Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:30 PM
Ofer Amitai
Ofer Amitai
Connect Directly
E-Mail vvv

The Security Perimeter Is Dead; Long Live the New Endpoint Perimeter

The network no longer provides an air gap against external threats, but access devices can take up the slack.

Four potent forces have turned network security on its head: the decentralization of corporate networks; the proliferation of mobile devices; the evolution of the bring-your-own-device (BYOD) policies to include multiple devices; and the massively disruptive Internet of Things (IoT) phenomenon. One of these forces on its own is enough to weaken the best security defenses, but together they are wreaking havoc in enterprises in every industry.

The impact of these forces has essentially erased the enterprise perimeter, traditionally used to protect organizations from external attacks. The fall of this wall has created a new security landscape in which each endpoint, no matter from where it connects, has become its own perimeter — a weakness that can give adversaries access to the entire network.

The Fall of the Wall
Decentralization caused the first bricks to crumble. The final bricks were taken away by the widespread adoption of BYOD policies and the often chaotic infiltration of IoT devices.

Today, an enterprise might have multiple offices in cities across the country or across the globe, with each location potentially having different security protocols, products, and services. Meanwhile, employees connecting through public, unsecured Wi-Fi connections, as well as contractors and other third-parties using unmanaged BYOD devices all log in to the corporate network. 

The Lateral Threat
A significant challenge to network and information security is lateral movement of attacks such as malware or ransomware and hackers, once inside the network. Undetected, these threats can propagate from one compromised endpoint to others.

In recent years, adversaries have carried out large-scale attacks by exploiting known vulnerabilities and security gaps on endpoints. WannaCry, NotPetya, and Bad Rabbit malware all used lateral movement to spread on a global scale in 2017. Using a single entry point — generally, the most vulnerable device — hackers were able to quickly take down unpatched systems.

Often, the weakest points are unmanaged, unprotected IoT devices, especially those deployed on secure network segments used by important company assets. IoT devices aren’t transient and typically remain undetected by network scans. Therefore, security teams are often unaware of the attack surface they create.

Best Practices
Visibility: Having full visibility of all devices connected to the network is essential. This includes gathering information such as the location and type of device, the processes and applications it is running, and how many similar devices are connected across the enterprise. Full visibility should not be limited to headquarters and includes all branches and endpoints.

Use Historical Data: Historical data on endpoint usage — such as past processes, network connections, and other information — can be very useful in detecting compromised devices as well as in tracing the path of a threat once it has been identified. This data can also be invaluable for conducting rapid and accurate responses to incidents as well as preventing future attacks.

Keep It Simple: Simple security configurations and deployments can translate to painless ongoing maintenance and better security in a world of increasing threats. Simplicity is crucial because enterprises are shorthanded, manage dozens of security products, and have limited time to investigate and respond to threats.

Automate Monitoring and Mitigation: Continuous monitoring is the best way to prevent risks from escalating into security incidents. Organizations need the ability to automatically quarantine threats before they access crucial enterprise data or services. This allows the security teams to assess if a risk is a threat, and, if it is, to block affected endpoints.

Avoid Vendor Lock-in: In a dynamic world where organizations evolve through organic growth or through merger or acquisition, they should not tie their security to a specific vendor. To prevent vendor lock-in and future-proof security operations, adopt a vendor-agnostic approach when choosing security products or services.

Embrace the Cloud: A cloud service runs the latest version of software at any given moment, provides seamless upgrades, and delivers up to date capabilities. Additionally, it offers smooth scalability and distribution across the world, making it a must-have for decentralized enterprises.

Another advantage of a cloud-based approach: It handles threats both inside and outside the enterprise perimeter, allowing organizations to provide remote branches the same security as their corporate headquarters.

Ultimately, enterprises should consider a security approach that implements a perimeter on endpoints through continuous monitoring, risk assessment, policy enforcement, and automated containment/remediation of compromised devices. Following the previously mentioned best practices provides a good framework for re-establishing control over network security.

Related Content:


Ofer Amitai is CEO and co-founder of Portnox, where he is responsible for day-to-day operations and setting the company's strategic direction. He has over 20 years' experience in network security, during which time he established the first IT security team in the Israeli Air ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/21/2019 | 11:46:46 AM
Re: Good Idea
User Rank: Strategist
1/21/2019 | 12:58:54 AM
Paw-ke Mon Go!
"Now, we come here to play Paw-ke Mon Go!"
User Rank: Apprentice
1/20/2019 | 4:29:55 PM
Re: Good Idea
Articles like this just make me laugh. 

I've been consulting for 20 years and I still have yet to see a single organization allow BYOD devices on the corporate network.  If I ever see that, I will point it out as a huge security hole.  BYOD isn't common because the company can't transfer liability to the owner of that device.  If some end user puts corporate data on their personal laptop, which is then stolen, it's the company not the user that is liable.  Therefore, no BYOD. 

This author also said something about contractors putting BYOD devices on the corporate network.  This is also stupid and is not something that ever happens, and for the same reasons I described above.  In my experience, contractors are barely allowed to use the guest WiFi. 

The security perimeter is expanding, not disolving.  BYOD is not a threat if you don't allow them on the network.  Security comes before popularity. 

If you can't control it, don't allow it. 
User Rank: Author
1/18/2019 | 3:50:09 AM
No more one size fits all
Organizations need to be realistic that they will have different endpoints with different levels of security. That's fine provided that they're conscious of it - and that they restrict what their less secure endpoints can do (ie don't allow insecure endpoints to talk to your most sensitive systems!)
User Rank: Ninja
1/17/2019 | 3:11:35 PM
Good Idea
No bring your own devices.  At work you use a CORPORATE ASSET or not at all.  THAT is a good rule.  Eliminates alot of troubles.  Corp has rules for usage of assets, but bringing your own in voids all of that in a flash. SO DON'T BE STUPID about it.  Work is work and that is that.  No outside anything except IF you have a defended guest network maybe and even then test the hell out of it.  Segment that off your corp in-office network.  Tools exist for that.  But NOTHING OUTSIDE ever comes in the door.  Simple and effective. 
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-19
masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c and src/masqmail.c that results in improper privilege dropping.
PUBLISHED: 2019-11-19
Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context ...
PUBLISHED: 2019-11-19
lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation.
PUBLISHED: 2019-11-19
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI ...
PUBLISHED: 2019-11-19
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.