ExtraHop has spent over a decade monitoring enterprise networks. We saw the enterprise network landscape transform from dedicated on-premises Windows servers to distributed microservice-based applications, and from homogenous client workstations and laptops to a large variety of mobile and IoT devices. It's this vantage point that led us to tackle one of the biggest cybersecurity challenges that modern enterprises face: as the network perimeter fades away, critical applications become more distributed, and the number and variety of devices on the network explode, organizations have little ability to control their cyber risks and mitigate attacks inside the network perimeter, even as the attack surface grows at an exponential rate. It's akin to sailing on a large cruise ship with no watertight compartments, where a single small hull breach would sink the whole ship.
Traditional network segmentation inhibits lateral movement inside a network, but is difficult to implement and maintain. The growing number of IoT devices makes it more important to stop attackers' lateral movement.
This spring, we are excited to introduce service-layer discovery and detection, a new approach to detecting malicious lateral movement inside networks. Without requiring any configuration, service-layer discovery and detection enables IT and security teams to support rather than impede technologies that drive business agility, specifically the cloud and IoT.
The Drawbacks of Traditional Network Segmentation
Traditional network segmentation is an extremely useful mechanism to mitigate and detect attacks, but it is rarely adopted in practice due to the complexity of managing and deploying network segments without impacting production traffic. More specifically, it typically requires a large amount of manual work and expertise to identify and continuously maintain a good set of security policies. For these reasons, organizations typically deploy network segmentation for specific, clear-cut scenarios, like guest access and data center communications, but struggle to operationalize segmentation further, if at all. This leaves many other parts of the network open, so that attackers can easily move laterally.
The difficulty of implementing traditional network segmentation was highlighted in a report from the NASA Inspector General following a data breach at the Jet Propulsion Laboratory. The report cited lack of network segmentation between a low-privileged IoT device that was compromised and sensitive databases with PII data as one contributing cause of the massive breach.
Setting Automatic Guards with Machine Learning
Service-layer discovery and detection is built on the foundation of ExtraHop's Reveal(x) network detection and response platform, leveraging capabilities such as auto-discovery, Layer 7 fluency, asset clustering, and behavior graph analytics. It is designed to automatically define watertight compartments (to use the cruise ship analogy again) and detect lateral movement across those boundaries even in diverse hybrid enterprise networks, especially those with a multitude of IoT devices (e.g., VoIP phones, teleconference equipment, smart TVs, printers, badge scanners, etc.).
This hands-free, out-of-band approach offers a number of advantages and is complementary to traditional methods. Here is how service-layer discovery and detection compares with traditional network segmentation and workload-based micro-segmentation:
| | Traditional network segmentation | Workload-based micro-segmentation | Reveal(x) service-layer discovery and detection |
|---|---|---|---|
| Adaptive to workload changes | No | Somewhat | Yes |
| Cloud workload support | Minimal | Somewhat | Complete |
| Potential for disruption to business | Significant | Significant | None |
| Software agent deployment | None | Significant | None |
More specifically, service-layer discovery and detection works as a two-step process:
- Service-layer inference: The technology leverages passive network monitoring and sophisticated ML to automatically infer which devices belong to a service based on their observed behavior. Applying machine learning techniques such as peer group clustering, Reveal(x) defines segmentation policies based on inferred services—such as the database tier of a large application, a group of VoIP phones, or a smartboard solution deployed across remote sites—independent of the network subnets and locality. The inference is fully automated and capable of dynamically adapting to changes in the network, from new approved communication patterns between two previously isolated tiers to autoscaling of certain service tiers.
- Service-layer segment detection: Compared to traditional network segmentation, which requires deploying routing and ACL changes to all parts of the network, service-layer discovery and detection leverages out-of-band network monitoring to detect violations of the inferred segmentation policies. More specifically, instead of actively segmenting the network by preventing A from talking to B, it utilizes passive monitoring and simply alerts when A talks to B, converting a network reachability hurdle for attackers into an invisible tripwire. In addition, because enforcement is not in-line, service-layer segment detection can utilize computationally intensive post-processing to distinguish benign violations caused by policy errors from real policy violations caused by malicious activity. Finally, the enforcement can also be integrated with the switching and routing infrastructure to immediately cut off network communication for any segmentation violation.
Example - VoIP Phone Communicating with Source Code Repository
Below is a simulated IoT device compromise that was detected by service-layer discovery and detection in a real enterprise environment.
In this case, service-layer discovery and detection automatically identified a group of VoIP phones on a large corporate network across multiple subnets and inferred that they were part of the same service, noting how these phones tend to communicate with the external VoIP service provider via SIP and RTP, and rarely communicate directly with other devices on the network. When one of the VoIP phones suddenly started to access a sensitive engineering source code repository via SSH, ExtraHop picked up the inferred policy violation and immediately reported the finding to the security team.
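As an added illustration (not ExtraHop's code), here is a toy version of the two-step process described above, run over constructed flow records that mirror the VoIP-phone example: devices are grouped into services by the similarity of their observed peer/protocol profiles, and a later flow that falls outside a device's inferred service policy is reported rather than blocked. The hostnames, the Jaccard similarity threshold, and the (peer, protocol) profile shape are assumptions; the benign-versus-malicious triage the text mentions is not modelled.

```python
from collections import defaultdict

# Constructed flow records: (source device, destination host, dest port, protocol).
# Three phones talk only to the VoIP provider; two web servers talk only to a DB.
FLOWS = [
    ("phone-1", "sip.provider.example", 5060, "SIP"),
    ("phone-1", "rtp.provider.example", 20000, "RTP"),
    ("phone-2", "sip.provider.example", 5060, "SIP"),
    ("phone-2", "rtp.provider.example", 20002, "RTP"),
    ("phone-3", "sip.provider.example", 5060, "SIP"),
    ("phone-3", "rtp.provider.example", 20004, "RTP"),
    ("web-1", "db-1", 5432, "PostgreSQL"),
    ("web-2", "db-1", 5432, "PostgreSQL"),
]

def profile(flows):
    """Step 1a: summarise each device by the (peer, protocol) pairs it uses."""
    prof = defaultdict(set)
    for src, dst, _port, proto in flows:
        prof[src].add((dst, proto))
    return prof

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def infer_services(profiles, threshold=0.5):
    """Step 1b: greedy peer-group clustering. A device joins the first service
    whose accumulated policy looks like its own profile, else starts a new one."""
    services = []  # each entry: {"members": set of devices, "allowed": set of (peer, proto)}
    for dev, prof in profiles.items():
        for svc in services:
            if jaccard(prof, svc["allowed"]) >= threshold:
                svc["members"].add(dev)
                svc["allowed"] |= prof
                break
        else:
            services.append({"members": {dev}, "allowed": set(prof)})
    return services

def detect_violations(services, new_flows):
    """Step 2: passive tripwire. Report flows where a member talks to a
    (peer, protocol) outside its service's inferred policy; block nothing."""
    policy = {d: s["allowed"] for s in services for d in s["members"]}
    return [(src, dst, proto) for src, dst, _port, proto in new_flows
            if src in policy and (dst, proto) not in policy[src]]

if __name__ == "__main__":
    svcs = infer_services(profile(FLOWS))
    later = [("phone-2", "git.internal.example", 22, "SSH"),   # the phone-to-repo case
             ("phone-2", "sip.provider.example", 5060, "SIP")]  # normal traffic
    print(detect_violations(svcs, later))
```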
Service-layer discovery and detection runs on ExtraHop's cloud-scale ML architecture and has been enabled for all Reveal(x) customers. We believe this new capability adds an important layer of defense against malicious lateral movement within environments, immediately improving organizations' security posture without the worry of disrupting business. ExtraHop Engineering is continuously refining this technology and plans to add more capabilities to it in the coming months.