CONTACT US
1-844-4ZPE-SYS
ZPE CLOUD

Providing Out-of-Band Connectivity to Mission-Critical IT Resources

Home » SecOps » Page 2

Medical Devices Cybersecurity Risk

by | Aug 16, 2023 | Improve Network Security, Micro-segmentation, Remote Network Management, SecOps, Security Service Edge (SSE), User Management, Zero Trust Security

A hacker’s laptop connects to a stethoscope to represent medical devices cybersecurity risk

The healthcare industry is one of the largest adopters of “Internet of Things” (IoT) technology, using internet-enabled devices to monitor patient health, dispense lifesaving medication, perform medical procedures, and more. Some examples of IoT devices used in healthcare include insulin pumps, pacemakers, heart rate monitors, and intracardiac defibrillators. These devices allow healthcare teams to provide advanced care in bustling urban centers as well as remote or rural areas where frequent in-person visits are impossible.

However, these devices often run outdated software due to the difficulty of patch management and the time-intensive nature of updates, which end up getting bumped from the schedules of busy metropolitan teams. In addition, healthcare organizations and patients alike often sacrifice security hygiene for convenience, increasing the likelihood of stolen credentials and compromised devices. Plus, since these devices often operate in patient homes and other locations outside the organization’s network, security teams may not even know if an IoT device is stolen or compromised until it’s too late.

Many cybercriminals target IoT medical devices to harvest sensitive health data, but in the process could cause a pacemaker to crash and severely injure the patient. To address the growing threat of ransomware and other cyberattacks on patient health devices, the FDA recently issued a set of guidelines for securing medical devices. In this post, we’ll discuss the factors that make medical devices a cybersecurity risk before providing mitigation strategies to help healthcare organizations meet FDA requirements.

Table of Contents:

What makes medical devices a cybersecurity risk?

Every internet-enabled device expands an organization’s attack surface, giving cybercriminals something new to compromise and gain access to data and other resources. Medical devices are particularly risky for three reasons.

  • Outdated software – It’s difficult to update software on remote, wearable, or implanted medical devices without causing a (potentially dangerous) disruption to the patient. A recent FBI report showed that 53% of IoT medical devices had known, unpatched vulnerabilities in their software, making them more susceptible to cyberattacks.
  • Poor security hygiene – Teams often deploy medical devices with easy, insecure passwords for ease of use. While this may make operating and troubleshooting these devices easier for busy healthcare practitioners, it also significantly increases the cybersecurity risk.
  • Inadequate monitoring – Once medical devices leave the central network, it can be difficult for admins to monitor software versioning, account activity, device location, and other critical security metrics. That means they may not be aware of breaches or failures that put patient health at risk.

Medical device cybersecurity risk mitigation strategies

Due to the increased frequency of attacks and the potential to cause patient harm, the FDA released guidance earlier this year to address medical device cybersecurity risks. For the FDA to consider a medical device “secure,” there must be plans and processes in place to monitor, identify, and patch vulnerabilities, both on a routine schedule and as soon as possible in response to specific threats. There are also additional requirements to demonstrate that reasonable security measures are in place, including strong authentication.

This guidance is intentionally broad, giving general rules without detailing exactly how to achieve compliance. Let’s discuss three specific risk mitigation strategies that address the above mentioned risk factors and meet FDA guidelines.

Automated patch management

Medical device manufacturers and service providers must continuously monitor for vulnerabilities and release software patches on a regular schedule to comply with the FDA’s ruling. Automated monitoring, configuration management, and software delivery tools can all help teams stay on top of demanding patch schedules. On the consumer side, healthcare teams can use automated patch management solutions to ensure updates are installed as soon as they’re available, reducing manual workloads and improving device security.

Zero trust security

Zero trust security is a methodology that involves applying highly specific security policies and building checkpoints of security controls around individual network resources. Zero trust requires strong passwords and uses technology like multi-factor authentication (MFA) to prevent compromised accounts from accessing devices or data. Zero trust is difficult to achieve, and it can be challenging to get overworked healthcare providers or elderly patients to follow stricter password guidelines, but it’s quickly becoming standard practice for new medical devices and cloud services. Teams can help smooth the transition by providing additional training and support when deploying new healthcare technology.

Vendor-neutral monitoring

Administrators need to track device metrics to ensure the equipment functions correctly and identify any signs of compromise. Often, devices come with software monitoring solutions that are specific to a particular vendor, but most healthcare teams deploy a wide variety of equipment from multiple vendors. As a result, admins must log in to several different dashboards, all of which provide varying degrees of coverage and granularity. A vendor-neutral monitoring platform can unify all these disparate systems, making it easier to track device health and spot potential problems.

