Why Threat Detection Needs Zero Trust Segmentation

This article was originally published on channelfutures.com.

Over the last decade, cybersecurity has become infinitely more complex. Consequently, many organizations have turned to managed security services providers (MSSPs) to help protect them. Up until now, their focus has been almost entirely on threat detection and response, but that decision has had some negative, unintended consequences.

For most organizations - commercial, nonprofit or public sector - cybersecurity isn't a core competency. That's why many have outsourced some or all of it to an MSSP. And that outsourcing doesn't just include security operations; it's often the entire cybersecurity function, including purchasing and strategic planning.

When the client of an MSSP has a high-profile security breach, like a widespread ransomware attack, the ensuing conversations aren't pleasant. The entire reason a company outsources its security function to an MSSP is to avoid those outcomes and their attendant publicity, cost and damage to the brand.

AI: Panacea, or a tool that needs assistance?

Many vendors have convinced organizations that the answer to their prayers is AI-based threat detection. They've been led to believe that if they just spend enough money on AI, they'll catch those ultra-sneaky attackers. They've gone down an AI-based detection rabbit hole, but the results they were expecting haven't materialized. They haven't happened.

While I agree that AI-based threat detection is a major step forward for our industry, it needs some assistance to get the job done. Enter Zero Trust segmentation.

If you pre-segment the network before you go threat hunting, the task of detection - be it AI-assisted or not - becomes much simpler and faster. You reduce the size of the attack surface where you need to look for threats. Pre-emptive segmentation eliminates many of the pathways that would otherwise enable attackers to move laterally across the internal network.

The metaphor I use is rather than looking for one needle in one big, complex haystack, you create lots of micro haystacks. Then your tools can look inside these micro haystacks in parallel, so you're likely to find that needle much sooner.

What a ship can teach us about segmentation

Years ago, in my first active duty assignment as a U.S. Navy midshipman, I boarded the USS McCloy, whose primary mission was to hunt, detect and deter enemy submarines off the U.S. coastline. I had just finished my first year of college as an electrical engineering major and was training to become an officer in the U.S. Navy. I couldn't wait to learn about the Navy's sophisticated enemy submarine detection technology and meet members of the McCloy's elite threat detection team.

So, imagine my surprise on the first day when I was handed some wrenches and screwdrivers, paired with a fellow crew member, and assigned the task of ensuring all 30 or so steel "hatches" (aka doors) on the McCloy were ship-shape. And if they weren't, to make any repairs. So much for helping my shipmates hunt down malicious adversaries!

As I went about my mission, I thought about the phrase "batten down the hatches." It originated in the 19^th century when, at the onset of a major storm or other risk of water breach, ship captains would order their crew to close all doors on the ship and barricade those doors with wooden rods or "battens." Today, this phrase is a metaphor for the wisdom of taking immediate and decisive action at the onset of any major risk.

I came to appreciate that all the McCloy's elite tech and threat-hunting experts would be at risk of failing their mission if the McCloy's hatches weren't there to protect them. Thanks to the McCloy's built-in segmentation architecture and well-functioning hatches, a hull breach would not escalate into lateral spread of water from hallway-to-hallway, and from room-to-room, sinking the ship.

The Cyber Equivalent of Battening Down the Hatches

In the 1990 movie "The Hunt for Red October," the Red October was a Russian submarine with the most advanced detection avoidance technology. In today's cyber equivalent, we're not hunting for elusive submarines, but for increasingly stealthy and sophisticated cyber-adversaries in electronic networks.

Cyber threat hunters must segment their networks with electronic "hatches" to prevent the lateral movement of intrusions. If you have a breach in your network, you don't want malware or ransomware to spread, which is why you must divide the network into individual compartments that function as barriers.

Segmentation is a security tool, in addition to managed detection and response (MDR), that MSSPs can offer as a service, Zero Trust Segmentation as a service.

In my next blog, I'll further explain why segmentation (and, more specifically, host-based segmentation) is a perfect complement to robust managed detection and response. It's not only good for MSSP clients, but good for the MSSP as well.