How to Harness East-West Visibility for a Stronger Defensive Security Strategy
Editor’s note: This is part four of a four-part series. For part one, see “Be Sure to Whack Your Cybersecurity Blind Spots,” for part two, see “Avoid Dead Reckoning: Why Zero Trust Requires Network Visibility,” and part three, see “Precryption: The Zero Trust Prescription for Decryption.” This series is also available as an ebook.
The days when a firewall-based perimeter was sufficient for a reliable security posture are long gone. Today, every endpoint, every user, every system is suspect. Compromises are taken for granted, and Zero Trust is becoming a way of life.
Given the need to reduce every organization’s attack surface, encryption has become the go-to technology of choice for securing all kinds of network traffic. From web sites with secure HTTP to internal communications between corporate applications, encryption has become ubiquitous.
Encryption, however, is not sufficient – even for traffic within an organization, including what we call East-West or lateral traffic. Understanding the shortcomings of encryption, as well as how to mitigate them, is essential for strengthening your security posture in today’s Zero Trust world.
East-West vs. North-South
The Wikipedia definition of East-West is traffic within a data center, while North-South traffic connects data centers. However, this definition does not reflect the subtleties of today’s complex, hybrid cloud environments.
With virtual networks, the cloud, and now cloud-native computing, the definitions of East-West and North-South have climbed the ladder of abstraction.
Today, East-West refers to laterally moving traffic between endpoints within an abstracted network segment – perhaps a virtual private cloud, or in the cloud native context, between microservice endpoints in the same Kubernetes environment.
North-South traffic, in turn, often traverses APIs – either between organizations or among different clouds, domains, or network segments within an organization.
You need to secure all traffic regardless of the points on the compass, but East-West and North-South traffic present different challenges that bring importance to the distinction.
Perimeter-based security (firewalls, API gateways, and the like) have always secured North-South traffic. The challenge today is bringing Zero Trust to bear for East-West traffic.
Zero Trust may be simple in principle – everything is untrusted until it is explicitly authorized to take a particular action – but the devil is in the details.
Network microsegmentation can provide a measure of Zero Trust across distributed networks. This approach is a strategy for containing network issues and providing situationally targeted security monitoring for an improved security posture.
However, it is insufficiently flexible to handle East-West interactions in some situations, for example among ephemeral microservice endpoints. This leaves organizations with a lack of context as to what is occurring between each of the segments and where to focus their efforts when troubleshooting must occur.
What Zero Trust means in practice, therefore, can vary depending on the context of particular interactions. The result is increased complexity, and with it, expanded opportunities for bad actors to find and exploit points of compromise.
Encryption to the Rescue?
Given this complexity of East-West traffic at different levels of abstraction, it’s not surprising that encryption alone doesn’t address today’s cybersecurity challenges.
Encryption is point-to-point by definition. It doesn’t consider network complexity that underlies today’s East-West traffic. In reality, communications may traverse many endpoints to get from point A to point B – many of which are hidden from view under layers of abstraction.
Those layers may obscure complexity, but they don’t slow down attackers. In fact, every intermediate point on a message’s journey gives adversaries an opportunity to mount a break and inspect (aka man-in-the-middle) attack.
Another primary encryption shortcoming is more subtle, but even riskier: the fact that encryption is a blunt tool that hides both bona fide corporate data as well as any malicious data bad actors wish to put in a message.
As Intellyx’s Jason English explained in his previous article, hiding malicious data in encrypted communications on the network is a common MO, as East-West communications are essential for lateral movement and data exfiltration – fundamental elements of the MITRE ATT&CK Framework.
The Missing Piece of the Puzzle: Visibility into Encrypted Traffic
Encrypted communications from point A to point B might contain sensitive corporate data, while the next message contains malware looking for a juicy target. But since both messages are encrypted, how do you tell good from bad?
The simplest answer, of course, is to decrypt and analyze them, but once you decrypt them, they are vulnerable to further attack. This approach also slows messages down, introducing unacceptable latency.
Gigamon has cracked this problem by offering an alternative: Gigamon Precryption™ technology . Precryption technology provides a simpler way (by capturing plaintext traffic) to front-run any kind of encryption and eliminate blind spots by seeing concealed threat activity and anomalous data in the cloud, VMs, and containers, before it hits an encryption library and moves on to the network.
Precryption makes copies of messages that the Gigamon Deep Observability Pipeline moves to a protected environment for inspection. Such inspection can work at different levels of abstraction, all the way down to individual packets.
The Intellyx Take
In cloud native environments, microservice endpoints are ephemeral, and thus East-West traffic connects abstracted endpoints that may not even have fixed IP addresses.
In such environments, establishing visibility into encrypted traffic is especially challenging, and requires the Precryption technology that Gigamon provides. Anything less would give bad actors too many opportunities.
Cloud native, however, isn’t the whole story. Virtual networks, virtual private clouds, and network microsegmentation all depend upon encrypted messages flowing east to west across some level of abstracted network.
Cloud native may be the latest generation of such abstraction, but virtually every organization has sufficient network complexity to take advantage of Gigamon Precryption technology to keep adversaries at bay.
Copyright © Intellyx LLC. Gigamon is an Intellyx customer. Precryption is a Gigamon trademark. Intellyx retains final editorial control of this article. No AI was used to write this article.
Featured Webinars
Hear from our experts on the latest trends and best practices to optimize your network visibility and analysis.
CONTINUE THE DISCUSSION
People are talking about this in the Gigamon Community’s Security group.
Share your thoughts today