John Kindervag explains the value of security graphs for developing a containment strategy that stops both ransomware and shadow IT.
Intuitively, the concept of containment makes sense for cybersecurity. With breaches becoming increasingly frequent, the goal is to limit the damage by preventing intruders from moving laterally across an environment.
“A goal of Zero Trust and security graphs is to help companies address security issues, including ransomware and shadow IT,” explains John Kindervag, chief evangelist at Illumio and the creator of Zero Trust.
Security graphs are an important piece of Illumio’s technology. Could you explain how they work and their role?
A security graph is a graph database that stores security information such as IP addresses, source, destination, port, and protocol. Out of that, it builds maps. For a long time, what’s going on in our environments has been invisible, because we didn’t have the data and we didn’t know how to display it effectively.
What security graphs do is allow you to create better policies based on the visualization of how everything is connected. Before Illumio, it would take weeks to do this stuff, because you’d have to interview people and ask, “How does this system work?” Or “Well, Joe says the database talks to this thing and that thing.” But you didn’t have actual data to back it up. You were always guessing.
There was also a lot of unnecessary access, because traditionally it’s been incredibly difficult to clean up rules. You had to do it manually by calling a lot of people. “Does Philip still work here?” Now we’re automating this process more and more.
So security graphs help create better policies, which are fundamental to Zero Trust and containment. Meaning that only connections that a policy allows are permitted. How does that address ransomware?
All successful cyberattacks are insider attacks. Even if you started from the outside, you become an insider, because you’re allowed to move around with impunity. In the old twentieth-century model, the assumption was that once you came into the trusted network, you became a trusted user. There’s an inheritance of trust called transitive trust.
Let’s say I’m watching TV with my wife, and I say, “Hey, honey, do you know the guy getting beer out of the fridge?” And she says, “I don’t.” And I say, “Well, since he’s able to get beer out of the fridge, he must belong here. So, I’m going to go make up the guest room.”
In Zero Trust, there is no transitive trust. In a Zero Trust network, an intruder can’t go anywhere. They’re stuck unless you have a rule that allows them to do something. And that rule generally shouldn’t exist. If it does, then there’s a bad rule set.
The way ransomware works, there are six, eight, or 10 connections that have to happen for it to be successful. Ransomware has to set up a command-and-control (C2) function outbound to the public internet. Well, there should be no rule that allows an unknown piece of software on any server to access an unknown resource on the public internet. It’d be like the criminal gang is going in and out of your house while you’re sitting there watching TV. In a properly configured Zero Trust environment, using our technology, that is impossible.
And how does Illumio’s technology address the issue of shadow IT?
We have visibility into pretty much everything. If there’s shadow IT on-premises, even if it doesn’t have our agent on it, we’ll still see the connectivity, because it’s going to talk to something that has our technology on it. The shadow IT isn’t invisible. Packets aren’t allowed to wear Harry Potter cloaks. They can’t hide.
Contain the breach with Illumio.
