Build up business security this holiday season by layering a defence-in-depth strategy

January 2023 by David Higgins, Senior Director Field Technology Office, CyberArk

It’s the busiest time of the year for many businesses, with holiday browsing and shopping increasing digital foot traffic. Often, malicious actors see this as an opportunity to attack, with organisations working at max capacity and in turn more vulnerable. That’s why it’s so important to identify the key areas that represent a chink in your cybersecurity armour and implement specific defences.

Known as defence-in-depth, it’s a simple enough idea, similar in concept to the tightly ranked Roman centuries of the ancient world, with the next line of soldiers awaiting any enemy that hacked their way through the front rank. By applying a similar approach to the digital world, we create a cybersecurity strategy designed to protect the most sensitive data critical to an organisation’s IT environment. However, unlike the Roman battlefield, which featured a defined frontline, the cyber battlefield is complex and multi-dimensional. Additionally, the average staff member has access to more than 30 business applications and accounts – any of which can be privileged, and thus a target. Hence, creating this in-depth cyber defence strategy may not be easy, but by understanding which of those specific areas of the workforce present the most risk, IT teams can design their layers of defence accordingly.

IT leaders should use the available data to inform their decisions when considering where to implement defence-in-depth layers. Available research offers insights into the areas of the workforce IT landscape that are most at risk. Importantly, it demonstrates that attackers have shifted away from targeting traditionally privileged IT admins to targeting the wider workforce. When more than half of organisations’ workforces have direct access to sensitive corporate data, it’s easy to understand why this shift has occurred.

The 5 Key Workforce Access Areas to defend

Strengthen authentication mechanisms
Although Multifactor Authentication (MFA) is an industry standard, it’s clearly not implemented often enough: 80% of breaches begin with compromised credentials. Unfortunately, attackers innovate at the same rate as we do, and have evolved their own ways to evade legacy MFA policies, such as tampering with QR codes, hijacking cookies, and MFA bombing.
Defend it in depth: avoid piling on the layers of authentication; aim to make them smarter and more autonomous instead. IT teams should use behavioural analytics and automation to gain clearer insights into individual users’ access habits and build up context about what constitutes risk over time. This avoids creating multiple hoops for users to reluctantly jump through, instead allowing smart controls to take out a threat with extra layers of defence – such as extra MFA factors – when needed.
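
The adaptive approach described above, sketched as an added example (not code from the article or from any vendor product): a per-user baseline of login habits drives a risk score, and an extra factor is requested only when the score warrants it. Field names, weights and thresholds are illustrative assumptions, and the login history is constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: 15 morning logins (08:00-10:00), one country, one device.
START = datetime(2023, 1, 2, 8, 0)
HISTORY = [{"time": START + timedelta(days=d, hours=d % 3),
            "country": "GB", "device": "laptop-01"} for d in range(15)]

def build_baseline(history):
    """Summarise one user's past successful logins into habit counters."""
    return {
        "country": Counter(e["country"] for e in history),
        "device": Counter(e["device"] for e in history),
        "hour": Counter(e["time"].hour for e in history),
    }

def risk_score(baseline, event, push_denials, window_min=10, bomb_threshold=3):
    """Return (score, reasons) for a login attempt; weights are illustrative."""
    score, reasons = 0, []
    checks = [("country", event["country"], 40),
              ("device", event["device"], 30),
              ("hour", event["time"].hour, 10)]
    for habit, value, weight in checks:
        if value not in baseline[habit]:  # never seen before for this user
            score += weight
            reasons.append("new_" + habit)
    # MFA bombing signal: several denied push prompts shortly before this attempt.
    start = event["time"] - timedelta(minutes=window_min)
    recent = [t for t in push_denials if start <= t <= event["time"]]
    if len(recent) >= bomb_threshold:
        score += 50
        reasons.append("push_fatigue")
    return score, reasons

def decide(score, reasons):
    """Map the score to an action: extra factors only when risk warrants them."""
    if score >= 70:
        return "deny_and_alert"
    if score >= 30:
        # After a burst of denied prompts, sending yet another push adds no assurance.
        return "step_up_non_push" if "push_fatigue" in reasons else "step_up_mfa"
    return "allow"

def evaluate(event, push_denials=()):
    """Score one login event against the sample user's baseline and decide."""
    return decide(*risk_score(build_baseline(HISTORY), event, push_denials))
```

A login that matches the user's habits passes without extra prompts, while a burst of denied push prompts forces a non-push factor even from a known device.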

Vulnerable endpoints
Research shows that less than half of IT teams apply identity security controls to company-supplied user machines. This leaves workstations, servers, and virtual machines open to ransomware, phishing, or other endpoint-focused attacks. It only takes one device left unguarded to be the start of a ransomware attack.
The defensive layer: Organisations can blend adaptive MFA with endpoint privilege controls to help address risks arising from a hybrid work environment in which any user’s workstation could be a target.

Business critical applications
Businesses have many valuable applications at their fingertips, with the average user having access to 5-10+ high-value business apps. These contain sensitive resources such as customer information, intellectual property, and financial data, making them a key target for attackers. Unfortunately, 80% of businesses have faced users misusing or abusing these apps in the last year. Simply requiring a login is not enough to keep them safe – the moment a user steps away from their screen while still logged in, all that valuable data is exposed.
Defend it in depth: a login only verifies a user’s identity at one point – so IT teams can implement effective security controls here to continue to monitor, record, and audit user actions after authentication. Enhancing the visibility available reveals insights that create benefits, such as being able to identify the source of a security incident (and therefore respond) much more quickly.

Third party vendors
Almost all businesses benefit from using third party tools, but these carry risks too, as integration often requires creating super-user access to clients’ systems. Unfortunately, this is a growing attack vector, with over 90% of organisations experiencing a security incident related to an external partner.
Defend it in depth: it’s important to strike a careful balance between security and productivity, as it makes no sense to cripple the purpose of the third-party product with overbearing security. Finding a way to systematise third party privileged access vetting and monitoring will go a long way – especially if it can be done without relying on VPNs, passwords, or agents to do so.

Credentials that have escaped single sign-on
It’s widely accepted that the key to reducing identity compromise is to properly secure user credentials. Single sign-on (SSO) has become a popular way to do this, but with the variety of services used by each individual, there often end up being numerous apps and logins left outside of that environment, and some apps simply don’t support modern context-based authentication. To make matters worse, those logins and passwords are often stored in insecure locations or shared among colleagues (often to the frustration of their IT departments!).
Defend it in depth: Where SSO can’t be implemented, it is essential that all users have access to strong, enterprise-level, vault-based password storage. We know that any user can become privileged in the right circumstances, so they should all be protected with the same importance as an IT admin, for example. Not only will a password vault increase overall visibility and control for cybersecurity teams, but it makes life easier for users to automatically capture and retrieve credentials as needed.

Layering defences builds resilience
Creating layers of defence is not a cookie-cutter process: each organisation has a unique attack surface, and therefore needs a unique combination of layers in a variety of places. Taking the time to approach this process holistically, taking into account the individual threats an organisation faces, will go a long way in creating robust defences. Doing so with a Zero Trust attitude will encourage the implementation of a sturdier defence overall.

