Hello. My name is Tony Lauro. I'm a senior director of security strategy and technology, at Akamai. Today, I'm joined by Sean Flynn. Also on the security strategy team. And we're going to talk a little bit today about what we've seen in regards to a segmentation impact study that Akamai recently did. So, Sean, if you're ready, let's get into it. Yeah, let's. All right.
So one thing we noticed, just right off the bat, was there was a bit of a disconnect. The adoption rate for segmentation was actually very high. Although the maturity level of the segmentation technology in regards to the type of segmentation they're doing and what their actual controls were remains low, leaving this kind of gap in execution, potentially leaving enterprises at risk. So we'll talk a little bit about what those things are and how it might affect these outcomes.
We'll also deep dive into some pretty interesting data points. Talking about some of the advantages that microsegmentation deployments actually gave these respondents. Lower insurance premiums. That's kind of a big one right off the bat. Faster claims processing, i.e., microsegmentation because of the way it works. You're actually aligning more to the actual business outcomes and not just from a security and technology perspective. Stronger audit readiness. And of course, the one that we all would love to see as the golden, the golden outcome, which is better ransomware outcomes. So when something bad happens, which we know it will happen, what is the aftereffect of that? And how do we make sure that we, we ride that wave, safely?
So there are seven key research findings. I'm not going to go through all of these, but obviously, you know, the one that I mentioned at first, which is public-facing apps remaining critically under-segmented. This is obviously critical because these apps face the internet, so a compromise of an application server and then the subsequent east-west lateral movement throughout the environment could really, really be a bad day for some people.
Another one that I think is pretty important is kind of just the idea of visibility. A lot of times segmentation, traditional network segmentation, is about segmenting the network and keeping things separate. But as we know, or if you talk to any pen tester or red teamer, once you're inside of a network, these devices are meant to talk to each other. That's how business gets done on the network, right? So communication between apps is critical. But having visibility into what's actually there, how the apps are communicating with each other, and if something happens that's outside of the normal, you know, occurrence of what should normally be happening, we need to know about that. So visibility is a real key critical component.
So Sean, we're going to go into some discussion points that we pulled out. Sean and I kind of built these together and kind of tried to better articulate what's happening in this impact study. It was from a survey of over 1,200 Akamai customers. And I think you'll find the results pretty interesting.
So the first one off the bat, Sean, and this is kind of a softball, but it still comes up. There seem to be, still, some, you know, disparate viewpoints. What is the difference between segmentation and microsegmentation? Would you mind kind of clearing the air on that? Sure. And considering that we're going to be talking a lot about both, you guys, it's a good idea to define them.
Segmentation is typically separating out large swaths or zones of your network. A lot of times you're doing it with a VLAN or with a network appliance or a network firewall. So think of it at a very network, usually at a very network, layer. So IPs, maybe MAC addresses. Where microsegmentation comes into play is being able to do it at a much more granular level. So, being able to do it at what we would consider a workload level where you're able to do things like put a ringfence around individual applications so that if an attacker gets into an application that's vulnerable, the attacker can't go across and get into other applications. So, granular. Also, one where we're not focusing necessarily on the network. So if we're able to identify things at the application layer, it means that regardless of where it is in the network, we can logically connect them into a single segment. So not tied to an IP base.
Interesting. So a lot more, kind of real time and less like, hey, let me update my Visio diagram of how the applications talk to each other and then present that to an auditor. Exactly. Interesting. Okay, cool. Thank you.
