zvelo’s Cyber Threat Intelligence Data for Secure Access Service Edge (SASE)
The term “Secure Access Service Edge” or SASE (pronounced ‘sassy’) was originally coined by Gartner in 2019 to identify an approach that uses cloud-based services to protect people consistently regardless of endpoint location. In 2021, almost every security vendor has jumped into the market. Although SASE is newly defined, the model has been in the works for some time; remote working during the pandemic made it more pressing.
In the recent past, an enterprise’s internet access has gone through security devices and services including firewalls, intrusion prevention, phish-blocking, and malicious detection systems. Additionally, security has included cloud access security brokers, content delivery networks, distributed denial-of-service protection, and web application security.
Replicating this environment at each remote site is expensive and can be difficult to manage. This is where SASE shows great promise. SASE covers a broad range of network and security functions; the fundamental difference is that security systems and infrastructure move into the cloud rather than sitting at the traditional network boundary. The SASE movement doesn’t change which security capabilities need to be available to protect an organization that adopts this architecture.
For example, companies still require website classification and web filtering; those capabilities are simply moved to a different location (the cloud) and are accessed in different ways, such as through zero trust architectures. These changes don’t remove the need for content classification, phishing protection, or malicious filtering of traffic. For the enterprise, systems that consume data feeds with protective information may be required to be cloud-based and accessible by an SDK. This is true for many companies that already deploy an SDK on cloud infrastructure.
Despite the current shift towards SASE, challenges continue to exist whether security monitoring solutions are on premises or in the cloud. One of the main challenges for many organizations is having the capability to see and block on full-path URLs rather than just base domains and subdomains. Organizations that lack this capability are bound to miss a substantial portion of threats and won’t be able to protect endpoints. If organizations resist the full-path protection requirement due to privacy concerns, malicious actors will go out of their way to host threats on shared infrastructure and make those threats extremely difficult for organizations to block.
Another challenge necessitating visibility and blocking capabilities for full-path URLs is that many shared hosting sites use subdomains to delineate different users of shared infrastructure. If all shared hosting facilities did use subdomains, DNS filtering would be very effective. However, DNS filtering wouldn’t block threats where legitimate hosts are compromised on specific paths, down to the page or article level of a website. Particularly challenging are hosts like docs.google.com, sites.google.com, and other commonly whitelisted sites, which really need full-path URL visibility and blocking capabilities to keep them secure.
For organizations interested in boosting their SASE capabilities with full-path URL visibility and blocking, zveloCTI threat detection solutions can fill that need. A key feature zvelo developed within the CTI portfolio is the ability to tag a given row of threat data with the level at which it can be blocked. For example, if a particular piece of threat intel says that host.com/page1/page2/page3 is malicious, zvelo stores it in a database as a single, full-path URL which can be blocked. This enables an organization to block the specific malicious URL, rather than having to block an entire site at the base or subdomain level. Organizations that use zvelo’s threat intelligence data are able to adapt protections based upon the visibility of the malicious URLs at any level: base domain, subdomain, or full-path.
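The level-tagged blocking described above can be sketched as follows. This is an added example, not zvelo's code or feed format: the row layout, the level names, the `verdict` function and the sample hosts other than host.com are assumptions, and treating a full-path entry as also covering pages beneath it is a design choice made here.

```python
from urllib.parse import urlsplit

# Constructed sample rows: (indicator, level at which it may be blocked).
FEED = [
    ("malicious-example.test", "base_domain"),
    ("user123.sharedhost.example", "subdomain"),
    ("host.com/page1/page2/page3", "full_path"),
]

def normalize(url):
    """Return (lower-cased host, path without trailing slash); query is dropped."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip("."), parts.path.rstrip("/")

def build_index(feed):
    index = {"base_domain": set(), "subdomain": set(), "full_path": set()}
    for indicator, level in feed:
        host, path = normalize(indicator)
        index[level].add(host + path if level == "full_path" else host)
    return index

INDEX = build_index(FEED)

def verdict(url, index=INDEX, dns_only=False):
    """Return the matched block level, or None if the URL is allowed.

    dns_only=True models a filter that only ever sees the hostname.
    """
    host, path = normalize(url)
    if host in index["subdomain"]:          # exact host on shared hosting
        return "subdomain"
    labels = host.split(".")
    for i in range(len(labels)):            # base entry covers all subdomains
        if ".".join(labels[i:]) in index["base_domain"]:
            return "base_domain"
    if dns_only:
        return None                         # path-level rows are invisible
    segs = path.split("/")                  # ["", "page1", "page2", ...]
    for i in range(len(segs), 1, -1):       # match on whole path segments only
        if host + "/".join(segs[:i]) in index["full_path"]:
            return "full_path"
    return None

if __name__ == "__main__":
    for u in ("https://host.com/page1/page2/page3?id=7",
              "https://host.com/page1/other",
              "http://user123.sharedhost.example/login"):
        print(u, "->", verdict(u), "| DNS-only:", verdict(u, dns_only=True))
```

The `dns_only` flag shows the gap the article describes: the host.com row only produces a block when the filter can see the full URL.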
zvelo is ready right now to support a company’s existing architecture and ultimately SASE when the enterprise is ready to move in that direction. Contact us today for more information on how zvelo can support your SASE environment and improve your threat detection capabilities.
For additional information on the SASE Framework