Limit Impact of Data Breaches with SD-WAN Segmentation

The 2018 Data Breach Investigations Report (DBIR) compiled by Verizon is loaded with cloak-and-dagger cyber events conducted by both known and unknown bad actors and mechanisms. Verizon identified 53,000-plus incidents and 2,200 breaches in only 12 months, suggesting a parallel information universe with an uneven playing field, in which the bad guys and rogue bots probe constantly from the outside.

Here are some of the key findings in terms of actual breaches:

  • 73 percent were perpetrated by external forces
  • 50 percent were carried out by organized crime groups
  • 48 percent were due to hacking; 30 percent from malware
  • 76 percent were financially motivated
  • 68 percent took months or longer to discover

According to the report: “Phishing individuals (Social) and installing keyloggers (Malware) to steal credentials (Hacking) is still a common path even after sub-setting the botnet breaches from the rest of the data. Moreover, we are talking about confirmed data breaches and it is important to keep in mind that attacks that we see on the rise, such as ransomware and some financial pretexting, do not require a breach of confidentiality for the attacker to meet their goal.”

Ransomware was a major thrust of the report findings. While ransomware was the fifth most common type of malware associated with security incidents in the 2017 report, this year ransomware was in first place. Even more striking, ransomware is no longer an attack aimed only at desktop computers; hackers are increasingly going after business-critical systems, leading to bigger ransom demands and higher revenues for criminals.

Verizon reported that the growth of the ransomware threat shouldn’t be much of a surprise, because the attack requires “little risk or cost to the adversary involved,” doesn’t require monetizing stolen data, and is flexible enough to be deployed across many devices or in targeted attacks.

During a heightened attack, hackers look to exploit legacy systems left vulnerable so that the attack can mutate and replicate, multiplying the volume of messages sent to victims. Verizon cites the example of companies that expose web applications with known vulnerabilities. Another common vector DDoS attackers take advantage of is exploiting DNS and NTP services; in effect, hackers convert your infrastructure into their infrastructure, hijacking your equipment to compromise other enterprise systems.

The speed of attacks was another startling data point: it takes cybercriminals just minutes, or even seconds, to compromise a system, but only three percent of breaches are discovered as quickly.

“When breaches are successful, the time to compromise continues to be very short. While we cannot determine how much time is spent in intelligence gathering or other adversary preparations, the time from first action in an event chain to initial compromise of an asset is most often measured in seconds or minutes. The discovery time is likelier to be weeks or months,” Verizon wrote in the report. “The discovery time is also very dependent on the type of attack, with payment card compromises often discovered based on the fraudulent use of the stolen data (typically weeks or months) as opposed to a stolen laptop, which is discovered when the victim realizes they have been burglarized.”

While no one IT solution can address all of the challenges confronted in the report, one significant preventive measure Verizon recommends is segmenting of networks, which “reduces the impact of a compromised user device by segmenting clients from critical assets, and using strong authentication (i.e., more than a keylogger is needed to compromise) to access other security zones within your network.”

One of the most effective means of reducing the attack surface of an enterprise is the capability an SD-WAN solution provides to segment the network by class of traffic and by separation of duties (e.g., CEO vs. CFO vs. CIO). The twofold challenge many enterprises face is that they lack full integration of security and networking services in the same edge device or image, and their perimeter networking architecture does not allow for multi-tenancy everywhere in the enterprise.

The ability to provide true intra-enterprise multi-tenancy, segmenting traffic and privileged communications as well as every subnet on the corporate network, is a significant preventive maneuver that reduces the windows of vulnerability within the global enterprise.

A good example is segmenting guest or personal WiFi traffic from business-critical branch traffic, or segmenting traffic by user-employee Active Directory profiles. In this scenario, Versa can seamlessly interoperate with zScaler to send personal WiFi traffic through secure web gateway processing. Versa can also segment personal WiFi data so that it is not allowed to traverse the main enterprise infrastructure (routing traffic from a stated zone directly to zScaler from the branch).
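As an added illustration of the zone policy just described, here is the same segmentation expressed as an nftables ruleset for a Linux branch router; this is not Versa or Zscaler configuration and is not from the original post. The interface names (vlan10, vlan20, swg0, wan0), the subnets and the tunnel toward the secure web gateway are constructed assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not vendor configuration. Assumed branch layout:
#   vlan10 = corporate LAN (RFC 1918 space)
#   vlan20 = guest / personal WiFi, 192.0.2.0/24 (documentation range)
#   swg0   = tunnel toward the secure web gateway
#   wan0   = direct Internet uplink, reserved for corporate traffic

define CORP_IF   = "vlan10"
define GUEST_IF  = "vlan20"
define SWG_IF    = "swg0"
define WAN_IF    = "wan0"
define CORP_NETS = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet branch_segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows already permitted below
        ct state established,related accept
        ct state invalid drop

        # Guest zone must never reach corporate address space; log every attempt
        iifname $GUEST_IF ip daddr $CORP_NETS counter log prefix "guest->corp blocked " drop

        # Guest zone may leave only through the secure web gateway tunnel
        iifname $GUEST_IF oifname $SWG_IF accept

        # Corporate zone uses the direct uplink and never enters the guest zone
        iifname $CORP_IF oifname $GUEST_IF drop
        iifname $CORP_IF oifname $WAN_IF accept

        # Everything else (guest -> wan0, unknown zones) is logged and dropped
        counter log prefix "segmentation default-drop " drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        # Guest clients may reach only the router's DHCP server and DNS forwarder
        iifname $GUEST_IF udp dport { 67, 53 } accept
        iifname $GUEST_IF tcp dport 53 accept
        # Corporate clients may additionally manage the router over SSH
        iifname $CORP_IF udp dport { 67, 53 } accept
        iifname $CORP_IF tcp dport { 22, 53 } accept
    }
}

# Companion policy route (iproute2, applied once at boot) so the guest zone's
# default route points at the tunnel, enforcing the same intent at layer 3:
#   ip rule add iif vlan20 table 200
#   ip route add default dev swg0 table 200
```

The filter chain and the policy route back each other up: even if the guest routing table is misconfigured, guest packets cannot be forwarded anywhere except into swg0.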

The DBIR draws its findings from an analysis of real-world data breaches investigated by Verizon and an extensive range of third-party contributors that included CERT-EU, US-CERT, Carnegie Mellon University CERT, the U.S. Secret Service, and the Irish Reporting and Information Security Service (IRISS CERT).

For a complimentary download of the report, visit: