Cyber Resilience, CISAs Strategic Plan, and Zero Trust Segmentation Proof

Cyberattacks are growing more frequent and sophisticated everyday why arent cybersecurity strategies keeping up?

This months news coverage focused on solutions to this ever-growing problem: the 2023-2025 CISA Strategic Plan, Zero Trust security strategies, and the efficacy of Zero Trust Segmentation.

Risk reduction and resilience: Cybersecuritys new north star

With the 2023-2025 CISA Strategic Plan released this month, Illumios Andrew Rubin, CEO and co-founder, addressed the importance of the document in the context of todays threat landscape in his Fortune article, The U.S. is overdue for a dramatic shift in its cybersecurity strategybut change is finally coming.

According to Rubin, Were still hemorrhaging losses to ransomware. Its clear that the way were approaching cyber is wrongand its on all of us.

He outlines some key ransomware statistics that showcase the implications of the way we currently approach security:

• 649 U.S. critical infrastructure entities were hit with ransomware attacks, according to the FBI.
• Almost 90 percent of all U.S. critical infrastructure sectors were hit by a successful ransomware attack in 2021, according to the FBIs Internet Crime Complaint Center (IC3).
• More than 76 percent of organizations have been attacked by ransomware, and 66 percent have experienced at least one software supply chain attack in the past two years alone.
• The world will spend nearly $170 billion on cybersecurity in 2022, with nearly $20 billion of that will be spent by the U.S. Federal Government.

Despite the ongoing wake-up calls to cybersecurity leadership in the form of incessant ransomware attacks, Rubin believes were moving much too slowly in a threat landscape that changes faster each day.

The 2023-2025 CISA Strategic Plan is so important because it acknowledges what were getting wrong with security but also outlines a new path forward: one predicated on resilience, he explained.

This is an evident and deliberate shift away from the traditional security approaches of keeping attacks out (prevention) and detecting them quickly when they break through the perimeter, he said. The traditional security models that weve relied on for decades arent designed to solve the problems posed by a hyperconnected, digital-first landscape.

It's inevitable that todays ransomware and other malware attacks will breach the perimeter and evade detection. Organizations must be ready to meet agile attackers with equally dynamic security strategies. This is what Rubin defines as the era of breach containment and resilience.

Organizations are focusing on isolating and minimizing breaches to reduce the impact and recover much more quickly. We are focusing on enhancing visibility across networks, workloads, endpoints, and critical infrastructure since you cant defend what you cannot see. Risk reduction and resilience are finally serving as the north star for cybersecurity, he said.

Rubin sees CISAs new plan as evidence that the security industry, as well as public and private sector security leadership, are pivoting to meet new realities posed by ever-evolving ransomware and other cyberattacks. He reiterated this view in his comment for the Bloomberg Law article, Nation-Backed Cyberattacks Escalate Push to Bolster Data Shields.

We all talk about public-private partnership as the whole key to cybersecurity, Rubin told Bloomberg Law. The government has to work with private industry, private industry has to work with the government, and I think were probably in a better place on that than weve ever been. CISA is doing a great job of embedding itself in that conversation, especially recently.

CISAs Strategic Plan shows federal shift to resilience-based cybersecurity

Gary Barlet, Illumios federal field CTO, also discussed the 2023-2025 CISA Strategic Plan with Grace Dille in MeriTalks article, CISA Sets Strategic Plan for 2023-2025, Eyes Unity of Efforts.

The plan is CISAs first, comprehensive strategic plan of its kind since the agency was established in 2018. Dille outlined the plan's four main goals:

1. Ensure defense and resilience of cyberspace.
2. Reduce cyber risk and strengthen the resilience of U.S. critical infrastructure.
3. Strengthen whole-of-nation operational collaboration and information sharing between government and the private sector.
4. Unify the agency internally by breaking down organizational silos, growing the value of the agencys services, and increasing stakeholder satisfaction.

Illumios Barlet applauded CISAs goal to unify the agency. But he also emphasized that the goals will be difficult to achieve without continuous funding and sufficient resources.

CISAs goal of agency unification will strengthen information and resource sharing, but without a clear outline of funding priorities, cyberattackers will always be steps ahead while the government runs with weights on its ankles, Barlet said.

Despite these challenges, Barlet remains positive about the direction of federal cybersecurity as reflected in CISAs new plan.

CISA is still a new agency and issuing this strategic plan signposts its commitment to driving change in a huge way, he said. Im excited to see the federal government begin to shift to a resilience-based cybersecurity strategy.

Zero Trust Segmentation is foundational for true Zero Trust

CISAs goals for cyber resilience are achieved with a Zero Trust security approach. And foundational to Zero Trust is implementing microsegmentation, also called Zero Trust Segmentation.

