Unleashing Automated, Agentless Microsegmentation to Isolate the Next Breach

Well thanks for the, the introduction. So my name is is Peter. I work at Zero Networks and like was introduced, I'm a director of customer engineering. We're gonna spend some time to talk about microsegmentation. Who knows roughly what microsegmentation is about.

Okay, there's a few. Does anyone have any experience with microsegmentation? On a scale from one to 10, how terrible was it? That's pretty terrible, right?

Or maybe, maybe your experience is different, but this is what we're hearing from the market. So anyone knows what this is, this is what an attacker feels like when they compromised one of your assets because they can just roam around in your network and go lateral and party like there's no tomorrow. And this is actually the root cause of many attacks of today. Ransomware, you name it doesn't matter.

You know, it all starts with one asset being compromised and then the attacker just spreading lateral across. So this is something we gotta solve.

And ah, by the way, one thing I didn't intro or didn't say during my introduction, I joined zero networks at the beginning of this calendar year. Before that I was with Microsoft for 15 years in in various roles and I just was sick and tired of customers being breached. And when I say customers, it's everyone including Microsoft there just a company like any other very big one. But we gotta solve the root of the the issue. So what has been done historically, I'm gonna blaze through a couple of these slides.

If we go back, I don't know, 10, 15 years ago, and some companies still operate this way, they isolate it, the intranet and the internet, right? You put a bunch of Cisco, Palo Alto's, whatever, hardware, firewalls in between and people think they're safe. Now obviously that's not the case because if one asset is breached, it's game over. So then organizations started to segment floors, departments, groups of people with again hardware firewalls. And although the blast radius is a little less, ransomware is still here, right? We haven't figured this out.

So then came along the promise of microsegmentation, which is like wrapping an enterprise grade firewall around every asset. And when I say asset, it could be Windows, Linux, mec, it, ot, and the promise itself is fantastic because then if one asset is compromised the check, it can't go anywhere. It's just this one asset which okay, well you just toss it or re-image, whatever you like. But since this market is, I don't know, six, seven years old, find me an organization that has truly micros segmented all of their assets. Do you know any of 'em? No. So why not? This is a question for you.

So hoping someone will speak out loud, why is that the case? Why is microsegmentation so hard? I know there's a few with experiences, so I'm hoping they can share some of their experience. Any feedback Costs, too much Costs definitely. And when we look at the costs, thank you for jumping in. If we look at the costs, it's specifically the cost of implementation. So a lot of these microsegmentation solutions, they require all kinds of professional services in order to deploy. And if we break it down, it's mostly because of the manual rule creation.

You have to manually create this group of servers can access that group of servers over this port and this protocol. And you need an army of network engineers creating and maintaining those rules, which doesn't skill, it simply doesn't work. The second thing is a lot of the solutions out there today, they require an agent who likes agents. And there was a gentleman sitting on this chair who said, agents are fantastic.

I'm like, I don't fully agree with this statement. Back in my time at Microsoft, I visited this very big oil company. I guess there's no small oil company, but, and they, their clients were so slow because of the amount of agents installed that they could get like one or two cups of coffee because before the thing was booted, they made fun of their own client design.

They said, we have a leave no vendor behind policy, which I found was, was funny. Anyway, typically speaking, people don't like agents. They introduce performance stability and ironically sometimes security issues. And third is the solutions out there today you either open or close a port. That's it. So if you have something privileged, I dunno, RDP or an RDS server of SS or SSH, well you gotta access it, right? So it needs to be opened, which means that port is always exposed. Now like any good marketing slide, we do things a little differently.

So on the full right you can see we have, and this is hard to believe, we have fully automated rule creation. Now I just set this in like five seconds, but this was actually two years of hardcore engineering before we could claim victory here.

And ah, to be honest, it's still in process. Like this is never done. We'll continue tweaking, but right now I'll, I'll explain you how we do it, but we can create specific access rules for all of your assets. It doesn't matter how many you have. Second is we can be used agentless, we also have an agent for specific environments, but in 99% of the cases we can be run without any agent. And lastly we can have just in time MFA on anything.