Medical device security, recovery, and resilience

Medical devices pose a significant cybersecurity risk, and the consequences of successful breaches could be deadly. The FDA urges medical device providers to follow guidelines for vulnerability monitoring, patch management, and overall cybersecurity. In addition, healthcare organizations can use automated patch management, zero trust security, and vendor-neutral monitoring platforms to improve their security posture.

It’s also vital that organizations have a plan for how to recover remote medical devices that are compromised by ransomware or other cyberattacks. The faster teams can restore, rebuild, or replace the device, the better the patient’s health outcomes. This combination of security and recovery planning makes healthcare networks more resilient to cyberattacks and failures.

For example, the Nodegrid platform from ZPE Systems allows healthcare teams to deploy automation, zero trust security, monitoring, recovery tools, and more from one unified system. Nodegrid’s out-of-band management solutions can also be used to build an isolated recovery environment where teams can rebuild and restore compromised systems with the risk of reinfection.

To learn more about recovering from ransomware and other medical device cybersecurity risks, download our whitepaper, 3 Steps to Ransomware Recovery.

Download the Whitepaper

Learn more about recovering from ransomware and other medical device cybersecurity risks!

Nodegrid allows healthcare teams to deploy automation, zero trust security, monitoring, recovery tools, and more from one unified system. 

Contact Us

Zero Trust Security Architecture

by | Aug 4, 2023 | Improve Network Security, Micro-segmentation, SecOps, Security Service Edge (SSE), User Management, Zero Trust Security

The words zero trust in a circle with simulated computer architecture as the background.

In today’s economy, businesses can’t afford to neglect their cybersecurity architecture. According to a recent report, cybercrime damages are expected to reach $10.5 trillion annually by 2025. Attacks are more frequent and damaging, thanks partly to the difficulty in establishing a solid security perimeter around a modern enterprise network. With Internet of Things (IoT) device usage on the rise and networks expanding to include remote branch offices and edge data centers, it can be impossible to clearly define the boundaries of a network, let alone effectively defend those boundaries. For example, many organizations use tools like Citrix to enable secure remote access to enterprise resources, but recently, high-risk vulnerabilities were discovered in several Citrix gateway products. The very tools we rely on to defend our expanding perimeter may leave us the most exposed to attacks.

The zero trust security methodology was created to address the challenges involved in traditional, perimeter-based defense strategies. This post defines a zero trust security architecture, discusses some of the gaps typically left in such an architecture and provides tips for avoiding these pitfalls.

Table of Contents:

What is a zero trust security architecture?

A zero trust security architecture is designed around the principle of “never trust, always verify.” Traditional security architectures assume that every user and device should be implicitly trusted as long as they’re inside the organization’s network perimeter. That assumption leaves compromised accounts and malicious insiders free to move laterally around the network, accessing and exfiltrating data or executing ransomware in the process.

On the other hand, a zero trust security architecture assumes that every account and device is already compromised unless trust is continuously established. The zero trust methodology was founded by Forrester analyst John Kindervag in 2009; the same year, Google’s BeyondCorp project launched with the sole purpose of defining and developing a zero trust security architecture.

Zero trust uses network micro-segmentation, advanced authentication, Layer 7 (application-level) threat monitoring, and highly-granular security policies to verify trust and prevent lateral movement. Risk is calculated for each resource on the network, and then micro-perimeters of specific security controls are built around the resource micro-segment. Users and devices must establish trust each time they hit a micro-perimeter no matter how elevated their accounts are or where they’re accessing the network from, making it easier to spot and disable a compromised account. This is how a zero trust architecture limits the blast radius and duration – and thus the cost – of cyberattacks.
.

Tips for building a zero trust security architecture

Tips for implementing zero trust without gaps

Zero trust is not a single solution to purchase and deploy in your enterprise – it’s a combination of tools, policies, and proccesses that contribute to a more resilient network. The complexity of a zero trust architecture makes it prone to gaps. For example, manually configuring and managing so many moving parts increases the risk of human error. Additionally, zero trust doesn’t prevent 100% of attacks, but many organizations lack a comprehensive recovery plan. Plus, you can’t have a zero trust environment unless you isolate all administrative interfaces for infrastructure.

During the planning stage of your zero trust security implementation, you should keep the following three questions in mind:

  1. How will you manage so many different policies and solutions?
  2. Do you have tools to aid you in recovering from a successful attack?
  3. How will you protect your control plane from malicious actors on your network?

Addressing these challenges with the following best practices will help you build a successful zero trust security architecture.

Reduce human error with centralized orchestration

A zero trust security architecture includes hundreds or thousands of individual security policies and solutions. Configuring and managing this architecture is a monumental task prone to human error, leading to potential vulnerabilities. According to Microsoft, configuration errors cause 80% of ransomware attacks, making human error a major threat to network resilience. The best way to reduce complexity and prevent mistakes is to be able to see and manage all your solutions from one place, with the ability to automate regardless of skill level.

