How Application Relationship Management Enables Orchestrated Segmentation to Protect Against Zero Day Threats

The last few months, a number of major breaches and exploits have hit enterprises hard. The latest breaches disclosed over the past few days involve several Zero Day vulnerabilities within Microsoft Exchange Server. The vulnerabilities, announced at the beginning of March, appear to have been subject to exploit since early-mid January according to a number of reports. Once again, the timeline between broad exploitation of vulnerabilities and the eventual discovery, and subsequent release of updates and patches, have left many organisations exposed. Current estimates are that upwards of 30,000 organisations within the United States have been compromised and data stolen. 

So, while attackers are consistently exploiting Zero Day vulnerabilities, how can an organization protect themselves and respond quickly to an incident once it has occurred? Application Relationship Management (ARM) is perfectly suited for this. ARM solutions like vArmour Application Controller, can quickly discover your critical systems (email servers, systems and network management platforms, secure transfer gateways, etc.) and their relationships to other applications in your environment. From there, Orchestrated Segmentation can be applied for a Zero Trust security model where correct policies are applied to the correct infrastructure, and if a breach should occur, understand the impact of the attack.

So how should an organization begin with Orchestrated Segmentation?

Step 1 – Getting the Scope right

Do you know where all your Exchange Servers or Domain Controllers are? Organisations have inventory systems and CMDBs but they are almost always imperfectly maintained. Having a system that can classify servers by their behaviour and validate against your CMDB gives confidence that you are about to protect all your critical infrastructure and, for many applications, their dependencies. Having validated inventory makes your security more reliable, and even makes patching remediation more streamlined and effective. No server left behind.  

Step 2 – Assessing the Communication Paths

Once you’ve scoped your critical systems, you can evaluate their connectivity requirements, critical dependencies, and the attack surface you can remove. Application Relationship Management, utilizing the vArmour Application Controller makes this simple, demonstrating relationships and dependencies with other applications as opposed to a ’spaghetti graph’ to hundreds of IP addresses. It also lets you understand potentially unacceptable relationships, such as internal mailbox servers communicating directly with external forwarding gateways. 

Step 3 – Orchestrating a Zero Trust Policy

Orchestrated segmentation means just that. For the example of Exchange Servers, orchestrating a policy means selecting an Application Function isolation template applied to your Exchange Servers. The vArmour Application Controller will compute a more accurate Zero Trust policy given its understanding of your environment, which can be curated, reviewed and simulated against historical activity and validated against your environment’s enforcement capabilities. Once you are happy with your policy, it can be pushed into your environment for enforcement or used to monitor for new relationships. vArmour abstracts the complexity of diverse environments, transforming your policy to ensure consistent enforcement by native endpoints, whether you’re using VMware NSX, Tanium, or major public clouds. 

From this moment onwards, any new attempts to access your Exchange Servers (or equally, attempts to laterally spread or exfiltrate) will be blocked and/or immediately called out by the policies orchestrated by the vArmour Application Controller. In the case of the latest Exchange vulnerabilities, reducing the systems able to access your Exchange Server on tcp/443 might just have prevented that breach from occurring long before software patches were available. 

Step 4 – Monitoring for Policy Effectiveness and Deviations from Baseline

Getting to a deployed policy is only part of an effective Zero Trust Program. Once deployed, your policy needs to be monitored for efficacy and proper change management. It is also quite common to enforce somewhat broad and permissive policies to facilitate; for example, changes to email client population while implementing very specific monitor policies which will notify the service owner as soon as dependencies change. Also, once your policies are deployed, you will need to be able to attest to your security posture when it comes to cyber audits. vArmour Application Controller streamlines ongoing Orchestrated Segmentation operations. 

Orchestrated Segmentation provides a crucial and powerful control in reducing attack surface but sometimes breaches do occur. When this happens, having the most accurate and complete information about your environment enables effective incident response. 

Step 5 – Incident Response

Understanding current and historical relationships can give you a clear picture of the timeline of an attack. For example, understanding where and when connections over tcp port 443 to your Exchange Servers first occurred over the past 2 months will probably point you towards the most likely source were you unfortunate enough to be breached. The vArmour Application Controller’s Relationship Search function makes it straightforward to identify the most likely patient-zero event, even in the most complex environments.

Summary

The immediate task now for many organizations is to assess whether they were a victim of this particular breach, gain an understanding of the impact, and determine remediation actions to take. vArmour can help and is the leader in Application Relationship Management. Using Orchestrated Segmentation, vArmour can help any organization with visibility of application relationships, create and propagate Zero Trust policies enterprise-wide, and continuously monitor actual behavior can reduce the size and scope of future breaches.