In fact, security analyst firm ESG found that 81 percent of surveyed security leaders consider Zero Trust Segmentation key to any successful Zero Trust initiative, including cyber resilience.

In the VentureBeat article, Why Getting Microsegmentation Right is Key to Zero Trust, Louis Columbus explained how Zero Trust Segmentation works as part of a Zero Trust strategy. He also featured Zero Trust Segmentation insights from a recent webinar with PJ Kirner, Illumios CTO and co-founder, and Forrester senior analyst David Holmes, in his piece.

According to Columbus, Zero Trust has become a significant priority for security and business leaders who need a better security strategy than constant firefights with ransomware and other cyberattacks. Columbus says that an assume breach mindset is driving Zero Trust planning, including the implementation of security controls like Zero Trust Segmentation.

Traditional network segmentation techniques are failing to keep up with the dynamic nature of cloud and data center workloads, leaving tech stacks vulnerable to cyberattacks, explains Columbus. More adaptive approaches to application segmentation are needed to shut down lateral movement across a network.

But implementing Zero Trust Segmentation can be a challenge. In their recent webinar, The Time for Microsegmentation is Now, Kirner and Holmes offered three key pieces of advice to organizations starting their Zero Trust journey.

1. Start small, create basic policies first, and resist over-segmenting a network.

As Holmes explained, You may want to enforce controls around, say, a non-critical service first, so you can get a feel for whats the workflow like. If you did get some part of the policy wrong, you can learn how to handle that before you push it out across the whole org.

2. Target the most critical assets and segments as they plan to implement Zero Trust Segmentation.

Kirner said Illumio has learned that matching the microsegmentation style that covers both the location of workloads and the type of environment is an essential step during planning.

3. Dont base segmentation policies on IP addresses.

This is due to the way microservices container architectures are increasing the amount of east-west traffic in data centers.

Instead, Holmes and Kirner advised that organizations goal should be defining and implementing a more adaptive Zero Trust Segmentation approach that can continuously flex to an organizations needs.

To achieve cyber resilience, security leaders point to Zero Trust and implementing Zero Trust Segmentation.

Getting microsegmentation right is the cornerstone of a successful Zero Trust framework, said Columbus. Having an adaptive microsegmentation architecture that can flex and change as a business grows and adds new business units or divisions can keep a company more competitive while reducing the risk of a breach.

Get more Zero Trust insight from Kirner and Holmes in this webinar Q&A.

Bishop Fox: Zero Trust Segmentation stops attackers in less than 10 minutes

A recent ransomware attack emulation performed by Bishop Fox found that Zero Trust Segmentation is a proven strategy for fighting ransomware, especially when combined with endpoint detection and response (EDR) services.

Nancy Liu detailed the emulations findings article in her article for SDxCentral, Ransomware Attack Emulation Unveils Effectiveness of Zero-Trust Segmentation.

According to Liu, Bishop Foxs emulation mapped to the MITRE ATT&CK framework and was based on real threat actors tactics, techniques, and procedures (TTPs).

Liu reports Bishop Foxs key findings, also summarized in the chart below:

• In the scenario with no security protection, the attacker breached all hosts within 2.5 hours in a network without any protection, and all 26 TTPs available to the hacker were executed.
• In the scenario using only EDR, the attacker breached the network in 38 minutes, and 12 of the 13 TTPs available to them were executed
• But in the scenario with both EDR and Illumio Zero Trust Segmentation, the attacker was stopped in only 10 minutes, and 6 of the 8 TTPs available to the hacker were executed.

Liu spoke to Trevin Edgeworth, red team practice director at Bishop Fox, for insight into Bishop Foxs findings. While the amount of time it takes to stop a hacker is important, Edgeworth also points to the ability to limit the amount of TTPs a bad actor can use.

I would say the measure of the amount of TTPs theyre able to actually get through is a great metric. But the numbers should also not be discounted in that [test]. This was two hours of activities that we were able to reduce to 10 minutes, Edgeworth said.

As Liu explains, Zero Trust is often described as a philosophy, an approach, or a security strategy. But Bishop Foxs emulation shows that specific Zero Trust controls like Zero Trust Segmentation have real-world, metrics-driven evidence.

Learn more about the Illumio Zero Trust Segmentation Platform:

• Download our in-depth guide on how to achieve Zero Trust Segmentation with Illumio.
• See why Forrester has named Illumio a Leader in both Zero Trust and microsegmentation.
• Learn how HK Electric ensures its impeccable supply reliability of 99.999% by deploying Illumio Zero Trust Segmentation.
• Contact us to find out how Illumio can help strengthen your defenses against cybersecurity threats.