The Cymbel Approach is based on Forrester’s Zero Trust Model.
Zero Trust means there are no longer “trusted” subnets, devices, or users. Due to (1) the use of new technologies, (2) the increase in remote and mobile employees and contractors, (3) the increase in network connected business partners, and (4) the changes in the motives and methods of attackers, there is no such thing as 100% threat prevention, if there ever was.
While Prevention controls are still vital in order to reduce the organization’s attack surface, there is no way to absolutely prevent all devices from being compromised. In addition, we have seen an increase in malicious insider activity. Therefore you must assume that some devices are compromised and some users are malicious. This is Zero Trust.
Cymbel uses this Zero Trust approach plus its understanding of (1) who the adversaries are, (2) their objectives, and (3) their attack processes to develop a set of recommendations to reduce the risks of a confidential data breach. While all organizations have different risk profiles and priorities, all of our clients have benefited from one or more of these recommendations.
We continually research new technical and administrative controls to keep our recommendations up-to-date.
Zero Trust Guidelines
While all organizations have different priorities, over the years these guidelines have been helpful:
- Balance Budget across Prevention, Detection, and Response Controls
- Use a Kill Chain model to select technical controls
For more information please go to Cymbel’s Zero Trust Recommendations
Zero Trust Recommendations
Here are Cymbel’s specific Zero Trust Recommendations that can be implemented today.
1. Update Network Security with Next Generation Firewalls
2. Use a “sandbox” control to detect unknown threats in files
3. Use a specialized anti-phishing email protection service
4. Use behavioral analysis to detect compromised systems and malicious insiders
5. Deploy a Cloud Services Manager to discover, analyze, and control Shadow IT
6. Monitor your Supply Chain for breaches using a cloud-based service
7. Deploy an Enterprise Key & Certificate Management (EKCM) system
8. Deploy a backup, cloud-based DDoS Mitigation Service
The Forces of Change
- Business needs
- Increasing number of remote and mobile workers
- Increasing use of contractors
- New partners
- New services and applications
- Web 2.0 applications
- Social Networking
- Cloud computing
- Smartphones and tablets
- Converged video, voice, and data
- Zero day
- Regulatory requirements – PCI, MA 201 CMR 17, HIPAA/HITECH
- The Economy – Recession followed by sluggish top line growth
For more details see The Five Forces of Change.
With respect to Threats in particular, we have a well-researched understanding of:
- Who the attackers are
- The attackers’ objectives
- The attack vectors they use
- The target systems they use to gain entry
- The access control issues organizations face
- The best technical controls, both prevention and detection, which enable automatic and continuous monitoring
Next Generation Defense-in-Depth
We have rethought and reassembled our solution portfolio to provide a Zero Trust based, next generation defense-in-depth architecture focused on applications, users, and information. This enables the enterprise to better mitigate security risks and reduces the costs of compliance audits and security operations.
- Reduce the enterprise’s attack surface using a Positive Control Model at the application level.
- Mitigate threats with top rated Intrusion Prevention functionality.
- Enable internal network segmentation to:
  - Control users’ access to internal applications and data
  - Limit the damage when a system is compromised
- Consolidate network security devices to reduce costs
- Unify network security policies to improve infosec responsiveness to business needs
Overall, the benefits of the Cymbel Approach include:
- Reduced IT Security risks
- Reduced costs of meeting regulatory compliance requirements
- Reduced IT Operations costs
- Increased IT Service availability and performance
- Improved IT alignment with business needs.
More specifically, we help our clients achieve the following goals:
- Accelerate the shift in focus from protecting devices to protecting information – Until recently, security was focused on protecting devices from being compromised. While this still has relevance, a next-generation defense-in-depth architecture is focused on protecting information – Personally Identifiable Information, Protected Health Information, and Intellectual property (trade secrets). This means that users and applications that access information are also center stage.
- Improve visibility – Visibility must be the first step in any security improvement or compliance process. Without visibility, any changes in policies or controls are likely to have unanticipated negative side effects. Improvements in visibility go beyond (1) Vulnerability Assessments and (2) Penetration Testing and include (3) Device and Software Discovery, (4) Users’ web browsing, external web application usage, and internal application, database, and file usage, (5) Configuration changes, and (6) Incident detection.
- Integrate security needs and compliance requirements – The purpose of compliance standards like the Payment Card Industry’s Data Security Standards (PCI DSS) is to require organizations to deploy minimal security controls. However, lawyerly interpretations of regulatory requirements can leave an organization in an unnecessarily high risk situation. Better to leverage regulatory requirements to achieve meaningful protection.
- Improved situational understanding – As spending on information security and compliance continues to increase, frustrated executives and operations managers continue to wonder, are we better off today than we were yesterday? Meaningful security and compliance trending metrics, specifically designed for each level of the organization and presented in easy-to-understand dashboards and reports, are critical to situational understanding and decision-making.
- Reduce compliance costs by limiting scope – One important way to reduce compliance costs is by limiting scope. For example, you can limit the scope of a PCI DSS audit by segmenting your internal network so as to isolate the servers involved in the audit.
- Reduce the costs of supporting multiple compliance regimes – Increasingly, organizations are required to meet multiple regulatory regimes which have overlapping requirements. The goal is to “test once, comply many.”
- Improve Information Security responsiveness to business needs – Too often organizations find themselves tied to obsolete information security architectures which leave them with two equally problematic choices: (1) slow down new business opportunity execution until information security can respond, or (2) move ahead without adequate information security controls. Here are some general examples:
  - Enable secure Web 2.0 application usage and social networking
  - Enable secure use of virtualization and cloud computing
  - Enable secure use of smartphones and tablets
  - Enable secure infrastructure convergence of data, voice, and video
  - Secure access to high risk transactions and processes
- Manage Information Security from an IT/Business Service Management perspective – Organizations strive to apply metrics to information security to improve decision-making. The key metric, though, is business impact, which can be calculated only when IT components are grouped by IT/Business Service.
- Break down security and performance/availability silos to reduce operational costs and improve incident detection and remediation – The separation of system management and security management functions limits the operational effectiveness of both groups. A unified information technology management system that can collect and correlate device and software inventory, configuration change information, logs, flows, performance, and availability data enables faster incident detection and remediation.
Links to Explore
- Details on the five forces of change
- Cymbel’s Practical Zero Trust Recommendations
- Cymbel’s Solutions to create a next-generation defense-in-depth architecture
- Next Generation Firewalls
- Web Application Firewalls
- Security Intelligence
- Cymbel’s solution Partners.
- Cymbel’s Blog.