Identify assets and exposures
If the purpose of the security program is to reduce risk to the business by mitigating cybersecurity risk, the first step should be to assess the network attack surface:
- What assets does the company have in on-premises data centers, the cloud, and container environments?
- Which assets are most critical to the business, i.e., which ones would materially impact the business if disrupted, damaged, or exposed?
- What and where are the organization’s most exploitable vulnerabilities (e.g., phishing, insecure code, unpatched systems)?
- How could an attacker reach the “crown jewels” if initial vulnerabilities are exploited?
- How are workloads and applications interconnected?
- What are the most likely pathways an attacker could use to move laterally toward business-critical assets?
Understanding the environment and its exposure requires ongoing assessment. Ideally, a multi-pronged approach combining automated scanning and manual testing is used, but given the size and scope of most organizations' networks, the only way to stay continually up to date is automated discovery of assets and the network paths available between them.
Approximately two-thirds of organizations say network blind spots are the biggest challenge when it comes to protecting data; implementing automated discovery tools can substantially improve network visibility and contribute to reducing risk.
Eliminate unnecessary pathways
Protecting the organization from cyber intrusions requires a multi-layered strategy, and one effective way to reduce the network attack surface is to decrease the number of routes an attacker can use to reach target systems. Offensive maps are an extremely valuable tool for analyzing which low-friction network pathways exist between attackers and targets, and for anticipating an attacker's next move given a view of all viable options. Once such a map exists, defenders can use their newfound network visibility to determine which vectors are most likely to be exploited and block never- or infrequently-used pathways to and from critical assets, reducing an attacker's ability to move laterally inside the network. In other words, pathways that applications do not require, and that exist simply because the hosts sit on a connected network, should be blocked as a communication vehicle.
Apply microsegmentation at the workload level
Once an adversary gains access to the network through an initial exploit (e.g., phishing, software vulnerability), the security team must be able to prevent unauthorized access to and tampering with critical databases and applications. Limiting the number of paths attackers can use to travel from Point A to Point B helps localize focus, but it’s not enough. Revisiting the idea of a multi-layered strategy to manage expansive network attack surfaces, microsegmentation at the workload level builds tight boundaries around companies’ sensitive data and systems.
Unfortunately, many security and networking professionals have an unfavorable view of microsegmentation. Old methods of microsegmentation using IP addresses and VLANs are kludgy, time-consuming, and expensive. Creating a firewall rule for a new application on the network can take hours, configuration issues can lead to outages, and static policies must be constantly updated by hand. In addition, network-based microsegmentation tools necessitate re-architecting both the network and the application (i.e., translating "network speak" into "application speak"). It's no wonder that microsegmentation is met with trepidation.
Modern microsegmentation, however, is based on software identity: cryptographic attributes of the software itself, rather than of the network, drive control decisions. Especially given today's dynamic network environments, software identity is not only a more reliable construct on which to enforce access decisions, but it also eliminates the complexity of creating multiple rules for each application, reduces the time it takes to create policies, and results in policies that are supported across any platform (e.g., multi-cloud environments, containers). Further, application-centric policies adapt to the environment, which means that administrators can create and manage policies from one centralized location and retain visibility regardless of where workloads communicate.
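As an added illustration of the two ideas above (flagging network paths that no application requires, and enforcing policy on software identity rather than IP address), here is a small policy evaluator. It is example code written for this article, not any vendor's product; the workload inventory, binary hashes and flow records are constructed, and the identity is simply a SHA-256 of the workload's binary.

```python
import hashlib

def software_id(binary_bytes: bytes) -> str:
    """Software identity: a hash of the workload's code, independent of where it runs."""
    return hashlib.sha256(binary_bytes).hexdigest()

# Constructed inventory: discovery populates the IP, the identity comes from the binary.
WORKLOADS = {
    "web-1":  {"ip": "10.0.1.10", "sw": software_id(b"webapp-v2.3 (constructed)")},
    "db-1":   {"ip": "10.0.2.20", "sw": software_id(b"postgres-14 (constructed)")},
    "jump-1": {"ip": "10.0.3.30", "sw": software_id(b"ssh-bastion (constructed)")},
}

# Application-centric policy: which software may talk to which, on which port.
IDENTITY_POLICY = {(WORKLOADS["web-1"]["sw"], WORKLOADS["db-1"]["sw"], 5432)}
# The legacy equivalent, pinned to addresses that change whenever a workload moves.
IP_POLICY = {("10.0.1.10", "10.0.2.20", 5432)}

def allowed_by_ip(src_ip, dst_ip, port):
    return (src_ip, dst_ip, port) in IP_POLICY

def allowed_by_identity(src_ip, dst_ip, port, inventory):
    """Resolve the observed addresses to software identities, then consult the policy."""
    by_ip = {w["ip"]: w["sw"] for w in inventory.values()}
    src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
    if src is None or dst is None:
        return False  # unknown software on either end: default deny
    return (src, dst, port) in IDENTITY_POLICY

# Constructed flow log: (src, dst, port, packets seen) from automated path discovery.
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 5432, 4800),  # the application path
    ("10.0.3.30", "10.0.2.20", 5432, 1),     # bastion reaching the DB directly
    ("10.0.1.10", "10.0.3.30", 22, 0),       # reachable but never used
]

def unneeded_paths(flows, inventory):
    """Reachable paths to assets that no application policy requires: block candidates."""
    return [f for f in flows if not allowed_by_identity(f[0], f[1], f[2], inventory)]

def move_workload(inventory, name, new_ip):
    """Simulate a workload being rescheduled to a new address (new inventory, no policy edit)."""
    updated = {k: dict(v) for k, v in inventory.items()}
    updated[name]["ip"] = new_ip
    return updated
```

After `move_workload` reassigns web-1 a new address, the IP rule silently stops matching while the identity rule still allows the same application path with no policy change.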
Paring down the network attack surface to reduce overall organizational risk is not an easy endeavor, to be certain. Simply keeping abreast of all resources across ever-growing networks is a massive challenge. However, in today's complex threat landscape, it is imperative for security and networking teams to simplify the protection strategy by improving network visibility and implementing application-centric, adaptive security controls. To get started, organizations should:
- Identify the extent of the network attack surface, including systems, devices, users, workloads, and exposed network paths;
- Prioritize protection based on the criticality of assets and block network paths not required by business applications; and
- Use application-centric microsegmentation to prevent unauthorized access and communication on the network.