Why Deep Observability Is Essential for Microsegmentation
Microsegmentation is a hot topic in InfoSec architecture circles and a required component of several Zero Trust architectures and maturity models. Many organizations look to it as a way of significantly reducing their attack surface, and it does.
What it does not do — despite what many believe — is actually prevent lateral movement. It’s not a lateral movement denial strategy; it’s a lateral movement degradation approach. Lateral movement will still be possible — it will just be harder.
Let’s do a thought experiment, which I call “think like an attacker.” Reverse the roles: Imagine you are an adversary trying to penetrate an organization that has implemented a microsegmentation approach. This could be network-based microsegmentation or host/agent-based — it doesn’t matter for the purposes of our thought experiment.
As an attacker, you rarely get to choose where you land. A vulnerability in an internet-facing service might gain you access to that server. Maybe you trick a user with a phishing attack to install a RAT, then you’re on their PC. Or you compromise the supply chain and get a backdoored OT device into their environment. You almost certainly haven’t landed near your target, so you need to move laterally, try to stay as quiet as possible, and plan your strategy.
At this point, no attacker is going to give up. Instead, you would explore the available attack surface by running some discovery scans to see what you’re allowed to connect to. This could include services, cloud infrastructure, even IoT/OT devices like printers. You can look at the connection table on the host, but if that doesn’t yield something you can exploit, you’ll be forced to scan.
If you’re facing network-based segmentation, you probably need to run a scan to see what you are allowed to talk to under the enforced policy. These scans are highly atypical and would be seen by even a basic IDS. However, most network-based segmentation enforces policy without inspecting the traffic it passes or drops, so these scans go unseen, and you will identify a lateral movement opportunity and exploit it.
Now, if you’re facing agent-based segmentation and can get admin privileges, you can probably disable the endpoint agent or open the ports that allow lateral movement. Some agent-based solutions also provide visibility, so disabling the agent is probably on your agenda, too. Once you have admin privileges, for example via a BYOVD (bring your own vulnerable driver) attack on Windows, “tamper-resistant” agents are mostly moot. Again, you will still need to scan for attack surface, and these scans will look extremely atypical, especially compared to the traffic of comparable endpoints whose agents are still running.
All microsegmentation has done is make it harder (a degrade strategy) rather than impossible (a deny strategy).
So, let’s change the scenario and introduce microsegmentation with the deep observability Gigamon can enable, feeding something like an NDR tool or even an IDS.
As soon as you start to scan, you’ll be seen, alerting SecOps to your presence.
The reality is that, without the network visibility of the Gigamon Deep Observability Pipeline, microsegmentation is an incomplete solution in which an attacker can hide. Microsegmentation with deep observability is the best of both worlds, limiting attack surface while easily revealing attacker presence. It’s a win-win scenario and the best possible outcome.
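The detection signal the post relies on is simple to state: a host that probes what segmentation lets it reach generates, in a short window, connection attempts to many distinct hosts and ports, most of which the policy denies. The following is an added example, not Gigamon code, that runs that logic over constructed flow records of the kind a segmentation log or network tap would yield (timestamp, source, destination, port, allow/deny verdict). The record format, the window size and the thresholds are assumptions for illustration; the same signal appears whether the segmentation is network-based or agent-based, because the probes still cross the network.

```python
"""Toy scan detector over constructed flow records (added example, not Gigamon code).

Models the post's point: a scanning host produces an atypical burst of
connection attempts to many distinct (host, port) targets, mostly denied.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed thresholds for this example; tune per environment and host role.
WINDOW_SECONDS = 60
MAX_DISTINCT_TARGETS = 10   # distinct (dst_ip, dst_port) pairs per source in the window
MIN_DENIED_RATIO = 0.5      # most probes against a segmented network are denied


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    denied: bool   # policy drop / no reply, as a segmentation log would record it


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed format: 'ts src dst dport allow|deny'."""
    ts, src, dst, dport, verdict = line.split()
    if verdict not in ("allow", "deny"):
        raise ValueError(f"bad verdict: {verdict}")
    return Flow(int(ts), src, dst, int(dport), verdict == "deny")


def detect_scans(flows):
    """Return {src: (distinct_targets, denied_ratio, window_start_ts)} for each
    source at the moment it first crosses both thresholds."""
    windows = defaultdict(deque)   # per-source sliding window of recent flows
    alerts = {}
    for f in sorted(flows, key=lambda x: x.ts):
        w = windows[f.src]
        w.append(f)
        while w and f.ts - w[0].ts > WINDOW_SECONDS:   # expire old records
            w.popleft()
        targets = {(x.dst, x.dport) for x in w}
        ratio = sum(1 for x in w if x.denied) / len(w)
        if (len(targets) >= MAX_DISTINCT_TARGETS
                and ratio >= MIN_DENIED_RATIO
                and f.src not in alerts):
            alerts[f.src] = (len(targets), round(ratio, 2), w[0].ts)
    return alerts


# Constructed sample: 10.1.1.20 behaves normally (a few allowed flows to two
# services); 10.1.1.50 sweeps 10.1.2.1-12 on 445, and policy permits only 10.1.2.5.
SAMPLE_LOG = [
    "1700000000 10.1.1.20 10.1.3.5 443 allow",
    "1700000005 10.1.1.20 10.1.3.5 443 allow",
    "1700000009 10.1.1.20 10.1.3.8 53 allow",
    "1700000030 10.1.1.20 10.1.3.5 443 allow",
] + [
    f"{1700000100 + i} 10.1.1.50 10.1.2.{i + 1} 445 {'allow' if i == 4 else 'deny'}"
    for i in range(12)
]


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_scans(parse_flow(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for src, (n, ratio, start) in run_sample().items():
        print(f"scan from {src}: {n} targets, {ratio:.0%} denied, window from {start}")
```

The normal workstation never exceeds two distinct targets and is never flagged; the sweeping host trips the alert on its tenth probe, with nine of ten attempts denied. In production the denied ratio is what separates a segmentation-policy probe from a busy but legitimate host, and the thresholds would be set per role from observed baselines rather than fixed constants.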