CISO Perspectives: Protecting Legacy Network Devices with ZTNA

As we look at the speed and scope of technology’s evolution, we must be aware of two things: 1) not all tech advances at the same pace; and 2) attention to cybersecurity varies across different areas of an organization. Tech innovations are made in response to demand, whether from customers, regulation, employees, partners, or competition. This means that solutions and applications with the biggest user base will likely lead modernization efforts. Back-office functions, network infrastructure, databases and other capabilities that are less dynamic, or aren’t user-facing, tend to lag in modernization until it becomes an imperative.

This highlights two significant areas of concern. First, innovation doesn’t always start with a secure foundation. It often begins in a wide-open environment that caters to non-secure starting points. For instance, DevOps is usually ahead of DevSecOps. Second, yet much more critical, is the legacy infrastructure left behind when forward-facing components are modernized. If not proactively protected, these legacy systems are vulnerable to cyberattacks. Network devices are particularly attractive targets because they are the path into infrastructure and all the crown jewels.

Most organizations have technical debt ... components that you can’t afford to do without but also can’t be updated or patched. Technical debt exists for many reasons, all typically related to scarce resources. And, while older components aren’t always a high replacement priority, the whole system should be updated to truly work properly and securely. But that’s not the reality we live in.

Security gaps created by tech debt are an ongoing concern. In fact, they are exploitable attack vectors routinely discovered by the highly skilled penetration testers on the Threat Advisory Services team I lead here at Appgate. And our customers are kept busy with the burden of continually protecting the broad range of internet-facing resources by remediating, patching and updating. Not to mention that each patch and update requires extensive testing to make sure systems continue to work properly.

Bridging the tech debt security gap with ZTNA

According to CrowdStrike’s latest Global Threat Report, last year 75% of attacks used to gain initial access were malware-free, which means threat actors are directly attacking infrastructure. While not new, this malicious focus on infrastructure is growing, with attacks on edge gateway devices identified as the most routinely observed initial access vectors for exploitation.

How do we address this concern? As former CISO of the FBI, I unapologetically advocate for Zero Trust Network Access because it limits network access to only authorized people and devices. ZTNA changes the network security focus from static perimeters to individual “segments of one” and dynamic secure access policies to protect each user-to-resource and resource-to-resource connection. This approach takes the issue of protecting access to legacy network devices off the table.

For example, one of our Fortune 50 customers uses Appgate SDP universal ZTNA to protect over 99% of its 18,000-plus servers equaling approximately 1.2 billion ports by making them invisible. The remaining <1% of its ports can be aggressively defended because the global company is immediately alerted to any change in port status via an Appgate SDP protocol that ensures shifts aren’t lost in the noise.

Thwarting widespread incursions with ZTNA

Let’s go back to legacy infrastructure and technical debt and ways it can be exploited at the perimeter and inside a network. Successful perimeter breaches pave the way for attackers to surreptitiously move to internal network targets by masquerading as legitimate users and escalating privileges throughout. This occurs by compromising a user and device to gain seemingly authorized access and typically means failures at the identity management and extended detection and response (XDR) levels.

But if you deploy universal ZTNA, cyber infiltrations are thwarted before lateral movement can occur. That’s because ZTNA is built on default deny, so even if a hacker gains initial foothold on one user device, they can’t move beyond the compromised user’s authorized permissions. This limits widespread incursions and reduces the blast radius of a breach.

In stark contrast, the security industry norm is “allow access, but monitor the traffic, establish a baseline, detect anomalies and react to anomalies as fast as you can” ... which is the basic premise of any XDR tool. Open port VPNs also feed right into this scenario by granting access, then relying on some other MDR/XDR/IPS/IDS solution to make sure nothing nefarious is happening.

Appgate SDP mitigates risk for legacy infrastructure, particularly unpatchable systems, by restricting user access for exploitable ports to "as needed only” and implementing extra user and device conditions to access vulnerable ports. For example, a specific condition might be: enforce that an XDR client must be running and healthy before granting access to a susceptible legacy port/service. So Appgate SDP makes the role of XDR more limited and targeted while increasing overall security.

Making infrastructure invisible with ZTNA

Another success story from our Fortune 50 customer is that in the past year they used Appgate SDP universal ZTNA to block approximately 202 million SMB ports and control access to their file servers, printers and systems. These SMB ports are invisible, which eliminates a threat actor’s ability to look around for interesting network targets. And our customer did this without any reported disruption for users. So, the “default deny” premise of ZTNA works, enabling users to do their jobs effectively without adding unnecessary risk to the business.

Also of note, this same customer used Appgate SDP to block traffic to high-risk ports approximately 75 million times over the course of year. This kind of service denial is core to keeping an organization safe from unknown sources and malicious actors seeking to steal data and infect the network.

Blocking and cloaking is core to Appgate SDP’s ZTNA capabilities built to align with NIST’s Zero Trust architecture framework. We flip the script to prevention first and detection second. Building cloaking in as a core architecture function enables security teams and developers to work together to achieve common goals. Additionally, this preventative measure, backed by our proprietary single packet authorization (SPA) formula, dramatically reduces the number of detected events, because the best defense is to make sure resources aren’t visible at all.

Changing the cybersecurity game with ZTNA

A CISO’s job is never done. Hardening security postures across disparate enterprise infrastructure isn’t easy and no organization is exempt from being a target of cyberattacks that seemingly grow and morph overnight. Isn’t it time to change the game?

Zero Trust Network Access transforms the dynamic at the architecture level so organizations can protect their legacy network devices, plus every other component that comes along, by making the network and all resources invisible. Universal ZTNA is the uncompromising way to “define access that’s allowed and block everything else” ... ultimately solving the problem of how to bridge the security gap between legacy and new tech.

Want to learn more? Watch this ZTNA Table Talks session to get my additional perspectives on how to thwart shifting cyberthreats, shield internet-facing infrastructure and shrink attack surfaces.

Additional universal ZTNA resources

White paper: An ROI Analysis on Universal ZTNA
Blog: Making the Case for Universal Zero Trust Network Access
eBook: What’s the Difference Between Cloud-routed vs. Direct-routed ZTNA
Analyst report: 2023 Nemertes Real Economic Value of Appgate SDP