March 8th, 2021
On March 2nd, 2021, Microsoft informed the world of a vulnerability in Microsoft Exchange. This vulnerability is being actively exploited in the wild and has already been used by malicious actors from China and beyond. The well-documented attack, found by security researchers at Volexity in Reston, VA, exploits four different vulnerabilities in Exchange to gain access to email without authentication.
The fact is that software teams are under constant pressure to release new features at a breakneck pace, driven by the need to keep up with market demands and competitive pressures.
This means that the vulnerability posture of all software shifts with every update and upgrade. Software that was at some point free of vulnerabilities may be riddled with them after updates. Even if an update includes security patches, the patches themselves, along with new features, may introduce new vulnerabilities.
So how can you defend against these popup vulnerabilities?
The traditional recommendations have been to implement “defense in depth” — the layering of multiple security products. However, not only is this model expensive, it also does not address the challenges new exploits introduce. In most cases, it creates complexity that further weakens security. This is especially true for hybrid infrastructure, where many different tools have to be implemented across offices, clouds, SaaS, data centers and remote users.
So “defense in depth” is not a viable security approach moving forward. It costs a lot of money and burns a lot of resources to actually make security worse. There is more information here: 5 Reasons Security Products Make You Less Secure.
Lots of attention and budget is going to the hip new security model “Detection and Response” (xDR). But what does xDR really buy you? It tells you when something bad has happened and that you should do something about it — patch all systems, find the compromise and inform customers.
If there was ever a whack-a-mole approach to security, it is xDR. This is often referred to as the “you’re screwed” approach to security. Not particularly proactive, resource efficient or preventative, is it?
The key to prevention is reduction of the attack surface. Today, many applications have to be exposed to the Internet at large so that users can reach the application before being authenticated. This is called “Access before Auth”.
Acreto, however, uses a very different approach, in which users are transparently authenticated before they can gain any access to applications. This is called “Auth before Access”. This approach completely shields the application from exposure to the Internet at large.
The Acreto approach altogether eliminates the threats and exposures of Internet-connected systems. And if authorized users misbehave, the bad behavior is automatically mitigated.
Limiting access to the attack surface avoids mass exposure. In the case of the Exchange vulnerabilities, it would limit access of the Exchange server to authorized users only, no matter where they are located or what network or networks they operate on.
Reducing your attack surface in this case basically means that the Exchange servers — or any other system, server or application for that matter — will not be exposed on the Internet.
Access is allowed only after authenticating to Acreto and going through a set of controls, as well as ongoing threat and validation checks. This ensures that 1) the user is authorized, 2) the device is authorized, and 3) they never behave maliciously.
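As an added illustration (this is not Acreto's code, and the user names, tokens, device names, paths and the behaviour threshold are all constructed for the example), the following Python sketch contrasts an application exposed directly to the Internet with the same application placed behind a gateway that enforces the three checks above. It counts how many requests ever reach the application in each model:

```python
"""Illustrative 'auth before access' gateway (added example, not Acreto's code).

Two request handlers are compared:
  - exposed_app(): the 'access before auth' model, where every request from
    the Internet reaches the application before any authentication happens.
  - Gateway.handle(): the 'auth before access' model, where a gateway checks
    the user, the device and the user's behaviour before a request is ever
    forwarded to the application.
All identities, tokens, devices and paths below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed identity data; a real deployment would consult an identity provider.
AUTHORIZED_USERS = {"alice": "token-alice-1", "bob": "token-bob-2"}
AUTHORIZED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"phone-b7"}}
MAX_SUSPICIOUS_ACTIONS = 3  # behaviour threshold, chosen for the example


@dataclass
class Request:
    user: Optional[str]
    token: Optional[str]
    device: Optional[str]
    path: str


@dataclass
class Backend:
    """Stand-in for the mail server; records every request that reaches it."""
    requests_seen: list = field(default_factory=list)

    def handle(self, req: Request) -> int:
        self.requests_seen.append(req.path)
        return 200


def exposed_app(backend: Backend, req: Request) -> int:
    # Access before auth: the application must parse the request itself
    # before it can decide anything, so every Internet client touches it.
    return backend.handle(req)


class Gateway:
    def __init__(self, backend: Backend):
        self.backend = backend
        self.suspicious = defaultdict(int)  # per-user behaviour counter
        self.blocked = set()

    def decide(self, req: Request):
        """Return (allowed, reason). Nothing in here touches the backend."""
        if req.user not in AUTHORIZED_USERS or AUTHORIZED_USERS[req.user] != req.token:
            return False, "user not authenticated"
        if req.device not in AUTHORIZED_DEVICES.get(req.user, set()):
            return False, "device not authorized"
        if req.user in self.blocked:
            return False, "user blocked for malicious behaviour"
        return True, "ok"

    def observe(self, req: Request) -> None:
        # Crude behaviour check for the example: an authenticated user who
        # keeps requesting paths outside the mail application is cut off.
        if not req.path.startswith("/mail/"):
            self.suspicious[req.user] += 1
            if self.suspicious[req.user] >= MAX_SUSPICIOUS_ACTIONS:
                self.blocked.add(req.user)

    def handle(self, req: Request):
        allowed, reason = self.decide(req)
        if not allowed:
            return 403, reason            # backend never sees this request
        self.observe(req)
        if req.user in self.blocked:
            return 403, "user blocked for malicious behaviour"
        return self.backend.handle(req), "forwarded"


def simulate():
    """Run the same constructed traffic through both models."""
    traffic = [
        Request(None, None, None, "/mail/login"),                   # anonymous scanner
        Request("mallory", "guess", "unknown", "/admin/"),          # unknown user
        Request("alice", "token-alice-1", "rogue-x", "/mail/inbox"),  # unauthorised device
        Request("alice", "token-alice-1", "laptop-a1", "/mail/inbox"),  # legitimate
        Request("bob", "token-bob-2", "phone-b7", "/admin/one"),
        Request("bob", "token-bob-2", "phone-b7", "/admin/two"),
        Request("bob", "token-bob-2", "phone-b7", "/admin/three"),  # third strike: blocked
        Request("bob", "token-bob-2", "phone-b7", "/mail/inbox"),   # denied, bob is blocked
    ]
    exposed = Backend()
    for req in traffic:
        exposed_app(exposed, req)
    shielded = Backend()
    gateway = Gateway(shielded)
    results = [gateway.handle(req) for req in traffic]
    return len(exposed.requests_seen), len(shielded.requests_seen), results


if __name__ == "__main__":
    exposed_n, shielded_n, results = simulate()
    print(f"exposed app handled {exposed_n} requests; gateway forwarded {shielded_n}")
    for r in results:
        print(r)
```

The point of the comparison is the two counters: the directly exposed application has to process every request, including the anonymous and unknown-user ones, whereas behind the gateway only the three requests that passed the user, device and behaviour checks ever reach it. Replacing the toy checks with a real identity provider and device inventory does not change that property.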
This is the default model with Acreto SASE+, where all customer systems benefit from a reduced attack surface — without any special effort, architecture or consideration.
Remote users connect to Acreto, and are transparently authenticated before access to systems, servers, applications, SaaS, clouds or networks including Exchange or Office365. Acreto protects against Internet or internal attacks, even if the Exchange server or other application is left unpatched.
Get more detail on this best-practice approach to reducing your exposure to Internet-borne, ransomware or zero-day attacks. Contact us at firstname.lastname@example.org