR enhances security by identifying misconfigurations and credential exposures that create attack paths for attackers to use for lateral movement. Zscaler ITDR: Beyond just prevention – Monitor, detect, & respond to identity threats Monitor: Identity systems are in constant flux with configuration and permissions changes. Get alerts when configuration changes introduce new risks. Organizations lack visibility into credential sprawl across their endpoint footprint, leaving them vulnerable to attackers who exploit these credentials to access sensitive data and apps. The solution is Zscaler ITDR, which audits all endpoints to identify credentials and other sensitive material in various sources such as files, registry, memory, cache, configuration files, credential managers, and browsers and gains visibility into endpoint credential exposure to identify lateral movement paths, enforcing policies, and cleaning up credentials to reduce the internal attack surface. Detect: ITDR automatically surfaces hidden risks that might otherwise slip through the cracks. Zscaler ITDR pulls together all risk signals, threats detected, posture checks failed, metadata from Okta, and policy blocks from ZIA/ZPA into a single unified view to provide a complete picture of risk for an identity. This helps to identify & detect unmanaged identities, misconfigured settings, and even credential misuse. Respond: ITDR spots attacks targeting your identity store, you can take immediate action. Restrict or terminate those identities causing trouble and shut down threats before they have a chance to wreak havoc. Zscaler ITDR Benefits Minimize the Attack Surface Reduce attack surface by gaining continuous visibility into the attack vectors and identity misconfigurations. Identify to stop adversarial advances—including ransomware attacks—in their tracks with traps set. Real-Time Identity Threat Detection Thwart sophisticated attacks on Active Directory using identity threat detections on endpoints. Accelerate Incident Response Built-in threat detection and response speeds up threat detections and expands coverage to significantly reduce mean time to response (MTTR). ITDR helps security teams drive down their mean time to respond and prioritize what matters most by risk scoring. Conclusion No matter what – Breaches are inevitable, and preventative security measures aren’t sufficient to thwart them. Though staying upbeat while fighting cyberthreats, shrinking budgets, and staff turnover is a tall task, how we respond today dictates how we perform tomorrow. Choosing and adopting identity protection solutions like ITDR helps your company evolve its zero trust security and compliance posture in response to the changing threat landscape. Zscaler ITDR strengthens your zero trust posture by mitigating the risks of user compromise and privilege exploitation. Fri, 22 Mar 2024 02:39:16 -0700 Nagesh Swamy Eliminate Risky Attack Surfaces Many moons ago, when the world wide web was young and the nerd in me was strong, I remember building a PC and setting it up as a web server. In those exciting, pioneering days, it was quite something to be able to have my very own IP address on the internet and serve my own web pages directly from my Apache server to the world. Great fun. I also remember looking at the server logs in horror as I scrolled through pages upon pages of failed login, and presumably hacking, attempts. I’d buttoned things up pretty nicely from a security standpoint, but even so, it would only have taken a vulnerability in an unpatched piece of software for a breach to occur, and from there, all bets would have been off. Even today, many internet service providers will let you provision your own server, should you feel brave enough. Of course, the stakes were not high for me at home, but knowing what we know now about the growth of ransomware attacks and how AI is facilitating them, no organization would dare do such a thing in 2024. Back then, I’d created an obvious and open attack surface. Tools were (and still are) readily available to scan IP address ranges on any network and identify open ports. In my case, ports 22, 80 and 443 were open to serve web pages and enable me to administer my server remotely. Every open port is a potential conduit into the heart of the hosting device, and so these should be eliminated where possible. Open ports, VPNs, and business Since online remote working became a real possibility in the early 2000s, organizations have tried to protect themselves and their employees by adopting VPN technology to encrypt traffic between a remote device and a VPN concentrator at the head office, allowing employees access to services like email, file and print servers. Even when these services became cloud-based solutions like Gmail and DropBox, many organizations pulled that traffic across a VPN to apply IT access policies. Not only did this often lead to an inefficient path from a remote worker to their applications, it also presented a serious security risk. As the performance and dependability of the internet grew, we also saw the advent of site-to-site VPNs, which made for an attractive alternative to far more expensive circuit-based connections that had been so prevalent such as MPLS. A vast number of organizations continue to rely on a virtual wide area network (WAN) built on top of VPNs. Unfortunately, as the old saying goes, there’s no such thing as a free lunch. Every VPN client or site using the internet as its backbone needs an IP address to connect to, an open port to connect through, and, well, you can see where this is going. Not every VPN solution has an active flaw, just as—luckily—my Apache server didn’t at the time I was running it. That said, software is fallible, and history has demonstrated this fact in numerous instances in which vulnerabilities are discovered and exploited in VPN products. Just last month, a fatal flaw was discovered in Ivanti’s VPN services, leaving thousands of users and organizations open to attack. Hackers are scouring day and night for vulnerabilities like these to exploit—and AI is only making their lives easier. “without proper configuration, patch management, and hardening, VPNs are vulnerable to attack” from Securing IPsec Virtual Private Networks by the National Security Agency (NSA) Zscaler is different The Zscaler Zero Trust Exchange™ works in a fundamentally different way—no VPN is required to securely connect. Instead, connections via the internet (or even from within a managed network) are policed on multiple levels. An agent on your device creates a TLS tunnel to the Zscaler cloud, which accepts connections only from known tenants (or Zscaler customers). This tunnel is mutually authenticated and encrypted between the agent and the Zscaler cloud. The individual and their device(s) must additionally be identified as part of the process. In short, it’s not possible to simply make a TLS connection to Zscaler. Once an approved user from a known customer with a recognized device connects to Zscaler, they’re still prevented from moving laterally over the network, as is the case with VPNs. With Zscaler, there is no IP range to which the user has access. Instead, every connection attempt has to be authorized, following the principles of zero trust. A user has access only to the applications for which they’ve been authorized. With this framework, even if an organization were to be successfully attacked, the blast radius would be limited. The same cannot be said for network-based security. Here’s the bottom line: VPNs and the firewalls behind them served us well for a long time, but the challenges that come with maintaining a security posture built on these legacy technologies are so great that it’s now a material business risk to use them. You need only to turn the news on for a few minutes to be reminded of this. Networks were built fundamentally to enable connectivity, and adding security to these networks is an uphill battle of putting the right obstacles in the way of that connectivity. This is why more and more public bodies and private organizations are turning this idea on its head and embracing a zero trust architecture that provides access for only an approved entity, on an approved device, to the applications to which they are entitled. At Zscaler we have built tools to help you assess the potential risk your own organization faces, some of which are free to access. Test your own defenses by visiting and when you’re ready to learn more, get in touch! Tue, 02 Apr 2024 01:00:01 -0700 Simon Tompson Break Free from Appliance-Based Secure Web Gateway (SWG) The way we work today is vastly different from a few years ago. McKinsey & Company’s State of Organization 2023 report identified that before the COVID-19 pandemic, most organizations expected employees to spend more than 80% of their time in-office. But as of 2023, says the report, 90% of employees have embraced hybrid models, allowing them to work from home or other locations some (if not most) of the time. On a similar note, applications previously hosted in on-premises data centers are increasingly moving to the cloud. Gartner predicted that SaaS application spending would grow 17.9% to total $197 billion in 2023. With employees and apps both migrating off-premises, security controls logically must do the same. It’s no exaggeration to state that cloud and mobility have broken the legacy way of approaching security—so why should the castle-and-moat security approach, heavily reliant on hardware such as appliance-based proxies/SWGs, still exist? Users need fast, reliable, secure connectivity to the internet and cloud apps, with the flexibility to connect and work from anywhere. However, traditional SWGs have certain limitations, leading to security challenges, poor user experience, constant maintenance, and scalability issues. Let’s take a look at why it’s time to break free from appliance-based SWG. Security challengesIn December 2013, the Google Transparency Report showed just 48% of World Wide Web traffic was encrypted. Today, the same report shows at least 95% of traffic is encrypted. So, it’s no surprise that the Zscaler ThreatLabz 2023 State of Encrypted Attacks report showed 85.9% of threats—malware payloads, phishing scams, ad spyware sites, sensitive data leaks, and more—are now delivered over encrypted channels. While most organizations have some form of protection against malware, attackers are evolving their techniques, creating new variants able to bypass reputation-based detection technologies. As threat actors increasingly rely on encrypted channels, it’s more crucial than ever to inspect 100% of TLS/SSL traffic. This is the biggest way appliance-based proxies weigh down organizations: most SWG appliances lack the capacity to perform 100% inspection. Our 2023 State of Encrypted Attacks report surveyed 284 IT, security, and networking professionals and found that they mainly use legacy tools like web application firewalls and network-layer firewalls to scan traffic. However, respondents agreed that complexity, cost, and performance degradation are the biggest barriers to inspecting all TLS/SSL traffic. Furthermore, certain regulations require different policies for distinct data types, making inspection an arduous task. Poor user experienceCompared to only a few years ago, the meaning of “fast” is very different for today’s internet users. Instant access and connectivity has become the norm at home. Employees juxtapose the great digital experience in their personal lives with poor connectivity and performance issues that plague their digital work lives. Appliance-based SWGs are among the main culprits of poor user experience because they can’t scale quickly to handle traffic surges, and they require traffic to be backhauled to a central data center, leading to high latency and lost productivity for users trying to access the internet or SaaS applications. And all this inevitably affects revenue. Maintenance and scalability issuesApart from complexity and tedious management, other challenges of appliance-based SWGs are maintenance and scalability issues. To account for traffic surges and future growth, security teams are forced to overprovision, leading to expensive appliances sitting unused. At other times, they may need to wait multiple months for appliances/upgrades to arrive. With appliance-based SWG, security teams are always spread too thin, having to constantly update SWGs to account for changes to the organization and/or the threat landscape. The Zscaler differenceOvercome the limitations of appliance-based SWG with Zscaler. Better security: Inspect 100% of TLS/SSL traffic to find and stop threats—86% of which are delivered over encrypted channels. Better user experience: Stop backhauling internet/SaaS traffic with AI-powered Zscaler SWG, delivered from 150+ points of presence worldwide–close to your users and their cloud destinations for lower latency. No hardware to maintain: Move to a cloud native proxy architecture and eliminate the hardware headaches of maintenance, updates, patches, and upgrades. Platform approach: Extend comprehensive security functions, such as cloud firewall, sandbox, CASB, and data loss prevention, as well as end-to-end experience monitoring from a single unified platform and agent. If you’d like to know more about the reasons to break free from appliance-based proxies, check out this on-demand webinar. Wed, 20 Mar 2024 07:04:23 -0700 Apoorva Ravikrishnan 2024 Zscaler Public Sector Summit in Washington DC In March 2023 Zscaler held its inaugural Public Sector Summit, bringing together over 500 government and industry leaders to separate zero trust fact from fiction. The exchange last year was enlightening and energizing! We captured highlights from the event in an eBook, The Power of Zero Trust, including the challenges agencies are facing, some of our best practices for developing a robust zero trust architecture, and a use case demonstrating how zero trust can integrate into every part of your agency’s operations. As we prepare for the 2024 Public Sector Summit on April 4th, I am excited that this year’s line up will be bigger and even more engaging. With more than 22 guest speakers from across government, education and private sector, the audience will hear top of mind topics and discuss current threats and challenges facing agencies and the supporting community such as AI, funding zero trust initiatives, safeguarding critical infrastructure, SD-WAN and much more. Distinguished Speakers The power of the public sector community is in the forward-thinking individuals across agencies who have dedicated their careers to transforming our nation securely. We’ve built a program for the day with a stellar lineup of speakers including: Dr. Kelly Fletcher, CIO Department of State, Luis Coronado, CIO State Consular Affairs, and Eric Hysen, CIO/Chief AI Officer Department of Homeland Security will join Zscaler CEO Jay Chaudhry during his keynote. Chris DeRusha, Federal CISO and Deputy National Cyber Director, OMB. Panel on resources to fuel government modernization with Jessie Posilkin, Technical Lead at Technology Modernization Fund, Maria Roat of MA Consulting and Eric Mill of GSA. Suneel Cherukuri, CISO, DC Government Zach Benz, Sr. Mgr for Cyber Operations/DCISO with Sandia National Laboratories to talk about AI/ML. Panel discussing zero trust implementations with Gerald Caron, CIO, ITA/Commerce, Dan Han, CISO of VCU, Bob Costello, CISO of CISA and Dr. Gregory Edwards, CISO of FEMA. DoD leaders including Winston Beauchamp, DCISO with the Department of Air Force and General Les Call, Director of Zero Trust portfolio management office. Systems Integrator panel with Justin DePalmo, CISO and VP of IT at GDIT and Bob Ritchie, SVP & CTO at SAIC. Nelson Sims, Cyber Architect, DC Water and Dustin Glover, Chief Cyber Officer, State of Louisiana to discuss securing critical infrastructure. From Revolution to Evolution Our CEO and founder, Jay Chaudhry, will keynote the event setting the stage with his perspective on the zero trust revolution that began over a decade ago, and how that has now surpassed the tipping point in adoption thanks to the dedication of IT leaders across government.. He will be joined on stage by Dr. Fletcher, Luis Coronado and Eric Hysen and followed by many more innovators within the public sector speaking to a number of current cybersecurity issues including: Using AI to combat AI-based threats OMB’s perspective on the state of zero trust Unlocking resources to continue modernizing How agency leaders are taking the next steps in their zero trust implementations New innovations in predictive cybersecurity to identify and resolve vulnerabilities View the full agenda here to see the range of topics to be addressed during this year’s summit. Hands-On Zero Trust In addition to the informative sessions, we will also have hands-on solution stations this year for attendees to dive deeper into areas including: From Zero Access to Zero Trust in 10 Minutes: A joint solution with our integration partners AWS, Okta, and CrowdStrike Your Network Transformed: Zero trust for cloud and branch TheatLabz: Global Internet threat insights from Zscaler's research team CMMC: Empowered by zero trust Customer Success Center Zscaler Digital Experience We’re excited to welcome the public sector community in-person for a full day of learning, networking and experiences from the most forward-thinking Government IT leaders. Register today to learn more on how you can Simply, Secure and Transform your agency. Space is limited for this live event so we’ll be in touch to confirm your invitation. There is no charge for the event. Tue, 19 Mar 2024 08:03:31 -0700 Peter Amirkhan Outpace Attackers with AI-Powered Advanced Threat Protection Securing access to the internet and applications for any user, device, or workload connecting from anywhere in the world means preventing attacks before they start. Zscaler Advanced Threat Protection (ATP) is a suite of AI-powered cyberthreat and data protection services included with all editions of Zscaler Internet Access (ZIA) that provides always-on defense against complex cyberattacks, including malware, phishing campaigns, and more. Leveraging real-time AI risk assessments informed by threat intelligence that Zscaler harvests from more than 500 trillion daily signals, ATP stops advanced phishing, command-and-control (C2) attacks, and other tactics before they can impact your organization. In aggregate, Zscaler operates the largest global security cloud across 150 data centers and blocks more than 9 billion threats per day. Additionally, our platform consumes more than 40 industry threat intelligence feeds for further analysis and threat prevention. With ATP you can: Allow, block, isolate, or alert on web pages based on AI-determined risk scores Block malicious content, files, botnet, and C2 traffic Stop phishing, spyware, cryptomining, adware, and webspam Prevent data loss via IRC or SSH tunneling and C2 traffic Block cross-site scripting (XSS) and P2P communications to prevent malicious code injection and file downloads To provide this protection, Zscaler inspects traffic—encrypted or unencrypted—to block attackers’ attempts to compromise your organization. Zscaler ThreatLabz found in 2023 that 86% of threats are now delivered over encrypted channels, underscoring the need to thoroughly inspect all traffic. Enabling protection against these threats takes just a few minutes in ATP in the Zscaler Internet Access management console. This blog will help you better understand the attack tactics ATP prevents on a continuous basis. We recommend you select “Block” for all policy options and set the "Suspicious Content Protection" risk tolerance setting to "Low" in the ATP configuration panel of the ZIA management console. Prevent web content from compromising your environmentThreat actors routinely embed malicious scripts and applications on legitimate websites they’ve hacked. ATP policy protects your traffic from fraud, unauthorized communication, and other malicious objects and scripts. To bolster your organization's web security, the Zscaler ATP service identifies these objects and prevents them from downloading unwanted files or scripts onto an endpoint device via the user’s browser. Using multidimensional machine learning models, the ZIA service applies inline AI analysis to examine both a web page URL and its domain to create Page Risk and Domain Risk scores. Given the magnitude of Zscaler’s dataset and threat intelligence inputs, risk scoring is not dependent on specific indicators of compromise (IOCs) or patterns. Using AI/ML to analyze web pages reveals malicious content including injected scripts, vulnerable ActiveX, and zero-pixel iFrames. The Domain Risk score results from analysis of the contextual data of a domain, including hosting country, domain age, and links to high-risk top-level domains. The Page Risk and Domain Risk scores are then combined to produce a single Page Risk score in real time, which is displayed on a sliding scale. This risk score is then evaluated against the Page Risk value you set in the ATP configuration setting (as shown below). Zscaler will block users from accessing all web pages with a Page Risk score higher than the value you set. You can set the Page Risk value based on your organization’s risk tolerance. Disrupt automated botnet communicationA botnet is a group of internet-connected devices, each of which runs one or more bots, or small programs, that are collectively used for service disruption, financial or sensitive information theft via distributed denial-of-service (DDoS) attacks, spam campaigns, or brute-forcing systems. The threat actor controls the botnet using command-and-control software. Command & Control Servers An attacker uses a C2 server to send instructions to systems compromised by malware and retrieve stolen data from victim devices. Enabling this ATP policy blocks communication to known C2 servers, which is key to preventing attackers from communicating with malicious software deployed on victims’ devices. Command & Control Traffic This refers to botnet traffic that sends or receives commands to and from unknown servers. The Zscaler service examines the content of requests and responses to unknown servers. Enabling this control in the ATP configuration blocks this traffic. Block malicious downloads and browser exploits Malicious Content & Sites Websites that attempt to download dangerous content to the user's browser upon loading a page introduce considerable risk: this content can be downloaded silently, without the user's knowledge or awareness. Malicious content could include exploit kits, compromised websites, and malicious advertising. Vulnerable ActiveX Controls An ActiveX control is a software program for Internet Explorer, often referred to as an add-on, that performs specific functionality after a web page loads. Threat actors can use ActiveX controls to masquerade as legitimate software when, in reality, they use them to infiltrate an organization’s environment. Browser Exploits Known web browser vulnerabilities can be exploited, including exploits targeting Internet Explorer and Adobe Flash. Despite Adobe sunsetting the browser-based add-on in January 2021, Flash components are still found embedded in systems, some of which may be critical for infrastructure or data center operations. Foil digital fraud and cryptomining attempts AI-Powered Phishing Detection Phishing is becoming harder to stop with new tactics, including phishing kits sold on the black market—these kits enable attackers to spin up phishing campaigns and malicious web pages that can be updated in a matter of hours. Phishing pages trick users into submitting their credentials, which attackers use in turn to compromise victims’ accounts. Phishing attacks remain problematic because even unsophisticated criminals can simply buy kits on the dark web. Threat actors can also update phishing pages more quickly than most security solutions meant to detect and prevent phishing can keep up with. But with Zscaler ATP, you can prevent compromises from patient zero phishing pages inline with advanced AI-based detection. Known Phishing Sites Phishing websites mimic legitimate banking and financial sites to fool users into thinking they can safely submit account numbers, passwords, and other personal information, which criminals can then use to steal their money. Enable this policy to prevent users from visiting known phishing sites. Suspected Phishing Sites Zscaler can inspect a website’s content for indications that it is a phishing site, and then use AI to stop phishing attack vectors. As part of a highly commoditized attack method, phishing pages can have a lifespan of a few hours, yet most phishing URL feeds lag 24 hours behind—that gap can only be addressed by a capability able to stop both new and unknown phishing attacks. Spyware Callback Adware and spyware sites gather users’ information without their knowledge and sell it to advertisers or criminals. When “Spyware Callback” blocking is enabled, Zscaler ATP prevents spyware from calling home and