Introducing 1-Click Auto-Segmentation from Edgewise

By Peter Smith, Founder and CEO — Jun 11, 2019

If we can land rockets on a barge in the middle of the ocean, if cars can drive from one location to another without a human ever touching the steering wheel, if we can search 30 trillion unique web pages in mere seconds, why does network microsegmentation still take months to implement and cause so many headaches in the process?

I have been pondering this question for years, and it’s why I started Edgewise three years ago. Today, after tens of thousands of hours of hard work by our engineering and development teams, I can finally announce that Edgewise has made microsegmentation a one-click effort for our customers. Just like the technological advancements that led to autonomous vehicles and quick, accurate web searching, the journey to 1-click auto-segmentation was challenging, but the result is well worth it. Network operators and security professionals can now have stronger, scalable, operationally simple security for their companies’ applications and services, whether those run in the public cloud, in on-premises data centers, or in container environments.

Where did 1-click microsegmentation begin?

Back when I was in college, I was also working at Harvard Business School managing their network. Universities present distinct challenges in networking because they tend to promote openness and sharing, yet there is still a need for confidentiality, integrity, and availability of data and resources. My responsibility was to create a system that granted students and faculty the appropriate level of network access depending on their role and location. This was before network access control (NAC) products existed, so there wasn’t any established guidance I could follow.

Fast forward a few years to when I was managing infrastructure and security for another organization, and I found myself constantly frustrated with security tooling that relied on address-based controls. And this was long before cloud and containers were as prevalent as they are now! Even in an on-premises environment, address-based controls were (and remain) too mutable and too easy for an attacker to spoof to serve as the primary control plane for securing access to the company’s critical applications and business-sensitive data. Not to mention, it’s the applications and data the company needs to protect anyway, so why not move the control plane there?

Today’s cybersecurity challenge

Why does this all matter? Because the cybersecurity problem isn’t getting any better. Hundreds of thousands of new malware files appear daily, and dozens of new vulnerabilities are discovered every week. The massive number of security technologies built, sold, and implemented doesn’t properly address the core issue: unauthorized access to applications leading to breaches. How can I be so certain of this? Just look at some of the major headline breaches over the past decade: Target, OPM, Equifax, Anthem. The post-breach analyses tell the same story: these incidents could have been prevented had these companies’ networks been microsegmented properly. Attackers gained an initial foothold in these companies’ systems, then pivoted and piggybacked on network resources to move laterally to their intended target, the data. Segmenting the network and requiring access verification at every step along the path would have stopped, or at least contained, that lateral movement. It’s inevitable that attackers are going to bypass perimeter controls through phishing or software vulnerabilities, so companies need to focus on hardening the internal network, preventing unauthorized east-west traffic with a zero trust approach.



Zero trust was absolutely essential to the creation of Edgewise. Anything less would result in yet another security tool attackers could bypass for malicious purposes. Starting at zero trust, though, meant that every access request inside a company’s network would need to be verified before a communication was sent or received. This last point is central to Edgewise, and we’ve been granted a patent for the innovation. Many zero trust solutions verify the requester only once, at one end of the connection, before access is permitted. Edgewise’s patent covers symmetric, identity-based verification at both ends of the communication. This matters because it prevents malware from propagating even if it is introduced after a communication has been established: Edgewise can stop malware at the sending end, before the traffic leaves, not just when a new connection is requested.

Another critical element of Edgewise’s solution is our machine learning. Not coincidentally, adaptive policies are also an important part of a zero trust environment. Edgewise’s second patent was awarded for our machine learning innovation that drastically reduces the number of policies required to secure access pathways between applications. Policy reduction is necessary because it addresses the complexity problem, mentioned earlier, of traditional microsegmentation with legacy, address-based tools. Especially in dynamic, auto-scaling environments like the cloud and containers, where addresses change every time an instance is replaced, the number of policies operators must create and manage is immense. In fact, the management burden is so substantial that most companies never achieve enough ROI to justify a microsegmentation implementation. This is exactly why companies ignore recommended guidance and operate the flat networks that lead to data breaches, as previously mentioned.

Operational ease; unmatched protection

However, microsegmentation doesn’t have to be that hard. Edgewise creates immutable, cryptographic identities for all software and services communicating in our customers’ environments. Unlike IP addresses, ports, or protocols, the identities we build are tied to the software itself and cannot be spoofed the way an address can, which is why they are the right control plane for controlling access to critical business applications and services. Once an identity has been automatically created, Edgewise’s machine learning determines what access each entity should have based on a statistical analysis of the environment. Unused or unnecessary application communication pathways are also blocked based on that analysis, which results in a dramatically reduced network attack surface. Add in the continuous, symmetric identity verification at every communication request and you’ve got a system that is significantly hardened against attack.
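To make the contrast between address-based and identity-based control concrete, and to show the policy compression described two sections earlier, here is an added example. It is not Edgewise’s code or its patented method: the fingerprint scheme (a hash over a role label and the binary’s hash), the workloads, the flow log and every hash are constructed assumptions, a simplified stand-in for a real software identity. It derives an allow-list from observed flows both ways, counts the rules each approach needs, and then checks three cases a practitioner cares about: malware running at an already-allowed IP, an autoscaled instance at a never-seen IP, and a path that was never observed.

```python
"""
Address-based vs. identity-based microsegmentation, as an added illustration.
Not Edgewise code: the fingerprint scheme (hash of service label + binary
hash), the workloads, the flows and every hash below are constructed for
the demo and are not a vendor's actual algorithm or data.
"""
import hashlib
from dataclasses import dataclass


def fake_binary_hash(label: str) -> str:
    """Stand-in for the SHA-256 of an executable on disk (constructed)."""
    return hashlib.sha256(label.encode()).hexdigest()


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    binary_sha256: str  # hash of the program that owns the socket
    service: str        # role label assigned at deploy time

    @property
    def identity(self) -> str:
        # Simplified software identity: a function of *what* runs, not *where*.
        raw = f"{self.service}:{self.binary_sha256}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


WEB_BIN = fake_binary_hash("nginx-1.18-build-42")
DB_BIN = fake_binary_hash("postgres-12.3-build-7")
MAL_BIN = fake_binary_hash("dropped-payload")

WORKLOADS = {
    w.name: w for w in [
        Workload("web1", "10.0.1.10", WEB_BIN, "web"),
        Workload("web2", "10.0.1.11", WEB_BIN, "web"),
        Workload("web3", "10.0.1.12", WEB_BIN, "web"),
        Workload("db1", "10.0.2.10", DB_BIN, "db"),
        Workload("db2", "10.0.2.11", DB_BIN, "db"),
    ]
}

# Constructed flow log: every web instance was seen talking to every db on 5432.
OBSERVED_FLOWS = [(s, d, 5432) for s in ("web1", "web2", "web3") for d in ("db1", "db2")]


def address_policy(flows):
    """Legacy style: one allow rule per observed (src IP, dst IP, port)."""
    return {(WORKLOADS[s].ip, WORKLOADS[d].ip, p) for s, d, p in flows}


def identity_policy(flows):
    """Identity style: rules keyed on (src identity, dst identity, port).
    Instances sharing a binary and role collapse into one rule."""
    return {(WORKLOADS[s].identity, WORKLOADS[d].identity, p) for s, d, p in flows}


def address_allows(policy, src, dst, port):
    return (src.ip, dst.ip, port) in policy


def identity_allows(policy, src, dst, port):
    """Symmetric enforcement: the client host checks its outbound rules before
    sending, the server host checks its inbound rules before accepting; both
    must agree. Default is deny, so unobserved paths stay closed."""
    outbound = {r for r in policy if r[0] == src.identity}  # client host's local view
    inbound = {r for r in policy if r[1] == dst.identity}   # server host's local view
    rule = (src.identity, dst.identity, port)
    return rule in outbound and rule in inbound


def rule_counts():
    """(address rules, identity rules) needed to cover the same observed flows."""
    return len(address_policy(OBSERVED_FLOWS)), len(identity_policy(OBSERVED_FLOWS))


def scenarios():
    """Return {case: (address_verdict, identity_verdict)} for three cases."""
    addr, ident = address_policy(OBSERVED_FLOWS), identity_policy(OBSERVED_FLOWS)
    web1, web2, db1 = WORKLOADS["web1"], WORKLOADS["web2"], WORKLOADS["db1"]
    # 1. Malware dropped on web1's host: same IP, same role label, different binary.
    malware = Workload("malware-on-web1", web1.ip, MAL_BIN, "web")
    # 2. Autoscaled web4 at an IP never seen in the flow log, same binary and role.
    web4 = Workload("web4", "10.0.1.13", WEB_BIN, "web")
    cases = {
        "malware_at_allowed_ip": (malware, db1, 5432),
        "autoscaled_instance": (web4, db1, 5432),
        "unobserved_path_ssh": (web1, web2, 22),
    }
    return {k: (address_allows(addr, s, d, p), identity_allows(ident, s, d, p))
            for k, (s, d, p) in cases.items()}


if __name__ == "__main__":
    print("rules needed (address, identity):", rule_counts())
    for case, (by_address, by_identity) in scenarios().items():
        print(f"{case}: address={by_address} identity={by_identity}")
```

Six observed flows need six address rules but a single identity rule, and the verdicts go the way the text argues: malware at an allowed address passes the address check and fails the identity check, a freshly scaled instance at an unknown address fails the address check and passes the identity check, and a path nobody observed is denied by both. A real deployment would bind the identity to the running process with a host agent and verify it on both ends of each connection; the dictionary lookups here stand in for that enforcement.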

Another aspect of Edgewise that is unique is that we decouple protection from the network. As I noticed early in my career, using the network as the control plane for what can communicate (and how) is risky. Because it’s the applications that organizations need to protect, it only makes sense to put the strongest control there. Yet so many security tools don’t do that. Edgewise’s application fingerprinting is a key reason Edgewise works across every network environment, and it’s a leading reason Edgewise is so easy to use. It’s also why we can confidently and credibly say that Edgewise offers a provable return on security investment that other companies can’t.

All of this is great news for any company wanting to eliminate flat networks and improve security control, but the most exciting part is the announcement of our 1-click auto-segmentation. Our team has worked really hard to build the best technology on the market, and I couldn’t be more proud of them. The fact that we made everything I explained above (a reduced network attack surface, application-based microsegmentation, cryptographic identity verification, zero trust, policy compression) achievable in one click is the real story. We’ve taken the complexity out of microsegmentation, delivering immediate results with provable security outcomes. We call it “impossibly simple microsegmentation with zero trust security.” Edgewise protects any application, in any environment, without any architectural changes. We provide measurable improvement by quantifying attack path risk reduction and demonstrating isolation between critical services, so that the paths an attacker would use to reach your applications are closed.

Strong. Scalable. Simple.

There’s so much more I could share in this blog post, but instead, I invite you to experience 1-click auto-segmentation in action for yourself. Contact us to schedule an online demo or visit us at any one of these upcoming conferences to speak with me, personally, about how to implement strong, scalable, impossibly simple security in one click.

Written by Peter Smith, Founder and CEO

Prior to founding Edgewise, Peter was on the founding team at Infinio Systems where he led cross-functional strategy for Infinio's products and technology as VP of Product Management. Peter brings a security practitioner’s perspective to data center products with more than ten years of expertise as an infrastructure and security architect of full-service data centers and customer-hosting environments for Harvard University, Endeca Technologies, American Express, Fidelity UK, Bank of America, and Nike.