When a malicious insider wants to steal your data, they start with the systems they are permitted to use and then move laterally to reach higher-value targets. Similarly, most external hacks breach the perimeter at a low-value system, such as a contractor portal, and then use that opening to reach a high-value asset. The common denominator of all these threats is lateral movement.
The Office of Personnel Management (OPM) breach, the breaches of the White House and the State Department, as well as recent breaches of the intelligence community demonstrate that lateral movement is foundational and an enabler to data theft.
Stopping lateral movement is especially challenging for federal security teams, because many federal systems rely on:
Many organizations turn to detection to catch intruders and malicious insiders. Unfortunately, detection solutions increasingly swamp security teams with alerts, raising the risk that threats are buried under the sheer volume.
[Infographic: the percentage of data invisible to perimeter firewalls; average attacker dwell time despite existing security solutions; reported number of security alerts federal IT departments receive per day; average percentage of alerts that security teams can analyze. Figures not reproduced.]
If you want to control lateral movement and stop the spread of threats, you have to segment your environments. This is why the NIST Cybersecurity Framework recommends network segregation (NIST PR.AC-5), and the FTC recommends that organizations segment their networks.
But when most security teams think about segmentation, they assume that network segmentation is the only option. Unfortunately, network segmentation, which was originally designed for efficiency rather than security, is not well suited to working effectively in complex federal environments.
A common approach for implementing segmentation is to use the network layer. Unfortunately, for today’s increasingly complex, hybrid, and dynamic federal computing environments, implementing segmentation in the network using VLANs, SDN, and firewalls is incredibly difficult.
Challenge #1: Lack Of Visibility
Network segmentation rarely includes visualization tools, so security teams are forced to operate blind inside complex and changing environments. This is particularly challenging for federal agencies, because government infrastructure is often divided into multiple systems under different management.
Challenge #2: Firewall Rule Proliferation
Network-based approaches to segmentation require you to manage tens of thousands of firewall rules. This process is time-consuming, complex, and error-prone.
What federal organizations need is a way to visualize and understand their networks, and then use that understanding to isolate high-value enclaves and segment environments. This stops lateral movement, and helps catch malicious outsiders and insiders before they can cause serious damage.
Security segmentation is the process of deploying different types of segmentation throughout your environment to increase your security without impacting your business processes. Because it is not tied to the network, you can segment across hybrid environments and customize your segmentation to fit your needs.
Illumio ASP enables your team to implement security segmentation across your environments with two key capabilities:
#1 Live Application Dependency Mapping
Illumio visualizes the applications in your environment, including AWS GovCloud and Azure Government. It can visualize modern applications as well as legacy systems. This helps your team understand how your applications connect and communicate.
#2 Adaptive Segmentation
Illumio’s adaptive segmentation technology lets you choose the level of segmentation that is right for your environment. We offer the widest range of segmentation options available without all the manual work normally associated with traditional segmentation. This enables security policy to be written in the language of your applications, not your network, allowing you to:
Illumio enables you to rapidly segment your environment, manage your security without excessive overhead, and identify and stop threats before they reach high-value targets.
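The two ideas above, an application dependency map built from observed flows and a policy written in application terms rather than addresses, can be sketched in a few lines. This is an added illustration, not Illumio's code or its policy model; the workload labels, addresses and flow records are constructed, and the hypothetical policy denies anything it does not list.

```python
from collections import defaultdict

# Constructed inventory (hypothetical addresses): workload IP -> application label.
# Labels are what the policy below refers to; the addresses never appear in policy.
WORKLOADS = {
    "10.0.1.10": "contractor-portal", "10.0.1.11": "contractor-portal",
    "10.0.2.20": "hr-app", "10.0.2.21": "hr-app", "10.0.2.22": "hr-app",
    "10.0.2.30": "hr-db", "10.0.3.40": "payroll-db",
}

# Constructed flow records as a host agent might report them: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 443),   # portal -> HR web tier (expected)
    ("10.0.2.21", "10.0.2.30", 5432),  # HR web tier -> its database (expected)
    ("10.0.1.11", "10.0.2.30", 5432),  # portal straight to the database
    ("10.0.1.10", "10.0.3.40", 1433),  # portal to the payroll database
]

# Allowlist written in application terms; any flow not listed is denied.
POLICY = {("contractor-portal", "hr-app", 443), ("hr-app", "hr-db", 5432)}

def label(ip, workloads=WORKLOADS):
    # Unknown addresses get a label that matches no rule, so they are denied.
    return workloads.get(ip, "unlabelled")

def dependency_map(flows, workloads=WORKLOADS):
    """Application-level view of observed traffic: (src_app, dst_app) -> sorted ports."""
    deps = defaultdict(set)
    for src, dst, port in flows:
        deps[(label(src, workloads), label(dst, workloads))].add(port)
    return {pair: sorted(ports) for pair, ports in deps.items()}

def evaluate(flows, policy=POLICY, workloads=WORKLOADS):
    """Split flows into those the label-based allowlist permits and those it denies."""
    allowed, denied = [], []
    for src, dst, port in flows:
        key = (label(src, workloads), label(dst, workloads), port)
        (allowed if key in policy else denied).append((src, dst, port))
    return allowed, denied

def expand_to_ip_rules(policy=POLICY, workloads=WORKLOADS):
    """Per-address rules a network firewall needs to express the same label policy."""
    rules = set()
    for src_app, dst_app, port in policy:
        srcs = [ip for ip, app in workloads.items() if app == src_app]
        dsts = [ip for ip, app in workloads.items() if app == dst_app]
        rules.update((s, d, port) for s in srcs for d in dsts)
    return rules
```

The two denied flows are the portal reaching databases directly, the lateral movement the page describes, and the two label rules already expand to nine address rules for this tiny inventory, which is the rule proliferation of Challenge #2 in miniature.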