Hybrid Network Security: Illumio vs. CSPM and CWPP Vendors
You've finally been promoted to CISO of your organization. Congratulations! All those years of building certifications and working on-call shifts have paid off.
After you've selected which corner office you want, chosen the wood grain for your desk, and been given keys to the executive parking garage (I can dream, can't I?), the big day has come where you present to the executive team all the great plans you have to reduce your company's risk.
You've got your strategic, tactical, and operational plans all buzzing around in your head, ready to respond to any objections they may throw in front of you. And at the end of your presentation, they all agree to let you move forward!
And as part of the list of approved projects, they say you can only pick two of the three initiatives:
- Patch all software vulnerabilities
- Stop lateral movement inside the network
- Resolve critical alerts from SIEM
Only two?? But you thought you'd be given an unlimited budget and headcount! Now what?
3 ways to secure your hybrid network
In the words of a famous economist, "There are no solutions, only trade-offs." And this is always the dilemma – how to make the best use of the time and resources available.
How can you choose between 845 sev-1 alerts in your SIEM, 1,342 “critical” CVEs that need patching, or discovering that your entire network is exposed to ransomware?
So, you begin the long, arduous process of drafting project plans, sending out RFIs, and hoping you can hire competent staff to run it all.
Soon enough, vendors start calling and offering solutions to all your problems. Contractors tell you they can do it in half the time for two-thirds the cost. Management wants it done before the next network moratorium.
First up: The cloud security posture management (CSPM) vendors you’ve used before. You bring in two or three of them, and they tell you all about their great features that will help you with things like compliance monitoring or asset inventory tools.
They tell you how your “AWS identity and access management (IAM) roles are the new network perimeter.” They inform you that your storage buckets are exposed to the Internet. They provide you with an exposure map that shows you how all your devices can talk to each other and over what ports.
You agree that these are all worthy and noble causes that need to be addressed.
Next up: The cloud workload protection platforms (CWPP) vendors. These folks will tell you that you need to go deeper into the workloads themselves to make any real progress.
They can point out software vulnerabilities, malware, misplaced keys and other sensitive data in your cloud workloads. They introduce you to the world of artificial intelligence, machine analytics, and other behavioral analysis tools to “get into the mind of the criminal” who desperately wants to expose your intellectual property.
Again, these are all worthy goals, some of which you hadn’t thought of before. But you’re starting to pine for that pager-duty job you had back in 2004.
Then, you decide to meet with this vendor you ran into at RSA Conference called Illumio. You couldn’t miss them after all, with their giant 20-foot, bright orange LED display. (All their employees had a solid tan by Friday from the luminescence.)
Illumio suggests a different approach: Why don’t we start with something basic that can be implemented quickly and can avert 5 cyber disasters each year?
That caught your attention.
Their sales engineer said that a layered approach is needed for security, and that you should consider Zero Trust Segmentation as the base of the pyramid. Because, at the end of the day, somewhere, somehow one of your assets is going to be breached.
What’s important is what happens next: that you prevent it from spreading anywhere else in your network.
This avoids a catastrophic event when an individual system is compromised. The sales engineer went on to describe that the majority of ransomware attacks use remote desktop protocol (RDP) as their primary vector (which you have open everywhere).
Illumio provides Zero Trust Segmentation for both on-premises, agent-based systems and cloud applications.
- Illumio Core offers a simple agent-based approach that uses labels as the mechanism to identify, organize, and apply security policy across your data center environment.
- And Illumio CloudSecure complements this by expanding segmentation tools into your cloud-native environments to manage serverless compute functions and other cloud-native services.
The Illumio option: See and secure all environments in one
After the vendor parade ends and you’re back in your staff meeting, it’s time to discuss which option is the best.
You talk to your Ops teams about how they handle critical alerts today and what it would take to “clear the alert window” of medium and high-risk notifications.
“That’s easy!” says one of the night-shift workers, “I just highlight all the alerts and click delete. There are too many of them to pay attention to, honestly. And if something bad really happens, I’ll get a phone call.”
That wasn’t exactly the answer you wanted to hear, but good information, nonetheless.
You next talk to your software management team. They describe how the common vulnerabilities and exposures (CVE) list isn’t terribly useful because they don’t provide much context: “A lot of them don’t apply to us because they’re not on systems exposed to the Internet. We’re working our way through patching the others, but it’s going to take some time to test them all before rolling out into production.”
The Illumio option is starting to sound better as you remember the sales engineer mentioning a few things about Illumio CloudSecure for agentless, cloud-native applications:
- Most of these CSPM/CWPP vendors don’t really look at the actual traffic flows in your network. Illumio CloudSecure looks at real-time traffic flows and compares them to your cloud-native security rules to provide an analysis of how over-exposed your rulesets are.
(For example, there's no need for a security rule that allows the entire Internet, or even a /16 address block, to access your Lambda functions if they only ever talk to an internal /24.)
While they may be able to tell you who “can” talk, Illumio CloudSecure shows you who “did” talk and to what. Knowing the “can” is only beneficial if you already know what’s considered normal traffic. That requires real traffic flows.
- In the Illumio CloudSecure demo, the sales engineer showed your cloud-native applications on one map, from your Azure development team subscription to your production ordering apps in AWS.
But what was most interesting were the other systems in AWS that you didn’t know existed.
(Who knew that the HR team had hired an intern to build a new payroll reporting app? And WHY is it sending traffic to my production ordering system?)
You realize you can’t secure it if you don’t know it’s out there.
- You also realized none of those CSPM or CWPP vendors you brought in mentioned anything about your on-premises data center. While cloud may be the shiny new toy, you still have critical systems on-site that need the same level of protection.
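As an added illustration of the “can” versus “did” comparison described in the first point above (this is example code written for this page, not Illumio's or CloudSecure's implementation), the snippet below takes constructed allow rules and constructed observed flows, computes the tightest CIDR that actually covers the sources seen on each port, and flags rules that are unused or far broader than what was observed:

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not taken from the page): cloud-native allow rules and
# the source addresses actually observed talking to each port.
RULES = [
    {"id": "sg-lambda-orders", "cidr": "0.0.0.0/0", "port": 443},
    {"id": "sg-reporting", "cidr": "10.20.0.0/16", "port": 5432},
    {"id": "sg-internal", "cidr": "10.30.5.0/24", "port": 8080},
    {"id": "sg-legacy-rdp", "cidr": "0.0.0.0/0", "port": 3389},
]
FLOWS = [  # (source address, destination port) pairs seen on the wire
    ("10.20.7.12", 443), ("10.20.7.99", 443), ("10.20.7.5", 443),
    ("10.20.7.40", 5432), ("10.20.7.41", 5432),
    ("10.30.5.10", 8080), ("10.30.5.200", 8080),
]

def tightest_cidr(addresses):
    """Smallest single IPv4 network that contains every address in the list."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addresses]
    lo, hi = min(ints), max(ints)
    prefix = 32
    # Shorten the prefix until lo and hi share the same network bits.
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    shift = 32 - prefix
    return ipaddress.IPv4Network(((lo >> shift) << shift, prefix))

def exposure_report(rules, flows):
    """Compare what each rule allows ('can') with what was observed ('did')."""
    seen_by_port = defaultdict(set)
    for src, port in flows:
        seen_by_port[port].add(src)
    report = {}
    for rule in rules:
        allowed = ipaddress.IPv4Network(rule["cidr"])
        # Only sources this rule would actually admit count toward its usage.
        seen = [s for s in seen_by_port[rule["port"]]
                if ipaddress.IPv4Address(s) in allowed]
        if not seen:
            report[rule["id"]] = {"allowed": str(allowed), "observed": None,
                                  "verdict": "unused"}
            continue
        observed = tightest_cidr(seen)
        ratio = allowed.num_addresses // observed.num_addresses  # excess breadth
        verdict = "over-exposed" if ratio > 1 else "tight"
        report[rule["id"]] = {"allowed": str(allowed), "observed": str(observed),
                              "excess_factor": ratio, "verdict": verdict}
    return report
```

Calling `exposure_report(RULES, FLOWS)` reports the 0.0.0.0/0 rule on port 443 as over-exposed by a factor of 2^32/128 (only a /25 was ever seen), the never-used 0.0.0.0/0 RDP rule as unused, and the /24 rule on 8080 as tight.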
Start with Illumio, the Zero Trust Segmentation company
Your deadline is quickly approaching. So what do you decide to do? The “Pick Two” dilemma keeps you up at night. Time is ticking.
A lightbulb flickers above your head: a solution!
You return to the executive team and announce, “Look, there’s no perfect solution here. Only trade-offs. But here is what I propose we can do before the web lockdown so you can report significant progress to the board.”
You explain your plan: Start with Illumio, the Zero Trust Segmentation company.
Illumio can:
- Avert 5 cyber disasters annually and save $20.1M in application downtime.
- Help security teams identify all the rogue applications in the cloud so they can start to tighten security rules.
- Provide more time to implement a CNAPP tool, which provides the “next layer” of protection against more sophisticated threats. (You cleverly smirk at your sleight of hand there, combining projects #1 and #3 under Gartner's latest acronym, CNAPP, which combines CSPM and CWPP into one umbrella.)
“Pick two” is achieved – and you were able to get all three.
To learn more about Illumio and Zero Trust Segmentation:
- See how Illumio helped a global law firm stop the spread of ransomware.
- Learn why Illumio is a Leader in Forrester Wave reports on Zero Trust and microsegmentation.
- Read this guide on how Illumio makes Zero Trust Segmentation fast, simple and scalable.
- Contact us to find out how Illumio can help strengthen your organization's defenses against cybersecurity threats.