Hi, this is your host Aptin Bahartiya, and welcome to another episode of TFI Let's Talk. Today we have with us once again Steve Winterfeld, Advisory CISO at Akamai. Steve, it's great to have you back on the show.

Yeah, I'm glad to be here. I always enjoy our discussions.

And today we are going to talk about the State of Segmentation report. But before we go deeper into the report, I just want to understand, or explain for viewers, what do we mean by segmentation when it comes to environments?

So first, I always encourage people to have something that can pass an audit. So NIST 800-207, Zero Trust, breaks out a great description of microsegmentation. But in general, let's talk about what we want to do with microsegmentation. We're trying to build zones of trust, so if one zone is compromised, our whole network isn't compromised. So for instance, if you process credit cards, you belong under PCI, so everything that processes credit cards would be in one zone. Or you might have a network with a production zone and an administrative zone, so if somebody broke into your administrative zone, that wouldn't impact your production zone. Or I always have my labs or my innovation centers segmented, because there's crazy stuff going on over there and you don't want it to impact the larger area. And of course, there's a couple of ways to do this. The first is internal firewalls. I've tried that; I have PTSD from trying that. It's very complicated. And we'll talk in this report, almost 89% say microsegmentation, which I tend to take towards agent-based or software-based segmentation, gives you more fidelity. But again, we're really trying to minimize impact of any incident.

Can you also talk a bit about what are the efforts, not only from Akamai but, you see, industry-wide, and also there are a lot of federal agencies as well, to understand the state of segmentation?

So I think segmentation has become very popular right now as one of the pillars under zero trust. And zero trust is, again,
it's been around for over 10 years; we're still building towards it. But zero trust is that concept where, we see in some of the reports, a lot of those are coming through stolen credentials or getting access to somebody's identity. So that access is the first part of zero trust. The second part of zero trust is that segmentation. And I think the one threat that's really driving this is ransomware. So 15 years ago, cyber incidents weren't putting companies out of business. But now with ransomware, we've seen companies never recover from an attack. We've seen major financial impacts, what we would call a material impact, with an increase in the last year of 143% for ransomware attacks globally. And they're causing downtime, data loss, brand damage; it is just huge. And so one of the things I like to think about is how are we able to address this rampant, and that's by quick detection. All of my peers are talking about minimizing dwell time, preventing it from spreading all the way through your network. And so that's why I think you're seeing this huge increase in paying attention to microsegmentation.

When we look at microsegmentation, can you also talk about the benefits that teams, organizations face, which go beyond just security? It could also be about helping teams to move faster, increase their velocity, increase their efficiency, increase the performance.

So the thing I love about microsegmentation is the visibility it gives me. So I now know where data flows are going, I know where my data is. In these hybrid environments where I have some aspects of my network in the cloud, others are in SaaS providers, I still have some legacy stuff in a data center, unless you're a brand new company that kind of natively started in the cloud. And even then, it's distributed. So I like the visibility, because I can tell where my data is, where my data flows are going, if I have choke points, where I have a risk. And it really allows me to do some analysis and investigation of what's going
on with my data. So I think the real up part of this is having a better view and understanding of your overall network.

Now let's talk about this report or e-book that you first came out with. Talk about the concept, the idea behind this report, and what were some major findings. And as I always ask you, there are some findings that you were expecting, and there are some that are your aha moment: oh, wow, I was not expecting that.

First part is, we went out and we surveyed over a thousand IT security professionals and leaders, and we talked to them about what's going on, where are you seeing return on investment on security controls. And bottom line is, most of these people are talking about segmentation, what they're getting from it. 93% of our respondents say segmentation is critical to stopping large damaging attacks. Within that, it was interesting, though, that only 40% say that their zero trust journey to include segmentation, and segmentation, has been fully defined and deployed. So, again, zero trust is a journey; we see people constantly moving towards it, never fully done. And then 89% said within segmentation, microsegmentation was the thing they were looking at. To answer the second part of your question, you know, how are people... Actually, go ahead and ask me what are some of the issues people are having to have not fully deployed.

What kind of awareness is there in terms of microsegmentation?

