Benefitting from microsegmentation
With all of this in mind, nearly every post-breach analysis by industry experts reveals that better network segmentation would have prevented these large-scale breaches. Even if the attacker exploited unpatched software, a system misconfiguration, or a user’s credentials, a properly segmented network using zero trust principles would have stopped attackers before they reached their ultimate targets—generally speaking, the data.
The long list of standard security tools is standard for a reason: these tools are part of a larger ecosystem of technologies that are proven to help security and networking teams manage the confidentiality, integrity, and availability of systems and system resources. Each of these “checkbox” tools has its place in the ecosystem, especially as the high-level goal is to reduce the number of ways adversaries can get into the network. Antivirus is good at catching the “low-hanging fruit” constantly aimed at organizations. Firewalls are proven effective at managing external traffic requesting network access. SIEMs are great at collecting data from multiple sources and alerting on deviations from normal network activity. But let’s remind ourselves that as effective as these technologies are, most were originally built for and implemented in on-premises environments. Even though some next-gen versions of these tools can adapt to the cloud, they weren’t born in the cloud, which is why they’re not able to prevent today’s attacks with greater confidence.
Eliminating network blind spots
Almost every company I’ve talked to in the last few years manages a hybrid cloud, often with a multi-cloud deployment (meaning they operate internal data centers plus more than one cloud, from different cloud providers). The tooling that works effectively in on-premises data centers may not scale or adapt to large enterprises’ cloud instances. And the cloud-native tools provided by the cloud providers themselves are only germane to that specific provider. What this means is that companies now have to manage a vast set of disparate tools across multiple environments, then try to correlate those tools to understand what’s happening on their multiple networks with their myriad of data. This is creating too many blind spots and opportunities for exploitation.
Getting back to the idea of network segmentation, the problems mentioned in the last few paragraphs illustrate just how complex it is to manage the organization’s systems and data. A one-size-fits-all approach to segmenting the network is next to impossible with address-based tools. Though most security and infrastructure practitioners know about—and may have suffered through—firewall-based segmentation or microsegmentation projects, this approach just does not scale in today’s dynamic environments. The customers and prospects I speak to want to segment their networks to keep the bad guys from accessing private data, but they’re gun-shy. In the past, segmenting the network meant too many rules, too many exceptions, and not enough assurance that adversaries couldn’t abuse network information to reach their intended targets anyway.
So while we can all agree that better (micro)segmentation and a zero trust methodology are a “must,” past methods keep practitioners from moving forward at the speeds they need. In other words, attackers aren’t the ones letting technology hold them back. Defenders are investigating and talking about how to accomplish network segmentation/microsegmentation, and time is of the essence. To struggle through another costly and time-intensive failed implementation isn’t an option.
Increasing hybrid cloud security without adding technical debt
What I am learning and excited about is the fact that Edgewise is ideal for organizations that want to move ahead with zero trust microsegmentation, especially if the initiative doesn’t require re-architecting the network or making significant changes that result in technical debt. Network and security teams managing hybrid cloud want a cross-platform solution that helps them understand application, server, and host communication patterns—managing the unknown. Beyond baseline visibility, companies want a straightforward way to secure apps and services uniformly, without constantly writing and revising rules when network constructs change.
I joined Edgewise because I thought I saw a solution that could deliver an answer to previously laborious microsegmentation projects. Several months into my tenure here, I know that companies looking for a way to segment their networks—even the most dynamic networks spread across multiple providers—have a way to protect their sensitive applications with zero trust without the pains of the past.