So this means anything that listens on the network, we can MFA by default, we do this for RDP, win, MSSH, all the privileged stuff, which means if you have an RDS server running that port 3, 3, 8, 9 is closed for everyone. And then when you try to connect, we'll send you an MFA on your phone or browser or whatever or you have all the options available. And after approval, we'll temporarily open up that destination port or 4, 6, 8 hours, whatever you configure. And afterwards we'll close it again. So once your networks is in your environment, this is how an attacker feels like.

So a lot different, right? Completely stuck. So just to explain a little how this works, the way it works is we have a virtual appliance which you install in your network. It doesn't matter where it's not an inline device, you deploy it and then this asset will reach out, sorry, this virtual appliance will reach out to all of your assets, windows, Linux, Mac on-prem, cloud client, server, physical, virtual, doesn't matter. And it will ask the host-based firewall. So the Windows firewall, Mac firewall, Linux IP tables to forward specific metadata source, IP sockets process, that kind of stuff.

It then pipes it up to our SaaS solution and it starts learning for 30 days on what kind of access rules are required. And this is the whole engineering magic that we've been working on. So while you are watching Netflix for 30 days, we're creating those rules. And after 30 days, this is when the segmentation kicks in. This is when we take ownership of the host-based firewall, we block everything inbound and we only allow the bare minimum of what we know is required. And this is something we can do without generating help desk calls.

So in 30 days, and again this is fully automated, we can close your network, we can reduce the openness of your network with like 98%. And then for anything privileged like we just discussed, we close it and we require MFA. So we like to tell the market that you know where the, the apple of microsegmentation, not price wise by the way, but just in terms of ease of use, that's the thing we're, we're striving for making it super easy to microsegment all of your assets. So who thinks this sounds too good to be true at this point? Yes.

Okay, 1, 3, 4, 5. Okay, this is actually a big problem that we have today. A lot of people are like, they give us the frowny face like yeah, sure this, this can't be, this can be true. So obviously we hope at some point afterwards I have some cards if anyone's interested, I can give you my card, we can schedule a deep dive, we can do APOC. POC is a time investment of three hours by the way. But also on our website we have some testimonials of people telling you the same thing. So it's not just us. All right? So let's do a quick demo of something privileged.

All right, so let's, let's see. So this is obviously this is my laptop, it doesn't have any agents installed. I only have AVPN connection to our on-prem environment and I want to access an RDS server or a server over RDP.

Wait, before I go there, let, let me actually show our Porwal first. So here you can see all of the access rules that have been created and if I zoom out a little so you can see it, it's a little small, but here you can see ai, we're actually renaming it to automation because we're kind of fed up with everyone abusing the term ai, including us.

So anyway, it's automation. All the rules you can see with AI means no human has created this. This is all automated now and you can see a bunch of, of, of rules in here. Like for example, here's one, let me zoom in a little, Okay, it's a little difficult on this podium. So here's one where you can see that our software identified two nodes in a cluster and it limited traffic to the destination process being class as VC. So even if you compromise one of these nodes, you can only jump to the other one if the destination process is class SVC, which makes it extremely hard to to compromise.

So it's an example of server to server rules. I'm sure we also have, yeah, this one is an easy one here you can see web servers. Any process 84, 4 3, that's easy. We just tag everything that's a web server. We combine 'em in a group and we open it. Now the one thing you will not find here a lot is privileged. So if I search for 3, 3, 8, 9, you can see we only have four rules and there's nothing that says as a source asset, Peter's laptop. I can promise you if I look at these entities, there's some IP addresses in it, but nothing says Peter's laptop can connect to a server.

So which means if I grab my little RDC manager here, so he can see we have this office trust server. This thing over here, if you would go to this server right now, you would find on the inbound firewall, 3, 3, 8, 9 is blocked for everyone. So even if there is an exploit, it's Saturday morning you get an email, there's a big exploit, we need to patch everything. Sure you should, but you can wait until Monday as well because this port is closed, it cannot be abused now. So watch and observe live demo, anything can can go wrong. If I connect, I'm not touching the the keyboard anymore.

