Dropping the Network-centric Approach for Microsegmentation Mainstream Adoption

Taking a look at mainstream adoption of host-based microsegmentation

In both Gartner’s Hype Cycle for Workload and Network Security 2022 (login req.) and Hype Cycle for Enterprise Networking, 2022 (login req.), Microsegmetation (which includes TrueFort as a representative vendor) is prominently placed in the ‘Slope of Enlightenment’ with the context that it “will reach the ‘Plateau of Productivity’ in less than two years.” This technology – finally reaching the mainstream – should excite any security team who has struggled to contain the spread of ransomware and other forms of unauthorized lateral movement.

In the report, Gartner defines “microsegmentation” as follows:

Microsegmentation can reduce the risk and impact of cyberattacks. It is a form of zero-trust networking that controls the access between workloads and is used to limit lateral movement, if and when an attacker breaches the enterprise network. Microsegmentation also enables enterprises to enforce consistent segmentation policies across on-premises and cloud-based workloads, including workloads that host containers.

But none of this concept sounds new. Why has it taken until 2022 to see a path to mainstream adoption? TrueFort believes that the goals were always correct, but the approach needed to change.

Network segmentation has been too difficult to achieve with firewalls

Network segmentation was considered a best practice for years, but once the findings of the Target data breach were made public in 2013, many security teams raised its priority in their long-term programs. Beyond the foundational controls already in place, organizations needed to secure application runtime environments in two key ways:

1. Segmenting the network to isolate vulnerable assets from assets with sensitive data
2. Enforcing “least privilege access” across all servers to curtail lateral movement

However, it just wasn’t that easy. When you think about network segmentation, it’s natural to think it’s most likely to work through the devices already deployed to monitor and filter network traffic – a firewall, an intrusion prevention system (IPS), and a next-gen firewall (NGFW). We’ve heard from organizations who have deployed as many as eighty (80) next-gen firewalls in their data centers to segment East/West traffic (i.e., traffic between application servers). Segmenting traffic was simply too challenging with these legacy devices designed to filter out known-bad traffic.

And this aligns well with some of the drivers Gartner states are important to microsegmentation adoption:

• As servers are being virtualized, containerized or moved to infrastructure as a service (IaaS), existing safeguards such as traditional firewall, intrusion prevention, and antivirus are rarely able to follow the fast pace of deployment for new assets. This leaves the enterprise vulnerable to attackers gaining a foothold and then moving laterally within enterprise networks. This has created increased interest in visibility and granular segmentation for east-west traffic between applications, servers and services in modern data centers.

• The increasingly dynamic nature of data center workloads makes traditional network-centric segmentation strategies difficult to manage at scale, if not impossible to apply.

• The shift to microservices container architectures for applications has also increased the amount of east-west traffic and further restricted the ability of network centric firewalls to provide this segmentation.

All changes in application architectures, as in cloud deployments, demand a new approach to controlling network traffic.

Host-based microsegmentation is the new approach to this known security challenge

When we all walk around the RSA Conference exhibit hall, there are always some consistent trends: “next-gen” for antivirus, firewalls, and SIEM and “2.0” for deception, vulnerability management, and network traffic analysis. The new solutions are not often new. These are invariably enhanced technology applied in slightly different ways.

Except when there’s truly a new approach. I have been a part of building a lot of disruptive security products: a SIEM with user and endpoint context, an endpoint protection solution that actually explained what the SOC blocked and how to automate blocking next time. These are all valuable enhancements to legacy controls, but they aren’t completely new approaches.

No level of enhancement to the status quo of next-gen firewalls makes microsegmentation achievable. Network devices simply can’t understand what is running on the servers or, more importantly, what the larger applications are supposed to do daily. Even when security teams took advantage of host-based firewalls and those at the hypervisor, it was rarely possible to move to segmentation enforcement because of the elevated risk that legitimate activity could be unintentionally blocked, causing an outage more expensive than a potential incident. Network activity alone is utterly useless in preventing novel attacks or stolen credentials.

This is why TrueFort customers control the network by enforcing application and workload behavior. We strive to ensure our customers understand all of the legitimate East/West traffic, service account activity, and day-to-day workload behavior within their application runtime environment. This aligns to two more of the drivers Gartner highlights for microsegmentation:

• Some microsegmentation products provide rich application communication mapping, allowing data center teams to identify which communication paths are valid and secure.

• Growing interest in zero-trust networking approaches has also increased interest in using application and service identities as the foundation for adaptive application segmentation policies. This is critical to enforcing segmentation policies in the dynamic networking environments used within container-based environments.

I believe very strongly that the only way to achieve both segmentation and least-privilege access effectively is through alignment with application owners. Security will only block without adverse consequences if they enforce the desired application behavior.

Full adoption of microsegmentation is now possible, but it takes planning

What we hear from our customers is not that they’re thinking about microsegmentation – it’s that they’ve been trying for 4+ years to do it effectively with the products they had available. Of the obstacles and user recommendations highlighted in the Hype Cycle report, a few are very consistent with we’ve navigated with our customers.

Important obstacles Gartner highlights are

• Complexity — If not planned and scoped correctly, microsegmentation projects can lose organizational support before completion.

• Organizational dynamics — Cloud-centric organizations employing DevOps may value agility more than security, believing that any additional security controls will introduce operational friction.

And the user recommendations we have seen most with our successful customers

• Start small and iterate with basic policies. Oversegmentation is the leading cause of failure and an unnecessary expense for segmentation projects.

• Do not use IP addresses or network location as the foundation for east-west segmentation policies. Use the identities of applications, workloads and services — either via logical tags, labels, fingerprints or stronger identity mechanisms.

• Apply continuous adaptive segmentation. Start with new assets, then close existing gaps. Identify quick wins, and mix zoning governing principles when needed.

• Target the most critical assets and segment them first.

If controlling lateral movement with network segmentation and least-privilege access has felt like a pipe dream, drop us a line, and we’ll show you how we can help your team make it a reality.

If you’re a Gartner client, you should check out the Hype Cycle for Workload and Network Security, 2022 report here (requires login). To check out the full Hype Cycle for Enterprise Networking, 2022 report here (also requires login).