Two years ago, security startup Illumio, with $42 million (US) in venture capital, came out of stealth mode by announcing its Adaptive Security Platform (ASP). Then and now, the company’s goal has been to eliminate weak links in distributed data centers—environments where workloads can move between multiple servers and scale up or down at a moment’s notice.
Cofounders Andrew Rubin (CEO) and PJ Kirner (CTO) believe security must be as agile as the workloads being protected under those conditions. Fast forward to April 2015, add another $100 million (US) in venture backing, and Illumio has launched a new product called Attack Surface Assessment Program (ASAP).
As to what “attack surface” means, Nathaniel Gleicher, head of cybersecurity strategy at Illumio and former director for cybersecurity policy for the National Security Council at the White House, told eWeek’s Sean Michael Kerner that an attack surface is an open communication pathway between servers in a data center or a company’s digital infrastructure. Gleicher also notes that reducing attack surfaces has been a cornerstone of all Illumio products. He adds, “The new ASAP effort is an outgrowth of the visibility that Illumio offers its customers as a way to understand what the attack surface is within a data center.”
The company’s April 2016 press release announcing ASAP adds:
“ASAP gives enterprises MRI-like visibility inside the data center and cloud by providing a map of high-value assets and open communication pathways between applications. It then enables organizations to understand — and radically reduce — the attack surface of their high-value assets.”
How ASAP works
In this age of automating everything, Illumio ASAP is surprisingly hands-on. Experts from Illumio work with the client to determine the best way to ensure the company’s communication links are as secure as possible. Gleicher describes the process in this video.
Visualize the client’s infrastructure
The first step, according to Gleicher, is understanding the client’s digital environment by determining all the applications, platforms, and communication links. More specifically, the Illumio consultants:
- determine working communication links between different environments or applications;
- detect patterns of traffic moving from low-value environments to high-value environments (pathways that most interest intruders); and
- highlight the most connected workloads (the servers that are talked to the most).
Analyze the communication links
The next step is to determine whether each communication link is carrying malicious traffic, traffic the client needs, or benign but unneeded traffic traversing the client’s network. That is accomplished by showing the client a network visualization of all the communication links.
“When the client’s security team sees the map for the first time, they say, ‘Wait a minute, why is that server talking to this server?’” mentions Gleicher, who is not surprised when the security personnel from the client admit they were unaware of the undocumented communication links.
This is when the discussion turns to whether the communication links indeed need to be open. If not, members of the in-house security team disable the links. If the links are needed, they are flagged as being open and potential attack surfaces that need priority when applying security measures.
Provide long-term security strategy
Gleicher suggests it is nearly impossible to protect everything, so the priority is safeguarding high-value environments. With that in mind, the Illumio security team creates a step-by-step segmentation strategy to reduce attack surfaces and explains how to implement it for the least cost, least complexity, and least effort. He adds, “We make sure the client gets the most bang for their buck.”
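As an added illustration of the three steps above (this is not Illumio’s code, ASAP’s data model, or its output), the following Python sketch runs the workflow on constructed flow records: it collapses repeated flows into the set of open pathways, flags traffic moving from a lower-value environment into a higher-value one, ranks the most-connected workloads, and marks every pathway absent from the client’s documented allowlist for review. The hostnames, environment names, value tiers, ports and allowlist are all assumptions made up for the example.

```python
"""Map open communication pathways from flow records and rank the attack surface.

Hypothetical illustration of the ASAP-style workflow described in the article:
build a map of which workloads talk to which, flag traffic that moves from
low-value to high-value environments, rank the most-connected workloads, and
classify every observed pathway as documented (allowed) or needing review.
All data below is constructed sample data, not Illumio's data model or output.
"""
from collections import defaultdict

# Constructed sample flows: (source host, destination host, destination port)
FLOWS = [
    ("web-01", "app-01", 8080),
    ("web-02", "app-01", 8080),
    ("app-01", "db-01", 5432),
    ("app-02", "db-01", 5432),
    ("app-01", "log-01", 514),    # app tier shipping logs to a low-value collector
    ("dev-box", "db-01", 5432),   # development host reaching the production DB
    ("dev-box", "app-01", 22),    # SSH from a dev host into the production app tier
    ("jump-01", "db-01", 22),     # documented admin access from the jump host
    ("web-01", "app-01", 8080),   # repeated flow, counted once as a pathway
]

# Assumed environment of each workload, and how valuable each environment is.
ENV_OF = {
    "web-01": "web", "web-02": "web",
    "app-01": "app", "app-02": "app",
    "db-01": "database",
    "dev-box": "dev",
    "jump-01": "mgmt",
    "log-01": "logging",
}
VALUE_TIER = {"dev": 1, "logging": 1, "web": 2, "app": 3, "mgmt": 4, "database": 4}

# Pathways the client has documented as needed: (source env, destination env, port)
ALLOWED_LINKS = {
    ("web", "app", 8080),
    ("app", "database", 5432),
    ("app", "logging", 514),
    ("mgmt", "database", 22),
}


def distinct_links(flows):
    """Collapse repeated flows into the sorted set of open pathways (src, dst, port)."""
    return sorted(set(flows))


def low_to_high_value_flows(flows, env_of=ENV_OF, tier=VALUE_TIER):
    """Pathways that move from a lower-value environment into a higher-value one."""
    return [
        (src, dst, port)
        for src, dst, port in distinct_links(flows)
        if tier[env_of[src]] < tier[env_of[dst]]
    ]


def most_connected_workloads(flows, top_n=3):
    """Rank workloads by the number of distinct peers they talk to or are talked to by."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        peers[src].add(dst)
        peers[dst].add(src)
    ranked = sorted(peers.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(host, len(p)) for host, p in ranked[:top_n]]


def classify_links(flows, allowed=ALLOWED_LINKS, env_of=ENV_OF):
    """Label each pathway 'allowed' if the client documented it, else 'review'."""
    result = {}
    for src, dst, port in distinct_links(flows):
        key = (env_of[src], env_of[dst], port)
        result[(src, dst, port)] = "allowed" if key in allowed else "review"
    return result


def attack_surface_report(flows):
    """Summarise the map the way a first review meeting would look at it."""
    labels = classify_links(flows)
    return {
        "open_pathways": len(labels),
        "needs_review": sorted(k for k, v in labels.items() if v == "review"),
        "low_to_high": low_to_high_value_flows(flows),
        "most_connected": most_connected_workloads(flows),
    }


if __name__ == "__main__":
    for key, value in attack_surface_report(FLOWS).items():
        print(f"{key}: {value}")
```

The two `dev-box` pathways are the ones that would prompt the “why is that server talking to this server?” question: they are undocumented and they cross from the lowest-value tier into the highest. The jump-host SSH pathway is also into the database tier, but it is documented, so it is kept and simply flagged as an open pathway to prioritise when hardening.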
On a slightly different note, privacy is a concern for the people at Illumio, as they deal with data from their clients that attackers would love to steal. The press release advises that all data is transferred to Illumio across an encrypted channel and stored in an isolated, encrypted repository; client data is anonymized before being analyzed by Illumio; and data shared with Illumio is deleted two weeks after presenting the final report.
What differentiates ASAP from the competition?
The press release states, “ASAP visualizes the relationships between your servers, analyzes your attack surface, and helps you quickly take steps to harden your data center against lateral movement.”