Why Cyber Disasters Are Still Happening — And How to Fix It

Historically, cybersecurity in both the public and private sectors has followed one consistent theme: prevention and detection.

The problem? Prevention and detection aren't enough. Breaches are still happening.

After decades of trying to prevent and detect direct attacks by adversaries — and failing — it's time to shift the focus to containment. Whether Einstein actually said it or not, the truism is still accurate: The definition of insanity is doing the same thing over and over and expecting different results.

Traditional security methods aren't enough to fight modern adversaries

Most security teams' efforts have focused on trying to keep threats from entering the data center or cloud.

The north-south perimeter, the boundary between the untrusted outside and the trusted inside, is where the majority of security tools have been placed. This is where next-generation firewalls, anti-virus scanners, proxies, and other security tools are deployed which attempt to inspect all incoming traffic to ensure that nothing bad slips through.

However, all of the great security breaches of the past years have had at least one of these tools deployed and most have been in compliance with security requirements. Yet, adversaries have successfully entered the network.

And once inside the network, all adversaries have one thing in common: They like to move. They spread laterally, east-west, moving from host to host to seek out their intended target for data exfiltration.

Many of these breaches have been discovered long after they entered the network, sometimes months later. Even with the shift from prevention to detection, today's tools are no match to modern adversaries who are very good at avoiding detection until after the damage is done.

Once compromised, most networks are wide open to east-west propagation

A traditional approach to cybersecurity defines everything outside of the perimeter as untrusted and everything inside of the perimeter as trusted. The result is that there is often very little to prevent adversaries from spreading laterally once it is inside of the trusted core.

Spreading host to host, application to application, across network segments means that most workloads are sitting ducks to fast-moving adversaries. And network segments are usually very ineffective at preventing them from spreading between hosts.

Network segments are designed to prevent network problems, such as DDoS or ARP spoofing. VLANs, IP subnets, routing peering points, and SDN overlay networks are created to control these problems and to enable traffic engineering in the network. But adversaries easily traverse these network segments since they usually propagate between hosts over ports which look like legitimate traffic.

Network devices look at packet headers, and they will block or allow traffic based on what ports are found in these headers. But discovering adversaries requires looking deep into the data payload of packets, and this requires deploying firewalls between all hosts in the path of all east-west traffic.

This quickly becomes expensive and a potential network bottleneck, with every packet needing to be "cracked open" and inspected, relying on either signatures, "sandboxes," AI, Machine Learning, or other complex methods to try to discover adversaries without slowing down the network.

Even when this approach is tried, it is quickly abandoned or pared down -— and delivers no ROI on hard-won budget dollars. This leaves very little to prevent east-west propagation and hosts remain wide open.

When the inevitable breach occurs, people start pointing fingers.

Organizations without Zero Trust Segmentation are fighting a war they can't win

All perimeters are porous. Even a 99 percent effective perimeter security boundary will eventually be breached. Or a security breach will enter from the inside, either accidentally or intentionally.

Those who are still trying to deploy even more expensive security tools at the perimeter — and who continue to trust that their hosts are not propagating any kind of threats east-west across their network — will find themselves in the news the next day as the latest victim of a direct attack.

Anyone who ignores implementing security across their entire east-west fabric will be fighting a losing battle.

Microsegmentation is a major part of a Zero Trust architecture in which every resource is a trust boundary, decoupled from network boundaries.

Illumio secures the east-west threat vectors inside of the data center and cloud at high scale.

Every single workload is microsegmented from every other workload, enforcing a least-privilege access model between them, with hosts identified using a metadata-driven model and not their network addresses. This means that workloads deployed on hosts are identified via their function and not their location, enabling the clear visualization of network behavior between hosts.

Learn more about microsegmentation here.

Gain visibility of how applications are talking on your network

Visibility into network traffic between applications, from an application-centric perspective, is challenging using network devices, either physical devices in a data center or virtual devices in a public cloud.

This is because visualizing application behavior and dependencies from switches, routers, firewalls, or monitoring tools usually requires translating network behavior into application behavior and discovering "who is doing what to whom" between applications and hosts. Oftentimes, this quickly becomes more confusing than revealing.

Visualizing how applications talk to each other across a network requires a solution deployed directly on the hosts which those applications reside on.

Illumio enables a very clear and precise dependency map between all applications in your data center and cloud. Hosts are grouped together based on metadata, such as function or ownership, and traffic flows between them all are clearly displayed.

This enables very quick discoveries of compliance violations and how hosts are communicating with each other without having to touch the network or touch the cloud.

Illumio reveals who is doing what to whom at high scale across your entire environment to help you quantify risk between hosts and show which risky ports are exposed to potential compromise.

Implement Illumio Zero Trust Segmentation to stop adversaries' east-west movement

The prevention security model is outdated, and the detection security model is never quick enough to prevent lateral propagation.

The modern security model needs to assume a breach either will or already has occurred. This mindset doesn't focus on trying to preserve the health of a compromised host, but instead quickly isolates adversaries and prevents them from spreading, all without needing to understand exactly who the adversary is.

The east-west threat vectors can be enforced and visualized using Illumio's solution for application-centric security from the perspective of the application.

Whether the breach comes from a state-sponsored adversary or a criminal gang, that threat is isolated and prevented from spreading.

The insanity should — and can — be stopped.

Want to learn more about Illumio Zero Trust Segmentation? Contact us today.