It's fairly high. I think most of the people understand that it is becoming vital to basically be part of zero trust. Zero trust is almost universally understood. Zero trust in its earlier stages was largely around access, and I think as people have gotten more mature, they're including microsegmentation in it. And, you know, it's to the point where you kind of see it as a vendor buzzword. And whenever I see that, I think, you know, that's when the customers are talking about it, when suddenly you see the marketeers trying to include it in their language. But beyond that indicator, I think truly we're seeing a return on investment, which is why it's becoming more popular.

But are there any areas where you also see teams struggle, or the challenges that they face in terms of microsegmentation?

Yeah, when we say only 40% are done, there's a reason, you know. A lot of it is, you know, those 44% say they started it two years ago. So that's quite a long process. And what we're seeing, those challenges are, first of all, it's a lack of skills and expertise to do segmentation. You know, depending on which mode you're building in, it requires a lot of investigation, because you don't want to impact production. If you put in a rule somewhere that blocks your operations, you know, that's not a good day for security. The second is the performance bottlenecks. You know, if you're implementing this in a way that everything has to come back to a security control, then you're building in latency. And latency is the last thing we want to be accused of here in security. So the architect of this has to be not bringing everything back to central firewalls, but distributing the control. And then the last is, you know, those compliance requirements. We mentioned PCI earlier. It's probably one of the most classic of a zone that has to be segmented. And so when you think about compliance rather than security, I think it takes you in a different direction. And sometimes that's a more deliberate process than
just integrating security.

Earlier, when we were talking about, you know, how do you look at segmentation, you said, you know, it kind of gives you visibility. And let's just talk about some of the jargon, terms, practices. Observability is, you know, a very well-known practice these days. How do you see microsegmentation playing in these, you know, broader practices, jargon, terms that we use?

So I think first of all, you know, the difference between segmentation and microsegmentation: you know, we have no governing body defining those terms. I think generally when people talk about segmentation, it's more that legacy firewalls. When you talk about microsegmentation, you're getting more down at the data flow level, work process level. And so where do you want that visibility? Do you want it at the larger, okay, this is PCI? Or do you want it down at the server, where we can see the processes within the server, and we can see this one process is actually, you know, going out to the internet? And so that gives us visibility to not just a zone, but down into the workflow. So that's where I think the difference of microsegmentation, and why so many people like it, is your situational awareness is so much more acute. And, you know, how do we then pull that back? For those who have been in this game for a long time, we remember, you know, the first generation of a security operations center, with those alerts scrolling off the screen. You know, we're much more mature now. How do you build that visualization in so you can intuitively work with those data flows and gain understanding from it? And that's where you get situational awareness, in my opinion.

What kind of recommendations do you have for teams and organizations?

So all my examples, I was really giving like maybe two zones. And I think that's one of the things that we've discovered in our survey was, you know, only 30% of the organizations had more than two zones. And we found that the real payoff comes when you have... We developed a template of six critical areas. The first is your critical business assets in a segment. The second is your critical apps, then your public-facing apps, your domain controllers, your servers, and your endpoints. And when you develop those six zones, what you end up having is, you're going to be 11 hours faster when you detect a threat. And so rather than 15 hours to stop something like ransomware, you would be done in four. Or if there was a zero day, and something like Log4j that you saw movement, you could limit that movement in three hours versus 14 hours on average. So by building out those segmentation zones, you have a rapidly quicker way to respond to threats.

Last time we also talked about the seriousness of ransomware, about the importance of kind of discovery versus prevention when it comes to ransomware.

So, you know, ransomware used to have a one-phase attack: come in and encrypt your data. And so after you have your initial access, then you have to spread throughout the network, and encrypt the entire network, and encrypt the backups. And truly then you're going to have the kind of impact where you can just demand the ransom. And then we saw a second generation, where you now have people coming in and exfilling that data, and then calling and saying, if you don't pay this ransom, we're going to put your data on the internet, of all your customers. And we saw criminal groups going to those customers and telling the customers, hey, we stole your data from this vendor; you need to go tell that vendor to pay us, or we're going to put your information out there. We even saw a criminal group file an SEC complaint, Security Exchange Commission complaint, because they had done a ransomware attack and that company hadn't reported it
within the required amount of time. And so we're seeing this constant going on. But what that means is, you've got a window of opportunity. From the moment they get in, they have to spread laterally, and that's where your visibility of microsegmentation is going to detect it. And then they have to exfil that data, and things like secure web gateway and watching data flows of microsegmentation are going to detect that data being stolen. And so that's what we're looking for, is that window to interrupt their attack before it fully deploys.

