Technical Blog

【Illumio #1】Containing Ransomware with ‘Illumio’ Zero Trust Segmentation (Micro-segmentation)

Posted by: NI+C engineer in charge of Illumio application

Welcome to the first in a series of blog posts exploring Illumio, an innovative solution offering micro-segmentation – a potent strategy against the looming threat of lateral movement in cyber-attacks.

This post will deliver insights into evolving ransomware trends, demystify Illumio, and provide a lucid understanding of communication visualization, a key feature of Illumio.


1. Tracking Ransomware Trends

There’s been an alarming rise in the number of ransomware attacks of late.

As reported by the Metropolitan Police Department of Japan in its publication “Cyberspace Threats and Conditions 2022”, 230 ransomware damage cases were reported in 2022, a whopping 57.5% increase from the previous year.

The stark reality is that only 8% of the malware involved was detected, largely because the affected companies had not implemented antivirus software adequately.


2. Intersecting Ransomware and Micro-Segmentation

As various corporations and organizations patch up their security measures, one key question looms. Have all potential intrusion paths been sealed?

A single overlooked hole can result in a catastrophic intrusion, with ransomware employing silent “lateral movement” to maximize damage.

Micro-segmentation may just be the answer to this threat.

Micro-segmentation, the process of dividing a larger network into smaller, manageable units, acts like creating multiple rooms in a large house. Even if one room suffers from an issue, it stays contained, not impacting the other rooms. This mechanism prevents a virus from propagating throughout the network, containing any damage within the infected unit.


3. Illumio Unveiled

  • Illumio Explained

Illumio is a comprehensive platform that facilitates micro-segmentation, regardless of your existing ecosystem (on-premises or cloud).

Illumio offers a SaaS version which accelerates implementation, eradicating the need for a management server. This not only reduces upfront investment but also maintenance costs.

The platform enables efficient configuration of security policies, even in complex network structures.

Moreover, real-time visualization of network communication and detection of aberrant patterns help organizations implement countermeasures quickly, thus enhancing organizational security.

  • Advantages of Illumio Implementation

Enhanced Security:

Illumio enhances security by segmenting your network into smaller parts and controlling communication between each segment. This arrangement minimizes the risk that a vulnerability exploited by ransomware or another cyber attack in one part of the network affects the rest of it. As a result, it prevents intruders from moving laterally inside the network, significantly improving security.

Scalability:

As Illumio provides software-based micro-segmentation, it can be quickly deployed in large-scale network environments without the addition of physical network equipment.

Visualization of Key Information:

Illumio enables real-time visualization of network communication status. This functionality allows administrators to easily understand the condition of the network and quickly detect abnormal patterns or signs of attack.

Flexibility:

Security policies can be flexibly formulated to suit the existing network environment and operating system.

Strengthening Compliance:

To meet regulatory requirements, appropriate security controls and evidence of them are often needed. Illumio assists in adhering to compliance requirements by recording and controlling each segment’s communication in detail.

  • Virtual Enforcement Node (VEN) and Policy Compute Engine (PCE)

Virtual Enforcement Node (VEN)

With Illumio’s VEN installed on each server or workload, network traffic can be monitored in real time and inbound and outbound connections controlled. This per-node approach enables granular communication control (micro-segmentation) under clearly defined security policies.

Policy Compute Engine (PCE)

The PCE component of Illumio collects information on network communication from the VENs installed on each server or workload to understand the communication status of the entire network. It also instantly calculates communication rules based on the security policy.


4. Micro-Segmentation with Illumio

Now we’re moving on to hands-on work with Illumio to explore the practical application of micro-segmentation. Today’s session dissects “VEN registration”, “label creation and assignment”, and “communication visualization”.

Here’s a brief roadmap of what we’re planning for this tech blog series:

#1 (this article): highlights visualization of traffic from each device.

#2: explores communication control using micro-segmentation.

#3: outlines the integration process with other security-related products.


VEN Registration

For this demonstration, we’ll be registering the VEN on a LinuxOS server.


1. By default, “Visibility Only” pairing profiles for “Endpoint VEN” and “Server VEN” are registered.

Since we’re registering a Server VEN this time, we select the “Default (Server)” link. Note that under the “Visibility Only” policy, all communications are visualized and additional configuration is necessary to block communication.

2. Click “Generate Key”, and it’s ready.

3. Next, we install the VEN on the Linux OS. For this, we copy the Linux OS Pairing Script in the upper red box.

*Note: If you’re installing the VEN on Windows OS, use the script in the lower red box.

4. Logging in to the Linux OS server where the VEN will be installed, we paste and execute the script copied in the previous step.

Please check that you see the “VEN has been successfully paired with Illumio” message to confirm that the installation completed successfully.

*Please note that if you’re connecting to the internet via a proxy, some script editing is required.

5. With the host where the VEN was installed visible on the console, our VEN installation is complete.

6. We can also click on the host to view detailed information about it.


Label Creation/Application

Labels help diverse workloads (servers, VMs, terminals, etc.) to be grouped for clearer visualization of communication.

1. Select the target host on the console and click “Edit Labels”.

2. Click “Select Labels”.

3. Select the label you would like to use from the list.

Each label is applied in a well-defined hierarchy and only one can be applied at each level. The hierarchy is as follows:

① Location: Tokyo, North America, etc.

② Environment: Production, Development, DR environment, etc.

③ Application: System name, Service name, etc.

④ Role: WEB, DB, APP names, etc.

4. With the preferred label displayed, click “OK”.

5. Make sure that the label is now applied to the target host.

6. By looking at the map, we can confirm that the hierarchy has been accurately created for each label.
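To make the label hierarchy above, and the “rooms in a house” idea from section 2, concrete, here is a small Python model added for this post. It is not Illumio’s code or API: the `Workload` and `Rule` classes, the `decide` function, the sample workloads, the single rule and the port numbers are all constructed assumptions. It enforces one label per level, matches flows against label-based rules, and shows the difference between “Visibility Only” (flows pass, but unmatched ones are reported) and enforcement (unmatched flows are blocked).

```python
from dataclasses import dataclass

# The four label levels from the post, in hierarchy order. A workload carries
# exactly one value per level (illustrative model, not Illumio's data model).
LEVELS = ("Location", "Environment", "Application", "Role")


def validate_labels(labels):
    """Reject labels for unknown levels and require every level to be set."""
    unknown = set(labels) - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown label level(s): {sorted(unknown)}")
    missing = [lvl for lvl in LEVELS if lvl not in labels]
    if missing:
        raise ValueError(f"missing label level(s): {missing}")
    return dict(labels)


@dataclass
class Workload:
    name: str
    labels: dict  # level -> single value

    @classmethod
    def new(cls, name, **labels):
        return cls(name, validate_labels(labels))


@dataclass
class Rule:
    """Consumer (initiating side) may reach provider (listening side) on proto/port.
    Each side is a partial label set; levels left unspecified match anything."""
    consumer: dict
    provider: dict
    proto: str
    port: int


def matches(workload, constraints):
    return all(workload.labels.get(lvl) == val for lvl, val in constraints.items())


def permitted(rules, src, dst, proto, port):
    return any(
        matches(src, r.consumer) and matches(dst, r.provider)
        and r.proto == proto and r.port == port
        for r in rules
    )


def decide(rules, src, dst, proto, port, enforce):
    """'allowed' if a rule covers the flow. Otherwise 'blocked' when enforcing,
    or 'potentially-blocked' in visibility-only mode: the flow still passes,
    but it is reported as traffic that enforcement would stop."""
    if permitted(rules, src, dst, proto, port):
        return "allowed"
    return "blocked" if enforce else "potentially-blocked"


# Constructed sample: a production web/db pair and a development web server.
WEB = Workload.new("web01", Location="Tokyo", Environment="Production", Application="Shop", Role="WEB")
DB = Workload.new("db01", Location="Tokyo", Environment="Production", Application="Shop", Role="DB")
DEV_WEB = Workload.new("devweb01", Location="Tokyo", Environment="Development", Application="Shop", Role="WEB")

# Single assumed rule: production Shop WEB may reach production Shop DB on tcp/3306.
RULES = [
    Rule(consumer={"Environment": "Production", "Application": "Shop", "Role": "WEB"},
         provider={"Environment": "Production", "Application": "Shop", "Role": "DB"},
         proto="tcp", port=3306),
]

if __name__ == "__main__":
    flows = [(WEB, DB, "tcp", 3306), (DEV_WEB, DB, "tcp", 3306), (DB, WEB, "tcp", 22)]
    for src, dst, proto, port in flows:
        for enforce in (False, True):
            mode = "enforce" if enforce else "visibility-only"
            verdict = decide(RULES, src, dst, proto, port, enforce)
            print(f"{src.name} -> {dst.name} {proto}/{port} [{mode}]: {verdict}")
```

The development web server is refused by the same rule that admits the production one because its Environment label differs, and the reverse DB-to-WEB SSH flow is never matched at all, which is exactly the lateral movement micro-segmentation is meant to contain. Running the script in visibility-only mode first lists those flows as “potentially-blocked” so they can be reviewed before enforcement is switched on.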


Visualizing Communication Processes

Now we’ll check the communication to the Public and Private Addresses.

1. We initiate the process by accessing a website from the LinuxOS host.

2. You can see on the console that the host communicates with the company’s DNS server over UDP/53 to resolve names.

3. Similarly, you can see on the console that the Linux OS host communicates over TCP/443 to reach external websites from within the company network.
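What the console shows in steps 2 and 3 is a set of observed connections collapsed into edges on a map. The following Python, added as an example for this post and not taken from Illumio, does the same thing over a constructed sample of connection records in a made-up whitespace-separated format: it classifies each destination as a private or public address, labels well-known services such as DNS (UDP/53) and HTTPS (TCP/443), and lists edges that fall outside an assumed baseline of expected communication so they can be reviewed before any blocking rules are written. The record format, host names, addresses and the baseline are all assumptions.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges used to classify a destination as private vs public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Well-known services used to label edges in the summary.
KNOWN_SERVICES = {("udp", 53): "DNS", ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}

# Constructed sample records (hypothetical format): timestamp, reporting host,
# source IP, destination IP, protocol, destination port, direction.
# 203.0.113.10 is a documentation address standing in for a public website.
SAMPLE_FLOWS = """\
2023-09-01T10:00:01 linux-host 10.0.1.20 10.0.0.53 udp 53 out
2023-09-01T10:00:01 linux-host 10.0.1.20 203.0.113.10 tcp 443 out
2023-09-01T10:00:02 linux-host 10.0.1.20 203.0.113.10 tcp 443 out
2023-09-01T10:00:05 linux-host 10.0.1.20 10.0.1.21 tcp 445 out
"""


def scope_of(ip):
    """'private' for RFC 1918 addresses, otherwise 'public'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in PRIVATE_NETS) else "public"


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, src, dst, proto, port, direction = line.split()
        flows.append({"ts": ts, "host": host, "src": src, "dst": dst,
                      "proto": proto.lower(), "port": int(port), "direction": direction})
    return flows


def summarize(flows):
    """Collapse individual connections into map edges: (host, dst, proto, port) -> count."""
    return Counter((f["host"], f["dst"], f["proto"], f["port"]) for f in flows)


def describe(edge, count):
    host, dst, proto, port = edge
    service = KNOWN_SERVICES.get((proto, port), "unknown")
    return f"{host} -> {dst} [{scope_of(dst)}] {proto}/{port} {service} x{count}"


def unexpected_edges(summary, baseline):
    """Edges whose (destination scope, proto, port) is not in the expected baseline.
    These are the candidates to examine before writing blocking rules."""
    return [edge for edge in summary if (scope_of(edge[1]), edge[2], edge[3]) not in baseline]


# Assumed baseline matching what the post observed: DNS to the internal resolver, HTTPS outbound.
BASELINE = {("private", "udp", 53), ("public", "tcp", 443)}

if __name__ == "__main__":
    summary = summarize(parse_flows(SAMPLE_FLOWS))
    for edge, count in summary.items():
        print(describe(edge, count))
    for edge in unexpected_edges(summary, BASELINE):
        print("review:", describe(edge, summary[edge]))
```

On the sample, the DNS and HTTPS edges match the baseline, while the TCP/445 connection to another private host is surfaced for review; in visibility-only mode that is the kind of edge you would decide on before moving a workload to enforcement.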


Conclusion

Our exploration into micro-segmentation using Illumio is now complete. The aim was to give you a solid understanding of recent ransomware trends, a broad overview of Illumio, and a first look at how to visualize communication with Illumio. Stay tuned for our next blog, “【Illumio #2】Communication Control via ‘Illumio’ Zero Trust Segmentation (Micro-segmentation)”. We look forward to continuing this tech journey with you.

For those considering the implementation of Illumio, we highly encourage you to consult with us at NI+C first. Upon discussing your specific needs, we will strive to propose the optimal solution to enhance your security measures.

For inquiries, please email us at global@niandc.co.jp.