transmitting sensitive user data such as address, date of birth, and credit card information. Cryptomining Most organizations block cryptomining traffic to prevent cryptojacking, where malicious scripts or programs secretly use a device to mine cryptocurrency—but this malware also consumes resources and impacts performance of infected machines. Enabling “Block” in ATP’s configuration settings prevents cryptomining entering your environment via user devices. Known Adware & Spyware Sites Threat actors stage legitimate-looking websites designed to distribute potentially unwanted applications (PUA). These web requests can be denied based on the reputation of the destination IP or domain name. Choose “Block” in ATP policy configuration to prevent your users from accessing known adware and spyware sites. Shut down unauthorized communication Unauthorized communication refers to the tactics and tools attackers use to bypass firewalls and proxies, such as IRC tunneling applications and "anonymizer" websites. IRC Tunneling Internet Relay Chat (IRC) protocol was created in 1988 to allow real-time text messaging between internet-connected computers. Primarily used in chat rooms (or “channels”), the IRC protocol also supports data transfer as well as server- and client-side commands. While most firewalls block the IRC protocol, they may allow SSH connections. Hackers take advantage of this to tunnel their IRC connections via SSH, bypass firewalls, and exfiltrate data. Enabling this policy option will block IRC traffic from being tunneled over HTTP/S. SSH Tunneling SSH tunneling enables sending data with an existing SSH connection, with the traffic tunneled over HTTP/S. While there are legitimate uses for SSH tunnels, bad actors can use them as an evasion technique to exfiltrate data. Zscaler ATP can block this activity. Anonymizers Attackers use anonymizer applications to obscure the destination and content they want to access. Anonymizers enable the user to bypass policies that control access to websites and internet resources. Enabling this policy option blocks access to anonymizer sites. Block cross-site scripting (XSS) and other malicious web requestsCross-site scripting (XSS) is an attack tactic wherein bad actors inject malicious scripts into otherwise trusted websites. XSS attacks occur when a threat actor uses a web app to send malicious code, usually in the form of a client-side script, to a different end user. Cookie Stealing Cookie stealing, or session hijacking, occurs when bad actors harvest session cookies from users’ web browsers so they can gain access to sensitive data including valuable personal and financial details they in turn sell on the dark web or use for identity theft. Attackers also use cookies to impersonate a user and log in to their social media accounts. Potentially Malicious Requests Variants of XSS requests enable attackers to exploit vulnerabilities in a web application so they can inject malicious code into a website. When other users load a page from the target web server in their browser, the malicious code executes, expanding the attack exponentially. Prevent compromise via peer-to-peer file sharing P2P programs enable users to easily share files with each other over the internet. While there are legitimate uses of P2P file sharing, these tools are also frequently used to illegally acquire copyrighted or protected content—and the same content files can contain malware embedded within legitimate data or programs. BitTorrent The Zscaler service can block the usage of BitTorrent, a communication protocol for decentralized file transfers supported by various client applications. While its usage was once pervasive, global torrent traffic has decreased from a high of 35% in the mid-2000s to just 3% of all global internet traffic in 2022. Tor Tor is a P2P anonymizer protocol that obscures the destination and content accessed by a user, enabling them to bypass policies controlling what websites or internet resources they can access. With Zscaler ATP, you can block the usage of the Tor protocol. Avoid VOIP bandwidth overutilizationWhile convenient for online meetings, video conferencing tools can be bandwidth-intensive. They may also be used to transfer files or other sensitive data. Depending on both your organization's risk tolerance level and overall network performance, you may want to curtail employee or contractor use of Google Hangouts. Google Hangouts While VOIP application usage may be encouraged for cost savings over traditional landline-based communications, it’s often associated with high bandwidth usage. Google Hangouts (a.k.a. Google Meet) requires a single video call participant to meet a 3.2 Mbps outbound bandwidth threshold. Inbound bandwidth required starts at 2.6Mbps for two users and expands with additional participants. In Zscaler ATP, you can block Google Hangout usage to conserve bandwidth for other business-critical applications. Comprehensive, always-on, real-time protection Clearly, there’s a wide swath of protection modern organizations need to fortify their security posture on an ongoing basis. Zscaler Advanced Threat Protection delivers always-on protection against ransomware, zero-day threats, and unknown malware as part of the most comprehensive suite of security capabilities, powered by the world's largest security cloud—all at no extra cost to ZIA customers. ATP filters and blocks threats directed at ZIA customers and, in combination with Zscaler Firewall and Zscaler Sandbox, provides superior threat prevention thanks to: A fully integrated suite of AI-powered security services that closes security gaps and reduces risks left by other vendors’ security tools. Zscaler Sandbox detects zero-day malware for future-proof protection while Zscaler Firewall provides IPS and DNS control and filtering of the latest non-web threats. Real-time threat visibility to stay several steps ahead of threat actors. You can’t wait for another vendor’s tool to finish scheduled scans to determine if you’re secure—that puts your organization at risk. Effective advanced threat protection from Zscaler monitors all your traffic at all times. Centralized context and correlation that provides the full picture for faster threat detection and prevention. Real-time, predictive cybersecurity measures powered by advanced AI continuously give your IT or security team the ability to outpace attackers. The ability to inspect 100% of traffic with Zscaler’s security cloud distributed across 150 points of presence worldwide. Operating as a cloud-native proxy, the Zscaler Zero Trust Exchange ensures that every packet from every user, on or off-network, is fully inspected with unlimited capacity—including all TLS/SSL encrypted traffic. Learn more about how Zscaler prevents encrypted attacks and best practices to stop encrypted threats by securing TLS/SSL traffic: download a copy of the Zscaler ThreatLabz 2023 State of Encrypted Attacks Report. Mon, 11 Mar 2024 07:00:01 -0700 Brendon Macaraeg LinkedIn Outage Detected by Zscaler Digital Experience (ZDX) At 3:40 p.m. EST on March 6, 2024, Zscaler Digital Experience (ZDX) saw a substantial, unexpected drop in the ZDX score for LinkedIn services around the globe. Upon analysis, we noticed HTTP 503 errors highlighting a LinkedIn outage, with the ZDX heatmap clearly detailing the impact at a global scale. ZDX dashboard indicating widespread LinkedIn outage ZDX enables customers to proactively identify and quickly isolate service issues, giving IT teams confidence in the root cause, reducing mean time to resolve (MTTR) and first response time (MTTD). ZDX dashboard showing LinkedIn global issues ZDX Score highlights LinkedIn outageVisible on the ZDX admin portal dashboard, the ZDX Score represents all users in an organization across all applications, locations, and cities on a scale of 0 to 100, with the low end indicating a poor user experience. Depending on the time period and filters selected in the dashboard, the score will adjust accordingly. The dashboard shows that the ZDX Score for the LinkedIn probes dropped to ZERO during the outage window of approximately 1 hour. From within ZDX, service desk teams can easily see that the service degradation isn’t limited to a single location or user and quickly begin analyzing the root cause. ZDX Score indicating LinkedIn outage and recovery (times in EST) Also in the ZDX dashboard, “Web Probe Metrics” highlight the user impact of reaching LinkedIn applications across a timeline with response times. In this case, the server responded with 503 errors, indicating the server was not ready to handle requests. ZDX Web Probe Metrics indicating 503 errors (times in EST) ZDX can quickly identify the root cause of user experience issues with its new AI-powered root cause analysis capability. This spares IT teams the labor of sifting through fragmented data and troubleshooting, thereby accelerating resolution and keeping employees productive. With a simple click in the ZDX dashboard, you can analyze a score, and ZDX will provide insight into potential issues. As you can see, in the case of this LinkedIn outage, ZDX highlights that the application is impacted while the network itself is fine. ZDX AI-powered root cause analysis indicates the reason for the outage When there’s an application outage, many IT teams turn to the network as the root cause. However, as you can see above, ZDX AI-powered root cause analysis verified that the network transport wasn’t the issue; it was actually at the application level. You can verify this by looking at the CloudPath metrics from the user to the destination. ZDX CloudPath showing full end-to-end data path ZDX CloudPath detailed hops between the nodes With AI-powered analysis and dynamic alerts, IT teams can quickly compare optimal vs. degraded user experiences and set intelligent alerts based on deviations in observed metrics. ZDX allows you to compare two points in time to understand the differences between them. This function determines a good vs. poor user experience, visually highlighting the differences between application, network, and device metrics. The end user comparison during the LinkedIn outage vs. a known good score indicates the ZDX Score difference, highlighting the unexpected performance drop for the end user. ZDX comparison mode identifies the change in user experience According to the LinkedIn status page, the outage was reported at 12:50 PST until 14:05 PST, which correlates to the ZDX data above. However, LinkedIn services started to recover pretty quickly, by 13:40 PST, and LinkedIn reported the issue resolved by 14:05 PST. Source: LinkedIn With ZDX alerting, our customers were proactively notified about end user problems, and incidents were opened automatically with our service desk integration (e.g., ServiceNow) long before users started to report it. From a single dashboard, customers were able to quickly identify this as a LinkedIn issue, not an internal network outage, saving precious IT time. Zscaler Digital Experience successfully detected a LinkedIn outage along with its root cause, giving our customers the confidence that it was not a single location, their networks, or devices, averting critical impact to their business. Try Zscaler Digital Experience today ZDX helps IT teams monitor digital experiences from the end user perspective to optimize performance and rapidly fix offending application, network, and device issues. To see how ZDX can help your organization, please contact us. Thu, 07 Mar 2024 19:14:07 -0800 Rohit Goyal From VDI replacement to complementary use: Part 2 In the first part of this VDI blog series, we discussed the two major use cases of access granularity and traffic inspection and how Zscaler can support these with the help of the Zero Trust Exchange platform. In this blog, we will focus on more use cases and ways to integrate Zscaler as complementary solution to VDI to cover security related aspects. Data residency restriction This use case deserves a deeper investigation, because although we can say that it is supported, there could be specific instances in which Zscaler cannot replace the VDI environment. Zscaler Cloud Browser Isolation (CBI) prevents data to leave the corporate boundary. We can define what level of restriction applies to the data exchange between the actual application and the isolated container. The recent introduction of Endpoint DLP capabilities could further help our conversation when stricter security requirements are required. Zscaler Cloud Browser Isolation is inherently non-persistent; the virtual machine is terminated after each session. Now, imagine the scenario of a developer working remotely on a virtual desktop where he has his own environment and data can’t leave the company area. This individual would need a persistent desktop to work, and the user environment shouldn’t be destroyed when he closes the working session. This use case could be challenging for a VDI replacement. This use case could be addressed by leveraging the Private Remote Access (PRA) and RDP. In the above example, an RDP session could be launched toward a machine where the developer can work and log in, where their development environment sits and where communication is local, and data won't leave the company boundary. Obviously, the organisation’s environment must be assessed carefully to validate the pros and cons of the proposed alternative. Traffic localization In this scenario, the goal is to keep the communication local to the data centre due to performance issues. From a Zscaler point of view, the area of potential replacement exists once we validated the possibility to leverage Private Remote Access (PRA) and RDP with the customer, where a remote session is launched toward a machine that interacts locally with the server. Desktop or software license management / reduction The discussion about this scenario under the assumption to keep the VDI environment up and running needs a preamble. ZCC does not support multiple, simultaneous user sessions from a single host operating system. The main problem to address is supporting ZIA and ZPA services on multi-user VDI environments. Zscaler now offers the ability to inspect all ports and protocols for multi-session, non-persistent VDI deployments in the public cloud and on-prem data centers through the use of a VDI agent. Enterprises can apply granular threat and data protection policies per individual user session, enabling enterprises to maintain common security policies across all environments. Multi-user VDI can be hosted on a public cloud (Azure, AWS, etc.) or private data centers (VMWare or KVM, etc.). Cloud/Branch Connector can be used to direct traffic from the VDI users to the Zscaler cloud and extend ZIA and ZPA services to the VDI users. However, Cloud/Branch Connector does not have any user/VM context to the traffic and will enforce a single security policy to all the VDI users. To fix this issue, we leverage a VDI agent, that is a lightweight software package running in the user space of the VDI session. It is responsible for authenticating users, establishing a tunnel to Branch or Cloud Connector (Control and Data) and exchanging user context with the Branch or Cloud Connector (see below diagram). The VDI Agent maintains proprietary, lightweight tunnels (UDP encapsulation) to the local Cloud or Branch Connector. These tunnels carry both user session data in the payload, as well as user context information in the UDP header. These tunnels are stateless, which ensures that - in the event of a Branch or Cloud Connector failure - they can failover to other active appliances. With that said, we have now the possibility to extend Zscaler services to multi-user VDI environments. Legacy app support Although this scenario is becoming more and more niche due to applications and architecture evolution, that’s an area where VDI could help customers. The Zscaler Client Connector supports the latest software version and the two previous versions for each software product. See more details on the Zscaler Help page. At a higher level - digging into why organisations use VDI in the first place is important. Walking through their use cases and applications to explore the scope is important to move customers beyond the assumptions that flow from the on-premises/on-network mindset. In some cases, Zscaler can be integrated in the existing environment to simply provide the appropriate level of security. There are two main aspects to consider: Most applications are now web-based and could be securely made available to users regardless of VDI. Even if VDI is not replaced for all users, there are multiple reasons to integrate with ZIA/ ZPA. Just think about users like financial advisors and insurance agents. Many firms have moved to web-based apps, DocuSign, etc. There may no longer be a hard requirement for those thousands of users to have VDI. This requires going beyond what the network team may see, and engaging architects, app owners, etc. If we focus on the second aspect; rather than replacing the VDI infrastructure, another approach is to complement it. If we think about those use cases, organisations could still have security concerns around the user’s connectivity to the VDI environment (e.g. VMware Knowledge Base). In these scenarios, ZPA could protect that user traffic: it can secure access “to” the VDI environment and access “from” the VDI environment like shown in the below diagram. The protection of traffic aimed to Internet/SaaS is addressed by ZIA services. Connectivity to the VDI environment: Organisations may either put the VDI on the edge with its own DMZ infrastructure, firewall, security gateway, load balancer, etc. and have users connect directly or leverage a VPN-like technology to put the user on the network to access the VDI. ZPA, with Client Connector, enables a customer to either replace their internet-facing components or replace their VPN that is putting users onto the network. Connectivity from the VDI environment: Organisations want to further segment what users have access to from their trusted device. ZPA with Client Connector can assist with setting up granular access on an application level. Complete alternative to VDI: Organisations can leverage alternatives to VDI such as Zscaler Browser Isolation to replace their traditional VDI architecture. The benefits remain the same if a user has a browser managed by the enterprise which is isolated from the endpoint, the organisations admin remains in control of what can be egressed. Benefits of such an approach is the significantly lowered overhead to manage such a capability. The Zscaler Client Connector can be installed on the user’s device along with the VDI client, and ZPA carries the VDI traffic as a private application. Another option is installing ZCC on the virtual desktop instance (Citrix XenDesktop, Azure WVD, Amazon WorkSpaces) to control what the user has access to internally. Existing customers are deploying this model with WVD and Amazon Workspaces using ZCC for both ZIA and ZPA. Benefits in such a scenario are centralized visibility and control, single access control policy config for VDI, and other forms of access, creating a consistent user experience. Finally, a hybrid approach is feasible. In this case, organisations want to offer direct ZPA access to employees, but VDI-only access to third parties, and want to extend ZPA’s centralized visibility and control for VDI users accessing private applications. All these examples show that there are multiple ways to either completely exchange or complement the existing VDI installation. Fri, 08 Mar 2024 00:59:22 -0800 Stefano Alei Positioning Zscaler Private Access Relative to VDI: Part 1 What are some of the most common concerns heard from customers about virtual desktop infrastructure (VDI)? They are often related to cost, complexity, management, upkeep, and security. How can Zscaler solve these challenges? VDI is an undoubtedly complex environment, and having a clear picture of the organization’s needs, and positioning the right solution to improve security, reduce complexity, and improve the user experience is not always easy. Zscaler Private Access (ZPA) has evolved in the past few years and become a direct replacement of VDI, whether on-premises or cloud-delivered. It is, however, not yet possible to map all the use cases supported by a VDI implementation and, in general, is not a trivial task. Sometimes Zscaler can play a role by simply integrating solutions and providing the right level of security. To be able to understand which role ZPA can play to replace VDI, it is crucial to first understand why the customer is using a VDI. Organisations leverage VDI for various reasons. The most common use cases are: 1. Access granularity – restrict users’ access to only authorized applications 2. Traffic inspection – VDI as a choke point to run all traffic through on-premises security stacks 3. Data residency restriction a) Ensure data stays within corporate boundary and/or b) Ensure data is never stored on an end user's device 4. Traffic localization – minimize latency for heavyweight client-server interactions (e.g. database calls) 5. Desktop or software license management / reduction a) Clean desktop experience b) Persistent desktop that the user can access from multiple devices c) Software deployed to a limited pool of virtual desktops, rather than to all user devices 6. Legacy app support – enable access to apps that require an older OS VDIs are expensive, cumbersome to manage, and often hinder user experience. But there is much more to think about: we are witnessing profound changes in the EUC (End User Computing) market. Considering most applications are now web-based, you could potentially replace a VDI with an isolated browser access and provide secure access to these web applications. Applications requiring access via protocols, such as SSH and RDP, can be easily addressed using the Zscaler Privileged Remote Access (PRA). However, organisations probably still need to depend on VDIs in certain scenarios, like if they have applications requiring thick clients. In this case, they would be able to significantly reduce the size of their VDI deployment by using browser isolation. Whenever Zscaler can’t replace VDI, it can still be integrated. Zscaler can secure Internet/SaaS access of VDI instances, and additionally can protect access to VDI infrastructure. Whenever there is a VDI environment, ZIA and ZPA capabilities can play a role and improve an environment. Major use cases in detail 1. Access granularity This use case is fully supported and can be deployed by leveraging multiple capabilities of the Zscaler Zero Trust Exchange platform, like Browser Isolation. It allows you to leverage a web browser for user authentication and application access over ZPA, without requiring users to install Zscaler Client Connector on their devices. In certain cases, it might not be feasible or desirable to install Client Connector on all devices. For example, you might want to provide third-party access to applications on devices that might not be owned or managed by your company (e.g., contractor or partner-owned devices) or control user access to applications on devices with operating systems that are not currently supported by Zscaler Client Connector. Browser Isolation (BI) enhances the ZPA experience by making applications accessible for users from any web browser without requiring Zscaler Client Connector or browser plugins and configurations. Additionally, the existing Identity Provider (IdP) can be used to provide access to current users, contractors, and other third-party users without managing an internet footprint. BI is a feature that addresses needs in both cyberthreat protection and data loss prevention and can be leveraged for both internet/SaaS apps and private apps. BI policies can dictate if a site should be run within isolation, and if so, whether you allow cut/paste and download capabilities for the user. An isolation container is instantiated for each user in the cloud and only pixels are transmitted to the user’s browser. Sites may be isolated due to a configured URL category, cloud app control policy, or suspicious destinations (if Smart Browser Isolation is enabled). Last, but not least, is worthwhile to mention the recent capabilities introduced by the User Portal 2.0, that allows unmanaged devices to SaaS & private web apps. With this feature enabled, unmanaged devices will be able to use ZPA user portal to access both sanctioned SaaS/private web apps AND have their internet facing traffic routed through ZIA while in Isolation mode. Organisations can provide access to sanctioned SaaS applications from unmanaged devices to enforce policies using the isolation policies defined on ZPA. The isolation containers that are created as a result of a ZPA Isolation Policy can forward non-ZPA defined application traffic and internet traffic generated to ZIA for further processing and enforcement of necessary policies. Any traffic generated for applications defined on ZPA will continue to be forwarded via ZPA’s ZTNA service. 