We all know the secret to stopping malware exploitation of vulnerabilities is consistent and rigorous patching regimens. So why do we still have issues with these things happening? Given the rise of bug bounty programs and disclosure windows, most major software vendors have a lot of lead time to get patches out ahead of disclosure timelines. Yet we still see a lot of IT administrators lagging behind when it comes to applying patches. Why?
IT admins have been bitten by patch issues more times than they care to count. It may be super important to install this patch that fixes something like Heartbleed but there is no way to tell if that patch will have an impact on another workload somewhere. Even with cloud software being constantly updated and validated you may end up creating issues with application integrations that could affect the way your knowledge workers do business. With so much riding on digital transformation today, you have to be sure that you can keep doing business without picking the lesser of the two evils of blindly applying patches or leaving vulnerabilities open to be exploited.
Taking the Third Option
During Security Field Day 2 this past June, I got a chance to see a great presentation from Illumio. One of the videos stuck out to me specifically:
While short, I think this video introduces some great ideas that we need to consider when it comes to using security tools in new ways to combat other issues. Specifically, it got me thinking about how we need to deploy defense in depth to provide extra layers of protection when administrative policies block us from being protected.
Your organization may have a policy in place that all patches need to be tested before being deployed. That’s a great policy to have. It means you’re concerned about what might happen when you break something while attempting to fix something else. But you also have to be cautious about what happens when someone uses the window of exposure between disclosure of the vulnerability and the time when you can be sure your patches are deployed.
And that testing time doesn’t even take into consideration what happens when you have hundreds or thousands of devices that need to be patched. Given a short maintenance window for each device, you could still be committing thousands of work-hours to get everything upgraded and secured, likely just in time for the next big patch to be tested and approved.
How does Illumio help this? By offering the ability to segment traffic at a host-to-host level you can ensure that you can block people from exploiting bad communications before they happen. We’ve been able to do this for many years at the perimeter of the network with traditional firewalls, but today’s data center isn’t as well-defined as in the past. We may have large portions of our users connecting from remote locations on mobile devices. We can’t guarantee they’re going to be behind the protection of a VPN or a branch office. And even if everything goes perfectly we still run the risk of someone compromising our perimeter and moving laterally through the soft underbelly of the network.
With Illumio, microsegmentation means that you can secure traffic between hosts or incoming to a specific host with certainty. If you don’t want anyone connecting to a server via TLS you can ensure that won’t happen at all with an Illumio policy. Sounds easy, right? Now, go back to our scaling argument. What if you need to prevent TLS connections to a hundred servers? Or ten thousand? Illumio gives you the ability to define groups of devices and apply policy to them immediately. If you need to lock down communications for a port based on a released vulnerability you can do that as fast as you can create a new policy.
More than that, you can use Illumio to close the window of exposure that the patch process leaves open. You can create a policy that blocks communications to vulnerable devices and keep it in place while you roll out patches to those systems. As each system is patched and no longer exploitable, you remove the policy from that host and let it resume normal operations. Not only does this stop malicious software from spreading, it also keeps an attacker from using the exposure to weaken remote parts of the environment in ways that could be used to gain a foothold later on, after everything has been cleaned up.
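As an added illustration (not Illumio’s policy model or code, and not from the original post), here is a small Python model of the label-driven, default-deny segmentation described above: one group-scoped deny guards the vulnerable port on every host carrying a label, and it stops applying to each host as soon as that host is patched, with no per-host policy edits. Host labels, ports and the fix identifier are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Host:
    labels: dict                              # e.g. {"role": "web"}; policy is keyed on labels
    patched: set = field(default_factory=set) # fixes confirmed installed on this host
@dataclass
class Rule:
    action: str                               # "allow" or "deny"
    src: dict                                 # label selector for the source; {} matches any host
    dst: dict                                 # label selector for the destination
    port: Optional[int] = None                # None matches any port
    until_patched: Optional[str] = None       # rule applies only while dst lacks this fix

def matches(selector, host):
    return all(host.labels.get(k) == v for k, v in selector.items())

def rule_applies(rule, src, dst, port):
    if not (matches(rule.src, src) and matches(rule.dst, dst)):
        return False
    if rule.port is not None and rule.port != port:
        return False
    # A temporary guard stops applying to a host the moment it carries the fix
    return rule.until_patched is None or rule.until_patched not in dst.patched

def is_allowed(rules, src, dst, port):
    """Default deny: a flow needs an explicit allow and no matching deny."""
    hits = [r for r in rules if rule_applies(r, src, dst, port)]
    if any(r.action == "deny" for r in hits):
        return False
    return any(r.action == "allow" for r in hits)

def simulate_patch_rollout():
    """Constructed scenario: guard port 443 on every web host until each one is patched."""
    lb, db = Host({"role": "lb"}), Host({"role": "db"})
    web1, web2 = Host({"role": "web"}), Host({"role": "web"})
    fix = "FIX-PLACEHOLDER-001"               # placeholder for the advisory being rolled out
    rules = [
        Rule("allow", {"role": "lb"}, {"role": "web"}, 443),
        Rule("allow", {"role": "web"}, {"role": "db"}, 5432),
        Rule("deny", {}, {"role": "web"}, 443, until_patched=fix),  # one rule covers the group
    ]
    before = is_allowed(rules, lb, web1, 443)    # guarded while unpatched
    web1.patched.add(fix)                         # web1 completes its maintenance window
    return {"web1_before_patch": before,
            "web1_after_patch": is_allowed(rules, lb, web1, 443),
            "web2_still_guarded": is_allowed(rules, lb, web2, 443),
            "web_to_db_unaffected": is_allowed(rules, web1, db, 5432),
            "lb_to_db_default_deny": is_allowed(rules, lb, db, 5432)}
```

Because the deny is scoped to a label selector rather than a host list, the same rule covers a hundred or ten thousand web hosts, and each one drops out of the guard as its own patch is confirmed.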
Trust But Verify
This whole idea is the heart of zero trust networking. I don’t trust anyone unless you prove you have the right to communicate with my systems. Policies can be put in place to ensure that critical systems can communicate with each other based on my knowledge that those systems are secured. But I can also challenge systems and users to authenticate and prove they are worthy.
This becomes a key point for your users when you’re trying to ensure they aren’t contributing to the issue. If you force authentication and posture assessment for your remote users with Illumio, you can make sure that when they get into the network they’re not dragging something else in that can cause issues or allow someone to do reconnaissance on your network. You can rest at night knowing the only things talking in your network are things you know need to be talking.
Bringing It All Together
The delicate balance between patching and usability is hard to strike. One day you’ll get lucky with preventing a massive outbreak and the next your patch will crater an entire application system. Rather than trying to guess what you should be doing between the two extremes, you should instead look at other options. Illumio gives you the ability to secure your workloads and your users while you evaluate the best way to patch your systems. That extra lead time will let you catch issues before they blow up in your face. The peace of mind you get from microsegmentation is the best sleep you’ll ever have.