A centralized security orchestration platform allows administrators to configure, monitor, deploy, and automation all their zero trust solutions from a single place. The best practice is to use a vendor-neutral platform that integrates with third-party zero trust vendors for identity and access management (IAM), next-generation firewalls (NGFWs), and more. Such a platform allows organizations to build bespoke micro-perimeters using the preferred solutions, regardless of vendor, and still manage the entire architecture from a single pane of glass. Plus, with a holistic view of the security architecture, organizations gain a more accurate perspective on their overall security posture and have the context needed to spot systemic issues or subtle indicators of a breach.

Prioritize incident response and recovery planning

According to a recent report from Check Point Research, the global volume of cyberattacks reached an average of 1168 per week per organization in Q4 of 2022. That means there’s no question of “if” a breach will occur, only “when” it will happen. It’s essential to consider incident response and recovery when you build your zero trust security architecture to reduce the cost of an attack.

Research from Sophos found that 70% of organizations hit by ransomware took longer than two weeks to recover, implying they didn’t have the right recovery architecture in place. Downtime gets more expensive the longer it goes on, so organizations must improve their recovery capabilities. For example, data backups are critical to recovery efforts, so they must be protected by zero trust authentication and policies to prevent compromise or corruption. In addition, backup data, systems, and infrastructure must be validated with security scans before they’re restored to ensure they don’t reinfect the network with malware. Getting business back up and running as soon as possible will decrease the cost of cyberattacks, which means a recovery toolkit is an essential component of a zero trust architecture.

Secure the control plane on a dedicated OOB network

The management interfaces used by administrators to control network infrastructure are often excluded from cybersecurity planning because because end users don’t access them. Only admins have usernames and passwords, and they trust their own security hygiene, so they (incorrectly) assume these interfaces are safe. If zero trust policies aren’t applied to the control plane, a compromised administrator account could completely wipe out your infrastructure and gain unfettered access to sensitive data and backups. The blast radius of such an attack would be devastating and severely hamper recovery efforts.

A recent CISA directive provides guidance for reducing the risk of open management ports. The best practice for a zero trust security architecture is to keep the control plane on a separate, out-of-band (OOB) network. An OOB network uses dedicated infrastructure that’s isolated from the production LAN, preventing lateral movement by attackers. This also allows administrators to perform recovery operations even when ransomware or hardware compromises bring down the production network. In addition, zero trust policies and controls must be applied to the OOB control plane to prevent a compromised administrator account from gaining too much access.

Tips for building a zero trust security architecture
  • A vendor-neutral security orchestration platform reduces management complexity and mitigates the risk of human error
  • Integrating a recovery toolkit in the architecture will help limit the cost and business disruption of successful attacks
  • Keeping the control plane on an OOB network and applying zero trust policies and controls will limit the blast radius of a breach

The zero trust methodology asks us to assume that devices and accounts are already compromised, and attackers have breached the network, requiring everyone to continuously prove trustworthiness before accessing enterprise resources. A successful zero trust architecture is unified by a vendor-neutral orchestration platform, prioritizes business resilience and recovery, and secures management interfaces with the same strict policies and controls as the production network.

Build your zero trust security architecture with Nodegrid

Building such an architecture is easier with the Nodegrid solution from ZPE Systems. Nodegrid is a vendor-neutral security orchestration platform that delivers unified control of the entire architecture of zero-trust policies and controls to reduce complexity and mitigate the risk of human error. Nodegrid branch gateway routers and serial console servers provide secure OOB management, so you get an isolated control plane without deploying an entire secondary network. You can even use Nodegrid to build an isolated recovery environment (IRE) to streamline ransomware recovery and reduce the business impact of attacks.

Learn how Nodegrid delivers unified orchestration and out-of-band management!

Nodegrid delivers unified orchestration and out-of-band management to help you build your zero trust security architecture. Contact ZPE Systems today to learn more.

Contact Us

The Biggest Ransomware Attack You Haven’t Heard of…Yet

by | Jul 6, 2023 | Data Logging, Improve Network Security, Micro-segmentation, Minimize Impact of Disruptions, Network Automation, Out of Band Management, SD-WAN, SecOps, Secure Access Service Edge (SASE), Security Service Edge (SSE), User Management, Zero Trust Security

James Cabe CISSP

This article was written by James Cabe, CISSP, whose cybersecurity expertise has helped major companies including Microsoft and Fortinet.