2. Traffic inspection Although this use case is rare, traffic inspection is still fully supported, leveraging the inspection capability provided by the Zero Trust Exchange platform. We can use Zscaler Private Access (ZPA) AppProtection (formerly Inspection), that provides high-performance, inline security inspection of the entire application payload to expose threats. It identifies and blocks known web security risks, such as the OWASP Top 10, and emerging zero-day vulnerabilities that can bypass traditional network security controls. It can help to protect internal applications from all types of attacks in the OWASP predefined controls with SQL injection, cross-site scripting (XSS), and more. Additionally, it helps to understand the severity, description, and recommended default action for each type of attack related to OWASP predefined controls. Each OWASP predefined control is identified with a unique number, defining how the control operates, and is associated with the level of concern. The predefined controls are organized into various categories: - Preprocessors - Environment and Port Scanners - Protocol Issues - Request Smuggling or Response Split or Header Injection - Local File Inclusion - Remote File Inclusion - Remote Code Execution - PHP Injection - Cross-Site Scripting (XSS) - SQL Injection - Session Fixation - Deserialization - Issues Anomalies Additionally, Zscaler recently introduced support for inspecting ZPA application segment traffic. A predefined forwarding rule, ZIA Inspected ZPA Apps, is available on the Policy > Forwarding Control page to inspect the Microtunnel traffic of a ZPA application segment using ZIA. This rule is applied automatically to the traffic from ZPA application segments with the Inspect Traffic with ZIA field enabled in the ZPA Admin Portal. As part of this feature, a predefined Auto ZPA Gateway is available on the Administration > Zscaler Private Access Gateway page. This new gateway is the default for the predefined ZIA Inspected ZPA Apps forwarding rule. We can minimize data exfiltration concerns with ZPA AppProtection, by utilizing Cloud Browser Isolation (CBI) where unmanaged devices are prevented from downloading sensitive content to the local host. For corporately managed devices, organisations can leverage DLP with Source IP Anchoring (SIPA) utilizing the ZIA cloud. AppProtection customers can craft custom signatures to detect and block bulk data downloads and use those in conjunction with other validation methods such as ZPA posture control. Organisations can rely on Zscaler Internet Access (ZIA) SSL Inspection best practices for configuring and deploying in an organization's network environment, for example, while accessing SaaS applications. Encrypting communications helps maintain the privacy and security of information passed between sender and receiver communications. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols designed for the privacy and security of internet services. While these protocols do a great job of keeping information private from prying eyes, these security tools also conceal threats to the user, device, and organization. This is where the inspection of SSL and TLS encrypted traffic becomes a necessity. Inspecting encrypted SSL and TLS traffic via SSL Inspection is done by the Zero Trust Exchange at scale, allowing organizations to control risk and enforce policy. Enabling SSL Inspection is a required first step towards: - Controlling risk - Inspecting traffic (malware, data loss) - Adaptive control - Enforcing policy - Per-session policy decision and enforcement - Allowing, blocking, and restricting tenants environment. Use cases 3 to 6 will be covered in part two of this series. Fri, 01 Mar 2024 02:41:49 -0800 Stefano Alei Securing Government Workload Communications in the Public Cloud As government agencies continue their journey towards digital transformation, many are embracing hybrid cloud deployments to modernize their operations. A transition to a public or private cloud brings new challenges, especially when it comes to securing workload communications. In this blog, we will delve into the reality of hybrid cloud deployments and explore how Zscaler's zero trust architecture provides a comprehensive solution for securing government workloads in the public cloud. The Expanding Definition of Hybrid Cloud Hybrid cloud deployments have become increasingly complex as agencies expand their infrastructure across multiple regions and clouds. Rather than relying on a single cloud or region, agencies leverage different regional clouds to ensure availability and scalability. Additionally, within a specific region, agencies may need to consider availability zones to ensure business continuity. Figure 1 illustrates scenarios of hybrid cloud deployments. Workload Communications in the Public Cloud To illustrate the challenges of workload communications, let's consider the example of a Department of Motor Vehicles (DMV) application deployed in the AWS GovCloud. This application needs to interact with other workloads or applications, such as a CRM or ERP system in the data center, to access driver records. It may also need to communicate with scheduling applications in different regions or clouds, and even access vehicle registration information stored in a different cloud provider such as Azure. Additionally, the DMV application may require software updates and send logs to the Google Cloud Platform. Figure 2 shows Legacy Architecture Challenges Traditionally, agencies have extended their on-premises architecture to the cloud by deploying firewalls and VPNs. While this approach may provide initial security, it also amplifies lateral movement, increases cyberthreats, and exposes the infrastructure to data leaks. Moreover, deploying and managing multiple firewalls and VPNs across different cloud environments and regions adds complexity and operational costs. Introducing Zscaler's Zero Trust Approach Zscaler offers a cloud-delivered security platform based on zero trust principles to address the challenges faced by government agencies in securing workload communications. By adopting a zero trust proxy-based architecture, Zscaler eliminates the expanded attack surface and lateral movement risks associated with legacy architectures. Connectivity and Security Zscaler's platform provides both connectivity and security for workloads in the public cloud. It ensures secure connectivity by allowing access only to specific URLs or APIs, preventing open access to the internet. Workload-to-workload communications are based on least privileged access, ensuring that each workload can only communicate with authorized resources. Before any connection is established, zero trust-based authentication and authorization checks are performed, further enhancing security. Threat Prevention and Data Protection Zscaler's platform offers comprehensive threat prevention and data protection capabilities. It provides URL filtering, intrusion prevention, DNS protection, and behavior analysis, all backed by AI and ML-based risk analysis. Inline data protection ensures that sensitive data does not leak from workloads, with features such as regex-based checks, exact data management matching, OCR technology for file inspection, and AI/ML-based data classification. TLS Decryption at Cloud Scale With the increasing prevalence of encrypted traffic, TLS decryption at cloud scale becomes crucial. Zscaler's platform provides 100% inspection of traffic without compromising performance. This allows for effective threat prevention and data protection, ensuring the safety of data packets and preventing malicious intent. Granular App-to-App Segmentation Zscaler enables granular app-to-app segmentation, eliminating the need for expensive networking infrastructure or additional layers of segmentation software. This ensures that workloads can only access authorized resources, providing an additional layer of security. The Common Platform Advantage Zscaler's platform offers a common platform for securing workloads across multiple clouds. By installing lightweight cloud connectors in different clouds, agencies can benefit from standardized and consolidated security operations. This approach simplifies security management, reduces operational complexity and costs, and ensures consistent security policies across multiple clouds. It stops external threats, by protecting egress traffic from any malicious payload. It protects against insider threats by eliminating the threat of a bad actor within the agency who's got the credential to inflict harm, either by inserting a payload, a malicious payload, or trying to exfiltrate data sensitive data. The Zero Trust Exchange is designed to eliminate lateral movement and reduce the attack surface significantly. Moreover, Zscaler's platform is both FedRAMP and StateRAMP Authorized and GovCloud ready. For more information on Zscaler Workload Communications: Download the Datasheet Watch the Webinar: Ensuring Cloud Workload Security for Federal and State Government Request a Test Drive in AWS Wed, 28 Feb 2024 05:05:01 -0800 Sakthi Chandra Why Haven’t Firewalls and VPNs Stopped More Organizations from Being Breached? Reducing cyber risk is an increasingly important initiative for organizations today. Due to the fact that a single cyber breach can be financially fatal as well as disastrous for countless stakeholders, improving cybersecurity has become a board-level concern and drawn increased attention from regulatory bodies around the globe. As a result, organizations everywhere have poured massive amounts of time and money into security technologies that are supposed to protect them from cybercriminals’ malicious ends. Specifically, the go-to tools that are deployed in an effort to enhance security are firewalls and VPNs. Despite the above, breaches continue to occur (and increase in number) at an alarming rate every year. News headlines about particularly noteworthy breaches serve as continual reminders that improperly mitigating risk can be catastrophic, and that the standard tools for ensuring security are insufficient. One needs not look far for concrete examples—the security debacles at Maersk and Colonial Pipeline are powerful, salient illustrations of what can go wrong. With more and more organizations falling prey to our risk-riddled reality, an obvious question arises: Why haven’t firewalls and VPNs stopped more organizations from being breached? The weaknesses of perimeter-based architectures Firewalls and VPNs were designed for an era gone by; when users, apps, and data resided on premises; when remote work was the exception; when the cloud had not yet materialized. And in this age of yesteryear, their primary focus was on establishing a safe perimeter around the network in order to keep the bad things out and the good things in. Even for organizations with massive hub-and-spoke networks connecting various locations like branch sites, the standard methods of trying to achieve threat protection and data protection still inevitably involved securing the network as a whole. This architectural approach goes by multiple names, including perimeter-based, castle-and-moat, network-centric, and more. In other words, firewalls, VPNs, and the architecture that they presuppose are intended for an on-premises-only world that no longer exists. The cloud and remote work have changed things forever. With users, apps, and data all leaving the building en masse, the network perimeter has effectively inverted, meaning more activity now takes place outside the perimeter than within it. And when organizations undergoing digital transformation try to cling to the traditional way of doing security, it creates a variety of challenges. These problems include greater complexity, administrative burden, and cost, as well as decreased productivity and—of primary importance for our topic in this blog post—increased risk. How do firewalls and VPNs increase risk? There are four key ways that legacy tools like firewalls and VPNs increase the risk of breaches and their numerous, harmful side effects. Whether they are hardware appliances or virtual appliances makes little difference. They expand the attack surface. Deploying tools like firewalls and VPNs is supposed to protect the ever-growing network as it is extended to more locations, clouds, users, and devices. However, these tools have public IP addresses that can be found on the internet. This is by design so that the intended users can access the network via the web and do their jobs, but it also means that cybercriminals can find these entry points into the network and target them. As more of these tools are deployed, the attack surface is continually expanded, and the problem is worsened. They enable compromise. Organizations need to inspect all traffic and enforce real-time security policies if they are to stop compromise. But about 95% of traffic today is encrypted, and inspecting such traffic requires extensive compute power. Appliances have static capacities to handle a fixed volume of traffic and, consequently, struggle to scale as needed to inspect encrypted traffic as organizations grow. This means threats are able to pass through defenses via encrypted traffic and compromise organizations. They allow lateral threat movement. Firewalls and VPNs are what primarily compose the “moat” in a castle-and-moat security model. They are focused on establishing a network perimeter, as mentioned above. Relying on this strategy, however, means that there is little protection once a threat actor gets into the “castle,” i.e., the network. As a result, following compromise, attackers can move laterally across the network, from app to app, and do extensive damage. They fail to stop data loss. Once cybercriminals have scoured connected resources on the network for sensitive information, they steal it. This typically occurs via encrypted traffic to the internet, which, as explained above, legacy tools struggle to inspect and secure. Similarly, modern data leakage paths, such as sharing functionality inside of SaaS applications like Box, cannot be secured with tools designed for a time when SaaS apps did not exist. Why zero trust can stop organizations from being breached Zero trust is the solution to the above problems. It is a modern architecture that takes an inherently different approach to security in light of the fact that the cloud and remote work have changed things forever, as described earlier. In other words, zero trust leaves the weaknesses of perimeter-based, network-centric, firewall-and-VPN architectures in the past. With an inline, global security cloud serving as an intelligent switchboard to provide zero trust connectivity (along with a plethora of other functionality), organizations can: Minimize the attack surface: Hide applications behind a zero trust cloud, eliminate security tools with public IP addresses, and prevent inbound connections Stop compromise: Leverage a high performance cloud to inspect all traffic at scale, including encrypted traffic, and enforce real-time policies to stop threats Prevent lateral movement: Connect users, devices, and workloads directly to apps they are authorized to access instead of connecting them to the network as a whole Block data loss: Prevent malicious data exfiltration and accidental data loss across all data leakage paths, including encrypted traffic, cloud apps, and endpoints In addition to reducing risk, zero trust architecture solves problems related to complexity, cost, productivity, and more. If you would like to learn more about zero trust, join our upcoming webinar, “Start Here: An Introduction to Zero Trust.” Or, if you would like to dive deeper on the weaknesses of yesterday’s tools, read our new ebook, “4 Reasons Firewalls and VPNs Are Exposing Organizations to Breaches.” Tue, 27 Feb 2024 08:04:02 -0800 Jacob Serpa Microsoft, Midnight Blizzard, and the Scourge of Identity Attacks Summary On January 19, 2024, technology leader Microsoft disclosed that it had fallen victim to a Russian state-sponsored cyberattack that gave the threat actors access to senior management mailboxes and resulted in sensitive data leakage. While we will break down the attack step-by-step and explain what organizations can do to defend against similar attacks below, here’s a TL;DR. The threat actor Midnight Blizzard: State-sponsored Russian threat actor also known as Nobelium, CozyBear, and APT 29 Notable Midnight Blizzard breaches: Hewlett Packard Enterprise (December 12, 2023) and SolarWinds (December 14, 2020) The facts Attack target: Microsoft’s Entra ID environment Techniques used: Password spraying, exploiting identity and SaaS misconfigurations Impact: Compromised Entra ID environment, unauthorized access to email accounts of Microsoft’s senior leadership team, security team, legal, and more What’s unique about the attack? Using stealthy identity tactics that bypasses existing defenses to compromise users Exploiting misconfigurations in SaaS applications to gain privileges Exploiting identity misconfigurations in Entra ID to escalate privileges The attack sequence Found a legacy, non-production test tenant in Microsoft’s environment. Used password spraying via residential proxies to attack the test app tenant. Limited the number of attack attempts to stay under the threshold and evade blocking triggered by brute forcing heuristics. Guessed the right password and compromised the test tenant’s account. Generated a new secret key for the Test App that allowed the threat actor to control the app every where it was installed. Test App was also present in the corporate tenant. Threat actor used the app’s permissions to create an admin user in the corporate tenant. Used the new admin account to create malicious OAuth apps. Granted the malicious app the privilege to impersonate the users of the Exchange service. Used the malicious app to access Microsoft employee email accounts. Microsoft’s official guidance Defend against malicious OAuth applications Audit privileged identities and apps in your tenant Identify malicious OAuth apps Implement conditional access app control for unmanaged devices Protect against password spray attacks Eliminate insecure passwords Detect, investigate, and remediate identity-based attacks Enforce multi factor authentication and password protections Investigate any possible password spray activity Zscaler’s guidance Continuously assess SaaS applications for misconfigurations, excessive permissions, and malicious changes that open up attack paths. Continuously assess Active Directory and Entra ID (previously known as Azure AD) for misconfigurations, excessive permissions, and malicious changes that open up attack paths. Monitor users with risky permissions and misconfigurations for malicious activity like DCSync, DCShadow, kerberoasting, etc. that is typically associated with an identity attack. Implement containment and response rules to block app access, isolate the user, or quarantine the endpoint on an identity attack detection. Implement deception to detect password spraying, Entra ID exploitation, Active Directory exploitation, privilege escalation, and lateral movement for instances where stealthy attacks bypass existing detection and monitoring controls. Deconstructing the attack The threat actor Midnight Blizzard has had a long history of pulling off highly publicized breaches. It’s Microsoft this time around, but in the past, they’ve allegedly compromised Hewlett Packard Enterprise and SolarWinds. To people who analyze attacks for a living, the Microsoft breach should not come as a surprise. Midnight Blizzard is among a growing list of nation-state and organized threat actors that rely on identity compromise and exploiting misconfigurations/permissions in SaaS applications and identity stores to execute breaches that conventional security thinking cannot defend against. Other threat groups using these strategies and techniques include Evil Corp, Lapsus$, BlackMatter, and Vice Society. In case of the Microsoft breach, the attackers demonstrated a profound understanding of OAuth mechanics and attack techniques to evade detection controls. They created malicious applications to navigate Microsoft's corporate environment. And by manipulating the OAuth permissions, they granted themselves full access to Office 365 Exchange mailboxes, enabling them to easily exfiltrate sensitive emails. Security challenges Identity-centric tactics: Midnight Blizzard strategically targeted identities, exploiting the user's credentials as a gateway to sensitive data. Conventional detection controls like EDRs are not effective against such attacks. OAuth application abuse: The adversaries adeptly abused OAuth applications, a technique that complicates detection and enables prolonged persistence. Misconfiguration blind spots: Identifying misconfigurations within Active Directory/Entra ID and SaaS environments remains a complex task, often resulting in blind spots for defenders. Step-by-step breakdown Pre-breach Before the attack commenced, an admin within Microsoft's test tenant had created an OAuth app. For the purpose of this blog post, let’s call this app ‘TestApp.’ For reasons unknown, this app was subsequently installed in Microsoft's corporate environment with elevated permissions, likely encompassing the scope Directory.ReadWrite.all, granting it the capability to create users and assign roles. Notably, this app appeared to be dormant and possibly forgotten. ThreatLabz note: There is an unimaginable sprawl of applications, users, and associated misconfiguration and permissions that security teams often have no visibility into. More often than not, blind spots like these are what result in publicized breaches. Initial access In late November 2023, Midnight Blizzard initiated reconnaissance on Microsoft's SaaS environment. Discovering the test tenant, the attacker targeted its admin account, which, being a test account, had a weak, guessable password and lacked multi-factor authentication (MFA). Employing a password spraying attack, the attacker systematically attempted common passwords to gain access, leveraging residential proxies to obfuscate their origin and minimize suspicion. Eventually, the attacker successfully compromised the admin account. ThreatLabz note: Traditional threat detection and monitoring controls are ineffective against attacks that use valid credentials, MFA-prompt bombing, and other identity-centric techniques to compromise users. Persistence With control over the admin account, the attacker obtained the ability to generate a new secret key for TestApp, effectively commandeering it across all installations. This tactic mirrors techniques observed in the SolarWinds attack of 2020. ThreatLabz note: In the absence of continuous monitoring and high-confidence alerting for malicious changes being made to permissions in SaaS applications, attacks like these easily cross the initial access phase of the kill chain. Privilege escalation Given TestApp's permissions within Microsoft's corporate tenant, the attacker created a new user, likely an administrator, to further their access. Subsequently, the attacker deployed additional malicious OAuth apps within the tenant to evade detection and ensure persistence, leveraging TestApp to grant elevated roles, such as Exchange role EWS.full_access_as_app, facilitating mailbox access and bypassing MFA protection. ThreatLabz note: Configuration and permission based blindspots extend to identities themselves. As such, it is imperative that organizations have the ability to continuously assess their Active Directory/Entra ID for misconfigurations, excessively permissive policies, and other permissions that give attackers the ability to escalate privileges from a compromised identity. They should also continuously monitor for malicious changes in the identity store that might potentially be creating additional attack surfaces. Lateral movement Though specifics regarding the number and origin of installed apps remain unclear, the attacker's utilization of TestApp to confer privileges is evident. This culminated in unauthorized access to mailboxes belonging to Microsoft's senior leadership, security personnel, legal team, and other stakeholders. How zero trust can help A zero trust architecture provides a fundamentally secure approach that is better at protecting against stealthy attacks that are used by nation-state threat actors and organized adversaries. Zero trust fundamentally eliminates weaknesses in your environment that are core properties of hub and spoke network models. Below is a 10,000 foot reference architecture for zero trust that explains how and why it better protects against Midnight Blizzard-style attacks. Core zero trust capabilities This is the heart of a zero trust architecture consisting of Internet Access and Private Access. The Zero Trust Exchange acts as a switchboard brokering all connections between users and applications. This architecture makes your applications invisible to the Internet, thereby eliminating the external attack surface, replaces high-risk VPNs, and uses segmentation to reduce lateral threat movement and internal blast radius. To