Earlier we were also talking about zero trust. How does segmentation or microsegmentation fit in or play into building a zero trust strategy?

Zero trust is about ensuring that we have visibility of it. And if you go to the NIST framework, there are many different ways to implement a zero trust framework. But at a very high, simple level, I think the two most important are controlling access, and then minimizing the blast zone, or minimizing the impact. And so a reminder, zero trust is designed to protect your employees and your corporation. And so it is protecting the operations of your network.

Earlier we were talking about some of the challenges that teams face. Can we look at it from two different perspectives?
I love talking about cultural impact, but also look at the technological impact that teams face, if you can look at both of these aspects.

So I think the technology comes in a couple of ways. Is, first of all, hardening or choosing an architecture that is able to be deployed in a fairly quick amount of time. We talked about earlier, people have been trying to deploy segmentation for two years. My network changes every six months. And if I'm trying to implement microsegmentation on a changing network, I want to do that in a shorter span of time. And so going to an architecture like agent-based, you can deploy that much faster, lower effort. So I think on the technology side, going with a project that you can rapidly be successful in is probably the architecture I would want. And also going with a vendor that is going to help train me, because we talked about that skill set challenges. So train my people, help me architect a solution, help me implement it. I think those are critical. The second part is cultural. As we talk to this, maybe I have somebody on the firewall team that feels threatened by microsegmentation, because they say, oh, the firewalls are going away. Well, the firewalls aren't going away. External firewalls are still needed. But we need to then talk to that culture about retraining our people, so they have a new skill set. Not be threatened by a new skill set, but have a second skill set. That culture of constant development, of constant training, improving our team, I think that's where we get our high retention from as well.

Can you also talk about the role of the vendor ecosystem, of course, players like Akamai, to help these teams?

I think more and more of my peers that I talk to, the other CISOs, are looking to do vendor consolidation. They're looking to partner with vendors that can offer expertise or even managed services, as it's getting harder and harder to find the right skill sets. So, you know, there was a report out that said, you know, a company of 500 people may have 66 security controls. I now, as a CISO, I'm doing vendor management rather than, you know, program management. And so I think that's where we see consolidation. Akamai is a well-known platform. We have DDoS, we have internal, we have microsegmentation, we have API protection, we have our web application firewall. So I think that's one of the benefits of working with some of these larger organizations, is getting to that consolidation: fewer vendors.

What advice do you have for teams, so that not only can they build the right culture that we talked about, but also they can get the most value out of the tools that are available to them?

You know, it is interesting. If you're in a culture of high transformation, which most of us are, our businesses are constantly transforming. But if we're not careful, we fall into the trap of complexity, and we're getting more and more complex and accruing more and more technical debt. And so I would move towards a culture of simplicity, of the KISS principle, keep it simple, stupid, where as we move towards innovation and transformation, we think about how to do it in a way that doesn't introduce unnecessary complexity. Keep track of our technical debt and continue to reduce that. Where do you have two tools doing the similar thing? Where do you have three? You know, in that attack sequence, where do you have four tools looking for data being exfilled and no tools looking for lateral movement? And where can we shift our tools to have balance across that detection platform? And I think those are kind of the keys that I would focus on.

Can you also talk about the resources that are available for teams? Of course, you folks came
out with this report, this e-book. How can people get access to these resources?

So yeah, I think, you know, there's a link associated with this. Or if you just go out and Google "Akamai state of the segmentation report". This is the second report, so make sure you get that one from this year. We also put out a number of reports called the State of the Internet report, and blogs. We have a report in there on ransomware. It talks about threat trends. It's a great resource to partner with this. But yeah, those would be my recommendations.

Steve, thank you so much for taking time out today to talk about this report, and some great advice and, of course, great recommendations, great suggestions there. Thanks for all those insights. And as usual, I would love to chat with you again. Thank you.

Thanks so much for having me.