I’ve heard that thinking for a long time in software-defined networking (SDN) circles, where the growth in lateral (east-west) traffic — connections between systems within one network or data center — comes hand-in-hand with the risk that an attacker who breaches the perimeter will be free to move from system to system unchecked.
That thinking got reaffirmed at last week’s RSA Conference. It doesn’t mean giving up on firewalls, but it does mean recognizing that the cloud creates a more uncertain and permeable perimeter. A modern security approach is all about what you do after a breach occurs.
“It means: Assume something will get through, and sandbox it,” says Steve Herrod, managing director at venture firm General Catalyst Partners.
Security’s New Philosophy
RSA Security (the company that’s part of EMC and is the host of the RSA Conference) exemplifies the shift in thinking. Originally a cryptography company, it’s now more about analytics. Last week, it announced behavioral analytics and machine learning, features aimed at creating a real-time response to a breach.
The new philosophy was brought into the company by Amit Yoran, who became president in 2014. It’s “a way of thinking about security that isn’t all-or-nothing,” says Robert Griffin, RSA’s chief security architect.
It involves identifying an attack as early as possible and deciding on an appropriate response. In some cases, you’d want to squelch the attack immediately. Sometimes, though, it’s more advantageous to let the attacker snoop around, to find out what the motivation is.
Alan Cohen, Illumio’s chief commercial officer, likens normal security to an airport. Once you’re past the TSA, you can walk to almost any gate you want, and it’s even possible to board the wrong plane. What’s preferable, and what Illumio strives for, is an architecture where “you can’t even see the other jetways. It’s a kind of application cloaking.”
The word General Catalyst’s Herrod likes for this is “isolation,” and the term is, not coincidentally, used by Menlo Security — which, like Illumio, is one of General Catalyst’s investments. Menlo acts, not at the PC level, but at the Web-browser level. Menlo isolates a user’s Web session and claims to prevent phishing attempts and malware from spreading beyond that sandbox.
What About the Network?
Approaches such as Illumio’s and RSA’s share a belief that security is no longer a question of armoring the network. Another point of view, shared by Cisco and Juniper, is that the network itself is the vehicle for delivering security.
Again, it’s a recognition that the perimeter is no longer airtight — but the networking vendors, naturally, are not inclined to shift the focus away from the network.
For Juniper, that means relying on analytics — part of the company’s threat protection service called Sky — and allowing security enforcement to take place in routers and switches, not just at the firewall. A switch could decide itself to block a particular port, for example.
“Why can’t the network itself become an active participant?” says Kevin Walker, Juniper’s CTO of security. “The idea of being able to suppress it as close to the device as possible is a key foundation of this approach, and on the enforcement side, we will over time be offering APIs so other devices, not Juniper devices, can partake of it.”