Microsegmentation visibility is key for best cybersecurity practices
Gartner’s new Market Guide for Microsegmentation (login req.) states that “Gartner sees interest across all verticals and geographies. Midsize organizations are evaluating microsegmentation solutions, a relatively new development.”
This aligns with their statements made in the 2022 Hype Cycles, and we at TrueFort strongly believe that advancements in technology have finally made it achievable. Three of the recommendations from the report mesh well with the innovations that we consistently hear our microsegmentation customers need.
There is a high “visibility” bar needed to gain the confidence to enforce microsegmentation policies
One key recommendation on Gartner’s list for choosing a microsegmentation technology is:
Choose the tool that provides most granular visibility per type of workload and enables east-west traffic segmentation to reduce the attack surface and to prevent the lateral spread of threats.
I have always struggled with describing the value TrueFort delivers as simple “visibility”, but the Gartner team coined the phrase “Application-mesh visibility” with a detailed description of what we often hear as the first and most important phase of a microsegmentation project.
Whenever I ask what caused their other microsegmentation projects to fall short, they point to the same problem: they weren’t certain of the repercussions if they started blocking. The gaps differ by technology: some tools only showed flows between IP addresses, others tied flows more clearly to the workloads involved, but none of them painted the whole picture of how the services, workloads, and databases within applications operate every day. Without this clarity, there wasn’t the confidence to block anything more granular than global policies around ports and protocols.
This is why the foundation of TrueFort Platform is built on the real-time, continuous stitching together of all behavior in the environment. Want to know what caused the concerning network connection that triggered an anomaly alert? Rewind the clock, dig into the related application, and go deep enough to view the full process tree and commands that led to it. With this level of detail, the next recommendation becomes the key second phase of microsegmentation projects.
Context, integrations, and scale are all necessary to create a helpful baseline
The Market Guide lists another recommendation as follows:
Test the capability of the tool extensively, including their ability to:
- Create rules based on application — identity, tags, labels and characteristics
- Collect contextual data from various cloud sources, asset inventory, CMDBs, etc.
- Scale seamlessly when implementing these features
Context and domain expertise have long been valuable to security, because business operations are not designed to explain themselves. The challenge is always tying together enough of that context automatically for security teams and application owners, especially across large, complex environments.
Tying back to the first recommendation, it’s easy to pretend that log collectors or EDR agents could gather all the necessary context, but that is a myopic approach. No single data source can sufficiently explain every asset, every network connection, and every service account across the data center and cloud. There are already many products in each environment tracking application configurations, host-based activities, network traffic, and more.
This very challenge has driven much of the TrueFort product strategy in the past 12 months. You’ll rarely meet an IT professional who trusts their CMDB to be fully current, but even a partially accurate one adds a great deal of context to what is happening. Almost every organization has an EDR solution, so we built deep integrations to use telemetry from the installed CrowdStrike and SentinelOne agents. Environments usually have asset management tools in place, so we partnered closely with Armis to give customers context around IoT devices and unmanaged assets. Only with this extensibility can we make the third recommendation truly effective.
Moving from manual network rules to automated microsegmentation requires all of the above and more
The last recommendation from the Market Guide that we constantly hear as the final piece of the puzzle for enforcement is:
Leverage an [sic] microsegmentation supporting technology that gives visibility into workload communication and uses AI/ML to provide policy recommendation and semiautomated deployment.
As we commonly hear, it is one thing to get snapshots of workload activity and network connections, but too many solutions focus on asking you what to block before they’ve shown you what needs to be allowed. Machine learning (ML) has a great deal of value to add here: unlike unpredictable human administrators, workloads follow the orders given to them by code. Explaining consistent, repetitive behavior is where algorithms shine. Observing these high-paced environments for a couple of weeks tells you enough to generate a full set of recommended microsegmentation policies.
And this is where TrueFort truly stands out from all other options: in explaining what needs to happen in your data center and cloud. The TrueFort team is obsessed with explaining seemingly benign, daily activity to make sure no workload behavior goes unexplained. And we specifically apply machine learning to demonstrate a single truth to both application owners and security teams about what happens in these environments. Visualizing these baselines with the application-mesh visibility and extended context is what finally gets the full organization (not just security) comfortable moving into enforcement mode.
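To make the two ideas above concrete (enriching IP-level flows with inventory context, then turning an observed baseline into default-deny allow rules and flagging deviations), here is an added example that is not TrueFort's code or any product's algorithm; the inventory, flow records, and tier labels are all constructed.

```python
from collections import defaultdict

# Constructed inventory standing in for a CMDB or tag source: IP -> (workload, application, tier)
INVENTORY = {
    "10.0.1.10": ("web-01", "billing", "web"),
    "10.0.1.11": ("web-02", "billing", "web"),
    "10.0.2.20": ("api-01", "billing", "app"),
    "10.0.3.30": ("db-01", "billing", "db"),
    "10.0.9.99": ("jump-01", "ops", "bastion"),
}

# Constructed flows captured during a learning window: (src_ip, dst_ip, dst_port, proto)
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8443, "tcp"),
    ("10.0.1.11", "10.0.2.20", 8443, "tcp"),   # second web node, same tier -> same rule
    ("10.0.2.20", "10.0.3.30", 5432, "tcp"),
    ("10.0.2.20", "10.0.3.30", 5432, "tcp"),   # repeated flow collapses into one rule
]

def enrich(flow):
    """Translate an IP-level flow into application/tier terms using the inventory."""
    src_ip, dst_ip, port, proto = flow
    unknown = ("unknown", "unknown", "unknown")
    _, src_app, src_tier = INVENTORY.get(src_ip, unknown)
    _, dst_app, dst_tier = INVENTORY.get(dst_ip, unknown)
    return (src_app, src_tier, dst_app, dst_tier), (proto, port)

def build_baseline(flows):
    """Collapse observed flows into tier-level allowed services keyed by app/tier pair."""
    baseline = defaultdict(set)
    for flow in flows:
        key, service = enrich(flow)
        baseline[key].add(service)
    return baseline

def recommend_policy(baseline):
    """Render the baseline as allow rules; anything unlisted falls to the final deny."""
    rules = []
    for (sa, st, da, dt), services in sorted(baseline.items()):
        for proto, port in sorted(services):
            rules.append(f"allow {sa}/{st} -> {da}/{dt} {proto}/{port}")
    rules.append("deny any -> any")
    return rules

def evaluate(flow, baseline):
    """Return 'allowed' if a new flow matches the learned baseline, else 'deviation'."""
    key, service = enrich(flow)
    return "allowed" if service in baseline.get(key, set()) else "deviation"
```

Because rules are keyed on application and tier rather than IP, a newly added web node inherits the existing rule, while a web node talking straight to the database is reported as a deviation for review.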
Doing more with less: Consolidation of agents, consoles, and use cases
One last point shared in the guide is more of a passing data point but is incredibly relevant when considering microsegmentation solutions. According to the authors, “the 2022 Gartner CISO: Security Vendor Consolidation XDR and SASE Trends Survey found that 75% of organizations surveyed are actively pursuing vendor consolidation”. Well, if you have a microsegmentation solution that analyzes every behavior between and within your applications, why couldn’t it also alert you to file integrity issues on workloads or unusual behavior from service accounts? It is already mapping every one of these actions back to a baseline of approved policies, right? It’s this combination of segmentation, FIM, and covering a gap in UEBA/PAM technologies that convinced me to join the TrueFort team. It may sound like too much to be on a single platform, but we would happily show it all in a demo.
If you’re a Gartner client, check out the full Market Guide here (requires login).
To learn more about TrueFort, please request a demo to see why we’re picked over the rest of the list.