Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Learning from Hackers: The Benefits of Microsegmentation

“A bruise is a lesson”- Arya Stark, A Game of Thrones

“A bruise is a lesson”- Arya Stark, A Game of Thrones

If we can learn one thing from the notable string of beaches that have been reported publicly in the past few years, the widespread movement of bad actors across the data center – and the “dwell time” hackers have gained in these environments – has been a principal contributor to the degree of damage organizations have suffered.  More dwell time (weeks, months, years) and more access translates to more damage.

The ability of bad actors to not only access critical assets, but to move nearly freely across the data center undetected remains somewhat mind-boggling as we forecast cybersecurity expenditures to approach close to $100 Billion in the next few years.  In the next few years, we will be spending a virtual Ecuador on cybersecurity without being able to stop bad actors from free access to the interior of networks and applications.

Organizations of any size can do one important thing to help address this challenge: better segment their interior networks and data center operations.  This is the critical strategy most IT and Security teams have not undertaken to date.  Even today, the vast bulk of network security spend and attention is still focused on the perimeter.  Indeed, earlier this year, Rob Joyce, the Chief of Tailored Access Operations of the NSA, gave a stunning talk at the USENIX Enigma conference with one simple message: segment everything that is critical.

So why haven’t organizations moved to address this?  Why not think like a hacker and take actions that counter their moves?

It turns out microsegmentation based on traditional network technology – switches, routers, firewalls, etc., –  while highly valuable, adds additional complexity and risk to data center operations.  It’s hard to do.   Several large organizations I have worked with over the past few years have – literally – millions of firewall rules based on IP addresses, making their security policy only second to the federal tax code in terms of complexity and fragility.  How can that translate into the interior of the data center?

So, can’t we take a lesson from the hackers?  The bad guys do not go after your data center all at once.  They tend to look for a single vulnerability and then move out from there.  This means broad-based segmentation will be limited in its effectiveness.  Alternative, complementary approaches which drive segmentation closer to the application, even closer to a (physical or virtual) server can play a critical role in reducing the explosion of insider threats and spread of lateral attacks.  If one workload/app is comprised and your other applications are not well segmented, the bad actor can spread rapidly (Target, OPM, and Sony breaches all started this way).  Only segmentation down to the workload/application can prevent/reduce this risk.

Advertisement. Scroll to continue reading.

This is particularly true now that applications have become more distributed, dynamic, heterogeneous, and hybrid.  Said simply, many n-tier modern applications are no longer constructed to run a single rack on a single server.  I have seen a single application span dozens of data centers.  A single application.  How can you protect that with a firewall?

Internal segmentation approaches must adapt to changes in environments (spin up, down, move) and increase the dynamic nature of new compute formats such as Linux containers that can literally run for only a few seconds to complete a process.   And they must work in hybrid environments, where IT takes advantage of physical infrastructure they do not truly control.

The benefits of microsegmentation in the data center is a reduction in the attack surface for bad actors to communicate and move.  By locking down all unauthorized communications, much of the probing that goes on can be similarly restricted, making it more difficult for a bad actor to spread laterally throughout the data center.

Alan has been a successful entre­pre­neur, technology executive, and board member for over 25 years for a range of iconic companies, including DCVC-backed Illumio, Nicira (acquired by VMware), Airespace (acquired by Cisco), Cisco (where he led the $25 billion enterprise marketing and solutions orga­ni­za­tion), General Growth Properties, and IBM. He has authored over 200 articles, undertaken over 1,000 press interviews, and delivered over 100 keynotes at industry conferences. He received a bachelor’s degree in English from SUNY Buffalo, a master’s degree in English from the University of Vermont, a master’s degree in inter­na­tional affairs and economics from the American University School of Inter­na­tional Service, and an MBA from New York University.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Coro, a provider of cybersecurity solutions for SMBs, has appointed Joe Sykora as CEO.

SonicWall has hired Rajnish Mishra as Senior Vice President and Chief Development Officer.

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.