MOVEit over SolarWinds — The largest and most successful ransomware attack ever recorded is happening. Right now. It’s attacking healthcare and financial institutions with high rates of success, and recently stole sensitive data of 4 million more healthcare patients. It uses something called CL0P ransomware, and the threat actor is a well-known criminal group with the name FIN11. Many organizations are finding it difficult to stop the attack because they have no way to access infected devices, take them offline, patch, or even replace them. So, what exactly is going on?

The group responsible for the attack

FIN11 is a cybercriminal group that has been active since 2016 or before, originating from the Commonwealth of Independent States (CIS). While the group has historically been associated with widespread phishing campaigns, their focus has shifted towards other initial access vectors. FIN11 often runs high-volume operations targeting industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP).

FIN11 is responsible for multiple widespread, high-profile intrusion campaigns leveraging zero-day vulnerabilities, and the group likely has access to the networks of many more organizations than it is able to successfully monetize. Despite this, they’re currently attacking MOVEit, a well-known SaaS provider who relies on a file transfer appliance called Accellion lFile Transfer Appliance (FTA). This legacy product remains unpatched, which has led to the breach of many Fortune 100 companies and state and federal agencies.

FIN11

How did the ransomware attack start?

The ransomware attack began with several Accellion FTA customers, including those in industries like healthcare, legal, finance, retail, and telecom. Companies such as Jones Day Law, Kroger, Singtel, and many others had no idea that they had been attacked, because the initial breach was quiet and headless.

Their only indication came after receiving a threatening email aimed at extortion. 

In this email, the group threatened to publish stolen data on the “CL0P^_- LEAKS” .onion website, according to an investigation from Accellion. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.

According to the investigation, four zero-day security holes were exploited in the attacks:

  • CVE-2021-27101 – SQL injection via a crafted Host header
  • CVE-2021-27102 – OS command execution via a local web service call
  • CVE-2021-27103 – SSRF via a crafted POST request
  • CVE-2021-27104 – OS command execution via a crafted POST request

And, the published victim data appears to have been stolen using a “WEB SHELL”. These web shells give remote administrative access to the web server and create a jumping off point to attack the rest of the internal network. Mandiant, a well-known cyber investigation arm of Google, added, “The exfiltration activity has affected entities in a wide range of sectors and countries” (Threatpost). Exfiltration is the unauthorized removal of important or damaging data from an organization.

However the biggest problem is that these web shells are what researchers call “PERSISTENCE”. This means that an attacker can remain in your network indefinitely to continue damaging and attacking your resources. Researchers call these “APTs,” or Advanced Persistent Threats.

Why is the ransomware attack still going strong?

The ransomware attack is still going strong because there’s no patch available. According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Accelion’s appliance that is the backbone of a solution known as Progress Software’s MOVEit Transfer service. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505, which is the group responsible for the Dridex trojan and Locky ransomware, conducted zero-day-exploit-driven campaigns against Accellion FTA devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.

What most organizations want to know is: How do you quickly respond to issues like these? How can you be properly prepared to respond to an issue you didn’t cause or didn’t expect?

Patching is a good response. However, it takes an average of 205 days to patch a recently known zero-day exploit like the MOVEit vulnerability. While patching alone is typically the ideal response, it isn’t automatic nor can it be done quickly.

Another approach involves removing the offending software or appliance, or cutting off access to the software or appliance. But once you remove this access, how do you continue normal operations, and how can you easily bring the software/appliance back online? Without adequate infrastructure in place, physically deploying to each site is not practical, especially for distributed organizations.

CISA and the FBI encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of CL0P ransomware and other ransomware incidents. The Mitigations section describes many approaches, including patching, removing software/appliance access, and implementing a recovery plan. But all of these take too much time and too many resources, which leaves organizations vulnerable as they scramble to create an adequate response.

The great news is, organizations can cover all their bases without having to reinvent the wheel. This approach is recommended in one of CISA’s recent directives, and gives organizations somewhat of a silver bullet that allows them to quickly defeat ransomware and remain prepared for any future attack.

What approach does CISA recommend to address ransomware attacks?

CISA’s recent directive (23-02), which addresses the vulnerability of Internet-exposed management interfaces, calls for organizations to create an isolated management infrastructure (IMI) via out-of-band connectivity. This is a drop-in solution that the military, telcos, and hyperscalers/cloud companies use to respond to widespread ransomware and other issues impacting security and resilience. This approach — which ZPE Systems has perfected in the last decade with the help of Big Tech — gives organizations a completely separate control plane through which they can monitor and manage their entire IT infrastructure in a safe and dedicated fashion.

What is isolated management infrastructure?

Isolated management infrastructure consists of the hardware and software that create a management network that’s fully separate from other production and management networks. The key to this is in out-of-band connectivity, which is defined as connectivity other than TCP/IP. Out-of-band can include direct USB, serial, or even non-routed zero-trust connections to crown-jewel assets.

