Cyberattacks: Prevention to Containment

Written by Gary Barlet, Field CTO, Illumio.

Historically, cybersecurity in both the public and private sectors has followed one consistent theme: prevention and detection. The problem? Prevention and detection aren’t enough.

Breaches are still happening.

After decades of trying to prevent and detect direct attacks by adversaries, and failing, it’s time to shift the focus to containment. Whether Einstein actually said it or not, the truism still holds: “The definition of insanity is doing the same thing over and over and expecting different results.”


Traditional security methods aren’t enough to fight modern adversaries

Most security teams’ efforts have focused on trying to keep threats from entering the data centre or cloud.

The boundary between the untrusted outside and the trusted inside is where the majority of security tools have been placed. This is where next-generation firewalls, anti-virus scanners, proxies, and other security tools are deployed, attempting to inspect all incoming traffic to ensure that nothing bad slips through.

However, virtually every publicised security breach of recent years occurred at an organisation that had at least one of these tools deployed, and most of those organisations were in compliance with their security requirements. Yet adversaries still got into the network.

And once inside the network, all adversaries have one thing in common: they like to move. They spread laterally, east-west, moving from host to host to seek out their intended target for data exfiltration. Much of that movement rides on legitimate administrative protocols such as SMB, RDP, SSH and WinRM, often with valid credentials, so it looks like ordinary traffic to anything that watches only packet headers.

Many of these breaches have been discovered long after the adversary entered the network, sometimes months later. Even with the shift from prevention to detection, today’s tools are no match for modern adversaries, who are very good at avoiding detection until after the damage is done.


Once compromised, most networks are wide open to east-west propagation

A traditional approach to cybersecurity defines everything outside the perimeter as untrusted and everything inside it as trusted. The result is that there is often very little to prevent adversaries from spreading laterally once they are inside the trusted core.

Spreading host to host, application to application, and across network segments means that most workloads are sitting ducks for fast-moving adversaries. And conventional network segments such as VLANs and subnets are usually very ineffective at preventing adversaries from spreading between hosts: within a segment nothing restricts host-to-host traffic at all, and between segments the access lists are coarse and rarely kept current.

Network devices look at packet headers, but discovering adversaries requires looking deep into the data payload of packets, and doing that everywhere means deploying firewalls between all hosts. This quickly becomes expensive and a potential network bottleneck, with every packet needing to be ‘cracked open’ and inspected, relying on signatures, ‘sandboxes,’ AI, machine learning, or other complex methods, all without slowing down the network. And since a growing share of east-west traffic is encrypted, payload inspection also needs TLS interception before it can see anything at all.

Even when this approach is tried, it is quickly abandoned or pared down, and delivers no ROI on hard-won budget dollars. This leaves very little to prevent east-west propagation, and hosts remain wide open.

When the inevitable breach occurs, people start pointing fingers.


Organisations without Zero Trust Segmentation are fighting a war they can’t win

All perimeters are porous. Even a 99 percent effective perimeter security boundary will eventually be breached. Or a breach will originate from the inside, either accidentally or intentionally.

Those who are still trying to deploy even more expensive security tools at the perimeter, and who continue to trust that their hosts are not propagating any kind of threat, will find themselves in the media the next day as the latest victim of a direct attack.

Zero Trust Segmentation, also known as microsegmentation, is a major part of a Zero Trust architecture in which every resource is a trust boundary, decoupled from network boundaries.

Illumio ensures every single workload is segmented from every other workload, enforcing a least-privilege access model between them, with hosts identified using a metadata-driven model rather than their network addresses. This means that workloads deployed on hosts are identified by their function and not their location, enabling clear visualisation of network behaviour between hosts. Because the policy is written in terms of those labels rather than IP addresses, it survives a workload moving or being redeployed, and an attacker who compromises one host inherits only the handful of connections that host’s role actually needs.


Gain visibility of how applications are talking on your network

Visibility into network traffic between applications, from an application-centric perspective, is challenging using network devices, whether physical devices in a data centre or virtual devices in a public cloud.

This is because visualising application behaviour and dependencies from switches, routers, firewalls, or monitoring tools usually requires translating network behaviour into application behaviour and discovering ‘who is doing what to whom’ between applications and hosts. This quickly becomes more confusing than revealing.

Visualising how applications talk to each other across a network requires a solution deployed directly on the hosts those applications run on. Having a clear and precise dependency map between all applications in your data centre and cloud enables very quick discovery of compliance violations and of how hosts are communicating with each other, without having to touch the network or the cloud.
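As an added worked example, not Illumio’s code or product logic, the following Python sketches the model the two preceding sections describe: a workload inventory labelled by app, role and environment; a default-deny policy written only in those labels; compilation of that policy into per-host inbound allow rules (rendered in nftables syntax); and a replay of host-level flow records to build an application dependency map and flag the east-west flows the policy does not permit. The inventory, addresses, label names, rule format and flow log are all constructed assumptions for illustration.

```python
"""Label-based Zero Trust segmentation as a small policy engine (added example,
not Illumio code). Workloads carry labels (app, role, env); the policy is written
only in labels and is default-deny. It is then (1) compiled into per-host inbound
allow rules and (2) replayed against host-level flow records to draw a dependency
map and flag east-west flows it does not permit. All data here is constructed."""
from collections import defaultdict

# Constructed inventory: name -> (ip, labels). Rules never mention the ip.
WORKLOADS = {
    "web-1":  ("10.0.1.10", {"app": "orders", "role": "web", "env": "prod"}),
    "web-2":  ("10.0.1.11", {"app": "orders", "role": "web", "env": "prod"}),
    "api-1":  ("10.0.2.10", {"app": "orders", "role": "api", "env": "prod"}),
    "db-1":   ("10.0.3.10", {"app": "orders", "role": "db", "env": "prod"}),
    "db-dev": ("10.0.3.50", {"app": "orders", "role": "db", "env": "dev"}),
    "jump-1": ("10.0.9.10", {"app": "mgmt", "role": "bastion", "env": "prod"}),
}
IP_TO_NAME = {ip: name for name, (ip, _) in WORKLOADS.items()}

# (consumer selector, provider selector, (proto, port)). A selector lists required
# labels; an empty one would match everything, so keep selectors specific.
POLICY = [
    ({"app": "orders", "role": "web", "env": "prod"},
     {"app": "orders", "role": "api", "env": "prod"}, ("tcp", 8443)),
    ({"app": "orders", "role": "api", "env": "prod"},
     {"app": "orders", "role": "db", "env": "prod"}, ("tcp", 5432)),
    ({"role": "bastion", "env": "prod"}, {"env": "prod"}, ("tcp", 22)),
]

def labels_of(name):
    """Labels of a workload; an unknown host has none, so no rule can match it."""
    return WORKLOADS.get(name, (None, {}))[1]

def matches(labels, selector):
    """True when every label the selector names has that value on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())

def is_allowed(src, dst, proto, port):
    """Default deny: allowed only if some rule covers both ends and the service."""
    return any(matches(labels_of(src), c) and matches(labels_of(dst), p)
               and (proto, port) == svc for c, p, svc in POLICY)

def host_rules(name):
    """Resolve the label policy to concrete inbound allows for one host. IPs enter
    only here, so a redeployed workload with the same labels gets the same policy."""
    rules = set()
    for consumer, provider, (proto, port) in POLICY:
        if matches(labels_of(name), provider):
            rules.update((ip, proto, port) for other, (ip, lbls) in WORKLOADS.items()
                         if other != name and matches(lbls, consumer))
    return sorted(rules)

def render_nft(name):
    """Body of an inbound chain in nftables syntax (illustrative; chain policy drop)."""
    allows = [f"ip saddr {ip} {proto} dport {port} accept" for ip, proto, port in host_rules(name)]
    return ["ct state established,related accept", *allows, "drop"]

# Constructed host-level flow records: timestamp src dst proto dport.
FLOW_LOG = """\
2024-05-01T10:00:01Z 10.0.1.10 10.0.2.10 tcp 8443
2024-05-01T10:00:02Z 10.0.2.10 10.0.3.10 tcp 5432
2024-05-01T10:00:03Z 10.0.9.10 10.0.2.10 tcp 22
2024-05-01T10:00:04Z 10.0.1.11 10.0.3.10 tcp 5432
2024-05-01T10:00:05Z 10.0.1.10 10.0.1.11 tcp 445
2024-05-01T10:00:06Z 10.0.2.10 10.0.3.50 tcp 5432
"""

def parse_flows(text):
    """Turn address-based records into (src, dst, proto, port) by workload name."""
    flows = []
    for line in text.splitlines():
        _ts, src, dst, proto, port = line.split()
        flows.append((IP_TO_NAME.get(src, src), IP_TO_NAME.get(dst, dst), proto, int(port)))
    return flows

def dependency_map(flows):
    """'Who talks to whom', keyed by (app, env) pairs instead of addresses."""
    deps = defaultdict(set)
    for src, dst, proto, port in flows:
        s, d = labels_of(src), labels_of(dst)
        key = ((s.get("app", "?"), s.get("env", "?")), (d.get("app", "?"), d.get("env", "?")))
        deps[key].add((s.get("role", "?"), d.get("role", "?"), proto, port))
    return dict(deps)

def violations(flows):
    """Observed flows the policy does not permit: the east-west paths to cut off."""
    return [flow for flow in flows if not is_allowed(*flow)]

if __name__ == "__main__":
    print("\n".join(render_nft("db-1")))
    for flow in violations(parse_flows(FLOW_LOG)):
        print("NOT PERMITTED:", flow)
```

Running it prints the resolved inbound chain for db-1 (only the API tier on 5432 and the bastion on 22, then drop) and the three recorded flows the policy does not cover: a web server reaching the database directly, SMB between two web peers, and a production API reaching a development database. In the dependency map those last two appear as a web-to-web edge and a prod-to-dev edge, which is exactly the kind of path an address-only view hides.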


Always assume breach

The modern security model needs to assume that a breach either will occur or already has. Whether the breach comes from a state-sponsored adversary or a criminal gang, with the right technology, such as Zero Trust Segmentation, that threat can be isolated and prevented from spreading.
