External Cybersecurity: Zero Trust from the Outside-In
Across all industries, digital transformation created new challenges for cybersecurity teams – starting more than a decade ago. Digital transformation isn’t new, but it remains a common topic because today, transformation is perpetual. Because of this perpetual change, Zero Trust has, in large part, become a necessity. Businesses are engaging with customers outside the company’s traditional infrastructure every day. However, the gray space – the infrastructure between your perimeter and where adversaries and your business operate – has been disproportionately overlooked, creating security weaknesses for opportunistic threat actors. Social media, online forums, the Metaverse, and other emerging technologies have become popular targets for threat actors, who notoriously seek the path of least resistance.
These technologies, while important, also introduce new risks. The expansive attack surface introduces new vulnerabilities and exposures that continue to attract malicious actors operating in the digital underground. These malicious actors use new tools of their own, including large botnets to launch phishing attacks, manipulate social media, commit fraud, and harm the trust customers have in brands. With these threats in play, the last few years have seen a rapid breakdown of the old corporate perimeter that once consisted of data centers and firewalls and have pushed security teams to look beyond and into the greater threat horizon.
For all organizations, regardless of industry or size, there is an urgent need to find a better strategy to preserve customer trust, reduce risk across public attack surfaces, and mitigate the effects of data breaches – all while recognizing that the traditional corporate perimeter has evolved. That’s where external cybersecurity comes in.
What is External Cybersecurity?
Despite evolving tools, frameworks, and standards – for example, the NIST Cybersecurity Framework, PCI DSS, MITRE ATT&CK, etc. – security solutions often focus solely on what is inside of the traditional perimeter, leaving their organizations vulnerable to attacks and breaches. Enterprises use, and get abused on, a plethora of externally owned and operated platforms, including job boards, mobile app stores, auction sites, digital stores, and of course, social media. Thus, multi- and hybrid-cloud architectures are porous, and the rate and cost of data breaches have increased with cloud and social media use. External cybersecurity, however, is a critical component that helps protect your people and property (including virtual and intellectual) in the digital Wild West.
External cybersecurity is defined as the orchestration of humans and machine intelligence to discover and disrupt threats beyond the corporate perimeter.
To gain control over their expanding attack surface, as well as mitigate any concerns, security teams can, and should, leverage external cybersecurity experts and tools to hunt in cyberspace to protect corporate brands and VIPs, track criminal and state threat actors, and disrupt malicious activities before, during, and after intrusions.
It is important to note, however, that external cybersecurity tools are oriented away from your corporate perimeter, not inside your data centers, to provide visibility into your external attack surface, public digital platforms, cyber threat infrastructures, and criminal conversations in the underground. As such, external cybersecurity does not include firewalls or security controls that safeguard external, removable media, like CDs.
The purpose of external cybersecurity is not to replace internal people or tools. Rather, the goal is to fill in visibility gaps and enrich existing tools and processes with a complete platform that monitors the gray space between threats and customers. Internal and edge security are both critical to a Zero Trust approach; they just should not be your first lines of defense.
Furthermore, an external cybersecurity program contributes to increased resilience for an organization and also supports Zero Trust strategies. Zero Trust is an increasingly popular security framework used to limit privileged access based on context and identity-based trust. Acknowledging there is no longer a traditional perimeter, the United States government is mandating Zero Trust architectures and strategies for all federal agencies to reduce the risks of digital transformation and cloud-first application development. A Zero Trust strategy will fail without continuous discovery, identification, and inventory of the organization’s attack surface.
3 Examples of External Cybersecurity in Action
External cybersecurity provides value for organizations looking to mitigate vulnerabilities. While a full list, including examples, of external cybersecurity in action can be found in the ZeroFox report, below are a few examples.
Disrupting Brand Impersonators
Brand impersonation is when bad actors, from the lowest level domain squatters all the way to state threat actors, impersonate people and brands to violate the trust placed in an organization by its customers and users. These impersonations occur in mobile applications, social media profiles and ads, typosquatting domains, fraudulent storefronts, phishing pages, email, and more. Impersonations cause ongoing harm because they degrade customer trust and steal revenue from the brand.
Detecting impersonations of brands, executives, and domains is required to help ensure customer trust outside your organization. But, enumerating imitations is just a first, and very complex, step. Organizations need to protect their customers and partners from falling victim to impersonations and fraud by disrupting the threat actor's infrastructure or social media profiles as quickly as possible. This includes both taking down and disrupting any branded collateral, and stopping the issue at the source by reporting them to both social media networks and ISPs. In particular, disruption is a comprehensive approach that works with hosting providers, social media platforms, browsers, network security vendors, content delivery networks, and more to quickly place as many barriers between victims and criminals as possible.
Threat Intelligence
Threat intelligence involves monitoring various sources, including the hidden corners of the dark web, to uncover and assess relevant threats to your organization. Ultimately, it supplements any internal data and provides a timely and accurate window into the threat landscape by collecting raw technical, open, and human intelligence from all areas of cyberspace.
Threat intelligence serves a variety of business functions and people.. At the technical and tactical levels of defending an organization, threat intelligence improves decision making for analysts and individuals in the SOC, incident response team, physical security team, vulnerability risk, insider risk program, and more by enriching internal telemetry, adding context, and providing historical observations to make better, faster decisions. At the operational level, threat intelligence serves security architects, CISOs, CIOs, IT and security leaders by providing robust profiles and models of known threats and forward-looking assessments to better manage attack surfaces and reduce risks.
In other words, Threat Intelligence takes thousands of raw data points and adds context that enables organizations to take meaningful actions to protect their valuable assets.
Data Breach Response and Compliance
Data breaches are crises for organizations. They threaten the existence and viability of a company and the relationship with its customers. In a large-scale incident, the breach can tie up resources for years in litigation and negotiations with regulators over fines and penalties.
Once forensic experts have determined a data breach has occurred and the breached organization has identified all the data stolen and names of victims, the breach notification process and identity theft monitoring begins within the necessary compliance framework. This can be accomplished with internal resources but is time consuming and drains internal resources. However, external partners have the scale and expertise to more efficiently and effectively reduce the impact of a data breach to your organization, customers, and partners.
Because the majority of data breaches begin with threat actors reusing compromised credentials, it is vitally important to have people and technology continuously monitoring the gray space for your employee, partner, and customer credentials. As Forrester’s Allie Mellen recently observed, “Identity is the new endpoint.” For a Zero Trust strategy to succeed – to establish and maintain trust – compromised account credential remediation must be automated and orchestrated with the other components of the framework. An external cybersecurity program with automation capabilities and threat detection streamlines these components as a whole, from breach detection to response and account credential remediation, and aids in the compliance of Zero Trust policies.
Forward Look
Security staffing and budgets are unlikely to meet every need in the near future, which shifts the responsibility to external cybersecurity companies who can provide the expertise (e.g., intelligence RFIs, incident response, penetration testing), information (e.g., social media, threat intelligence, shadow IT), and tools (e.g., disruption, data breach response) at the right time and place to surge for crises. External cybersecurity achieves broader situational awareness by fusing the massive amount of data from the gray space to track more threats, add more value, reduce inefficiencies, and drive down more risks for a security organization than a collection of niche solutions.
To learn more about external cybersecurity, including a full list of impact areas and ZeroFox’s approach, get your copy of the ZeroFox Guide to External Cybersecurity.
Tags: Cyber Trends, Cybersecurity, Digital Risk Protection, External Cybersecurity