Ransomware was again the top attack type in 2021, with manufacturing replacing financial services as the top industry in a
ssailants’ crosshairs—representing 23.2% of the global attacks remediated last year by IBM Security’s X-Force, according to the company’s Threat Intelligence Index 2022 report.
With news like this, it is not surprising that “ransomware is the threat that keeps me up the most at night,” says Jon Hocut, director of information security for Brooks, the renowned running shoe manufacturer. It doesn’t help that Brooks’ IT infrastructure “grew over time for quite a while before security became a primary issue,” he says. Therefore, the company sought a cyber security solution to address cyberattacks fast, without first requiring a complete network rebuild.
Brooks believes it has found this solution in Illumio Core, a zero-trust segmentation (ZTS) platform from Illumio that can be implemented in stages across a corporate network, protecting the most vulnerable areas first — like installing locks on a bank vault and safety deposit box room while leaving the customer records’ room for another time.
“Illumio’s mission at the highest level is to prevent breaches from becoming cyber disasters,” says PJ Kirner, Illumio’s CTO and co-founder. “Our zero-trust segmentation platform helps people limit the impact of those that do occur, while providing visibility and control of the entire network.”
Illumio Core: a pragmatic approach to zero trust
The “trust no one” logic of zero trust requires users to authenticate their identities whenever they request access to data or applications across the network. But “zero-trust segmentation goes further than just isolating different parts of the network,” says David Holmes, senior analyst at Forrester Research. “Zero-trust segmentation solutions isolate each participating computer, only allowing the specific connections and access explicitly declared first. This is why companies like Brooks are doing the right thing by investing both capital and technical resources into zero-trust segmentation, as it solves not just ransomware but generally any other network-oriented breach.”
Illumio’s pragmatic approach to zero-trust segmentation applies it to the most vulnerable areas first—the ones hackers are most likely to attack—and worries about the rest later. It’s an approach that works, according to a study conducted for Illumio by the offensive security firm Bishop Fox, who staged cyberattacks against an Illumio Core-protected network. Based on the results of those unsuccessful attacks, “zero-trust segmentation can be applied to effectively isolate compromised hosts during an active attack,” the Bishop Fox report concludes. “ZTS can (also) be used proactively to ring-fence entire environments and applications, drastically reducing the pathways available for exploitation through lateral movement.”
How Brooks is applying ZTS
In line with “doing what matters most first,” Brooks has applied Illumio Core to block unauthorized access to hundreds of its Windows servers and cloud resources. Most staff are not supposed to access them as part of their jobs, so proactively blocking requests for access until they can be reviewed by IT security staff is a simple, yet effective, cybersecurity solution.
“We’ve separated our users from our servers and our resources, with the goal of only allowing the minimal amount of traffic that's necessary back and forth,” Hocut says. “Now these servers may need to talk to each other in a lot of ways on a lot of different ports. But the users from their laptops don't need to talk across those ports, and so we stop them from doing so without explicit permission.”
It is these laptops, operated by non-IT employees with network access, that are most likely to be the targets of hackers through phishing and other such attacks. So, when it comes to making Brooks’ IT infrastructure more secure using ZTS, “the first thing to do is take those laptops that are most likely to be compromised and segment them off from everything,” says Hocut. “So that isn't zero trust across the enterprise, there's just less trust. You're still saying, ‘well, we'll trust the servers to talk to each other.’ But we will keep the most likely compromised machines away from the most valuable machines and control that traffic as much as possible.”
The Illumio Core platform documents all access requests, allowing the Brooks IT team to analyze this historical record to detect possible breach attempts, access request trends, and other potential signs of past hacker attacks. All of this data is being used to tweak the company’s cybersecurity policies and procedures and shape its approach to ZTS management and expansion throughout the network going forward.
Implementing ZTS has been relatively painless
It took only four months during the second half of 2022 for Brooks to implement Illumio Core ZTS on its network. “Today, we're just monitoring alerts and following up on them,” says Ryan Fried, Brooks’ senior security engineer. “It's easy to just let the alerts go by and block traffic for something like RDP, but we do our best to reach out to the user, understand why they were doing it, and then talk to them about the alternative processes that are in place.”
A case in point: In the past, a Brooks employee “might make SQL connections from their laptop to a database, which is terrifying to me,” Fried says. Now, after such an access attempt has been detected and blocked by Illumio Core, “we direct them to a safe server for us, and then we initiate the RDP or SQL connection from there.”
Ironically, the biggest challenge in implementing Illumio Core at Brooks wasn’t digital but analog. Hocut and his security team had to calm the fears of Brooks’ business executives who were uneasy about their network access being moved to ZTS before they could take action.
“Tell someone on the enterprise resource team that you're going to mess with the firewalls around the ERP system,” says Hocut. “They're not going to take you out for beers. They're going to be concerned about how this is going to affect operations.” Even his boss, Brooks’ VP of Information Technology, wanted to know how the move to ZTS could be done without causing downtime, and maintained without causing issues. “I had to build trust with everyone by explaining that Ryan would set up a proposed ZTS rule set and run it non-operationally for a while to make sure it worked, before taking Illumio Core live,” he says.
Testing before deployment is essential
Doing such testing before deploying any ZTS system is a must, says Holmes. “Zero-trust segmentation is very effective but requires work up front to define the correct segmentation policy,” he explains. “Incorrect policy results in local network outages and manual tuning, adding a layer of complexity to the management of the network. Modern ZTS solutions work hard to divine the correct policy for you, but even the models that use AI aren't 100% accurate and tuning is required.” Having done this work, Brooks’ ZTS system is working as promised, providing the company with proactive protection from ransomware and other cyber threats.
Looking ahead, Hocut plans to extend Illumio Core into other parts of Brooks’ IT infrastructure. “We're looking to tighten the granularity of our network controls with different groups of servers so that we're not treating all servers the same,” he says. “We're going to be watching outbound traffic from the servers as well. Servers have very specific functions and should only be talking to the outside world in very specific ways. And we can use Illumio to learn what all those current ways are, making the assumption that those are probably all good — and block absolutely everything else.”