As traffic on the network increases, so do potential vulnerabilities. Network access should be managed more tightly to keep data secure.
For years, IT security has been focused primarily on defending the enterprise network from external threats by protecting the perimeter, identifying threats and patching vulnerabilities. There are hundreds of thousands of new malware files detected every day, and in January alone, the Zero Day initiative listed 160 new security vulnerabilities. Eventually, one of the attacks in the infinite onslaught of new threats targeting new vulnerabilities will succeed in penetrating the firewall, leading to network access.
The initial entry point is rarely the intended target. Once inside the network, bad actors exploit exposed network pathways to move laterally to access the most valuable data and applications. While there may be hundreds or even thousands of these network pathways, their number is limited. Unlike malware files or vulnerabilities, the number of ways to access critical digital assets is finite. If pathways can be secured in a way that controls east-west communications, any attacks that get beyond the perimeter will be unable to do much, if anything.
But understanding and identifying those communications pathways is no simple task. Most security and networking teams have no map of these pathways, much less the ability to identify which ones offer the shortest viable paths that allow attackers to reach their target efficiently. What’s more, the network’s attack surface is constantly changing and growing. New applications and services, mobile device access, the addition of clouds and containers … these all add new potential vulnerabilities to enter companies’ networks undetected.
Understand the Pathways
Without a clear understanding of all the ways an attacker could reach their target, it’s impossible to decrease and secure those available routes so security teams will first need to discover all assets in the network. Addressing the following questions presents a good place to start:
- What assets does the company have in on-premises data centers, the cloud and container environments?
- Which assets are most critical to the business?
- Which would cause the most damage to the business if they were disrupted, damaged or exposed?
- What and where are the organization’s most exploitable vulnerabilities (e.g., phishing, insecure code, unpatched systems)?
- Which pathways would best serve an attacker as they move laterally toward these critical assets and vulnerabilities?
This assessment is not a one-time exercise, but rather needs to be an ongoing effort that, ideally, takes advantage of automated scanning. Given the size of most large enterprise networks, automated discovery is really the only feasible way to keep an up-to-date record of assets and available network paths.
Eliminate Unnecessary Pathways
Once IT has created an offensive map of the network, which identifies the low-friction network pathways that exist between attackers and targets, the security team can determine which paths are most likely to be exploited and then eliminate pathways to and from critical assets that are never or seldom used. As a result, security and network teams will sharply limit the ability of attackers to move laterally inside the network.
While limiting the number of paths attackers can use to access critical assets reduces risk, it’s not enough to protect the interior. Next, networking or security teams need to build segments around sensitive data and systems through microsegmentation at the workload level.
Some readers may be groaning at this point, because they’ve already lived through a prior microsegmentation project that relied on IP addresses and VLANs. It’s hard to blame them. This antiquated way of microsegmenting a network is cumbersome, lengthy and expensive. Network-based microsegmentation tools require re-architecting both the network and application, which is no small task. If a new application is deployed on the network, creating a new firewall rule for it can take hours, and because the network is always changing, admins spend much of their time updating static policies manually.
Thankfully, modern microsegmentation is based not on IP addresses, ports and VLANs, but rather on software identity, which relies on immutable, cryptographic attributes of the software for control decisions. Software identity confers a number of advantages. First, it’s a more reliable construct on which to enforce access decisions in today’s dynamic environments. It also eliminates the complexity of creating multiple rules for each application, and policies and can be supported across any platform, including multi-cloud environments and containers. Finally, application-centric policies can adapt to the environment, so administrators can create and manage policies from a central location and retain visibility no matter where workloads are communicating.
Mapping key assets and pathways, optimizing these pathways and then microsegmenting the network—it’s all a huge undertaking. Simply keeping an up-to-date map of resources across dynamic networks is a big challenge on its own. But we’re long past the point when the enterprise can rely on securing the perimeter, patching vulnerabilities and detecting threats to protect the critical data and applications on which the business depends. Through asset discovery and software identity-based microsegmentation, organizations can ensure that they’re not working in a hard shell with a soft center, but in an environment that’s hardened all the way through.