Prepare to be breached: the radical cyber-security strategy that might save your business

Independent

29-01-2025

Illumio is a Business Reporter client
Illumio's Mario Espinoza on why the future of digital defence is about containment, not prevention.
If you're struggling to keep cyber-attacks out of your network, Illumio Chief Product Officer Mario Espinoza has some advice you might not expect from a security vendor: admit that you can't.
'The breach is going to happen no matter what,' he says. Today's IT environments are just too complex to prevent them, he argues; the attacks too advanced; the technical flaws too numerous. And, above all, people are just too prone to human error.
The sooner security leaders shift their mindset away from trying to prevent breaches to containing them, the better off we'll all be. 'If you're a sensible organisation, you're going to accept that,' says Espinoza. 'Now the question becomes, how do you prevent the attacker from moving to other parts of your organisation?'
The answer? Zero Trust.
As the term implies, Zero Trust is a security model based on the principle of 'never trust, always verify'. Unlike traditional security focused on protecting the network perimeter (a 'moat and castle' approach), Zero Trust assumes that every connection is a potential threat. Resources are protected no matter where the connection is coming from, inside or outside the security perimeter (if there's even such a thing as a perimeter anymore).
'Zero Trust protects you before the attacks happen.' Espinoza says.
Microsegmentation is one of the key pillars of Zero Trust. Rather than having one big open space protected by a perimeter, microsegmentation divides the environment into very small zones around individual workloads.
For years, even those who agreed with Zero Trust in principle found it hard to use in practice. Deployment was slow and costly. And when the network environment changed, the IT team had to readjust firewall rules and other controls – manually, in most cases.
Keeping up grew even harder with the rise of hybrid environments, where workloads constantly spin up and down in the cloud, on virtual machines and within containers. Today's IT teams typically manage a complex mix of on-premises data centres, multiple cloud providers, remote workers, IoT devices and operational technology.
In the eyes of many security leaders, the downsides of trying the new approach outweighed any potential upside.
But that's changing, thanks to two converging trends. First, cyber-threats have only multiplied in the 15 years since Zero Trust creator John Kindervag first introduced the concept of Zero Trust. Breaches have grown so frequent that only the largest qualify as news. And every headline serves as another reminder that old security models aren't working anymore (if they ever did). The second trend was a more hopeful one: modern Zero Trust tools have become easier to use, with AI and automation helping to simplify the process.
'It's not as if people just now realised how effective containment is,' Espinoza says. 'But the technology has evolved.'
In the process, Zero Trust has gone from ambitious theory to security canon.
In 2021, the White House issued Executive Order 14028, which mandated Zero Trust adoption across all federal agencies. (Government departments are at various stages of deployment.)
The tech sector has quickly lined up behind the idea. Most market research firms now urge clients to adopt Zero Trust and microsegmentation into their cyber-defences. All major cloud platforms now integrate Zero Trust principles into their security offerings. And all of the major infrastructure players are integrating Zero Trust capabilities into their core products.
Perhaps most remarkably, corporate giants such as JP Morgan Chase and Bank of America – usually loath to air their defence strategies – have publicly documented their Zero Trust journeys.
According to research firm MarketsandMarkets, the global Zero Trust security market will more than double from 2022 levels to $60.7 billion by 2027. And Forrester Research, where Kindervag introduced the concept of Zero Trust, says more than 60 per cent of enterprises are already deploying or expanding their Zero Trust efforts.
Enter AI
One of the biggest shifts in the threat landscape is the rise of AI-powered social engineering attacks, Espinoza says. Attackers are already using it to create highly convincing phishing attempts and even clone voices for impersonation attacks. These attacks will only get more effective, spurring security leaders to shift to a strategy of containment.
'The weakest link today is the human at the keyboard,' he says. 'Hacking the human is so easy. It ensures that the breach is going to happen no matter what.'
The rise of security graphs
Espinoza says security leaders should start thinking about new approaches, such as security graphs. Rather than looking at individual workloads in isolation, a security graph might analyse traffic patterns between different parts of an IT infrastructure to spot potential threats.
Such approaches have been proposed before. But given the massive amount of data involved – think terabytes and petabytes – they haven't been practical. Now, innovations in data processing and AI are finally putting them within reach.
The way forward
For those looking to adopt Zero Trust, Espinoza recommends starting with visibility rather than jumping straight to deploying controls. Seeing vulnerabilities and potential attack paths is valuable in itself. And mapping out how data moves across the environment lays the groundwork for setting Zero Trust policies.
As threats evolve and IT environments become more and more complex, this shift towards containment will only snowball, he said. Prevention and detection are still important. But they are no longer enough on their own to protect against today's threats.
Espinoza admits that these new approaches won't reduce the number of attacks. But they can greatly limit their impact, he contends. 'We can make attackers' lives much more difficult. With proper containment, an attack won't become a cyber-disaster.'