An Interview with Paul Ciesielski, CRO, TrueFort
TAG Cyber: What are the greatest risks to cloud workloads?
TRUEFORT: While most workload-protection vendors would claim that the biggest risk to every organization is the compromise of a single cloud workload, the reality is that it has little impact on an organization. The greatest risks to cloud workloads revolve around the tactical advantage they offer an attacker with access to one. Once reached, attackers can often operate for days or weeks without detection because they are already inside the perimeter, and the understanding of normal operations is especially weak. Moreover, on most workloads, the execution of important commands is automated with privileged accounts, meaning attackers can steal these accounts from the compromised systems and reuse them to move laterally. Finally, from an initial cloud workload access, attackers easily move from one asset to another to access critical data stored in a database within the same environment.
TAG Cyber: What specifically is meant by Zero Trust segmentation?
TRUEFORT: Historically, all access to a production environment required authentication, but after a user was authenticated once via VPN, they were trusted to access any workload or database within the same environment without limitation. Attackers famously took advantage of this by stealing privileged credentials and using them to rapidly spread across the network, system by system, until they reached a database containing critical data they could monetize. Attacks may originate as phishing successes or SQL injections on a website, but they escalate when they gain administrator control of a cloud workload. Zero Trust aims to disarm this common attacker behavior by questioning every single lateral move within the data center or cloud.
The two major aspects of a Zero Trust architecture are Zero Trust Network Access (ZTNA) and Zero Trust segmentation. ZTNA is determined to improve VPN access by testing every access of an administrator within the data center or cloud, whereas Zero Trust segmentation focuses on making it impossible to move from one workload to another in a manner that is not necessary for typical enterprise applications to serve customers. More specifically, Zero Trust segmentation is an aspect of Zero Trust that blocks access from one workload to another between, and within, enterprise applications. This means that despite an account getting approved to access one workload in the environment, all access to a second or third workload is blocked until reevaluated and approved, thus creating a significant number of network segments within a single application environment.
TAG Cyber: How does the TrueFort solution work?
TRUEFORT: Our solution makes Zero Trust segmentation (or microsegmentation) more accessible and effective by starting with a precise behavioral mapping of all activity within the data center and cloud from Day One. Rather than merely demonstrating network traffic between workloads, TrueFort shows security teams all activity according to the who (Which service or admin account?), what (What command was executed?), when (Does this happen often?), and where (Is the resulting activity at the destination unusual?). Once our customers have this clarity, they can not only enforce the blocking of network connections through host firewall rules, but also automatically kill any of these unapproved behaviors. They can prevent processes from running, shut down an account behaving strangely, or even go so far as to kill an unusual command line argument to instantiate a network connection that’s been witnessed thousands of times before.
TAG Cyber: Tell us more about how you integrate with commercial endpoint agents.
TRUEFORT: Generally, one of the biggest pains around security products is that they always require “yet another agent.” This is why we invested so much development effort into making the TrueFort Platform work with existing CrowdStrike and other endpoint detection and response (EDR) agents that our customers have already deployed. The full extent of how service accounts are used to execute key network connections between applications and workloads is gleaned through the telemetry gathered by already installed agents. And it doesn’t stop with analyzing the telemetry that comes from these EDR leaders, TrueFort also pushes enforcement policies to the agents to automate microsegmentation. As IP addresses change from the DHCP or new workloads spin up to auto-scale for a customer, TrueFort fingerprints these workloads based on their behavior within enterprise applications and uses that to identify anomalous actions. No one in the cyber security market shows more value from the EDR agents that customers have already installed.
TAG Cyber: What predictions can you share regarding this area of enterprise cybersecurity
TRUEFORT: From what enterprises are experiencing, it is clear that microsegmentation is rapidly moving from a “nice to have” to a “must have” when protecting both critical and regulated data. Since it is a likely occurrence that there will be some level of compromise in any application environment, microsegmentation is now viewed as the only viable mitigation against the lateral movement that makes these attacks so devastating. Between NIST and the DOD, including microsegmentation as mandatory for Zero Trust architectures, cyberinsurer mandates, and regulators requiring deeper segmentation for compliance, it is time for every organization to build their plan for enhancing enterprise security with microsegmentation.
