On December 11, Zscaler’s TheatLabz observed exploit attempts of the Log4j in the wild, analyzed the vulnerability, and recommended protection strategies. Read the blogs here and here. Among the recommendations to mitigate the impact of the vulnerability was to apply app-to-app microsegmentation using identity. This post explains why identity-based segmentation is superior to traditional firewall-based segmentation in preventing initial compromise and stopping lateral movement of threats from a compromised workload.
Traditional address-based segmentation uses L3/L4 based host firewalls rules to control what’s being communicated. This approach is ineffective because an IP address does not reveal what software is communicating. Even L7 firewalls looking at protocol information are unable to conclusively determine the identity of the communicating software. For example, if a Log4j server is compromised and malicious code has been remotely executed, the malicious code could piggyback on approved firewall policies to move laterally in the environment. In this attack scenario below, in Phase 2, the compromised Log4j server—after the final payload has been delivered—could allow threats to move laterally.
An identity-based segmentation solution would help prevent or contain the blast radius of the exploit. First let’s understand how identity-based segmentation works. This blog post “Identity-Based Microsegmentation is Foundational to Cloud Security: Don’t Get Spoofed” from Zscaler explains it in detail. Here is a relevant excerpt:
"To enable identity-based microsegmentation, each device and software asset is assigned an immutable, unique identity based on dozens of properties of the asset itself, such as a SHA-256 hash of a binary or the UUID of the BIOS. Identities extend down to the subprocess level, so we can uniquely identify even individual Java JAR and Python scripts. Identity creation and management is fully automated to simplify operations.
Zscaler verifies the identities of communicating software in real time. This zero trust approach prevents unapproved and malicious software from communicating. Piggybacking attacks using approved firewall rules become a thing of the past. Identity is the secret to achieving simpler operations and delivering stronger protection compared to traditional network security controls."
In the exploit example (image above), if identity-based segmentation had been in place with least-privilege enforcement, attack risk could be reduced through multiple layers of defense:
In summary, identity-based segmentation from Zscaler verifies software identity and enforces least-privileged access where only known good applications are allowed to communicate on approved paths. Segmentation using identity is extremely effective in protecting against a broad range of threats with no change to the applications or the network. This approach makes it easy to extend zero trust security to workloads in cloud and data center environments. Together with other solutions from Zscaler, organizations can use a zero trust architecture to minimize risk and the impact of future vulnerabilities.
Request a custom Workload Segmentation demo today to get started on your journey.
Run a complimentary internet attack surface analysis to see if you have any external attack surface using Apache.
Join our webinar on Wednesday, December 15th for more details and expert guidance on the Apache vulnerability.