Essentially, the IMI gives an organization complete oversight and control of their widespread IT infrastructure, in a way that is secure and accessible only to their IT teams.

In this diagram, the production infrastructure (blue ring) sits at each distributed location. The out-of-band infrastructure for LAN (OOBI-LAN) is the green ring and surrounds the production infrastructure with one layer of isolated management. The OOBI-WAN (orange ring) is what provides a second layer of isolated management, which teams can access from a central or remote location, to gain access to the OOBI-LAN and ultimately the production infrastructure.

ZPE Automation

Knowing these assets and providing access across the organization can be easy and does not have to disrupt current operations. 

How can IMI stop the FIN11 ransomware attack?

In the ongoing FIN11 ransomware attack, Internet-facing applications are targets of the zero-day exploit. This means that no amount of security solutions can pre-mitigate the attack (i.e., there’s nothing you can do to stop it). This is where IMI shines.

Isolated Management Network diagram sitting beside production infrastructure

Remember the OOBI-LAN/OOBI-WAN diagram? Here’s a zoomed-in view of the isolated management infrastructure sitting beside the production infrastructure. The IMI connects via serial, Ethernet, and USB to production gear, and provides the necessary functions (routing, storing golden images, hosting jumpbox tools, etc.) to recover from attack. But how?

IT teams can use OOBI-WAN to remotely access their OOBI-LAN and production gear. They can pull affected devices offline and bring them in for forensics, which takes place in an Isolated Recovery Environment (IRE). This means these assets and networks are still reachable by analysts and responders, but isolated from other vulnerable assets. This allows an organization to quickly and even automatically deploy tools and resources inside of this environment through devices like ZPE Systems’ Nodegrid.

To combat the FIN11 attack, organizations don’t need to unplug cables or shut their devices off. They can instead deploy their IMI as the framework for closing the attack surface while maintaining access and critical data to aid in recovery.

Get the blueprint for isolated management infrastructure

Don’t wait until the next attack to shore up your defenses. ZPE Systems has worked with Big Tech for ten years developing the isolated management infrastructure. It’s now available inside the Network Automation Blueprint, and walks you through how to implement your own IMI. Download the blueprint now to stay ready for any attack.

Download blueprint

Get in touch with me!

True security can only be achieved through resilience, and that’s my mission. If you want help shoring up your defenses, building an IMI, and implementing a Resilience System, get in touch with me. Here are links to my social media accounts:

Atsign: Why Choose ZPE Systems to Host IoT Security?

by | Jun 22, 2023 | Application Hosting, Data Logging, Edge Computing, Improve Network Security, Increase Productivity, Network Automation, Out of Band Management, Remote Network Management, SecOps, Virtualization, Zero Touch Provisioning (ZTP), Zero Trust Security

Colin

A Conversation with Atsign CTO & Co-Founder, Colin Constable

This is a guest post composed by Atsign, creators of zero-attack-surface solutions including atProtocol.

We recently sat down with our CTO and Mariposa Rotary Club extraordinaire, Colin Constable, to discuss our partnership with our friends over at ZPE Systems. Let’s explore the driving force behind this powerful partnership, and how together we’re securing IoT devices and the data shared between them.

Why is this partnership strategically important?

We are a software company that helps people connect beyond the edge of the Internet. And as a software company, we need to have hardware to run our software on. After looking at a number of hardware platforms, ZPE stood out as an organization that provides a strong array of network connectivity options. Our software running on ZPE’s hardware serves as an edge platform that gives customers reliable access to edge-generated data.

What are some of the synergies between Atsign and ZPE?

First and foremost, ZPE’s hardware was designed from scratch to provide the openness and flexibility that we were looking for in a hardware platform. If I were going to design something like this myself, it would look very much like a ZPE box! It is incredibly easy to drop our Docker containers straight onto the platform, and they just simply work, which is quite a joy. To have a Docker container environment on an edge box is really the thing that makes ZPE stand out as a platform. Combine that with the fact that ZPE boxes are running x86, which makes things easy–plus actually having dual SIM cards–we can work with our MVNO partners to provide constant connectivity; even if hardlines go down, there’s cellular backup. The thing we can offer ZPE and their customers is if the box can see the Internet, then you’ll be able to address it, get data to and from it, and actually even log into it, and get hold of the built-in UI on the box.

Tell us about ZPE’s Docker Container support

Our docker containers literally just ran perfectly on the ZPE hardware. I went into the UI, selected my docker container, and it just ran. It doesn’t get much easier than that. Plus, there’s the promise of being able to have the docker container talk to connected devices like V.24 cables to provide connectivity to IoT devices.

