Written by: Byron Acohido, The Last Watchdog
Many companies take an old-school approach to bringing up the rear guard, if you will, when it comes to protecting IT assets.
It’s called network segmentation. The idea is to divide the network up into segments, called subnetworks, to both optimize performance as well as strengthen security.
At RSA 2020 in San Francisco recently, I learned about how something called “micro segmentation” is rapidly emerging as a viable security strategy. Micro segmentation takes the fundamental principle of network segmentation and drives it down to smaller and smaller subnetworks.
One security vendor pushing micro segmentation just about as low as you can go — all the way to the individual device level — is a Nova Scotia-based startup called Byos. I had the chance to visit with Matias Katz, founder and CEO, and Ryan Bunker, business development director, at RSA 2020. For a full drill down on our conversation, give the accompanying podcast a listen. Here are key takeaways:
A network gateway is like a submarine’s bulkhead passageways, which can be sealed off in emergencies. It’s where traffic passes from one subnetwork to the next. It’s also where you can put a hard stop on the movement of anything dangerous.
Byos took the idea of a network gateway and shrunk it down to fit on a USB stick. The user inserts the stick into a laptop and the Byos micro gateway shows up as a choice in the WiFi connection menu. The user simply chooses the Byos hookup, instead of any of the other WiFi options.
This simple step results in a full stack of network-level defenses being brought to bear on the individual device. “We perform network security processes on the hardware itself,” Katz told me. “We can detect anything from someone trying to do an evil twin and clone your WiFi, to someone trying to reroute your packets, to someone trying to directly attack your computer by doing a fingerprint attack.
“Maybe the attacker is not trying to hack your computer, but instead wants to attack a router on your network, and try to reroute packets,” Katz continues. “The device will detect all those attacks and stop them, and then alert the user so that they’re aware that they are in a dirty network.”
Pushing security protections down to the device level allows more granular enforcement of security policies. Devices can then be organized into subgroups, according to geography or division of labor, and security policies fine-tuned for each subgroup.
“You can push out different policies that are more restrictive or more permissive, according to the type of user in a particular group,” Katz says. “Marketing can have access to Salesforce, but only during office hours, and never on weekends, for instance. Or you can set policy so nobody can connect to a server in a country you don’t trust, that sort of thing.”
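To make the group-scoped, time-bound and geography-bound policies described above concrete, here is an added example of a small per-device egress policy evaluator; it is not Byos code, and the device-to-group map, the destination-to-country table, the `XX` country code and the rules are all constructed stand-ins for what a real gateway would resolve from its own inventory and a GeoIP lookup.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: which subgroup each enrolled device belongs to.
DEVICE_GROUP = {"laptop-0042": "marketing", "laptop-0099": "engineering"}

# Constructed stand-in for a GeoIP lookup; "XX" is a placeholder untrusted country.
DEST_COUNTRY = {"salesforce.com": "US", "intranet.example": "CA", "mirror.example": "XX"}
UNTRUSTED_COUNTRIES = {"XX"}


@dataclass
class Rule:
    group: str            # device subgroup the rule applies to
    dest: str             # destination host the rule permits
    hours: tuple          # (start_hour, end_hour), local 24h clock, end exclusive
    weekdays_only: bool   # True = never on weekends


# Constructed rules mirroring the article: marketing may reach Salesforce only
# during office hours on weekdays; engineering may reach the intranet any time.
RULES = [
    Rule("marketing", "salesforce.com", (9, 17), True),
    Rule("engineering", "intranet.example", (0, 24), False),
]


def decide(device_id: str, dest: str, when: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for one outbound connection from a device."""
    group = DEVICE_GROUP.get(device_id)
    if group is None:
        return False, "unenrolled device"          # no gateway identity, no access
    country = DEST_COUNTRY.get(dest)
    if country is None or country in UNTRUSTED_COUNTRIES:
        return False, "destination country unknown or untrusted"
    for r in RULES:
        if r.group == group and r.dest == dest:
            if r.weekdays_only and when.weekday() >= 5:   # 5 = Saturday, 6 = Sunday
                return False, "weekend"
            if not (r.hours[0] <= when.hour < r.hours[1]):
                return False, "outside office hours"
            return True, "matched rule"
    return False, "no rule for this group/destination (default deny)"
```

Every decision falls through to default deny, so a device that is unenrolled, or a group without an explicit rule, gets nothing rather than everything.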
This is a per-device solution, so every endpoint device connecting to the network must be using a Byos micro gateway. It appears that companies have reached the point where they’re willing to compel employees using company laptops to do this, because current security software solutions have fallen well short of fully protecting endpoints, Katz says.
“By having an additional layer of security that can only be provided by hardware, then you can truly isolate devices,” he says.
Byos is starting with USB sticks, but it has a full roadmap for adapting micro segmentation to devices that don’t have a USB input, such as smartphones, as well as IoT system endpoints.
For instance, it is developing a solution for IoT systems that can extend a full stack of network monitoring and security systems to each data ingesting sensor. The notion is to embed security services at ground level for, say, medical devices deployed throughout a hospital, or even through critical parts of an autonomous transportation system.
“The current form factor is USB to WiFi device,” Katz says. “However, the way we built the hardware means that we can personalize each part of the connection to different technologies. We can change Wi-Fi to LTE, to Bluetooth or to Ethernet, and instead of a USB stick, we can have a PCI express stick that could be embedded directly into the motherboard of endpoints.”
It’s too early to tell how much further down the road micro-segmentation will take us toward making the Internet as safe as it ought to be. The notion of embedding a hard stop at each and every endpoint is intriguing. I’ll keep watch.