Breach Readiness in IT/ITES


An impenetrable perimeter means little if an intruder can freely roam within it once inside. 

Consider this: You’re managing the IT infrastructure for a sprawling IT services firm, where multiple clients share a common physical infrastructure. Despite having robust firewalls, encryption, intrusion detection systems, and intrusion prevention systems in place, you discover that attackers have bypassed these defenses. The attacker entered the network through a weaker client and, once inside, moved through the shared infrastructure to disrupt other clients that may have strong security of their own but are exposed through the weak client. The primary threat here is the lateral movement of attackers across shared resources, which jeopardizes the security and operations of all clients.

This is not a hypothetical scenario but a reality that many IT/ITES organizations face. Security measures like network segmentation, EDR, and various other tools and techniques, while essential, often fall short when it comes to protecting against internal threats and lateral movement within the network.   

A Modern Tale of Cyber Intrusion 

Consider the 2020 Cognizant Maze ransomware attack. The Maze attack followed a sophisticated kill chain: attackers first gained access through spear phishing using file format exploits. Once inside, they moved laterally across the network to expand their reach and steal credentials using Living off the Land (LOTL) techniques. Unencrypted data was then exfiltrated from vulnerable systems. After gaining administrator privileges, they deployed the Maze ransomware and, finally, demanded a ransom, threatening to release the exfiltrated data if payment was not made.

[Figure: Maze ransomware attack kill chain]

Cognizant, which provides IT services to the manufacturing, financial services, technology, and healthcare sectors, began emailing their clients to warn them that they were under attack by Maze ransomware, urging them to disconnect from Cognizant to protect themselves from potential damage. Cognizant also acknowledged the attack in a statement released on Saturday, April 18. The Maze ransomware attack not only compromised Cognizant’s systems but also put their clients’ data at significant risk.

Visibility Gaps in Lateral Movement 

Today, over 75% of all network traffic is lateral, or East-West, yet most traditional security solutions offer minimal visibility into this critical traffic. This significant blind spot enables attackers who breach perimeter defenses to evade detection for extended periods, as they move laterally to target endpoints, applications, and workloads.  

Traditional network segmentation using VLANs and perimeter firewalls cannot provide the necessary visibility of lateral movement, because East-West traffic between workloads never passes through them. Enhanced visibility of lateral movement is essential to detect and mitigate these movements, thereby ensuring comprehensive protection against sophisticated threats.

Challenges Faced by IT/ITES Organizations 

IT/ITES organizations encounter several challenges in their quest to maintain robust security and breach readiness. One major challenge is managing and securing a multi-tenant environment where multiple clients share the same infrastructure. This setup requires stringent isolation to prevent the lateral spread of attacks from one client to others, which can cause enterprise-wide damage.

Another challenge is the complexity of implementing effective micro-segmentation within such environments. Ensuring that segmentation policies are consistently applied and enforced across diverse client setups can be difficult, particularly when dealing with dynamic workloads and rapidly changing network configurations.  

Additionally, maintaining up-to-date security policies and configurations across a dynamic and diverse set of client environments is challenging. As the client’s needs evolve and new vulnerabilities emerge, IT/ITES organizations must continually adapt their security measures to address these changes effectively while ensuring that protections remain robust and relevant. 

The Shift to Breach Readiness 

Current approaches primarily emphasize post-incident response and damage management, which naturally results in a reactive posture. To transition from a reactive to a proactive approach, IT/ITES companies must focus on being Breach Ready – a strategic shift that places emphasis on preparedness and response rather than solely relying on the prevention of breaches.  

Microsegmentation is instrumental in achieving proactive breach readiness by operating under the assumption that a breach has already occurred, rather than merely anticipating potential breaches. Microsegmentation is a security practice designed to make network security as granular as possible by dividing the network into isolated segments. This allows for meticulous monitoring and control of traffic within each segment, which helps prevent unauthorized lateral movement within the network. This is achieved by creating secure zones to isolate environments, data centers, applications, and workloads across on-premises, cloud, and hybrid network environments, thereby enhancing overall security posture. Given that IT/ITES organizations predominantly manage data center environments, microsegmentation plays a crucial role in protecting these infrastructures from both internal and external threats.

Traditionally, an enterprise’s security is only as robust as its weakest link; once this link is breached, the entire system is exposed. However, with a microsegmentation strategy, the breach of a weak link is isolated within the compromised segment, thereby safeguarding the security and integrity of other segments. This method prevents vulnerabilities from spreading across the network, greatly enhancing overall resilience. 

This can be accomplished using the following approaches: 

  • Reducing the Attack Surface: The attack surface of an asset measures its susceptibility to attacks via different entry points on the asset. This involves shutting down unused and potentially malicious ports while blocking unauthorized or unacceptable connections on active ports.  
  • Reducing the Blast Radius: The blast radius of an asset is a measure of its ability to propagate a security breach to the components connected to it in the network. Systematically deactivating dormant ports and applying stringent access controls to the ports in use limits the paths along which a breach can spread through interconnected network components. Once a device is compromised, stringent policies restrict its outbound traffic to isolate it from the network, thus curbing its potential to propagate the breach to other, unaffected devices.
  • Enhanced Visibility: Visibility is a cornerstone of effective micro-segmentation, serving as the essential first step in securing network environments. It provides a clear view of open and dormant ports, as well as active connections, enabling IT service providers to map out their network landscape comprehensively. With this insight, operators can craft precise security policies aimed at reducing both the attack surface and the blast radius. Visibility empowers organizations to identify and assess risky ports and connections, pinpointing vulnerabilities that could be exploited for lateral movement within the network. This detailed understanding of network assets and potential weak points is crucial for developing a robust security strategy that fortifies defenses and limits the impact of potential breaches. Without such visibility, creating and enforcing effective security policies would be challenging, making it a critical component in building a resilient and secure network infrastructure.  
  • Control: This entails the strategic management and restriction of access across various network segments, involving the implementation of stringent policies that dictate who can access which resources, and under what conditions. The primary objective of microsegmentation is to reduce the attack surface and the blast radius, thereby safeguarding sensitive data and systems from unauthorized access. Effective control includes both the proactive configuration of access permissions and the dynamic enforcement of policies to respond to emerging threats.
  • Monitoring: By continuously monitoring network activity and policies, organizations can ensure that only authorized entities interact with sensitive resources. This approach allows for the real-time detection of unauthorized access attempts or unusual behavior, enabling swift corrective actions. Such vigilance not only minimizes the risk of breaches but also maintains the network’s integrity by promptly addressing potential security threats before they can escalate. 
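As an added illustration (not code from the article or from ColorTokens), the following Python models the levers above on a constructed multi-tenant flow sample: dormant listening ports as the attack surface, the set of hosts reachable from a compromised host as the blast radius, and how a tenant-isolation policy plus a quarantine rule shrink that set. Host names, flows, listening ports and the allowlist are all hypothetical.

```python
from collections import deque

# Constructed sample (hypothetical hosts and flows, not from the article). Hosts are
# named "<tenant>-<role>"; FLOWS are observed East-West connections
# (src, dst, dst_port) of the kind a visibility tool reports.
FLOWS = [
    ("clientA-web", "clientA-db", 3306), ("clientA-web", "shared-jump", 22),
    ("shared-jump", "clientB-app", 3389), ("shared-jump", "clientC-app", 445),
    ("clientB-app", "clientB-db", 1433), ("clientC-app", "clientC-db", 5432),
]
# Ports each host listens on: every open port is a potential entry point.
LISTENING = {
    "clientA-web": {80, 443, 22}, "clientA-db": {3306, 445},
    "shared-jump": {22, 3389, 445}, "clientB-app": {3389, 445},
    "clientB-db": {1433}, "clientC-app": {445, 22}, "clientC-db": {5432, 445},
}
# Cross-tenant flows the business explicitly needs (hypothetical allowlist).
ALLOWLIST = {("clientA-web", "shared-jump", 22)}

def dormant_ports(host, flows=FLOWS, listening=LISTENING):
    """Attack surface: listening ports no observed flow uses (candidates to close)."""
    used = {port for _, dst, port in flows if dst == host}
    return listening[host] - used

def blast_radius(start, flows=FLOWS, policy=lambda s, d, p: True):
    """Hosts an intruder on `start` can reach over flows the policy permits (BFS)."""
    adj = {}
    for src, dst, port in flows:
        if policy(src, dst, port):
            adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for nxt in adj.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def segmentation_policy(src, dst, port):
    """Microsegmentation: permit intra-tenant flows plus the explicit allowlist."""
    same_tenant = src.split("-", 1)[0] == dst.split("-", 1)[0]
    return same_tenant or (src, dst, port) in ALLOWLIST

def quarantine(compromised, base_policy=segmentation_policy):
    """Containment: drop every outbound flow from the compromised host."""
    return lambda src, dst, port: src != compromised and base_policy(src, dst, port)
```

On the flat sample network, a foothold on clientA-web reaches all six other hosts; with the tenant-isolation policy it reaches only clientA-db and the jump host, and with the compromised host quarantined it reaches nothing.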

ColorTokens Xshield™ delivers essential breach readiness capabilities, tackling major IT/ITES security challenges. It minimizes the attack surface by managing and controlling network ports, shutting down unused ones, and enforcing strict access controls on active ports. This limits potential entry points and enhances defenses against unauthorized access. In case of a breach, Xshield™ contains the damage by isolating affected segments and restricting outbound traffic, preventing further spread. Xshield™ provides detailed visibility into traffic within each isolated segment and outbound/inbound traffic, allowing for precise detection of anomalies and threats. Xshield™ offers granular control over policies, dynamically adjusting to safeguard sensitive data and maintain network integrity. Additionally, Xshield™ delivers continuous progress reports that offer detailed metrics on the effectiveness of the microsegmentation strategy. These reports provide valuable insights into the reduction of the attack surface and blast radius, helping both clients and IT/ITES teams assess the impact of their security measures. This comprehensive approach is why Xshield™ is a highly effective Breach Ready platform.  

Protect your clients and your business. Contact us to fortify your IT/ITES environment with ColorTokens Xshield™ and achieve unmatched resiliency against breaches.