Reducing the “Blast Radius” of Breaches With a Zero-Trust Strategy

Many of the benefits of zero-trust strategies — like reducing unauthorized access risk, achieving compliance with regulations and simplifying complicated cybersecurity systems and practices often due to “tech debt” — have been well-documented recently, but one of the primary benefits of the design philosophy often goes overlooked. When used effectively, zero-trust strategies and associated architecture can reduce financial and reputational damage incurred from cybersecurity incidents and compromises.

Cybersecurity incidents have become so common and so damaging that the SEC issued a new disclosure rule in July 2023 for registrants; and in May 2024, amended a rule to Regulation S-P for covered financial institutions that hold consumer nonpublic personal information. According to these rules, companies may be required to disclose certain information to investors and consumers about cyber incidents. 

Under the July 2023 cyber disclosure rules, SEC registrants need to disclose to investors “material” incidents within four days of determination. Under the May 2024 Regulation S-P amendments, covered institutions are required to provide timely notification (i.e., not later than 30 days) after becoming aware that “unauthorized access to, or use of, customer information has occurred or is reasonably likely to occur.”

Zero-trust strategies benefit organizations by meticulously scrutinizing and verifying access requests across the technology stack. Even when an incident leading to breach occurs, the potential fallout can be contained by ensuring that sensitive data is protected with limited access that is complemented with appropriate network segmentation. 

One of the fundamental cybersecurity challenges we’ve seen across clients of all sizes is a lack of proper security controls. In many organizations, users have access to far more applications, data and systems than they should — usually because there are weak controls in place to dictate what users should or shouldn’t be able to access. Excessive access is compounded by organizations that have not segmented their networks. 

Why is this a problem? By stealing the credentials of just one user with unfettered access, a cyberattacker can turn a small breach into a much larger one by connecting to other systems, networks and servers, ultimately leading to full compromise of an organization’s data.

Using a simple analogy, think of it like this: If your organization is a kingdom, and each of your systems and networks are castles within that kingdom, zero-trust adoption creates fences between each door of every castle in the form of validations. Your accounts and credentials represent the keys to the kingdom — and accounts that can access all of the castles within it without restraint represent the “master keys.” These are the accounts that cyberattackers look for.

With super-access to all castles, bad actors have free rein to attack the kingdom in any way they choose — from exfiltrating data to performing ransomware attacks and more. Once they’re able to do this, a material breach is inevitable along with the negative consequences that follow.

No matter how mature your organization may believe your security posture is, attackers can almost always find a way in — and even the smallest gap can create a major impact. Take this recent example from a customer we helped after a compromise was detected.

One of this customer’s user accounts was compromised by a cyberattack. Once inside the system, the cyberattacker was able to move around the network until gaining access to a vulnerable Linux system within this customer’s data center. From there, the attacker was able to gain control of administrative accounts and took over the active directory domain, ultimately gaining control of the entire network and exfiltrating vast amounts of data.

In less than 24 minutes, this customer faced the costliest material breach that they had ever experienced — and all because one user had access rights to a vulnerable Linux system that they should never have been able to access.

Fortunately, a full-system compromise like this is not very common; however, the recovery time is substantial when it does occur, impacting all elements of an organization. Once a system has been fully compromised, it’s no longer trustworthy, meaning that it must be rebuilt from scratch. This is a costly undertaking that requires massive amounts of time, effort and dollars, all while dealing with the reputational damage that follows.

Since CDW experts rebuilt this customer’s system with a zero-trust design philosophy in mind, they have not experienced a material breach, and any security incident that they have experienced has been limited, leading to faster resolution.

When it comes to security, protecting “everything, everywhere, all of the time” is not a realistic strategy. But, with careful prioritization backed by a zero-trust design philosophy, reducing the damage incurred by breaches, or the “blast radius” is possible. It all comes down to the adage, “How do you eat an elephant? One bite at a time.”

Attempting to secure everything within your environment will invariably lead to unwarranted costs, resource misallocation and lack of prioritization leading to gaps within it. Even small gaps can have major consequences — like a single vulnerable system causing a material breach across the environment.

Effective prioritization, least-privilege access and segmentation are the keys to success. Effective implementation of zero-trust policies will also depend on a few additional strategies, including:

1. Risk and governance. First, understand and categorize the systems and information processed based on the likelihood of an incident and the magnitude of harm and then ensure alignment of the risk with your organization’s overall appetite for risk. Next, validate that the associated allocation of resources to address the identified cybersecurity risk and associated controls are consistently aligned with the right level of buy-in from both executive management and the board of directors.  

2. Visibility. Identify the security controls already in place. How does your organization access systems today? This may not mean starting from scratch. VPNs and single sign-on (SSO) systems, for example, are relatively common mechanisms of validating systems and user access. A zero-trust maturity assessment is a great way to gain insight and visibility into your current environment and will help provide a roadmap for prioritization going forward.

3. Identify your users, systems and networks. Next, take a close look at your users including system and service accounts. Do they have access to the right applications and networks in the proper systems to do their jobs effectively or excess access that may not be warranted? Do they have access to networks or systems that they don’t currently need? Your network is the enforcement point for access rights, so thorough identification is key here.

4. Application segmentation. Once your systems, users and access rights are identified, it’s time to determine which applications you’ll need to segment first. Prioritize your organization’s most-used applications since this will allow you to segment the largest number of users. The goal is to get your users used to the concept of restricted access, starting with their most commonly used applications.

5. Assume that anyone’s account can be compromised at any time. There are so many ways for attackers to compromise credentials and find their way into systems and networks that the best practice is to assume that at some point even your most privileged account will be compromised. Placing limits on every user’s access is the best way to ensure that when an account is compromised (not if), the attacker can’t get the “keys to the kingdom” and create a material breach.

6. Ensure proper alerts are in place. When incidents occur, proper teams must be alerted immediately. With the proper security controls in place and segmented networks, security teams will be able to assess and remediate issues more quickly, leading to faster outcomes like regulatory compliance. 

While zero trust is not the magic solution to a fully optimized cybersecurity posture, the design philosophy behind zero trust is the best defense your organization has against the cunning and well-funded cyberattackers whose primary focus is finding a way into your organization’s domain.

By taking a close look at your current environment, segmenting networks and restricting user access based on roles and need (vs. want), your organization can reduce the “blast radius” and limit the damage from a breach.