Cyberattacks: Prevention to Containment

0

Written by Gary Barlet, Field CTO, Illumio.

Historically, cybersecurity in both the public and private sectors has followed one consistent theme: prevention and detection. The problem? Prevention and detection aren’t enough. Breaches are still happening.

After decades of trying to prevent and detect direct attacks by adversaries – and failing – it’s time to shift the focus to containment. Whether Einstein actually said it or not, the truism is still accurate: “The definition of insanity is doing the same thing over and over and expecting different results.”

Traditional security methods aren’t enough to fight modern adversaries

Most security teams’ efforts have focused on trying to keep threats from entering the data centre or cloud.

The boundary between the untrusted outside and the trusted inside is where the majority of security tools have been placed. This is where next-generation firewalls, anti-virus scanners, proxies, and other security tools are deployed which attempt to inspect all incoming traffic to ensure that nothing bad slips through.

However, all of the security breaches of the past years have had at least one of these tools deployed and most have been in compliance with security requirements. Yet, adversaries have successfully entered the network.

And once inside the network, all adversaries have one thing in common: They like to move. They spread laterally, east-west, moving from host to host to seek out their intended target for data exfiltration.

Many of these breaches have been discovered long after they entered the network, sometimes months later. Even with the shift from prevention to detection, today’s tools are no match to modern adversaries who are very good at avoiding detection until after the damage is done.

Once compromised, most networks are wide open to east-west propagation

A traditional approach to cybersecurity defines everything outside of the perimeter as untrusted and everything inside of the perimeter as trusted. The result is that there is often very little to prevent adversaries from spreading laterally once inside of the trusted core.

Spreading host to host, application to application, across network segments means that most workloads are sitting ducks to fast-moving adversaries. And network segments are usually very ineffective at preventing them from spreading between hosts.

Network devices look at packet headers, but discovering adversaries requires looking deep into the data payload of packets, and this requires deploying firewalls between all hosts. This quickly becomes expensive and a potential network bottleneck, with every packet needing to be ‘cracked open’ and inspected, relying on either signatures, ‘sandboxes,’ AI, Machine Learning, or other complex methods without slowing down the network.

Even when this approach is tried, it is quickly abandoned or pared down – and delivers no ROI on hard-won budget dollars. This leaves very little to prevent east-west propagation and hosts remain wide open.

When the inevitable breach occurs, people start pointing fingers.

Organisations without Zero Trust Segmentation are fighting a war they can’t win

All perimeters are porous. Even a 99 percent effective perimeter security boundary will eventually be breached. Or a security breach will enter from the inside, either accidentally or intentionally.

Those who are still trying to deploy even more expensive security tools at the perimeter – and who continue to trust that their hosts are not propagating any kind of threats, will find themselves in the media the next day as the latest victim of a direct attack.

Zero Trust Segmentation, also known as microsegmentation, is a major part of a Zero Trust architecture in which every resource is a trust boundary, decoupled from network boundaries.

Illumio ensures every single workload is segmented from every other workload, enforcing a least-privilege access model between them, with hosts identified using a metadata-driven model and not their network addresses. This means that workloads deployed on hosts are identified via their function and not their location, enabling the clear visualisation of network behaviour between hosts.

Gain visibility of how applications are talking on your network

Visibility into network traffic between applications, from an application-centric perspective, is challenging using network devices, either physical devices in a data centre or virtual devices in a public cloud.

This is because visualising application behaviour and dependencies from switches, routers, firewalls, or monitoring tools usually requires translating network behaviour into application behaviour and discovering ‘who is doing what to whom’ between applications and hosts. Usually, this quickly becomes more confusing than revealing.

Visualising how applications talk to each other across a network requires a solution deployed directly on the hosts which those applications reside on. Having a clear and precise dependency map between all applications in your data centre and cloud enables very quick discoveries of compliance violations and how hosts are communicating with each other without having to touch the network or touch the cloud.

Always assume breach

The modern security model needs to assume a breach either will or already has occurred. Whether the breach comes from a state-sponsored adversary or a criminal gang, with the right technology, like Zero Trust Segmentation, that threat can be isolated and prevented from spreading.

Share.