Another one that came up in the survey is that network complexity seems to be one of the top barriers for adoption. What are your thoughts on that? Yeah, there's several barriers to microsegmentation. And a lot of these barriers are coming from taking a segment approach, or segmentation approach, which is network based and trying to make it microsegmentation. So trying to take a network-based environment, or a network-based approach, and make it more granular. And you're going to have problems with that, especially at a complexity level. Because if you think about a modern network, there are several layers of it. There's what might be considered a legacy network piece and then there's your cloud network, and then there's the SaaS portion of the network. And these layers, they communicate in different ways. So trying to kind of approach this from a network component approach doesn't translate well when you're going from, for example, legacy to cloud. And so the hesitancy is looking at it from, how do I get everything under a single pane of glass? The other side of it, I also would say, is that the modern network needs to be more flexible than it has been in the past. You mentioned the Visio diagram, which was the way that we used to do it back in the day. But when you have containers that are coming up and down, and when you're adding things dynamically in cloud and you're starting to use SaaS, the flexibility of the network is critical. And it's not like it used to be, where it was much more that you had a DMZ and everything kind of had its place. Things need to be able to move around. And so when you're looking at moving to a microsegmentation solution, you want a solution that has the ability to do that.
So what I'm hearing is that, although the network controls, you know, might still be good to have in place, understanding how the applications speak to each other and having the flexibility to deploy those in different disparate environments seems like it's really one of the core components of that. Yeah. I mean, think about like, if you had to move things to a cloud, that means you'd have to go to your network devices and change the policies every single time there was a move. And that's why it's so much more critical to be able to do things like identify assets by the software that they're running so that if you move them, once they come back up into the network, they can be auto-identified into the segment that they should be at, regardless of where they are, IP space or cloud or legacy. You're able to tag them, you're able to organize them, above and beyond IP. And that way, you know, think about it as like, hey, I've got accounting software, no matter where that accounting software is in my network, I want it under an accounting segment because that has that software. We know that's what it's doing regardless of where it's at. Yeah. Yeah. Makes sense. Awesome.
Okay, so this one we kind of brought up at the beginning here, it seemed that public-facing applications were still pretty under-segmented, despite the fact that they're in the high-risk category. Why do you think that is? So I mean, it really, we kind of touched on some of them already, which is complexity and cultural resistance. I think really what it boils down to is companies are very hesitant to do anything that might impact the performance or impact downtime on their public-facing applications. For many companies, those are revenue-based applications or they're brand related. So they don't want any negative impact on them. So there's a hesitancy to, you know, in a sense, ringfence them or secure them, because they're afraid that there might be unintended outcomes where it might impact performance or bring the application down. The way to resolve that, though, is visibility, you know, microsegmentation with visibility. You know, microsegmentation that comes with visibility at the application layer gives you that context, that historical context, where you're able to say, look, I understand this application, even in the last 30 days or in the last 60 days, or the last 90 days, and I can start to understand the hidden dependencies and I can see what the communication is doing, and I see where it's reaching out. I know the processes that are triggering this port, this protocol to this thing. I understand the, you know, the front end, the back end, the load balancers. I see it all and I can make intelligent, informed recommendations on how to isolate that or ringfence that application, because I have confidence that I'm seeing everything. I'm seeing all the communication.
And when you think about network groups that have to talk to security groups that might even have to talk to developers to get kind of sign-off on all of this, having that visual, in a sense, map of here's what we know of the application and here's how we're going to defend it or tighten down access to it. You're going to have a much better reception. You're going to have much more confidence in that when you're able to do it that way. Yeah. I mean, that's a huge point. I mean, understanding that a critical piece of the application environment is still relying on a server that's sitting under someone's desk, and understanding what that, you know, what that server is actually doing. And not just what you think it might be doing. And that seems like a pretty big eye opener. So having that kind of confidence as you go into making changes, that makes a lot of sense. Yeah. Awesome.
