The sensible security posture for Barrett Steel: Zero Trust
For Ainscow, a Zero Trust posture is central to making information security a business enabler. As he points out, “We live in a world today where attackers, even without much skill, can be quite menacing. You have to operate in a state of assumed breach. Therefore, it makes sense for everyone to embrace Zero Trust. If you’re an IT manager or security engineer and think your network is clean, you’re living in fantasy land. You just can’t trust anything.”
Ainscow’s approach to Zero Trust at Barrett starts at the subnet level: all traffic routed between subnets passes through the company’s core Palo Alto Networks NGFWs for inspection. Internet access follows an “all doors closed” policy, and servers can communicate with one another only where there is a business need. Traffic flow is controlled with App-ID™ and User-ID™ on the NGFWs, so rules are written in terms of the application identified at Layer 7 rather than the destination port, and each user can reach only the servers that their role and level of authority require.
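To make the contrast concrete, here is an added illustration in PAN-OS CLI “set” syntax of the kind of rulebase the paragraph describes. It is not Barrett Steel’s or Palo Alto Networks’ own configuration; the zone names (Users, Servers), the address object ERP-Servers, the service object tcp-1433 and the group barrett\finance are assumptions made for the example. It shows a port-based rule next to its App-ID/User-ID replacement and an explicit, logged deny at the bottom of the rulebase.

```text
# Added example, not the customer's or vendor's own configuration.
# Zones, address objects, service objects and the group name below are assumed.

set address ERP-Servers ip-netmask 10.10.20.0/24
set service tcp-1433 protocol tcp port 1433

# Weak: port-based rule. Anything that happens to use TCP/1433 is allowed,
# from any user to any server in the zone.
set rulebase security rules Allow-1433 from Users to Servers source any destination any source-user any application any service tcp-1433 action allow

# Corrected: App-ID identifies the application regardless of port, User-ID
# restricts the rule to one group, and the destination is scoped to the servers
# that group actually needs. "application-default" only permits the app on its
# standard ports, so a different application tunnelled over 1433 does not match.
set rulebase security rules Finance-to-ERP from Users to Servers source any destination ERP-Servers source-user "barrett\finance" application ms-sql-db service application-default action allow log-end yes

# Explicit, logged catch-all. PAN-OS already denies interzone traffic by default,
# but the implicit rule does not log unless logging is enabled on it, and a
# visible deny makes blocked attempts easy to find in Panorama.
set rulebase security rules Deny-All from any to any source any destination any source-user any application any service any action deny log-end yes
```

Rule order matters: the firewall evaluates the rulebase top down and applies the first match, so the allow rules must sit above Deny-All, and the weak Allow-1433 rule would be removed once the scoped rule is in place.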
With the NGFWs deployed in the network core and at the edge, Barrett has multiple layers of protection against cyberattacks. Ainscow considers this another important part of enabling the business.
“One of the jobs of information security is to keep the company functioning without disruption,” he says. “From a business perspective, our biggest issue is people clicking links in emails. We had a recent incident where a customer’s email system was breached and the attackers were sending us legitimate-looking emails with a link to a supposed sales order. Of course, the links were malicious, but the emails made it through our cloud-based email filters and Microsoft Office 365 ATP. However, our Palo Alto Networks edge firewalls caught them.”
A phishing payload still has to communicate outbound, either to download malware or to establish command and control. With the firewalls’ security subscriptions enabled and continuously updated by Palo Alto Networks, when Barrett users clicked on the link the NGFWs identified the destination as malicious and blocked the connection, so the download or callback never completed.
Ainscow notes, “When we got the alert, we just jumped into Panorama and saw that the firewall reset both the server and the client connection, so there was no immediate danger being posed by that endpoint. Palo Alto Networks did what was needed.”