broker the connection, the Zero Trust Exchange verifies the identity, determines the destination, assesses risk, and enforces policy. ThreatLabz note: Zscaler extends core zero trust capabilities with SaaS supply chain security, Identity Posture Management, ITDR, Deception, and Identity Credential Exposure to eliminate application and identity misconfigurations, detect stealthy attacks, and provide visibility into exposed credentials on endpoints to remove lateral movement paths. Below, we breakdown what each of these capabilities can do. SaaS Security While the move to the cloud and SaaS applications has aided organizations to accelerate their digital transformation, it has also created a new set of security challenges. Among these, the lack of visibility into dangerous backdoor connections to SaaS applications is paramount as it creates supply chain risk — the kind that was exploited in the Microsoft breach. SaaS Security strengthens your security posture by providing visibility into third-party application connections, over-privileged access, risky permissions, and continuous monitoring for changes that can be malicious in nature. It is a core step in securing your SaaS environment. Identity Posture Management Nine in ten organizations are exposed to Active Directory attacks and there has been a 583% increase in Kerberoasting and similar identity attack techniques in 2023 alone. These are not isolated phenomena. Misconfigurations and excessive permissions in Active Directory and other identity providers are what enable these types of attacks. For example, an unprivileged account without MFA having the ability to control an application with privileged roles should be flagged, but most security teams do not have appropriate visibility into these types of misconfigurations. Identity Posture Management augments zero trust by providing security teams visibility into identity misconfigurations, policies, and permissions that open up potential attack paths. With periodic assessments, security teams can leverage remediation guidance to revoke permissions, limit policies, and remove misconfigurations. Identity Posture Management also alerts security teams to malicious changes in the Active Directory in real time. Deception and ITDR (Identity Threat Detection and Response) As evidenced in the Microsoft breach, attackers used password spraying from a residential proxy and limited the number of tries to evade detection. Traditional threat detection and monitoring approaches just do not work here. Deception, on the other hand, is a pragmatic approach that can detect these attacks with fairly high confidence. Decoy users created in Entra ID can detect such password spraying attacks without false positives or the need to write complex detection rules. ITDR can detect identity-specific attacks like DCSync, DCShadow, and Kerberoasting that would otherwise require detection engineering and significant triage to spot. Identity Credential Exposure While TTPs (Techniques, Tactics, and Procedures) were not reported for credential exploitation, credentials and other sensitive material (like username, passwords, authentication tokens, connection strings, etc.) on the endpoint in files, registry, and other caches are something that threat actors like Volt Typhoon, Scattered Spider, BlackBasta, BlackCat, and LockBit are known to have exploited in publicly reported breaches. Identity Credential Exposure provides security teams with visibility into credential exposure across their endpoint footprint, highlighting blind spots that open up lateral movement and data access paths from the endpoint. Zero trust creates multiple opportunities to detect and stop Midnight Blizzard-style attacks Problem Solution How does it work? MITRE ATT&CK Technique Password spraying Zscaler Deception Decoy user accounts in Entra ID can detect any attempts to sign in using the credentials of the decoy users. Any failed/successful attempts will be logged to detect attacks like password spraying T1110.003 - Brute Force: Password Spraying T1078.004 - Valid Accounts: Cloud Accounts Existence of apps/SPNs with high privilege Zscaler ITDR ITDR can surface unprivileged accounts that have a path (e.g., owner rights) to apps with privileged roles NA Creation of apps/SPNs with high privilege Zscaler SaaS Security Monitoring for and alerting when a risky app is added, app is created by an unverified publisher, and when an app hasn’t been used in a while There is no technique that maps to this but in terms of the nature of the technique, the ones listed below are a close approximation of how you think of the attack. T1136.003 - Create Account: Cloud Account T1098.003 - Account Manipulation: Additional Cloud Roles Creation/modification of users with high privileges Zscaler ITDR Monitoring of an alerting on unauthorized addition of privileged permissions to principals T1136.003 - Create Account: Cloud Account T1098.003 - Account Manipulation: Additional Cloud Roles Secret addition to apps Zscaler SaaS Security Flags applications with multiple Application Secrets T1098.001 - Account Manipulation: Additional Cloud Credentials Disabled MFA Zscaler ITDR Find accounts where MFA is disabled and get alerts when MFA is disabled for any account T1556.006 - Modify Authentication Process: Multi-Factor Authentication Consent grants Zscaler SaaS Security Monitors inclusion of high risk scopes like EWS.full_access_as_app or EWS.AccessAsUser.All to alert on the app’s risk level T1098.003 - Account Manipulation: Additional Cloud Roles T1098.002 - Account Manipulation: Additional Email Delegate Permissions What should I do next? Identity is the weakest link. Irrespective of whether you are running a zero trust architecture or not, start by getting visibility into identity misconfigurations and excessive permissions that can allow attackers to grant themselves privileges. We’re offering a complimentary Identity Posture Assessment with Zscaler ITDR. Gain visibility into your SaaS sprawl and find dangerous backdoor connections that can give attackers the ability to establish persistence. Request an assessment with Zscaler SaaS Security. Implement Deception irrespective of what other threat detection measures you have. It is one of the highest ROI threat detection controls that you can implement, augmenting controls like EDR. Zscaler Deception has a comprehensive set of decoys that can deceive and detect sophisticated attackers. If you are a Zscaler customer, contact your account manager for support on these assessments and Deception rollout. Tue, 13 Feb 2024 17:10:20 -0800 Amir Moin Start Your Journey in IT Support: A Beginner's Guide Navigating the nuances of IT troubleshooting can be challenging, especially if you're just starting out. Our ebook, A Beginner’s Guide to Troubleshooting Devices, Networks, and Applications for Service Desk Teams, breaks down the essentials of IT support in a clear, digestible format, making it a great resource for newcomers who are eager to become influential service desk team members. It’s a practical guide even for those with limited time. Whether you're dealing with device issues, network complexities, or application troubleshooting, you’ll find step-by-step instructions that are easy to follow even with minimal IT knowledge. We’ve designed this guide to help you enhance your troubleshooting skills, gain the confidence you need to master IT problem-solving, and become a valuable asset to any service desk team. In this ebook, you'll find: An overview of service desk challenges: Understand the evolving IT landscape and the pivotal role of IT support in maintaining productivity. Step-by-step ticket resolution processes: Learn how to handle and resolve IT issues, enhancing customer satisfaction efficiently. Categorization of IT issues: Familiarize yourself with common problems in devices, networks, and applications, along with strategies to tackle them. A focus on device, networking, and application issues: Gain insights into specific challenges in these areas and learn practical solutions. Strategies to enhance troubleshooting workflows: Discover how to streamline IT support processes and use advanced technologies for better problem-solving. It’s also an excellent tool for service desk managers to expedite team onboarding. By equipping your team with this resource, you’ll enable them to handle a wide range of IT issues independently. It reduces the need for escalations and empowers analysts to solve problems efficiently. Ultimately, it can help not only enhance your service desk team’s capabilities, but also significantly shorten the time it takes for new analysts to become proficient. Download the ebook today and transform your service desk team! Fri, 09 Feb 2024 19:14:07 -0800 Rohit Goyal IoT/OT Predictions for 2024 How many smart home devices are you running where you live? Smart speakers, thermostats, cameras, light bulbs, etc. Have you lost count yet? You could be forgiven, because Forbes projects there could be as many as 207 billion of these devices out in the world by the end of this year! By my calculation that works out to more than 25 devices for every human on the planet! In this blog, we’ll cover some of the top IoT/OT predictions for 2024, covering everything from AI at the edge to ransomware. Let’s jump in. IoT/OT devices will see a higher degree of proliferation than ever before Losing count of how many devices you have isn’t just a nuisance in the workplace; it’s a very real problem, particularly from a cybersecurity perspective. The challenge of keeping track of your IoT devices—not to mention keeping them secure—is only going to grow harder with the proliferation of sensors, monitors, point-of-sale, and myriad other devices that are feeding our hunger for data. Fortunately we’ve been working on that. Edge AI will make these devices smarter, faster No predictions blog post for 2024 would be complete without mention of the topic on everyone’s lips: artificial intelligence. Edge AI is already finding its way onto some smartphones, and as the technology advances, its inclusion in IoT/OT is inevitable. It will only improve as time passes, increasing the number of autonomous decisions being made without oversight. This can easily be positioned as a benefit, especially in remote locations where humans cannot or do not want to be, but it can also be a risk, if mishandled. 5G and other WAN connectivity will evolve to meet the needs of IoT/OT It seems we’ve been hearing about 5G forever, but it’s now starting to truly gain traction in the workplace as a new way to connect devices via the internet with minimal latency and without requiring a local network infrastructure. And it’s not alone—newer versions of the Wi-Fi standard, LPWAN, and even satellite connectivity are also coming to the forefront. This simply means we’re able to deploy sensors and other kinds of IoT devices into more locations, including remote and mobile ones, growing the number of potential use cases for the technology. Digital twins will still serve as proving grounds The accelerated growth in the number of sensors continues to cultivate the use of digital twins; virtual representations of the world around them that help us visualize and improve remote systems. Once again, the proliferation of IoT sensors will provide an even richer and more accurate view of what we’re monitoring. This will enable us to drive resource optimization and efficiency, and pave the way for the adoption of more sustainable systems. Taking all of these developments in aggregate, it’s plain to see that when it comes to IoT and OT growth, ‘we ain’t seen nothing yet’! As with all technological advances, there’s the potential that they will make our lives better and businesses more efficient and profitable. At the same time, it’s vital to ensure security is consideration number one when it comes to planning their deployment, especially when it comes to devices that talk to the internet. This brings us to the flip side of these predictions: the challenges they pose. Data privacy The combination of ubiquitous sensors and the rise of AI making use of the data they collect naturally leads us to consider data privacy. Regulations around the world, perhaps most famously the EU’s GDPR, ensure that privacy is a requirement rather than a consideration. The handling of potentially sensitive data is strictly controlled, and its misuse can significantly undermine public confidence, not to mention lead to potentially huge fines. Never is this a greater problem than when such data is leaked or exfiltrated from its owner for potentially nefarious uses. Ransomware on the (continued) rise As the Zscaler ThreatLabz team recently reminded us, ransomware attacks have risen sharply over the past year, over 37% in fact. At the same time, it’s becoming easier than ever to launch such attacks, aided by readily available AI and Ransomware-as-a-Service (RaaS) kits. The firmware problem Remember earlier when I asked you if you knew how many devices you have deployed? Here’s another one for you. Of those devices, how many of them have their firmware up to date? Do you even know what firmware they’re running to be able to establish this? An IoT device may have been secure on the day it shipped, but as our own computers and smartphones have taught us, regular updates are a fact of life in the cat-and-mouse game of vulnerability. A single compromised device could be all an attacker needs to begin their hunt for more damage to cause or data to steal. The ongoing risks presented by legacy security As the cybersecurity industry continues to incessantly point out, traditional security technology practices, many still employed by IT departments around the world, are fundamentally flawed. The ongoing use of firewalls and VPNs opens the door for lateral movement across networks and geographical boundaries, allowing bad actors the opportunity to reach the countless IoT/OT devices in use. Once the network is compromised, the bounty for an attacker grows ever larger. All of these challenges and more point to only one conclusion: Organizations must adopt a zero trust security architecture in order to protect the IoT and OT devices they will inevitably deploy this year. Conclusion On the one hand, the predictions for IoT/OT in 2024 are worth getting excited about. Our world is getting smarter, and advances in devices will no doubt help us drive improvements in our personal and professional lives. But to benefit positively we must put security first. This doesn’t mean adding more and more roadblocks on the network highways. It means reimagining security and building a framework based on the tenets of zero trust. If you’re new to zero trust and want to learn more, we’d like to welcome you to one of our monthly introductory live webinars where you can explore the many benefits of zero trust and why Zscaler delivers it better than anyone else. Click here and search ‘start here’ to find the next session to sign-up for. Tue, 06 Feb 2024 01:00:02 -0800 Simon Tompson Why Firewalls and VPNs Give You a False Sense of Security Firewalls and VPNs were once hailed as the ultimate solutions for robust enterprise security, but in today’s evolving threat landscape, organizations face a growing number of breaches and vulnerabilities that are outpacing these solutions. Today, the world we work in looks very different from the on-premises era as industries transform how and where work gets done. Firewalls and VPNs are crumbling pillars of a bygone era. They provide a false sense of security because they come with significant weaknesses that put companies at risk—weaknesses that are only realized when embracing digital transformation. Innovation in generative AI, automation, and IoT/OT technologies across industries is set to continue breaking barriers in 2024. This innovation also opens the door for attackers to automate phishing campaigns, craft evasive malware, reduce the development time of threats using AI, and even sell Ransomware-as-a-Service (RaaS). With the growing severity and number of breaches, there’s a heightened concern that VPN vulnerabilities will leave the door open for attackers. According to a Cybersecurity Insider survey, nearly 50% of organizations experienced VPN-related attacks from July 2022 to July 2023, and 90% of organizations are concerned about attackers exploiting third-party vendors to gain backdoor access into their networks through VPNs. It’s becoming clear that even the largest organizations with advanced firewalls still fall victim to breaches. Curious to know some of the reasons that firewalls and VPNs are letting organizations down? Read more below. A thinner sheet of protection across a larger attack surface VPNs and firewalls extend the network, increasing the attack surface with public IP addresses as they connect more users, devices, locations, and clouds. Users can now work from anywhere with an internet connection, further extending the network. The proliferation of IoT devices has also increased the number of Wi-Fi access points across this extended network, including that seemingly harmless Wi-Fi connected espresso machine needed for a post-lunch boost, creating new attack vectors to exploit. Perimeter-based architecture means more work for IT teams More doesn’t mean better when it comes to firewalls and VPNs. Expanding a perimeter-based security architecture rooted in firewalls and VPNs means more deployments, more overhead costs, more time wasted for IT teams - but less security and less peace of mind. Pain also comes in the form of degraded user experience and satisfaction with VPN technology for the entire organization due to backhauling traffic (72% of organizations are slightly to extremely dissatisfied with their VPN experience). Other challenges like the cost and complexity of patch management, security updates, software upgrades, and constantly refreshing aging equipment as an organization grows are enough to exhaust even the largest and most efficient IT teams. The bigger the network, the more operational complexity and time required. VPNs and firewalls can’t effectively guard against today’s threat landscape VPNs and firewalls deployed to protect and defend network access behave a lot like a security guard who sits at the front of a store in order to stop theft. Security Guards Firewalls and VPNs Stationed at the front door of a valuable store - tasked with identifying and stopping attacks. Can’t monitor all entrances at the same time. Deployed at key access points to an organization’s network. Can’t stop all the threats across every access point. Once an attacker gets in, they get access to the entire store. Permit lateral threat movement by placing users and entities onto the network. 1:few threat detection can’t scale unless you hire a lot of security guards to monitor all entrances. Can’t inspect encrypted traffic and enforce real-time security policies at scale. Can be slow, tired, expensive to hire, late for their shift and present a number of other issues that allow threats to go undetected and unanswered. Suffer from a variety of other challenges related to cost, complexity, operational inefficiency, poor user experiences, organizational rigidity, and more. Much like a lone security guard, VPNs and firewalls can help mitigate some risk, but they can’t keep up with the scale and complexity of the cybercrime of today. Your network is extending exponentially as you digitally transform your organization. With constant attacks on the horizon and a thinner cover of protection, how many million security guards can you hire? The Zero Trust Exchange delivers on the promise of security Unlike network-centric technologies like VPNs - zero trust architecture minimizes your attack surface and connects users to the apps they need directly—without putting anyone or anything on the network as a whole. Zscaler delivers zero trust with its cloud native platform: the Zscaler Zero Trust Exchange. The Zero Trust Exchange starts with the premise that no user, workload, or device is inherently trusted. The platform brokers a secure connection between a user, workload, or device and an application—over any network, from anywhere by looking at identity, app policies, and risk. As threats grow more dangerous, we can’t rely on a single security guard to keep everybody out anymore. VPNs and firewalls were designed to make organizations feel secure, but with all the evolving threats of today highlighting the cracks in these technologies, IT and security teams are left with a false sense of security. Truly secure digital transformation can only be delivered by implementing a zero trust architecture. The Zscaler Zero Trust Exchange is the comprehensive cloud platform designed to keep your users, workloads, IoT/OT, and B2B traffic safe in an environment where VPNs and firewalls can’t. If you’d like to learn more, join our webinar that serves as an introduction to zero trust and provides entry-level information about the topic. Or, if you’d like to go a level deeper, consider registering for one of our interactive whiteboard workshops for free Mon, 05 Feb 2024 14:26:59 -0800 Sid Bhatia AI Detections Across the Attack Chain Organizations face a constant barrage of cyberthreats. To combat these sophisticated attacks, Zscaler delivers layered security protections to deliver more effective security postures across the four key stages of an attack - attack surface discovery, compromise, lateral movement, and data exfiltration. Heading into 2024, with all the buzz surrounding artificial intelligence (AI) over the past year, we are asked daily by prospects and customers, "Zscaler, how do you use AI to keep us safer?" For more on where we see AI and security headed in 2024, please see the blog from our founder, Jay Chaudhry. In this blog, we will explore a handful of examples of Zscaler AI use across key stages of an attack—demonstrating how it can detect and stop threats, protect data, and make teams more efficient. Truth be told, we began to add AI detections into our portfolio some years ago to further bolster other detection methods, and it has paid off. Stage 1: Attack surface discovery While we will spend the better part of this blog discussing AI in other areas, the first stage of an attack involves attackers probing attack surfaces to identify potential weaknesses be exploited. These are often things like VPN/firewall misconfigurations or vulnerabilities, or unpatched servers. We wholeheartedly suggest considering ways to cloak your currently discoverable applications behind Zscaler to immediately reduce your attack surface and reduce your risk of successful attacks Stage 2: Risk of compromise During the compromise stage, attackers exploit vulnerabilities to gain unauthorized access to employee systems or applications. Zscaler's AI-powered products help reduce risk of compromise while prioritizing productivity. AI-powered phishing/C2 prevention: We better detect and stop credential theft and browser exploitation from phishing pages with real-time analytics on threat intelligence from 300 trillion daily signals, ThreatLabz research, and dynamic browser isolation. This means our AI makes us even more efficient in detecting new phishing or C2 domains. File-based attacks: We use AI in our cloud sandbox to ensure there is no tradeoff between security and productivity. Historically, in the case of the sandbox, a new file arrives and users must wait as it is analyzed, interrupting productivity. Our AI Instant Verdict in the sandbox prevents patient zero infections by instantly blocking high-confidence malicious files using AI, eliminated the need to wait for analysis on file we feel are very likely malicious. Our model fidelity is a result of years of ongoing training, analysis, and tuning interactions based on over 550 million file samples. AI to block web threats: Additionally, Zscaler's AI-powered browser isolation blocks zero day threats while ensuring employees can access the right sites to get their jobs done. URL filtering is effective in keeping users safe, but given that sites are either allowed or blocked, sometimes sites that are blocked are safe and needed for work. This is a productivity drain as users cannot access legitimate sites for work, resulting in unnecessary helpdesk tickets. AI Smart Isolation determines when a site might be risky and open it in isolation. This means organizations don't have to overblock sites to support productivity and can also maintain a strong web security posture. Stage 3: Lateral movement Once inside an organization, attackers attempt to move laterally to gain access to sensitive data. Zscaler's AI innovation reduces potential blast radius by employing automated app segmentation based on analysis of user access patterns to limit lateral movement risk. For instance, if we see only 250 of 4,500 employees accessing a finance application, we will use this data to automatically create an app segment that limits access to only those 250 employees, thus reducing potential blast radius and lateral movement opportunity by ~94 percent. Stage 4: Data exfiltration The final stage of an attack involves the unauthorized exfiltration of sensitive data from a company. Zscaler uses AI to allow companies to deploy data protections faster to protect sensitive data. With AI-driven data discovery, organizations no longer struggle with the time-consuming task of data fingerprinting and classification that delays deployment. Innovative data discovery automatically finds and classifies all data out of the box. This means data is classified as sensitive information immediately, so it can be protected right away from potential exfiltration and data breaches Zscaler's AI-driven security products provide organizations with robust protection across the four key stages of an attack. We also rely on AI to deliver cybersecurity maturity assessments as part of our Risk360 cyber risk management product. Rest assured, we are busy thinking, building, and adding new AI capabilities every day, so there is more to come, as AI-powered security is becoming indispensable in safeguarding organizations against cyberthreats. Fri, 26 Jan 2024 08:00:01 -0800 Dan Gould Cloud Workloads: Cybersecurity Predictions for 2024 The year 2023 witnessed explosive transitions in the cloud security market, with every aspect of the ecosystem—vendors, products, and infrastructure—undergoing significant change. Looking ahead to 2024, cybersecurity for workloads (VMs, containers, services) in the public cloud will continue to evolve as customers continue to strike a balance between aggressive cloud adoption and compliance with corporate security needs. Within this, CIOs and CISOs will challenge their teams to build a security platform that consolidates point products, supports multiple clouds (AWS, Azure, and GCP), and automates to scale security operations. As a result, we will see zero trust architecture leading the way in securing cloud workloads, real-time data protection, and centralized policy enforcement. Here are the top 5 trends we believe will unfold in 2024. 