Burlington, MA-based Edgewise Networks has emerged from stealth mode with a product designed to implement a zero-trust approach to network security.
Founded by Peter Smith and Harry Sverdlove in Spring 2016; backed by venture capital firms .406 Ventures, Accomplice, and Pillar; and supported by Patrick Morley (CEO of Carbon Black), Omar Hussain (CEO of Imprivata), Brian Ahern (CEO of Threat Stack), and Bob Brennan (CEO of Veracode), Edgewise seeks to augment perimeter firewalls and improve on microsegmentation.
Edgewise believes that there is a fundamental flaw in defense-by-firewall. While firewalls can detect and block known bad addresses, they cannot detect bad use of good addresses. This means that any compromise of a ‘good’ address can allow an attacker straight through the firewall, by policy, and into an attack position.
“There are two commonalities in almost all publicized attacks,” comments co-founder Peter Smith. “Firstly, attackers rarely, if ever, enter a network directly on their ultimate target: they gain a foothold, surveil the attack surface and then move laterally to where they can conduct the final attack. Secondly, they invariably accomplish this by introducing malicious code at some stage — for C&C, for the next stage of the attack, and so on.”
Preventing the lateral movement is where firewalls fail. They can see where traffic is coming from, and they can see where it is going; but they cannot see who is in control of the software being used, or the server from which it comes. Consider NotPetya, he said. “The worm spread more or less unabated because the firewalls could not detect any maliciousness in the traffic.”
Microsegmentation is an improvement on perimeter firewalls alone; but is still not adequate. “Essentially, it forces all traffic through the firewall. Besides the complexity of installation and management, the firewalls still cannot prevent the attacks because they can still only protect what they can see; and despite the fact that they can see all of the network traffic, they can only look at the traffic to identify malicious behavior — they cannot look outside of the traffic, cannot look at the hosts to see what software is actually making those communications.”
Edgewise sees its product as being more effective than complex microsegmentation, and even easier to use than relatively simple next-gen firewalls.
Firewalls, he continued, can only attribute traffic to the address that sent it and the address that receives it. “They cannot see the actual software that created the connection; or the user controlling the application; or the host on which it is running. There is consequently no guarantee that the application you trust is controlled by the user you think should be controlling it. Most new technology just looks more closely at network packets — but however much you stare at the packet, it will not tell you the identity of the software producing the communication or the user controlling it on either side of the connection.”
Two primary aspects of Edgewise illustrate how it operates. Firstly, it ensures that only trusted applications communicate by mutually validating the identity of the underlying software, users and hosts before allowing the connection. “This approach,” says the company, “extends the zero-trust networking model that calls for validating application communications and not trusting addresses to secure internal networks.”
Secondly, it uses machine learning to model application communication patterns and generate optimal protection policies automatically. This serves several purposes. It can be used to generate maximum protection from minimum policies, and to produce a policy map that can be used as a ‘what-if’ model even by non-experts. New policies can be tested on the map to see exactly what effect they will have on the overall network attack surface.
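The two ideas in the preceding paragraphs, validating the identity of the software, user and host on each end of a connection rather than the addresses, and deriving the allowlist automatically from observed communication patterns, can be shown with a small model. The following is an added illustration, not Edgewise's code or product format: the host-agent record layout, the hash values, host names and addresses are all constructed, and the "learning" step is a plain set of observed tuples standing in for the machine-learning model the article describes. It shows why a connection from a compromised but otherwise "good" address passes an address-keyed rule yet fails an identity-keyed one.

```python
"""Address-keyed vs identity-keyed connection policies (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    ip: str
    user: str
    app: str       # executable name
    app_hash: str  # constructed stand-in for a software identity (e.g. binary hash)


@dataclass(frozen=True)
class Connection:
    src: Endpoint
    dst: Endpoint
    port: int


# Constructed host-agent records in a hypothetical format:
# src_host|src_ip|src_user|src_app|src_hash -> dst_host|dst_ip|dst_user|dst_app|dst_hash :port
BASELINE_LOG = """\
web01|10.0.1.10|www-data|nginx|sha256:aaaa -> api01|10.0.2.20|svc-api|api-server|sha256:bbbb :8443
api01|10.0.2.20|svc-api|api-server|sha256:bbbb -> db01|10.0.3.30|postgres|postgres|sha256:cccc :5432
web01|10.0.1.10|www-data|nginx|sha256:aaaa -> api01|10.0.2.20|svc-api|api-server|sha256:bbbb :8443
"""


def parse_record(line: str) -> Connection:
    left, rest = line.split(" -> ")
    right, port = rest.rsplit(" :", 1)
    return Connection(Endpoint(*left.split("|")), Endpoint(*right.split("|")), int(port))


def parse_log(text: str) -> list[Connection]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def address_key(c: Connection):
    # What a perimeter firewall sees: source address, destination address, port.
    return (c.src.ip, c.dst.ip, c.port)


def identity_key(c: Connection):
    # What the article argues a policy should key on: software identity, user and host
    # on both ends of the connection; addresses do not appear at all.
    return ((c.src.app_hash, c.src.user, c.src.host),
            (c.dst.app_hash, c.dst.user, c.dst.host),
            c.port)


def learn_policy(conns: list[Connection], key) -> frozenset:
    """Derive an allowlist from observed traffic: every distinct key seen is permitted."""
    return frozenset(key(c) for c in conns)


def allowed(policy: frozenset, key, c: Connection) -> bool:
    return key(c) in policy


def lateral_move_attempt() -> Connection:
    # Constructed scenario: a different binary running on the compromised web01,
    # same address and same user as nginx, trying to reach the API tier.
    return parse_record(
        "web01|10.0.1.10|www-data|dropped-tool|sha256:dead"
        " -> api01|10.0.2.20|svc-api|api-server|sha256:bbbb :8443"
    )


def what_if(policy: frozenset, key, candidates: list[Connection]) -> dict:
    """The 'what-if' view: which candidate flows a policy would permit, and how many it removes."""
    permitted = [c for c in candidates if allowed(policy, key, c)]
    return {"permitted": permitted, "removed": len(candidates) - len(permitted)}


def demo() -> dict:
    baseline = parse_log(BASELINE_LOG)
    addr_policy = learn_policy(baseline, address_key)
    id_policy = learn_policy(baseline, identity_key)
    legit, lateral = baseline[0], lateral_move_attempt()
    return {
        "address_allows_legit": allowed(addr_policy, address_key, legit),
        "address_allows_lateral": allowed(addr_policy, address_key, lateral),
        "identity_allows_legit": allowed(id_policy, identity_key, legit),
        "identity_allows_lateral": allowed(id_policy, identity_key, lateral),
        "identity_removed_flows": what_if(id_policy, identity_key, baseline + [lateral])["removed"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The address-keyed policy learned from the same baseline permits the lateral attempt because the source and destination addresses and the port are all ones it has seen before; the identity-keyed policy rejects it because the software identity on the source side is not one that has ever been observed talking to the API service.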
The result, said Smith, “is that we get rid of all of the unnecessary network attack surface that firewalls cannot see. We stop anything that is not trusted and we build the policies for the customer automatically. We have a machine-learning system that analyzes the communication patterns of the software we protect, and then creates the policies to protect the systems. No user intervention is necessary to build the policies — only to apply them.” Applying them, he added, can be a single click.
“The user sees a map of how the software communicates,” he continued. “He can select the software he particularly wishes to protect, and one click will protect it. Only trustworthy software will be allowed to communicate. We also measure the risk associated with the environment — the attack surface. We measure how much it is, and how much it would shrink if the customer applies our protection.”
Edgewise calls this ‘Trusted Application Networking’. “It’s what Forrester calls zero-trust networking, and what Gartner calls CARTA,” said Smith. “Essentially they boil down to the same thing: assert the identity of communicating software and the entities communicating; do not just blindly trust addresses.”