Once IoT devices become directly addressable, then it opens up all kinds of opportunities for more efficient delivery or sharing of information that can save customers tons of money by eliminating a lot of the current infrastructure they currently use to do that job.

What are some real-world use cases for Atsign and ZPE Systems?

Because ZPE boxes have lots of connectivity options (e.g. serial ports, 4/5G backhaul, and ethernet–with more coming!) for connecting IoT devices, then you can have always-on devices at the edge, and be able to address and get data to and from them. For example, a radio station that has DSL connectivity, and cellular backup would be able to just automatically move over to cellular backup, notify the radio station that it’s on cellular backup, but use that connectivity until the ADSL line comes back online and at all times be able to get information from the equipment at the radio station. This is critical for radio stations, as it eliminates “dead air,” that moment when the transmitter is not transmitting. Sponsors rely on radio stations to put out notifications for what their businesses are doing, so having constant, uninterrupted connectivity is essential.

Do Atsign & ZPE Systems improve sustainability?

Traditional solutions would have you installing many different boxes. What we really like about the ZPE platform is that although the hardware provides lots of connectivity options–that reduces the footprint for starters–there’s no need to have different modems and firewalls, and any other services can be added via docker containers, so you actually have an environment where you have a single box, and it can do multiple functions at the edge.

What are your final thoughts on the partnership between Atsign and ZPE Systems?

As a software company, we need hardware to deploy on. We especially need hardware that can sit on the edge with all the right connectivity points. Atsign and ZPE Systems is really a perfect combination of great software and great hardware at the edge.

Bonus: What is Colin’s favorite firewall configuration for a ZPE box?

My favorite firewall rule is the one that costs the least money, and is ultimately the most secure firewall ruleset: Deny All. If you’ve got Deny All, that means that you don’t have to deal with the pain and complexities of firewall rules in order to address devices, which is what the real cost of networking is these days; it’s not necessarily the hardware, it’s actually having people to administer firewall rulesets. Having zero network attack surfaces, having a Deny All ruleset, just means you don’t have to have people changing rulesets all the time, which is a good thing.

Learn more about IoT Security & our partnership with Atsign

What is Security as a Service?

by | May 5, 2023 | Improve Network Security, Remote Network Management, SD-WAN, SecOps, Secure Access Service Edge (SASE), Security Service Edge (SSE), Zero Trust Security

Security as a Service is visualized as a cloud with a variety of security concepts emanating out from it.
Enterprise network security continues to grow more complex. Business networks keep expanding to include branch offices, internet of things (IoT) deployments, work-from-home employees, and other remote sites, making it difficult to establish a secure perimeter. Cyberattacks are also increasing in frequency and severity, forcing IT teams to continuously upgrade their security capabilities. A recent report estimates that organizations will spend $219 billion on cybersecurity solutions in 2023 to try to keep pace with emerging threats.

The typical enterprise network includes dozens or even hundreds of these security solutions cobbled together from a variety of vendors. Each solution needs dedicated hardware and operating systems to run on, deployed at every single edge, branch, and data center site. Plus, there’s typically little-to-no interoperability between security solutions, so network teams must learn, manage, and troubleshoot each one individually.

One approach to curbing this complexity is known as Security as a Service, which follows the SaaS model of delivering technology solutions as a subscription-based service. This blog defines Security as a Service, discusses the pros and cons of this approach, and provides an alternative solution for streamlined and scalable cybersecurity management.

Quick Links:

 

What is Security as a Service?

Security as a Service (sometimes referred to as SECaaS) delivers cybersecurity as a subscription-based service. An organization outsources some or all of their security management to a third-party company, with varying levels of in-house involvement. For example, an organization may outsource their security monitoring to a SECaaS solution, but their own network admins will have access to customize the settings and monitor the dashboards.

Security as a Service may be an on-premises solution that’s installed on hardware in your data center, but it’s usually based in the cloud. SECaaS solutions are nominally vendor-neutral in that they’re typically capable of securing network infrastructure hardware from any vendor. However, they don’t usually integrate with other security solutions or monitoring platforms.

Security as a Service pros and cons

Pros Cons
Reduces the workload on in-house network admins and security analysts. Reduces the control an org has over their security operations.
Makes it easier to upgrade to new security technologies. Exposes organizations to shared vulnerabilities.
Scales easier than on-premises network security architectures There’s little interoperability with other security solutions and platforms.

Security as a Service outsources cybersecurity to a third-party, which frees up smaller network teams to focus on more profitable technology initiatives. However, that also means organizations have less control over their security operations, which makes things like data privacy compliance more challenging.

The SECaaS model allows companies to take advantage of new security technologies with fewer up-front costs, so they can stay at the forefront of cybersecurity and potentially avoid emerging threats. For example, an org could deploy Okta for single sign-on management and Proofpoint for advanced email security without purchasing additional hardware or committing to a fixed number of software licenses. On the other hand, SECaaS can also potentially expose organizations to shared vulnerabilities if one of their other customers or applications is breached.

One of the biggest benefits of Security as a Service is scalability – organizations can easily add new branches without needing to deploy additional hardware. However, since Security as a Service doesn’t typically integrate with other solutions for security, monitoring, and orchestration, complexity still becomes a major issue as organizations scale up and out.

While Security as a Service can be helpful for smaller organizations looking to simplify their network security operations, vendor lock-in prevents it from completely solving the problem being faced by enterprise network teams. What’s really needed is a single, streamlined platform from which to orchestrate every aspect of network security and management.

Security with ZPE’s Services Delivery Platform

ZPE Systems takes a platform-based approach to security management. ZPE’s powerful, vendor-neutral Nodegrid hardware and software serve as the platform to host all the apps and services required to manage and secure a complex enterprise network. That means organizations don’t have to give up control in order to streamline their operations.

An example deployment diagram of ZPE’s Services Delivery Platform.

A single Nodegrid serial console server or integrated branch router can replace an entire stack of networking solutions. In addition to out-of-the-box features like OOB management, cellular failover, and gateway routing, Nodegrid boxes can run VMs, containers, and any choice of third-party or custom applications.

For example, Cloudflare provides a great SECaaS SASE and ZTNA solution, but the problem is that many devices (such as printers, cameras, and IoT sensors) can’t run the Cloudflare agent. To solve this problem, you can deploy a Nodegrid Net Services Router (NSR) at each site to directly host the Cloudflare agent. The NSR can then extend the Cloudflare One SASE/ZTNA solution to any connected devices, overcoming vendor lock-in and eliminating the need for additional servers and OS licenses.

The hardware components of the Services Delivery Platform hook into ZPE’s vendor-neutral management software, which you can host on-premises or access through ZPE’s cloud. This software serves as the orchestrator for the entire architecture of connected solutions. In addition to managing the apps deployed to Nodegrid devices, you can use ZPE’s platform to integrate tools hosted elsewhere. This creates a unified platform that streamlines security, network, and infrastructure orchestration and provides truly holistic coverage.

Security as a Service attempts to simplify network security management, but it fails to provide a truly streamlined environment. Contact ZPE Systems today to learn more about overcoming those limitations with the Services Delivery Platform.

Want to learn how to simplify network security management?

Contact us today or visit our products page to discuss how ZPE Systems Nodegrid can simplify your enterprise networking needs.

Contact Us

What Is a Zero Trust Gateway?

by | Apr 25, 2023 | Micro-segmentation, Network Automation, Remote Network Management, SecOps, Vendor Neutral Platform, Virtualization, Zero Touch Provisioning (ZTP), Zero Trust Security

What Is a Zero Trust Gateway(2)
The constant threat of cyberattacks has made network security a top priority for companies in every sector, with Gartner predicting that global cybersecurity spending will reach $188 billion in 2023. However, security continues to get more challenging due to factors like a rise in remote work, an increasing reliance on touchless internet of things (IoT) devices, and the overall decentralization of enterprise networks. It’s hard to create a secure perimeter around the enterprise when its users, devices, applications, and data could be anywhere in the world.

The zero trust security methodology addresses this challenge by shrinking the focus from one large security perimeter and instead creating smaller “micro-perimeters” around each individual resource that needs defending. It’s called zero trust because it follows the principle of “never trust, always verify.” That means each user and device needs to verify its identity and prove its trustworthiness before it can penetrate the micro-perimeter. So, for example, if a cybercriminal uses stolen credentials to log into the enterprise network, they have to pass through many different security checkpoints to see or access any sensitive resources, which increases the likelihood they’ll get caught before excessive damage is done.

One way to implement micro-perimeters and apply zero trust security policies is with a device called a zero trust gateway. This post discusses the technologies that make up a zero trust gateway and explains how they work together to defend enterprise networks.

Table of contents:

What is a zero trust gateway?

A zero trust gateway is a device that sits at the edge of the network – or at the top of the rack – and applies zero trust security policies and controls to traffic flowing in either direction. The gateway can be a dedicated security appliance, but it’s often more cost- and space-effective to use a multi-functional device that combines security, networking, and infrastructure management in a single box.

Some of the key features used in an all-in-one zero trust gateway include network micro-segmentation, identity and access management, context-aware monitoring, and secure out-of-band management. There are a small number of mature solutions that deliver all of these features off-the-shelf, but they lock you into their small solution ecosystem and limited feature roadmap. A better approach is to start with a vendor-neutral platform that lets you host and integrate your choice of security applications to create a fully customized zero trust gateway. Let’s walk through how each of these security technologies works and how to combine them into a bespoke zero trust gateway solution.

