One of the most damaging aspects of modern cyberattacks is when an attacker achieves persistence – the ability to penetrate a network and remain resident for long periods, moving from system to system and gathering valuable data to steal. The goal of the security industry must be to deny attackers that persistence. Three relatively new technologies can play a major role in protecting servers and the network from persistent attacks.
This is a new version of an old idea – firewalling. The fundamental concept behind a firewall is that not every server should be allowed to connect to every other server. Most firewalls are placed at a network boundary, to tightly control traffic coming in or out. But all servers within that boundary or perimeter are generally treated as trusted and therefore allowed to communicate with one another without restriction. Once an attacker gets past the perimeter firewall, they can move relatively easily from server to server, looking for what they want. Microsegmentation is like a miniature firewall that puts a boundary around a single server, so arbitrary connections between servers in the data center are denied by default and only the connections a workload actually needs are allowed. This is a very effective way to stop lateral movement and the internal spread of malware within an enterprise.
Microsegmentation can be done in the OS itself (a host firewall), but this strategy has a weakness: once an attacker has privileged access in the OS, they can disable or rewrite those controls. The most effective form of microsegmentation is enforced at the hypervisor layer – a layer below the OS, where the guest cannot reach it. Major hypervisor providers such as VMware and cloud service providers such as Amazon, Google, and Microsoft all offer some form of microsegmentation.
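To make the difference between perimeter-only trust and a per-workload allow-list concrete, here is an added example (not code from the original article or from any of the vendors it names). It is a small default-deny policy evaluator: the tiers, IP addresses and ports are constructed for illustration, and the rule format is an assumption, not any product's policy syntax. A compromised web server attempting to reach the database directly, or to SSH to the application tier, is permitted under a perimeter-only policy and denied under the microsegmented one; the one path the web tier is supposed to use still works.

```python
"""Default-deny microsegmentation policy evaluator (illustrative, not a product API)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    port: int   # destination port


@dataclass(frozen=True)
class Rule:
    src_cidr: str
    dst_cidr: str
    proto: Optional[str] = None  # None means any protocol
    port: Optional[int] = None   # None means any port

    def matches(self, flow: Flow) -> bool:
        return (
            ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_cidr)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_cidr)
            and (self.proto is None or self.proto == flow.proto)
            and (self.port is None or self.port == flow.port)
        )


def is_allowed(flow: Flow, rules) -> bool:
    """Default deny: a flow is permitted only if some rule explicitly allows it."""
    return any(rule.matches(flow) for rule in rules)


def evaluate(flows, rules) -> dict:
    """Map each flow to its allow/deny verdict under the given rule set."""
    return {flow: is_allowed(flow, rules) for flow in flows}


# Constructed three-tier deployment (assumed addresses, not from the article).
LB, WEB, APP, DB = "10.0.0.5", "10.0.1.10", "10.0.2.10", "10.0.3.10"

# Perimeter-only trust: anything inside 10.0.0.0/8 may talk to anything else inside.
PERIMETER_ONLY = [Rule("10.0.0.0/8", "10.0.0.0/8")]

# Microsegmented: one rule per required path, each scoped to a single host and port.
MICROSEGMENTED = [
    Rule(LB + "/32", WEB + "/32", "tcp", 443),    # load balancer -> web
    Rule(WEB + "/32", APP + "/32", "tcp", 8080),  # web -> app
    Rule(APP + "/32", DB + "/32", "tcp", 5432),   # app -> database
]

# What an attacker who has taken over the web server tries next (constructed).
LATERAL_MOVEMENT = [
    Flow(WEB, DB, "tcp", 5432),   # straight for the database
    Flow(WEB, APP, "tcp", 22),    # SSH to the app tier
    Flow(WEB, APP, "tcp", 8080),  # the one path web is meant to use
]

if __name__ == "__main__":
    for name, rules in (("perimeter-only", PERIMETER_ONLY), ("microsegmented", MICROSEGMENTED)):
        print(name)
        for flow, ok in evaluate(LATERAL_MOVEMENT, rules).items():
            print(f"  {flow.src} -> {flow.dst}:{flow.port}/{flow.proto}: {'ALLOW' if ok else 'DENY'}")
```

The evaluator itself is deliberately simple; the point is where it runs. Implemented as a host firewall inside the guest it is only as trustworthy as the guest, which is the weakness the paragraph above describes, so the same rule set should be enforced by the hypervisor or the cloud provider's network layer.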
A major source of attacks is socially engineered content that entices a user to click a link. The attackers then use the resulting web traffic to deliver a payload onto the user’s machine and gain a toehold in the network. Trying to keep up with every web vulnerability is an impossible task, so a host of new vendors have developed a technology called web isolation. The idea is to load and execute each web page in an isolated container away from the endpoint, and deliver only a safe rendering of the finished page to the user’s browser.
The web isolation approach has the major advantage of not needing any prior knowledge of an attack, since any malware executes in a “petri dish” where it cannot reach the end user’s machine. It is a very effective strategy and is rapidly being adopted by IT teams worldwide. Major vendors include traditional web security vendors such as Symantec and Proofpoint, and also new pioneers such as Menlo Security.
Server immutability is based on the idea that most components of a server should never change once it has been built and is running. The challenge with this belief is that once an attacker gains privileged access in the OS, they can make any changes they want. The OS cannot protect itself from attack. Several open-source mandatory access control projects have made big strides in this direction – AppArmor and SELinux are two of the most notable. These projects have not achieved widespread adoption because they can be challenging to configure and operate. However, new advances in server virtualization technology can create a platform to deliver truly strong, usable immutable systems. Further, the movement to “cloud-native” applications based on containers means that applications are less dependent on an OS. The OS is never patched or updated in place, but simply “repaved”: a new server is spawned from an updated image and the old one is destroyed. In this type of cloud-native environment – where a server is disposable and never needs to be updated or changed – it is quite possible to lock down the server’s configuration tightly and thereby reduce the attack surface. Immutability is a promising area and likely to be an active solution in the next year.
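The operational consequence of immutability is that any difference between a running server and the image it was built from is, by definition, unauthorized change, and the response is to repave rather than repair. Here is an added example of that check (not code from the original article or from any of the projects it names): it records a SHA-256 manifest of a golden image, compares the running tree against it, and reports added, removed or modified files. The file tree and the attacker's changes (a dropped cron job and a trojaned daemon) are constructed in a temporary directory for the demonstration; the paths are assumptions, not real system files.

```python
"""Immutable-server drift check: compare a running tree against its golden-image manifest."""
import hashlib
import os
import tempfile


def build_manifest(root: str) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def detect_drift(baseline: dict, current: dict) -> dict:
    """Return the paths added, removed or modified relative to the golden image."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(path for path in common if baseline[path] != current[path]),
    }


def must_repave(drift: dict) -> bool:
    """On an immutable server any drift at all means: destroy and respawn from the image."""
    return any(drift.values())


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: build the image, then simulate an intruder's persistence changes."""
    with tempfile.TemporaryDirectory() as root:
        # Golden image contents (assumed, illustrative only).
        _write(root, "usr/bin/httpd", b"\x7fELF original server binary")
        _write(root, "etc/httpd.conf", b"Listen 443\n")
        baseline = build_manifest(root)

        # Simulated attacker persistence: a cron job is dropped and the daemon is trojaned.
        _write(root, "etc/cron.d/backdoor", b"* * * * * root /tmp/.x\n")
        _write(root, "usr/bin/httpd", b"\x7fELF trojaned server binary")

        return detect_drift(baseline, build_manifest(root))


if __name__ == "__main__":
    drift = demo()
    for kind, paths in drift.items():
        print(f"{kind}: {paths}")
    print("action: repave" if must_repave(drift) else "action: none")
```

The caveat is the same one the paragraph above makes: a check like this that runs inside the OS can be tampered with by an attacker who already owns the OS. It is most useful when the baseline manifest is held outside the server and the comparison is driven from the orchestration layer that also does the repaving.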
The headlines are filled with the business impact of targeted, persistent cyberattacks. While there is no silver bullet, these three new technologies make it much harder for attackers to achieve their goal of stealing valuable data.