1. Lateral threat movement into clouds from on-premises environments will increase The cloud is where organizations' most valuable assets—applications and data—are heading. Attackers are employing innovative techniques that involve compromising an organization's on-premises network and laterally moving to its cloud domain. These techniques are seeing increased popularity with threat actors as inconsistencies persist between on-premises and public cloud environments. An attack detailed by the Microsoft Security research team (source: MERCURY and DEV-1084: Destructive attack on hybrid environment) exemplifies this trend. The threat actors first compromised two privileged accounts, then leveraged them to manipulate the Azure Active Directory (Azure AD) Connect agent. Two weeks prior to deploying ransomware, the threat actors used a compromised, highly privileged account to gain access to the device where the Azure AD Connect agent was installed. We assess with high confidence that the threat actors then utilized the AADInternals tool to extract plaintext credentials of a privileged Azure AD account. These credentials were subsequently used to pivot from the targeted on-premises environment to the targeted Azure AD environment. Fig. On-premises compromise pivots to the public cloud 2. Serverless services will significantly widen the attack surface Serverless functions offer tremendous simplicity, allowing developers to focus solely on writing and deploying code without worrying about its underlying infrastructure. The adoption of microservices-based architectures will continue to drive the use of serverless functions due to their reusability as well as their ability to speed up application development. However, there is a significant security risk associated with serverless functions, as they interact with various input and event sources, often requiring HTTP or API calls to trigger actions. They also utilize cloud resources such as blob stores or block storage, employ queues to sequence interactions with other functions, and connect with devices. These touchpoints increase the attack surface, as many of them involve untrusted message formats and lack proper monitoring or auditing for standard application layer protection. Fig. Serverless functions can access the full stack of additional services, creating a wide attack surface 3. Identity-based security policies will be redefined as it pertains to public cloud protection As workloads start to mushroom in public clouds, each CSP will bring their own disparate identity capabilities. Unlike with users, there is no one ring (Active Directory) to rule them all. IT shops will continue to deal with disconnected identity profiles across on-premises, private cloud, and public cloud for workloads. That said, in 2024, security teams will continue to deal with multiple workload attributes to write their security policies, and higher level abstractions (like user defined tags) will start to gain wider adoption as such. This will drive consistency between cybersecurity and other resource management functions (billing, access controls, authentication, reporting) for cloud workloads. Fig. User Defined tags will be used to implement zero trust architecture to secure workloads in the cloud 4. Enterprises will evaluate and deploy cloud-delivered security platforms that support multiple public clouds Staffing people and building architectures specialized to secure each public cloud will place the onus on security teams to seek out the solutions that work best for them. Enterprises will evaluate tools from CSPs such as cloud firewall point solutions, but will increasingly look for architectures that can centralize their cloud security policy definitions, enforcements, and remediations. Only when cyber prevention is delivered from one central platform can cyber defense be applied to all workloads—not just a few selective ones. 5. CIOs' willingness to hedge their bets across AWS, Azure, and GCP will dictate the implementation of security tools that can span multiclouds. When it comes to vendor best practices, CIOs are looking to diversify their cloud infrastructure portfolios. Doing so allows them to reduce reliance on a single vendor, integrate infrastructure inherited from mergers and acquisitions, and leverage best of breed services from different public clouds such as Google Cloud BigQuery for data analytics, AWS for mobile apps, and Oracle Cloud for ERP. Fig. AWS shared responsibility framework for protecting cloud resources. [SOURCE] Every cloud vendor preaches the notion of “shared responsibility” when it comes to cybersecurity, placing the onus on the customer to implement a security infrastructure for their cloud resources. Savvy IT shops will ensure that they pick a cybersecurity platform that can support multiple public cloud environments. Customers can’t possibly entertain the idea of separate security tools for each public cloud—rather, they will standardize on one platform for all their needs. Deploying workloads in the public cloud is not a new trend in the corporate world, but the topic of cloud workload security continues to get hotter and hotter. While there are no clear answers yet, there are a few indications that customers will navigate towards in 2024. Namely, zero trust, as it provides immediate benefit in the near-term and a solid framework for cloud workload security into the future. Want to learn more about zero trust for cloud workloads? Click here for more Zscaler perspectives. This blog is part of a series of blogs that provide forward-facing statements into access and security in 2024. The next blog in this series covers Zero Trust predictions. Forward-Looking Statements This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2024 and our ability to capitalize on such market opportunities; anticipated benefits and increased market adoption of “as-a-service models” and Zero Trust architecture to combat cyberthreats; and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2024. Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at and on the SEC's website at Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law. Thu, 25 Jan 2024 08:00:02 -0800 Sakthi Chandra Zscaler Academy: Reflecting on 2023 and Soaring into 2024 2023 was a year of transformation and innovation for Zscaler Academy. We reimagined cybersecurity education, tailoring it to the evolving landscape of zero trust security. As we begin 2024, it's time to reflect on what we've achieved and show you what's on the horizon 2023: Building the Pillars of Zero Trust Learning New Training and Offerings: We revamped our curriculum, introducing the Zscaler for Users learning path and specializations in Data Protection, Cyberthreat Protection, and Workloads. Hands-on labs, live virtual training, and engaging workshops became the norm, bridging the gap between theory and practice. New Approach: We embraced a learner-centric approach, catering to diverse learning styles and preferences. Self-paced e-learning, interactive webinars, and immersive workshops offered flexibility and depth, empowering individuals at all levels. Certification: We evolved our certification program, aligning it with the latest zero trust advancements, and introduced an industry-standard third-party proctored certification exam. The Zscaler Digital Transformation Administrator (ZDTA) certification exam is the final step in the Zscaler for Users - Essentials learning path, and supports the journey of any security professional to validate their understanding of deploying and implementing the Zscaler Zero Trust Exchange platform. Roadshows and Virtual Training: We took Zscaler Academy on the road, hosting virtual and in-person events like Zscaler Training Roadshows and Virtual Training workshops around the globe. These interactive sessions fostered connections, knowledge sharing, and a sense of community among Zscaler users and partners A Year of Bridging the Cybersecurity Skills Gap Customers: We empowered customers to maximize the value of their Zscaler investments. Our training equipped administrators, security professionals, and end users with the skills to confidently navigate the Zero Trust Exchange. Partners: We supported our partners in their growth journey. The Partner Academy provided the knowledge and expertise needed to build successful Zscaler practices and deliver exceptional customer service. Workforce of the Future: We invested in the future by inspiring and equipping the next generation of cybersecurity professionals. Our initiatives are contributing to closing the cybersecurity skills gap, ensuring a talent pool prepared for the zero trust era through the Zscaler Academic Alliance Program. The New Charter Era: What Awaits in 2024 Micro-Learning and Micro-Credentials: We're embracing bite-sized learning, offering micro-credentials for specific skills. This agile approach will allow you to stay ahead of the curve and acquire targeted knowledge on the go. New Certifications: We'll be expanding our certification portfolio, introducing new paths that validate expertise in specific Zscaler solutions and emerging security domains. More Training Courses and Events: We'll continue to diversify our offerings, adding new training courses (like Ransomware Protection, Deception, Troubleshooting, and more), live workshops, and virtual events. Expect deeper dives into specific technologies, industry trends, and best practices. Personalized Learning: We're committed to personalization, utilizing data and insights to tailor learning recommendations and experiences to your individual needs and goals The Future Is Zero Trust, and Zscaler Academy Is Your Guide As we step into 2024, Zscaler Academy remains your trusted partner on your zero trust journey. We'll continue to innovate, adapt, and empower you with the knowledge and skills to thrive in the dynamic security landscape. Stay tuned for exciting announcements and updates! We're dedicated to making Zscaler Academy the leading destination for zero trust education, ensuring you're always prepared to secure your future in the age of zero trust. Join us in 2024! Let's keep learning, growing, and building a safer digital world together Wed, 24 Jan 2024 08:00:01 -0800 Prameet Chhabra Navigating the Intersection of Cybersecurity and AI: Key Predictions for 2024 This article also appeared in VentureBeat. Anticipating the future is a complex endeavor, however, I'm here to offer insights into potential trends that could shape the ever-evolving cybersecurity landscape in 2024. We engage with over 40% of Fortune 500 companies and I personally have conversations with thousands of CXOs each year which provides me a unique view into the possibilities that might impact the security landscape. Let's explore these potential trends and see what the future of cybersecurity might look like. 1. Generative AI will increase ransomware attacks: The utilization of GenAI technologies will expedite the identification of vulnerable targets, enabling cybercriminals to launch ransomware attacks with greater ease and sophistication. Before, when launching a cyberattack, hackers had to spend time to identify an organization's attack surface and potential vulnerabilities that can be exploited in internet-facing applications and services. However, with the advent of LLMs, the landscape has dramatically shifted. Now, a hacker can simply ask a straightforward question like, "Show me vulnerabilities for all firewalls for [a given organization] in a table format.” And the next command could be, “Build me exploit code for this firewall," and the task at hand becomes significantly easier. GenAI can also help identify vulnerabilities among your supply chain partners and optimal paths that are connected to your network. It's important to recognize that even if you strengthen your own estate, vulnerabilities may still exist through other entry points, potentially making them the easiest targets for attacks. The combination of social engineering exploits and GenAI technology will result in a surge of cyber breaches, characterized by enhanced quality, diversity, and quantity. This will create a feedback loop that facilitates iterative improvements, making these breaches even more sophisticated and challenging to mitigate. Defense Strategy: Using the Zscaler Zero Trust Exchange, customers can make their applications invisible to potential attackers, reducing the attack surface. If you can’t be reached, you can’t be breached. 2. AI will be used to fight AI: We will be witnessing a promising development where AI is being harnessed by security providers to combat the ever-evolving nature of AI-driven attacks. Enterprises generate a vast amount of logs containing signals that could indicate potential attacks. However, isolating these signals in a timely manner has been challenging due to signal-to-noise issues. With the advent of GenAI technologies, we now have the capability to identify potential avenues of attack more effectively. By leveraging GenAI, we can enhance triage and protection measures by understanding which vulnerabilities hackers are likely to exploit. Additionally, this technology enables us to detect attackers and exploits in near real-time. As a result, cloud security providers will develop AI-powered tools to proactively prevent potential areas of exploitation. In addition, with the advent of AI and ML tools, we have the capability to predict and identify potential vulnerabilities in an organization that are likely to be exploited. This will help reduce cyber breaches. Defense Strategy: Zscaler is building tools such as breach predictors that could predict and prevent breaches powered by communication logs. Before any breach happens there is always reconnaissance activity. Because Zscaler sits in the middle of all communications, we have visibility into potential threats. This allows us to understand if a hacker has infiltrated an enterprise, and if so, suggest steps to prevent a breach. 3. The rise of firewall-free enterprises: Organizations are coming to a realization that despite significant investments in firewalls and VPNs, their security posture remains vulnerable. They are understanding that a true Zero Trust architecture has to be implemented. Realizing the inherent security risks and false sense of security provided by firewall-based approaches, customers will move away from Firewall and VPN as their main security technology. Over the next few years, firewalls will become archaic like mainframes. Organizations are awakening to the need for a more comprehensive and effective cybersecurity strategy. The coming years will witness the significant acceleration in the adoption and implementation of Zero Trust architecture and the rise of "firewall-free enterprises.” This transformative shift represents a crucial inflection point in the cybersecurity landscape. Defense Strategy: This shift reflects a changing approach to cybersecurity, driven by the understanding that a firewall-centric approach is ineffective in safeguarding against evolving threats, prompting customers to seek true Zscaler Zero Trust solutions. 4. Broader adoption of Zero Trust segmentation: The number one cause of ransomware attacks is a flat network. Once hackers are on the network, they can easily move laterally and find high-value assets and encrypt them and ask for ransom. Organizations have been trying to implement network-based segmentation to eliminate lateral movement. I have talked to hundreds of CISOs but have yet to meet one who has successfully completed network-based segmentation or microsegmentation. It is too cumbersome to implement and operationalize. In 2023, hundreds of enterprises successfully implemented the initial phase of Zero Trust architecture. Moving into 2024, we anticipate a broader adoption of Zero Trust-based segmentation. This approach simplifies implementation so you don’t need to create network segments and you use Zero Trust technology to connect a certain group of applications to a certain group of applications. Defense Strategy: Zscaler offers Zero Trust segmentation in two areas: User-to-application segmentation Application-to-application segmentation 5. Zero Trust SD-WAN will start to replace traditional SD-WAN: SD-WAN has helped enterprises save money by using the internet—a cheaper transport. But SD-WANs have not improved security, as they allow lateral threat movement. Zero Trust SD-WAN doesn’t put users on the network, it simply makes a point-to-point connection between users and applications, hence eliminating lateral threat movement. This protects enterprises from ransomware attacks. Zero Trust SD-WAN will emerge as an important technology to provide highly reliable, highly secure and seamless connectivity. Zero Trust SD-WAN also reduces the overhead as enterprises no longer have to worry about managing route tables. Zero Trust SD-WAN makes every branch office like an internet cafe or a coffee shop, your employees can access any application without having to extend your network to every branch office. Defense Strategy: Zscaler offers a Zero Trust SD-WAN solution that is easy to implement with a Plug-n-Play appliance. 6. SEC regulations will drive far more active participation of Board members and CFOs for cyber risk reduction: Recognizing the damage that cyber breaches could cause to businesses, these key stakeholders will more actively engage in cybersecurity initiatives and decision-making processes. The increased involvement of CFOs and Boards of Directors in cybersecurity underscores the recognition that it is not solely a CIO or CISO’s responsibility, but a vital element of overall organizational resilience and risk management. Newly introduced SEC disclosure requirements will serve as a catalyst for boards to become more engaged in driving cybersecurity initiatives in their companies. More companies will require at least one board member with a strong background in cybersecurity. Defense Strategy: Through Zscaler Risk360, we provide a holistic risk score for an organization which highlights the contributing factors to your cyber risk and compares your risk score with your peers with trends over time. In addition, Zscaler has added SEC disclosure reports generated by GenAI, leveraging contributing factors that have been used to compute your company's risk score. Mon, 22 Jan 2024 15:31:59 -0800 Jay Chaudhry Bringing Zero Trust to Branches Over the past five years, the tech industry has undergone significant transformation. Among the myriad changes in how organizations approach technology to gain a competitive edge, three primary shifts have had profound impacts: Migration of apps from traditional data centers to the cloud (the rise of SaaS) Hybrid workforce models, where employees operate from both regional offices and remote locations Proliferation of IoT/OT devices in factories and branch offices Many enterprises are finding that limitations in their WAN infrastructure and gaps in network security impede their ability to deal with these three shifts. Traditional SD-WANs expand the attack surface and allow lateral threat movement. They connect various sites through site-to-site VPNs or routed overlays, establishing implicit trust that grants unrestricted access to critical business resources, even for compromised entities. Moreover, coarse-grained segmentation policies allow threats to move easily within the network. With the rising number of threats and the adoption of IoT/OT devices, which are often invisible to the network, organizations need to ensure their WAN infrastructure adheres to zero trust principles. Traditional WAN infrastructure consists of multiple point products such as routers, firewalls, and VPNs, which can add up to substantial management challenges. Hence, organizations undertaking branch transformation need a solution that follows a “thin branch, thick cloud” model to reduce management complexities. Zscaler Zero Trust SD-WAN securely connects branches, factories, and data centers without the complexity of VPNs, ensuring zero trust access for users, IoT/OT devices, and servers. Using Zero Trust SD-WAN, enterprises can build a thin branch that eliminates unnecessary devices with a simple plug-and-play appliance that can be deployed using only an internet connection. Figure 1: Traditional SD-WAN vs. Zero Trust SD-WAN Zero Trust SD-WAN eliminates business risk Unlike traditional SD-WANs that extend the network to remote sites, clouds, and third parties, Zero Trust SD-WAN connects users, IoT/OT devices, and applications to resources they are entitled to access, without using routed overlays. This creates a zero trust network that eliminates the attack surface and prevents lateral threat movement. Since all traffic is proxied through Zscaler Zero Trust Exchange, there are no publicly exposed IP addresses or VPN ports for hackers to compromise. A recent Zscaler ThreatLabz report revealed a 400% increase in IoT and OT-based malware attacks since 2022, underscoring the need for organizations to have greater visibility and security around IoT/OT devices deployed in their networks. Often overlooked and invisible, IoT/OT is not adequately addressed when administrators design security policies for branch users, but as the ThreatLabz report shows, these devices represent a significant threat vector. Zero Trust SD-WAN provides complete device visibility, giving organizations a detailed view of all their IoT/OT devices as well as insights into the applications with which they communicate. Moreover, administrators no longer need separate policies for users and devices since the same policies can be applied consistently to both. Figure 2: IoT device discovery and classification Many organizations have server-to-client communication use cases. For instance, a print server in a data center may need to issue a print command to a remote printer in branch location. With Zero Trust SD-WAN, organizations don’t have to worry about exposed service ports that a hacker could exploit to breach the network. All branch communication is proxied through Zero Trust Exchange, which stitches the connection between the print server and the remote printer. Extending zero trust security to all entities, such as users, IoT/OT devices, and servers, enhances overall security. Zero Trust SD-WAN replaces site-to-site VPNs Traditional SD-WANs connect sites (e.g., branches, factories, data centers) using IPsec VPN tunnels. Routed overlays allow any device to communicate with any other device, server, or app, ensuring reachability between users, devices, and apps—reachability that hackers can exploit to easily access other resources in the network. With Zero Trust SD-WAN, branch traffic is forwarded directly to the Zero Trust Exchange, where Zscaler Internet Access (ZIA) or Zscaler Private Access (ZPA) policies can be applied for full security inspection and identity-based access control. Zero Trust SD-WAN dramatically simplifies branch communication with a zero trust network overlay that allows for flexible forwarding and simple policy management. Figure 3: Site-to-site VPN replacement Zero Trust SD-WAN simplifies mergers and acquisitions Combining two separate businesses into one entity can provide enhanced efficiency, increased