How the Federal Government is Revolutionizing Endpoint Security in a Zero Trust Environment

June 15, 2021

Thales TCT is a trusted provider of cybersecurity solutions for US federal defense, intelligence, and civilian agencies. In April 2020, TCT partnered with Votiro to bring the benefits of our Positive Selection technology and file-based security to the US government.  

In a recent webinar, Kirk Spring, Trusted Cyber Security Advisor at TCT, and Richard Hosgood, Director of Engineering North America at Votiro, discuss the challenges faced by the federal government, the need for a Zero Trust environment, and how the right technology can allow federal agencies to rest easy knowing their networks are safe.

Watch the webinar here.

The Federal Government’s Journey to Zero Trust

Zero Trust is a security concept based on the belief that companies must not automatically trust anyone or anything online, even those within its perimeters. Instead, every individual, account, or device attempting to connect to the company network or corporate systems must be verified before granting access. Given today’s breaches and growing complexities, the Zero Trust model is a means to allow businesses or organizations to function in a remote environment.

Kirk explained, “Someone might ask ‘Well, if the government networks are locked down, why do they need Zero Trust?’ I can give you two immediate examples. One is the SolarWinds breach and the other one is the latest Microsoft Exchange vulnerability. And government agencies are sharing more data today than ever before. The movement to the cloud by the government is one prime example where multiple agencies are sharing the same data.” The cloud has made the perimeter virtual, which in turn has made trust almost impossible to verify.

In addition, hackers are becoming more advanced. They are broadening their attack surface, even though companies are trying to lock their networks down more. One example is where hackers are embedding themselves within email conversations between two trusted parties. There is virtually no protection to stop the end user from receiving that data from that “trusted” hacker… other than Zero Trust.

Today, the work-from-home and remote work security challenges have accelerated the need for Zero Trust. 80% of government employees worked from home during the pandemic. TCT had 90% of its workforce working from home. This opens up the surface area for attacks as the endpoints are now outside the physical perimeter of the organization. Unfortunately, federal breaches have increased significantly. 60% of government agencies have reported that they’ve been breached, with half of all breaches occurring in the last year. 

These facts have resulted in the government moving towards a Zero Trust concept, with NIST and NSA each releasing guidelines on how to get there. Recent surveys say 93% of federal government agencies have implemented at least one Zero Trust solution in an effort to secure their networks from malicious activity. In fact, federal defense contractors are now required to transition to Zero Trust and Web Isolation architecture to meet evolving CMMC requirements. 

The Intersection of Zero Trust and Web Isolation

As an example, to meet this need, DISA has set up a secure network that can be accessed by all DOD departments. One of the services they offer is a cloud-based internet isolation (CBII) service, a main component of the Zero Trust model. Web Isolation can deliver a safe browsing experience by creating an air gap between the user and the actual internet. While traditional solutions allow or block the site based on specific criteria, such as the length of time the site has been in operation or reputation score, with web isolation, all browsers and websites are assumed to be malicious. And therefore, the 3.5 million DOD employees using this service receive a safe replica of the site and can safely browse their documents.  

Moreover, this technology is not limited to federal agencies. Large enterprises, commercial banks, insurance companies, financial institutions, and law firms all use browser isolation and benefit from it.

According to Kirk, “It’s great technology. Gartner estimates that 70% of all endpoint intrusions are done through a browser. So, web isolation right now is a key component to obtaining what we would call a good Zero Trust architecture or Zero Trust model.” 

Web Isolation Results in Less Downloads

Web isolation provides a 70% reduction in content downloaded to the endpoint. The user can view the documents in isolation on the browser without worrying about document security or where their documents originated from. So, that 70% meets the Zero Trust model. But the real challenge is, how do you trust the remaining 30% of the content that must be downloaded? How do you know where it came from?

Challenges of Web Isolation and File Downloads

According to Rich, a significant number of threats enter an organization’s networks through social engineering emails. Verizon’s 2020 Data Breach Investigations Report backs up this statement, indicating that 22% of data breaches involve phishing emails.  Having a Web Isolation solution to protect you against malicious  email-based links is an excellent way of implementing a proper Zero Trust model. But the remaining 30% that flows through traditional defenses needs to be dealt with.

Traditional defenses used by Web Isolation solutions such as hash checking, antivirus solutions, and sandboxing are just not enough. Standard antivirus catches only about 45% of malware. In addition, it takes 5, 10 or 15 minutes to process a single file in a sandbox. And you are still not protected from zero-day type attacks.

In addition, some solutions work by flattening the files into PDFs or images, a practice that keeps the company safe but also removes active content. This affects the usability of the files, reducing employee productivity when the data they need cannot be extracted or used (think: pivot tables in a financial analysis Excel). Sometimes employees need access to the actual file to do their jobs. And there, says Rich, is where advanced Content Disarm & Reconstruction (CDR) technology steps in to sanitize those files before they’re downloaded to the endpoint.

What to Look for in Safe File Downloads

When choosing a vendor that employs CDR technology, it’s essential to check which file types they support. The vendor must be capable of actually sanitizing every element and object inside the original file instead of blocking the file or converting the file to an image or a PDF wrapper, which renders the file unusable from a business standpoint. Also, make sure to choose a vendor that has been battle-tested because every single file that slips through their defenses represents a massive breach risk for your organization. “Accept nothing less than a Zero Breach track record,” says Rich.

The Votiro Advantage

Votiro’s Secure File Gateway prevents all hidden malware threats in files at a massive scale for enterprises and governments worldwide. Votiro can neutralize risky content instantly before it causes a breach to the endpoint. The technology doesn’t flatten any files or extract any content that’s meaningful to the end-users. Instead, the technology keeps the fidelity of the file intact through safe reconstruction of the known-good elements of the file onto a clean, safe template. Votiro protects against malicious files coming from email, web uploads, and web downloads – the lion’s share of the way the malware gets into your environment. “We don’t look for malware whatsoever. We clean and sanitize every single file, which enhances productivity, enabling the data to reach end users immediately, with no delay,” says Rich.

Votiro’s direct integration with Menlo Web Isolation means users are protected from browsing websites and downloading files. Votiro allows for safe files to be downloaded directly to end-users while ensuring that there is zero threat content inside them by sanitizing those files. This technology is called Positive Selection. Votiro selects only the positive elements of the file – text, graphics, executables, etc. – and leaves behind any malicious objects, so your document is 100% safe. 

Last year, TCT implemented Votiro in their infrastructure to strengthen their network against zero-day attacks in files and to help them meet CMMC and NIST-800-171 requirements. Kirk underlines the success. “After our review with Votiro’s product, we implemented it in our own network, and we look forward to that partnership continuing in the near future.”

If you would like to learn more about Votiro and Menlo Security web isolation solution, please visit the joint solution page here