The increasing frequency and severity of cyber attacks show that using a software-only approach to secure the endpoints in a distributed organization is failing. Devices still connect to networks you don't own or control, and the threats that live and spread throughout these networks are infecting your exposed endpoints. The problem is really: How do you secure the ingress/egress traffic to the endpoint without owning the network?
These are the three primary reasons CISOs choose Byos to accomplish just that.
Jump to a section...
Prevention, detection, and remediation of lateral movement
Protection against stealth and bypass attacks
Protection and management of insecure legacy devices
Securing BYO and third-party devices
Prevention, detection, and remediation of lateral movement
When it comes to lateral movement, these are the three main attack progressions and vulnerabilities worth paying attention to:
- When a computer connects to a Wi-Fi network that is beyond the corporate IT team’s control, its exposure to the network causes infections to spread inbound.
- Later, when that computer returns to the office, the threat then spreads outbound to the rest of the corporate network.
- Because typical network segments are too large and unwieldy, the spread of infections cannot be contained.
In addition to strengthening security with a layer of protection outside the host, Byos also makes it easier to detect any attacks that do find a way through the barrier. Using Byos, IT administrators have complete visibility into and control over all network traffic. And because it sits at the physical edge of the computer, the Byos device is able to protect and remediate lateral movement at the click of a button.
Back to topProtection against stealth and bypass attacks
The first step after an initial compromise in any attack is to disable the security mechanisms running on the infected hosts in order to evade detection. Disabling AV products or EDR tools, clearing event logs, and disabling Windows audit logging are examples from recent malware attacks, where these stealth and bypass attacks corrupted the security software by unhooking, allowing the attacker to live inside of the infected endpoint undetected. The fundamental reasoning for this is that security software resides inside the endpoint and is dependent on the machine’s operating system.
To effectively prevent these types of attacks, the security should be independent from the host and unable to be corrupted by the attackers. The Byos µGateway does so by sitting at the edge, securing the ingress and egress network traffic, without reliance on the endpoint. This is the concept coined hardware-enforced isolation, where any attack that lives inside of an infected endpoint must go through Byos before reaching the rest of the network, and vice-versa on the way in.
Back to topProtection and management of insecure legacy devices
Legacy devices are inevitable parts of a diverse, distributed device fleet, but they also usually run on old and unsupported operating systems. Their unpatched vulnerabilities present major security risks, and their incompatibility with modern security software leaves few options for protection. Introducing hardware-based microsegmentation is one of the only effective strategies to protect legacy devices. Byos makes this possible by microsegmenting devices to remove the exposure of their vulnerabilities, obviating the need to change network perimeter configurations.
When you own networking and security at the edge, you are in full control of the communications. Byos enables a secure channel with each microsegment without exposing it to the rest of the local network, while facilitating direct remote control of each endpoint inside as if you were physically beside it. This unlocks many operational productivity gains like secure remote updating, patching, or troubleshooting.
Back to topSecuring BYO and third-party devices
When employees supply their own devices and use them for both work and personal purposes, that typically means administrators are unable to install security software and manage those machines. Introducing an external layer of security through the Byos device provides protection, visibility, and control, effectively adding a dimension of security to BYOD policies without being overbearing on personal devices.
Byos is the only solution that provides network security through edge microsegmentation to protect devices when they connect to any network, regardless of device type, location, generation, or origin. The patented Byos µGateway isolates each individual endpoint as a dedicated microsegment to protect against:
- Wi-Fi attacks
- Eavesdropping
- DNS poisoning
- Route alteration
- DDOS attacks
- Lateral movement.
Computers were built to communicate, so our devices are exposed to the networks they connect to by design. Security software solutions cannot truly isolate devices, only hardware-enforced edge microsegmentation can do that. Security software works like a vaccine, protecting from within the system to detect any pathogens that have compromised the host. However, they’re only as effective against the infections they’re programmed to detect. On the other hand, using Byos is like wearing a mask; wearing a mask in public helps prevent the infection from getting in and out of your body in the first place.
In that sense, edge microsegmentation is a highly effective way to isolate your endpoints from the potential risks of public and private networks. The Byos µGateway offers a modern approach to security architecture that is both network- and endpoint-agnostic, protecting the endpoint no matter what device an employee is using and no matter what network they connect to. Ready to learn more?