Alex - stock.adobe.com

Use microsegmentation to mitigate lateral attacks

Attackers will get into a company's system sooner or later. Limit their potential damage by isolating zones with microsegmentation to prevent lateral movement.

Many IT infrastructure professionals view microsegmentation solely as a method to restrict access among servers, applications and workloads in the data center. Microsegmentation has evolved far beyond this initial capacity, however, now offering companies another way to embrace zero trust.

Why enterprises adopt microsegmentation

A serious challenge enterprises face today is guarding against an attacker's ability to move laterally within a data center once past the secure perimeter.

The news is filled with stories about attackers breaching company networks. Once inside, attackers can access anything with little, if any, hindrance. As a result, many companies are implementing zero trust and, more specifically, microsegmentation. This method makes it difficult for attackers to freely move laterally within a system.

How has microsegmentation evolved over the years?

Early on, microsegmentation was limited in what it could provide from a cybersecurity and infrastructure scalability perspective.

One early method to prevent attackers from moving laterally in a data center involved physical or logical segments through Layer 4 firewalls, said Vivek Bhandari, senior director of product marketing at VMware. Segmenting initially limited a company's ability to scale up traffic as it all went through central firewalls. The granular nature of segmentation also meant that policy management became more difficult.

To solve early microsegmentation problems, vendors developed software-defined products and platforms that worked at the network level. Software-defined networking platforms, for example, made it possible for firewalls to be at the hypervisor level. With firewalls at this level, admins could deploy microsegmentation for all VMs. Newer microsegmentation products accommodate Layer 7 firewalls, which can protect at the application and user ID levels.

Granular access control using virtualized, distributed firewalls was a significant advancement in the war against unauthorized lateral movement. However, enterprises soon wanted a way to distribute their intrustion detection and prevention systems (IDSes/IPSes) directly onto the hypervisor. Additionally, full-system emulation sandboxing was needed to detect unknown, zero-day threats that could not be identified using signature-based detection technologies. This led IDS/IPS and network sandboxing services to again be decoupled from centralized network security appliances and placed into the hypervisor.

To consider microsegmentation successful, admins shouldn't stop at segmenting traffic. According to Bhandari, every data center flow should be monitored to determine whether an anomalous action is benign or malicious. This has led to additional features being added to microsegmentation, such as sandboxing data center workloads. Microsegmentation also enables policies to be tied to workloads, thus reducing complexity around management, such as moving workloads between servers and data centers.

While the inclusion of Layer 7 firewalling, IPS/IDS inspection and sandboxing is great, the evolutionary story of microsegmentation does not end here. Because of the growing risk of advanced persistent threats and the ability for hackers to bypass multiple cybersecurity protections, microsegmentation has introduced behavior-based analysis.

Newer microsegmentation products and platforms often provide network traffic analysis and network detection and response (NDR), enabling admins to collect and connect data from anywhere. NDR can also recognize malicious activity before it can move laterally within a system, thanks to AI and machine learning.

Simplifying the path to modern microsegmentation

For microsegmentation to truly be successful within the enterprise, it must be easy to deploy and manage. One option is to visualize and categorize traffic flows effectively. Organizations should look for platforms with automated traffic visibility and discovery and mapping functions.

Software-defined technology continues to become more complex. IT needs to be able to identify, analyze and map existing application traffic flows. Once analyzed, it's time to implement microsegmentation policies.

Companies interested in modern microsegmentation often experience discouragement due to effort required to build per-workflow policies. But there are tools out there that can streamline and automate the integration process.

This was last published in March 2022

Dig Deeper on Network security

SearchNetworking
SearchCIO
SearchEnterpriseDesktop
SearchCloudComputing
ComputerWeekly.com
Close