TL;DR: Illumio Edge is helping stop ransomware and malware from propagating laterally through an environment via zero-trust endpoint and network protection. The solution, delivered in Software-as-a-Service (SaaS) form, ensures the first endpoint infected is also the last. As more people shelter in place than ever before, Illumio Edge offers CISOs the peace of mind that an increase in endpoints doesn’t have to mean higher risk.
Working from home has unequivocally become a part of the new reality brought on more quickly than anyone could expect by COVID-19.
But while remote connections have afforded employees numerous benefits — better work-life balance, productivity gains, and, most importantly, isolation from the virus — they also introduce risk from a network perspective.
That’s because ransomware and malware attacks on a single endpoint in a network can spread laterally to thousands of others in the blink of an eye.
“If you’re a CISO, and you and your employees are all working on laptops from home, you’re inheriting risk from their kids, spouses, and maybe even roommates,” said Matt Glenn, VP of Product Management at Illumio. “We recently launched Illumio Edge to mitigate that risk. We’re essentially enabling people’s laptops to shelter in place.”
The Software-as-a-Service (SaaS) solution stops an attack from propagating through an environment — even if it hasn’t been detected yet — via zero-trust endpoint and network protection. In addition to ensuring the first endpoint infected is also the last, Illumio Edge segments endpoints with a whitelist policy that will not disrupt users or the business at large.
Implementation is easy, beginning with the creation of an automated whitelist policy. With this policy in place, simple, fast enforcement follows the endpoint on or off the network. It is invisible to employees, does not trigger IT tickets, and will not affect performance.
With seamless CrowdStrike integration and an agile, feedback-based approach to product development, Illumio Edge aims to provide CISOs the peace of mind that, while endpoints may have increased, attacks don’t have to.
Stopping the Spread of Harmful Breaches Since 2013
Matt told us that Illumio, now a leading provider of micro-segmentation, was founded in 2013 to stop breaches in their tracks.
“I don’t mean that in terms of detecting a breach,” he said. “Segmentation as a market is like building a submarine compartment. The assumption is that, at some point, you’re going to be breached, but if you have a compartment in your submarine, it won’t take down the entire ship.”
Initially, the company used a host-based firewall for enforcement purposes and focused squarely on the datacenter. Since then, Matt said the company has often been asked why it hasn’t moved the solution from the datacenter to workstations.
“Our answer has always been twofold,” he said. “First, we’ve always believed that focus yields good results, and we were very much focused on the datacenter problem. Second, we’d gotten to the point where we had hundreds of thousands of workloads in enforcement. We had tackled the scale problem. We had tackled how to operationalize it. We had tackled the cloud problem.”
Eventually, a member of Illumio’s advisory board approached the team with a request.
“He said, ‘Is there any way you would be willing to extend your product to solve my laptop problem from a segmentation perspective?’” Matt told us. “When you think about lateral movement, the sort of thing that has been taking out municipalities, law firms, etc., has been the fact that the attacker can move within an environment and there’s nothing to stop them from moving laterally.”
Matt said that while many endpoint protection platforms (EPP) and endpoint detection and response (EDR) solutions focus on what happens inside an individual machine, segmentation is about determining how your system relates to the outside world.
“We gave him a build of our product last year, and it solved his problem,” Matt said. “After watching him use it successfully over the last year, we learned that a lot of the features that we built into the product for the datacenter — such as application dependency maps — were unnecessary for stopping lateral movement.”
Illumio then spent the end of 2019 through the beginning of 2020 building the workflows to enable people to use the product in a more simplified fashion. The result was Illumio Edge, a comprehensive endpoint threat prevention system.
Featuring the Illumio Edge for CrowdStrike Integration
Illumio Edge works seamlessly with CrowdStrike Falcon, a single lightweight agent that unites advanced antivirus, EDR, and a 24/7 threat-hunting service.
“It was surprising to some people that we shipped with this integration with CrowdStrike, but if you look at our history, it’s a very logical move,” Matt said. “Instead of deploying the Illumio agent, what we can do is program the CrowdStrike Falcon agent to effectively act like our own, so we’re creating more value on top of their solution.”
Matt told us that CrowdStrike’s EDR works harmoniously with Illumio Edge in terms of prevention and containment.
“When you think about it, it’s highly complementary,” he said. “CrowdStrike is concerned with what happens inside the machine, and we’re concerned about how it relates to the outside world.”
CrowdStrike customers can tap into Illumio Edge’s zero-trust containment capabilities via the CrowdStrike Falcon agent, effectively preventing ransomware propagation and lateral attacker movement.
At the end of the day, Illumio Edge’s overall value proposition lies in allowing CISOs to rest assured that they’re safe from current and future threats.
“I was reading Chase Cunningham’s book, ‘Cyber Warfare – Truth, Tactics, and Strategies,’ a couple of months ago, and there was this recurring theme in which nation-state actors develop a hack to target other countries, but invariably, it ends up in the hands of bad actors who weaponize it to make money,” Matt said. “And that weaponization is always going after some vulnerability your EDR or EPP vendor has never seen before.”
Illumio Edge strives to prevent lateral movement to ensure that customers don’t get taken out by these unpredictable types of attacks.
Agile Development via a Customer Feedback Loop
Matt told us that, as with the creation of Illumio Edge, user feedback is a significant part of the company’s internal development.
“It’s built deeply into our culture,” he said. “When I joined the company in August 2013, the goal was to find, borrow, or steal customers and get them to try the product — but not sell it to them. The logic was, if you give the product to the customer, you can learn how to improve it more rapidly than you could with a bunch of people sitting in front of a whiteboard.”
At the beginning of 2013, Illumio had begun shipping new versions of the product to customers at no charge. The feedback the company received from that exercise allowed developers to make significant jumps forward.
“The idea of building application dependency maps came out of that because these customers were afraid to hit the enforcement button,” Matt said. “So, we gave them a really nice on-ramp.”
In another case, Illumio gave a preview of its solution to one of the biggest banks on the globe with no intention of selling it to them. After the bank had used it for two months, Illumio’s CEO Andrew Rubin, Matt, CTO PJ Kirner, and several of the company’s engineers sat down with them.
“They said, ‘We love your product — that’s why we’ve been using it. But if you think we’re ever going to use your SaaS solution directly, you’re crazy,’” Matt said. “They asked us to build it on the same product on-prem, so now we offer it both on-prem and in the cloud because of that customer feedback loop.”
Development for Illumio Edge followed a similar process. “We had weekly phone calls with the customer to gather feedback,” Matt said. “And our goal wasn’t to sell it to him; it was to make the best possible product. But at the end of the day, he did buy the product.”
Moving forward, Illumio plans to continue to evolve its end-to-end segmentation services. And, because Illumio Edge is primarily SaaS-delivered, upgrades are always included.
“This gives an organization the ability to start at the data center and go out to the user — or go from the user to the data center, securely,” Matt said. “In the future, I think you’ll see us continue to enhance this capability.”