market presence, and other advantages. However, integrating new systems and routing domains into the existing environment can be a slow, painful process that takes many months to complete. With Zscaler, the entire M&A integration process can be far simpler and faster. Zero Trust SD-WAN communicates only to the Zero Trust Exchange, eliminating the need to merge routing domains between existing and acquired sites. By deploying Zero Trust SD-WAN at an acquired site, enterprises can steer traffic to Zero Trust Exchange, which brokers the connection from the other end for secure communication. This results in successful day-one operation and onboarding of new sites in a matter of just weeks, or even days. Figure 4: M&A integration How does this all work? Apps defined in the ZPA portal are assigned a synthetic IP address. Once a user initiates a connection to the new app using the synthetic IP, Zero Trust SD-WAN at that branch site sends traffic to the Zero Trust Exchange. In the acquired site, where the app is hosted, the App Connector (built into Zero Trust SD-WAN) initiates an inside-out connection to the Zero Trust Exchange. The Zero Trust Exchange brokers the connection from the user to the app. Conclusion Organizations need a networking solution that protects them from today’s growing cyberthreats, but traditional SD-WANs increase security risk and networking complexity. In contrast, Zero Trust SD-WAN brings zero trust principles to WANs by securely connecting users, IoT/OT devices, and servers. To enhance the security of branches, factories, and data centers, organizations must transition from traditional flat networks with implicit trust to zero trust networks. Adopting Zero Trust SD-WAN offers numerous benefits, such as mitigating cyber risk, lowering cost and complexity, enhancing business agility, and implementing a single-vendor SASE solution. For more information, please visit the Zscaler Zero Trust SD-WAN webpage. Mon, 22 Jan 2024 17:50:01 -0800 Karan Dagar Introducing Zero Trust SASE The evolution of work and IT Workplaces are rapidly evolving and hybrid work has become the new normal. Legacy network architectures were designed around a static model of work where users were in fixed locations. Today’s branches look very different — with hoteling desks, co-working spaces, a mobile workforce, and internet-centric connectivity. As branches evolve, so too must the networking infrastructure used to connect them — one size no longer fits all. Legacy networks introduce risk & complexity The traditional model of connectivity is very network-centric — users, devices and servers connect to a network, and the network assures access to every other device on the same network. This model has too much implicit trust — any device can talk to any other device or server by default, enabling the lateral movement of threats and attacks such as ransomware. Network-centric connectivity also requires extending the network into public clouds and third parties using VPN tunnels, which can expand your attack surface into infrastructure that you do not directly control. Along with the proliferation of IoT devices in organizations, attack surface management becomes increasingly complex. Relying on routed overlays and traditional routing protocols also introduces additional complexity into networks. Traditional SD-WAN is not zero trust SD-WANs also take a network-centric approach and build routed overlays using site-to-site VPN tunnels and routing protocols. While they allow organizations to move away from expensive MPLS networks and solve many operational challenges, they introduce security risks by facilitating lateral movement. Controlling these risks requires network-based segmentation, which often necessitates additional firewall appliances at the branch and complex network-based security policies. Zero trust is a cybersecurity strategy that assumes every entity is untrusted by default — and only allows access to certain resources based on identity, context, and posture. This is fundamentally opposed to the way traditional networks work. We could limit the trust inherent in traditional networks through techniques like segmentation and admission control, but these approaches can dramatically increase complexity. It’s time for a new approach — built on zero trust principles. Introducing Zero Trust SD-WANI previously announced our Branch Connector appliances for connecting branches through the Zero Trust Exchange. Today I am excited to announce Zero Trust SD-WAN — an industry-first zero trust solution for securely connecting branches, factories, hospitals, retail locations, and data centers — that eliminates the security risks of traditional SD-WANs. Using lightweight virtual machines or plug & play appliances coupled with the Zscaler Zero Trust Exchange, Zero Trust SD-WAN provides secure inbound and outbound zero trust networking for locations, without overlay routing, additional firewall appliances or policy inconsistencies. Fully integrated with our industry-leading SSE platform, Zero Trust SD-WAN enables robust security and simplifies branch network management.We are also pleased to announce general availability of our Z-Connector plug & play appliances — ZT 400, ZT 600 and ZT 800. Along with a lightweight virtual machine form factor, these appliances can support a wide range of customer requirements, ranging from 200 Mbps to multi-gigabit. With pre-provisioned config templates and zero touch provisioning, deploying a new branch can be as simple as plugging in an internet connection. New gateway capabilities The Zero Trust SD-WAN solution can be deployed in two modes: as a Forwarder, or as a Gateway. The Forwarder mode enables customers with existing WAN solutions to implement a zero trust overlay by deploying Z-connector appliances next to their existing routers and switches. Relevant traffic can be directed to the Z-connector appliances through conditional DNS resolution or policy-based routing. The Gateway mode terminates the ISP connection directly on the Z-Connector appliance, eliminating the need for additional routers or firewalls. The Z-connector acts as the default gateway for the site, forwarding all traffic to the Zscaler Zero Trust Exchange which provides secure connectivity to internet, SaaS, and private applications. Gateway mode supports rich WAN and LAN management capabilities, including dual ISP termination, app-aware path selection with ISP monitoring, high availability (active-active, active-passive), multiple LAN subnets, local firewall, integrated DHCP server, and DNS gateway. Zero Trust SD-WAN gateway capabilities will be available starting February 2024. Zero Trust SD-WAN reduces complexity and risk Zero Trust SD-WAN solves many critical challenges for our customers. Here are a few key use cases: Replace site-to-site VPNs: Avoid complex VPN configurations and route table management and eliminate the risk of lateral threat movement. Accelerate M&A integrations: Connect users to apps across organizations without merging routing domains or deploying NAT gateways. Reduce integration time from months to days. Secure OT connectivity: Eliminate VPNs and exposed ports for vendor remote access to OT resources. IoT discovery & classification: Discover and secure IoT devices on the network with AI-powered classification engines To learn more about these use cases, read our blog on bringing zero trust to branches. Industry-first SASE platform built on zero trustSecure Access Service Edge (SASE) is a term coined by Gartner to describe the convergence of networking and security to align with modern IT infrastructure and working patterns. While SASE embraces zero trust principles, many SASE solutions in the market simply bolt on traditional SD-WAN to an SSE service, with zero trust principles limited to user-to-app access. This still leaves sites exposed with too much implicit trust.With the introduction of Zero Trust SD-WAN, Zscaler is proud to deliver the industry’s first single vendor SASE platform built on zero trust and AI. Zero Trust SASE enables organizations to extend zero trust beyond just users, to branches, factories and data centers. Building on the strengths of our SSE platform — the Zero Trust Exchange — Zero Trust SASE reduces cost and complexity by eliminating traditional security and networking solutions.Transform your branch networks Legacy WAN architectures no longer work. The industry-wise disruptions around hybrid work and zero trust security present a unique opportunity to rethink and transform your network architecture. Zero Trust SD-WAN and SASE take a radically different approach to connecting users, devices, and apps without the risk of lateral threat movement. Visit our SASE resources page for additional product information, white papers and videos and read more about our Zero Trust SD-WAN capabilities here. Mon, 22 Jan 2024 17:50:01 -0800 Naresh Kumar How Zscaler’s Dynamic User Risk Scoring Works Access control policies aim to balance security and end user productivity, yet often fall short due to their static nature and limited ability to adapt to evolving threats. But what if there was an easy way to automate access control per user, considering individual risk factors and staying up-to-date with the latest advanced attacks? Zscaler User Risk Scoring takes dynamic access control and risk visibility to the next level using records of previous behavior to determine future risk. Similar to how insurance companies use driving records to determine car insurance rates, or banks use credit scores to assess loan eligibility, user risk scoring leverages previous behavior records to assign risk scores to individual users. This allows organizations to set dynamic access control policies based on various risk factors, accounting for the latest threat intelligence. User risk scoring empowers organizations to restrict access to sensitive applications for users with a high risk score until their risk profile improves. By considering factors such as past victimization by cyberattacks, near-misses with malicious content, or engagement in behavior that could lead to a breach, organizations can ensure that access control policies are tailored to individual risk profiles. Organizations can set user risk thresholds to allow or deny access to both private and public application How does user risk scoring work? User risk scoring plays a crucial role across the Zscaler platform, driving policies for URL filtering, firewall rules, data loss prevention (DLP), browser isolation, and Zscaler Private Access (ZPA); and feeding into overall risk visibility in Zscaler Risk360. By leveraging user risk scores within each of these security controls, organizations can better protect all incoming and outgoing traffic from potential threats. URL filtering rules are one way that risk scoring can be applied to policies within Zscaler Internet Access (ZIA) The risk scoring process consists of two components: the static (baseline) risk score and the real-time risk score. The static risk score is established based on a one-week lookback at risky behavior and is updated every 24 hours. The real-time risk score modifies this baseline every 2 minutes throughout the day, updating whenever a user interacts with known or suspected malicious content. Each day at midnight, the real-time risk score is reset. Zscaler considers more than 65 indicators that influence the overall risk score. These indicators fall into three major categories: pre-infection behavior, post-infection behavior, and more general suspicious behavior. The model accounts for the fact that not all incidents are equal; each indicator has a variable contribution to the risk score based on the severity and frequency of the associated threat. Pre-infection behavior indicators encompass a range of blocked actions that would have led to user infection, such as blocked malware, known and suspected malicious URLs, phishing sites, pages with browser exploits, and more. Post-infection behavior indicators include things like detected botnet traffic or command-and-control traffic, which show that a user/device has already been compromised. Suspicious behavior indicators are similar to pre-infection indicators but are less severe (and less guaranteed to lead to infection), covering policy violations and risky activities like browsing deny-listed URLs, DLP compliance violations, anonymizing sites, and more. *A more detailed sampling of these indicators is included at the bottom of this article. How can Zscaler customers use risk scoring? User risk scores can be found in the the analytics and policy administration menus of both Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). They are also woven together with a range of additional inputs in Zscaler Risk360, which allows security teams to delve deeper into their organization’s holistic risk. Organizations can monitor risk scores for individuals and for the overall organization Zscaler also has deep integrations with many leading security operations tools, allowing the same telemetry and incident alert context that feeds into risk scoring to be shared with tools like SIEM, SOAR, and XDR via a REST API to streamline workflows. These scores can be used to: Drive access control policies User risk scoring gives network and security teams a powerful tool to use to drive low-maintenance zero trust access control policies, controlling both incoming and outgoing internet and application traffic. It can be combined with other dynamic rulesets (e.g., device posture profiles) and static rulesets (e.g., URL and DNS filtering and app control policy) to protect organizations from breaches without unnecessarily restricting user productivity. User risk, device posture, and other access policies work together seamlessly to optimize secure access Monitor overall organizational risk and key factors that can be improved Admins can monitor their company risk over time to assess the top areas of overall company risk and prioritize remediation efforts. They can see how risk scores are distributed across users and locations, and can benchmark their risk score against other companies in their industry. Company risk scores can be analyzed over time against industry benchmarks Monitor risky users on an individual basis and understand how (and why) their risk is trending If a user’s risk score spikes, admins can take action, whether that be isolating that user’s machine to deal with an active threat, or simply training a user that certain behaviors are posing an unacceptable risk. Admins can analyze individual users and double-click into specific incidents Overall, Zscaler User Risk Scoring, with its categorization of threats and aggregation of logs, offers valuable insights into an organization's security posture. By understanding the different types of risks and behaviors associated with cyberthreats, organizations can implement dynamic access control policies and proactively protect their critical assets and data. With risk scoring, organizations can navigate the ever-changing threat landscape with confidence. To learn about more of Zscaler’s unique inline security capabilities, check out our Cyberthreat Protection page. Sample Indicators for User Risk Scoring · Pre-infection behavior includes a range of blocked actions that would have likely led a user to be infected, such as: o Malware blocked by Zscaler’s Advanced Threat Protection or inline Sandbox o Blocked known and suspected malicious URLs o Blocked websites with known and suspected phishing content o Blocked pages with known browser exploits o Blocked known and suspected adware and spyware o Blocked pages with a high PageRisk score o Quarantined pages o Blocked files with known vulnerabilities o Blocked emails containing viruses o Detected mobile app vulnerabilities · Post-infection behavior includes a range of blocked actions that were attempted after a user was infected, such as: o Botnet traffic o Command-and-control traffic · Suspicious behavior includes policy violations and other risky sites, files, and conditions that could lead to infection, such as: o Deny-listed URLs o DLP compliance violations o Pages with known dangerous ActiveX controls o Pages vulnerable to cross-site scripting attacks o Possible browser cookie theft o Internet Relay Chat (IRC) tunneling use o Anonymizing sites o Blocks or warnings from secure browsing about an outdated/disallowed component o Peer-to-peer (P2P) site denials o Webspam sites o Attempts to browse blocked URL categories o Mobile app issues included denial of the mobile app, insecure user credentials, location information leaks, personally identifiable information (PII), information identifying the device, or communication with unknown servers o Tunnel blocks o Fake proxy authentication o SMTP (email) issues including rejected password-encrypted attachments, unscannable attachments, detected or suspected spam, rejected recipients, DLP blocks or quarantines, or blocked attachments o IPS blocks of cryptomining & blockchain traffic o Reputation-based blocks of suspected adware/spyware sites o Disallowed use of a DNS-over-HTTPS sit Fri, 19 Jan 2024 05:00:01 -0800 Mark Brozek It’s Time for Zero Trust SASE The workplace has changed for good. According to a recent Gallup poll, 50% of US employees are working in hybrid mode and only 20% are entirely on-site. Another forecast analysis from Gartner projected hybrid work being the norm for almost 40% of global knowledge workers by the end of 2023. Branch offices no longer look the same, and more and more organizations are moving to a cafe-like model for their workplaces. Combined with the shift to cloud and SaaS, this is driving fundamental shifts in IT infrastructure. The way we design, build, and secure our networks needs to evolve to support this new normal. One size does not fit all The old network-centric model of connectivity and security presents challenges when users and apps are everywhere. Trying to shoehorn traditional firewall/VPN-based security into an increasingly fuzzy and complex network environment has only resulted in more cost, complexity, and risk. Cyberattacks keep rising despite the increasing spend on firewalls, fueling threats such as ransomware. According to Zscaler ThreatLabz, ransomware attacks increased almost 40% between 2022 and 2023, with the average demand being $5.3M. The current generation of networking technologies was designed to solve problems from 30 years ago, when IT systems couldn’t talk to each other. It’s no surprise that we ended up with a networking stack designed to maximize connectivity and reachability between users and computing systems globally. While this has unlocked vast amounts of productivity gains and business value, it has come at the expense of cyber risk. An attacker needs to find just one entry point anywhere in the organization and can move laterally from there to access critical crown jewel applications and data. With an attack surface spanning branches, retail locations, clouds, remote users, and partners, securing traditional network infrastructure has become a complex and costly endeavor. Zero trust is disrupting networking Zero trust is a cybersecurity strategy that shifts the focus from networks to entities—users, devices, apps, and services. It asserts that no entity should be trusted by default and should only be explicitly allowed to access certain resources based on identity, context, and security posture, and then continuously reassessed for every new connection. Traditional networking does not lend itself to the zero trust model since it confers implicit trust—once you’re on the network, you can go anywhere and talk to any entity. Network architects can limit the amount of trust and the extent of lateral movement by segmenting the network, but this is complex and difficult to manage—it’s like building a superhighway system and adding checkpoints at every ramp and interchange. Zero trust networking is an opportunity to fundamentally rethink the way we build enterprise networks. Instead of starting with fully trusted routed overlays, we need to start with a zero trust foundation and then connect entities into an exchange that can broker connections as needed based on context and security posture. Figure: Zero Trust Architecture Traditional SD-WAN is not zero trust Traditional SD-WAN arrived on the scene over a decade ago and was meant to give organizations an alternative to expensive MPLS WAN services. Using multiple ISP connections and active path monitoring, SD-WANs drastically improved the overall reliability and performance of internet connections and offered organizations the confidence that mission-critical apps can work over the internet. Fast-forward a decade and through a global pandemic, and we no longer need to prove that the internet is fast and reliable enough to run enterprise apps. Gigabit fiber connections are readily available and most SaaS apps are optimized to be consumed over the internet. SD-WAN needs to solve different problems today—like ensuring a consistent experience and security for users between home and office, securing IoT device traffic and extending zero trust security to all sites, without the use of additional firewall/VPN appliances. Secure Access Service Edge (SASE) Gartner coined the term SASE in 2019 to describe the convergence of security and networking, delivered from a common cloud native platform that is better aligned with modern traffic flows. SASE is widely understood to be a combination of security services such as FWaaS, SWG, CASB, DLP, and connectivity services such as ZTNA and SD-WAN, delivered from the cloud. The shift to SASE represents an opportunity to rethink and rebuild security services from the ground up for cloud scale. Yet many SASE solutions simply extend the firewall/VPN model to the cloud and deliver a hosted version of the traditional security appliances. With bolted-on SD-WAN integrations, these solutions fail to deliver the promise of zero trust for anything beyond users. A better way Zscaler pioneered zero trust security for remote users and eliminated clunky remote-access VPNs, reducing cyber risk for thousands of organizations globally. We built an industry-leading AI-powered SSE platform that has been a leader in the Gartner Magic Quadrant for SSE two years in a row. Now, we’re excited to bring the same zero trust security to branches, factories, retail stores, and data centers. Join us on January 23 as we announce our industry-first SD-WAN innovations that help you transform your security and networking architecture with a Zero Trust SASE platform built on zero trust AI. Hear from your industry peers about their transformation journeys and the benefits they realized. Register now and save your spot! Tue, 16 Jan 2024 16:39:35 -0800 Ameet Naik The Mythical LLM-Month It’s clear: 2023 was the year of AI. Beginning with the release of ChatGPT, it was a technological revolution. What began as interacting agents quickly started moving to indexing documents (RAG), and now, indexing documents, connecting to data sources, and enabling data analysis with a simple sentence. With the success of ChatGPT, a lot of people promised last year to deliver large language models (LLMs) soon … and very few of those promises have been fulfilled. Some of the important reasons for that are: We are building AI agents, not LLMs People are treating the problem as a research problem, not an engineering problem Bad data In this blog, we’ll examine the role of AI agents as a way to link LLMs with backend systems. Then, we'll look at how the use of intuitive, interactive semantics to comprehend user intent is setting up AI agents as the next generation of user interface and user experience (UI/UX). Finally, with upcoming AI agents in software, we’ll talk about why we need to bring back some principles of software engineering that people seem to have forgotten in the past few months. I Want a Pizza in 20 Minutes LLMs offer a more intuitive, streamlined approach to UI/UX interactions compared to traditional point-and-click methods. To illustrate this, suppose you want to order a “gourmet margherita pizza delivered in 20 minutes” through a food delivery app. This seemingly straightforward request can trigger a series of complex interactions in the app, potentially spanning several minutes of interactions using normal UI/UX. For example, you would probably have to choose the "Pizza" category, search for a restaurant with appetizing pictures, check if they have margherita pizza, and then find out whether they can deliver quickly enough—as well as backtrack if any of your criteria aren’t met. This flowchart expresses the interaction with the app. We Need More than LLMs LLMs are AI models trained on vast amounts of textual data, enabling them to understand and generate remarkably accurate human-like language. Models such as OpenAI's GPT-3 have demonstrated exceptional abilities in natural language processing, text completion, and even generating coherent and contextually relevant responses. Although more recent LLMs can do data analysis, summary, and representation, the ability to connect external data sources, algorithms, and