All right. So the next one, and this is, you know, in my mind where kind of the rubber meets the road, so to speak, is, we saw microsegmentation reducing ransomware containment time by up to 33%. That seems like a pretty amazing stat. Can you talk a little bit about what we saw in the report that kind of led us to that info? Yeah. I mean, and that's a big number, right? That's a third of the time. And part of it is just the very nature of microsegmentation is to limit the blast radius of an attack. It means that if an attacker comes in, whether they're coming in through a phishing campaign, or if they're attacking the outward-facing application, or they got credentials from a social engineering attack on the help desk. It doesn't matter how they came in, they're going to be limited to where they can go. Even if that means getting in at the application where they're saying, hey, I managed to compromise the application. You're going to be stuck on whatever assets that application is on, but you're not going to be able to go further. So limiting the blast radius is the biggest kind of driver on that, is you're preventing them from going across the entire network. And the way I look at it is you're preventing a network issue and you're kind of leaving it to a localized issue. And the localized issue is much easier to recover from than a network-wide issue. Right? And you can see the numbers here as far as how fast you're containing it by, you know, 32.6%, you know, you're twice as likely to kind of rate it as very effective when it comes to containment, when you're using microsegmentation. So the segmentation piece is one of it, but I don't want to dismiss the other piece of microsegmentation. And we're going to, I almost want to say we should do a drinking game on the word visibility. But it really is critical on being able to understand these attacks and being able to see them.
Most companies that don't have microsegmentation probably don't have that level of visibility at the application layer when they're seeing the network, so they don't understand what's normal and what's not normal, or what's anomalous. And so when we think about ransomware, for example, it shows up like, it really does show up like a sore thumb. And when you have visibility showing an asset trying to reach out to different assets, the protocol, the process that they're utilizing, you're very quickly able to say, wait a minute, that is not normal traffic. I know what normal traffic now looks like, and that's not normal. And if you have a policy that's looking for that, you have a microsegmentation strategy or policy that can actually identify that automatically, then you're able to just shut that down so much quicker. And then the other piece to that is that when you have that visibility, you also know how they came in and where they went. So when you start looking at, well, what systems do I need to address to recover? You know, you've seen it in the history, you know, in the past where companies have had to take down large, you know, all their applications, they have to shut down, you know, huge portions of their organization to be able to address this. And they're doing that because they don't know exactly what was damaged and what the attacker got into. When you know exactly where they went, then you know exactly what to address, which is going to allow you to come back that much quicker. Yeah. I'm thinking in my mind, casino, big casino platform, and what the outcome of that was. Yeah. That was not a pretty recovery process, I'm sure. Now, in that example, they said that just shutting it down was, they estimated at the time, about $100 million of loss just from the shutdown. Jeez. Yeah.
You know, something interesting kind of going back into these case studies, there's three case studies that we highlight in the report. One is the Capital One breach from 2019, where a cloud misconfiguration was exploited. And if they were using microsegmentation at the time, they could have blocked that lateral movement from that compromised device going out to stored customer data in the cloud. So I think that's, we talk a little bit about that. The other one is Colonial Pipeline in 2021, the compromised VPN credentials, obviously, containing communication between business systems, if it looks like it's outside of the realm of what should be happening, microsegmentation could be used there very well to contain that exploit. And then a more recent one is United Natural Foods. They had some unauthorized internal network access and, at the workload level, they could have isolated these business-critical systems from, you know, having the attacker kind of pore through and move laterally. So I think it is interesting to kind of see when you take a non, you know, a non-"what if" approach, and you kind of look at what actually happened and then try to apply some of these principles to those. I think you guys would be interested in reading those in the report. So yeah, very interesting.
All right. So how is host-based microsegmentation a game changer as compared to kind of the traditional methods that we talked about earlier? So traditional methods are looking at things at a network layer level, which means they can't see the applications. So they don't have the same visibility. They don't have the same flexibility. So I would say that that visibility is a game changer, in and of itself. And there's actually several others that I'll get into. But if you think about it, it's almost like, you know, imagine trying to build a skyscraper at night, right? You could do it, you know, it wouldn't be fun, wouldn't be easy. And you would probably be second-guessing yourself. You'd have to go much slower. There will always be that kind of I-hope-we're-doing-this-right kind of approach. And there's that fear and uncertainty, and really, if you think about it, why? It's because you don't have the same visibility as you do in the day. Adding that daylight, and that's what I mean by having that application-layer visibility, changes everything. Because now you have daylight on your network. You're actually understanding how the applications work. And when you think about living-off-the-land attacks that we're seeing from nation-state sponsored attackers, like some of the Typhoon attackers, they're using tools that are already existing in the network. So how do you know how they're doing that? Right? You've got to be able to identify anomalous traffic. You got to be able to say, I know it's normal so that I can identify what's not. And you can't do that without having clear visibility. So it is a game changer. I could almost make a joke that it's, you know, it's the difference between night and day since I gave that analogy, but I'm not going to go that bad. It's not going to be that bad.
