Under the prevailing circumstances of the pandemic, IT assets are no longer present behind the safe confines of corporate firewalls. Rather, they are dispersed and extend into the homes of employees. And organizations use a blend of cloud environments and on-premise with enterprise applications spread across multiple clouds. To complicate matters, users are bypassing IT and deploying their own applications without following processes and policies to secure these applications. The merger of operational technology and information technology also poses a threat to enterprise networks as there is poor visibility and security with OT systems. In this scenario, an identity-based approach and zero-trust are some of the most effective approaches to secure endpoint devices, networks and IT infrastructure.
Kartik Shahani, Country Manager for Tenable in India met Brian Pereira, Editor-in-Chief, CISO MAG to discuss how Active Directory can help establish a zero-trust policy for organizations. Shahani offers advice and tips for zero-trust security.
VIDEO: What exactly is Zero-trust?
Based in Mumbai, India, Shahani has over 30 years of experience in the IT industry, driving momentum for enterprises. He spearheads initiatives for Tenable in the enterprise security market, manages operations and continues efforts towards channel activities in India.
He has extensive experience in the telecommunications, finance and government sectors. Along with his innovative sales strategies, he is instrumental in driving growth in India. Shahani previously worked in RSA Security, a division of Dell EMC, where he was Director for Channel in the Asia Pacific and Japan. Prior to this, he was the Executive Director of Integrated Security for India and South Asia at IBM.
According to Tenable’s 2020 Threat Landscape Retrospective, there were 29 zero-day vulnerabilities disclosed in 2020. And 35.7% were browser-related vulnerabilities. The next highest at 28.8% is OS-related vulnerabilities. What would you suggest as ways to mitigate browser-related and OS-related vulnerabilities? What should vendors and end-users do?
Zero-days may garner most of the attention but known yet unpatched vulnerabilities enable most breaches and have become favored by advanced attackers. Considering that web browsers are the gateway to the internet, patching these assets is an essential part of securing the enterprise network. Users of Apple devices should regularly update to the latest version to protect themselves against threats.
Why should Trust be treated as a vulnerability today?
Just as software vulnerabilities are often exploited in cyberattacks, trust is no different in perimeter-based defenses. Cybercriminals exploit privileges and trust to perform the lateral movement as part of the attack path. With a zero-trust approach, security teams can identify where trust is built into systems and networks and harden those systems. Multi-factor authentication, encryption software, identity and access management tools will also help secure critical business assets. A cybersecurity strategy that removes trust entirely from digital systems is, in fact, a great equalizer, one that any proponent of “flat” corporate hierarchies ought to be more than happy to embrace.
Can you explain how Active Directory (AD) is at the center of enabling trust?
Most organizations grant user access and privileges based on the notion that some users are more trustworthy than others based on their role. A never trust, always verify approach, derails anyone who sees themselves as “trustier than thou” because zero-trust relies on the systematic and continuous evaluation of users and their permissions. By viewing trust as a vulnerability, organizations can ensure users can only access the information they need to. Continuously monitoring the AD, allows security teams to detect unusual activity, monitor rights abuses and even stop lateral movement.
How do cyber hygiene fundamentals make zero-trust security possible?
Great security starts with a complete and continuous understanding of the attack surface, from on-premises to cloud infrastructure and from a growing remote workforce to all users connected to the network. The fundamentals of cyber hygiene include identifying systems that could potentially compromise the environment, identifying the roles of users who have access to those systems, and identifying cybersecurity vulnerabilities that could arise. With full visibility, organizations can determine who needs access to what assets and grant permission to access them on a need-to-know basis.
This is where AD plays a pivotal role. It is critical for organizations to mitigate AD misconfigurations, evaluate user rights and continuously monitor AD for suspicious activity. Once vulnerabilities arising out of trust are addressed, organizations can focus on monitoring the entire attack surface and regularly patch vulnerabilities that pose the greatest threat to critical business assets.
Can you share some tips for accelerating your zero-trust journey?
Zero-trust is not a product or solution that can be installed. It’s a strategy for implementing cybersecurity in a business world without perimeters. It’s built upon cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring. Identifying each and every user in the network provides full visibility into the attack surface including IT, OT and IoT. Once security teams know how data flows within the organization, identifying critical assets that need to be secured becomes easier. Limiting access to these assets reduces the attack pathways and allows ease in monitoring the attack surface, identifying end-point vulnerabilities and patching them regularly.
What are the potential risks that you see with the confluence of OT and IT?
In modern industrial and critical infrastructure environments, an increasing number of operational technology (OT) devices are now connected to the outside world. While this convergence presents many opportunities, it also introduces new risks. Many of the systems within the OT world are unpatched or unsupported making them especially vulnerable to malicious activity. Since IT and OT environments are often interconnected, an attack that originates on an IT network can move laterally to the OT environment and vice versa.
Therefore, having complete visibility is of utmost importance. OT operators need to take a full inventory of all assets, firmware version, patch level, state, configuration and vulnerability positions of everything that is present within the OT infrastructure.
About the Interviewer
Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).