Attacking a Macro Security Problem with Micro-segmentation

by Charlie Gero

Ransomware is everywhere. And the shift of workloads to the cloud and of employees to work-from-home models has only expanded the attack surface, creating new openings for attackers. Companies need Zero Trust solutions that not only defend against threat actors gaining access to enterprise systems, but also limit the impact of infections that slip through the cracks.

A permeable barrier

Those cracks are numerous and growing. VPN login credentials can leak, giving bad actors unfettered access to an entire network. Social engineering attacks use convincing phishing emails with links to malware, leading well-intentioned employees to accidentally expose company assets. Employees take their work laptops home, where they become infected while surfing the web, and then bring the malware into work when they plug into the network, a “sneakernet” attack that lands behind the firewall. Advanced hacking groups infect the software supply chain, turning trusted enterprise software into the launchpad for widespread breaches. There are simply too many attack lanes to enumerate completely.

And it’s not just the number of ways an infection can occur that’s frightening. Ransomware tactics range from the simple to the extremely sophisticated, and they continually evolve to evade detection and bypass security controls. Worse yet, once inside, ransomware exploits the outdated notion of a trusted network perimeter: it probes adjacent systems for vulnerabilities (east-west, or lateral, movement) to expand the infection from a single machine to large swaths of critical infrastructure within the network.

There are countermeasures designed to prevent these intrusions: strong identity and access controls, multi-factor authentication, secure web gateways, antivirus tools, and more. These and other solutions are certainly crucial elements of a Zero Trust security strategy. But the stark reality is that it just isn’t possible to plug every potential crack in the enterprise. At some point, there are diminishing returns in trying to build an impenetrable barrier. You need a strategy for protecting critical assets when ransomware gets past those enterprise defenses.

Multiple lines of defense

With its planned acquisition of Guardicore and its best-in-class network micro-segmentation solution, Akamai will be equipped to provide that protection. Guardicore complements Akamai’s industry-leading Zero Trust security solutions, providing multiple lines of defense against ransomware and other forms of malware.

Guardicore’s micro-segmentation technology logically divides the enterprise into distinct security segments, down to the individual software and workload level, with well-defined security controls for each. This approach addresses the problem of malware proliferating across the enterprise via east-west movement. Just as the waterproof bulkheads in a submarine prevent adjacent compartments from becoming flooded in the event of a hull breach, Guardicore’s micro-segmentation contains the “blast radius” from a malware attack, dramatically limiting its lateral spread.

The concept sounds simple, but achieving it is immensely challenging. That’s because modern networks are extremely heterogeneous and constantly changing. Virtualization, containerization, and other modern approaches for deploying software mean workloads are constantly migrating across boundaries within the data center and between the data center and the cloud.

Innovative, agent-based approach

To overcome this challenge, Guardicore employs an agent-based approach to segmentation. Agent-installed systems can communicate only with other agent-installed systems in the same segments or groups. Systems lacking agents are restricted to communicating only with other agentless devices and with specifically chosen segments, separating them from high-value targets. This agent-based strategy greatly simplifies management while enabling very fine-grained controls, with a centralized, visual portal for quick and easy configuration of the segmented network.
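To make the segmentation rules above concrete, here is a small model of them together with a “blast radius” calculation. This is an added illustration, not Guardicore’s code or policy format: the host names, segment labels, and allow rules are constructed for the example, and the model treats same-segment traffic between agented hosts as implicitly allowed, agentless-to-agentless traffic as allowed, and every other flow as denied unless an explicit (source segment, destination segment, port) rule permits it. The worm is assumed to spread only over SMB and RDP, so the reachable set shows how far an infection on one laptop can travel on a flat network versus the segmented one.

```python
"""Toy model of agent-based micro-segmentation and ransomware blast radius.

Added example for illustration only; not Guardicore's engine or policy syntax.
"""
from collections import deque

# Constructed inventory (hypothetical names): host -> (segment, has_agent).
# Hosts that cannot run an agent (printers, building systems) carry segment None.
HOSTS = {
    "laptop-7":  ("workstation", True),
    "laptop-8":  ("workstation", True),
    "web-01":    ("web", True),
    "web-02":    ("web", True),
    "app-01":    ("app", True),
    "db-01":     ("db", True),
    "backup-01": ("backup", True),
    "printer-1": (None, False),   # agentless
    "hvac-1":    (None, False),   # agentless
}

AGENTLESS = "agentless"  # pseudo-segment for every host without an agent

# Explicit, directional cross-segment allow rules: (src_segment, dst_segment, port).
# Anything not listed is denied. These rules are assumptions for the example.
RULES = {
    ("workstation", "web", 443),     # users browse the web tier
    ("web", "app", 8080),            # web tier calls the application tier
    ("app", "db", 5432),             # application tier talks to the database
    ("db", "backup", 22),            # database streams backups over SSH
    ("workstation", AGENTLESS, 9100),  # users print; nothing else reaches agentless gear
}

LATERAL_PORTS = (445, 3389)  # SMB and RDP: classic ransomware propagation channels


def segment(host):
    """Segment label used for policy lookup; agentless hosts share one pseudo-segment."""
    seg, has_agent = HOSTS[host]
    return seg if has_agent else AGENTLESS


def allowed(src, dst, port, segmented=True):
    """Return True if policy lets src open a connection to dst on port."""
    if src == dst:
        return False
    if not segmented:
        return True  # flat network with a trusted perimeter: every host reaches every host
    s_agent, d_agent = HOSTS[src][1], HOSTS[dst][1]
    s_seg, d_seg = segment(src), segment(dst)
    if s_agent and d_agent and s_seg == d_seg:
        return True  # agented hosts may talk freely inside their own segment
    if not s_agent and not d_agent:
        return True  # agentless devices are confined to each other...
    return (s_seg, d_seg, port) in RULES  # ...or to explicitly chosen segments


def blast_radius(patient_zero, ports=LATERAL_PORTS, segmented=True):
    """Set of hosts a worm starting at patient_zero can reach by hopping on `ports`."""
    seen = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        current = queue.popleft()
        for other in HOSTS:
            if other in seen:
                continue
            if any(allowed(current, other, p, segmented) for p in ports):
                seen.add(other)
                queue.append(other)
    return seen


if __name__ == "__main__":
    for host in ("laptop-7", "web-01", "printer-1"):
        flat = blast_radius(host, segmented=False)
        seg = blast_radius(host, segmented=True)
        print(f"{host}: flat network reaches {len(flat)} hosts, segmented reaches {sorted(seg)}")
```

Because the rules are directional and port-specific, an infected laptop can still reach the web tier on 443 but cannot push SMB or RDP traffic anywhere outside its own segment, so the worm is confined to the workstation segment; the same model shows that a compromised web server can only reach its peer web server, and that a compromised printer reaches only other agentless devices. Feeding a real inventory and policy into the same reachability check is a quick way to verify that a segmentation design actually limits lateral movement before trusting it.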

Additionally, Guardicore’s agent-based architecture provides visibility down to the individual application level. With deep insight into all application interactions, across data centers and cloud environments, businesses can more fully understand their networks and workloads, from the core of the enterprise to the edge of the cloud.

As a result, breaches can be detected early, so that remediation can begin as quickly as possible. This combination of deep visibility and segmentation is what makes the solution so powerful. And despite this level of sophistication and control, Guardicore makes configuring your segmented infrastructure simple, resulting in a highly secure solution with a low total cost of ownership.

A holistic mitigation strategy

Minimizing the potential attack surface both outside and inside the enterprise is a pragmatic and holistic strategy for mitigating the threat of ransomware. Once the acquisition is finalized, by combining web application firewall, Zero Trust network access, DNS firewall, secure web gateway, multi-factor authentication, and now micro-segmentation, Akamai will be positioned to provide one of the most comprehensive and effective solutions for combating today’s cyber threats. Applying Zero Trust end to end, to both north-south and east-west traffic, provides defense in depth without adding network management burden.

Once Guardicore becomes part of Akamai, it will be great news for every business looking to minimize their risk — and bad news for cyber criminals.

Read the press release on the announcement.