5 Steps for Curbing Malware With Zero Trust Segmentation

Cyberattacks are increasing in frequency and sophistication, putting the security of organizations at risk. In the past year, over a third of companies worldwide have been hit with a ransomware attack or a data breach that blocked access to data.

According to a survey of 500+ security professionals by research firm IDC, companies reported that advanced malware was the most frequent contributor to security breaches.

To protect against advanced threats, IT organizations should make a variety of security investments. These include traditional security products, such as antivirus software for detecting malware. They should also invest in security training for employees.

But there’s another critical step: adopting a Zero Trust segmentation strategy.

To segment the network, you deploy “allow-list” policy controls on endpoints, only allowing specific types of traffic required for legitimate business operations. This approach recognizes that attacks are inevitable. In a large organization with thousands or even hundreds of thousands of endpoints, malware will get through, somewhere, somehow.

The best defense then becomes blocking the malware from traveling from endpoint to endpoint — a technique that’s known as “lateral movement.”

With Zero Trust segmentation applied to endpoints, malware and ransomware won’t be able to spread and cause material damage. It won’t sweep the company, or even a single department. Instead, it will be contained to a single laptop.

Taking a Five-Step Approach to Enforcing Zero Trust on Endpoints

In a recent IDC Technology Spotlight, Michael Suby, IDC’s head of security research, recommended the following five-step process for curbing the spread of malware and ransomware attacks by taking a Zero Trust (“allow-list”) approach.

Step 1: Visualize traffic flows

The goal of restricting endpoint traffic is to prevent malware from spreading easily across the network. To manage endpoint traffic, this strategy takes advantage of the firewalls built into host operating systems.

By controlling these firewalls with a lightweight agent, IT teams can restrict data access to just the access required for business. In other words, they can allow employees and their endpoints to access the applications and data they need—and to access nothing else.

To determine what access employees need, IDC says IT organizations should monitor traffic flows, preferably for about 30 days, to account for normal fluctuations in application and data usage. Monitoring should be comprehensive, tracking data flows on-premises, in remote locations, and to and from the cloud.

For best results, take advantage of host-based software and network infrastructure reporting, rather than trying to monitor all traffic across all locations for all devices from a single server.

Step 2: Group endpoints

Creating policies for allowing and disallowing traffic can quickly become complex. To streamline this work, group endpoints by their common characteristics and develop allow-list policies accordingly. Groupings of endpoints might include:

• Location (for example: NY office, remote, etc.)
• Device type (for example: laptop)
• Employee affiliations (for example: departments, roles, etc.)
• Operating hours (for example: standard work hours or non-work hours)

By assigning endpoints to these groupings, IT administrators can simplify the work of creating and fine-tuning policies in the following steps.

Step 3: Define and test allow-list policies

The next step is to define policies that allow traffic using specific network ports, addresses and protocols to those required to support daily business operations. It’s a good idea to start with the most restrictive policies and monitor how they would affect traffic if enforced. As a general principle, you want to limit traffic as much as possible to give malware as few openings for movement as possible.

Step 4: Enforce allow-list policies

The next step is to enforce the allow-list policies, permitting only traffic that is specifically identified by a policy. Theoretically, this step might require IT administrators to craft complex firewall rules by hand and deploy each ruleset on the appropriate endpoint groups.

But with a solution like Illumio Edge and Illumio Core, there’s no need for administrators to write or manage firewall rules directly. Instead, they can define the allow-list policies they want, and Illumio automatically translates those policies into detailed firewall rules that are easy to deploy across endpoints, as well as data center and cloud workloads.

Step 5: Refine allow-list policies

The final step in this process is to continue monitoring and refining allow-list policies as needed, curtailing access as much as possible without ever interfering with business operations.

Benefits of Curbing Malware With Zero Trust Segmentation

The benefits of this approach using solutions like Illumio Edge and Illumio Core are substantial:

• Improved visibility into endpoint traffic and potential threats.
• Reduced damage from malware, ransomware, and other cyberattacks.
• Automation that makes defining, deploying, and refining allow-list policies quick and easy.
• Scalability suitable for the largest enterprise networks.
• Integration with SIEM systems and other IT security tools, so that allow-list policies can work as part of a larger, multi-layered approach to IT security.
   

To learn more about these steps and IDC’s research, read the IDC Technology Spotlight, Curb Malware Spread with Comprehensive Visibility and Allow-List Policy Control.