Hafnium attack a wakeup call to protect on-premises assets with true zero trust application access.
A Critical Problem To Address
On March 3, 2021, the US Government issued a rare directive to mitigate vulnerabilities with on-premises Microsoft Exchange servers because of a widespread hack by a state-sponsored group Microsoft calls Hafnium. With 43% of all Exchange mail accounts managed on-premises, and more than 30,000 servers in the United States alone, the risk of Chinese hackers obtaining invaluable data from these at-risk servers is the new info-pandemic.
The underlying reason why this hack is so widespread is simple: Businesses have cracks in IT infrastructure that permit hackers to violate two key tenets of IT security:
- Protect the servers: Block bad-actors from access to the enterprise data center or private cloud where the apps and data reside
- Protect the data: Prevent end-users or malware on devices from exfiltrating data
Hackers have accessed Microsoft Exchange through publicly exposed paths, and back-door breaches have allowed them to access the server directly. To stop both risks, all access to the servers must be controlled. Specifically, unprotected access to these services must be stopped:
- Outlook Web Access (OWA)
- Microsoft Active Sync for mobile access
- Microsoft MAPI over HTTP access for Outlook to access Exchange
VPN: You are still at risk
The first answer that may come to mind is to use a VPN. That unfortunately just kicks the can down the road. The VPN limits access to the data center only. However, any infected end-user device then just needs to connect via the VPN to OWA or the Exchange server. At that point, malware will have unfettered access.
ZTNA: You could still be exposed
Many zero trust access services have arisen to limit user devices to only access designated servers. Said differently, if a user device uses Zero-Trust Network Access (ZTNA) and their infected device is accessing an application other than Exchange, they will not be able to reach Exchange and infect the server. This is fine if the user is not using Outlook or OWA. If they are, once Outlook attempts to access Exchange, most ZTNA solutions will treat this as a legitimate access request and open the path to Exchange. Then, malware on the device will likewise have a clear path to Exchange!
TransientX: The only Zero Trust solution to prevent Microsoft Exchange Server infections
The only fool-proof way to protect enterprise-managed on-premises Microsoft Exchange servers is via TransientAccess, the next-generation Zero Trust Application Access solution from TransientX.
TransientAccess delivers three distinct capabilities to prevent malware from ever reaching the Exchange server, for all access methods:
- Hide the Exchange Server: The server IP addresses and DNS names are never published or visible. The TransientAccess virtual network dynamically maps virtual addresses to the real address, with different mappings per user and per server. Malware looking for these servers cannot find them because they are camouflaged. By preventing this potential east-west traversal, malware is blocked from attacking the servers.
- Connect the app to the Exchange server: TransientAccess is unique in the market in its ability to securely wrap any application, including browsers and Outlook, in an isolated workspace to limit its available network destinations. Therefore, malware cannot reach the enterprise data center without infecting Outlook itself, or the browser directly.
- Secure the browser and Outlook from malware: The TransientAccess secure micro-container protects applications from malware. When the user activates their browser to reach OWA, or uses Outlook, the secure micro-container prevents malware from affecting the application. This means that as long as the browser or Outlook are protected by TransientAccess, malware cannot reach or infect Exchange servers.
Below is a comparison between VPN, basic ZTNA, and TransientAccess:
|VPN||Zero Trust Network Access||TransientX- Zero Trust Application Access|
|Protect Data Center and cloud|
|Prevent Malware from accessing Exchange|
|Prevent users from copying, downloading data|
Who doesn’t like free stuff?
Everyone does, right? Then good news. We’re making zero trust network access (ZTNA) zero cost (free!) for organizations with up to 20 users.
That’s right, we’re bundling all the core features and protections you want in a true zero-trust network access solution – enterprise-grade end-to-end security coupled with Zoom-like ease of use. Free Zero Trust Network Access for up to 20 users with up to 5 devices each.
Windows, Mac, Android or iOS – we’ve got you covered with the same cross-platform user experience on every device. We’re also including a connector for accessing legacy applications in your data center.
Go to our pricing page to get all the details of what’s included.
Still not convinced? Contact us for a demo first and we’ll show you why TransientAccess is a true next-generation Zero Trust Network Access (ZTNA) solution. It builds ephemeral zero trust application networks for every user. Instead of connecting devices to each other, TransientAccess connects apps on those devices to each other. It uses isolated overlay networks built for every user. Devices, managed or unmanaged, are never trusted or connected to corporate networks. Coupled with granular access control policies and full visibility into application and user activities, it provides true zero trust access by using microcontainers that isolate trusted apps and provide application-level connectivity independent of the underlying physical network topology.
Simple isn’t easy – we’ve done the hard work making ZTNA easy to deploy, integrate and use.
McAfee® MVISION Unified Cloud Edge (McAfee UCE) customers worldwide can now protect their private clouds with true zero-trust security from edge to cloud with TransientAccess zero-trust network access (ZTNA).
McAfee Security Innovation Alliance (SIA) is the security industry’s most open partner ecosystem empowering customers to deploy technologies that facilitate faster innovation cycles, build a coordinated, unified defense, and deliver security-based business outcomes. This drives a new era in security where all components come together to work as a single cohesive system, regardless of vendor or underlying architecture.
