micro-segmentation and zero trust

 

We all roll our eyes when we see and hear the next buzz word wondering, will it change the world or just be another word that comes and goes.  Buzz words have so many meanings, depending on who is using them or trying to sell the next widget. So what is micro-segmentation and zero trust?

 

Micro-segmentation:

  • Distinct security segments for individual workloads
  • Security controls for each unique segment.
  • Protects the perimeter
  • Protects east-west traffic

 

Zero Trust:

  • Granular enforcement based on a combination of factors
  • Only trusted and verified processes/traffic are allowed
  • Least-privilege access

 

Advantages of zero trust and micro-segmentation:

  • Reduce the risk to the organization
  • Reduce the total attack surface of a network security incident
  • Securely isolate networks and applications from each other
  • Limit the ability to land and expand from a compromised device

 

I have firewalls, EDR, Antivirus, DLP, HIDS, NIDS, WAF, RAF, and SIEM…. shouldn’t I be covered?

In traditional security approaches the attacker has the advantage.  Attackers are constantly looking and creating new attacks.  Security vendors are always trailing behind, stuck in a constant game of cat and mouse.  Security teams are creating new signatures and monitoring for new behaviors to match the constantly evolving threats. IT teams are trying to patch and keep up with never ending vulnerabilities closing holes as they are discovered. Organizations take weeks to months to test and roll out patches, leaving the corporation vulnerable.

This is where zero trust and segmentation come into play.  When you restrict a server/application to only known processes and traffic that are used by the application you have changed the game. You get the advantage over the attacker, forcing the attacker to have to know how your application works and know what processes are trusted to able to exploit a vulnerability.

Think of it as a safety deposit box. You will need access into the bank, access to the vault, and the safety deposit box key. There are reasons and people that need access to the bank. Then a smaller group of people that need access to the vault.  Then only a few people have the safety deposit box key.

 

It sounds great, but is zero trust and micro-segmentation possible?

  • We do not really know how the application works.
  • We do not want to break production.
  • It is too hard to keep up with changes to the application.
  • We have tried micro-segmentation and it was too hard.
  • We have tried white-listing and it was too complex and impossible to support.

 

Look for segmentation products that are easy to use and help you with the implementation process. Let tools and technology help you understand the current behavior, determine what good behavior looks like, and automate the process.

 

Use a crawl, walk, and run approach:

  • Start with visibility and start capturing the current state
  • Pick some critical applications and start with alert mode.
  • Move critical applications to block mode.

 

For example, in a typical three tier application. Be strategic, do you feel comfortable with locking down DB servers? Then move to web servers and finally to the application servers.

 

Remember it takes time to implement a fundamental change in thinking.  Focus on small wins. Visibility into new processes being run in your environment is a great start, knowing most intruders are in networks for months to a year before being noticed. Securing critical application in your environment will put you in a better position over your current state as you continue to roll out the complete solution.