The other piece of that, though, is if you have that visibility, you can also tag and create policies based off of applications. So I kind of mentioned already, like how do I segment out if I'm not doing it by IP? Well, I can do it by operating system, or I can do it by process that's being run on the server. Or I can do it by the software that's actually on the server. And when I can do it that way, now it doesn't matter where IP-wise or where physically or virtually or in a container it is. As soon as it shows up, it automatically gets added based off of that software. So it's a lot quicker to implement. In fact, you know, the traditional system, the segment approach, can take years. The microsegmentation approach, we've seen with companies that were trying to recover from ransomware attacks where they knew they were going to come back, they were able to do it within a matter of months. So it really is a game changer, being able to deploy and then have that visibility. Yeah. And it sounds also like one of the key things that you're talking about is to have the visibility, the same level of visibility across disparate environments, the ability to put the same controls across disparate environments. And then obviously to be able to execute on those controls in an automated way. So instead of like saying, hey, you need to have a whole squad of people watching, you know, network and application logs looking for anomalies, the actual technology does that on their behalf. Right? So that's, I mean, that's huge. Just kind of taking the guesswork or the reaction time out of the picture. That seems like it's a big win for microsegmentation. Just that alone, you know? Yeah. I mean, and you made a good point. Security folks, we definitely have the reputation. And it is kind of our mindset that we're tracking down logs. We're tracking down, you know, packets and we're trying to identify that way. But that's really intensive.
It's a large level of effort. And when you think about a ransomware attack, how long it takes for you to do that, the damage is already being done. When you have visibility where you can look at a map, right? You're saying I can see right here on this map visually, I'm not having to look at individual lines of logs. I have a graphical interface that's showing me what's going on. You're able to see it much quicker without, you know, such an intensive search. Which also means to me, you know, you don't necessarily have to have the security professional with 10 years of experience to be able to look at a map. You're kind of broadening who can actually kind of use these tools as well. Yeah, it's more business oriented if, you know, you don't have to train up experts to do the work, right? Yeah. In my mind, the other thing, I guess, it makes me think about, just, you know, working with the thousands of clients we've worked with, with this kind of technology is, you know, when you run off of logs and you're looking at log data, you're technically looking at the adverse effect of something bad that's potentially already happened. Whereas having automated controls in place and having that granular level of visibility, the first time you see that something is bad is when you see that something has been blocked and the, you know, the ransomware contained. That's the first level of alert that you would see, right? Instead of saying, oh, 300 systems went down, now you try to track down what happened. That's a huge game changer. You know, talking about visibility being a game changer, that's huge, to be able to not look at the adverse effect of what went wrong on the network to tell you that you had a ransomware attack, but to see that containment be the first level of indicator. That's huge. I would actually take it a step further.
