The modern threat landscape is almost incomprehensibly complex. Each day, security and operations teams fend off attacks via spear phishing, viruses, worms, and ransomware. Keeping on top of the hundreds of thousands of new pieces of malware created daily only adds to the difficulty of defense.

But even though there’s a never-ending stream of new threats and vulnerabilities, current security approaches focus primarily on threat detection and vulnerability management. Modern CIOs and CISOs want “provable security.” They want to see that their security strategy is stopping threats from causing a compromise, but there’s simply no way any security solution can possibly detect and thwart 100% of the multitude of threats they face.

That said, there is a different way to go about security that can ensure threats cannot exploit a vulnerability: controlling system access. While threats and vulnerabilities are virtually infinite, access is finite, measurable, and most of all, provable. Therefore, by controlling access, security can, in fact, be proven.

Restricting the access that threats have to your systems begins with implementing a zero trust environment with microsegmentation. This method has been recognized by analysts at Gartner as a “core workload protection strategy,” but what, exactly, does it involve?

Zero trust

With all the threats in existence today, and more coming online every day, an intrusion into your network isn’t an “if” — it’s “when.” There’s simply no way to prevent every single attack from penetrating your organization’s security perimeter.

Historically, organizations have leaned on traditional approaches like firewalls and other perimeter defenses to keep threats at bay. Firewalls rely on identifying potentially malicious traffic and keeping it from accessing your network. Complete reliance on this model is outdated and downright dangerous. While certainly a part of a comprehensive security strategy, no firewall can protect all your enterprise assets from bad actors.

Provable security requires a new way of thinking. Zero trust is built on the premise that all traffic is potentially harmful and nothing should be inherently trusted — “trust no one,” as Fox Mulder might say.

Take the example of software that carries a verified signature. Even then, it could still be concealing malware, and therefore, it shouldn’t be blindly trusted with the keys to your network castle. With zero trust, every application is authenticated for access, not just once, but continuously.

Microsegmentation

The zero trust model is the key to microsegmentation. As the name suggests, microsegmentation creates small zones by which organizations can separate applications and workloads from each other to secure each one individually. At its core, microsegmentation makes network security more granular.

This gives IT the ability to not only restrict north-south traffic at the network perimeter as firewalls do, but to also control east-west traffic inside your network environment. Controlling east-west movement is critical because when a piece of malware is able to get past a firewall, which it was likely allowed to do because it carried the right signature, despite its dangerous payload, the places it can travel and damage it can cause become drastically limited.

One challenge created by this approach is gaining transparency into just how many available pathways exist (it’s usually in the thousands), but advances in machine learning have given us the ability to quickly and accurately map out networks of virtually any size and complexity. These maps reveal thousands upon thousands of potential paths between applications, workloads, and data sources. Each one of these has the potential to be a point of exploitation.

Having this information also lets your security team identify and leave open only the paths that are critical to your network operation. By reducing the number of open paths, you restrict access and reduce the potential avenues of attack to a manageable volume. Threats have much fewer places to go.

There are zero trust microsegmentation software solutions available now that make microsegmentation easier to achieve. They automatically create detailed network maps and let you visualize how applications communicate in real time. They then help you monitor your environment to identify unexpected or unusual traffic patterns that may indicate a threat. At this level of detail, you can see all the applications that are accessing resources in your network and understand how. This transparency allows you to learn the potential risk of communicating applications on your network and serves as the foundation for the security policies that give you enhanced control of your environment.

Now, you’re not just trying to identify known threats and keep them out of your network. You’re analyzing every application that tries to communicate across your network, monitoring all traffic inside, and limiting the pathways potential threats can travel. This provides security at a much more granular, manageable level, while increasing the complexity involved for any attacker trying to exploit your network. This analysis, and the resulting control that can be applied, provides quantifiable, provable security.

Provable security that is easily managed is pretty close to the Holy Grail for CIOs and CISOs. We all know IT budgets are notoriously tight, and investments simply don’t happen without measurable ROI. This is why provable security is such a key metric. It allows both operations and security teams to know their solutions are effective and document the threats that are detected and denied access before they affect the network.

This shows real ROI on security spending – ROI and security that’s provable to your board.

Peter Smith, Founder and CEO, Edgewise Networks