It feels like every day there’s another headline about a breach, and as security leaders, we’re often left feeling like we’re pushing rope uphill. We spend our days convincing organizations to implement the basics—solid security hygiene that will genuinely make a difference. Meanwhile, we’re fighting for budget, being asked to do more with less, and constantly pressured to reduce costs while remediating threats and improving the security posture.
Here’s the kicker: over 80% of breaches are tied back to compromised identities or vulnerable user devices. So why not double down on strengthening those areas? If we can get identity and device hygiene right, we can dramatically reduce risk.
Thinking Ahead: Remediating Threats with Forethought
If you’ve read the Verizon Data Breach Investigations Report (DBIR), you already know the landscape is messy. Threat actors, risks, and attack outcomes shift depending on industry, geography, and a host of other variables. But if we simplify the noise, we can focus on where to make meaningful investments. These are the areas where CISOs and security leaders are allocating budget—not because of fear, uncertainty, and doubt, but because they deliver real results.

At 909 Cyber, we use a simple framework to think about threats and remediation. It’s vendor-agnostic and designed to help leaders prioritize and act. I call it the 4x4x4 Threat Framework:
4 Threat Actors
- Naive Insider – The employee who clicks that phishing link without thinking twice.
- Malicious Insider – The disgruntled contractor or rogue employee looking to settle a score.
- Outsider Posing as Insider – The attacker who bought your credentials on the dark web.
- Outsider – The hacker using brute force or exploiting an accidental misconfiguration.
4 Risky Activities
- Phishing for Credentials – Gathers the goods needed to impersonate legitimate users.
- Installing Malware – Compromises devices to enable ransomware, spyware, or worse.
- Introducing Vulnerabilities – Tampering with the supply chain or misconfiguring systems.
- Unauthorized Access – Logging into systems they shouldn’t even know exist.
4 Likely Outcomes
- Denial of Service (DoS) – Shuts down your systems and services.
- Lateral Movement – Spreads compromise across your environment, escalating privileges.
- Exfiltration of Keys – Admin credentials, encryption keys… game over if these are stolen.
- Exfiltration of Data – Sensitive data walks out the door.
Take a look at the recent tactics from groups like LAPSUS$. They’re not reinventing the wheel—they’re buying credentials or bribing insiders to hand them over. Once they’re in, it’s smash and grab. And with the rise of ransomware, we’ve seen how fragile availability—the “A” in the CIA triad—really is.
Traditional Defense-in-Depth Isn’t Enough
For years, we relied on defense-in-depth strategies:
- Phishing awareness training
- Email filtering
- Network choke points to funnel traffic and block bad URLs
- VPNs to “secure” remote access
- MFA and least-privilege access
These remain foundational—but they’re no longer enough. Everyone’s working remotely, apps are in the cloud, and traffic doesn’t need to route back to HQ just to be protected. Forcing traffic through traditional network controls increases complexity, cost, and frankly, user frustration.
These legacy strategies are now table stakes. You need something more. You need what I call the “whizbang”—the extra layer of intelligence and control that makes your defense strategy actually work in today’s threat landscape.
The New Table Stakes: Modern Strategies That Work
So, what’s this whizbang I’m talking about? (And yes, I’m Scottish. Go look up Craig Ferguson if you don’t already know him—watch, laugh, and thank me later.)
Here’s where modern security teams need to focus:
1. Device Registration
Let’s say a bad actor gets your username and password, and maybe you even get hit with an MFA fatigue attack. But if they’re not on a registered device, they’re dead in the water. Device registration ensures that only trusted devices can access your systems and data. No device registration? No access. Simple.
2. Enforcing Device Posture
Device trust isn’t just about who owns the hardware—it’s about what shape it’s in. Is the OS patched? Is disk encryption on? Is EDR installed? This is especially critical for BYOD and third-party contractors where you don’t control the endpoint. If a device doesn’t meet your standards, it doesn’t get access. Period.
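To make points 1 and 2 concrete, here is an added access-decision example (not code from 909 Cyber or any product) in which a valid password and MFA approval are necessary but not sufficient: the device must also be registered and must pass posture checks for OS version, patch age, disk encryption and EDR. The device fields, policy thresholds and the three sample devices are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:
    registered: bool          # enrolled in the org's device registry
    os_version: tuple         # e.g. (14, 4, 1)
    last_patched: date
    disk_encrypted: bool
    edr_running: bool
@dataclass
class PosturePolicy:          # thresholds are constructed examples
    min_os_version: tuple = (14, 4, 0)
    max_patch_age_days: int = 30
    require_disk_encryption: bool = True
    require_edr: bool = True

def posture_failures(device, policy, today):
    """Return the posture rules the device fails (empty list = compliant)."""
    failures = []
    if device.os_version < policy.min_os_version:
        failures.append("os_version below minimum")
    if (today - device.last_patched).days > policy.max_patch_age_days:
        failures.append("patches older than policy allows")
    if policy.require_disk_encryption and not device.disk_encrypted:
        failures.append("disk not encrypted")
    if policy.require_edr and not device.edr_running:
        failures.append("EDR not running")
    return failures

def evaluate_access(password_ok, mfa_ok, device, policy, today):
    """Identity AND device trust must both hold; returns (allowed, reasons)."""
    reasons = []
    if not (password_ok and mfa_ok):
        reasons.append("authentication failed")
    # Checked even when password and MFA pass: a stolen password plus an MFA-fatigue approval still fails on an unregistered device.
    if not device.registered:
        reasons.append("device not registered")
    else:
        reasons.extend(posture_failures(device, policy, today))
    return (not reasons, reasons)
def demo():
    # Three constructed devices, each presenting a valid password and MFA approval.
    today, policy = date(2025, 6, 1), PosturePolicy()
    devices = {
        "managed": Device(True, (14, 5, 0), date(2025, 5, 20), True, True),
        "unregistered": Device(False, (14, 5, 0), date(2025, 5, 20), True, True),
        "noncompliant": Device(True, (14, 3, 9), date(2025, 4, 1), False, True),
    }
    return {n: evaluate_access(True, True, d, policy, today) for n, d in devices.items()}
```

The returned reasons list is what you would log and surface to the user or help desk, so a denial is explainable rather than a silent failure.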
3. Ditch the VPN
Sorry, network security folks, but VPNs just aren’t cutting it. They create a flat network where anyone with access can move laterally—bad actors included. VPNs also increase operational complexity (ever tried to manage IP tables for every scenario?). Instead, expose only what’s necessary: publish apps securely to the web using modern identity-based access controls. No network-level access, no lateral movement.
4. DNS and URL Filtering
Every time a user clicks a link, it’s like a round of Russian roulette. Stop the madness. Use threat intelligence to block malicious URLs and DNS queries right at the endpoint. You’ll transform every device into an edge security control, preventing malware downloads and command-and-control callbacks before they start.
Cut Through the Noise—Focus on What Works
Here’s the reality: We’re all under constant attack. Identity and device security are the new front lines. The network isn’t the trust boundary anymore—identity is. If you want to protect your workforce and data, the controls need to be simple, strong, and scalable.
Authentication should be at the core of everything, and it should be tightly coupled with device trust. That’s where the real whizbang comes in.
And if you’re still figuring out how to put all the pieces together, drop us a line at 909 Cyber. We’re here to help you navigate these challenges and build a security strategy that actually works.