And you made a great point by kind of how we're typically reactionary on our security, but we are seeing companies using microsegmentation solutions to go hunt. And hunting is kind of one of the first ways a company can be proactive, right? And trying to identify issues within the network before an attacker tries to exploit them. So when you have that visibility and you're looking at what's normal, the other thing you can also do is go, hey, is what's normal, you know, best practices? You know, is the Microsoft Active Directory performing the way it should be performing, or is it doing something that it shouldn't that maybe somebody can take advantage of? So I would say once you have that visibility, you actually have the opportunity to be proactive in your tightening of your security and your network security approach instead of kind of relying on that reactive approach that unfortunately we get so used to because, again, we're kind of stuck with the tools that we have. And a lot of those tools tend to be reactionary. Yeah. It brings up a point, you know, when we saw Log4j and Spring4Shell, using these controls, we were able to say, show me where these services exist in our environment, and give us that visibility into, you know, where this zero-day could be exploited. And let's go ahead and block that vulnerability from being exploited while you're waiting. You know, the whole while the service still runs and still operates, still functional, but you're blocking the exploit while you're waiting for all the different vendor implementations of the patch to actually be deployed. That, talk about game changer, that was a big deal for us. And one of the first times that I saw microsegmentation as more than just a ransomware tool. That's where visibility, understanding what you have, where it is, is such a big game changer for how security operations respond to things. Yeah, that's huge.
All right. So this one was an interesting finding in the report, that insurance carriers are rewarding a high level of microsegmentation adoption maturity with lower premiums. And this kind of makes sense, obviously, if I can tell that you're doing more than just the bare minimum to protect and monitor your environment, you're probably a lower risk, right? Right. And this is a great way to tie a security solution to a business outcome or a favorable business outcome. Right? This is something that CISOs could go to their boards and make a case for, you know, hey, if we're implementing this solution, there is a material benefit to that. And the reason for that is because there is a material reduction in data breaches when you're using microsegmentation. So there is less exposure when it comes to security breaches, you know, you're less likely to have network-wide issues. And insurance companies are noticing that. So, you know, some of these numbers on this slide are really interesting because you're seeing that, you know, 75% of the people that were surveyed say that, you know, insurers are now looking at this, you know, do you have segmentation, while they're doing the underwriting, and they're actually starting to reduce premiums because of the segmentation maturity. And we're also seeing things like audits being reduced in time, because when you're able to show the microsegmentation solution and what it's able to do, it definitely makes the audit process much faster. One of the numbers I thought was really interesting was that 30% of companies said that their insurance companies were making segmentation a formal insurance requirement. So it's kind of driving that to microsegmentation. So I also feel like this is a great example of a company, of kind of an entity that's completely outside tech, saying this solution is so important that we're making this mandatory. So it's, you know, don't trust the vendor.
Pay attention to the insurance companies. They're recognizing it as well. Yeah. And that's probably based on the thousands of different cases that they've seen where segmentation could have been helpful, and could have reduced that risk that they ended up having to pay out for. Same. Exactly. Yeah. So they're trying to stay in the black, too. So obviously they're doing something for themselves as well. That's great.
So we might have just answered this, but what do you think is driving the rapid acceleration in segmentation investment? Obviously, insurance is probably one of the big ones. What else is? So yeah, and I think we've touched on several of them, and I would say it's kind of a combination of all of it. Right? It is insurance companies pushing more for compliance, you're starting to see more compliance environments where they're starting to make it more of a regulatory or a mandatory thing for compliance. Ransomware. You know, we talk about there's a lot of other use cases, but, you know, for microsegmentation, separating out, you know, production from QA, isolating, you know, PCI or other compliance environment pieces of your network so that you're not having to make the entire network compliant. You can make segments of your network compliant. But the one that typically resonates, and I think the one that really does the most damage and why there's a motivation there, is ransomware. You're seeing attacks that are successful against traditional segmentation. And we're seeing success with microsegmentation. So the ransomware attacks that have been going on, gosh, for the last eight or nine or 10 years, and the fact that it's not going away and you add in, you know, AI-aware platforms and ransomware-as-a-service platforms, ransomware is getting easier to implement. And that is pushing companies to have to respond. Yeah, that's a huge piece of the puzzle, I would imagine. I forget some of the stats, but from, you know, when the Conti playbook got leaked, I mean, just the realization that this is such a massive business investment for the attackers and that they've got huge enterprises, and they all have their different roles and customer service and all this around doing ransomware as a service for other threat actors. I mean, that's wild. Yeah. I mean, Conti was making hundreds of millions of dollars off of it.