specialized interfaces to an LLM gives it even more flexibility. This can enable it to perform tasks that involve analysis of domain-specific real-time data, as well as open the door to tasks not yet possible with today’s LLMs. This “pizza” example illustrates the complexity of natural language processing (NLP) techniques. Even this relatively simple request necessitates connecting with multiple backend systems, such as databases of restaurants, inventory management systems, delivery tracking systems, and more. Each of these connections contributes to the successful execution of the order. Furthermore, the connections required may vary depending on the request. The more flexibility you want the system to understand and recognize, the more connections to different backend systems will need to be made. This flexibility and adaptability in establishing connections is crucial to accommodate diverse customer requests and ensure a seamless experience AI Agents LLMs serve as the foundation for AI agents. To respond to a diverse range of queries, an AI agent leverages an LLM in conjunction with several integral auxiliary components: The agent core uses the LLM and orchestrates the agent's overall functionality. The memory module enables the agent to make context-aware decisions. The planner formulates the agent’s course of action based on the tools at hand. Various tools and resources support specific domains, enabling the AI agent to effectively process data, reason, and generate appropriate responses. The set of tools include data sources, algorithms, and visualizations (or UI interactions). Agent core The agent core is the “brain” of the AI agent, managing decision-making, communication, and coordination of modules and subsystems to help the agent operate seamlessly and interact efficiently with its environment or tasks. The agent core receives inputs, processes them, and generates actions or responses. It also maintains a representation of the agent's knowledge, beliefs, and intentions to guide its reasoning and behavior. Finally, the core oversees the update and retrieval of information from the agent's memory to help it make relevant, context-based decisions Memory The memory module encompasses history memory and context memory components, which store and manage data the AI agent can use to simultaneously apply past experiences and current context to inform its decision-making. History memory stores records of previous inputs, outputs, and outcomes. These records let the agent learn from past interactions and gain insights into effective strategies and patterns that help it make better-informed decisions and avoid repeating mistakes. Context memory, meanwhile, enables the agent to interpret and respond appropriately to the specific, current circumstances using information about the environment, the user's preferences or intentions, and many other contextual factors Planner The planner component analyzes the state of the agent’s environment, constraints, and factors such as goals, objectives, resources, rules, and dependencies to determine the most effective steps to achieve the desired outcome. Here’s an example of a prompt template the planner could use, according to Nvidia: GENERAL INSTRUCTIONS You are a domain expert. Your task is to break down a complex question into simpler sub-parts. If you cannot answer the question, request a helper or use a tool. Fill with Nil where no tool or helper is required. AVAILABLE TOOLS - Search Tool - Math Tool CONTEXTUAL INFORMATION <information from Memory to help LLM to figure out the context around question> USER QUESTION “How to order a margherita pizza in 20 min in my app?” ANSWER FORMAT {"sub-questions":["<FILL>"]} Using this, the planner could generate a plan to serve as a roadmap for the agent's actions, enabling it to navigate complex problems and strategically accomplish its goals Tools Various other tools help the AI agent perform specific tasks or functions. For example: Retrieval-augmented generation (RAG) tools enable the agent to retrieve and use knowledge base content to generate coherent, contextually appropriate responses. Database connections allow the AI agent to query and retrieve relevant information from structured data sources to inform decisions or responses. Natural language processing (NLP) libraries offer text tokenization, named entity recognition, sentiment analysis, language modeling, and other functionality. Machine learning (ML) frameworks enable the agent to leverage ML techniques such as supervised, unsupervised, or reinforcement learning to enhance its capabilities. Visualization tools help the agent represent and interpret data or outputs visually, and can help the agent understand and analyze patterns, relationships, or trends in the data. Simulation environments provide a virtual environment where the agent can sharpen its skills, test strategies, and evaluate potential outcomes without affecting the real world. Monitoring and logging frameworks facilitate the tracking and recording of agent activities, performance metrics, or system events to help evaluate the agent's behavior, identify potential issues or anomalies, and support debugging and analysis. Data preprocessing tools use techniques like data cleaning, normalization, feature selection, and dimensionality reduction to ensure raw data is relevant and high-quality before the agent ingests it. Evaluation frameworks provide methodologies and metrics that enable the agent to measure its successes, compare approaches, and iterate on its capabilities. These and other tools empower AI agents with functionality and resources to perform specific tasks, process data, make informed decisions, and enhance their overall capabilities Adding LLM-based Intelligent Agents to Your Data Is an Engineering Problem, Not a Research Problem People realized that natural language can make it much easier and forgiving (not to say relaxed) to specify use cases required for software development. Because the English language can be ambiguous and imprecise, this is leading to a new problem in software development, where systems are not well specified or understood. Fred Brooks outlined many central software engineering principles in his 1975 book The Mythical Man-Month, some of which people seem to have forgotten during the LLM rush. For instance: No silver bullet. This is the first principle people have forgotten with LLMs. They believe LLMs are the silver bullet that will eliminate the need for proper software engineering practices. The second-system effect. LLM-based systems are being considered a second system because people treat LLMs as so powerful that they can forget LLM limitations. The tendency toward an irreducible number of errors. Even if you get the LLM implementation correct, LLMs can hallucinate or even expose additional errors that have been hidden because of lack of a way to exercise the backend in ways we have not been able to in the past. Progress tracking. I remember the first thing I heard from Brooks’ book was, “How does a project get to be a year late? One day at a time.” I have seen people assuming that if they sweep problems under the rug they will disappear. Machine learning models, and LLMs in particular, inherit the same problems of ill-designed systems with the addition of amplification of bad data, which we will describe later. Conceptual integrity. This problem has shifted from designing the use cases (or user stories) so that they show the conceptual integrity of the entire system to saying the LLM will bind any inconsistencies in the software magically. For example, if you want to have a user story that solves the order of a food app “I want to order a gourmet margherita pizza in 20 min”, by changing the question to: Can I get a gourmet margherita pizza delivered in 20 minutes? Show me all pizza places that can deliver a gourmet margherita pizza in 20 minutes. Show me all pizza places that can deliver a gourmet margherita pizza in 20 minutes ranked by user preference. We can easily see that different types of data, algorithms, and visualizations are required to address this problem. The manual and formal documents. Thanks to hype, this is probably the most forgotten principle in the age of LLMs. It’s not enough to say “develop a system that will tell me how to order things like a gourmet margherita pizza in 20 minutes.” This requires documentation of a whole array of other use cases, required backend systems, new types of visualizations to be created, and—crucially—specifications of what the system will not do. “Things like” seems to have become a norm in LLM software development, as if an LLM can magically connect to backend systems and visualize data it has never learned to understand. The pilot system. Because of these limitations, software systems with LLM based intelligent agents have not left the pilot stage in several companies simply because they are not able to reason beyond simple questions used as “example of use cases.” In a recent paper, we addressed the first issue of lack of proper specification of software systems, and showed a way we can create formal specifications for LLM-based intelligent systems, in a way that they can follow sound software engineering principles Bad Data In a recent post on LinkedIn, we described the importance of “librarians” to LLM-based intelligent agents. (Apparently, this post was misunderstood, as several teachers and actual librarians liked the post.) We were referring to the need to use more formal data organization and writing methodologies to ensure LLM-based intelligent agents work. The cloud fulfilled its promise of not requiring us to delete data, just letting us store it. With this came the pressure to quickly create user documentation. This created a “data dump,” where old data lives with new data, where old specifications that were never implemented are still alive, where outdated descriptions of system functionalities persist, having never been updated in the documentation. Finally, documents seem to have forgotten what a “topic sentence” is. LLM-based systems expect documentation to have well-written text, as recently shown when OpenAI stated that it is “impossible” to train AI without using copyrighted works. This alludes not only to the fact that we need a tremendous amount of text to train these models, but also that good quality text is required. This becomes even more important if you use RAG-based technologies. In RAG, we index document chunks (for example, using embedding technologies in vector databases), and whenever a user asks a question, we return the top ranking documents to a generator LLM that in turn composes the answer. Needless to say, RAG technology requires well-written indexed text to generate the answers. RAG pipeline, according to Conclusions We have shown that there is an explosion of LLM-based promises in the field. Very few are coming to fruition. It is time that in order to build AI intelligent systems we need to consider we are building complex software engineering systems, not prototypes. LLM-based intelligent systems bring another level of complexity to system design. We need to consider up to what extent we need to specify and test such systems properly, and we need to treat data as a first-class citizen, as these intelligent systems are much more susceptible to bad data than other systems Tue, 16 Jan 2024 19:14:07 -0800 Claudionor Coelho Jr. Unleashing the Power of Zscaler's Unparalleled SaaS Security Zscaler has made great strides in securing organizations across the board, solving real customer use cases such as protecting against ransomware, AI security, and securing data everywhere. One area that has received a lot of attention is SaaS security. Recently, Forresters released its latest Wave report for SaaS Security Posture Management, naming Zscaler as the only Leader in this category. The report puts a heavy emphasis on use cases that span beyond posture management such as app governance, shadow IT, identity access controls, advanced data protection, and more. Zscaler achieved the strongest position, achieving a perfect score in 7 out of the 12 categories. You can get your copy of the Forrester Wave here. As organizations increasingly adopt numerous SaaS-based services, there is a growing need for a comprehensive, fully integrated data security solution that covers all channels, including web, business and personal applications, public cloud data, endpoints, and email. Platforms provide multiple benefits, such as centralized policy creation, that reduces complexity and costs inherent in point vendor solutions. Solving Today’s Key SaaS Security Challenges Many organizations use multiple point solutions, which can create issues and headaches for IT and security teams. Here are some of the top use cases that are drive SaaS Security: Identity Management and Access Control To prevent leaks, data manipulation, and insider threats, users must be authenticated and authorized in line with zero trust principles for least-privileged access, including role-based access control and continuous monitoring. Effective anti-phishing measures are also critical. Identity and access issues mostly often stem from: Weak or compromised identity and access management (IAM) A lack of multifactor authentication (MFA) beyond single sign-on (SSO) Inadequate or misconfigured access controls Lack of Standardization Inconsistent security policies and procedures across SaaS providers can create challenges for security teams around consistent controls and enforcement, leading to a weaker posture, potential enforcement gaps, vulnerabilities, and even data corruption. Some of the major contributors to increased risk in this area include: Interoperability and integration issues between cloud providers Data transfers between environments Regulatory compliance challenges Data Residency and Governance Complying with industry and government data protection regulations can be complex when SaaS providers run widely distributed operations. It’s critical to understand how a given SaaS provider aligns with your organization’s compliance requirements, as well as to implement effective data encryption and access controls for data in transit and at rest. Common residency and governance issues arise from: Sovereignty and residency regulations (e.g., GDPR) Shared responsibilities between the customer and SaaS provider Unsanctioned apps (shadow IT) putting data outside the IT function’s purview To mitigate these risks, organizations should conduct thorough risk assessments, implement robust security policies and controls, regularly monitor SaaS applications for vulnerabilities, and stay up to date with security best practices. Furthermore, integrated solutions provide greater efficacy and context. Securing SaaS Platforms Requires Context The Power of Context In the realm of security, it’s essential to understand that it’s a matter of layers. These layers often converge, such as in the case of SSPM and data security. However, to truly grasp the significance of these layers, you need context. The ability to combine and analyze information from various security layers gives organizations a comprehensive understanding of their security posture and potential vulnerabilities. A Comprehensive, Unified Solution: Zscaler Data Protection brings together all the necessary components and functionality required for robust SaaS security. From access control and connectivity to SaaS and cloud integrations, our solution covers every aspect of securing your SaaS applications. Enhanced Data and Threat Security: With Zscaler, organizations can rest assured that their sensitive data is protected. Our platform offers robust data security measures, to ensure sensitive information remains secure and compliant with industry regulations. Furthermore, our threat security functionality helps identify and mitigate potential threats, safeguarding your SaaS applications from malicious attacks. Contextual Understanding for Effective Security: The power of our Advanced SSPM lies in its ability to combine and analyze information from various security layers. By providing a comprehensive context, organizations can make informed decisions and implement security measures that address their specific needs and vulnerabilities. Zscaler Advanced SSPM for SaaS Security We have invested substantial efforts in developing and expanding our solutions to meet the evolving landscape of SaaS security. For instance, our acquisition of Canonic in 2023, now known as AppTotal, lets Zscaler better help your organization detect and secure risky third-party app integrations into SaaS. This functionality was highlighted in this year’s Forrester SSPM Wave. Our Advanced SSPM incorporates access control, connectivity, SaaS integrations, cloud integrations, and data and threat security functionalities. Our comprehensive approach ensures that organizations can leverage the full spectrum of security measures required for safeguarding their SaaS applications Ready to secure your SaaS Platforms? Zscaler's Advanced SSPM stands out from the crowd due to its unique combination of components, capabilities, and reach. With a holistic approach encompassing access control, connectivity, SaaS integrations, cloud integrations, and robust data and threat security functionality, our solution empowers organizations to achieve unparalleled security for their SaaS applications. By leveraging the power of context, Zscaler's Advanced SSPM enables organizations to make informed decisions and implement effective security measures. Trust Zscaler to unlock the true potential of your SaaS security and elevate your organization's overall security posture. To learn more about Zscaler’s Advanced SSPM and Data Protection offering, visit our website, register for our webinar, or reach out to us for a demo. Wed, 17 Jan 2024 00:01:01 -0800 Salah Nassar 4 Ways Enterprises Can Stop Encrypted Cyber Threats Want to uncover the 86% of cyber threats lurking in the shadows? Join our January 18th live event with Zscaler CISO Deepen Desai to learn how enterprises can stop encrypted attacks, as well as explore key cyber threat trends from ThreatLabz. In today's digital world, we’ve come to trust HTTPS as the standard for encrypting and protecting data as it flows across the internet — the reassuring lock icon in a browser’s icon bar assures us our data is safe. Organizations worldwide have rightfully recognized this protocol as an imperative for data security and digital privacy, and overall, 95% of internet-bound traffic is secured with HTTPS. But encryption is a double-edged sword. In the same way that encryption prevents cybercriminals from intercepting sensitive data, it also prevents enterprises from detecting cyber threats. As we revealed in our ThreatLabz 2023 State of Encrypted Attacks Report, more than 85% of cyber threats hide behind encrypted channels, including malware, data stealers, and phishing attacks. What’s more, many encrypted attacks use legitimate, trusted SaaS storage providers to host malicious payloads, making detection even more challenging. Encrypted channels are a major blindspot for any organization that is not performing SSL inspection today, enabling threat actors to launch hidden threats and exfiltrate sensitive data under cover of darkness. As threats advance and the number of malicious actors grows, these types of attacks continue to increase. ThreatLabz analyzed more than 29 billion blocked threats over the Zscaler Zero Trust Exchange from September 2022 to October 2023, finding a 24.3% increase year over year, with a notable growth in phishing attacks and significant 297.1% and 290.5% growth for browser exploits and ad spyware sites, respectively. So, what can enterprises do to thwart encrypted attacks? The answer is simple: inspect all encrypted traffic. However, the reality of this task remains a huge challenge for most organizations. To fix the problem, we must first explore and understand why this is the case. A major enterprise blind spot: SSL/TLS Traffic As part of the 2023 State of Encrypted Attacks Report, ThreatLabz commissioned a separate third-party, vendor neutral survey of security, networking, and IT practitioners to better understand their challenges, goals, and experience with encrypted attacks. We found that 62% of organizations have experienced an uptick in encrypted threats — with the majority having experienced an attack, and 82% of those witnessing attacks over “trusted” channels. However, enterprises face numerous challenges that prevent them from scanning 100% of SSL/TLS traffic at scale — the antidote to encrypted threats. The most popular tools for SSL/TLS scanning include a mix of network firewalls (62%) and application-layer firewalls (59%). These tools come with challenges at scale, the survey found; the top barriers preventing enterprises from scanning 100% of encrypted traffic today include performance issues and poor user experience (42%), cost concerns (32%), and scalability issues with the current setup (31%). Notably, a further barrier for 20% of respondents is that traffic from trusted sites and applications is “assumed safe” — which, our research shows, is not the case. These issues point to challenges that are in contrast with enterprise inspection plans. While 65% of enterprises plan to increase rates of SSL/TLS inspection in the next year, 65% are also concerned that their current SSL/TLS inspection tools are not scalable or future-proofed to address advanced cyber threats. This finding echoes enterprises’ confidence in their security setups: just 30% of enterprises are "very" or "extremely" confident in their ability to stop advanced or sophisticated cyber threats. These findings suggest that while enterprises are well aware of the risk of encrypted attacks, encrypted channels remain a prominent blind spot to many organizations — and many attacks can simply pass through without detection. Shining a light on cyber threats lurking in encrypted traffic Threat actors are exploiting encrypted channels across multiple stages of the attack chain: from gaining initial entry through tools like VPN to establishing footholds with phishing attacks, to delivering malware and ransomware payloads, to moving laterally through domain controllers, to exfiltrating data, oftentimes using trusted SaaS storage providers and more. Knowing this, enterprises should include mechanisms in their security plans to stop encrypted threats and prevent data loss at each stage of the attack chain. Here are four approaches that enterprises can adopt to prevent encrypted attacks and keep their data, customers, and employees secured. Figure 1: stopping encrypted cyber threats across the attack chain 1. Inspect 100% of encrypted SSL/TLS traffic at scale with a zero trust, cloud-proxy architecture The key to an enterprise strategy to stop encrypted attacks starts with an ability to scan 100% of encrypted traffic and content at scale, with zero performance degradation — that’s step one. A zero trust architecture is an outstanding candidate for this task for a number of key reasons. Based on the principle of least privilege, this architecture brokers connections directly between users and applications — never the underlying network — based on identity, context, and business policies. Therefore, all encrypted traffic and content flows through this cloud-proxy architecture, with SSL/TLS inspection for every packet from every user on a per-user basis with infinite scale, regardless of how much bandwidth users consume. In addition to this, direct user-to-app and app-to-app connectivity make it substantially easier to segment application traffic to highly granular sets of users — eliminating lateral movement risk that is often the norm in traditional, flat networks. Meanwhile, a single policy set vastly simplifies the administrative process for enterprises. This is in contrast to application and network firewalls — themselves frequent targets of cyber attacks — which in practice translate to greater performance degradation, complexity, and cost at scale, while failing to achieve enterprise goals of 100% SSL/TLS inspection. In other words, stopping encrypted threats begins and ends with zero trust. 2. Minimize the enterprise attack surface All IP addresses, or internet-facing assets, are discoverable and vulnerable to threat actors — including enterprise applications and tools like VPNs and firewalls. Compromising these assets is the first step for cybercriminals to gain a foothold and move laterally across traditional networks to your valuable crown-jewel applications. Using a zero trust architecture, enterprises can hide these applications from the internet — placing them behind a cloud proxy so that they are only accessible to authenticated users who are authorized by business access policy. This simple fact empowers enterprises to immediately remove vast swaths of the external attack surface, prevent discovery by threat actors, and stop many encrypted attacks from ever happening in the first place. 