Leveraging Micro-Segmentation Data to Accelerate Breach Detection

Micro-segmentation provides the ability to isolate communication flows within applications and workloads and allows for more granular workload security than traditional tools. Beyond using micro-segmentation to allow or block connections and alert on those activities, the ability to compare, within a single platform, policy violations to historical observations can dramatically accelerate threat detection, investigation, and response.

Visibility is the foundation for building strong micro-segmentation policies. Gaining a full understanding of the communications occurring inside an application or a workload, and of the communications it must expose outside the walls of its service, is the fundamental first step. Micro-segmentation policies in turn provide excellent insight into data flows precisely because they segment the network granularly: the more boundaries there are, the more traffic has to cross them to accomplish anything, and the more of that traffic can be monitored and acted upon.

The value of observing data flows is two-fold. Real-time monitoring catches issues as they occur. Retaining information about data flows allows historical flows to be compared with what is currently observed, which is essential for detecting anomalies. The ability to spot applications that are behaving inappropriately allows security teams to identify both misconfigurations and potential attacks.

Take for example an application with three tiers—a load balancer, some web servers, and a database server. Malicious actors working from a compromised system often produce communication flows that look legitimate in order to attack other systems in the same, or an adjacent, tier. Micro-segmentation enables security teams to secure the flows between the different tiers of the service so that a compromise in one tier cannot spread to the others. But while a micro-segmentation policy prevents an attack from spreading, a compromised workload is still a beachhead inside the network from which malicious actors can attempt to compromise other services, so containment alone is not the end of the story.

With a platform that integrates micro-segmentation with threat detection, analysis and response capabilities, security teams can quickly investigate policy violations by comparing them against historical observations to answer critical questions such as: Did the workload attempt to use a new process or protocol? Have the patterns of communication between workloads in the service suddenly changed? Did the workload receive connection attempts from, or try to connect to, hosts on the internet it had never communicated with previously? Any deviation from the baseline can be an indication of compromise, though not every deviation is malicious: a deployment that introduces a new process or dependency produces the same signal, which is exactly why the historical context is needed to tell the two apart.
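To make the comparison described in the two preceding passages concrete, here is an added example (not code from the original article or from any product it alludes to) that triages micro-segmentation policy violations against a historical flow baseline. The workload labels, the tier allow-list, the flow records and the verdict heuristics are all constructed assumptions for illustration: a violation whose exact flow already appears in the historical baseline is flagged as a likely policy gap (misconfiguration), a violation that also shows a new process, new protocol/port or never-seen peer is queued for investigation, and a permitted flow that is nonetheless novel is reported as an anomaly.

```python
"""Triage micro-segmentation policy violations against a historical flow baseline.

Added example, not code from the original article. The workloads, the policy,
the flow records and the verdict rules below are constructed assumptions.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str       # source workload label, or an IP for hosts outside the service
    dst: str       # destination workload label, or an IP for external hosts
    proto: str     # "tcp" / "udp"
    dport: int     # destination port
    process: str   # process that opened the connection on the source


# Workload-to-tier mapping for the three-tier example service (constructed).
TIERS = {"lb-01": "lb", "web-01": "web", "web-02": "web", "db-01": "db"}

# Allow-list policy: (src_tier, dst_tier, proto, dport). Anything else is a violation.
POLICY = {
    ("lb", "web", "tcp", 8080),
    ("web", "db", "tcp", 5432),
}


def tier_of(host: str) -> str:
    """Hosts not in the service map are treated as external."""
    return TIERS.get(host, "external")


def violates_policy(flow: Flow) -> bool:
    return (tier_of(flow.src), tier_of(flow.dst), flow.proto, flow.dport) not in POLICY


class Baseline:
    """Indexes historical observations so each novelty check is a set lookup."""

    def __init__(self, history: list[Flow]):
        self.flows = set(history)
        self.processes = defaultdict(set)   # src -> processes seen initiating flows
        self.services = defaultdict(set)    # src -> (proto, dport) pairs seen
        self.peers = defaultdict(set)       # src -> destinations seen
        for f in history:
            self.processes[f.src].add(f.process)
            self.services[f.src].add((f.proto, f.dport))
            self.peers[f.src].add(f.dst)

    def novelty(self, f: Flow) -> list[str]:
        """Answer the article's questions: new process? new protocol/port? new peer?"""
        reasons = []
        if f.process not in self.processes[f.src]:
            reasons.append(f"new process {f.process!r} on {f.src}")
        if (f.proto, f.dport) not in self.services[f.src]:
            reasons.append(f"new protocol/port {f.proto}/{f.dport} from {f.src}")
        if f.dst not in self.peers[f.src]:
            where = "external host" if tier_of(f.dst) == "external" else "workload"
            reasons.append(f"never-seen {where} {f.dst} contacted by {f.src}")
        return reasons


def triage(baseline: Baseline, observed: list[Flow]) -> list[dict]:
    """Combine the policy decision with historical context to produce a verdict."""
    findings = []
    for f in observed:
        violation = violates_policy(f)
        reasons = baseline.novelty(f)
        if violation and f in baseline.flows:
            verdict = "likely misconfiguration"   # blocked today, but historically routine
        elif violation:
            verdict = "investigate"               # blocked and never seen before
        elif reasons:
            verdict = "anomaly"                   # permitted by policy, but new behaviour
        else:
            verdict = "baseline"                  # permitted and matches history
        findings.append({"flow": f, "violation": violation,
                         "reasons": reasons, "verdict": verdict})
    return findings


# Constructed historical flows: the service's normal east-west traffic plus a
# log-shipping flow to a syslog host that the allow-list policy forgot to cover.
HISTORY = [
    Flow("lb-01", "web-01", "tcp", 8080, "haproxy"),
    Flow("lb-01", "web-02", "tcp", 8080, "haproxy"),
    Flow("web-01", "db-01", "tcp", 5432, "gunicorn"),
    Flow("web-02", "db-01", "tcp", 5432, "gunicorn"),
    Flow("web-01", "10.0.9.5", "tcp", 514, "rsyslogd"),
]

# Constructed flows from a monitoring window.
OBSERVED = [
    Flow("lb-01", "web-01", "tcp", 8080, "haproxy"),       # routine
    Flow("web-01", "10.0.9.5", "tcp", 514, "rsyslogd"),    # blocked, but historically normal
    Flow("web-01", "db-01", "tcp", 22, "bash"),            # shell reaching for the db tier
    Flow("web-02", "203.0.113.9", "tcp", 443, "curl"),     # new outbound internet peer
    Flow("lb-01", "web-01", "tcp", 8080, "nc"),            # allowed port, unexpected process
]


def run_example() -> list[dict]:
    return triage(Baseline(HISTORY), OBSERVED)


if __name__ == "__main__":
    for finding in run_example():
        print(f"{finding['verdict']:>24}  {finding['flow']}")
        for reason in finding["reasons"]:
            print(f"{'':>26}- {reason}")
```

The verdict rule is deliberately simple: a violation that exactly matches a historically established flow is far more likely to be a policy that was written too tightly than an attacker who happens to reproduce an old flow byte for byte, so it goes to the policy owner rather than the incident queue. Volume-based checks (a sudden change in how often two workloads talk) need per-window counts in the baseline and are left out here.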

Policy-based threat detection tools can help security teams more quickly detect, confirm and contain threats to prevent damage and minimize losses. These granular security controls do double duty, preventing an intruder from gaining malicious access to an application or process, while simultaneously alerting administrators to the intruder’s presence. The faster compromised workloads can be detected, investigated, and remediated, the less the damage they are able to cause.

The ability to spot micro-segmented applications that are behaving inappropriately, and to distinguish a misconfigured flow from an attack, lets security teams separate configuration errors from actual attacks and start the investigation quickly. Both would be harder and more time consuming without an integrated micro-segmentation and threat detection solution.
