
On 7 July, teissTalk host Geoff White was joined by Richard Staynings, Teaching Professor, University of Denver; Andres Andreu, SVP, CISO, 2U; and Larry Cameron, Chief Information Security Officer, Anti-Human Trafficking Intelligence Initiative.
A session at the Cloud and Cyber Security Expo focussed on why organisations get zero trust wrong, given the scale of attacks on businesses that have adopted it. Social engineering, for example, is proving an effective tool for attackers to get around it. Sadly, there is no single button a company can push and say “now we have zero trust.” Zero trust has become something of a buzzword, which, on the upside, also makes it easier to get funding for such initiatives. The biggest problem affecting US healthcare security is the lack of visibility into what is connected to the network and what risks those devices present to it.
Zero trust can be seen as a methodology for getting closer to zero risk, but it isn’t identical to it. Different vendors have different data-sharing policies. MFA, privileged access management and a layered approach to security can go a long way in fending off breaches, but you need to ensure your network stays secure in a dynamically changing environment. Because of the proliferation of connected devices gathering health and other personal data, the threat surface has expanded enormously; adopting a policy of segmentation and containment is therefore key to better security. Businesses and hospitals are already using segmentation, but often in an unsafe fashion: slapping up firewalls or putting medical devices on a VLAN, which in fact offers only routing segmentation, not security. The most robust solution is micro-segmentation, where each device is segmented from every other device. Segmentation has a number of layers: down at the application level it is layer 7; a more achievable depth is layers 1-4, where devices aren’t allowed to talk to each other unless they must communicate to provide a function. Flat networks aren’t viable any more, as once a hacker gets in, they can scan the network, discover services and directories and then apply that knowledge to the rest of the network. Some of the services in use today actually make a network weaker.
You can prevent any method of data exfiltration by blocking all the external ranges that you don’t access, or by using Zscaler to lock egress down to the IP ranges you need; this way hackers won’t have access to the keys for a ransomware attack or to file sharing. But how easy zero trust is to implement depends on the complexity of the ecosystem. When you have millions of users accessing the system through browsers, it’s a different dynamic from segmenting a controlled network. If you don’t do micro-segmentation down to layer 7, the risks there remain the same. Given enough time and opportunities to move laterally, threat actors will figure out how to attack your system. Automation is key to implementing micro-segmentation, especially in a hybrid, multi-cloud environment. ML-based tools that can profile devices, understand their ports, protocols and destination IP addresses, and learn what baseline behaviour looks like for each device are essential to micro-segmentation. These device profiles also need to be connected with existing network access control systems (Cisco ISE, Aruba ClearPass, PAN Cortex, etc.). Another case for automation is that the bad guys are already using AI/ML tools, so we can’t control them unless we do too. Implementations that leverage a neural network to learn patterns and provide a continuous feedback loop to the protective devices are viable solutions and can be fairly effective.
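The two ideas the speakers tie together above, per-device micro-segmentation at layers 3-4 (a device may only talk to peers it has a functional reason to talk to) and egress locked down to the external ranges the organisation actually uses, can be expressed as a small default-deny policy engine. The following is an added illustration, not code from the session or from any of the vendors named; it profiles each device from constructed flow records, derives an allowlist from that baseline, and then classifies new flows, with a deliberately simplistic "VLAN-only" model alongside it to show why a VLAN gives routing separation but no per-flow control. The IP ranges are RFC 5737 documentation addresses standing in for real vendor and attacker ranges, and in practice the verdicts would be pushed into a NAC or firewall rather than returned from a Python function.

```python
"""Flow-based micro-segmentation policy engine (added example, not from the page).

learn_baseline(): profile each source device from observed flows.
evaluate():       default-deny verdict for a new flow against that profile
                  plus an approved-egress allowlist.
vlan_only_verdict(): contrast model showing what a VLAN alone decides.
audit():          run a batch of flows and return the denied ones.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]
# Constructed: the only external range this organisation legitimately reaches
# (e.g. a medical-device vendor's cloud). Everything else is blocked egress.
APPROVED_EGRESS = [ip_network("203.0.113.0/24")]

# Constructed baseline flow records: (src_ip, dst_ip, proto, dst_port)
BASELINE_FLOWS = [
    ("10.1.0.5", "10.1.0.10", "tcp", 443),     # infusion pump -> device gateway
    ("10.1.0.5", "10.1.0.10", "tcp", 443),
    ("10.1.0.10", "203.0.113.7", "tcp", 443),  # gateway -> vendor cloud
    ("10.2.0.20", "10.2.0.2", "udp", 53),      # workstation -> internal DNS
]

# Constructed flows to classify, including a lateral scan and rogue egress.
CANDIDATE_FLOWS = [
    ("10.1.0.5", "10.1.0.10", "tcp", 443),       # expected: ALLOW
    ("10.1.0.99", "10.1.0.10", "tcp", 22),       # unknown host probing SSH
    ("10.1.0.99", "10.1.0.5", "tcp", 445),       # same host probing SMB
    ("10.1.0.10", "203.0.113.7", "tcp", 443),    # expected: ALLOW
    ("10.2.0.20", "198.51.100.9", "tcp", 443),   # egress to unapproved range
]


def is_internal(ip):
    """True when the address lies in one of the organisation's internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def learn_baseline(flows):
    """Per-device profile: the set of (dst, proto, port) tuples it was seen using."""
    baseline = defaultdict(set)
    for src, dst, proto, port in flows:
        baseline[src].add((dst, proto, port))
    return baseline


def evaluate(flow, baseline, approved_egress=APPROVED_EGRESS):
    """Default-deny verdict: (decision, reason) for a single flow."""
    src, dst, proto, port = flow
    if is_internal(dst):
        # East-west traffic: only conversations this device has a profiled
        # functional need for are permitted; everything else is a denied
        # lateral-movement attempt, whether or not it shares a VLAN.
        if (dst, proto, port) in baseline.get(src, set()):
            return "ALLOW", "baselined east-west flow"
        return "DENY", "unprofiled lateral flow"
    # North-south traffic: egress only to ranges the organisation uses.
    if any(ip_address(dst) in net for net in approved_egress):
        return "ALLOW", "egress to approved external range"
    return "DENY", "egress to unapproved external range"


def vlan_only_verdict(flow):
    """What a VLAN decides on its own: same /24 is switched, else routed.
    Neither outcome consults a per-device policy, which is the point."""
    src, dst, _, _ = flow
    same_vlan = ip_network(f"{src}/24", strict=False) == ip_network(f"{dst}/24", strict=False)
    if same_vlan:
        return "ALLOW", "same VLAN: switch forwards without policy"
    return "ROUTED", "crosses VLANs: forwarded unless a firewall rule intervenes"


def audit(flows, baseline):
    """Return [(flow, reason)] for every flow the micro-segmentation policy denies."""
    denied = []
    for flow in flows:
        decision, reason = evaluate(flow, baseline)
        if decision == "DENY":
            denied.append((flow, reason))
    return denied


if __name__ == "__main__":
    profile = learn_baseline(BASELINE_FLOWS)
    for flow in CANDIDATE_FLOWS:
        print(f"{flow!s:48} vlan={vlan_only_verdict(flow)[0]:7} microseg={evaluate(flow, profile)}")
```

Running it shows the SSH and SMB probes from 10.1.0.99 passing the VLAN model (same /24, so the switch simply forwards) while the micro-segmentation policy denies them as unprofiled lateral flows, and the connection to 198.51.100.9 denied purely on the egress allowlist. The baseline here is a plain set; the ML-driven profilers the speakers describe would replace learn_baseline() with something that also tolerates drift and feeds back into the NAC, but the default-deny shape of evaluate() is the same.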
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543