Another day, another critical vulnerability. It is almost a foregone conclusion now. Vulnerabilities are here to stay and there does not appear to be much anyone can do about it. Or is there? Is there a way to protect crown jewel applications and workloads without the disruption that usually comes with it?
We may not be able to stop vulnerabilities from coming to light, but it should be possible to at least contain their effects. One way is to overlay vulnerability data from your scanner of choice onto a rich map of application dependencies and communication flows. You can then enforce stateful firewall rules per host as usual, but, importantly, also drive those rules from the vulnerability data pertaining to the affected hosts.
If you "assume breach" as a strategy, then one of the highest-priority protection tactics is prevention and containment. Security segmentation is the way to go, but in a new way: security is decoupled from the network and applied stringently and consistently across multiple OS platforms (Windows, Unix and/or Solaris workloads) directly, providing flexible and consistent security that follows the workload wherever it goes.
This way, in the unfortunate event that a critical vulnerability is discovered, such as the latest critical ones in the widely used open source SaltStack (CVE-2020-11651, an authentication bypass, and CVE-2020-11652, a directory traversal), which may affect servers or workloads in your data center or cloud environments, you can move quickly: with your workload environments already segmented, you add an extra level of containment by closing the vulnerable ports directly on the workloads, without having to re-architect the network. The new Adaptive Security way!
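The following is an added example of the overlay-and-contain step described above; it is not code from the original post or from any segmentation product. It merges a constructed scanner result set with a constructed flow map, reports which observed flows touch a vulnerable port, and derives per-host rules that allow only the sources the application genuinely depends on and drop everything else to that port. The hostnames, the trusted set and the scan findings are all constructed; the only real fact assumed from outside the post is that the Salt master's request server listens on TCP 4506 by default. Rendering to iptables syntax is an assumption for illustration, since the post does not name a specific enforcement mechanism.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed communication flow from the dependency map."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Constructed scanner output: host -> list of (CVE id from the post, affected port).
# Port 4506 is the Salt master's default request-server port (fact assumed, not from the post).
SCAN_RESULTS = {
    "salt-master-01": [("CVE-2020-11651", 4506), ("CVE-2020-11652", 4506)],
    "web-01": [],  # scanned, no findings
}

# Constructed flow map: dependencies observed before the advisory came out.
FLOWS = [
    Flow("minion-01", "salt-master-01", 4506),
    Flow("minion-01", "salt-master-01", 4505),
    Flow("lb-01", "web-01", 443),
    Flow("unknown-host-01", "salt-master-01", 4506),  # not a known dependency
]


def vulnerable_ports(scan_results):
    """Map each host with findings to the set of ports those findings affect."""
    return {
        host: {port for _cve, port in findings}
        for host, findings in scan_results.items()
        if findings
    }


def exposure(scan_results, flows):
    """The overlay: every observed flow that lands on a vulnerable (host, port)."""
    vuln = vulnerable_ports(scan_results)
    return [f for f in flows if f.port in vuln.get(f.dst, set())]


def build_rules(scan_results, flows, trusted):
    """Per-host containment rules.

    For each vulnerable port on a host: allow the trusted sources that actually
    talk to that port (taken from the flow map), then deny all other sources.
    Ports without findings are left alone so the rest of the application keeps working.
    Returns host -> list of (action, source, port, proto) tuples in evaluation order.
    """
    rules = {}
    for host, ports in vulnerable_ports(scan_results).items():
        host_rules = []
        for port in sorted(ports):
            allowed = sorted({
                f.src for f in flows
                if f.dst == host and f.port == port and f.src in trusted
            })
            for src in allowed:
                host_rules.append(("allow", src, port, "tcp"))
            host_rules.append(("deny", "any", port, "tcp"))
        rules[host] = host_rules
    return rules


def render_iptables(host_rules):
    """Render one host's rules as stateful iptables INPUT rules (assumed Linux target).

    The first line admits return traffic for connections already permitted, so the
    allow/deny pairs below only need to decide about NEW connections. Order matters:
    the allow for a trusted source must precede the catch-all drop for that port.
    """
    lines = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for action, src, port, proto in host_rules:
        if action == "allow":
            lines.append(
                f"iptables -A INPUT -p {proto} -s {src} --dport {port} "
                f"-m conntrack --ctstate NEW -j ACCEPT"
            )
        else:
            lines.append(f"iptables -A INPUT -p {proto} --dport {port} -j DROP")
    return lines


if __name__ == "__main__":
    trusted = {"minion-01"}  # constructed: the sources the application is known to need
    for f in exposure(SCAN_RESULTS, FLOWS):
        print(f"exposed flow: {f.src} -> {f.dst}:{f.port}/{f.proto}")
    for host, host_rules in build_rules(SCAN_RESULTS, FLOWS, trusted).items():
        print(f"# {host}")
        print("\n".join(render_iptables(host_rules)))
```

The important design choice is that the deny rule is scoped to the vulnerable port only: the flow map tells you which sources legitimately reach that port, so the rest of the workload's traffic (and the flows that are not on the vulnerable port) continue untouched, which is what lets this be applied quickly without re-architecting the network.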
"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours"