Despite record security spend, breaches are still commonplace. In their 2022 Cost of a Data Breach report, IBM interviewed hundreds of organizations who had been breached, and 83 percent revealed they have been breach victims more than once.
If you are breached, often one of the first calls to make is to your cyber insurance carrier who will typically pay for a Digital Forensics and Incident Response firm (DFIR) or a recovery firm to stop the attack, perform remediation, and conduct a forensic investigation.
The challenge for these firms is that they are asked to go into networks that they don't know, essentially blind. And then they are working against the clock to limit the impact and damage done to your business.
Your insurance carrier is also heavily invested in minimizing the impact of breaches because the more an attack spreads, the more devices are compromised, and that means more time and money needed to fix them. As a result, cyber insurance premiums have been rising due to the carriers’ financial losses from the increasing number of payouts from breaches.
Why Zero Trust Segmentation is effective for incident response
Illumio ZTS helps you see the environment, providing immediate network visibility for DFIR and recovery teams going into networks they’ve never seen before.
Illumio ZTS doesn’t touch the client's physical network which removes the need to create VLANs or use firewalls, a common part of IR engagements.
Illumio ZTS stops breach spread and enhances the speed of recovery by prioritizing the client's most critical business functions, even before the investigation or recovery process is complete — and even when the attacker is still in the environment.
Insurance carriers have been on the front lines responding to the increase in cyberattacks, and they recognize that segmentation can stop malware propagation in the first place by dramatically reducing the attack surface.
How segmentation works in active and post-breach engagements
In an active breach, Illumio is deployed alongside EDR tools, increasing the time EDR has to detect and remediate threats. The Illumio IR team manages the tenant on behalf of the DFIR or recovery partner and uses segmentation to restore downed business lines, stop breach spread, and intelligently separate the infected systems in real time.
In a post-breach engagement, Illumio is deployed after the DFIR engagement, and here segmentation is used to assist in the protection of critical applications for insurance requirements or emergency measures. The Illumio IR team can also proactively block common attack vectors against future threats.
In both types of engagements, Illumio partners get 24/7 access to Illumio experts with extensive backgrounds working in real-world, active breaches alongside leading DFIR and recovery firms. Because our team is an extension of our DFIR partners, we make sure to understand their tools and workflows aligned to how they approach live breaches. Our team creates Illumio tenants that are fully customized for IR and recovery project management and workflows — and tenants are provided at no cost to our partners.
Illumio’s IR team works in breaches alongside DFIR and recovery firms
In an active breach, one of the key things Illumio ZTS can do using segmentation is prevent reinfection by separating compromised environments into “clean” and “dirty” bubbles.
The dirty bubble is segmented to include only the infected devices, which stay contained and effectively quarantined throughout the response and recovery work while the IR firm retains access to them. Illumio also sets up a “recovery” bubble so the recovery firm can reach the data it needs.
Illumio then sets up a “clean” bubble which is where all the clean, remediated devices are brought back online. We do this so the IR or recovery team doesn’t need to create VLANs or separate networks before they can begin their work.
Finally, we start segmenting critical business applications to get them back online faster compared to traditional methods using legacy tools and re-architecting the physical network.
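The clean/dirty/recovery bubble model above can be expressed as a label-based, default-deny policy: each host carries a bubble label, allow rules are written against labels rather than IP addresses or VLANs, and moving a remediated device into the clean bubble is a relabel rather than a network change. The following is an added illustration written for this page, not Illumio's code or an export of its policy model; the bubble names, ports, hosts and rules are constructed assumptions.

```python
"""Constructed model of clean/dirty/recovery segmentation bubbles.

Hosts carry a bubble label; traffic is default-deny and allow rules are
written against labels. Assumption for this example only: the "ir" bubble
holds responder jump hosts, and quarantined ("dirty") hosts may never
initiate connections, which blocks lateral movement between infected hosts.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    bubble: str            # "dirty", "recovery", "clean" or "ir"
    role: str = "workstation"


@dataclass(frozen=True)
class Rule:
    src_bubble: str
    dst_bubble: str
    ports: frozenset       # destination TCP ports the rule allows
    note: str


# Constructed allow-list (assumption): anything not matched here is denied.
POLICY = (
    Rule("ir", "dirty", frozenset({22, 3389, 445}), "responders reach quarantined hosts"),
    Rule("ir", "recovery", frozenset({22, 3389}), "responders manage recovery hosts"),
    Rule("recovery", "dirty", frozenset({445}), "recovery firm pulls data off infected hosts"),
    Rule("clean", "clean", frozenset({443, 1433}), "restored business apps talk to each other"),
    Rule("ir", "clean", frozenset({22, 3389}), "responders verify restored hosts"),
)


class Segmenter:
    def __init__(self, hosts: Iterable[Host], policy=POLICY):
        self.hosts = {h.name: h for h in hosts}
        self.policy = policy

    def is_allowed(self, src: str, dst: str, port: int) -> bool:
        """Return True only if some allow rule matches the source and destination labels."""
        s, d = self.hosts[src], self.hosts[dst]
        if s.bubble == "dirty":
            # Quarantine: infected hosts cannot initiate anywhere, not even to each other.
            return False
        return any(
            r.src_bubble == s.bubble and r.dst_bubble == d.bubble and port in r.ports
            for r in self.policy
        )

    def remediate(self, name: str) -> Host:
        """Bring a cleared host back online by relabeling it into the clean bubble."""
        h = self.hosts[name]
        if h.bubble != "dirty":
            raise ValueError(f"{name} is not quarantined")
        cleaned = Host(h.name, h.ip, "clean", h.role)
        self.hosts[name] = cleaned
        return cleaned

    def evaluate(self, flows: Iterable[Tuple[str, str, int]]) -> List[Tuple[str, str, int, bool]]:
        """Evaluate (src, dst, port) flows and return each with its allow/deny decision."""
        return [(s, d, p, self.is_allowed(s, d, p)) for s, d, p in flows]


def build_example() -> Segmenter:
    """Constructed sample environment: two infected workstations, a restored ERP app tier."""
    return Segmenter([
        Host("ir-jump", "10.99.0.5", "ir", "jumphost"),
        Host("forensic-box", "10.99.1.10", "recovery", "collector"),
        Host("ws-101", "10.10.2.101", "dirty"),
        Host("ws-102", "10.10.2.102", "dirty"),
        Host("erp-app", "10.20.0.11", "clean", "app"),
        Host("erp-db", "10.20.0.12", "clean", "db"),
    ])


if __name__ == "__main__":
    seg = build_example()
    flows = [("ws-101", "ws-102", 445), ("ws-101", "erp-db", 1433),
             ("ir-jump", "ws-101", 3389), ("forensic-box", "ws-101", 445),
             ("forensic-box", "erp-db", 1433), ("erp-app", "erp-db", 1433)]
    for src, dst, port, ok in seg.evaluate(flows):
        print(f"{src} -> {dst}:{port}  {'ALLOW' if ok else 'DENY'}")
    seg.remediate("ws-101")
    print("after remediation:", seg.is_allowed("ws-101", "erp-app", 443))
```

The point of the model is the order of operations: the infected workstations are cut off from the ERP tier and from each other the moment they are labeled dirty, responders and the recovery firm keep the access they need, and a host re-enters production when its label changes rather than when a VLAN or firewall change is scheduled.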
Segmentation changes how incident response can be done
In many cases, you can’t recover business lines while you’re uncertain whether the attacker is still active in the environment. This means you often must first deploy EDR everywhere and get a full clean bill of health — and only then are you able to move ahead. That can consume a considerable amount of valuable time when a team is working against the clock.
Take for example a manufacturing company that has been hit by ransomware that has taken its production floor offline. It needs to produce goods but can’t. The Illumio IR team goes into the active breach, segments the compromised environment into bubbles — even if the attacker is still active in the environment — and helps bring the production environment back online, giving access back to the manufacturer so operations can resume, with investigation and recovery work done in parallel.
The Illumio Incident Response Partner Program
Illumio is excited to announce our new Incident Response Partner Program, designed to work with leading DFIR and recovery firms to include ZTS as part of IR and forensic engagements. For clients experiencing the impact of a security breach, Illumio helps them recover faster by prioritizing the remediation that gets their business operational again, much faster than the traditional approach.
For our DFIR and recovery partners, Illumio provides an experienced, on-demand support team, customized tenants on standby, and a program designed to integrate segmentation within existing workflows while delivering complete confidentiality in all engagements.
If you’d like to learn more about our Incident Response Partner Program, please contact Ben Harel, Illumio’s Head of Incident Response at [email protected].
Or, if you’re interested in becoming an Incident Response Partner, learn more here.