Today's defenses must be creative in both isolating threats and segmenting environments to prevent attacks. Here's why.

PJ Kirner, CTO & Founder, Illumio

March 9, 2020

5 Min Read

As more applications move to the cloud and hybrid cloud environments, so too do the threats and bad actors that permeate today's businesses. Today, defending against such threats is only half the battle, and preventing against the vulnerabilities — specifically, complex chains of simple vulnerabilities — that we cannot see will separate thriving businesses from their counterparts. Organizations will be forced to either evolve their mentality — or lose out to evolving threats.  

Let's begin with how cloud computing placed new pressures on the firewall. The firewall, like many businesses of the late 21st century, has had to evolve as cloud environments became the norm.

Originally introduced in the late '80s, the first network firewalls were developed to protect private networks by securing gateway servers to external networks like the Internet. Generally speaking, firewalls were designed to block or allow "north/south" traffic according to rules that had been set up to define what was permissible and what's not, thereby defining the "perimeter" for the enterprise. To this day, firewalls still continue to excel at solving this specific problem where it exists.

But cloud computing introduced a new wave of complex cloud and hybrid environments that changed what the "perimeter" looks like, causing the firewall to evolve. We have seen the introduction of virtual firewalls, intended for the public cloud, that provide some visibility around where connections come from or where they are going. However, that is only a minor evolution, and still relies upon a traditional way of thinking about the world at its core.

Enter the Agile Cloud
Today, the same evolution is needed in cybersecurity defense-in-depth. Strong perimeter defenses are still foundational but now are complemented with an "assume breach" mentality. This is a mere acknowledgment of what we know — a security incident will happen thanks to an employee clicking on a phishing link, a misconfiguration exposing a container to the Internet, or stolen credentials. Practically, we will evolve defense-in-depth to complement perimeter defenses with zero-trust dynamic and adaptive controls. This will ensure small security incidents remain just that by stopping unauthorized access to networks and applications or malicious lateral movement in data centers and clouds. 

This breach mentality is founded on a risk-based view of protecting your highest-value assets. This means focusing on bolstering your perimeter defenses as much as defenses that detain attackers who get inside. They will get in eventually; however, with the right approach, damage can be minimal.

Obviously, the assume breach mentality builds upon the single objective of your traditional firewall — keeping the bad guys out. But in 2020, new entry points will continue to emerge, bad actors will continue to implement more creative attacks, and threats will continue to evolve. Evolving defenses must be both creative in isolating those threats as well as in segmenting environments to prevent attacks to exterior defenses.

Planning for the Inevitable
Start by turning your focus on investing in your cyber resiliency. Cyber resiliency is your company's ability to withstand a cyberattack and continue operations. It requires organizations to assume a breach will happen and also plan for what happens next. History shows that it's not a question of if but when a breach will happen, so organizations need to invest to protect their most important, valuable data and prepare to withstand attacks.

The best and most effective security strategy for enterprises is what has been coined zero trust, a strategy by which organizations don't trust anything inside or outside the network perimeters and instead verify anything and everything that's trying to connect to the network before giving it access. Zero trust has become a model for effective security by localizing and isolating threats through microsegmentation technology that applies policies to individual workloads for greater attack resistance.

I like to use a submarine analogy when it comes to microsegmentation: Picture two submarines — one built with bulkheads or walls that create airtight compartments connected to a solid hull, and the other just a hull with no walls segmenting the interior. Both submarines have been breached and water is pouring in, but when the first submarine starts leaking, you quickly seal the compartment with the leak to contain it, and although that specific compartment floods, the rest of the ship stays safe and dry.

Unlike the firewall, this is an architecture that is built specifically for breaches. It is designed both for the intruders, and forthe "assume breach" thinkers. Although unconventional, if we learned anything in 2019, it's that attackers are continuing to innovate, so our technology and our defense systems must do the same. In 2020, we can already assume that attacks will be plentiful and breaches will be many. But just because attackers get in doesn't mean they need to get what they're looking for.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "The Perfect Travel Security Policy for a Globe-Trotting Laptop."

About the Author(s)

PJ Kirner

CTO & Founder, Illumio

As chief technology officer and founder, PJ is responsible for Illumio's technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also held several roles at Juniper Networks, including distinguished engineer focused on advancing Juniper's network security and layer 4-7 services plane. PJ graduated with honors from Cornell University.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights