CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Endpoint Security

Micro-Segmentation for Endpoints Shows Promising Defense Against Lateral Movement

Micro-segmentation combined with zero-trust access control between the segments is recommended as one of the best approaches to breach containment. This principle is now extended from the network infrastructure to the endpoint, whether that device is local in the office, portable, or remote at home.

Micro-segmentation combined with zero-trust access control between the segments is recommended as one of the best approaches to breach containment. This principle is now extended from the network infrastructure to the endpoint, whether that device is local in the office, portable, or remote at home.

Segmentation does not prevent compromise, but it contains it to minimize damage. It prevents attackers’ lateral movement from server to server across the network infrastructure by allowing only known good connections and denying all else. But there is one weakness in this scenario — the endpoint. The endpoint is the primary route of initial incursion. If a compromise is not contained within the endpoint, it can rapidly spread to other endpoints and across the network.

Segmentation firm Illumio is closing this gap with the release of Illumio Edge — segmentation for the endpoint. In a research report (PDF) supporting the release, the firm uses WannaCry and NotPetya as extreme but valid examples of the danger of uncontrolled endpoint to endpoint lateral movement. “It has been reported,” says Illumio, “that a large bank in Ukraine saw its network locked up in (drumroll) 45 seconds with NotPetya. Maersk, a global logistics company, saw its global IT infrastructure crumble in 7 minutes.” This was possible because there were no barriers, such as endpoint segmentation, to prevent unfettered — and in this case, automated — lateral movement of the malware from endpoint to endpoint.

Although there has been a huge improvement in anti-malware and EDR products over the last decade with machine learning and next generation AV products, the number of corporate breaches continues to rise. In the Illumio survey of 461 IT and security professionals, the majority of respondents admitted that their endpoint security does not catch all malware, and even where it does detect malicious files, that detection may not be immediate. There is a time gap here for lateral movement before detection.

Illumio Edge is designed to work in conjunction with endpoint protection. It starts from the assumption that not all infections will be detected and blocked, and therefore the inevitable compromises need to be constrained to the single compromised endpoint. Since segmentation does not prevent initial compromise — it simply stops that compromise from spreading to other devices — some form of EDR protection is still necessary. For this purpose, Illumio has partnered (PDF) with CrowdStrike. The Edge agent can be obtained either from Illumio or from a CrowdStrike Falcon provider and integrated into Falcon.

“Illumio Edge combined with CrowdStrike’s instant visibility and protection across the enterprise,” said Michael Sentonas, chief technology officer at CrowdStrike, “will bring Zero Trust to every endpoint regardless of location and will offer our customers the most complete threat prevention capabilities, all seamlessly accessible through the CrowdStrike Falcon platform.”

Implementation of Illumio micro-segmentation throughout a large corporation is not a ten-minute job. All existing connections between endpoints must first be discovered, followed by a largely manual decision on whether each connection is valid. The time taken for implementation will consequently depend on the size of the estate and the complexity of the infrastructure. Illumio CEO Andrew Rubin told SecurityWeek that this could take up to three months for large enterprises, but that benefits could start to accrue within weeks.

Edge is not like this. All that is required is the creation of ‘allow’ lists for peer to peer traffic between endpoints. Implementation times will still vary based on the size, scale and desktop administration processes at different organizations, but value can be realized in just a few days.

Advertisement. Scroll to continue reading.

However, once successfully implemented, endpoint micro-segmentation will drastically reduce the growing threat of large-scale corporate ransomware. Attackers are gaining access through a single endpoint — using phishing or misconfigured services such as RDP — and moving laterally to infect as many other endpoints as possible. (With worms, the lateral movement can go faster and further than manually targeted attacks.)

When the time comes and encryption is enacted, dozens, hundreds or even thousands of endpoints can be simultaneously locked up. With effective endpoint micro-segmentation, this can no longer happen. Earlier this month — in Mitigating Ransomware with Zero Trust — Forrester Research suggested, “Worms such as WannaCry and NotPetya rely on lateral movement to escalate a containable nuisance to a cataclysmic attack. Microsegmentation and focused granular internal controls mitigate this problem and must be deployed as part of a Zero Trust strategy.”

Rubin would not be drawn by SecurityWeek on future expansions of the Edge platform, stressing that his firm is totally focused on containing malware through micro-segmenting the endpoints. However, the fact remains that if you can block access from other endpoints, it is not a great stretch to consider blocking access from other sources. The potential for expanding the platform to be able to control shadow IT must exist.

For now, Illumio Edge provides a valuable capability in constraining attackers’ lateral movement from one device to another. In the months and years ahead, it could possibly do even more.

Silicon Valley-based Illumio was founded in 2013 by Andrew Rubin (CEO), and PJ Kirner (CTO). It raised $65 million in a Series E funding round in February 2019, bringing the total venture funding to $332.5 million.

Related: Why Segmentation-in-Depth is Foundational Cyber Security 

Related: The Truth About Micro-Segmentation: It’s Not About the Network (Part 1) 

Related: Illumio, Qualys Partner on Vulnerability-based Micro-Segmentation 

Related: Hackers Using RDP Are Increasingly Using Network Tunneling to Bypass Protections 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.