Why Threat Detection Needs Zero Trust Segmentation
This article was originally published on channelfutures.com.
Over the last decade, cybersecurity has become infinitely more complex. Consequently, many organizations have turned to managed security services providers (MSSPs) to help protect them. Up until now, their focus has been almost entirely on threat detection and response, but that decision has had some negative, unintended consequences.
For most organizations, whether commercial, nonprofit or public sector, cybersecurity isn't a core competency. That's why many have outsourced some or all of it to an MSSP. And that outsourcing doesn't just include security operations; it's often the entire cybersecurity function, including purchasing and strategic planning.
When the client of an MSSP suffers a high-profile security breach, like a widespread ransomware attack, the ensuing conversations aren't pleasant. The entire reason a company outsources its security function to an MSSP is to avoid those outcomes and their attendant publicity, cost and damage to the brand.
AI: Panacea, or a Tool that Needs Assistance?
Many vendors have convinced organizations that the answer to their prayers is AI-based threat detection. They've been led to believe that if they just spend enough money on AI, they'll catch those ultra-sneaky attackers. They've gone down an AI-based detection rabbit hole, but the results they were expecting haven't materialized.
While I agree that AI-based threat detection is a major step forward for our industry, it needs some assistance to get the job done. Enter Zero Trust segmentation.
If you pre-segment the network before you go threat hunting, the task of detection, be it AI-assisted or not, becomes much simpler and faster. You reduce the size of the attack surface where you need to look for threats. Pre-emptive segmentation eliminates many of the pathways that would otherwise enable attackers to move laterally across the internal network.
The metaphor I use is that rather than looking for one needle in one big, complex haystack, you create lots of micro haystacks. Then your tools can look inside these micro haystacks in parallel, so you're likely to find that needle much sooner.
What a Ship Can Teach Us About Segmentation
Years ago, in my first active duty assignment as a U.S. Navy midshipman, I boarded the USS McCloy, whose primary mission was to hunt, detect and deter enemy submarines off the U.S. coastline. I had just finished my first year of college as an electrical engineering major and was training to become an officer in the U.S. Navy. I couldn't wait to learn about the Navy's sophisticated enemy submarine detection technology and meet members of the McCloy's elite threat detection team.
So, imagine my surprise on the first day when I was handed some wrenches and screwdrivers, paired with a fellow crew member, and assigned the task of ensuring all 30 or so steel "hatches" (aka doors) on the McCloy were ship-shape. And if they weren't, to make any repairs. So much for helping my shipmates hunt down malicious adversaries!
As I went about my mission, I thought about the phrase "batten down the hatches." It originated in the 19th century when, at the onset of a major storm or other risk of water breach, ship captains would order their crew to close all doors on the ship and barricade those doors with wooden rods or "battens." Today, this phrase is a metaphor for the wisdom of taking immediate and decisive action at the onset of any major risk.
I came to appreciate that all the McCloy's elite tech and threat-hunting experts would be at risk of failing their mission if the McCloy's hatches weren't there to protect them. Thanks to the McCloy's built-in segmentation architecture and well-functioning hatches, a hull breach would not escalate into lateral spread of water from hallway to hallway, and from room to room, sinking the ship.
The Cyber Equivalent of Battening Down the Hatches
In the 1990 movie "The Hunt for Red October," the Red October was a Russian submarine with the most advanced detection avoidance technology. In today's cyber equivalent, we're not hunting for elusive submarines, but for increasingly stealthy and sophisticated cyber-adversaries in electronic networks.
Cyber threat hunters must segment their networks with electronic "hatches" to prevent the lateral movement of intrusions. If you have a breach in your network, you don't want malware or ransomware to spread, which is why you must divide the network into individual compartments that function as barriers.
Segmentation is a security tool that MSSPs can offer as a service alongside managed detection and response (MDR): Zero Trust segmentation as a service.
In my next blog, I'll further explain why segmentation (and, more specifically, host-based segmentation) is a perfect complement to robust managed detection and response. It's not only good for MSSP clients, but good for the MSSP as well.
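To make the "micro haystacks" and "compartments as barriers" points concrete, here is an added example (not part of the original article, and not any vendor's product code) that models the blast radius of a compromised host under a flat network versus a deny-by-default, host-based segmentation allow-list. The host inventory, segment names and allowed flows are constructed for illustration.

```python
"""Blast-radius model: flat network vs. host-based Zero Trust segmentation."""
from collections import deque

# Constructed inventory: host -> segment label (hypothetical names).
HOSTS = {
    "web-1": "dmz", "web-2": "dmz",
    "app-1": "app", "app-2": "app",
    "db-1": "data",
    "hr-laptop": "users", "fin-laptop": "users",
}

# Zero Trust allow-list: deny by default. Only these (src_segment, dst_segment)
# flows are permitted, plus traffic inside a segment. Every other attempted
# connection is a denied flow the host enforcement point can log for the SOC.
ALLOWED_FLOWS = {("dmz", "app"), ("app", "data")}


def flat_policy(src: str, dst: str) -> bool:
    """Unsegmented network: any host may initiate a connection to any other."""
    return src != dst


def segmented_policy(src: str, dst: str) -> bool:
    """Host-based policy: allow intra-segment and explicitly listed flows only."""
    if src == dst:
        return False
    s, d = HOSTS[src], HOSTS[dst]
    return s == d or (s, d) in ALLOWED_FLOWS


def blast_radius(policy, start: str) -> list[str]:
    """Hosts an intruder on `start` could reach by chaining allowed connections."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and policy(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)


def compare_policies() -> dict[str, tuple[int, int]]:
    """Per host: (reachable hosts on a flat network, reachable hosts when segmented)."""
    return {h: (len(blast_radius(flat_policy, h)),
                len(blast_radius(segmented_policy, h))) for h in HOSTS}


if __name__ == "__main__":
    for host, (flat, seg) in compare_policies().items():
        print(f"{host:10s} flat={flat} segmented={seg}")
```

Each host's segmented blast radius is the "micro haystack" a detection tool has to search after a compromise of that host, and every cross-segment attempt outside the allow-list is a denied flow worth alerting on.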