*This is a guest post written by Aviram Jenik, full bio at the end of this article.*
What do you do if a small infected minority is threatening to infect the rest? By now, there probably isn’t a human being on the planet that doesn’t know the answer to this question: you place the infected in quarantine, separating them from the healthy. Collectively, throughout the world, we are distancing ourselves from the threat of the infected and hoping for the best possible outcome to survive the great pandemic. This concept of quarantine is not unique to mankind; it is also a vital security practice within our technological world.
In the enterprise security world, we face a similar problem. Most of the machines in the enterprise network are healthy and safe, but some are weak and if as little as a single machine gets infected, this may affect the entire network. We used to put guards – in the form of firewalls – to separate the network between secure enterprise machines and insecure devices. But as people work from home or bring their own devices to work, the chances of a single machine compromising the entire enterprise network rise significantly. Most of the security concepts we grapple with today date back to the 70s: passwords and access control; malicious code; software bugs leading to privilege escalation attacks – those seemingly remain the chessboard that is used to play the permanent arms-race game between the “white hats” and the “black hats”.
The solution, as mentioned, is isolation – or to use today’s terminology: forced-quarantine. Fortunately, we do not need to re-invent the wheel. The technology to do all of this already exists, although it may need minor re-purposing. Also, most enterprises will not need to buy any new products to get this done, they just need to ask their current vendors to work together and integrate. Testing tools already exist in the form of Vulnerability Assessment and Management. Isolation tools also exist and are widely popular – Network Access Control devices.
Here is how the process works: as soon as a problematic device is identified, the Network Access Control product can easily cut that device off the network and place it in quarantine. The key, as we know from the physical world, is testing, and as mentioned we already have that: Vulnerability Scanning products can instantly detect a weak or infected device on the network. The missing piece is the integration between those two technologies, which often exists but is overlooked: many Vulnerability Assessment tools and Network Access Control products are happy to work together. This gives the outcome we were looking for: identify weak or infected devices using Vulnerability Assessment, and via integration with the Network Access Control product you get instant detection and quarantine.
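The scan-then-quarantine loop described above is usually glued together by a small policy layer between the two products. The following is an added example written for this post, not code from the author or from any vendor: it takes constructed scanner findings, decides per host whether to quarantine, open a ticket, or ignore, and drives a stub that stands in for a NAC API (the real vendor call, the field names, the thresholds and the protected-host list are all assumptions). The example goes slightly beyond the text by distinguishing evidence of compromise (quarantine regardless of score) from mere exposure (quarantine only above a CVSS threshold), and by routing findings on critical infrastructure to a human instead of cutting the host off automatically, which is the one thing a naive integration gets wrong.

```python
"""Policy layer between a vulnerability scanner and a NAC (illustrative example).

Assumptions, all hypothetical: the scanner exports findings as dicts with
'host', 'cvss' and an 'evidence' tag; the NAC exposes some call that moves a
host into a quarantine VLAN. NacStub records actions so this runs offline.
"""
from dataclasses import dataclass, field

QUARANTINE_CVSS = 9.0                                    # assumed threshold for unexploited weaknesses
INFECTION_TAGS = {"malware", "c2-beacon", "webshell"}    # assumed tags meaning "already compromised"

# Hosts that must never be cut off automatically (constructed list, e.g. the
# domain controller): a finding on one of these raises a ticket instead.
PROTECTED_HOSTS = {"10.0.0.10"}


@dataclass
class NacStub:
    """Stand-in for a vendor NAC API; records what it would have done."""
    quarantined: list = field(default_factory=list)
    tickets: list = field(default_factory=list)

    def quarantine(self, host, reason):
        self.quarantined.append((host, reason))

    def open_ticket(self, host, reason):
        self.tickets.append((host, reason))


def decide(finding):
    """Return (action, reason) for one finding: 'quarantine', 'ticket' or 'ignore'."""
    host = finding["host"]
    infected = finding.get("evidence") in INFECTION_TAGS
    critical = finding.get("cvss", 0.0) >= QUARANTINE_CVSS
    if not (infected or critical):
        return "ignore", "below policy threshold"
    reason = ("infected: " + finding["evidence"]) if infected else f"cvss {finding['cvss']}"
    if host in PROTECTED_HOSTS:
        return "ticket", reason          # human review, never an automatic cut-off
    return "quarantine", reason


def enforce(findings, nac):
    """Apply decide() to every finding; call the NAC at most once per host."""
    summary = {"quarantine": [], "ticket": [], "ignore": []}
    already_cut = set()
    for f in findings:
        action, reason = decide(f)
        host = f["host"]
        if action == "quarantine" and host not in already_cut:
            nac.quarantine(host, reason)
            already_cut.add(host)
        elif action == "ticket":
            nac.open_ticket(host, reason)
        summary[action].append(host)
    return summary


# Constructed sample scan output (not real data): one host with a critical
# unpatched service, one beaconing to a C2 despite a low score, one protected
# host, one ordinary medium-severity finding.
SAMPLE_FINDINGS = [
    {"host": "10.0.1.21", "cvss": 9.8, "evidence": "unpatched-service"},
    {"host": "10.0.1.21", "cvss": 5.3, "evidence": "unpatched-service"},
    {"host": "10.0.1.45", "cvss": 4.0, "evidence": "c2-beacon"},
    {"host": "10.0.0.10", "cvss": 9.1, "evidence": "unpatched-service"},
    {"host": "10.0.1.77", "cvss": 6.5, "evidence": "unpatched-service"},
]

if __name__ == "__main__":
    nac = NacStub()
    print(enforce(SAMPLE_FINDINGS, nac))
    print("NAC quarantined:", nac.quarantined)
    print("tickets opened:", nac.tickets)
```

Two design points worth keeping when you replace NacStub with a real vendor client: the decision is made per finding but enforced per host, so a noisy scan does not hammer the NAC with repeated quarantine calls, and the protected-host list is the safety valve that stops an automated loop from isolating the very servers the rest of the network depends on.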
The IT security world has borrowed concepts and ideas from the physical world since the days of the first computer virus through the recent days of ransomware. Let us borrow some common-sense defense mechanisms from the real world as well: we cannot teach computers to socially distance, but we can teach them to test, detect, and automatically quarantine. Vulnerability Assessment vendors collaborating with Network Access Control products is a must in order to provide testing and forced quarantine in the enterprise environment. All of this can be done automatically, instantly, and with zero additional spending, using technologies already prevalent in the enterprise.
About the Author: Aviram Jenik is the co-founder and CEO of Beyond Security (www.beyondsecurity.com), a leading developer of automated security testing tools for networks and applications. He is also the co-founder of SecuriTeam.com, one of the largest security portals and vulnerability databases. Aviram holds a computer science degree from the Israeli Technion Institute of Technology, and an MBA from Tel Aviv University. Aviram’s technical background includes a degree in cryptography, development of military-grade network attack and defense processes, contribution to several open-source security projects, and active research in the fields of vulnerability assessment, full disclosure, and protocol fuzzing. He frequently lectures and writes about advanced aspects of the security field and is the co-author of several information security related books. Aviram splits his time between the US head office in Sacramento, CA, and the global headquarters in Israel.