.png)
Little-Known Features of Illumio Core: Vulnerability Maps
In this ongoing series, Illumio security experts highlight the lesser known (but no less powerful) features of Illumio Core.
The modern compute landscape is a very tempting target for cybercriminals, with the potential for significant profit from ransomware, financial theft via breaches, the exfiltration of intellectual property, and infrastructure disruption.
With traditional security controls often falling far behind as a priority in hybrid, multi-cloud architectures, the opportunities for cybercriminals only keep increasing. Many organizations are using vulnerability scanners to get real-time updates on vulnerable ports, but these scanners only provide insights – not fixes.
In this blog post, learn how you can combine your vulnerability scanner data with the power of Illumio’s Vulnerability Map to immediately secure vulnerabilities and reduce your risk exposure.
Network complexity makes securing against zero-day threats difficult
Today, data resides everywhere. Data can move around dynamically within and between clouds, to and from distributed data centers, and to and from endpoints which can connect to cloud services from anywhere on the planet, with dependencies on data hosted on SaaS platforms.
While this modern dynamic architecture is convenient, the tradeoff is that there is an explosion of possible entry points into your environment. All of those clouds, data centers, and endpoints rely on a dynamic range of external dependencies, each one serving as a potential open door which can be breached.
.webp)
The modern cybercriminal can easily scan all of these entry points for an opportunity, and despite the reliance on endpoint identity controls, cloud-perimeter tools such as virtual firewalls, SASE, and ZTNA enforcement points, most breaches through these tools occur due to human configuration errors or vendor bugs.
Many of the great breaches of the past years have been due to the weakest link in any security architecture: the person between the keyboard and the chair. Organizations need to assume that a breach will eventually occur and organizations need a way to clearly quantify the risk of workloads against the constant onslaught of zero-day malware.
Vulnerability scanners alone aren't enough to protect against newly detected threats
Vulnerability scanners provide real-time updates on vulnerable ports being used by the latest malware to propagate malicious payloads. Common examples of such scanners are Qualys, Rapid7, and Tenable. Vulnerability information received from these scanners can help identify workloads in your environment which may be using these at-risk ports and will need to be patched to protect against reported vulnerabilities.
These scanners provide a Common Vulnerability Scoring System (CVSS) to quantify risks by ranking vulnerable exposures against a numeric scale. Vulnerability scores from scanners are one-dimensional, applied to a port or range of ports which are used by a given OS. This leaves it up to the security operations center to determine which workloads and dependencies will need to be patched and how much downtime critical workloads can tolerate to upgrade them in a timely manner.
This often results in real-time information on exposures – but with delays in remediating them. Why? Since these scanners have no visibility inside your environment, they don’t consider a workload’s connectivity or dependencies between other workloads across your environment and can’t offer immediate protection against newly detected threats.
Pair vulnerability scanners with Illumio for fast breach containment
To make vulnerability scanners more effective, you need a way to automate security in response to scanners’ findings. That’s where Illumio’s Vulnerability Maps come into play. Combine data from your vulnerability scanner with Illumio's real-time map to measure and reduce risk exposure.
This feature combines the CVSS scores received from these scanners along with the information Illumio Core continuously discovers across your environment to calculate a Vulnerability Exposure Score (VES). Also sometimes called a V-E Score, this is a number along a scale of risk: higher scores mean higher risk while lower scores mean lower risk. This V-E score calculates how many workloads across your environment are able to use these vulnerable ports between hosted applications and will then recommend modified policy to prevent these ports from being used between workloads.
This means that if you aren’t able to currently patch a vulnerable host, Illumio essentially patches the network for you. Since it needs to be assumed that one unpatched host in your environment will inevitably be compromised by malware using this vulnerable port, Illumio will prevent that unpatched host from spreading malware laterally to any other hosts.
Illumio isolates attacks and stops them from spreading throughout your network without needing to understand the attack’s configuration or intentions. While it’s still important to patch vulnerable workloads, Illumio enables immediate security while your remediation steps might follow a slower workflow.
How Vulnerability Maps quantify security risk in 3 steps
Illumio Core enables security teams to quantity risk, build segmentation policy, and then model and test the policy prior to deploying it. By being able to test and monitor expected network behavior once policy gets deployed, teams can ensure new deployments won’t break application workflows.
If Illumio Core sees traffic trying to connect to a port with a known vulnerability, it will send a traffic alert informing the SOC, including vulnerability and severity context, and immediately block that traffic from establishing.
This process follows these three steps:
1. End-to-end visibility highlights where risks exist
The Vulnerability Map visualizes all workloads and network flows which are vulnerable to risks received from scanners, calculating a V-E Score for each app group and all workloads contained within app groups using colors mapped to risk levels of specific ports.
2. Tightened policy recommendations
In response to new threats, Illumio Core will then recommend modified policy which will reduce workload risk against the reported vulnerability. This includes several levels of increasing segmentation that will reduce the exposure of workloads mapped to different labels to stop and contain any potential breaches.
3. Stop the spread of new threats through the network
The map will show the same colors used to identify exposure risks, and security teams can choose to include or exclude the recommended policy. If the recommended segmentation policy is put in place, the map will show lower exposure scores.
The ability to clearly quantify risk before and after deploying modified workload policy is a valuable tool to demonstrate risk and remediation to SOC operations, application owners, and security auditors. Application owners often don’t have a comprehensive picture of how their applications behave across all dependencies. Illumio ensures that even undetected threats are prevented from propagating by blocking their ability to spoof open ports.
Illumio Core’s agentless approach to workload security
Network security tools deployed at the cloud and data center perimeter will never be 100 percent effective. Because of that, it’s important that organizations implement a Zero Trust breach containment technology like the Illumio Zero Trust Segmentation Platform.
With Illumio, you can secure all sessions between all workloads at any scale. Illumio Vulnerability Maps expands vulnerability scores across your entire hybrid, multi-cloud infrastructure, not just to individual hosts, to prevent malware from spreading through the network using ports from unpatched workloads.
To learn more about Illumio ZTS, contact us today for a free consultation and demo.