3. Prevent initial compromise with inline threat prevention Enterprises have numerous tools at their disposal to stop encrypted threats, and here, a layered defense is the best one. Critically, these defenses should be inline — in the data path — so that security tools detect malicious payloads before delivery, rather than pass-through, out-of-band approaches as with many traditional technologies. There are a number of core technologies that should make up a best-practice defense. These include an inline sandbox with ML capabilities; in contrast, many traditional sandboxes assume patient-zero risk, an ML-driven sandbox at cloud scale allows companies to quarantine, block, and detonate suspicious files and zero-day threats immediately, in real time, without impacting business. Furthermore, technologies like cloud IPS, URL filtering, DNS filtering, and browser isolation — turning risky web content into a safe stream of pixels — combine to deliver enterprises what we would term advanced threat protection. While encrypted threats can pass by unnoticed by many enterprises, this type of layered, inline defense ensures that they won’t. 4. Stop data loss Stopping encrypted attacks doesn’t end with threat prevention; enterprises must also secure their data in motion to prevent cybercriminals from exfiltrating it. As mentioned, threat actors frequently use legitimate, trusted SaaS storage providers — and therefore “trusted” encrypted channels —to host malicious payloads and exfiltrated data. Without scanning their outbound SSL/TLS traffic and content inline, enterprises have little way to know this is happening. As with threat prevention, enterprises should also take a multi-layered approach to securing their data. As best practices, enterprises should look for functionality like inline DLP, which inspects SSL/TLS content across all data channels, like SaaS apps, endpoints, email, private apps, and even cloud posture. As a note, in addition to exact data match (EDM), Zscaler has taken an AI-driven approach to automatically discover and classify data across the enterprise, and these categories are used to inform DLP policy. Finally, CASB provides another critical layer of security, protecting inline data in motion and out-of-band data at rest. Diving deeper into encrypted attacks Of course, these best practices are the tip of the iceberg, when it comes to understanding and defending against the full range of encrypted attacks. For a deeper analysis of how enterprises can stop encrypted threats, as well as discover key trends in this dynamic landscape, be sure to register for our upcoming January 18th live webinar with CISO Deepen Desai. Moreover, to uncover our full findings, get your copy of the ThreatLabz 2023 State of Encrypted Attacks Report today. Fri, 12 Jan 2024 15:07:03 -0800 Will Seaton Hybrid Work and Zero Trust: Predictions for 2024 2023 was dubbed “the year of efficiency”. It saw many organizations work towards operational efficiencies in an effort to become nimbler. “More with less” was the mantra spoken by several C-level execs as they tightened their security posture while driving higher productivity. Moving into 2024, the proliferation of generative AI is expected to rapidly accelerate innovation, address inefficiencies, and boost productivity across the board. Such a focus on productivity has also kept the conversation around work-from-anywhere alive and well. From a productivity perspective, hybrid work continues to be the benchmark, allowing flexibility to hire talent from anywhere. Executives are finding the right balance between fully remote, in-office, and hybrid employees to maximize business efficiency. Irrespective of what every organization chooses to do going forward, finding the right balance between access and security is key for increasing and maintaining productivity. We at Zscaler have put together a list of the top predictions for 2024 when it comes to hybrid work trends: Return to office will peak Over the last few years, one question has echoed in everyone’s minds: What will the new workplace look like? 2023 saw many organizations test a hybrid work model, shifting away from a fully remote workforce. This trend is set to continue in 2024, with more and more companies fully embracing hybrid work, increasing the number of days to work from the office and collaborate. The KPMG CEO Outlook Survey found that 64% of leaders globally predict a full return to in-office work by 2026. Further research shows that in the US, 90% of companies intend to implement their return-to-office plans by the end of 2024, according to a report from Resume Builder. These trends will also see IT and security teams reaching for solutions that can support them while maintaining business growth Third party access requirements will grow With productivity and efficiency on the agenda for 2024, teams are extending their reach and skill sets beyond what’s available within the capacity of their full time employees. Namely, they’re hiring contractors to aid them in creating positive business outcomes. To do so, they need to adapt to working with remote contractors and have the tools and infrastructure in place to successfully manage staff along with the right level of security. Last year, a Linkedin study showed a higher growth in contract workers compared to full-time employees. This trend will continue into 2024 as organizations brace themselves for sudden changes in the market as well as their own bottom lines. These third-party users—contractors, vendors, or suppliers—will demand better access to business applications in order to be impactful. This level of fast, easy access to work will drive third-party productivity. Cyberattack risk will increase With workforces and applications becoming more dispersed, the attack surface has increased as well. Of course, bad actors have jumped on the opportunity, increasing their overall cyberattack output, including the recent social engineering attack in the entertainment and gaming industry. What’s more, generative AI has seen widespread organizational adoption, which, too, means more potential threat vectors. Bad actors are leveraging GenAI tools on their own time to discover vulnerabilities in critical sectors and add increased personalization to their attacks, resulting in a potential catastrophe for businesses of all industries through unwavering ransom demands. In addition, 2024 will see increased exploitation of legacy VPN and firewall infrastructure. The cost and complexity of maintaining physical devices that support VPNs, as well as patching their vulnerabilities, has left many IT teams in a rut of infrastructure maintenance rather than improvement. As such, IT teams are looking to amp up their security stack through the cloud to avoid and respond to threats. More mergers and acquisitions will take place Despite economic uncertainty and the current wave of geopolitical challenges, the outlook for M&A appears promising, per Nasdaq.The push to consolidate or divest in certain industries has driven M&A in the past year, and this momentum is expected to continue. Organizations will need to find ways to efficiently onboard new employees and give them application access to maximize productivity amid a merger or acquisition. Organizations that have implemented zero trust network access (ZTNA) have seen a 50% reduction in onboarding time for new employees. Additionally, they’re able to provide consistent access policies across both organizations without compromising security. VPNs will continue to lose fans Our 2023 VPN Risk report found that nearly 1 in 2 organizations experienced a VPN-related attack. This has been a strong reason to move away from legacy remote access solutions in favor of something more robust that can scale with the organization’s growth. With 92% of organizations considering, planning, or in the midst of a zero trust implementation in 2023, this trend will continue well into 2024. Reliance on VPNs will be reduced, and ZTNA will continue to gain traction due to its faster time to value. Indeed, a Zscaler customer reported a sub 48-hour implementation of Zscaler Private Access, effectively replacing their VPNs for remote employees. Organizations will adopt zero trust to better mitigate cyberattacks A zero trust architecture challenges threats by ensuring granular access control and multilayered network segmentation, delivering the best protection of organizations’ most critical data and communications. ZTNA is a ransomware deterrent, hiding crown jewel applications from the internet and making them virtually impossible to attack. n Gartner predicts that by 2025, at least 70% of new remote access deployments will be delivered predominantly via ZTNA as opposed to VPN services. Our 2023 VPN Risk Report suggests a continued growth in an understanding of risk by IT and security leaders as they continue their due diligence on effective zero trust solutions to replace legacy technologies Conclusion As workforces and applications become increasingly mobile, cloud security solutions offer the means of keeping them protected, without harming user experience. Amid a dynamic, evolving threat landscape, driven by artificial intelligence, the scale and agility offered through such solutions will help organizations better determine the right deployments for their needs.. Learn more about how you can protect your private apps and secure your hybrid workforce by leveraging Zscaler Private Access. This blog is part of a series of blogs that provide forward-facing statements into access and security in 2024. The next blog in this series covers SASE predictions. Forward-Looking Statements This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2024 and our ability to capitalize on such market opportunities; anticipated benefits and increased market adoption of “as-a-service models” and Zero Trust architecture to combat cyberthreats; and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2024. Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at and on the SEC's website at Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law. Thu, 11 Jan 2024 08:00:01 -0800 Kanishka Pandit Digital Experience Monitoring Predictions for 2024 In 2023, we’ve seen an increase in companies focused on maximizing growth as it relates to productivity and innovation. Employers were looking to optimize employee experiences and reduce costs in hopes of driving increased revenues. According to Great Place To Work, 2023 revenue per employee for Fortune 100 Best Companies increased by 7% YoY, up from 4% from 2022. Revenue per employee increased in 2023 To ensure great employee productivity, companies need secure and fast application and data access from home, hotels, airports, and the office. This is confirmed by Hyatt’s recent earnings where they saw a 2x increase as travel surged, compared to pandemic levels. These trends continue to push IT teams to support employees as they securely access SaaS, public, and private cloud applications, (e.g.,, SAP, Microsoft Office 365, ServiceNow) from anywhere. Globally distributed enterprise is today’s reality However, if organizations continue to leverage legacy network architectures that rely on VPNs and firewalls, they are more susceptible to attacks. These technologies expand an organization's attack surface as they place users directly on a routable network. In a recent VPN risk report, 45% of organizations confirmed experiencing at least one attack that exploited VPN vulnerabilities in the last year. Of those, one in three became victims of VPN-related ransomware attacks. Security does not have to be a tradeoff for fast and reliable access. In a recent post, we analyzed the last 12 months of conversations with hundreds of IT professionals about their employee experience and they reported similar findings; that they lack visibility into Wi-Fi and ISP networks. Their current tools struggle to consolidate device, network, and application details such as system processes, memory, CPU, network latencies, packet loss across network hops, and application response times (DNS, SSL handshake, HTTP/TCP connect). IT must secure and optimize experiences even when networks are out of their control. Businesses continue to rethink their digital transformation journey to ensure a flawless end user experience while securing users, workloads, and devices over any network, anywhere. As both travel and revenue per employee increases, employers are learning how to optimize costs and employee productivity across the board. As we kick off 2024, one thing is clear: understanding how employee experience can impact revenue as a driving force to increasing profits is key. To aid IT teams, organizations need a better path forward, one that is designed with security and optimized end user experience driven by actionable AI. As organizations look forward to 2024, three top digital experience monitoring trends emerge: Zero trust growth will require integrated digital experience monitoring (DEM) AIOps is a requirement, not a “nice to have,” to reduce mean time to resolution Reduce overall IT costs Zero trust growth will require integrated DEM As organizations look to secure their environments leveraging zero trust architectures, they need an integrated digital experience monitoring solution to ensure flawless end user experience no matter where they are located. As we found in our customer conversations, many organizations fail to gain insights into zero trust environments with existing monitoring solutions. They also lack full end-to-end visibility such as last-mile ISP and Wi-Fi insights. Adding to the complexity, managing and correlating data across multiple tools for device, network, and application is time-consuming and frustrating to the end user. Zero trust solutions must include DEM by simplifying deployment through a single agent that combines security and monitoring. Monitoring insights should include device metrics (CPU, memory, disk, network bandwidth), network metrics (hop-by-hop latencies, packet loss, jitter, MOS scores, DNS times), application response times (TCP Connect, SSL handshake, HTTP Connect, TTFB, TTLB times), with intuitive correlation to help service desk and network operations teams AIOps is a requirement, not a “nice to have,” to reduce mean time to resolution (MTTR) As we’ve seen in 2023, generative AI has completely changed the industry, and we’ve seen new applications emerge that create data at exponential rates. We are only scratching the surface of the potential with these apps. Much of this data may not be seen by humans. However, insights from this data could be critical for organizations. Organizations may access thousands of SaaS-based applications to create solutions (e.g., images, text, code) to increase productivity. As these applications become critical for organizations, they must ensure their availability. For example, talking to a manufacturing company, they shared how they leverage generative AI to decrease the time required to produce website content. They take hand-drawn images and upload them into a generative AI solution to create hundreds of images based on different scenarios. This typically takes months, but it now takes minutes and frees up their team to think more strategically. However, to gain efficiency, IT must play many roles regarding the security and availability of these applications. Beyond the guardrails required, IT must ensure employees have access to the tools the business needs, which adds to the cost and complexity. Monitoring these new SaaS applications wherever the user connects will keep employees productive. As organizations look to increase employee productivity, security, network, and service desk, teams must collaborate closely to ensure excellent end user experiences. Providing meaningful insights for all the IT teams requires relevant data. Zero trust monitoring solutions must have machine learning models based on years of data across millions of telemetry points to be effective. As data is collected, these models must adapt and learn based on end user feedback to efficiently identify the root cause of issues. There are three key areas IT teams need to consider: Proactively identify recurring issues before users are impacted. For example, if a certain Wi-Fi router shows repeated issues, network teams can work with service desk teams and end users to proactively replace Wi-Fi routers so end users continue to have great access. Empower service desk teams to either resolve issues or escalate with confidence. For example, if an end user complains about an SAP issue, the service desk team must know a potential root cause in seconds, and route it to the appropriate L3 team. They will need an intuitive AI solution to identify the issue in seconds and share those insights. Drive increased monitoring intelligence with continuous updates to machine learning models. Zero trust monitoring solutions must expand monitoring vantage points and collect new insights to aid IT teams. Reduce overall IT costs As we’ve seen in 2023, macroeconomics are forcing organizations to think about maximizing productivity and profits. In 2023, many organizations have started their journey to zero trust solutions, and are ready to embark on integrating their security and monitoring stacks. In 2024, we’ll see leaders at these organizations ask tough questions around monitoring zero trust environments without adding complexity to their IT architectures. This will set organizations apart, as ones that have the right zero trust architecture will have included monitoring as part of the journey. Not only will it provide better insights for network operations and service desk teams, it will lower overall IT costs. They will be able to retire siloed monitoring solutions to reduce costs and gain better insights. For example, if service desk, desktop, network, and application teams all leveraged the same monitoring solution, they could confidently provide IT leaders with key insights and remove finger pointing, which still occurs as teams hardly look at the same datasets. IT leaders will want a consolidated monitoring stack to answer the following questions: What’s the root cause of Zoom, Teams, and Webex call quality issues and how do I correlate it to the end user’s device, network, and application? We leverage VPNs for private applications and experience application slowness. How do I identify if it’s the device’s CPU or one of the hops in the network? My users blame security for application slowness. How can we quickly verify it’s not? As we saw in 2023, organizations want to leverage existing IT investments where possible. Apart from consolidating their monitoring silos, in 2024, organizations will want to leverage existing ticketing systems. To do so, zero trust monitoring solutions must take AI-powered insights and push them into where service desk and network operations teams live. For example, many organizations have ServiceNow workflows, and smart integrations will provide IT teams with key insights to resolve issues in minutes. Summary As IT teams start planning 2024, it's key to find digital experience monitoring solutions that effectively support the hybrid workforce, leverage AI-assistance, and drive overall IT lower costs. As you embark on your 2024 initiatives, consider Zscaler's Digital Experience monitoring solution. Please don't take our word for it. See what our customers are saying: “15 minutes to resolve user experience issues, down from 8 hours” Jeremy Bauer, Sr. Director Information Security, Molson Coors Beverage Company “Zscaler helps us identify the issues that need to be addressed before they cause disruption to AMN users, so we can ensure a seamless experience from anywhere.” Mani Masood, Head of Information Security, AMN Healthcare “When I open my computer, it doesn't matter if I'm in California, Arizona, Nevada, or across the globe, I get the same experience and the same level of protection.” David Petroski, Senior Infrastructure Architect, Southwest Gas Interested to learn more about ensuring great digital experiences in 2024? Click here for Zscaler’s perspectives. This blog is part of a series of blogs that look ahead to what 2024 will bring for key areas that organizations like yours will face. The next blog in this series covers hybrid work predictions for 2024. Forward-Looking Statements This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2024 and our ability to capitalize on such market opportunities; anticipated benefits and increased market adoption of “as-a-service models” and Zero Trust architecture to combat cyberthreats; and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2024. Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at and on the SEC's website at Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law. Tue, 09 Jan 2024 08:00:01 -0800 Rohit Goyal Data validation on production for unsupervised classification tasks using a golden dataset Abstract Have you ever been working on an unsupervised task and wondered, “How you I validate my algorithm at scale?” In unsupervised learning, in contrast to supervised learning, our validation set has to be manually created and checked by us, i.e. we will have to go through the classifications ourselves and measure the classification accuracy or some other scores. The problem with manual classification is the time, effort, and work that is required for classifications, but this is the easy part of the problem. Let’s assume that we developed an algorithm and tested it very well while manually passing on all the classifications, what about future changes to that algorithm? After every change we should check the classifications manually ourselves again. While the data classified might change with time, it might also grow to huge scales with the evolution of our product, and the growth of our customers, then our manual classification problem would of course be much more difficult. Have you started to worry about your production algorithms already? Well, you shouldn’t! After reading this, you will be familiar with our proposed method to validate your algorithm score easily, adaptively, and effectively against any change in the data or the model. So let's start detailing it from the beginning. Why is it needed? Algorithm continuous modifications always happen. For example, we are having: Runtime optimizations Model improvements Bug fixes Version upgrades How are we dealing with those modifications? We usually use QA tests to make sure the system keeps working. At the same time, the best among us might even develop some regression tests to make sure, for several constant scenarios, that the classifications would not be changed What about data integrity? But what about the real classifications on prod? Who verifies their change? We need to make sure that we won’t have any disasters on prod when deploying our new changes in the algorithm. For that, we have two optional solutions: Naive solution - pass through all the classifications on prod (which is of course not possible) Practical solution - use samples of each customer data on prod - using the margin of error equation. Margin of error To demonstrate, we are going to take a constant sample from each customer’s data, which would represent the real distribution of the data with minimal deviation, which we will do using the Margin of Error equation, sometimes known from election surveys, where the surveys are sometimes based on some equation derived from the Margin of Error equation. So, how does it work? We can use the first equation used for calculating the margin of error, to extract the needed sample size desired. We would like to have a maximum margin of error of 5%, while we should use a constant value of Z = 1.96 if we want the confidence of 95% (might be changed if we would like to have another confidence level) The extraction of the required sample size is demonstrated in the following equation: While this equation is an expansion of the equation above, it might be used when we have the full data size, to be more precise. Otherwise, we’ll be left only with the numerator of that equation - which is also fine if we don’t have the full data size. This is a code block demonstrating the implementation of this equation in Python: We can now freeze those samples, which we call a “golden dataset,” and use them as a supervised dataset that will be used by us in the future when making modifications, and serves us as a data integrity validator on real data from prod. We should mention that because optional changes on prod data might happen with time, we encourage you to update this golden dataset from time to time. The flow of work for end-to-end data integrity: Manual classification to create a golden dataset Maintaining a constant baseline of prod classifications Developing a suite of score comparison tests Integrating quality check into CI-process of the algorithm So, how will it all work together? You can see that in the following GIF: We may now push any change to our algorithm code, and remain protected, thanks to our data integrity shield! For further questions about data integrity checks, or data science in general, don’t hesitate to reach out to me at [email protected]. Fri, 05 Jan 2024 14:41:10 -0800 Eden Meyuhas