Micro-segmentation combined with zero-trust access control between the segments is recommended as one of the best approaches to breach containment. This principle is now extended from the network infrastructure to the endpoint, whether that device is local in the office, portable, or remote at home.
Segmentation does not prevent compromise, but it contains it to minimize damage. It prevents attackers’ lateral movement from server to server across the network infrastructure by allowing only known good connections and denying all else. But there is one weakness in this scenario — the endpoint. The endpoint is the primary route of initial incursion. If a compromise is not contained within the endpoint, it can rapidly spread to other endpoints and across the network.
Segmentation firm Illumio is closing this gap with the release of Illumio Edge — segmentation for the endpoint. In a research report (PDF) supporting the release, the firm uses WannaCry and NotPetya as extreme but valid examples of the danger of uncontrolled endpoint-to-endpoint lateral movement. “It has been reported,” says Illumio, “that a large bank in Ukraine saw its network locked up in (drumroll) 45 seconds with NotPetya. Maersk, a global logistics company, saw its global IT infrastructure crumble in 7 minutes.” This was possible because there were no barriers, such as endpoint segmentation, to prevent unfettered — and in this case, automated — lateral movement of the malware from endpoint to endpoint.
Although there has been a huge improvement in anti-malware and EDR products over the last decade with machine learning and next-generation AV products, the number of corporate breaches continues to rise. In the Illumio survey of 461 IT and security professionals, the majority of respondents admitted that their endpoint security does not catch all malware, and even where it does detect malicious files, that detection may not be immediate. That gap between infection and detection is the window in which lateral movement happens.
Illumio Edge is designed to work in conjunction with endpoint protection. It starts from the assumption that not all infections will be detected and blocked, and therefore the inevitable compromises need to be constrained to the single compromised endpoint. Since segmentation does not prevent initial compromise — it simply stops that compromise from spreading to other devices — some form of EDR protection is still necessary. For this purpose, Illumio has partnered (PDF) with CrowdStrike. The Edge agent can be obtained either from Illumio or from a CrowdStrike Falcon provider and integrated into Falcon.
“Illumio Edge combined with CrowdStrike’s instant visibility and protection across the enterprise,” said Michael Sentonas, chief technology officer at CrowdStrike, “will bring Zero Trust to every endpoint regardless of location and will offer our customers the most complete threat prevention capabilities, all seamlessly accessible through the CrowdStrike Falcon platform.”
Implementation of Illumio micro-segmentation throughout a large corporation is not a ten-minute job. All existing connections between endpoints must first be discovered, followed by a largely manual decision on whether each connection is valid. The time taken for implementation will consequently depend on the size of the estate and the complexity of the infrastructure. Illumio CEO Andrew Rubin told SecurityWeek that this could take up to three months for large enterprises, but that benefits could start to accrue within weeks.
Edge is not like this. All that is required is the creation of ‘allow’ lists for peer-to-peer traffic between endpoints; any connection not on the list is denied. Implementation times will still vary based on the size, scale and desktop administration processes at different organizations, but value can be realized in just a few days.
However, once successfully implemented, endpoint micro-segmentation will drastically reduce the growing threat of large-scale corporate ransomware. Attackers are gaining access through a single endpoint — using phishing or misconfigured services such as RDP — and moving laterally to infect as many other endpoints as possible. (With worms, the lateral movement can go faster and further than manually targeted attacks.)
When the time comes and encryption is enacted, dozens, hundreds or even thousands of endpoints can be simultaneously locked up. With effective endpoint micro-segmentation, this can no longer happen. Earlier this month — in Mitigating Ransomware with Zero Trust — Forrester Research suggested, “Worms such as WannaCry and NotPetya rely on lateral movement to escalate a containable nuisance to a cataclysmic attack. Microsegmentation and focused granular internal controls mitigate this problem and must be deployed as part of a Zero Trust strategy.”
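As an added illustration (not Illumio's code or policy format), the following Python models the allow-list approach described above: a list of known-good peer-to-peer flows enforced at each endpoint with everything else denied, then the spread of a WannaCry-style worm through a small estate with and without that policy. Endpoint names, flows and ports are constructed for the example.

```python
from collections import deque

# Constructed sample estate: six workstations in three departments plus a print server.
ENDPOINTS = ["hr-01", "hr-02", "fin-01", "fin-02", "eng-01", "eng-02", "print-01"]

# Constructed allow list of known-good peer-to-peer flows (src, dst, port), i.e. the
# output of the discovery-and-review step. Rules are directional; anything not
# listed is denied by the receiving endpoint.
ALLOW_LIST = {
    ("hr-01", "print-01", 9100),
    ("hr-02", "print-01", 9100),
    ("fin-01", "print-01", 9100),
    ("eng-01", "eng-02", 22),
}

def is_allowed(policy, src, dst, port):
    """Endpoint policy check. policy=None models an unsegmented estate where every
    endpoint can reach every other; otherwise the policy is default-deny."""
    return policy is None or (src, dst, port) in policy

def simulate_worm(patient_zero, port, policy=None):
    """Breadth-first spread: each infected endpoint tries every other endpoint on
    `port`. Returns the set of infected endpoints and the list of denied attempts,
    which is what endpoint enforcement would log as suspected lateral movement."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    denied = []
    while queue:
        src = queue.popleft()
        for dst in ENDPOINTS:
            if dst in infected:
                continue
            if is_allowed(policy, src, dst, port):
                infected.add(dst)
                queue.append(dst)
            else:
                denied.append((src, dst, port))
    return infected, denied

if __name__ == "__main__":
    # Port 445 (SMB) stands in for the service a WannaCry-style worm abuses.
    for label, policy in (("no segmentation", None), ("allow-list policy", ALLOW_LIST)):
        infected, denied = simulate_worm("hr-01", 445, policy)
        print(f"{label}: {len(infected)}/{len(ENDPOINTS)} endpoints infected, "
              f"{len(denied)} attempts denied")
```

Without a policy a single compromised endpoint reaches the whole estate; with the allow list the worm is confined to patient zero, and the denied attempts are the signal a SOC can alert on while EDR catches up.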
Rubin would not be drawn by SecurityWeek on future expansions of the Edge platform, stressing that his firm is totally focused on containing malware through micro-segmenting the endpoints. However, the fact remains that if you can block access from other endpoints, it is not a great stretch to consider blocking access from other sources. The potential for expanding the platform to be able to control shadow IT must exist.
For now, Illumio Edge provides a valuable capability in constraining attackers’ lateral movement from one device to another. In the months and years ahead, it could possibly do even more.
Silicon Valley-based Illumio was founded in 2013 by Andrew Rubin (CEO), and PJ Kirner (CTO). It raised $65 million in a Series E funding round in February 2019, bringing the total venture funding to $332.5 million.