So if you're thinking about it, of course, they're going to invest in some sort of, you know, architecture and framework that's going to be successful for them when the scope is that level. We're not talking about script kiddies. We're talking about organizations, criminal organizations, that are designed, and we're seeing that with, you know, the implementation of AI for exploits. And like you said, having a, you know, a troubleshooting tech center or, you know, call support, it's amazing that it goes to that. You know, payload isn't working, can you help me out? Yeah, yeah, that's wild.
All right. Well, again, if you're just joining us, you'll see that Sean and I are talking about the Akamai impact study. This is a segmentation impact study done across 1,200 different global security customers. You know, we see that 90% of organizations are using some form of segmentation. But obviously the maturity range of what they're doing is usually at the lower end. Software-defined microsegmentation obviously gives you a lot more viewpoint of what your attack surface is and actually uncovers and sheds light onto systems and applications and how they behave that you probably didn't know were doing that in the first place. So really interesting.
Hey, Tony. So there is a question that somebody had. I thought maybe we would address that before we kind of do the final. Yeah, sure. And I'll go ahead and read it. And it's a good question. Besides IT, what about OT security segmentation? Does your solution address OT security zones, which are now converging into IT security? And I guess I can kind of start with, yes. That's a huge area. Think about manufacturing. Think about, not just OT, but IoT as well is an area that is a major concern. If you can't put a piece of software on it, how do you secure it? And there's ways around that. There's ways to be able to do that. Not to go too far into it, but that is definitely something that is taken into consideration. Policies can be pushed out at the switch layer. Identifying the assets by communication patterns is another way to do it. So the solutions do work with OT and IoT. You gotta do it a little differently. And it needs to be architected. Right? So I can't just say, oh, this is the way to do it. Because it really kind of depends on how it's set up. But it can be addressed and can be done. And it is part of the solution. I mean, it has to be. There's just too many companies that require, and that are using, OT and IoT devices. So yes, definitely something that microsegmentation can do. We just have to do it a little differently. Yeah. We actually have great case studies and use case readouts from some of the biggest, you know, clients of microsegmentation that we have, which are in the manufacturing and health care sectors, which have a ton of, you know, IoT devices and basically headless devices. I guess one way to kind of look at it is, if you can't tell a device to stop communicating, you can tell the rest of the devices that you can talk to, to not, you know, continue to communicate with the infected device. And then obviously having controls in place, you know, using APIs and things like that.
I mean, that's a really interesting use case. Thank you for that question. Yes. Hope that, hope that helped answer it.
So we're just wrapping up, talking about granular policy enforcement, compliance-ready architecture, cloud-native flexibility. I mean, these are all things that you would imagine that you would need to be able to do. But when we start to kind of compare what we're doing, and we use this within our own environment, we really needed these capabilities in place. So when you're looking for a microsegmentation solution, make sure you're kind of looking at the top level of what do I actually need to accomplish from a business perspective, from a, you know, visibility perspective, reducing risk, etc. And clearly, you know, clearly be able to define, can you do that across all of your different environments, even though they're different from each other?
So in closing, you know, obviously, the report shows us a lot of evidence that microsegmentation is doing what legacy segmentation technology cannot do. VLANs and your typical subnetting and keeping things away from each other. There's always shared systems that can communicate. And as an attacker, if you talk to a red team, they'll jump to a shared system that they know is talking to several other systems outside of the segment that they're not allowed to talk to. And that's how they get access, you know, through that lateral movement. We have the report available to you guys. We're also going to share a few links for a couple other reports that we have, but this is the segmentation impact study. And, Sean, I want to say thank you for being here today and answering all these questions. And I hope everyone enjoyed it. Thank you very much. Yes, thank you for your time. Talk to you later, Sean. Take care.