TL;DR
- Network segmentation using VLANs creates isolated zones that prevent broad access if edge devices are compromised by threat actors.
- Implementing least privilege access ensures users only access systems required for their specific job functions, reducing potential attack vectors.
- Shifting security validation from edge devices to user endpoints makes credential theft and phishing significantly more difficult for attackers.
Summary
Mike Riemer, Field CISO at Ivanti, outlines a comprehensive security strategy for protecting edge devices and IoT infrastructure from threat actors. The approach emphasizes network segmentation through VLANs to create isolated zones that limit lateral movement if a device is compromised. Riemer advocates implementing least privilege access controls so that users only access the systems necessary for their roles. Continuous monitoring for suspicious activity is essential for detecting attempts to circumvent these controls. A key strategic shift involves pushing security validation to user endpoints rather than relying on the edge devices themselves, making credential theft and phishing attacks significantly more difficult. This endpoint-centric approach validates user identity at the point of network entry, reducing the attack surface and improving the overall security posture of organizations whose edge infrastructure is largely unmanaged.
Chapters
0:00 - Multi-Faceted Security Strategy
0:16 - Network Segmentation with VLANs
0:38 - Least Privilege Access
1:05 - Endpoint-Based Security Validation
Key Quotes
0:18 "By utilizing VLANs, you can segment networks and you can put restrictions, firewalls in place so that kind of siloing the data so that you don't have broad brush access across the network if one of these edge devices becomes infiltrated by a threat actor."
1:11 "We can also push security from these edge devices and push that security all the way to the endpoint. Make it the user endpoint where users are actually logging into the network from and do the validation and the checking at that point."
1:36 "By moving that out to the endpoint versus having the edge, it makes it much more difficult for threat actors to be somebody else, to steal credentials or be able to use phishing or other types of services in order to get somebody's credentials in order to come in."
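The segmentation argument from the summary and the 0:18 quote, as an added worked example (not Ivanti's or Riemer's code): a small blast-radius check that compares what a compromised device in an IoT VLAN can reach under a flat network versus a default-deny inter-VLAN firewall policy. All VLAN names, subnets, hosts and rules are constructed placeholders.

```python
"""Blast-radius check for a VLAN-segmented network (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_vlan: str
    dst_vlan: str
    dst_port: Optional[int]  # None means any destination port


# Constructed zones: each VLAN maps to a hypothetical RFC 1918 subnet.
VLANS = {
    "iot": ipaddress.ip_network("10.0.20.0/24"),
    "users": ipaddress.ip_network("10.0.10.0/24"),
    "servers": ipaddress.ip_network("10.0.30.0/24"),
    "mgmt": ipaddress.ip_network("10.0.99.0/24"),
}

# Constructed targets a threat actor on a compromised edge device might pivot to.
HOSTS = [
    ("10.0.30.5", 443),   # internal web application
    ("10.0.30.7", 3389),  # RDP jump host
    ("10.0.99.1", 22),    # switch management interface
    ("10.0.10.23", 445),  # user workstation SMB
    ("10.0.20.9", 80),    # another IoT device in the same VLAN
]


def vlan_of(addr: str) -> Optional[str]:
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in VLANS.items() if ip in net), None)


def allowed(rules, src_vlan, dst_vlan, port) -> bool:
    # Intra-VLAN traffic is switched, not firewalled; inter-VLAN traffic is
    # default deny and needs an explicit rule.
    if src_vlan == dst_vlan:
        return True
    return any(r.src_vlan == src_vlan and r.dst_vlan == dst_vlan
               and r.dst_port in (None, port) for r in rules)


def reachable_from(compromised: str, rules):
    """Return the (address, port) targets a compromised host can reach."""
    src = vlan_of(compromised)
    return sorted(t for t in HOSTS if allowed(rules, src, vlan_of(t[0]), t[1]))


# Flat network: every zone may talk to every other zone on any port.
FLAT = [Rule(a, b, None) for a in VLANS for b in VLANS if a != b]
# Segmented, least-privilege policy: IoT and users reach the servers VLAN on 443
# only; management may reach IoT, but never the reverse.
SEGMENTED = [Rule("iot", "servers", 443), Rule("users", "servers", 443),
             Rule("mgmt", "iot", None)]
```

Running `reachable_from("10.0.20.50", FLAT)` returns all five targets, while the same compromised IoT host under `SEGMENTED` reaches only its own VLAN and the web application on 443.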