The first portable traffic monitors were introduced in 1936. Referred to as electronic eyes, these weatherproof road strips were laid across the pavement and connected to a battery-operated recorder. When your Hudson or Packard passed over the strip, the recorder would increment the car count by one. It also printed the results, along with the time, onto a roll of paper that lasted for about 24 days. The clock required winding every eight days. So cool.
If you Google the term traffic monitoring today, you’ll find that modern versions of these electronic eyes are more likely to be collecting and analyzing data network communications than counting up road traffic. And much of the motivation for such network monitoring is cyber security-related. This is because – and perhaps the following is becoming a bit cliché, but I’ll say it anyway – you cannot secure what you cannot see.
Any traffic monitoring process will work well, so long as the sensors are well-placed. For example, I’ll bet those weatherproof strips used in 1936 were situated on busy highways, rather than obscure side roads. Similarly, most modern data collection and analysis tools are installed at obvious network chokepoints, such as the enterprise perimeter DMZ. Such placement has served the security industry well for the past two decades.
But now, with the dissolution of the perimeter, the problem of understanding traffic patterns has become more difficult. And frankly, monitoring is the easy part for security engineers trying to protect distributed workloads in hybrid cloud environments. Mitigating access securely based on strongly authenticated workloads is a much bigger challenge – and has been quite the stubborn obstacle for organizations intent to implement zero trust security.
I was therefore so delighted when my friend Maria Cirino from .406 Ventures recommended that I spend time with Peter Smith, CEO and Founder of Massachusetts-based Edgewise. Peter and his team have built an amazing platform that collects data from hybrid cloud environments to build maps, implement white lists based on strong authentication, and effectively support next generation secure cloud computing. Let me share what I learned:
“Our mission at Edgewise is to prevent cyber security breaches through the use of zero trust segmentation,” explained Smith. “We do this by accurately verifying the identity of software before it communicates with any protected segment in an environment. This approach results in malware and attackers becoming unable to move laterally across an enterprise. And such lateral movement is the hallmark of modern advanced threats.”
The Edgewise solution is perhaps best understood in the context of three basic functional strategies: First, the Edgewise platform is designed to provide detailed visibility into the exact nature of on-going hybrid cloud communications. “The platform creates a map of how your applications are communicating.” Smith said. “It then provides a detailed visualization of this communication map to highlight all normal, expected data flows.”
Second, the Edgewise platform utilizes the baseline mapping of your hybrid cloud to support profile-based analysis of live communications between all software in protected segments. The goal is to identify when any application is attempting to behave in an unexpected manner, perhaps in conjunction with some unrecognized application. Security analysts would thus investigate such anomalies and identify suitable fixes.
Third, the platform supports live mitigation of undesired communication between segments. By creating segment identities based on hashes (designed in a fuzzy manner to support software mods), Edgewise allows for policy enforcement across distributed workloads. Policy rules are based on the maps created from the baseline profiles of normal workload communications. The result is the type of zero trust implementation coveted by most enterprise teams today.
I asked Smith whether serious problems arose creating communication maps for segments if applications don’t expose all external actions within reasonable times. Smith explained that the Edgewise platform utilizes deep inspection of software run-time architectures to understand how such communication can be and will be established. This helps to provide a more perfect mapping of expected normal behavior.
I also asked Smith about the problems of external scanners and other tools that might get denied access by white lists established via the dynamic Edgewise process. If a security team decides on a new scan long after the behavioral profile has been established, then the inbound probes will not work. But this is also easy to address, according to Smith, since the platform includes simple default rules to allow the more popular scanners inbound access.
Finally, I asked Smith about the challenge of dealing with flat but messy enterprise architectures. His response was that segmentation based on address-based controls certainly becomes more complicated in a messy environment, but since Edgewise segmentation is identity-based, and is an overlay to an existing network, it can reduce complexity. (I still think some clean-up before segmentation is a good idea. Just my two cents.)
So, if you are like pretty much everyone and want to implement zero trust security, then I think you should speak with Peter Smith. The Edgewise team can help you down a realistic path toward the visibility, behavioral understanding, and mitigation policies that are required to support a distributed, segmented, hybrid cloud architecture. This might be more complex than those 1936 traffic strips, but I suspect you’ll find the process surprising straightforward.
As always, please share what you learn.