A browser pops and it says Hey, it looks like Peter is trying to connect from or to the office trust. I actually get a notification on my phone as well using a particular process you wanna approve or not. Now for demo purposes, I have a browser configured and I only have to approve in production environments it would be your phone with the Microsoft Authenticator app or duo or whatever you're using.

But again, this is nice and visual. So that's why I have the browser pulp configured agentless. Now if I go back here, I can see that a new rule has been created as you would expect. It says this rule's being created by Peter from his service laptop five to the trust over port 3, 3, 8, 9. The platform is MFA, that's why this thing has been approved and it expires at 4 29 later today so I can connect to it. This port is now open for my source IP only. The cool thing is imagine if I close my laptop now I go to my hotel BEF and I, I'm there before 4 29.

I open up my laptop, I get a different ip, right? Well at least it's likely I'm getting a different ip. So we notice that you're getting a new IP and we actually reach out to this server and change the IP address before you can even do anything. So you don't even notice. So as you would expect, now if I go back, I can actually connect to this server because now the port is open. If you do this quick enough, you don't even have to reconnect because TTCP reconnect will kick in. So only because it's a demo and I'm talking too much. That's why I have to connect again.

All right, so that was a quick demo on the the privileged MFA part. You can MFA, anything on your network by default we do R-D-P-S-S-H, all the nasty stuff. But if you have a finance app running on port 4, 4, 3 or 1, 2, 3, 4, 5, you can create a policy in seconds. We can do the same for identities. This is something we've launched somewhat recently. Also agentless. What we can do is classify all of the accounts that you have, human accounts versus service accounts. If we look at service accounts, what we do is we learn what kind of service accounts permissions are required.

So if there's a backup service account and it only logs onto the backup server, then we can revoke all the rights and only give it that specific right from this asset to that asset. And also we can remove the logon type.

So if, if it's using, I dunno, service logon, we can remove RDP interactive and all the other stuff. So if a service account is leaked, it doesn't matter. And the same with humans. You can create a policy that says my domain administrators can only connect to domain controllers after they went through MFA. Something you can configure in seconds.

Okay, so in the interest of time, I'm gonna move on a little. So we have the, the network segmentation, which I talked about for the first 10 ish minutes. And then just the last minute I talked more about the identity segmentation. It's automated agentless and MFA enhanced. Then real quick, this is something a customer sent us. It's the Mitre tech framework that everyone here is familiar with. They told us that our solution prevents 60% of what's documented, the attack methods documented in the mitral tech framework. Then we had a partner challenge us and say, no, no, no, no, no, we don't.

We don't agree. We think it's more, we think it's 70%. We're like, okay, we'll take that as well.

That's, that sounds nice. So in terms of low hanging fruit, we obviously, I'm a little biased, but I think it's a, it's a great solution. It's fairly easy to deploy. You need to deploy the virtual appliance, which is one hour. I do this several times a week with various customers. It's a time investment of one hour. Then it starts learning for 30 days while you do something else. It's completely automated. And then afterwards all of your assets will go into segmentation mode and will block all of the crap and we'll reduce the openness with 98, 98, 90 9% of your network.

So what are the use cases? Well, pretty much any attack I would say that spreads throughout your network. You can micro segment and a click apply MFA on any app that listens on the network. Stop ransomware, pass a pen test. We actually had an East coast US customer hire, a top tier red teaming organization, I'm not sure if I'm supposed to call out names here.

And they hired them for a month with our technology enabled and after two days they decided to disable zero networks because otherwise it would be a waste of time because they, their usual playbooks didn't work normally their domain admin in like 30 minutes. This time they couldn't go anywhere. So if you're interested we can, we can always schedule a deep dive, which is one hour. We can also do APOC. APOC is fairly easy. It's investment of one hour after two weeks we have a check-in meeting to see what kind of rules are being generated.

And after four weeks we micro-segment assets and then we can show you that we just made a massive leap in your zero trust journey without breaking anything. With that, we have 28 seconds. I don't know if that's enough for a question, but thanks a lot for your time. Thanks very much.