By integrating with McAfee UCE, TransientAccess delivers seamless ZTNA for UCE customers, rounding out a SASE solution from the endpoint to the Cloud. McAfee UCE customers can provision this powerful ZTNA solution from TransientX with a few clicks of a mouse from within the MVISION Marketplace.
For joint customers the benefits are:
- Integrated, seamless security from the endpoint to the cloud.
- With ZTNA, secure the “last mile” with user-to-app connectivity to the Cloud – no more VPN. Any app, anywhere.
- Secure Workspace Isolation – users can use any application, or browser to perform their enterprise roles, with secure, containerized sessions
- Full DLP – watermarking to prevent screen capture, no unauthorized copy/paste, or downloads of sensitive data
- Use any device – The containerized Workspace mitigates risks associated with compromised endpoints, enabling the use of even unmanaged devices
TransientX offers a next-generation ZTNA solution which builds ephemeral zero trust application networks for every user. Instead of connecting devices to each other, the TransientAccess service connects local apps on those devices to their servers, using isolated overlay networks built for every user. Devices, managed or unmanaged, are never trusted or given direct access to corporate networks. Coupled with granular access control policies and full visibility into application and user activities, the solution provides true zero trust access by using microcontainers that isolate trusted apps and provide application-level connectivity independent of the underlying physical network topology. Simple isn’t easy – we’ve done the hard work making ZTNA easy to deploy, integrate and use.
“McAfee believes security is best served by ‘together is power’,” said Javed Hasan, Global Head, Product Strategy and Alliances at McAfee. “We’ve invested in an open approach for our platform to deliver top quality integrations. Adding TransientX as a ZTNA provider, sharing posture information from our massive endpoint security base, provides customers with the best option for their environment, enhancing their deployment with valuable intelligence from the McAfee ecosystem. Together with SIA partners like TransientX, we are strengthening security for the critical apps that enterprises rely on every day.”
“Our customers value the simplicity of our approach to ZTNA. Our partnership with McAfee continues to deliver on that approach – a fast and consistent user experience across platforms that provides true zero trust security by connecting users to apps, from any device or location. This distinct approach addresses key security concerns and will accelerate adoption of ZTNA, taking key steps toward network transformation” – Egemen Tas, TransientX founder and CEO.
Caglayanlar, a leading automotive parts distributor, stopped critical data leakage and secured remote access with McAfee® UCE & TransientAccess ZTNA
Caglayanlar, a Turkish automotive parts distributor, was struggling to provide secure remote access to employees and business partners, losing critical business data to competitors. We did a case study on how Caglayanlar achieved true edge-to-cloud SASE security with McAfee UCE and TransientAccess ZTNA.
Collecting, analyzing and prioritizing logs consumed many hours that the IT team could ill afford to spare. The team had to constantly review the security status of devices such as mobile phones and personal computers connected to the company network. In addition, the company faced a problem of password sharing by its dealers, and by extension information that was intended only for a specific dealer. This situation was a challenge for the company, bypassing many security measures and leading to data leakage to unrelated parties.
Preventing Data Leakage
To prevent data leakage, the IT team had to manually analyze the situation, identify the resellers who provided such access and restrict their access. At that stage, it was not possible for the IT team to provide a view through a common portal to review and manage security logs. In such situations, the logs on different devices and on different days had to be examined separately. These devices included remote access VPN devices, firewalls and hardware such as switches and routers. Such an approach both consumed a lot of time and required the technical expertise of the staff to cover all devices. This situation made it impossible to manage against such threats with limited resources and personnel for the company and left the company exposed.
Data Privacy and Compliance
Data privacy and protection regulations like GDPR and KVKK (Turkish regulations similar to GDPR) compelled Caglayanlar to review its information security practices and the importance of protecting employee and customer data. The automotive sector has become increasingly complex, and this was reflected in the security challenges faced by Caglayanlar. They elected to find a trusted partner in Turkey, DemirBT. DemirBT brought their expertise to the table in a joint consultation to create a safe end-to-end computing environment for Caglayanlar.
“Easy-to-use TransientAccess integrated with McAfee UCE allows us to automate our defenses much more. We can do tasks automatically faster and easier, so we can use our team’s resources where they can add the most value.”
-Sinan Güner, Deputy general manager
McAfee MVISION UCE and TransientAccess:
Solving critical infrastructure and remote access challenges.
With DemirBT, they carried out POC studies with many product alternatives and decided on McAfee MVISION, McAfee’s Device-to-Cloud security platform, including McAfee Unified Cloud Edge (McAfee UCE) and TransientX’s TransientAccess Zero Trust Network Access (ZTNA) product. With its product range, McAfee MVISION solved the problem of data leakage on end user devices with McAfee DLP and disk encryption products, and provided solutions to manage them on a single pane of glass. Complementing the McAfee MVISION solution, TransientX’s TransientAccess product for remote access ensured employees, dealers and business partners could access their applications and related critical data remotely without having to expose them to the internet. They also made sure that the dealers could access their applications only from the devices defined for them by the TransientAccess policy.
This powerful and comprehensive suite replaced legacy manual efforts that Caglayanlar had used in the past. The combined solution used McAfee MVISION DLP with Disk Encryption and TransientAccess to defend against emerging and targeted attacks. This combination mitigates all data stealing and malware attempts as well as fraud attempts by rogue dealers.
Read the full case study here.
If you’re running McAfee UCE, TransientAccess is available on the MVISION Marketplace.
Or you can start for free here.