Illumio’s cyber assessment program helps find new attack surfaces ASAP

Program can reduce the number of possible paths malware can traverse, minimizing the blast radius of any breach


Earlier this week, I wrote a post discussing how visibility can be used to reverse the security asymmetry challenge. On Tuesday, hot security startup Illumio proved my point by announcing a cyber assessment program that uses granular visibility to identify new attack surfaces.

Illumio’s Attack Surface Assessment Program (ASAP) was led by Nathaniel Gleicher, former Director of Cybersecurity Policy for the National Security Council at the White House and now the Head of Cybersecurity Strategy for Illumio. The White House obviously has the strictest of security policies, giving Gleicher the necessary level of paranoia to put together a program like this. Now, any company can benefit from his experience.

Increase of east-west traffic raises security challenges

The data center is an interesting place in that it’s the location with the most high-value assets, but it’s also one of the most insecure places. Most companies focus on securing the paths into the data center, so the inside of the network is assumed to be highly secured.

The rise of east-west traffic, however, has made data centers less secure.

Almost all data center security is located at the core, and this was fine when all traffic moved in a north-south direction because all north-south traffic has to pass through the core.

However, when traffic moves laterally, or in an east-west direction, it completely bypasses the core, meaning it bypasses the security. The growth of east-west traffic is due to the rise of virtual servers, containers and private cloud build-outs. A 2015 ZK Research study found that east-west traffic was growing at about 5x the rate of north-south traffic, making the challenge something businesses need to deal with now.

One solution would be to attach a security device to every possible connection in and out of a server, but that would be over-the-top expensive and so complicated to manage that it is not a feasible option.

Another possible solution is to use some kind of segmentation technology. This creates individual virtual networks or segments to isolate different types of traffic or data. The issue with segmentation is that it can be complicated to set up and manage and is generally deployed only at a high level. Each “segment” is effectively a separate IT environment to deploy and manage. Some servers have hundreds of connections into them, so creating hundreds of segments for that one server quickly becomes unmanageable. That is why segmentation tools can be difficult to deploy at scale.

Providing visibility to identify attack surfaces

Illumio’s ASAP uses fine-grained—or MRI-like, as the company calls it—visibility inside the data center and cloud to provide a map of high-value assets and exposed communication paths between applications. This map can be used to help enterprises understand what the new attack surfaces are and then reduce the number of them.

Once a breach has occurred, the malware can live inside the data center for months while it builds its own map of high-value assets. The attackers behind it can use this map to identify specific information they would like to exfiltrate at a later date. ASAP can be used to reduce the number of possible paths malware can traverse, minimizing the blast radius of any breach. The increased visibility can also be used to find malware that is spreading laterally, most likely in an east-west direction that would typically have evaded any security located in the core.

Another interesting point of the assessment is that the output map can be used to help enterprises understand where to apply IT segmentation tools. As I stated before, segmentation is powerful but hard to scale. The output of ASAP can be used to help focus on areas where segmentation will have the most value.
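To make the idea concrete, here is an added illustration (example code, not Illumio's or ASAP's own): it models observed east-west flows between workloads as a graph, scores each workload's blast radius as the set of high-value assets it could reach if compromised, inverts the map to show which asset has the widest reach (where segmentation pays off most), and then applies a hypothetical allowlist policy to show the score drop. Workload names, flows and the policy are constructed sample data.

```python
from collections import deque

# Constructed sample data: (source, destination) east-west flows observed between workloads.
FLOWS = [
    ("web-1", "app-1"), ("web-2", "app-1"), ("app-1", "db-pci"), ("app-1", "db-hr"),
    ("jump-host", "web-1"), ("jump-host", "app-1"), ("jump-host", "db-pci"),
    ("build-srv", "app-1"), ("legacy-ftp", "db-hr"),
    ("monitor", "web-1"), ("monitor", "app-1"), ("monitor", "db-hr"),
]
HIGH_VALUE = {"db-pci", "db-hr"}                 # the assets worth protecting
WORKLOADS = {w for flow in FLOWS for w in flow}
# Hypothetical segmentation policy: an allowlist of the flows the app tiers actually need.
ALLOWED = {("web-1", "app-1"), ("web-2", "app-1"), ("app-1", "db-pci"),
           ("app-1", "db-hr"), ("monitor", "web-1"), ("monitor", "app-1")}

def build_graph(flows):
    """Adjacency sets, src -> {dst, ...}."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
    return graph

def reachable(graph, start):
    """Workloads reachable from `start` by chaining flows (BFS); excludes `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def exposure(flows, high_value=HIGH_VALUE, workloads=WORKLOADS):
    """High-value assets each workload could reach if it were compromised."""
    graph = build_graph(flows)
    return {w: reachable(graph, w) & high_value for w in workloads}

def total_exposure(flows, high_value=HIGH_VALUE):
    """Number of exposed (workload -> high-value asset) paths: a blast-radius score."""
    return sum(len(assets) for assets in exposure(flows, high_value).values())

def asset_reach(flows, high_value=HIGH_VALUE):
    """Invert the map: which workloads can reach each asset? Widest reach = segment first."""
    exp = exposure(flows, high_value)
    return {a: {w for w, assets in exp.items() if a in assets} for a in high_value}

def apply_policy(flows, allowed):
    """Segmentation as an allowlist: drop every flow the policy does not permit."""
    return [flow for flow in flows if flow in allowed]
```

In the sample, the total exposure score falls from 13 to 8 once the allowlist is applied, and the jump host, build server and legacy FTP box can no longer reach either database.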

A sample executive summary of the output of ASAP is shown below. The report provides a high-level summary of total workloads and attack surfaces but then provides some granularity to identify high-value targets. The report gives businesses the right information to understand where the greatest risks are and then take action—ASAP.