InfoSec Insider

You Can’t Eliminate Cyberattacks, So Focus on Reducing the Blast Radius

Tony Lauro, director of security technology and strategy at Akamai, discusses reducing your company’s attack surface and the “blast radius” of a potential attack.

Lately, I’ve started wondering if the biggest risk concerning cyberattacks is that we’re becoming desensitized to them. After all, businesses experience a ransomware attack every 11 seconds—the majority of which the public never hears about. Faced with this reality, it may seem like your efforts to safeguard the enterprise are futile. But that’s all the more reason to strengthen your resolve—and switch up your cyber defense strategy. The core of this strategy is the concept of “reducing the blast radius” of an attack. Since you can’t completely eliminate cyberattacks, you need to take steps to contain the impact.

Let’s review some elements of this strategy, starting with some basic blocking and tackling that you should already be doing (and if you’re not, consider this your wake-up call!).

Zero Trust Remote Access

With the advent of ubiquitous remote access, every laptop, phone and tablet has become a potential threat vector for malware seeking to access the corporate network. A virtual private network (VPN) can’t address this if a “trusted” device seeking access is infected. You need a Zero Trust approach to remote access.

Zero Trust ensures that all access to your corporate systems is tightly controlled according to a “least privilege” principle, replacing implicit trust with verification. In the most robust Zero Trust implementations, access requests are sent to a reverse proxy that applies policy-based security controls before sending a virtualized version of the connection to the remote device. This effectively eliminates any physical connection to the corporate network—isolating it from a potential malware “blast.”

Inspecting Traffic

Data breaches are often discovered when third-party companies examine corporate network activity and find large amounts of data being transferred from a compromised device to a foreign server, undetected by the victimized organization. Panic ensues.

Minimizing this risk requires that you keep a close, continuous eye on passive signals, either leaving the corporate network or originating from the home network of a remote user. This involves intercepting and inspecting these signals—through a recursive DNS inspection or via a secure web gateway—to detect potential indicators of compromise and contain them in time to avert disaster.

It’s Not Enough

You need to be doing those things—but it’s not enough. Bad cyber actors are continually probing for weaknesses and cracks in the armor. Effective risk mitigation assumes that, sooner or later, a breach will occur. So how can you reduce the blast radius once malware is inside?

The answer is network segmentation. This divides devices and workloads into logical segments with policies providing access controls between them. Just as the watertight bulkheads in a ship prevent a breach in the hull from sinking the vessel, segmentation prevents the lateral movement of malware across your network, preventing it from accessing critical assets.

Segmentation is a well-established security concept. But, as with any technology solution, it all depends on how it’s implemented. Taking a hardware-based approach to segmentation has drawbacks. Today’s IT environments are constantly changing and evolving. But legacy hardware-based segmentation tools like firewall appliances and VLANs don’t change readily. Policies governing what devices can communicate with each other can become stale, restricting access in ways that hamper business agility. When this happens, human nature can take over, seeking ways to work around the controls—defeating the whole purpose of segmentation.

In addition, hardware-based tools are not easily scalable, making it difficult to keep pace with growth. This can create vulnerabilities that are easy to overlook. What’s needed is a more intelligent and dynamic approach to segmentation.

Software-based Micro-Segmentation

Micro-segmentation based on a software-defined model overcomes these shortcomings. Instead of using infrastructure for segmentation, software creates a segmentation overlay that works across data center and cloud environments to manage all segmentation policies. This offers greater flexibility, precision and scaling, while maintaining effective segmentation even as the hardware environment evolves.

Software-based micro-segmentation also provides a higher degree of visibility, enabling you to easily see what systems or devices are talking to each other. This goes beyond a static policy audit, which only shows permissions, rather than actual observed activity. By providing a clear view of activity across all on-premises and cloud environments, software-based micro-segmentation enables continuous monitoring. That view can be presented visually, making management extremely intuitive.

This makes it easy to map relationships, dependencies and traffic flows between entities. Then you can easily implement policies by selecting from a policy library. Policies can be very granular and context-based—down to the level of individual processes and users, if needed.

Agility and Consistency

Software-based micro-segmentation offers advantages that make it preferable for the real world, where the environment is dynamic and constantly evolving. Policies are defined at the network stack level of the device that is communicating. This creates assurance that the policy will be enforced even as things change in the infrastructure.

Being able to easily discover and visualize relationships between devices, with both real-time and historical views, also provides valuable insight to help inform decisions on how the network should be segmented to provide effective protection of critical assets.

A software-based approach also helps ensure a consistent security posture across the entire infrastructure, including on-premise, cloud and hybrid resources, according to corporate standards. With a “single pane of glass” for your entire segmented environment, you have the information needed to quickly assess and update policies as things change.

Reducing Your Attack Surface

Managing the onslaught of ransomware and other cyberattacks requires a multi-dimensional approach—one that assumes a breach will eventually occur despite your efforts to prevent it. In concert with other Zero Trust strategies, software-based micro-segmentation offers a solution for reducing your attack surface, together with the flexibility and precision to keep pace with continuous change. The result is a more resilient infrastructure with less management complexity.

Breaches are a fact of life in the digital enterprise. But by reducing the blast radius of an attack by containing the bad actors, you can save the day.

Tony Lauro is director of security technology and strategy at Akamai.

Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.

Suggested articles