Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:30 PM
Ofer Amitai
Ofer Amitai
Connect Directly
E-Mail vvv

The Security Perimeter Is Dead; Long Live the New Endpoint Perimeter

The network no longer provides an air gap against external threats, but access devices can take up the slack.

Four potent forces have turned network security on its head: the decentralization of corporate networks; the proliferation of mobile devices; the evolution of the bring-your-own-device (BYOD) policies to include multiple devices; and the massively disruptive Internet of Things (IoT) phenomenon. One of these forces on its own is enough to weaken the best security defenses, but together they are wreaking havoc in enterprises in every industry.

The impact of these forces has essentially erased the enterprise perimeter, traditionally used to protect organizations from external attacks. The fall of this wall has created a new security landscape in which each endpoint, no matter from where it connects, has become its own perimeter — a weakness that can give adversaries access to the entire network.

The Fall of the Wall
Decentralization caused the first bricks to crumble. The final bricks were taken away by the widespread adoption of BYOD policies and the often chaotic infiltration of IoT devices.

Today, an enterprise might have multiple offices in cities across the country or across the globe, with each location potentially having different security protocols, products, and services. Meanwhile, employees connecting through public, unsecured Wi-Fi connections, as well as contractors and other third-parties using unmanaged BYOD devices all log in to the corporate network. 

The Lateral Threat
A significant challenge to network and information security is lateral movement of attacks such as malware or ransomware and hackers, once inside the network. Undetected, these threats can propagate from one compromised endpoint to others.

In recent years, adversaries have carried out large-scale attacks by exploiting known vulnerabilities and security gaps on endpoints. WannaCry, NotPetya, and Bad Rabbit malware all used lateral movement to spread on a global scale in 2017. Using a single entry point — generally, the most vulnerable device — hackers were able to quickly take down unpatched systems.

Often, the weakest points are unmanaged, unprotected IoT devices, especially those deployed on secure network segments used by important company assets. IoT devices aren’t transient and typically remain undetected by network scans. Therefore, security teams are often unaware of the attack surface they create.

Best Practices
Visibility: Having full visibility of all devices connected to the network is essential. This includes gathering information such as the location and type of device, the processes and applications it is running, and how many similar devices are connected across the enterprise. Full visibility should not be limited to headquarters and includes all branches and endpoints.

Use Historical Data: Historical data on endpoint usage — such as past processes, network connections, and other information — can be very useful in detecting compromised devices as well as in tracing the path of a threat once it has been identified. This data can also be invaluable for conducting rapid and accurate responses to incidents as well as preventing future attacks.

Keep It Simple: Simple security configurations and deployments can translate to painless ongoing maintenance and better security in a world of increasing threats. Simplicity is crucial because enterprises are shorthanded, manage dozens of security products, and have limited time to investigate and respond to threats.

Automate Monitoring and Mitigation: Continuous monitoring is the best way to prevent risks from escalating into security incidents. Organizations need the ability to automatically quarantine threats before they access crucial enterprise data or services. This allows the security teams to assess if a risk is a threat, and, if it is, to block affected endpoints.

Avoid Vendor Lock-in: In a dynamic world where organizations evolve through organic growth or through merger or acquisition, they should not tie their security to a specific vendor. To prevent vendor lock-in and future-proof security operations, adopt a vendor-agnostic approach when choosing security products or services.

Embrace the Cloud: A cloud service runs the latest version of software at any given moment, provides seamless upgrades, and delivers up to date capabilities. Additionally, it offers smooth scalability and distribution across the world, making it a must-have for decentralized enterprises.

Another advantage of a cloud-based approach: It handles threats both inside and outside the enterprise perimeter, allowing organizations to provide remote branches the same security as their corporate headquarters.

Ultimately, enterprises should consider a security approach that implements a perimeter on endpoints through continuous monitoring, risk assessment, policy enforcement, and automated containment/remediation of compromised devices. Following the previously mentioned best practices provides a good framework for re-establishing control over network security.

Related Content:


Ofer Amitai is CEO and co-founder of Portnox, where he is responsible for day-to-day operations and setting the company's strategic direction. He has over 20 years' experience in network security, during which time he established the first IT security team in the Israeli Air ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/21/2019 | 11:46:46 AM
Re: Good Idea
User Rank: Strategist
1/21/2019 | 12:58:54 AM
Paw-ke Mon Go!
"Now, we come here to play Paw-ke Mon Go!"
User Rank: Apprentice
1/20/2019 | 4:29:55 PM
Re: Good Idea
Articles like this just make me laugh. 

I've been consulting for 20 years and I still have yet to see a single organization allow BYOD devices on the corporate network.  If I ever see that, I will point it out as a huge security hole.  BYOD isn't common because the company can't transfer liability to the owner of that device.  If some end user puts corporate data on their personal laptop, which is then stolen, it's the company not the user that is liable.  Therefore, no BYOD. 

This author also said something about contractors putting BYOD devices on the corporate network.  This is also stupid and is not something that ever happens, and for the same reasons I described above.  In my experience, contractors are barely allowed to use the guest WiFi. 

The security perimeter is expanding, not disolving.  BYOD is not a threat if you don't allow them on the network.  Security comes before popularity. 

If you can't control it, don't allow it. 
User Rank: Author
1/18/2019 | 3:50:09 AM
No more one size fits all
Organizations need to be realistic that they will have different endpoints with different levels of security. That's fine provided that they're conscious of it - and that they restrict what their less secure endpoints can do (ie don't allow insecure endpoints to talk to your most sensitive systems!)
User Rank: Ninja
1/17/2019 | 3:11:35 PM
Good Idea
No bring your own devices.  At work you use a CORPORATE ASSET or not at all.  THAT is a good rule.  Eliminates alot of troubles.  Corp has rules for usage of assets, but bringing your own in voids all of that in a flash. SO DON'T BE STUPID about it.  Work is work and that is that.  No outside anything except IF you have a defended guest network maybe and even then test the hell out of it.  Segment that off your corp in-office network.  Tools exist for that.  But NOTHING OUTSIDE ever comes in the door.  Simple and effective. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
PUBLISHED: 2020-06-05
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
PUBLISHED: 2020-06-05
In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.