To see an example of a vendor-neutral zero trust gateway at work, request a demo of the Nodegrid solution from ZPE Systems.

Request a Demo

Network micro-segmentation

A zero trust micro-perimeter is made up of granular access control policies and security controls that are custom-tailored to the specific vulnerabilities and requirements of resources they’re defending. For example, an on-premises database containing sensitive financial records needs different policies than a cloud-based application that doesn’t process any personal information. To implement micro-perimeters, resources first need to be logically organized based on their sensitivity level, who needs access to them, and what their interdependencies are.

Network micro-segmentation is used to separate resources based on these criteria so that micro-perimeters can then be applied. For a device to be considered a zero trust gateway, it must support VLAN micro-segmentation and be able to apply access control rules consistently across all micro-segments.

Identity and access management

In a zero trust architecture, user and device permissions should be limited to only what’s necessary to perform their job role. For example, an HR account used to manage employee records shouldn’t have access to customer financial data, and vice versa. Access policies should be specific to individual micro-segments and resources and need to be applied to all users and devices consistently, no matter where they’re logging in from. That means a remote user should follow the same authentication steps and have the same permissions as they would if they logged in at the office.

For a large enterprise network, this is only achievable with a centralized identity and access management (IAM) solution. An IAM provides a single platform from which to create, manage, and apply security policies. A zero trust IAM also enables best practices like single sign-on (SSO) and two-factor authentication (2FA).

A zero trust gateway needs to integrate with your chosen IAM provider to ensure that policies are applied to both production traffic and management traffic. Some vendor-neutral gateway solutions can even directly host and run third-party IAM solutions, providing a more integrated experience and saving rack space.

Context-aware monitoring

Many successful cyberattacks use stolen credentials gained through phishing schemes and other social engineering tactics. For example, Mailchimp was recently attacked by malicious actors using credentials stolen from employees through social engineering. It’s difficult to detect and contain such an attack because the criminal looks like an authorized user. However, careful monitoring often reveals suspicious behavior, such as logging in from an unusual IP address or time zone, making multiple access requests to areas of the network they don’t usually visit, or transferring abnormally large quantities of data.

User and entity behavior analytics, or UEBA, uses machine learning technology to monitor and analyze account activity on the enterprise network. UEBA creates a baseline of “normal” behavior for individual accounts so it can detect any anomalous activity. UEBA integrates with other security and monitoring solutions, such as IAM and firewalls, so it can compare data from various sources to make more informed decisions. This is one of the ways that zero trust security verifies the trustworthiness of accounts trying to access sensitive resources, making UEBA a critical component of zero trust gateways.

Secure out-of-band (OOB) management

Admins need a fast and reliable way to access remote infrastructure for management, troubleshooting, and recovery. For example, it’s common for a single data center management team to be responsible for customer equipment in multiple DCs distributed around the world for redundancy. These admins can’t physically go on-site every time a firmware update fails or a device loses its IP address. That’s why they rely on remote out-of-band (OOB) management; remote OOB management creates a separate network just for management traffic that doesn’t rely on the production LAN. Admins access the OOB network using a dedicated management device, like a jump box or a serial console server.

This management device is a tempting target for cybercriminals, as gaining control of that device will give them complete control over the connected infrastructure. One way to protect the OOB network is by using a zero trust gateway with integrated management ports. For example, the Nodegrid Net Services Router (NSR) is a modular zero trust gateway that can be customized to connect to any type of device that needs to be managed or secured. The NSR comes with gateway routing and switching capabilities, an embedded firewall, and hardware security features like secure boot and a self-encrypted disk. Nodegrid is also completely vendor-neutral, which means it can directly host or integrate with your choice of third-party security solutions, including next-generation firewalls (NGFWs) and zero trust technologies like identity and access management and UEBA.

The NSR is a modular, open platform upon which to build a fully customized zero trust gateway for large data center deployments. The Nodegrid product line from ZPE Systems also includes a variety of serial console solutions and integrated all-in-one gateway routers to support other use cases, such as edge computing sites, branches, and automated IoT deployments.

A zero trust gateway helps organizations implement micro-perimeters of specific policies and controls to defend sensitive data and other valuable resources. A vendor-neutral, integrated solution like the Nodegrid Serial Console Plus from ZPE Systems makes it possible to combine zero trust security with networking and management functionality to create a streamlined, cost-effective zero trust gateway deployment.

Ready to learn more about Zero Trust Gateway?

To learn more about deploying Nodegrid as a zero trust gateway in your enterprise, contact ZPE Systems today.

Contact Us