How to protect unmanaged devices in today’s zero-trust world

All it takes is a single hijacked browser session or unprotected third-party device on a network to shut a business down, costing millions in lost productivity and revenue. Regarding browser attacks, many CISOs can’t forget how the CNA Financial breach started with a phishing email telling an admin to perform a browser update. Attackers infiltrated the CNA network, infecting 15,000 systems with ransomware while destroying backups and disabling monitoring and security tools. 

The growing risk of unmanaged endpoints 

Enterprises are overwhelmed with more work than their teams can handle. Department leaders turn to contractors to complete more work and expect employees to be available on any web-enabled device. Organizations find hundreds of new unmanaged endpoints on their networks, with every contractor and employee relying on their laptops, tablets and phones to get work done.

Asking every contractor to load a series of special software or applications on their devices isn’t practical and gets limited adoption. It also burdens already stretched IT staff, who are called on to help. The paradox gets more challenging when organizations need contractor help to get up and running fast to keep up with workloads yet need a security solution that scales across thousands of device types. 

Onboarding contractors quickly sometimes leads to as many as 40% of new endpoints needing to be traced or even discoverable on the network. 

When a contractor is onboarded, they often get access to shared productivity apps. As many organizations don’t have a process to delete a contractor’s access by cloud app or resource, credentials can live on for years – even decades – and lead to intrusion and breach attempts.  

Identifying the new wave of web-based attacks

Fake browser update scams are on the rise today. These attacks rely on websites that tell users to update their browsers to see the content. Brian Krebs, a cybersecurity investigative reporter and blogger, writes, “New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.”

Earlier this year, security researcher Randy McEoin discovered and wrote about a web browser attack strategy he called ClearFake. The attack strategy starts with WordPress sites that provide victims with a webpage that tells the user to update their browser before they can view the content. Sekoia.io’s Quentin Bourgue and the Threat & Detection Research Team provide a comprehensive technical analysis of how ClearFake works and insights into its installation flow.  

Source: Sekoia blog

Start by securing unmanaged endpoints at the browser 

CISOs are challenged with managing hundreds or thousands of endpoints that often change as contractors are onboarded or let go when their contracts expire. IT and security teams rely on web application isolation because it’s been proven to protect from web-based threats that target an organization’s most valuable apps and resources. Leading cybersecurity vendors who provide web application integration solutions include Broadcom/Symantec, Cloudflare, Cradlepoint, Forcepoint, Iboss, Menlo Security, McAfee, NetSkope and Zscaler.

The technology behind web application isolation is the same for remote browser isolation (RBI), only used in reverse. Instead of preventing hackers from targeting and breaching a network through endpoint web browsers, it prevents hackers from being able to target and breach corporate web or cloud applications. Cradlepoint is differentiated in its support and delivery of comprehensive, two-way protection for the application and its users. 

How remote browser isolation works

RBI uses a zero-trust approach to secure every endpoint and the apps and resources it has access to, treating all active code from a website as a threat, whether malicious or not. It takes a zero-trust approach to protect any device from the latest, unknown web-based threats. Zero-day threats can often evade detection by traditional solutions, such as antivirus solutions, which rely on a database of known signatures to detect threats. Since zero-days are, by definition, unknown, traditional solutions cannot detect them.

RBI assumes that all websites may contain malicious code and isolates all content from endpoints to prevent malware, ransomware and malicious scripts or code from impacting an organization’s systems. All sessions are run in a secure, isolated cloud environment, enforcing least-privilege application access at the browser session-level. 

Like RBI, a web application isolation solution doesn’t affect the user experience. The secure web application is still completely functional and interactive. Behind the scenes, web isolation technology is keeping the application secure. Like a web application firewall (WAF), RBI protects applications from Layer 7 attacks. RBI differs from WAF because it isn’t designed to deliver zero trust security to every browser session. WAFs have signatures that can catch threats, but zero-day attacks have been known to breach them. 

Combining authorization and isolation technologies blocks attackers from breaching applications and embedding malicious code. That’s essential for protecting end-users from phishing attempts, malware infections and other application-based attacks. The goal is to protect internal systems, networks and data accessible or linked to applications that risk being compromised. Relying on the OWASP Top 10 framework is table stakes for designing an RBI architecture resilient to risks.  

Of the RBI solutions available, Cradlepoint’s Ericom is differentiated in its combining a secure web gateway (SWG) with built-in remote browser isolation (RBI) to provide zero-trust security for web browsing. Security teams use web application isolation to apply granular user-level policies to control which apps every user can access, regardless of location and role. Those granular controls define which actions they can complete in each app. 

It’s common for (WAI) platforms to support policies controlling file upload/download permissions, malware scanning, DLP scanning, and limit cut-and-paste functions (clip-boarding) and users’ ability to enter data into text fields. The solution also “masks” the application’s attack surfaces from would-be attackers, protecting against the OWASP Top 10 Web Application Security Risks.

Cradlepoint’s Ericom bases web application isolation (WAI) on their remote browser isolation (RBI) expertise and years of helping SMBs with zero-trust initiatives and frameworks. Source: Ericom 

Getting it done 

Remote work and the widespread use of personal devices create entirely new threat surfaces that organizations aren’t staffed or funded with enough budget to provide endpoint software agents. That’s why browser-based approaches are catching on. 

The following are table stakes for securing unmanaged devices in today’s zero-trust world: 

Identification and Categorization of Assets: Begin by thoroughly identifying all enterprise applications, data, and resources. Categorize them based on their sensitivity and the level of access required.

Deployment of Web Application Isolation Techniques: To combat the risk of unmanaged devices causing a breach,  get familiar with web application isolation techniques. Even if an attacker reaches the device, installing web application isolation will protect applications. 

Enforcing Least Privilege Access: First, audit and then identify what resources each role or identity needs and restrict access to other apps, resources, or databases. This alone can reduce the potential for an insider threat and reduce any accidental access to sensitive data.

Continuous Monitoring and Adaptive Policies: A core concept of zero trust is monitoring every resource request and transaction over a network. Getting this right provides the data to identify threats and track breach attempts. 

Multi-Factor Authentication (MFA): This needs to be table stakes for every contractor and employee on the network using any app or resource. Require it for access to the network and also for any app, database or collaborative app.  

Encrypt Sensitive Data: Ensure that all sensitive data, both at rest and in transit, is encrypted. This protects data integrity and confidentiality, even if attackers gain access. 

Data Loss Prevention (DLP): Essential for enforcing safeguards against exposure of confidential and personally identifiable information (PII), data loss prevention (DLP) is essential for an organization to have a hardened security posture. It’s increasingly considered core to zero-trust security frameworks.  

Segment Networks: Getting network segmentation right is worth it. Shutting down the lateral movement of attackers by segmenting the network pays dividends the first time an intrusion attempt goes nowhere.

Implement Endpoint Security Solutions: Use advanced endpoint security tools to monitor and manage devices accessing the network. This includes ensuring that all devices are updated with the latest security patches.

Regular Security Training and Awareness Programs: Training can help raise awareness of the most blatant phishing attempts, malicious links, and other common threats. See it as a support strategy, not the core of any cybersecurity program.  

Get vendors and partners onboard early: Extend RBI to third-party vendors and partners immediately to protect supply chains and partner networks. Ensure they adhere to similar security standards to protect shared networks and data.

These are just a start to getting unmanaged devices secured. Using these suggestions as a baseline to get started will help reduce the risk of a breach starting on a third-party device. Having RBI running when there’s a large influx of contractors globally working on projects is essential for protecting infrastructure.